
Red Hat Enterprise Linux 4.5.0
System Administration Guide
ISBN: N/A
Publication date:
Red Hat Enterprise Linux 4.5.0: System Administration Guide
Copyright 2007 Red Hat, Inc.
Copyright 2007 by Red Hat, Inc. This material may be distributed only subject to the terms and
conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available
at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit
permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial
purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United
States and other countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
1801 Varsity Drive
Raleigh, NC 27606-2072
USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Trange Park, NC 27709
USA
Red Hat Enterprise Linux 4.5.0
Introduction .................................................................................................. xv
1. Changes To This Manual .................................................................. xv
2. Document Conventions .................................................................... xv
3. More to Come ...................................................................................... xx
3.1. Send in Your Feedback ............................................................. xx
I. Installation-Related Information .....................................................................1
1. Kickstart Installations ............................................................................3
1. What are Kickstart Installations? ...................................................3
2. How Do You Perform a Kickstart Installation? ................................3
3. Creating the Kickstart File .............................................................3
4. Kickstart Options ...........................................................................5
4.1. Advanced Partitioning Example ........................................27
5. Package Selection ........................................................................28
6. Pre-installation Script ...................................................................30
6.1. Example ............................................................................30
7. Post-installation Script .................................................................32
7.1. Examples ..........................................................................33
8. Making the Kickstart File Available ..............................................33
8.1. Creating Kickstart Boot Media ...........................................34
8.2. Making the Kickstart File Available on the Network ..........34
9. Making the Installation Tree Available .........................................35
10. Starting a Kickstart Installation ..................................................36
2. Kickstart Configurator ....................................................................39
1. Basic Configuration ......................................................................39
2. Installation Method ......................................................................41
3. Boot Loader Options ....................................................................43
4. Partition Information ....................................................................45
4.1. Creating Partitions ............................................................46
5. Network Configuration .................................................................50
6. Authentication .............................................................................51
7. Firewall Configuration ..................................................................52
7.1. SELinux Configuration .......................................................53
8. Display Configuration ..................................................................53
8.1. General .............................................................................53
8.2. Video Card ........................................................................55
8.3. Monitor ..............................................................................56
9. Package Selection ........................................................................57
10. Pre-Installation Script ................................................................58
11. Post-Installation Script ...............................................................59
v
11.1. Chroot Environment ........................................................60
11.2. Use an Interpreter ...........................................................60
12. Saving the File ...........................................................................60
3. PXE Network Installations ....................................................................63
1. Setting up the Network Server ....................................................63
2. PXE Boot Configuration ................................................................63
2.1. Command Line Configuration ............................................65
3. Adding PXE Hosts ........................................................................66
3.1. Command Line Configuration ............................................68
4. Adding a Custom Boot Message ..................................................69
5. Performing the PXE Installation ...................................................69
4. Diskless Environments ........................................................................71
1. Configuring the NFS Server .........................................................72
2. Finish Configuring the Diskless Environment ...............................72
3. Adding Hosts ................................................................................73
4. Booting the Hosts ........................................................................74
5. Basic System Recovery .......................................................................77
1. Common Problems .......................................................................77
1.1. Unable to Boot into Red Hat Enterprise Linux ...................77
1.2. Hardware/Software Problems ............................................77
1.3. Root Password ...................................................................78
2. Booting into Rescue Mode ...........................................................78
2.1. Reinstalling the Boot Loader .............................................81
3. Booting into Single-User Mode .....................................................81
4. Booting into Emergency Mode .....................................................82
II. File Systems ................................................................................................83
6. The ext3 File System ...........................................................................85
1. Features of ext3 ..........................................................................85
2. Creating an ext3 File System .......................................................86
3. Converting to an ext3 File System ...............................................86
4. Reverting to an ext2 File System .................................................87
7. Logical Volume Manager (LVM) ...........................................................89
1. What is LVM? ...............................................................................89
2. What is LVM2? .............................................................................90
3. Additional Resources ...................................................................91
3.1. Installed Documentation ...................................................91
3.2. Useful Websites .................................................................91
8. LVM Configuration ...............................................................................93
1. Automatic Partitioning .................................................................93
2. Manual LVM Partitioning ..............................................................95
2.1. Creating the /boot/ Partition ...............................................95
2.2. Creating the LVM Physical Volumes ..................................98
2.3. Creating the LVM Volume Groups ...................................100
2.4. Creating the LVM Logical Volumes ..................................102
9. Redundant Array of Independent Disks (RAID) ..................................105
1. What is RAID? ............................................................................105
2. Who Should Use RAID? ..............................................................105
3. Hardware RAID versus Software RAID .......................................105
3.1. Hardware RAID ................................................................106
3.2. Software RAID .................................................................106
4. RAID Levels and Linear Support ................................................107
10. Software RAID Configuration ...........................................................109
1. Creating the RAID Partitions ......................................................109
2. Creating the RAID Devices and Mount Points ............................113
11. Swap Space .....................................................................................119
1. What is Swap Space? .................................................................119
2. Adding Swap Space ...................................................................120
2.1. Extending Swap on an LVM2 Logical Volume ..................120
2.2. Creating an LVM2 Logical Volume for Swap ....................121
2.3. Creating a Swap File .......................................................121
3. Removing Swap Space ..............................................................122
3.1. Reducing Swap on an LVM2 Logical Volume ...................122
3.2. Removing an LVM2 Logical Volume for Swap .................123
3.3. Removing a Swap File .....................................................124
4. Moving Swap Space ...................................................................124
12. Managing Disk Storage ...................................................................125
1. Standard Partitions using parted ................................................125
1.1. Viewing the Partition Table .............................................126
1.2. Creating a Partition .........................................................128
1.3. Removing a Partition .......................................................130
1.4. Resizing a Partition .........................................................131
2. LVM Partition Management ........................................................132
13. Implementing Disk Quotas ..............................................................135
1. Configuring Disk Quotas ............................................................135
1.1. Enabling Quotas ..............................................................135
1.2. Remounting the File Systems .........................................136
1.3. Creating the Quota Database Files .................................136
1.4. Assigning Quotas per User ..............................................137
1.5. Assigning Quotas per Group ...........................................139
1.6. Assigning Quotas per File System ...................................139
2. Managing Disk Quotas ...............................................................140
2.1. Enabling and Disabling ....................................................140
2.2. Reporting on Disk Quotas ...............................................140
2.3. Keeping Quotas Accurate ................................................141
3. Additional Resources .................................................................142
3.1. Installed Documentation .................................................142
3.2. Related Books .................................................................142
14. Access Control Lists ........................................................................143
1. Mounting File Systems ...............................................................143
1.1. NFS ..................................................................................143
2. Setting Access ACLs ..................................................................144
3. Setting Default ACLs ..................................................................145
4. Retrieving ACLs .........................................................................145
5. Archiving File Systems With ACLs ..............................................146
6. Compatibility with Older Systems ..............................................147
7. Additional Resources .................................................................148
7.1. Installed Documentation .................................................148
7.2. Useful Websites ...............................................................148
III. Package Management ..............................................................................149
15. Package Management with RPM .....................................................151
1. RPM Design Goals ......................................................................151
2. Using RPM ..................................................................................152
2.1. Finding RPM Packages .....................................................153
2.2. Installing .........................................................................153
2.3. Uninstalling .....................................................................156
2.4. Upgrading .......................................................................157
2.5. Freshening ......................................................................158
2.6. Querying .........................................................................159
2.7. Verifying ..........................................................................160
3. Checking a Package's Signature ................................................161
3.1. Importing Keys ................................................................162
3.2. Verifying Signature of Packages .....................................162
4. Impressing Your Friends with RPM .............................................162
5. Additional Resources .................................................................165
5.1. Installed Documentation .................................................165
5.2. Useful Websites ...............................................................165
5.3. Related Books .................................................................166
16. Red Hat Network .............................................................................167
IV. Network-Related Configuration ................................................................173
17. Network Configuration ....................................................................175
1. Overview ....................................................................................176
2. Establishing an Ethernet Connection .........................................177
3. Establishing an ISDN Connection ...............................................180
4. Establishing a Modem Connection .............................................182
5. Establishing an xDSL Connection ..............................................185
6. Establishing a Token Ring Connection .......................................188
7. Establishing a Wireless Connection ...........................................190
8. Managing DNS Settings .............................................................193
9. Managing Hosts .........................................................................195
10. Working with Profiles ...............................................................197
11. Device Aliases ..........................................................................200
12. Saving and Restoring the Network Configuration ....................202
18. Firewalls ..........................................................................................203
1. Netfilter and IPTables ................................................................205
1.1. IPTables Overview ...........................................................205
2. Basic Firewall Configuration ......................................................205
2.1. Security Level Configuration Tool ............................206
2.2. Enabling and Disabling the Firewall ................................207
2.3. Trusted Services .............................................................208
2.4. Other Ports ......................................................................209
2.5. Saving the Settings .........................................................209
2.6. Activating the IPTables Service .......................................210
3. Using IPTables ...........................................................................210
3.1. IPTables Command Syntax ..............................................211
3.2. Basic Firewall Policies .....................................................212
3.3. Saving and Restoring IPTables Rules ..............................212
4. Common IPTables Filtering ........................................................213
5. FORWARD and NAT Rules ............................................................214
5.1. Postrouting and IP Masquerading ....................................216
5.2. Prerouting .......................................................................216
5.3. DMZs and IPTables ..........................................................217
6. Malicious Software and Spoofed IP Addresses ...........................218
7. IPTables and Connection Tracking .............................................219
8. IPv6 ............................................................................................220
9. Additional Resources .................................................................220
9.1. Installed Documentation .................................................220
9.2. Useful Websites ...............................................................221
9.3. Related Documentation ..................................................221
19. Controlling Access to Services ........................................................223
1. Runlevels ...................................................................................224
2. TCP Wrappers ............................................................................225
2.1. xinetd ...............................................................................225
3. Services Configuration Tool .................................................226
4. ntsysv .......................................................................................228
5. chkconfig .....................................................................................229
6. Additional Resources .................................................................230
6.1. Installed Documentation .................................................230
6.2. Useful Websites ...............................................................230
6.3. Related Books .................................................................230
20. OpenSSH .........................................................................................233
1. Why Use OpenSSH? ...................................................................233
2. Configuring an OpenSSH Server ................................................233
3. Configuring an OpenSSH Client .................................................234
3.1. Using the ssh Command ..................................................234
3.2. Using the scp Command ..................................................235
3.3. Using the sftp Command .................................................236
3.4. Generating Key Pairs .......................................................236
4. Additional Resources .................................................................241
4.1. Installed Documentation .................................................241
4.2. Useful Websites ...............................................................241
4.3. Related Books .................................................................242
21. Network File System (NFS) ..............................................................243
1. Why Use NFS? ............................................................................243
2. Mounting NFS File Systems ........................................................243
2.1. Mounting NFS File Systems using /etc/fstab .....................243
2.2. Mounting NFS File Systems using autofs .........................244
2.3. Using TCP ........................................................................245
2.4. Preserving ACLs ..............................................................247
3. Exporting NFS File Systems .......................................................247
3.1. Command Line Configuration ..........................................250
3.2. Hostname Formats ..........................................................251
3.3. Starting and Stopping the Server ....................................252
4. Additional Resources .................................................................252
4.1. Installed Documentation .................................................252
4.2. Useful Websites ...............................................................252
4.3. Related Books .................................................................253
22. Samba .............................................................................................255
1. Why Use Samba? .......................................................................255
2. Configuring a Samba Server ......................................................255
2.1. Graphical Configuration ..................................................255
2.2. Command Line Configuration ..........................................261
2.3. Encrypted Passwords ......................................................262
2.4. Starting and Stopping the Server ....................................264
3. Connecting to a Samba Share ...................................................265
3.1. Command Line ................................................................267
3.2. Mounting the Share .........................................................268
4. Additional Resources .................................................................268
4.1. Installed Documentation .................................................268
4.2. Useful Websites ...............................................................269
23. Dynamic Host Configuration Protocol (DHCP) .................................271
1. Why Use DHCP? .........................................................................271
2. Configuring a DHCP Server ........................................................271
2.1. Configuration File ............................................................271
2.2. Lease Database ...............................................................276
2.3. Starting and Stopping the Server ....................................277
2.4. DHCP Relay Agent ...........................................................278
3. Configuring a DHCP Client .........................................................279
4. Additional Resources .................................................................280
4.1. Installed Documentation .................................................281
24. Apache HTTP Server Configuration .................................................283
1. Basic Settings ............................................................................284
2. Default Settings .........................................................................287
2.1. Site Configuration ...........................................................287
2.2. Logging ...........................................................................289
2.3. Environment Variables ....................................................291
2.4. Directories .......................................................................294
3. Virtual Hosts Settings ................................................................296
3.1. Adding and Editing a Virtual Host ...................................297
4. Server Settings ..........................................................................301
5. Performance Tuning ..................................................................303
6. Saving Your Settings ..................................................................305
7. Additional Resources .................................................................306
7.1. Installed Documentation .................................................306
7.2. Useful Websites ...............................................................306
7.3. Related Books .................................................................306
25. Apache HTTP Secure Server Configuration .....................................309
1. Introduction ...............................................................................309
2. An Overview of Security-Related Packages ...............................309
3. An Overview of Certificates and Security ..................................312
4. Using Pre-Existing Keys and Certificates ...................................313
5. Types of Certificates ..................................................................314
6. Generating a Key .......................................................................316
7. Generating a Certificate Request to Send to a CA .....................318
8. Creating a Self-Signed Certificate ..............................................320
9. Testing The Certificate ...............................................................321
10. Accessing The Server ..............................................................322
11. Additional Resources ...............................................................323
11.1. Useful Websites .............................................................323
11.2. Related Books ...............................................................323
26. Authentication Configuration ..........................................................325
1. User Information ........................................................................325
2. Authentication ...........................................................................327
3. Command Line Version ..............................................................329
V. System Configuration ...............................................................................333
27. Console Access ................................................................................335
1. Disabling Shutdown Via Ctrl-Alt-Del ........................................335
2. Disabling Console Program Access ............................................336
3. Defining the Console .................................................................337
4. Making Files Accessible From the Console .................................337
5. Enabling Console Access for Other Applications ........................338
6. The floppy Group ........................................................................339
28. Date and Time Configuration ..........................................................341
1. Time and Date Properties ..........................................................341
2. Network Time Protocol (NTP) Properties ....................................343
3. Time Zone Configuration ...........................................................344
29. Keyboard Configuration ...................................................................347
30. Mouse Configuration .......................................................................349
31. X Window System Configuration .....................................................351
1. Display Settings .........................................................................351
2. Display Hardware Settings ........................................................352
3. Dual Head Display Settings .......................................................353
32. Users and Groups ............................................................................355
1. User and Group Configuration ...................................................355
1.1. Adding a New User ..........................................................356
1.2. Modifying User Properties ...............................................358
1.3. Adding a New Group .......................................................360
1.4. Modifying Group Properties .............................................360
2. User and Group Management Tools ...........................................361
2.1. Command Line Configuration ..........................................362
2.2. Adding a User ..................................................................362
2.3. Adding a Group ...............................................................363
2.4. Password Aging ...............................................................364
2.5. Explaining the Process ....................................................367
3. Standard Users ..........................................................................369
4. Standard Groups ........................................................................370
5. User Private Groups ...................................................................373
5.1. Group Directories ............................................................373
6. Shadow Passwords ....................................................................374
7. Additional Resources .................................................................375
7.1. Installed Documentation .................................................375
33. Printer Configuration .......................................................................377
1. Adding a Local Printer ................................................................378
2. Adding an IPP Printer .................................................................380
3. Adding a Samba (SMB) Printer ...................................................381
4. Adding a JetDirect Printer ..........................................................383
5. Selecting the Printer Model and Finishing ..................................384
5.1. Confirming Printer Configuration .....................................385
6. Printing a Test Page ...................................................................386
7. Modifying Existing Printers ........................................................386
7.1. The Settings Tab ...........................................................386
7.2. The Policies Tab ............................................................386
7.3. The Access Control Tab ................................................387
7.4. The Printer and Job Options Tab ..................................387
8. Managing Print Jobs ...................................................................388
9. Additional Resources .................................................................389
9.1. Installed Documentation .................................................389
9.2. Useful Websites ...............................................................389
34. Automated Tasks ............................................................................391
1. Cron ...........................................................................................391
1.1. Configuring Cron Tasks ...................................................391
1.2. Controlling Access to Cron ..............................................393
1.3. Starting and Stopping the Service ..................................394
2. At and Batch ..............................................................................394
2.1. Configuring At Jobs ..........................................................394
2.2. Configuring Batch Jobs ....................................................395
2.3. Viewing Pending Jobs ......................................................396
2.4. Additional Command Line Options ..................................396
2.5. Controlling Access to At and Batch .................................396
2.6. Starting and Stopping the Service ..................................397
3. Additional Resources .................................................................397
x
3.1. Instaed Documentaton .................................................397
35. Log Fes ..........................................................................................399
1. Locatng Log Fes ......................................................................399
2. Vewng Log Fes .......................................................................399
3. Addng a Log Fe .......................................................................401
4. Examnng Log Fes ...................................................................402
36. Manuay Upgradng the Kerne .......................................................405
1. Overvew of Kerne Packages ....................................................405
2. Preparng to Upgrade ................................................................407
3. Downoadng the Upgraded Kerne ............................................409
4. Performng the Upgrade ............................................................409
5. Verfyng the Inta RAM Dsk Image ..........................................410
6. Verfyng the Boot Loader ..........................................................411
6.1. x86 Systems ....................................................................411
6.2. Itanum Systems .............................................................412
6.3. IBM S/390 and IBM eServer zSeres Systems ..................413
6.4. IBM eServer Seres Systems ...........................................413
6.5. IBM eServer pSeres Systems ..........................................414
37. Kerne Modues ................................................................................417
1. Kerne Modue Uttes ...............................................................418
2. Persstent Modue Loadng .........................................................420
3. Addtona Resources .................................................................420
3.1. Instaed Documentaton .................................................420
3.2. Usefu Webstes ...............................................................421
38. Ma Transport Agent (MTA) Confguraton ......................................423
VI. System Montorng ...................................................................................425
39. Gatherng System Informaton ........................................................427
1. System Processes ......................................................................427
2. Memory Usage ...........................................................................430
3. Fe Systems ..............................................................................431
4. Hardware ...................................................................................432
5. Addtona Resources .................................................................434
5.1. Instaed Documentaton .................................................434
40. OProfe ............................................................................................435
1. Overvew of Toos ......................................................................436
2. Confgurng OProfe ...................................................................436
2.1. Specfyng the Kerne ......................................................437
2.2. Settng Events to Montor ................................................438
2.3. Separatng Kerne and User-space Profes .....................441
3. Startng and Stoppng OProfe ..................................................442
Red Hat Enterprise Linux 4.5.0
xv
4. Savng Data ...............................................................................442
5. Anayzng the Data ....................................................................443
5.1. Usng opreport ..................................................................444
5.2. Usng opreport on a Snge Executabe .............................445
5.3. Usng opannotate ..............................................................447
6. Understandng /dev/oprofe/ .......................................................447
7. Exampe Usage ..........................................................................448
8. Graphca Interface ....................................................................449
9. Addtona Resources .................................................................453
9.1. Instaed Docs ..................................................................453
9.2. Usefu Webstes ...............................................................453
Index .............................................................................................................455
xv
xv
Introduction
Welcome to the Red Hat Enterprise Linux System Administration Guide.
The Red Hat Enterprise Linux System Administration Guide contains information on how to customize your Red Hat Enterprise Linux system to fit your needs. If you are looking for a step-by-step, task-oriented guide for configuring and customizing your system, this is the manual for you. This manual discusses many intermediate topics such as the following:
Setting up a network interface card (NIC)
Performing a Kickstart installation
Configuring Samba shares
Managing your software with RPM
Determining information about your system
Upgrading your kernel
This manual is divided into the following main categories:
Installation-Related Reference
File Systems Reference
Package Management
Network Configuration
System Configuration
System Monitoring
This guide assumes you have a basic understanding of your Red Hat Enterprise Linux system. If you need help installing Red Hat Enterprise Linux, refer to the Red Hat Enterprise Linux Installation Guide. For more general information about system administration, refer to the Red Hat Enterprise Linux Introduction to System Administration. If you need more advanced documentation such as an overview of file systems, refer to the Red Hat Enterprise Linux Reference Guide. If you need security information, refer to the Red Hat Enterprise Linux Security Guide.
1. Changes To This Manual
This manual has been reorganized for clarity and updated for the latest features of Red Hat Enterprise Linux 5.0.0. Some of the changes include:
Updated Kernel Modules and Manually Updating the Kernel Chapters
The Kernel Modules and the Upgrading the Kernel Manually chapters include updated information in regards to the 2.6 kernel. Special thanks to Arjan van de Ven for his hard work in helping to complete this chapter.
An Updated Network File System (NFS) Chapter
The Network File System (NFS) chapter has been revised and reorganized to include NFSv4. Special thanks to Steve Dickson for his hard work in helping to complete this chapter.
An Updated OProfile Chapter
The OProfile chapter has been revised and reorganized to include updated information in regards to the 2.6 kernel. Special thanks to Will Cohen for his hard work in helping to complete this chapter.
An Updated X Window System Chapter
The X Window System chapter has been revised to include information on the X11R6.8 release developed by the X.Org team.
Before reading this guide, you should be familiar with the contents of the Red Hat Enterprise Linux Installation Guide concerning installation issues, the Red Hat Enterprise Linux Introduction to System Administration for basic administration concepts, the Red Hat Enterprise Linux System Administration Guide for general customization instructions, and the Red Hat Enterprise Linux Security Guide for security related instructions. This guide contains information about topics for advanced users.
2. Document Conventions
Certain words in this manual are represented in different fonts, styles, and weights. This highlighting indicates that the word is part of a specific category. The categories include the following:
Courier font
Courier font represents commands, file names and paths, and prompts.
When shown as below, it indicates computer output:
Desktop about.html logs paulwesterberg.png
Mail backupfiles mail reports
bold Courier font
Bold Courier font represents text that you are to type, such as: service jonas start
If you have to run a command as root, the root prompt (#) precedes the command:
# gconftool-2
italic Courier font
Italic Courier font represents a variable, such as an installation directory: install_dir/bin/
bold font
Bold font represents application programs and text found on a graphical interface.
When shown like this: OK, it indicates a button on a graphical application interface.
Additionally, the manual uses different strategies to draw your attention to pieces of information. In order of how critical the information is to you, these items are marked as follows:
Note
A note is typically information that you need to understand the behavior of the system.
Tip
A tip is typically an alternative way of performing a task.
Important
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
Caution
A caution indicates an act that would violate your support agreement, such as recompiling the kernel.
Warning
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.
3. More to Come
The Red Hat Enterprise Linux System Administration Guide is part of Red Hat's growing commitment to provide useful and timely support to Red Hat Enterprise Linux users. As new tools and applications are released, this guide will be expanded to include them.
3.1. Send in Your Feedback
If you find an error in the Red Hat Enterprise Linux System Administration Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla/) against the component rh-sag.
Be sure to mention the manual's identifier:
rh-sag
By mentioning this manual's identifier, we know exactly which version of the guide you have.
If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
Part I. Installation-Related Information
The Red Hat Enterprise Linux Installation Guide discusses the installation of Red Hat Enterprise Linux and some basic post-installation troubleshooting. However, advanced installation options are covered in this manual. This part provides instructions for kickstart (an automated installation technique) and all related tools. Use this part in conjunction with the Red Hat Enterprise Linux Installation Guide to perform any of these advanced installation tasks.
Chapter 1. Kickstart Installations
1. What are Kickstart Installations?
Many system administrators would prefer to use an automated installation method to install Red Hat Enterprise Linux on their machines. To answer this need, Red Hat created the kickstart installation method. Using kickstart, a system administrator can create a single file containing the answers to all the questions that would normally be asked during a typical installation.
Kickstart files can be kept on a single server system and read by individual computers during the installation. This installation method can support the use of a single kickstart file to install Red Hat Enterprise Linux on multiple machines, making it ideal for network and system administrators.
Kickstart provides a way for users to automate a Red Hat Enterprise Linux installation.
2. How Do You Perform a Kickstart Installation?
Kickstart installations can be performed using a local CD-ROM, a local hard drive, or via NFS, FTP, or HTTP.
To use kickstart, you must:
1. Create a kickstart file.
2. Create boot media with the kickstart file or make the kickstart file available on the network.
3. Make the installation tree available.
4. Start the kickstart installation.
This chapter explains these steps in detail.
3. Creating the Kickstart File
The kickstart file is a simple text file, containing a list of items, each identified by a keyword. You can create it by editing a copy of the sample.ks file found in the RH-DOCS directory of the Red Hat Enterprise Linux Documentation CD, using the Kickstart Configurator application, or writing it from scratch. The Red Hat Enterprise Linux installation program also creates a sample kickstart file based on the options that you selected during installation. It is written to the file /root/anaconda-ks.cfg. You should be able to edit it with any text editor or word processor that can save files as ASCII text.
First, be aware of the following issues when you are creating your kickstart file:
Sections must be specified in order. Items within the sections do not have to be in a specific order unless otherwise specified. The section order is:
Command section - Refer to Section 4, "Kickstart Options" for a list of kickstart options. You must include the required options.
The %packages section - Refer to Section 5, "Package Selection" for details.
The %pre and %post sections - These two sections can be in any order and are not required. Refer to Section 6, "Pre-installation Script" and Section 7, "Post-installation Script" for details.
Items that are not required can be omitted.
Omitting any required item results in the installation program prompting the user for an answer to the related item, just as the user would be prompted during a typical installation. Once the answer is given, the installation continues unattended (unless it finds another missing item).
Lines starting with a pound (or hash) sign (#) are treated as comments and are ignored.
For kickstart upgrades, the following items are required:
Language
Language support
Installation method
Device specification (if device is needed to perform the installation)
Keyboard setup
The upgrade keyword
Boot loader configuration
If any other items are specified for an upgrade, those items are ignored (note that this includes package selection).
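The ordering and required-item rules above are easy to get wrong in a hand-edited file, and a missing keyword turns an unattended installation into one that stalls at a prompt. The following Python script is an added example (not code from the Red Hat guide): it applies those rules to kickstart text, ignoring comment lines, requiring %packages to precede %pre and %post, and reporting every required keyword the installer would otherwise prompt for. The set of required keywords is an assumption limited to the ones this chapter's option list marks as required, and the two sample kickstart files are constructed for the demonstration.

```python
"""Structural check of a kickstart file (added example, not from the guide)."""
import shlex

# Assumption: the keywords this chapter marks as required for an install
# and for an upgrade.  authconfig is an alias for auth.
REQUIRED_INSTALL = {"auth", "bootloader", "keyboard", "lang", "langsupport", "mouse"}
REQUIRED_UPGRADE = {"lang", "langsupport", "keyboard", "bootloader"}
INSTALL_METHODS = {"cdrom", "harddrive", "nfs", "url"}
KNOWN_SECTIONS = {"%packages", "%pre", "%post"}


def parse_kickstart(text):
    """Split kickstart text into the command section and the %-sections.

    Returns (commands, sections, order): commands is a list of
    (keyword, [args]); sections maps a %-name to its body lines; order
    lists the %-names as they first appear.  Blank and '#' lines are
    dropped, as the installer ignores them."""
    commands, sections, order = [], {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            current = line.split()[0]
            if current not in sections:
                sections[current] = []
                order.append(current)
            continue
        if current is None:
            tokens = shlex.split(line)
            commands.append((tokens[0], tokens[1:]))
        else:
            sections[current].append(line)
    return commands, sections, order


def check_kickstart(text):
    """Return a list of problems; an empty list means the file follows the
    ordering and required-keyword rules described in the text."""
    commands, sections, order = parse_kickstart(text)
    problems = []
    keywords = {"auth" if kw == "authconfig" else kw for kw, _ in commands}

    if "%packages" in order and order.index("%packages") != 0:
        problems.append("%packages must come before the %pre and %post sections")
    for name in order:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}")
    for kw, args in commands:
        if kw == "install" and args:
            problems.append("install and the installation method must be on separate lines")

    if "upgrade" in keywords:
        missing = REQUIRED_UPGRADE - keywords
    else:
        missing = REQUIRED_INSTALL - keywords
        if len(INSTALL_METHODS & keywords) != 1:
            problems.append("an installation needs exactly one of cdrom, harddrive, nfs or url")
        if not {"part", "partition", "autopart"} & keywords:
            problems.append("no part/partition or autopart line; the installer would prompt for partitioning")
    for kw in sorted(missing):
        problems.append(f"missing required keyword {kw}; the installer would prompt for it")
    return problems


# Constructed sample kickstart file that follows the rules.
SAMPLE_KS = """\
# constructed sample kickstart file (not from the guide)
install
cdrom
lang en_US
langsupport --default=en_US en_US
keyboard us
mouse generic3ps/2
auth --useshadow --enablemd5
bootloader --location=mbr
clearpart --all --initlabel
part / --size=1024 --grow
part swap --recommended
%packages
@ Base
%post
echo "post-install script" > /root/post.log
"""

# Constructed file that breaks the rules: install and cdrom on one line
# (so no method keyword is seen), no auth line, no partitioning, and
# %post placed before %packages.
BROKEN_KS = """\
install cdrom
lang en_US
langsupport en_US
keyboard us
mouse generic3ps/2
bootloader --location=mbr
%post
echo "post-install script" > /root/post.log
%packages
@ Base
"""

if __name__ == "__main__":
    for name, ks in (("sample", SAMPLE_KS), ("broken", BROKEN_KS)):
        print(name, check_kickstart(ks) or "ok")
```

Run it against a real file with `check_kickstart(open("ks.cfg").read())`; the section bodies are returned by `parse_kickstart` so the same split can feed further checks on the %packages list.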
4. Kickstart Options
The following options can be placed in a kickstart file. If you prefer to use a graphical interface for creating your kickstart file, use the Kickstart Configurator application. Refer to Chapter 2, Kickstart Configurator for details.
Note
If the option is followed by an equals mark (=), a value must be specified after it. In the example commands, options in brackets ([]) are optional arguments for the command.
autopart (optional)
Automatically create partitions - 1 GB or more root (/) partition, a swap partition, and an appropriate boot partition for the architecture. One or more of the default partition sizes can be redefined with the part directive.
ignoredisk (optional)
Causes the installer to ignore the specified disks. This is useful if you use autopartition and want to be sure that some disks are ignored. For example, without ignoredisk, attempting to deploy on a SAN-cluster the kickstart would fail, as the installer detects passive paths to the SAN that return no partition table.
The ignoredisk option is also useful if you have multiple paths to your disks.
The syntax is:
ignoredisk --drives=drive1,drive2,...
where driveN is one of sda, sdb,..., hda,... etc.
autostep (optional)
Similar to interactive except it goes to the next screen for you. It is used mostly for debugging.
auth or authconfig (required)
Sets up the authentication options for the system. It is similar to the authconfig command, which can be run after the install. By default, passwords are normally encrypted and are not shadowed.
--enablemd5
Use md5 encryption for user passwords.
--enablenis
Turns on NIS support. By default, --enablenis uses whatever domain it finds on the network. A domain should almost always be set by hand with the --nisdomain= option.
--nisdomain=
NIS domain name to use for NIS services.
--nisserver=
Server to use for NIS services (broadcasts by default).
--useshadow or --enableshadow
Use shadow passwords.
--enableldap
Turns on LDAP support in /etc/nsswitch.conf, allowing your system to retrieve information about users (UIDs, home directories, shells, etc.) from an LDAP directory. To use this option, you must install the nss_ldap package. You must also specify a server and a base DN (distinguished name) with --ldapserver= and --ldapbasedn=.
--enableldapauth
Use LDAP as an authentication method. This enables the pam_ldap module for authentication and changing passwords, using an LDAP directory. To use this option, you must have the nss_ldap package installed. You must also specify a server and a base DN with --ldapserver= and --ldapbasedn=.
--ldapserver=
If you specified either --enableldap or --enableldapauth, use this option to specify the name of the LDAP server to use. This option is set in the /etc/ldap.conf file.
--ldapbasedn=
If you specified either --enableldap or --enableldapauth, use this option to specify the DN in your LDAP directory tree under which user information is stored. This option is set in the /etc/ldap.conf file.
--enableldaptls
Use TLS (Transport Layer Security) lookups. This option allows LDAP to send encrypted usernames and passwords to an LDAP server before authentication.
--enablekrb5
Use Kerberos 5 for authenticating users. Kerberos itself does not know about home directories, UIDs, or shells. If you enable Kerberos, you must make users' accounts known to this workstation by enabling LDAP, NIS, or Hesiod or by using the /usr/sbin/useradd command to make their accounts known to this workstation. If you use this option, you must have the pam_krb5 package installed.
--krb5realm=
The Kerberos 5 realm to which your workstation belongs.
--krb5kdc=
The KDC (or KDCs) that serve requests for the realm. If you have multiple KDCs in your realm, separate their names with commas (,).
--krb5adminserver=
The KDC in your realm that is also running kadmind. This server handles password changing and other administrative requests. This server must be run on the master KDC if you have more than one KDC.
--enablehesiod
Enable Hesiod support for looking up user home directories, UIDs, and shells. More information on setting up and using Hesiod on your network is in /usr/share/doc/glibc-2.x.x/README.hesiod, which is included in the glibc package. Hesiod is an extension of DNS that uses DNS records to store information about users, groups, and various other items.
--hesiodlhs
The Hesiod LHS ("left-hand side") option, set in /etc/hesiod.conf. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP's use of a base DN.
--hesiodrhs
The Hesiod RHS ("right-hand side") option, set in /etc/hesiod.conf. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP's use of a base DN.
Tip
To look up user information for "jim", the Hesiod library looks up jim.passwd<LHS><RHS>, which should resolve to a TXT record that looks like what his passwd entry would look like (jim:*:501:501:jungle jim:/home/jim:/bin/bash). For groups, the situation is identical, except jim.group<LHS><RHS> would be used.
Looking up users and groups by number is handled by making "501.uid" a CNAME for "jim.passwd", and "501.gid" a CNAME for "jim.group". Note that the LHS and RHS do not have periods (.) put in front of them when the library determines the name for which to search, so the LHS and RHS usually begin with periods.
--enablesmbauth
Enables authentication of users against an SMB server (typically a Samba or Windows server). SMB authentication support does not know about home directories, UIDs, or shells. If you enable SMB, you must make users' accounts known to the workstation by enabling LDAP, NIS, or Hesiod or by using the /usr/sbin/useradd command to make their accounts known to the workstation. To use this option, you must have the pam_smb package installed.
--smbservers=
The name of the server(s) to use for SMB authentication. To specify more than one server, separate the names with commas (,).
--smbworkgroup=
The name of the workgroup for the SMB servers.
--enablecache
Enables the nscd service. The nscd service caches information about users, groups, and various other types of information. Caching is especially helpful if you choose to distribute information about users and groups over your network using NIS, LDAP, or hesiod.
bootoader (requred)
Specfes how the GRUB boot oader shoud be nstaed. Ths opton s requred
for both nstaatons and upgrades. For upgrades, f GRUB s not the current
Chapter 1. Kickstart lnstalla...
8
boot oader, the boot oader s changed to GRUB. To preserve other boot
oaders, use bootoader --upgrade.
--append=
Specfes kerne parameters. To specfy mutpe parameters, separate them wth
spaces. For exampe:
bootoader --ocaton=mbr --append="hdd=de-scs de=nodma"
--drveorder
Specfy whch drve s frst n the BIOS boot order. For exampe:
bootoader --drveorder=sda,hda
--ocaton=
Specfes where the boot record s wrtten. Vad vaues are the foowng: mbr
(the defaut), partton (nstas the boot oader on the frst sector of the partton
contanng the kerne), or none (do not nsta the boot oader).
--password=
Sets the GRUB boot oader password to the one specfed wth ths opton. Ths
shoud be used to restrct access to the GRUB she, where arbtrary kerne
optons can be passed.
--md5pass=
Smar to --password= except the password shoud aready be encrypted.
--upgrade
Upgrade the exstng boot oader confguraton, preservng the od entres. Ths
opton s ony avaabe for upgrades.
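The auth and bootloader options above carry the installed system's password-handling defaults: auth leaves passwords unshadowed and without md5 unless told otherwise, LDAP lookups go unencrypted without --enableldaptls, and a bootloader line without --password or --md5pass leaves the GRUB shell open. The following Python script is an added example (not code from the Red Hat guide) that audits those two lines of a kickstart file; since kickstart files are commonly fetched over NFS, FTP or HTTP, it also flags --password, whose value sits in the file in clear text, in favour of --md5pass. The sample lines and the hash placeholder are constructed.

```python
"""Audit the auth and bootloader lines of a kickstart file (added example)."""
import shlex


def parse_options(line):
    """Return (positional args, options) for one kickstart command line.
    '--name=value' maps name to value; a bare '--flag' maps flag to True."""
    positional, options = [], {}
    for tok in shlex.split(line)[1:]:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            options[name] = value if sep else True
        else:
            positional.append(tok)
    return positional, options


def audit_auth(line):
    """Findings for an auth/authconfig line, per the option descriptions."""
    _, o = parse_options(line)
    findings = []
    if "useshadow" not in o and "enableshadow" not in o:
        findings.append("auth: passwords are not shadowed; add --useshadow or --enableshadow")
    if "enablemd5" not in o:
        findings.append("auth: add --enablemd5 instead of the default crypt hash")
    if "enableldap" in o or "enableldapauth" in o:
        if "enableldaptls" not in o:
            findings.append("auth: LDAP without --enableldaptls sends usernames and passwords unencrypted")
        for required in ("ldapserver", "ldapbasedn"):
            if not isinstance(o.get(required), str) or not o[required]:
                findings.append(f"auth: --{required}= is required with --enableldap/--enableldapauth")
    return findings


def audit_bootloader(line):
    """Findings for a bootloader line."""
    _, o = parse_options(line)
    if o.get("location") == "none" or "upgrade" in o:
        return []          # no GRUB installed, or existing configuration kept
    if "md5pass" in o:
        return []
    if "password" in o:
        # the kickstart file travels over the network, so this value is
        # readable by anyone who can fetch the file
        return ["bootloader: --password stores the GRUB password in clear text; use --md5pass="]
    return ["bootloader: no --password/--md5pass; the GRUB shell can pass arbitrary kernel options"]


def audit_kickstart(text):
    """Run both audits over the command section of a kickstart file."""
    findings, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            break                      # command section ends here
        keyword = line.split()[0]
        seen.add(keyword)
        if keyword in ("auth", "authconfig"):
            findings += audit_auth(line)
        elif keyword == "bootloader":
            findings += audit_bootloader(line)
    for label, names in (("auth", {"auth", "authconfig"}), ("bootloader", {"bootloader"})):
        if not seen & names:
            findings.append(f"{label}: line missing; the installer would prompt for it")
    return findings


# Constructed sample: LDAP authentication without TLS or shadowing, and
# GRUB left without a password.
WEAK_KS = """\
auth --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com
bootloader --location=mbr
"""

# The same two lines with the findings addressed.  The --md5pass value is
# a placeholder, not a real hash.
HARDENED_KS = """\
auth --useshadow --enablemd5 --enableldapauth --enableldaptls --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com
bootloader --location=mbr --md5pass=$1$PLACEHOLDER$notarealhash
"""

if __name__ == "__main__":
    for name, ks in (("weak", WEAK_KS), ("hardened", HARDENED_KS)):
        print(name, audit_kickstart(ks) or "ok")
```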
clearpart (optional)
Removes partitions from the system, prior to creation of new partitions. By default, no partitions are removed.
Note
If the clearpart command is used, then the --onpart command cannot be used on a logical partition.
--all
Erases all partitions from the system.
--drives=
Specifies which drives to clear partitions from. For example, the following clears all the partitions on the first two drives on the primary IDE controller:
clearpart --drives=hda,hdb --all
--initlabel
Initializes the disk label to the default for your architecture (for example msdos for x86 and gpt for Itanium). It is useful so that the installation program does not ask if it should initialize the disk label if installing to a brand new hard drive.
--linux
Erases all Linux partitions.
--none (default)
Do not remove any partitions.
cmdline (optional)
Perform the installation in a completely non-interactive command line mode. Any prompt for interaction halts the install. This mode is useful on S/390 systems with the x3270 console.
device (optional)
On most PCI systems, the installation program autoprobes for Ethernet and SCSI cards properly. On older systems and some PCI systems, however, kickstart needs a hint to find the proper devices. The device command, which tells the installation program to install extra modules, is in this format:
device <type> <moduleName> --opts=<options>
<type>
Replace with either scsi or eth
<moduleName>
Replace with the name of the kernel module which should be installed.
--opts=
Mount options to use for mounting the NFS export. Any options that can be specified in /etc/fstab for an NFS mount are allowed. The options are listed in the nfs(5) man page. Multiple options are separated with a comma.
driverdisk (optional)
Driver diskettes can be used during kickstart installations. You must copy the driver diskette's contents to the root directory of a partition on the system's hard drive. Then you must use the driverdisk command to tell the installation program where to look for the driver disk.
driverdisk <partition> [--type=<fstype>]
Alternatively, a network location can be specified for the driver diskette:
driverdisk --source=ftp://path/to/dd.img
driverdisk --source=http://path/to/dd.img
driverdisk --source=nfs:host:/path/to/img
<partition>
Partition containing the driver disk.
--type=
File system type (for example, vfat or ext2).
firewall (optional)
This option corresponds to the Firewall Configuration screen in the installation program:
firewall --enabled|--disabled [--trust=] <device> [--port=]
--enabled
Reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
--disabled
Do not configure any iptables rules.
--trust=
Listing a device here, such as eth0, allows all traffic coming from that device to go through the firewall. To list more than one device, use --trust eth0 --trust eth1. Do NOT use a comma-separated format such as --trust eth0, eth1.
<incoming>
Replace with one or more of the following to allow the specified services through the firewall.
--ssh
--telnet
--smtp
--http
--ftp
--port=
You can specify that ports be allowed through the firewall using the port:protocol format. For example, to allow IMAP access through your firewall, specify imap:tcp. Numeric ports can also be specified explicitly; for example, to allow UDP packets on port 1234 through, specify 1234:udp. To specify multiple ports, separate them by commas.
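The firewall line decides what the freshly installed system accepts from the network before anyone logs in, so it is worth reducing it to the explicit list of exposed ports before the file is deployed. The following Python function is an added example (not code from the Red Hat guide): it parses a firewall line as described above, collects the allowed port:protocol entries, accepts both the --trust=eth0 and the --trust eth0 forms while flagging the comma-separated form the text warns against, and rejects --port entries that are not in port:protocol format. The port numbers assigned to the --ssh, --telnet, --smtp, --http and --ftp flags are an assumption based on the well-known ports; the sample lines are constructed.

```python
"""Summarize what a kickstart firewall line exposes (added example)."""
import shlex

SERVICE_PORTS = {        # assumed mapping of the service flags to well-known ports
    "ssh": "22:tcp",
    "telnet": "23:tcp",
    "smtp": "25:tcp",
    "http": "80:tcp",
    "ftp": "21:tcp",
}


def parse_firewall(line):
    """Return {'enabled', 'trusted', 'ports', 'problems', 'notes'} for one
    kickstart firewall line."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "firewall":
        raise ValueError("not a firewall line")
    result = {"enabled": None, "trusted": [], "ports": [], "problems": [], "notes": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--enabled":
            result["enabled"] = True
        elif tok == "--disabled":
            result["enabled"] = False
        elif tok == "--trust" or tok.startswith("--trust="):
            if "=" in tok:
                device = tok.split("=", 1)[1]
            else:                      # the '--trust eth0' form shown in the text
                i += 1
                device = tokens[i] if i < len(tokens) else ""
            if "," in device or not device:
                result["problems"].append(f"--trust takes one device per flag, not {device!r}")
            else:
                result["trusted"].append(device)
        elif tok.startswith("--port="):
            for spec in tok.split("=", 1)[1].split(","):
                port, sep, proto = spec.partition(":")
                if not sep or not port or proto not in ("tcp", "udp"):
                    result["problems"].append(f"--port entry must be port:protocol, got {spec!r}")
                else:
                    result["ports"].append(spec)
        elif tok.startswith("--") and tok[2:] in SERVICE_PORTS:
            result["ports"].append(SERVICE_PORTS[tok[2:]])
        else:
            result["problems"].append(f"unknown firewall argument {tok!r}")
        i += 1

    if result["enabled"] is None:
        result["problems"].append("neither --enabled nor --disabled given")
    elif result["enabled"] is False:
        result["notes"].append("firewall disabled: no iptables rules are configured")
    if "23:tcp" in result["ports"]:
        result["notes"].append("telnet allowed: credentials cross the network in clear text")
    for device in result["trusted"]:
        result["notes"].append(f"all traffic arriving on {device} bypasses the filter")
    return result


# Constructed sample lines: a valid one, the comma-separated --trust form
# the text warns against (with a --port entry missing its protocol), and
# a disabled firewall.
SAMPLE_LINES = [
    "firewall --enabled --trust eth1 --ssh --port=imap:tcp,1234:udp",
    "firewall --enabled --trust eth0, eth1 --port=1234",
    "firewall --disabled",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("   ", parse_firewall(line))
```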
firstboot (optional)
Determine whether the Setup Agent starts the first time the system is booted. If enabled, the firstboot package must be installed. If not specified, this option is disabled by default.
--enable
The Setup Agent is started the first time the system boots.
--disable
The Setup Agent is not started the first time the system boots.
--reconfig
Enable the Setup Agent to start at boot time in reconfiguration mode. This mode enables the language, mouse, keyboard, root password, security level, time zone, and networking configuration options in addition to the default ones.
halt (optional)
Halt the system after the installation has successfully completed. This is similar to a manual installation, where anaconda displays a message and waits for the user to press a key before rebooting. During a kickstart installation, if no completion method is specified, the reboot option is used as default.
The halt option is roughly equivalent to the shutdown -h command.
For other completion methods, refer to the poweroff, reboot, and shutdown kickstart options.
install (optional)
Tells the system to install a fresh system rather than upgrade an existing system. This is the default mode. For installation, you must specify the type of installation from cdrom, harddrive, nfs, or url (for FTP or HTTP installations). The install command and the installation method command must be on separate lines.
cdrom
Install from the first CD-ROM drive on the system.
harddrive
Install from a Red Hat installation tree on a local drive, which must be either vfat or ext2.
--partition=
Partition to install from (such as sdb2).
--dir=
Directory containing the RedHat directory of the installation tree.
For example:
harddrive --partition=hdb2 --dir=/tmp/install-tree
nfs
Install from the NFS server specified.
--server=
Server from which to install (hostname or IP).
--dir=
Directory containing the RedHat directory of the installation tree.
For example:
nfs --server=nfsserver.example.com --dir=/tmp/install-tree
url
Install from an installation tree on a remote server via FTP or HTTP.
For example:
url --url http://<server>/<dir>
or:
url --url ftp://<username>:<password>@<server>/<dir>
interactive (optional)
Uses the information provided in the kickstart file during the installation, but allows for inspection and modification of the values given. You are presented with each screen of the installation program with the values from the kickstart file. Either accept the values by clicking Next or change the values and click Next to continue. Refer to the autostep command.
keyboard (required)
Sets system keyboard type. Here is the list of available keyboards on i386, Itanium, and Alpha machines:
be-latin1, bg, br-abnt2, cf, cz-lat2, cz-us-qwertz, de, de-latin1, de-latin1-nodeadkeys, dk, dk-latin1, dvorak, es, et, fi, fi-latin1, fr, fr-latin0, fr-latin1, fr-pc, fr_CH, fr_CH-latin1, gr, hu, hu101, is-latin1, it, it-ibm, it2, jp106, la-latin1, mk-utf, no, no-latin1, pl, pt-latin1, ro_win, ru, ru-cp1251, ru-ms, ru1, ru2, ru_win, se-latin1, sg, sg-latin1, sk-qwerty, slovene, speakup, speakup-lt, sv-latin1, sg, sg-latin1, sk-querty, slovene, trq, ua, uk, us, us-acentos
The file /usr/lib/python2.2/site-packages/rhpl/keyboard_models.py also contains this list and is part of the rhpl package.
lang (required)
Sets the language to use during installation. For example, to set the language to English, the kickstart file should contain the following line:
lang en_US
The file /usr/share/system-config-language/locale-list provides a list of the valid language codes in the first column of each line and is part of the system-config-language package.
langsupport (required)
Sets the language(s) to install on the system. The same language codes used with lang can be used with langsupport.
To install one language, specify it. For example, to install and use the French language fr_FR:
langsupport fr_FR
--default=
If language support for more than one language is specified, a default must be identified.
For example, to install English and French and use English as the default language:
langsupport --default=en_US fr_FR
If you use --default with only one language, all languages are installed with the specified language set to the default.
logvol (optional)
Create a logical volume for Logical Volume Management (LVM) with the syntax:
logvol <mntpoint> --vgname=<name> --size=<size> --name=<name> <options>
The options are as follows:
--noformat
Use an existing logical volume and do not format it.
--useexisting
Use an existing logical volume and reformat it.
--pesize
Set the size of the physical extents.
Create the partition first, create the logical volume group, and then create the logical volume. For example:
part pv.01 --size 3000
volgroup myvg pv.01
logvol / --vgname=myvg --size=2000 --name=rootvol
For a detailed example of logvol in action, refer to Section 4.1, "Advanced Partitioning Example".
mouse (required)
Configures the mouse for the system, both in GUI and text modes. Options are:
--device=
Device the mouse is on (such as --device=ttyS0).
--emulthree
If present, simultaneous clicks on the left and right mouse buttons are recognized as the middle mouse button by the X Window System. This option should be used if you have a two button mouse.
After options, the mouse type may be specified as one of the following:
alpsps/2, ascii, asciips/2, atibm, generic, generic3, genericps/2, generic3ps/2, genericwheelps/2, genericusb, generic3usb, genericwheelusb, geniusnm, geniusnmps/2, geniusprops/2, geniusscrollps/2, geniusscrollps/2+, thinking, thinkingps/2, logitech, logitechcc, logibm, logimman, logimmanps/2, logimman+, logimman+ps/2, logimmusb, microsoft, msnew, msintelli, msintellips/2, msintelliusb, msbm, mousesystems, mmseries, mmhittab, sun, none
This list can also be found in the /usr/lib/python2.2/site-packages/rhpl/mouse.py file, which is part of the rhpl package.
If the mouse command is given without any arguments, or it is omitted, the installation program attempts to automatically detect the mouse. This procedure works for most modern mice.
network (optional)
Configures network information for the system. If the kickstart installation does not require networking (in other words, it is not installed over NFS, HTTP, or FTP), networking is not configured for the system. If the installation does require networking and network information is not provided in the kickstart file, the installation program assumes that the installation should be done over eth0 via a dynamic IP address (BOOTP/DHCP), and configures the final, installed system to determine its IP address dynamically. The network option configures networking information for kickstart installations via a network as well as for the installed system.
--bootproto=
One of dhcp, bootp, or static.
It defaults to dhcp. bootp and dhcp are treated the same.
The DHCP method uses a DHCP server system to obtain its networking configuration. As you might guess, the BOOTP method is similar, requiring a BOOTP server to supply the networking configuration. To direct a system to use DHCP:
network --bootproto=dhcp
To direct a machine to use BOOTP to obtain its networking configuration, use the following line in the kickstart file:
network --bootproto=bootp
The static method requires that you enter all the required networking information in the kickstart file. As the name implies, this information is static and is used during and after the installation. The line for static networking is more complex, as you must include all network configuration information on one line. You must specify the IP address, netmask, gateway, and nameserver. For example (the "\" indicates that this should be read as one continuous line):
network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 \
--gateway=10.0.2.254 --nameserver=10.0.2.1
If you use the static method, be aware of the following two restrictions:
All static networking configuration information must be specified on one line; you cannot wrap lines using a backslash, for example.
You can also configure multiple nameservers here. To do so, specify them as a comma-delimited list in the command line. For example:
network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 \
--gateway=10.0.2.254 --nameserver=192.168.2.1,192.168.3.1
--device=
Used to select a specific Ethernet device for installation. Note that using --device= is not effective unless the kickstart file is a local file (such as ks=floppy), since the installation program configures the network to find the kickstart file. For example:
network --bootproto=dhcp --device=eth0
--ip=
IP address for the machine to be installed.
--gateway=
Default gateway as an IP address.
--nameserver=
Primary nameserver, as an IP address.
--nodns
Do not configure any DNS server.
--netmask=
Netmask for the installed system.
--hostname=
Hostname for the installed system.
--nostorage
Do not auto-probe storage devices such as iSCSI, IDE or RAID.
part or partton (requred for nstas, gnored for upgrades)
Creates a partton on the system.
If more than one Red Hat Enterprse Lnux nstaaton exsts on the system on
dfferent parttons, the nstaaton program prompts the user and asks whch
nstaaton to upgrade.
Warning
A parttons created are formatted as part of the nstaaton process
uness --noformat and --onpart are used.
For a detaed exampe of part n acton, refer to Secton 4.1, "Advanced
Parttonng Exampe".
<mntpoint>
The <mntpoint> is where the partition is mounted and must be of one of the
following forms:
/<path>
For example, /, /usr, /home
swap
The partition is used as swap space.
To determine the size of the swap partition automatically, use the
--recommended option:
swap --recommended
The minimum size of the automatically-generated swap partition is no smaller
than the amount of RAM in the system and no larger than twice the amount of
RAM in the system.
raid.<id>
The partition is used for software RAID (refer to raid).
pv.<id>
The partition is used for LVM (refer to logvol).
--size=
The minimum partition size in megabytes. Specify an integer value here such as
500. Do not append the number with MB.
--grow
Tells the partition to grow to fill available space (if any), or up to the maximum
size setting.
--maxsize=
The maximum partition size in megabytes when the partition is set to grow.
Specify an integer value here, and do not append the number with MB.
--noformat
Tells the installation program not to format the partition, for use with the --onpart
command.
--onpart= or --usepart=
Put the partition on the already existing device. For example:
partition /home --onpart=hda1
puts /home on /dev/hda1, which must already exist.
--ondisk= or --ondrive=
Forces the partition to be created on a particular disk. For example, --ondisk=sdb
puts the partition on the second SCSI disk on the system.
--asprimary
Forces automatic allocation of the partition as a primary partition, or the
partitioning fails.
--type= (replaced by fstype)
This option is no longer available. Use fstype.
--fstype=
Sets the file system type for the partition. Valid values are ext2, ext3, swap, and
vfat.
--start=
Specifies the starting cylinder for the partition. It requires that a drive be
specified with --ondisk= or --ondrive=. It also requires that the ending cylinder be
specified with --end= or the partition size be specified with --size=.
--end=
Specifies the ending cylinder for the partition. It requires that the starting
cylinder be specified with --start=.
Note
If partitioning fails for any reason, diagnostic messages appear on
virtual console 3.
poweroff (optional)
Shut down and power off the system after the installation has successfully
completed. Normally during a manual installation, anaconda displays a message
and waits for the user to press a key before rebooting. During a kickstart
installation, if no completion method is specified, the reboot option is used as
default.
The poweroff option is roughly equivalent to the shutdown -p command.
Note
The poweroff option is highly dependent on the system hardware in
use. Specifically, certain hardware components such as the BIOS, APM
(advanced power management), and ACPI (advanced configuration and
power interface) must be able to interact with the system kernel.
Contact your manufacturer for more information on your system's
APM/ACPI abilities.
For other completion methods, refer to the halt, reboot, and shutdown kickstart
options.
raid (optional)
Assembles a software RAID device. This command is of the form:
raid <mntpoint> --level=<level> --device=<mddevice> <partitions*>
<mntpoint>
Location where the RAID file system is mounted. If it is /, the RAID level must be
1 unless a boot partition (/boot) is present. If a boot partition is present, the /boot
partition must be level 1 and the root (/) partition can be any of the available
types. The <partitions*> (which denotes that multiple partitions can be listed)
lists the RAID identifiers to add to the RAID array.
--level=
RAID level to use (0, 1, or 5).
--device=
Name of the RAID device to use (such as md0 or md1). RAID devices range from
md0 to md7, and each may only be used once.
--spares=
Specifies the number of spare drives allocated for the RAID array. Spare drives
are used to rebuild the array in case of drive failure.
--fstype=
Sets the file system type for the RAID array. Valid values are ext2, ext3, swap,
and vfat.
--noformat
Use an existing RAID device and do not format the RAID array.
--useexisting
Use an existing RAID device and reformat it.
The following example shows how to create a RAID level 1 partition for /, and a
RAID level 5 for /usr, assuming there are three SCSI disks on the system. It also
creates three swap partitions, one on each drive.
part raid.01 --size=60 --ondisk=sda
part raid.02 --size=60 --ondisk=sdb
part raid.03 --size=60 --ondisk=sdc
part swap --size=128 --ondisk=sda
part swap --size=128 --ondisk=sdb
part swap --size=128 --ondisk=sdc
part raid.11 --size=1 --grow --ondisk=sda
part raid.12 --size=1 --grow --ondisk=sdb
part raid.13 --size=1 --grow --ondisk=sdc
raid / --level=1 --device=md0 raid.01 raid.02 raid.03
raid /usr --level=5 --device=md1 raid.11 raid.12 raid.13
For a detailed example of raid in action, refer to Section 4.1, "Advanced
Partitioning Example".
reboot (optional)
Reboot after the installation is successfully completed (no arguments). Normally
during a manual installation, anaconda displays a message and waits for the
user to press a key before rebooting.
The reboot option is roughly equivalent to the shutdown -r command.
Note
Use of the reboot option may result in an endless installation loop,
depending on the installation media and method.
The reboot option is the default completion method if no other methods
are explicitly specified in the kickstart file.
For other completion methods, refer to the halt, poweroff, and shutdown kickstart
options.
rootpw (required)
Sets the system's root password to the <password> argument.
rootpw [--iscrypted] <password>
--iscrypted
If this is present, the password argument is assumed to already be encrypted.
selinux (optional)
Sets the system's SELinux mode to one of the following arguments:
--enforcing
Enables SELinux with the default targeted policy being enforced.
Note
If the selinux option is not present in the kickstart file, SELinux is
enabled and set to --enforcing by default.
--permissive
Outputs warnings only based on the SELinux policy, but does not actually
enforce the policy.
--disabled
Disables SELinux completely on the system.
For complete information regarding SELinux for Red Hat Enterprise Linux, refer
to the Red Hat SELinux Guide.
shutdown (optional)
Shut down the system after the installation has successfully completed. During a
kickstart installation, if no completion method is specified, the reboot option is
used as default.
The shutdown option is roughly equivalent to the shutdown command.
For other completion methods, refer to the halt, poweroff, and reboot kickstart
options.
skipx (optional)
If present, X is not configured on the installed system.
text (optional)
Perform the kickstart installation in text mode. Kickstart installations are
performed in graphical mode by default.
timezone (required)
Sets the system time zone to <timezone> which may be any of the time zones
listed by timeconfig.
timezone [--utc] <timezone>
--utc
If present, the system assumes the hardware clock is set to UTC (Greenwich
Mean) time.
upgrade (optional)
Tells the system to upgrade an existing system rather than install a fresh
system. You must specify one of cdrom, harddrive, nfs, or url (for FTP and HTTP) as
the location of the installation tree. Refer to install for details.
xconfig (optional)
Configures the X Window System. If this option is not given, the user must
configure X manually during the installation, if X was installed; this option should
not be used if X is not installed on the final system.
--noprobe
Do not probe the monitor.
--card=
Use specified card; this card name should be from the list of cards in
/usr/share/hwdata/Cards from the hwdata package. The list of cards can also be
found on the X Configuration screen of the Kickstart Configurator. If this
argument is not provided, the installation program probes the PCI bus for the
card. Since AGP is part of the PCI bus, AGP cards are detected if supported. The
probe order is determined by the PCI scan order of the motherboard.
--videoram=
Specifies the amount of video RAM the video card has.
--monitor=
Use specified monitor; monitor name should be from the list of monitors in
/usr/share/hwdata/MonitorsDB from the hwdata package. The list of monitors can
also be found on the X Configuration screen of the Kickstart Configurator.
This is ignored if --hsync or --vsync is provided. If no monitor information is
provided, the installation program tries to probe for it automatically.
--hsync=
Specifies the horizontal sync frequency of the monitor.
--vsync=
Specifies the vertical sync frequency of the monitor.
--defaultdesktop=
Specify either GNOME or KDE to set the default desktop (assumes that GNOME
Desktop Environment and/or KDE Desktop Environment has been installed
through %packages).
--startxonboot
Use a graphical login on the installed system.
--resolution=
Specify the default resolution for the X Window System on the installed system.
Valid values are 640x480, 800x600, 1024x768, 1152x864, 1280x1024,
1400x1050, 1600x1200. Be sure to specify a resolution that is compatible with
the video card and monitor.
--depth=
Specify the default color depth for the X Window System on the installed
system. Valid values are 8, 16, 24, and 32. Be sure to specify a color depth that
is compatible with the video card and monitor.
volgroup (optional)
Use to create a Logical Volume Management (LVM) group with the syntax:
volgroup <name> <partition> <options>
The options are as follows:
--noformat
Use an existing volume group and do not format it.
--useexisting
Use an existing volume group and reformat it.
Create the partition first, create the logical volume group, and then create the
logical volume. For example:
part pv.01 --size 3000
volgroup myvg pv.01
logvol / --vgname=myvg --size=2000 --name=rootvol
For a detailed example of volgroup in action, refer to Section 4.1, "Advanced
Partitioning Example".
zerombr (optional)
If zerombr is specified, and yes is its sole argument, any invalid partition tables
found on disks are initialized. This destroys all of the contents of disks with
invalid partition tables. This command should be in the following format:
zerombr yes
No other format is effective.
%include
Use the %include /path/to/file command to include the contents of another file in
the kickstart file as though the contents were at the location of the %include
command in the kickstart file.
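As an added example that is not part of the guide, the following Python checker reads the command section of a kickstart file and reports the settings described above that an administrator would want to catch before deployment: a rootpw line without --iscrypted (a plain-text root password in a plain-text file), a selinux line that is not --enforcing, a zerombr line other than "zerombr yes", a static network line missing a required value, and raid lines whose members have no part line, whose md device is reused, or that put / on a non-level-1 array without a /boot partition. The sample kickstart text and all findings strings are constructed for the demonstration.

```python
import shlex

# Constructed sample kickstart file (not from the guide); it deliberately
# contains the weak and inconsistent settings the checks below look for.
SAMPLE_KS = """\
install
lang en_US
network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0
rootpw changeme
selinux --disabled
timezone --utc America/New_York
zerombr
part raid.01 --size=60 --ondisk=sda
part raid.02 --size=60 --ondisk=sdb
part raid.11 --size=1 --grow --ondisk=sda
raid / --level=5 --device=md0 raid.01 raid.02
raid /usr --level=1 --device=md0 raid.11 raid.12
%packages
@ Base
"""


def parse_commands(text):
    """Return (command, args) pairs for the command section of a kickstart file.

    Blank lines and # comments are skipped; parsing stops at the first
    %section (%packages, %pre, %post, %include), which this checker ignores.
    """
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            break
        words = shlex.split(line)
        commands.append((words[0], words[1:]))
    return commands


def option_value(args, name):
    """Return the value given as --name=value or as '--name value', else None."""
    for i, arg in enumerate(args):
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
        if arg == name and i + 1 < len(args):
            return args[i + 1]
    return None


def lint(text):
    """Return a list of findings (strings); an empty list means nothing to report."""
    commands = parse_commands(text)
    findings = []
    present = {cmd for cmd, _ in commands}
    for required in ("rootpw", "timezone"):
        if required not in present:
            findings.append("%s: required command missing" % required)
    # Mount points and raid.NN / pv.NN identifiers defined by part and raid lines.
    defined = {args[0] for cmd, args in commands
               if cmd in ("part", "partition", "raid") and args}
    for cmd, args in commands:
        if cmd == "rootpw" and "--iscrypted" not in args:
            findings.append("rootpw: plain-text password; store a hash and use --iscrypted")
        elif cmd == "selinux" and "--enforcing" not in args:
            findings.append("selinux: not enforcing (%s)" % " ".join(args))
        elif cmd == "zerombr" and args != ["yes"]:
            findings.append("zerombr: only 'zerombr yes' is effective")
        elif cmd == "network" and option_value(args, "--bootproto") == "static":
            for opt in ("--ip", "--netmask", "--gateway"):
                if option_value(args, opt) is None:
                    findings.append("network: static configuration lacks %s" % opt)
            if option_value(args, "--nameserver") is None and "--nodns" not in args:
                findings.append("network: static configuration lacks --nameserver (or --nodns)")
    used_devices = set()
    for cmd, args in commands:
        if cmd != "raid" or not args:
            continue
        mntpoint = args[0]
        device = option_value(args, "--device")
        if device in used_devices:  # each mdN may only be used once
            findings.append("raid %s: device %s already used" % (mntpoint, device))
        used_devices.add(device)
        for member in (a for a in args[1:] if a.startswith("raid.")):
            if member not in defined:
                findings.append("raid %s: member %s has no part line" % (mntpoint, member))
        level = option_value(args, "--level")
        if mntpoint == "/" and "/boot" not in defined and level not in ("1", "RAID1"):
            findings.append("raid /: level must be 1 when there is no /boot partition")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_KS):
        print(finding)
```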
4.1. Advanced Partitioning Example
The following is a single, integrated example showing the clearpart, raid, part,
volgroup, and logvol kickstart options in action:
clearpart --drives=hda,hdc --initlabel
# Raid 1 IDE config
part raid.11 --size 1000 --asprimary --ondrive=hda
part raid.12 --size 1000 --asprimary --ondrive=hda
part raid.13 --size 2000 --asprimary --ondrive=hda
part raid.14 --size 8000 --ondrive=hda
part raid.15 --size 1 --grow --ondrive=hda
part raid.21 --size 1000 --asprimary --ondrive=hdc
part raid.22 --size 1000 --asprimary --ondrive=hdc
part raid.23 --size 2000 --asprimary --ondrive=hdc
part raid.24 --size 8000 --ondrive=hdc
part raid.25 --size 1 --grow --ondrive=hdc
# You can add --spares=x
raid / --fstype ext3 --device md0 --level=RAID1 raid.11 raid.21
raid /safe --fstype ext3 --device md1 --level=RAID1 raid.12 raid.22
raid swap --fstype swap --device md2 --level=RAID1 raid.13 raid.23
raid /usr --fstype ext3 --device md3 --level=RAID1 raid.14 raid.24
raid pv.01 --fstype ext3 --device md4 --level=RAID1 raid.15 raid.25
# LVM configuration so that we can resize /var and /usr/local later
volgroup sysvg pv.01
logvol /var --vgname=sysvg --size=8000 --name=var
logvol /var/freespace --vgname=sysvg --size=8000 --name=freespacetouse
logvol /usr/local --vgname=sysvg --size=1 --grow --name=usrlocal
This advanced example implements LVM over RAID, as well as the ability to resize
various directories for future growth.
5. Package Selection
Use the %packages command to begin a kickstart file section that lists the packages
you would like to install (this is for installations only, as package selection during
upgrades is not supported).
Packages can be specified by group or by individual package name. The installation
program defines several groups that contain related packages. Refer to the
RedHat/base/comps.xml file on the first Red Hat Enterprise Linux CD-ROM for a list of
groups. Each group has an id, user visibility value, name, description, and package
list. In the package list, the packages marked as mandatory are always installed if
the group is selected, the packages marked default are selected by default if the
group is selected, and the packages marked optional must be specifically selected
even if the group is selected to be installed.
In most cases, it is only necessary to list the desired groups and not individual
packages. Note that the Core and Base groups are always selected by default, so it is
not necessary to specify them in the %packages section.
Here is an example %packages selection:
%packages
@ X Window System
@ GNOME Desktop Environment
@ Graphical Internet
@ Sound and Video
dhcp
As you can see, groups are specified, one to a line, starting with an @ symbol, a
space, and then the full group name as given in the comps.xml file. Groups can also
be specified using the id for the group, such as gnome-desktop. Specify individual
packages with no additional characters (the dhcp line in the example above is an
individual package).
You can also specify which packages not to install from the default package list:
-autofs
The following options are available for the %packages option:
--resolvedeps
Install the listed packages and automatically resolve package dependencies. If
this option is not specified and there are package dependencies, the automated
installation pauses and prompts the user. For example:
%packages --resolvedeps
--ignoredeps
Ignore the unresolved dependencies and install the listed packages without the
dependencies. For example:
%packages --ignoredeps
--ignoremissing
Ignore the missing packages and groups instead of halting the installation to ask
if the installation should be aborted or continued. For example:
%packages --ignoremissing
6. Pre-installation Script
You can add commands to run on the system immediately after the ks.cfg has been
parsed. This section must be at the end of the kickstart file (after the commands)
and must start with the %pre command. You can access the network in the %pre
section; however, name service has not been configured at this point, so only IP
addresses work.
Note
Note that the pre-install script is not run in the change root
environment.
--interpreter /usr/bin/python
Allows you to specify a different scripting language, such as Python. Replace
/usr/bin/python with the scripting language of your choice.
6.1. Example
Here is an example %pre section:
%pre
#!/bin/sh
hds=""
mymedia=""
# Collect every IDE device that the kernel reports as a disk (CD-ROMs are skipped)
for file in /proc/ide/h*
do
mymedia=`cat $file/media`
if [ "$mymedia" = "disk" ] ; then
hds="$hds `basename $file`"
fi
done
# Use the positional parameters to count the disks found
set -- $hds
numhd=`echo $#`
drive1=`echo $hds | cut -d' ' -f1`
drive2=`echo $hds | cut -d' ' -f2`
# Write out partition scheme based on whether there are 1 or 2 hard drives
if [ "$numhd" = "2" ] ; then
# 2 drives: system on the first disk, /home on the second
echo "#partitioning scheme generated in %pre for 2 drives" > /tmp/part-include
echo "clearpart --all" >> /tmp/part-include
echo "part /boot --fstype ext3 --size 75 --ondisk $drive1" >> /tmp/part-include
echo "part / --fstype ext3 --size 1 --grow --ondisk $drive1" >> /tmp/part-include
echo "part swap --recommended --ondisk $drive1" >> /tmp/part-include
echo "part /home --fstype ext3 --size 1 --grow --ondisk $drive2" >> /tmp/part-include
else
# 1 drive
echo "#partitioning scheme generated in %pre for 1 drive" > /tmp/part-include
echo "clearpart --all" >> /tmp/part-include
echo "part /boot --fstype ext3 --size 75" >> /tmp/part-include
echo "part swap --recommended" >> /tmp/part-include
echo "part / --fstype ext3 --size 2048" >> /tmp/part-include
echo "part /home --fstype ext3 --size 2048 --grow" >> /tmp/part-include
fi
This script determines the number of hard drives in the system and writes a text file
with a different partitioning scheme depending on whether it has one or two drives.
Instead of having a set of partitioning commands in the kickstart file, include the
line:
%include /tmp/part-include
The partitioning commands selected in the script are used.
Note
The pre-installation script section of kickstart cannot manage multiple
install trees or source media. This information must be included for
each created ks.cfg file, as the pre-installation script occurs during the
second stage of the installation process.
7. Post-installation Script
You have the option of adding commands to run on the system once the installation
is complete. This section must be at the end of the kickstart file and must start with
the %post command. This section is useful for functions such as installing additional
software and configuring an additional nameserver.
Note
If you configured the network with static IP information, including a
nameserver, you can access the network and resolve IP addresses in
the %post section. If you configured the network for DHCP, the
/etc/resolv.conf file has not been completed when the installation
executes the %post section. You can access the network, but you can
not resolve IP addresses. Thus, if you are using DHCP, you must specify
IP addresses in the %post section.
Note
The post-install script is run in a chroot environment; therefore,
performing tasks such as copying scripts or RPMs from the installation
media does not work.
--nochroot
Allows you to specify commands that you would like to run outside of the chroot
environment.
The following example copies the file /etc/resolv.conf to the file system that was
just installed.
%post --nochroot
cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
--interpreter /usr/bin/python
Allows you to specify a different scripting language, such as Python. Replace
/usr/bin/python with the scripting language of your choice.
7.1. Examples
Turn services on and off:
/sbin/chkconfig --level 345 telnet off
/sbin/chkconfig --level 345 finger off
/sbin/chkconfig --level 345 lpd off
/sbin/chkconfig --level 345 httpd on
Run a script named runme from an NFS share:
mkdir /mnt/temp
mount -o nolock 10.10.0.2:/usr/new-machines /mnt/temp
open -s -w -- /mnt/temp/runme
umount /mnt/temp
Note
NFS file locking is not supported while in kickstart mode, therefore -o
nolock is required when mounting an NFS mount.
Add a user to the system:
/usr/sbin/useradd bob
/usr/bin/chfn -f "Bob Smith" bob
/usr/sbin/usermod -p 'kjdf$04930FTH/ ' bob
8. Making the Kickstart File Available
A kickstart file must be placed in one of the following locations:
On a boot diskette
On a boot CD-ROM
On a network
Normally a kickstart file is copied to the boot diskette, or made available on the
network. The network-based approach is most commonly used, as most kickstart
installations tend to be performed on networked computers.
Let us take a more in-depth look at where the kickstart file may be placed.
8.1. Creating Kickstart Boot Media
Diskette-based booting is no longer supported in Red Hat Enterprise Linux.
Installations must use CD-ROM or flash memory products for booting. However, the
kickstart file may still reside on a diskette's top-level directory, and must be named
ks.cfg.
To perform a CD-ROM-based kickstart installation, the kickstart file must be named
ks.cfg and must be located in the boot CD-ROM's top-level directory. Since a
CD-ROM is read-only, the file must be added to the directory used to create the
image that is written to the CD-ROM. Refer to the Red Hat Enterprise Linux
Installation Guide for instructions on creating boot media; however, before making
the file.iso image file, copy the ks.cfg kickstart file to the isolinux/ directory.
To perform a pen-based flash memory kickstart installation, the kickstart file must
be named ks.cfg and must be located in the flash memory's top-level directory.
Create the boot image first, and then copy the ks.cfg file.
For example, the following transfers a boot image to the pen drive (/dev/sda) using
the dd command:
dd if=diskboot.img of=/dev/sda bs=1M
Note
Creation of USB flash memory pen drives for booting is possible, but is
heavily dependent on system hardware BIOS settings. Refer to your
hardware manufacturer to see if your system supports booting to
alternate devices.
8.2. Making the Kickstart File Available on the Network
Network installations using kickstart are quite common, because system
administrators can easily automate the installation on many networked computers
quickly and painlessly. In general, the approach most commonly used is for the
administrator to have both a BOOTP/DHCP server and an NFS server on the local
network. The BOOTP/DHCP server is used to give the client system its networking
information, while the actual files used during the installation are served by the NFS
server. Often, these two servers run on the same physical machine, but they are not
required to.
To perform a network-based kickstart installation, you must have a BOOTP/DHCP
server on your network, and it must include configuration information for the
machine on which you are attempting to install Red Hat Enterprise Linux. The
BOOTP/DHCP server provides the client with its networking information as well as
the location of the kickstart file.
If a kickstart file is specified by the BOOTP/DHCP server, the client system attempts
an NFS mount of the file's path, and copies the specified file to the client, using it as
the kickstart file. The exact settings required vary depending on the BOOTP/DHCP
server you use.
Here is an example of a line from the dhcpd.conf file for the DHCP server:
filename "/usr/new-machine/kickstart/";
next-server blarg.redhat.com;
Note that you should replace the value after filename with the name of the kickstart
file (or the directory in which the kickstart file resides) and the value after
next-server with the NFS server name.
If the file name returned by the BOOTP/DHCP server ends with a slash ("/"), then it is
interpreted as a path only. In this case, the client system mounts that path using
NFS, and searches for a particular file. The file name the client searches for is:
<ip-addr>-kickstart
The <ip-addr> section of the file name should be replaced with the client's IP
address in dotted decimal notation. For example, the file name for a computer with
an IP address of 10.10.0.1 would be 10.10.0.1-kickstart.
Note that if you do not specify a server name, then the client system attempts to
use the server that answered the BOOTP/DHCP request as its NFS server. If you do
not specify a path or file name, the client system tries to mount /kickstart from the
BOOTP/DHCP server and tries to find the kickstart file using the same
<ip-addr>-kickstart file name as described above.
9. Making the Installation Tree Available
The kickstart installation must access an installation tree. An installation tree is a
copy of the binary Red Hat Enterprise Linux CD-ROMs with the same directory
structure.
If you are performing a CD-based installation, insert the Red Hat Enterprise Linux
CD-ROM #1 into the computer before starting the kickstart installation.
If you are performing a hard drive installation, make sure the ISO images of the
binary Red Hat Enterprise Linux CD-ROMs are on a hard drive in the computer.
If you are performing a network-based (NFS, FTP, or HTTP) installation, you must
make the installation tree available over the network. Refer to the Preparing for a
Network Installation section of the Red Hat Enterprise Linux Installation Guide for
details.
10. Starting a Kickstart Installation
To begin a kickstart installation, you must boot the system from boot media you
have made or the Red Hat Enterprise Linux CD-ROM #1, and enter a special boot
command at the boot prompt. The installation program looks for a kickstart file if
the ks command line argument is passed to the kernel.
CD-ROM #1 and Diskette
The linux ks=floppy command also works if the ks.cfg file is located on a vfat or
ext2 file system on a diskette and you boot from the Red Hat Enterprise Linux
CD-ROM #1.
An alternate boot command is to boot off the Red Hat Enterprise Linux CD-ROM
#1 and have the kickstart file on a vfat or ext2 file system on a diskette. To do
so, enter the following command at the boot: prompt:
linux ks=hd:fd0:/ks.cfg
With Driver Disk
If you need to use a driver disk with kickstart, specify the dd option as well. For
example, to boot off a boot diskette and use a driver disk, enter the following
command at the boot: prompt:
linux ks=floppy dd
Boot CD-ROM
If the kickstart file is on a boot CD-ROM as described in Section 8.1, "Creating
Kickstart Boot Media", insert the CD-ROM into the system, boot the system, and
enter the following command at the boot: prompt (where ks.cfg is the name of
the kickstart file):
linux ks=cdrom:/ks.cfg
Other options to start a kickstart installation are as follows:
ks=nfs:<server>:/<path>
The installation program looks for the kickstart file on the NFS server <server>,
as file <path>. The installation program uses DHCP to configure the Ethernet
card. For example, if your NFS server is server.example.com and the kickstart
file is in the NFS share /mydir/ks.cfg, the correct boot command would be
ks=nfs:server.example.com:/mydir/ks.cfg.
ks=http://<server>/<path>
The installation program looks for the kickstart file on the HTTP server <server>,
as file <path>. The installation program uses DHCP to configure the Ethernet
card. For example, if your HTTP server is server.example.com and the kickstart
file is in the HTTP directory /mydir/ks.cfg, the correct boot command would be
ks=http://server.example.com/mydir/ks.cfg.
ks=floppy
The installation program looks for the file ks.cfg on a vfat or ext2 file system on
the diskette in /dev/fd0.
ks=floppy:/<path>
The installation program looks for the kickstart file on the diskette in /dev/fd0, as
file <path>.
ks=hd:<device>:/<file>
The installation program mounts the file system on <device> (which must be vfat
or ext2), and looks for the kickstart configuration file as <file> in that file system
(for example, ks=hd:sda3:/mydir/ks.cfg).
ks=file:/<file>
The installation program tries to read the file <file> from the file system; no
mounts are done. This is normally used if the kickstart file is already on the initrd
image.
ks=cdrom:/<path>
The installation program looks for the kickstart file on CD-ROM, as file <path>.
ks
If ks is used alone, the installation program configures the Ethernet card to use
DHCP. The kickstart file is read from the "bootServer" from the DHCP response
as if it is an NFS server sharing the kickstart file. By default, the bootServer is
the same as the DHCP server. The name of the kickstart file is one of the
following:
If DHCP is specified and the boot file begins with a /, the boot file provided by
DHCP is looked for on the NFS server.
If DHCP is specified and the boot file begins with something other than a /, the
boot file provided by DHCP is looked for in the /kickstart directory on the NFS
server.
If DHCP did not specify a boot file, then the installation program tries to read
the file /kickstart/1.2.3.4-kickstart, where 1.2.3.4 is the numeric IP address of the
machine being installed.
ksdevice=<device>
The installation program uses this network device to connect to the network. For
example, to start a kickstart installation with the kickstart file on an NFS server
that is connected to the system through the eth1 device, use the command
ks=nfs:<server>:/<path> ksdevice=eth1 at the boot: prompt.
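As an added example that is not part of the guide, the following Python functions apply the kickstart-location rules from Section 8.2 and from the ks options above: parse_dhcpd_stanza pulls the filename and next-server values out of a dhcpd.conf fragment, resolve_from_dhcp works out which NFS server, path and file name a bare ks argument leads to, and parse_ks_argument decodes the ks=nfs:, ks=http://, ks=floppy, ks=hd:, ks=file: and ks=cdrom: forms. The dhcpd.conf fragment and its server name are constructed placeholders; tracing the result is a quick way to confirm which file a network client will actually fetch and from where.

```python
import re

# Constructed dhcpd.conf fragment modelled on the example in Section 8.2;
# the MAC address and server name are placeholders, not real hosts.
SAMPLE_DHCPD = """\
host new-machine {
    hardware ethernet 00:00:00:00:00:01;
    filename "/usr/new-machine/kickstart/";
    next-server nfs-server.example.com;
}
"""


def parse_dhcpd_stanza(text):
    """Return (filename, next_server) from a dhcpd.conf fragment; None when absent."""
    name = re.search(r'filename\s*"([^"]*)"\s*;', text)
    server = re.search(r'next-server\s+([^\s;]+)\s*;', text)
    return (name.group(1) if name else None, server.group(1) if server else None)


def resolve_from_dhcp(client_ip, dhcp_server, boot_file=None, next_server=None):
    """Where a bare 'ks' boot argument makes the installer look for the kickstart file.

    Rules from Sections 8.2 and 10: the NFS server is next-server, falling back
    to the DHCP server; a boot file ending in '/' is a directory that holds
    <ip-addr>-kickstart; an absolute boot file is used as given; a relative one
    is looked for in /kickstart; no boot file means /kickstart/<ip-addr>-kickstart.
    """
    server = next_server or dhcp_server
    if not boot_file:
        return {"method": "nfs", "server": server, "path": "/kickstart",
                "file": client_ip + "-kickstart"}
    if boot_file.endswith("/"):
        return {"method": "nfs", "server": server,
                "path": boot_file.rstrip("/") or "/",
                "file": client_ip + "-kickstart"}
    if boot_file.startswith("/"):
        directory, _, name = boot_file.rpartition("/")
        return {"method": "nfs", "server": server, "path": directory or "/",
                "file": name}
    return {"method": "nfs", "server": server, "path": "/kickstart",
            "file": boot_file}


def parse_ks_argument(arg, client_ip=None, dhcp_server=None,
                      boot_file=None, next_server=None):
    """Parse a ks or ks=... kernel argument into the source the installer reads from."""
    if arg == "ks":
        return resolve_from_dhcp(client_ip, dhcp_server, boot_file, next_server)
    if not arg.startswith("ks="):
        raise ValueError("not a kickstart argument: %r" % arg)
    spec = arg[len("ks="):]
    if spec == "floppy":  # ks.cfg on the diskette in /dev/fd0
        return {"method": "floppy", "device": "fd0", "file": "/ks.cfg"}
    if spec.startswith("floppy:"):
        return {"method": "floppy", "device": "fd0", "file": spec[len("floppy:"):]}
    if spec.startswith("nfs:"):  # ks=nfs:<server>:/<path>
        server, _, path = spec[len("nfs:"):].partition(":")
        return {"method": "nfs", "server": server, "file": path}
    if spec.startswith("http://"):  # ks=http://<server>/<path>
        server, _, path = spec[len("http://"):].partition("/")
        return {"method": "http", "server": server, "file": "/" + path}
    if spec.startswith("hd:"):  # ks=hd:<device>:/<file>
        device, _, path = spec[len("hd:"):].partition(":")
        return {"method": "hd", "device": device, "file": path}
    if spec.startswith("file:"):  # already on the initrd image, no mount
        return {"method": "file", "file": spec[len("file:"):]}
    if spec.startswith("cdrom:"):
        return {"method": "cdrom", "file": spec[len("cdrom:"):]}
    raise ValueError("unrecognised kickstart source: %r" % spec)


if __name__ == "__main__":
    boot_file, next_server = parse_dhcpd_stanza(SAMPLE_DHCPD)
    print(parse_ks_argument("ks", client_ip="10.10.0.1", dhcp_server="10.10.0.2",
                            boot_file=boot_file, next_server=next_server))
    print(parse_ks_argument("ks=nfs:server.example.com:/mydir/ks.cfg"))
```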
Chapter 2. Kickstart Configurator
Kickstart Configurator allows you to create or modify a kickstart file using a
graphical user interface, so that you do not have to remember the correct syntax of
the file.
To use Kickstart Configurator, you must be running the X Window System. To
start Kickstart Configurator, select Applications (the main menu on the panel)
=> System Tools => Kickstart, or type the command
/usr/sbin/system-config-kickstart.
As you are creating a kickstart file, you can select File => Preview at any time to
review your current selections.
To start with an existing kickstart file, select File => Open and select the existing
file.
1. Basic Configuration
Figure 2.1. Basic Configuration
Choose the language to use during the installation and as the default language to
be used after installation from the Default Language menu.
Select the system keyboard type from the Keyboard menu.
Choose the mouse for the system from the Mouse menu. If No Mouse is selected,
no mouse is configured. If Probe for Mouse is selected, the installation program
tries to automatically detect the mouse. Probing works for most modern mice.
If the system has a two-button mouse, a three-button mouse can be emulated by
selecting Emulate 3 Buttons. If this option is selected, simultaneously clicking the
left and right mouse buttons is recognized as a middle mouse button click.
From the Time Zone menu, choose the time zone to use for the system. To
configure the system to use UTC, select Use UTC clock.
Enter the desired root password for the system in the Root Password text entry
box. Type the same password in the Confirm Password text box. The second field
is to make sure you do not mistype the password and then realize you do not know
what it is after you have completed the installation. To save the password as an
encrypted password in the file, select Encrypt root password. If the encryption
option is selected, when the file is saved, the plain text password that you typed is
encrypted and written to the kickstart file. Do not type an already encrypted
password and select to encrypt it. Because a kickstart file is a plain text file that can
be easily read, it is recommended that an encrypted password be used.
To install languages in addition to the one selected from the Default Language
pulldown menu, check them in the Language Support list. The language selected
from the Default Language pulldown menu is used by default after installation;
however, the default can be changed with the Language Configuration Tool
(system-config-language) after installation.
Choosing Target Architecture specifies which specific hardware architecture
distribution is used during installation.
Choosing Reboot system after installation reboots your system automatically
after the installation is finished.
Kickstart installations are performed in graphical mode by default. To override this
default and use text mode instead, select the Perform installation in text mode
option.
You can perform a kickstart installation in interactive mode. This means that the
installation program uses all the options pre-configured in the kickstart file, but it
allows you to preview the options in each screen before continuing to the next
screen. To continue to the next screen, click the Next button after you have
approved the settings or change them before continuing the installation. To select
this type of installation, select the Perform installation in interactive mode
option.
2. Installation Method
Figure 2.2. Installation Method
The Installation Method screen allows you to choose whether to perform a new
installation or an upgrade. If you choose upgrade, the Partition Information and
Package Selection options are disabled. They are not supported for kickstart
upgrades.
Choose the type of kickstart installation or upgrade from the following
options:
CD-ROM - Choose this option to install or upgrade from the Red Hat Enterprise
Linux CD-ROMs.
NFS - Choose this option to install or upgrade from an NFS shared directory. In
the text field for the NFS server, enter a fully-qualified domain name or IP
address. For the NFS directory, enter the name of the NFS directory that contains
the RedHat directory of the installation tree. For example, if the NFS server
contains the directory /mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the
NFS directory.
FTP - Choose this option to install or upgrade from an FTP server. In the FTP
server text field, enter a fully-qualified domain name or IP address. For the FTP
directory, enter the name of the FTP directory that contains the RedHat directory.
For example, if the FTP server contains the directory /mirrors/redhat/i386/RedHat/,
enter /mirrors/redhat/i386/ for the FTP directory. If the FTP server requires a
username and password, specify them as well.
HTTP - Choose this option to install or upgrade from an HTTP server. In the text
field for the HTTP server, enter the fully-qualified domain name or IP address. For
the HTTP directory, enter the name of the HTTP directory that contains the RedHat
directory. For example, if the HTTP server contains the directory
/mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the HTTP directory.
Hard Drive - Choose this option to install or upgrade from a hard drive. Hard
drive installations require the use of ISO (or CD-ROM) images. Be sure to verify
that the ISO images are intact before you start the installation. To verify them,
use an md5sum program as well as the linux mediacheck boot option as discussed in
the Red Hat Enterprise Linux Installation Guide. Enter the hard drive partition that
contains the ISO images (for example, /dev/hda1) in the Hard Drive Partition
text box. Enter the directory that contains the ISO images in the Hard Drive
Directory text box.
3. Boot Loader Options
Figure 2.3. Boot Loader Options
GRUB is the default boot loader for Red Hat Enterprise Linux. If you do not want to
install a boot loader, select Do not install a boot loader. If you choose not to
install a boot loader, make sure you create a boot diskette or have another way to
boot your system, such as a third-party boot loader.
You must choose where to install the boot loader (the Master Boot Record or the
first sector of the /boot partition). Install the boot loader on the MBR if you plan to
use it as your boot loader.
To pass any special parameters to the kernel to be used when the system boots,
enter them in the Kernel parameters text field. For example, if you have an IDE
CD-ROM Writer, you can tell the kernel to use the SCSI emulation driver that must
be loaded before using cdrecord by configuring hdd=ide-scsi as a kernel parameter
(where hdd is the CD-ROM device).
You can password protect the GRUB boot loader by configuring a GRUB password.
Select Use GRUB password, and enter a password in the Password field. Type
the same password in the Confirm Password text field. To save the password as
an encrypted password in the file, select Encrypt GRUB password. If the
encryption option is selected, when the file is saved, the plain text password that
you typed is encrypted and written to the kickstart file. If you type an already
encrypted password, unselect Encrypt GRUB password.
If Upgrade an existing installation is selected on the Installation Method
page, select Upgrade existing boot loader to upgrade the existing boot loader
configuration, while preserving the old entries.
4. Partition Information
Figure 2.4. Partition Information
Select whether or not to clear the Master Boot Record (MBR). Choose to remove all
existing partitions, remove all existing Linux partitions, or preserve existing
partitions.
To initialize the disk label to the default for the architecture of the system (for
example, msdos for x86 and gpt for Itanium), select Initialize the disk label if you
are installing on a brand new hard drive.
4.1. Creating Partitions
To create a partition, click the Add button. The Partition Options window shown in
Figure 2.5, "Creating Partitions" appears. Choose the mount point, file system type,
and partition size for the new partition. Optionally, you can also choose from the
following:
In the Additional Size Options section, choose to make the partition a fixed
size, up to a chosen size, or fill the remaining space on the hard drive. If you
selected swap as the file system type, you can select to have the installation
program create the swap partition with the recommended size instead of
specifying a size.
Force the partition to be created as a primary partition.
Create the partition on a specific hard drive. For example, to make the partition
on the first IDE hard disk (/dev/hda), specify hda as the drive. Do not include /dev in
the drive name.
Use an existing partition. For example, to make the partition on the first partition
on the first IDE hard disk (/dev/hda1), specify hda1 as the partition. Do not include
/dev in the partition name.
Format the partition as the chosen file system type.
Figure 2.5. Creating Partitions
To edit an existing partition, select the partition from the list and click the Edit
button. The same Partition Options window appears as when you chose to add a
partition as shown in Figure 2.5, "Creating Partitions", except it reflects the values
for the selected partition. Modify the partition options and click OK.
To delete an existing partition, select the partition from the list and click the Delete
button.
4.1.1. Creating Software RAID Partitions
To create a software RAID partition, use the following steps:
1. Click the RAID button.
2. Select Create a software RAID partition.
3. Configure the partitions as previously described, except select Software RAID as
the file system type. Also, you must specify a hard drive on which to make the
partition or specify an existing partition to use.
Figure 2.6. Creating a Software RAID Partition
Repeat these steps to create as many partitions as needed for your RAID setup. Not
all of your partitions have to be RAID partitions.
After creating all the partitions needed to form a RAID device, follow these steps:
1. Click the RAID button.
2. Select Create a RAID device.
3. Select a mount point, file system type, RAID device name, RAID level, RAID
members, number of spares for the software RAID device, and whether to format
the RAID device.
Figure 2.7. Creating a Software RAID Device
4. Click OK to add the device to the list.
5. Network Configuration
Figure 2.8. Network Configuration
If the system to be installed via kickstart does not have an Ethernet card, do not
configure one on the Network Configuration page.
Networking is only required if you choose a networking-based installation method
(NFS, FTP, or HTTP). Networking can always be configured after installation with the
Network Administration Tool (system-config-network). Refer to Chapter 17,
Network Configuration for details.
For each Ethernet card on the system, click Add Network Device and select the
network device and network type for the device. Select eth0 to configure the first
Ethernet card, eth1 for the second Ethernet card, and so on.
6. Authentication
Figure 2.9. Authentication
In the Authentication section, select whether to use shadow passwords and MD5
encryption for user passwords. These options are highly recommended and chosen
by default.
The Authentication Configuration options allow you to configure the following
methods of authentication:
NIS
LDAP
Kerberos 5
Hesiod
SMB
Name Switch Cache
These methods are not enabled by default. To enable one or more of these
methods, click the appropriate tab, click the checkbox next to Enable, and enter
the appropriate information for the authentication method. Refer to Chapter 26,
Authentication Configuration for more information about the options.
7. Firewall Configuration
The Firewall Configuration window is similar to the screen in the installation
program and the Security Level Configuration Tool.
Figure 2.10. Firewall Configuration
If Disable firewall is selected, the system allows complete access to any active
services and ports. No connections to the system are refused or denied.
Selecting Enable firewall configures the system to reject incoming connections
that are not in response to outbound requests, such as DNS replies or DHCP
requests. If access to services running on this machine is required, you can choose
to allow specific services through the firewall.
Only devices configured in the Network Configuration section are listed as
available Trusted devices. Connections from any devices selected in the list are
accepted by the system. For example, if eth1 only receives connections from an
internal system, you might want to allow connections from it.
If a service is selected in the Trusted services list, connections for the service are
accepted and processed by the system.
In the Other ports text field, list any additional ports that should be opened for
remote access. Use the following format: port:protocol. For example, to allow IMAP
access through the firewall, specify imap:tcp. Numeric ports can also be
specified; to allow UDP packets on port 1234 through the firewall, enter 1234:udp.
To specify multiple ports, separate them with commas.
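The Other ports field is free text, so a typo there either fails the install or opens something unintended. As an added example that is not part of the Red Hat guide, the following Python validates a comma-separated port:protocol list exactly as the section describes and assembles the firewall line that ends up in the kickstart file; the firewall command options --enabled, --trust and --port are assumed from kickstart syntax (the page does not show them), and the service-name table is a constructed subset rather than a copy of /etc/services.

```python
"""Validate a Kickstart Configurator "Other ports" field and build the
kickstart firewall line. Added example, not code from the Red Hat guide.
Assumptions: kickstart firewall options --enabled/--disabled, --trust and
--port; KNOWN_SERVICES is a constructed subset of service names."""
import re

# Constructed subset of well-known service names the validator accepts.
KNOWN_SERVICES = ("imap", "ssh", "http", "https", "smtp", "ntp")
PROTOCOLS = ("tcp", "udp")
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")
_DEVICE_RE = re.compile(r"^eth[0-9]+$")


def parse_port_spec(spec):
    """Parse one 'port:protocol' entry as the guide describes it.

    Returns (port, protocol) with port as a normalized string (service
    name or decimal number). Raises ValueError on anything else, so a
    malformed entry never silently opens a port."""
    spec = spec.strip()
    if spec.count(":") != 1:
        raise ValueError("expected exactly one ':' in %r" % spec)
    port, proto = spec.split(":")
    proto = proto.strip().lower()
    if proto not in PROTOCOLS:
        raise ValueError("protocol must be tcp or udp in %r" % spec)
    port = port.strip().lower()
    if port.isdigit():
        number = int(port)
        if not 1 <= number <= 65535:
            raise ValueError("port %d out of range in %r" % (number, spec))
        return str(number), proto
    if _NAME_RE.match(port) and port in KNOWN_SERVICES:
        return port, proto
    raise ValueError("unknown service name in %r" % spec)


def parse_other_ports(field):
    """Parse the whole comma-separated field into (port, protocol) tuples,
    rejecting duplicates as well as malformed entries."""
    entries = []
    for item in field.split(","):
        if not item.strip():
            continue
        entry = parse_port_spec(item)
        if entry in entries:
            raise ValueError("duplicate entry %r" % item.strip())
        entries.append(entry)
    return entries


def kickstart_firewall_line(enabled, trusted_devices=(), other_ports=""):
    """Build the firewall line the Configurator would write.

    A disabled firewall accepts every connection, so that case emits only
    'firewall --disabled' and ignores the other fields, as the guide states."""
    if not enabled:
        return "firewall --disabled"
    parts = ["firewall", "--enabled"]
    for dev in trusted_devices:
        # A trusted device accepts all connections; only plain names pass.
        if not _DEVICE_RE.match(dev):
            raise ValueError("unexpected device name %r" % dev)
        parts.append("--trust=%s" % dev)
    ports = parse_other_ports(other_ports)
    if ports:
        parts.append("--port=" + ",".join("%s:%s" % p for p in ports))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed field values matching the guide's own examples.
    print(kickstart_firewall_line(True, ["eth1"], "imap:tcp, 1234:udp"))
    for bad in ("1234", "imap:icmp", "70000:tcp", "telnet:tcp"):
        try:
            parse_port_spec(bad)
        except ValueError as err:
            print("rejected:", err)
```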
7.1. SELinux Configuration
Although configuration for SELinux is not specified in the Kickstart Configurator,
kickstart enables SELinux in enforcing mode by default if the selinux parameter is
omitted from the kickstart file.
8. Display Configuration
If you are installing the X Window System, you can configure it during the kickstart
installation by checking the Configure the X Window System option on the
Display Configuration window as shown in Figure 2.11, "X Configuration -
General". If this option is not chosen, the X configuration options are disabled and
the skipx option is written to the kickstart file.
8.1. General
The first step in configuring X is to choose the default color depth and resolution.
Select them from their respective pulldown menus. Be sure to specify a color depth
and resolution that is compatible with the video card and monitor for the system.
Figure 2.11. X Configuration - General
If you are installing both the GNOME and KDE desktops, you must choose which
desktop should be the default. If only one desktop is to be installed, be sure to
choose it. Once the system is installed, users can choose which desktop they want
to be their default.
Next, choose whether to start the X Window System when the system is booted.
This option starts the system in runlevel 5 with the graphical login screen. After the
system is installed, this can be changed by modifying the /etc/inittab configuration
file.
Also select whether to start the Setup Agent the first time the system is rebooted.
It is disabled by default, but the setting can be changed to enabled or enabled in
reconfiguration mode. Reconfiguration mode enables the language, mouse,
keyboard, root password, security level, time zone, and networking configuration
options in addition to the default ones.
8.2. Video Card
Probe for video card is selected by default. Accept this default to have the
installation program probe for the video card during installation. Probing works for
most modern video cards. If this option is selected and the installation program
cannot successfully probe the video card, the installation program stops at the
video card configuration screen. To continue the installation process, select your
video card from the list and click Next.
Alternatively, you can select the video card from the list on the Video Card tab as
shown in Figure 2.12, "X Configuration - Video Card". Specify the amount of video
RAM the selected video card has from the Video Card RAM pulldown menu. These
values are used by the installation program to configure the X Window System.
Figure 2.12. X Configuration - Video Card
8.3. Monitor
After configuring the video card, click on the Monitor tab as shown in Figure 2.13,
"X Configuration - Monitor".
Figure 2.13. X Configuration - Monitor
Probe for monitor is selected by default. Accept this default to have the
installation program probe for the monitor during installation. Probing works for
most modern monitors. If this option is selected and the installation program cannot
successfully probe the monitor, the installation program stops at the monitor
configuration screen. To continue the installation process, select your monitor from
the list and click Next.
Alternatively, you can select your monitor from the list. You can also specify the
horizontal and vertical sync rates instead of selecting a specific monitor by checking
the Specify hsync and vsync instead of monitor option. This option is useful if
the monitor for the system is not listed. Notice that when this option is enabled, the
monitor list is disabled.
9. Package Selection
Figure 2.14. Package Selection
The Package Selection window allows you to choose which package groups to
install.
There are also options available to resolve and ignore package dependencies
automatically.
Currently, Kickstart Configurator does not allow you to select individual
packages. To install individual packages, modify the %packages section of the
kickstart file after you save it. Refer to Section 5, "Package Selection" for details.
10. Pre-Installation Script
Figure 2.15. Pre-Installation Script
You can add commands to run on the system immediately after the kickstart file has
been parsed and before the installation begins. If you have configured the network
in the kickstart file, the network is enabled before this section is processed. To
include a pre-installation script, type it in the text area.
To specify a scripting language to use to execute the script, select the Use an
interpreter option and enter the interpreter in the text box beside it. For example,
/usr/bin/python2.2 can be specified for a Python script. This option corresponds to
using %pre --interpreter /usr/bin/python2.2 in your kickstart file.
Caution
Do not include the %pre command. It is added for you.
11. Post-Installation Script
Figure 2.16. Post-Installation Script
You can also add commands to execute on the system after the installation is
completed. If the network is properly configured in the kickstart file, the network is
enabled, and the script can include commands to access resources on the network.
To include a post-installation script, type it in the text area.
Caution
Do not include the %post command. It is added for you.
For example, to change the message of the day for the newly installed system, add
the following command to the %post section:
echo "Hackers will be punished!" > /etc/motd
Tip
More examples can be found in Section 7.1, "Examples".
11.1. Chroot Environment
To run the post-installation script outside of the chroot environment, click the
checkbox next to this option on the top of the Post-Installation window. This is
equivalent to using the --nochroot option in the %post section.
To make changes to the newly installed file system, within the post-installation
section, but outside of the chroot environment, you must prepend the directory
name with /mnt/sysimage/.
For example, if you select Run outside of the chroot environment, the previous
example must be changed to the following:
echo "Hackers will be punished!" > /mnt/sysimage/etc/motd
11.2. Use an Interpreter
To specify a scripting language to use to execute the script, select the Use an
interpreter option and enter the interpreter in the text box beside it. For example,
/usr/bin/python2.2 can be specified for a Python script. This option corresponds to
using %post --interpreter /usr/bin/python2.2 in your kickstart file.
12. Saving the File
To review the contents of the kickstart file after you have finished choosing your
kickstart options, select File => Preview from the pull-down menu.
Figure 2.17. Preview
To save the kickstart file, click the Save to File button in the preview window. To
save the file without previewing it, select File => Save File or press Ctrl-S. A
dialog box appears. Select where to save the file.
After saving the file, refer to Section 10, "Starting a Kickstart Installation" for
information on how to start the kickstart installation.
Chapter 3. PXE Network Installations
Red Hat Enterprise Linux allows for installation over a network using the NFS, FTP,
or HTTP protocols. A network installation can be started from a boot CD-ROM, a
bootable flash memory drive, or by using the askmethod boot option with the Red
Hat Enterprise Linux CD #1. Alternatively, if the system to be installed contains a
network interface card (NIC) with Pre-Execution Environment (PXE) support, it can
be configured to boot from files on another networked system rather than local
media such as a CD-ROM.
For a PXE network installation, the client's NIC with PXE support sends out a
broadcast request for DHCP information. The DHCP server provides the client with
an IP address, other network information such as name server, the IP address or
hostname of the tftp server (which provides the files necessary to start the
installation program), and the location of the files on the tftp server. This is possible
because of PXELINUX, which is part of the syslinux package.
The following steps must be performed to prepare for a PXE installation:
1. Configure the network (NFS, FTP, HTTP) server to export the installation tree.
2. Configure the files on the tftp server necessary for PXE booting.
3. Configure which hosts are allowed to boot from the PXE configuration.
4. Start the tftp service.
5. Configure DHCP.
6. Boot the client, and start the installation.
1. Setting up the Network Server
First, configure an NFS, FTP, or HTTP server to export the entire installation tree for
the version and variant of Red Hat Enterprise Linux to be installed. Refer to the
section Preparing for a Network Installation in the Red Hat Enterprise Linux
Installation Guide for detailed instructions.
2. PXE Boot Configuration
The next step is to copy the files necessary to start the installation to the tftp server
so they can be found when the client requests them. The tftp server is usually the
same server as the network server exporting the installation tree.
To copy these files, run the Network Booting Tool on the NFS, FTP, or HTTP
server. A separate PXE server is not necessary.
For the command line version of these instructions, refer to Section 2.1, "Command
Line Configuration".
To use the graphical version of the Network Booting Tool, you must be running
the X Window System, have root privileges, and have the system-config-netboot RPM
package installed. To start the Network Booting Tool from the desktop, go to
Applications (the main menu on the panel) => System Settings => Server
Settings => Network Booting Service. Or, type the command
system-config-netboot at a shell prompt (for example, in an XTerm or a GNOME
terminal).
If starting the Network Booting Tool for the first time, select Network Install
from the First Time Druid. Otherwise, select Configure => Network
Installation from the pulldown menu, and then click Add. The dialog in Figure 3.1,
"Network Installation Setup" is displayed.
Figure 3.1. Network Installation Setup
Operating system identifier - Provide a unique name using one word to
identify the Red Hat Enterprise Linux version and variant. It is used as the
directory name in the /tftpboot/linux-install/ directory.
Description - Provide a brief description of the Red Hat Enterprise Linux version
and variant.
Select protocol for installation - Selects NFS, FTP, or HTTP as the network
installation type depending on which one was configured previously. If FTP is
selected and anonymous FTP is not being used, uncheck Anonymous FTP and
provide a valid username and password combination.
Kickstart - Specify the location of the kickstart file. The file can be a URL or a
file stored locally (diskette). The kickstart file can be created with the Kickstart
Configurator. Refer to Chapter 2, Kickstart Configurator for details.
Server - Provide the IP address or domain name of the NFS, FTP, or HTTP server.
Location - Provide the directory shared by the network server. If FTP or HTTP
was selected, the directory must be relative to the default directory for the FTP
server or the document root for the HTTP server. For all network installations, the
directory provided must contain the RedHat/ directory of the installation tree.
After clicking OK, the initrd.img and vmlinuz files necessary to boot the installation
program are transferred from images/pxeboot/ in the provided installation tree to
/tftpboot/linux-install/<os-identifier>/ on the tftp server (the one you are running the
Network Booting Tool on).
2.1. Command Line Configuration
If the network server is not running X, the pxeos command line utility, which is part
of the system-config-netboot package, can be used to configure the tftp server files:
pxeos -a -i "<description>" -p <NFS|HTTP|FTP> -D 0 -s client.example.com \
  -L <net-location> -k <kernel> -K <kickstart> <os-identifier>
The following list explains the options:
-a - Specifies that an OS instance is being added to the PXE configuration.
-i "<description>" - Replace "<description>" with a description of the OS instance.
This corresponds to the Description field in Figure 3.1, "Network Installation
Setup".
-p <NFS|HTTP|FTP> - Specify which of the NFS, FTP, or HTTP protocols to use for
installation. Only one may be specified. This corresponds to the Select protocol
for installation menu in Figure 3.1, "Network Installation Setup".
-D <0|1> - Specify "0" which indicates that it is not a diskless configuration since
pxeos can be used to configure a diskless environment as well.
-s client.example.com - Provide the name of the NFS, FTP, or HTTP server after the
-s option. This corresponds to the Server field in Figure 3.1, "Network Installation
Setup".
-L <net-location> - Provide the location of the installation tree on that server after
the -L option. This corresponds to the Location field in Figure 3.1, "Network
Installation Setup".
-k <kernel> - Provide the specific kernel version of the server installation tree for
booting.
-K <kickstart> - Provide the location of the kickstart file, if available.
<os-identifier> - Specify the OS identifier, which is used as the directory name in
the /tftpboot/linux-install/ directory. This corresponds to the Operating system
identifier field in Figure 3.1, "Network Installation Setup".
If FTP is selected as the installation protocol and anonymous login is not available,
specify a username and password for login, with the following options before
<os-identifier> in the previous command:
-A 0 -u <username> -p <password>
For more information on command line options available for the pxeos command,
refer to the pxeos man page.
3. Adding PXE Hosts
After configuring the network server, the interface as shown in Figure 3.2, "Add
Hosts" is displayed.
Figure 3.2. Add Hosts
The next step is to configure which hosts are allowed to connect to the PXE boot
server. For the command line version of this step, refer to Section 3.1, "Command
Line Configuration".
To add hosts, click the New button.
Figure 3.3. Add a Host
Enter the following information:
Hostname or IP Address/Subnet - The IP address, fully qualified hostname, or
a subnet of systems that should be allowed to connect to the PXE server for
installations.
Operating System - The operating system identifier to install on this client. The
list is populated from the network install instances created from the Network
Installation Dialog.
Serial Console - This option allows use of a serial console.
Kickstart File - The location of a kickstart file to use, such as
http://server.example.com/kickstart/ks.cfg. This file can be created with the
Kickstart Configurator. Refer to Chapter 2, Kickstart Configurator for
details.
Ignore the Snapshot name and Ethernet options. They are only used for diskless
environments. For more information on configuring a diskless environment, refer to
Chapter 4, Diskless Environments for details.
3.1. Command Line Configuration
If the network server is not running X, the pxeboot utility, a part of the
system-config-netboot package, can be used to add hosts which are allowed to
connect to the PXE server:
pxeboot -a -K <kickstart> -O <os-identifier> -r <value> <host>
The following list explains the options:
-a - Specifies that a host is to be added.
-K <kickstart> - The location of the kickstart file, if available.
-O <os-identifier> - Specifies the operating system identifier as defined in
Section 2, "PXE Boot Configuration".
-r <value> - Specifies the ram disk size.
<host> - Specifies the IP address or hostname of the host to add.
For more information on command line options available for the pxeboot command,
refer to the pxeboot man page.
4. Adding a Custom Boot Message
Optionally, modify /tftpboot/linux-install/msgs/boot.msg to use a custom boot message.
5. Performing the PXE Installation
For instructions on how to configure the network interface card with PXE support to
boot from the network, consult the documentation for the NIC. It varies slightly per
card.
After the system boots the installation program, refer to the Red Hat Enterprise
Linux Installation Guide.
Chapter 4. Diskless Environments
Some networks require multiple systems with the same configuration. They also
require that these systems be easy to reboot, upgrade, and manage. One solution is
to use a diskless environment in which most of the operating system, which can be
read-only, is shared from a central server between the clients. The individual clients
have their own directories on the central server for the rest of the operating system,
which must be read/write. Each time the client boots, it mounts most of the OS from
the NFS server as read-only and another directory as read-write. Each client has its
own read-write directory so that one client cannot affect the others.
The following steps are necessary to configure Red Hat Enterprise Linux to run on a
diskless client:
1. Install Red Hat Enterprise Linux on a system so that the files can be copied to the
NFS server. (Refer to the Red Hat Enterprise Linux Installation Guide for details.)
Any software to be used on the clients must be installed on this system and the
busybox-anaconda package must be installed.
2. Create a directory on the NFS server to contain the diskless environment such as
/diskless/i386/RHEL4-AS/. For example:
mkdir -p /diskless/i386/RHEL4-AS/
This directory is referred to as the diskless directory.
3. Create a subdirectory of this directory named root/:
mkdir -p /diskless/i386/RHEL4-AS/root/
4. Copy Red Hat Enterprise Linux from the client system to the server using rsync.
For example:
rsync -a -e ssh installed-system.example.com:/ /diskless/i386/RHEL4-AS/root/
The length of this operation depends on the network connection speed as well as
the size of the file system on the installed system. Depending on these factors,
this operation may take a while.
5. Start the tftp server.
6. Configure the DHCP server.
7. Finish creating the diskless environment as discussed in Section 2, "Finish
Configuring the Diskless Environment".
8. Configure the diskless clients as discussed in Section 3, "Adding Hosts".
9. Configure each diskless client to boot via PXE and boot them.
1. Configuring the NFS Server
The shared read-only part of the operating system is shared via NFS.
Configure NFS to export the root/ and snapshot/ directories by adding them to
/etc/exports. For example:
/diskless/i386/RHEL4-AS/root/ *(ro,sync,no_root_squash)
/diskless/i386/RHEL4-AS/snapshot/ *(rw,sync,no_root_squash)
Replace * with one of the hostname formats discussed in Section 3.2, "Hostname
Formats". Make the hostname declaration as specific as possible, so unwanted
systems cannot access the NFS mount.
If the NFS service is not running, start it:
service nfs start
If the NFS service is already running, reload the configuration file:
service nfs reload
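The two example lines above leave the * wildcard in place, and no_root_squash means a client's root is root on the exported files, so the export list deserves a check before it is reloaded. As an added example that is not part of the Red Hat guide, the following Python parses /etc/exports lines of the form shown above, reports wildcard clients and no_root_squash exports, and rewrites every * to an explicit client list; the exports text it runs on is constructed to mirror the guide's sample.

```python
"""Audit /etc/exports entries of the form '/path client(options) ...' and
replace wildcard clients with explicit hosts. Added example, not code from
the Red Hat guide; SAMPLE_EXPORTS is constructed after the guide's example."""
import re

# Constructed sample modelled on the guide's /etc/exports lines.
SAMPLE_EXPORTS = """\
# diskless environment (constructed sample)
/diskless/i386/RHEL4-AS/root/ *(ro,sync,no_root_squash)
/diskless/i386/RHEL4-AS/snapshot/ *(rw,sync,no_root_squash)
"""

_EXPORT_RE = re.compile(r"^(\S+)\s*(.*)$")
# Either 'client(opt,opt)' or a bare 'client' with default options.
_CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...], skipping blank
    lines and comments."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, rest = _EXPORT_RE.match(line).groups()
        clients = []
        for m in _CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                opts = [o for o in m.group(2).split(",") if o]
                clients.append((m.group(1), opts))
            else:
                clients.append((m.group(3), []))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, client, finding) tuples.

    'wildcard-client': the export is mountable from any host, which the
    guide warns against. 'no_root_squash': root on the client is root on
    the exported files; the guide's diskless root needs it, so treat the
    finding as something to confirm, not automatically remove."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "wildcard-client"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
    return findings


def restrict_clients(text, allowed):
    """Rewrite the exports so every '*' client becomes one entry per
    host in 'allowed', keeping the original option list for each."""
    lines = []
    for path, clients in parse_exports(text):
        entries = []
        for client, opts in clients:
            targets = allowed if client == "*" else [client]
            for host in targets:
                entries.append("%s(%s)" % (host, ",".join(opts)) if opts else host)
        lines.append(path + (" " + " ".join(entries) if entries else ""))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %s %s" % (finding, path, client))
    # Hostnames below are constructed placeholders for the diskless clients.
    print(restrict_clients(SAMPLE_EXPORTS, ["node1.example.com", "node2.example.com"]))
```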
2. Finish Configuring the Diskless Environment
To use the graphical version of the Network Booting Tool, you must be running
the X Window System, have root privileges, and have the system-config-netboot RPM
package installed. To start the Network Booting Tool from the desktop, go to
Applications (the main menu on the panel) => System Settings => Server
Settings => Network Booting Service. Or, type the command
system-config-netboot at a shell prompt (for example, in an XTerm or a GNOME
terminal).
If starting the Network Booting Tool for the first time, select Diskless from the
First Time Druid. Otherwise, select Configure => Diskless from the pull-down
menu, and then click Add.
A wizard appears to step you through the process:
1. Click Forward on the first page.
2. On the Diskless Identifier page, enter a Name and Description for the
diskless environment. Click Forward.
3. Enter the IP address or domain name of the NFS server configured in Section 1,
"Configuring the NFS Server" as well as the directory exported as the diskless
environment. Click Forward.
4. The kernel versions installed in the diskless environment are listed. Select the
kernel version to boot on the diskless system.
5. Click Apply to finish the configuration.
After clicking Apply, the diskless kernel and image file are created based on the
kernel selected. They are copied to the PXE boot directory
/tftpboot/linux-install/<os-identifier>/. The directory snapshot/ is created in the same
directory as the root/ directory (for example, /diskless/i386/RHEL4-AS/snapshot/) with a
file called files in it. This file contains a list of files and directories that must be
read/write for each diskless system. Do not modify this file. If additional entries
must be added to the list, create a files.custom file in the same directory as the files
file, and add each additional file or directory on a separate line.
3. Adding Hosts
Each diskless client must have its own snapshot directory on the NFS server that is
used as its read/write file system. The Network Booting Tool can be used to
create these snapshot directories.
After completing the steps in Section 2, "Finish Configuring the Diskless
Environment", a window appears to allow hosts to be added for the diskless
environment. Click the New button. In the dialog shown in Figure 4.1, "Add
Diskless Host", provide the following information:
Hostname or IP Address/Subnet - Specify the hostname or IP address of a
system to add it as a host for the diskless environment. Enter a subnet to specify
a group of systems.
Operating System - Select the diskless environment for the host or subnet of
hosts.
Serial Console - Select this checkbox to perform a serial installation.
Snapshot name - Provide a subdirectory name to be used to store all of the
read/write content for the host.
Ethernet - Select the Ethernet device on the host to use to mount the diskless
environment. If the host only has one Ethernet card, select eth0.
Ignore the Kickstart File option. It is only used for PXE installations.
Figure 4.1. Add Diskless Host
In the existing snapshot/ directory in the diskless directory, a subdirectory is created
with the Snapshot name specified as the file name. Then, all of the files listed in
snapshot/files and snapshot/files.custom are copied from the root/ directory to this
new directory.
4. Booting the Hosts
Consult the documentation for your PXE card to configure the host to boot via PXE.
When the diskless client boots, it mounts the remote root/ directory in the diskless
directory as read-only. It also mounts its individual snapshot directory as read/write.
Then it mounts all the files and directories in the files and files.custom files using
mount -o bind over the read-only diskless directory to allow applications to write to
the root directory of the diskless environment if they need to.
Chapter 5. Basic System Recovery
When things go wrong, there are ways to fix problems. However, these methods
require that you understand the system well. This chapter describes how to boot
into rescue mode, single-user mode, and emergency mode, where you can use your
own knowledge to repair the system.
1. Common Problems
You might need to boot into one of these recovery modes for any of the following
reasons:
You are unable to boot normally into Red Hat Enterprise Linux (runlevel 3 or 5).
You are having hardware or software problems, and you want to get a few
important files off of your system's hard drive.
You forgot the root password.
1.1. Unable to Boot into Red Hat Enterprise Linux
This problem is often caused by the installation of another operating system after
you have installed Red Hat Enterprise Linux. Some other operating systems assume
that you have no other operating system(s) on your computer. They overwrite the
Master Boot Record (MBR) that originally contained the GRUB boot loader. If the
boot loader is overwritten in this manner, you cannot boot Red Hat Enterprise Linux
unless you can get into rescue mode and reconfigure the boot loader.
Another common problem occurs when using a partitioning tool to resize a partition
or create a new partition from free space after installation, and it changes the order
of your partitions. If the partition number of your / partition changes, the boot loader
might not be able to find it to mount the partition. To fix this problem, boot in
rescue mode and modify the /boot/grub/grub.conf file.
For instructions on how to reinstall the GRUB boot loader from a rescue
environment, refer to Section 2.1, "Reinstalling the Boot Loader".
1.2. Hardware/Software Problems
This category includes a wide variety of different situations. Two examples include
failing hard drives and specifying an invalid root device or kernel in the boot loader
configuration file. If either of these occur, you might not be able to reboot into Red
Hat Enterprise Linux. However, if you boot into one of the system recovery modes,
you might be able to resolve the problem or at least get copies of your most
important files.
1.3. Root Password
What can you do if you forget your root password? To reset it to a different
password, boot into rescue mode or single-user mode, and use the passwd
command to reset the root password.
2. Booting into Rescue Mode
Rescue mode provides the ability to boot a small Red Hat Enterprise Linux
environment entirely from CD-ROM, or some other boot method, instead of the
system's hard drive.
As the name implies, rescue mode is provided to rescue you from something.
During normal operation, your Red Hat Enterprise Linux system uses files located on
your system's hard drive to do everything - run programs, store your files, and
more.
However, there may be times when you are unable to get Red Hat Enterprise Linux
running completely enough to access files on your system's hard drive. Using
rescue mode, you can access the files stored on your system's hard drive, even if
you cannot actually run Red Hat Enterprise Linux from that hard drive.
To boot into rescue mode, you must be able to boot the system using one of the
following methods[1]:
By booting the system from an installation boot CD-ROM.
By booting the system from other installation boot media, such as USB flash
devices.
By booting the system from the Red Hat Enterprise Linux CD-ROM #1.
[1] Refer to the earlier sections of this guide for more details.
Once you have booted using one of the described methods, add the keyword rescue
as a kernel parameter. For example, for an x86 system, type the following
command at the installation boot prompt:
linux rescue
You are prompted to answer a few basic questions, including which language to use.
It also prompts you to select where a valid rescue image is located. Select from
Local CD-ROM, Hard Drive, NFS image, FTP, or HTTP. The location selected
must contain a valid installation tree, and the installation tree must be for the same
version of Red Hat Enterprise Linux as the Red Hat Enterprise Linux disk from which
you booted. If you used a boot CD-ROM or other media to start rescue mode, the
installation tree must be from the same tree from which the media was created. For
more information about how to set up an installation tree on a hard drive, NFS
server, FTP server, or HTTP server, refer to the earlier section of this guide.
If you select a rescue image that does not require a network connection, you are
asked whether or not you want to establish a network connection. A network
connection is useful if you need to back up files to a different computer or install
some RPM packages from a shared network location, for example.
The following message is displayed:
The rescue environment will now attempt to find your Linux installation and mount it under
the directory /mnt/sysimage. You can then make any changes required to your system. If you
want to proceed with this step choose 'Continue'. You can also choose to mount your file
systems read-only instead of read-write by choosing 'Read-only'. If for some reason this
process fails you can choose 'Skip' and this step will be skipped and you will go directly to a
command shell.
If you select Continue, it attempts to mount your file system under the directory
/mnt/sysimage/. If it fails to mount a partition, it notifies you. If you select
Read-Only, it attempts to mount your file system under the directory
/mnt/sysimage/, but in read-only mode. If you select Skip, your file system is not
mounted. Choose Skip if you think your file system is corrupted.
Once you have your system in rescue mode, a prompt appears on VC (virtual
console) 1 and VC 2 (use the Ctrl-Alt-F1 key combination to access VC 1 and
Ctrl-Alt-F2 to access VC 2):
sh-3.00b#
If you selected Continue to mount your partitions automatically and they were
mounted successfully, you are in single-user mode.
Even if your file system is mounted, the default root partition while in rescue mode
is a temporary root partition, not the root partition of the file system used during
normal user mode (runlevel 3 or 5). If you selected to mount your file system and it
mounted successfully, you can change the root partition of the rescue mode
environment to the root partition of your file system by executing the following
command:
chroot /mnt/sysimage
This is useful if you need to run commands such as rpm that require your root
partition to be mounted as /. To exit the chroot environment, type exit to return to
the prompt.
If you selected Skip, you can still try to mount a partition or LVM2 logical volume
manually inside rescue mode by creating a directory such as /foo, and typing the
following command:
mount -t ext3 /dev/mapper/VolGroup00-LogVol02 /foo
In the above command, /foo is a directory that you have created and
/dev/mapper/VolGroup00-LogVol02 is the LVM2 logical volume you want to mount. If
the partition is of type ext2, replace ext3 with ext2.
If you do not know the names of all physical partitions, use the following command
to list them:
fdisk -l
If you do not know the names of all LVM2 physical volumes, volume groups, or
logical volumes, use the following commands to list them:
pvdisplay
vgdisplay
lvdisplay
From the prompt, you can run many useful commands, such as:
ssh, scp, and ping if the network is started
dump and restore for users with tape drives
parted and fdisk for managing partitions
rpm for installing or upgrading software
joe for editing configuration files
Note
If you try to start other popular editors such as emacs, pico, or vi, the joe
editor is started.
2.1. Reinstalling the Boot Loader
In many cases, the GRUB boot oader can mstakeny be deeted, corrupted, or
repaced by other operatng systems.
The foowng steps deta the process on how GRUB s renstaed on the master
boot record:
Boot the system from an nstaaton boot medum.
Type nux rescue at the nstaaton boot prompt to enter the rescue envronment.
Type chroot /mnt/sysmage to mount the root partton.
Type /sbn/grub-nsta /dev/hda to rensta the GRUB boot oader, where /dev/hda s
the boot partton.
Revew the /boot/grub/grub.conf fe, as addtona entres may be needed for GRUB
to contro addtona operatng systems.
Reboot the system.
3. Booting into Single-User Mode
One of the advantages of snge-user mode s that you do not need a boot CD-ROM;
however, t does not gve you the opton to mount the fe systems as read-ony or
not mount them at a.
Reinstalling the Boot Loader
81
If your system boots, but does not aow you to og n when t has competed
bootng, try snge-user mode.
In snge-user mode, your computer boots to runeve 1. Your oca fe systems are
mounted, but your network s not actvated. You have a usabe system mantenance
she. Unke rescue mode, snge-user mode automatcay tres to mount your fe
system. Do not use snge-user mode f your fe system cannot be mounted
successfuy. You cannot use snge-user mode f the runeve 1 confguraton on
your system s corrupted.
On an x86 system usng GRUB, use the foowng steps to boot nto snge-user
mode:
1. At the GRUB spash screen at boot tme, press any key to enter the GRUB
nteractve menu.
2. Seect Red Hat Enterprise Linux wth the verson of the kerne that you wsh to
boot and type a to append the ne.
3. Go to the end of the ne and type single as a separate word (press the Spacebar
and then type single). Press Enter to ext edt mode.
4. Booting into Emergency Mode
In emergency mode, you are booted nto the most mnma envronment possbe.
The root fe system s mounted read-ony and amost nothng s set up. The man
advantage of emergency mode over snge-user mode s that the nt fes are not
oaded. If nt s corrupted or not workng, you can st mount fe systems to recover
data that coud be ost durng a re-nstaaton.
To boot nto emergency mode, use the same method as descrbed for snge-user
mode n Secton 3, "Bootng nto Snge-User Mode" wth one excepton, repace the
keyword single wth the keyword emergency.
Part II. File Systems
File system refers to the files and directories stored on a computer. A file system
can have different formats called file system types. These formats determine how
the information is stored as files and directories. Some file system types store
redundant copies of the data, while some file system types make hard drive access
faster. This part discusses the ext3, swap, RAID, and LVM file system types. It also
discusses the parted utility to manage partitions and access control lists (ACLs) to
customize file permissions.
Chapter 6. The ext3 File System
The default file system is the journaling ext3 file system.
1. Features of ext3
The ext3 file system is essentially an enhanced version of the ext2 file system.
These improvements provide the following advantages:
Availability
After an unexpected power failure or system crash (also called an unclean
system shutdown), each mounted ext2 file system on the machine must be
checked for consistency by the e2fsck program. This is a time-consuming process
that can delay system boot time significantly, especially with large volumes
containing a large number of files. During this time, any data on the volumes is
unreachable.
The journaling provided by the ext3 file system means that this sort of file
system check is no longer necessary after an unclean system shutdown. The
only time a consistency check occurs using ext3 is in certain rare hardware
failure cases, such as hard drive failures. The time to recover an ext3 file system
after an unclean system shutdown does not depend on the size of the file
system or the number of files; rather, it depends on the size of the journal used
to maintain consistency. The default journal size takes about a second to
recover, depending on the speed of the hardware.
Data Integrity
The ext3 file system provides stronger data integrity in the event that an
unclean system shutdown occurs. The ext3 file system allows you to choose the
type and level of protection that your data receives. By default, the ext3
volumes are configured to keep a high level of data consistency with regard to
the state of the file system.
Speed
Despite writing some data more than once, ext3 has a higher throughput in
most cases than ext2 because ext3's journaling optimizes hard drive head
motion. You can choose from three journaling modes to optimize speed, but
doing so means trade-offs in regards to data integrity.
Easy Transition
It is easy to migrate from ext2 to ext3 and gain the benefits of a robust
journaling file system without reformatting. Refer to Section 3, "Converting to
an ext3 File System" for more on how to perform this task.
The following sections walk you through the steps for creating and tuning ext3
partitions. For ext2 partitions, skip the partitioning and formatting sections below
and go directly to Section 3, "Converting to an ext3 File System".
2. Creating an ext3 File System
After nstaaton, t s sometmes necessary to create a new ext3 fe system. For
exampe, f you add a new dsk drve to the system, you may want to partton the
drve and use the ext3 fe system.
The steps for creatng an ext3 fe system are as foows:
1. Create the partton usng parted or fdsk.
2. Format the partton wth the ext3 fe system usng mkfs.
3. Labe the partton usng e2abe.
4. Create the mount pont.
5. Add the partton to the /etc/fstab fe.
3. Converting to an ext3 File System
The tune2fs program can add a |ourna to an exstng ext2 fe system wthout
aterng the data aready on the partton. If the fe system s aready mounted whe
t s beng transtoned, the |ourna s vsbe as the fe .|ourna n the root drectory of
the fe system. If the fe system s not mounted, the |ourna s hdden and does not
appear n the fe system at a.
Note
A defaut nstaaton of Red Hat Enterprse Lnux uses ext3 for a fe
systems.
To convert an ext2 fe system to ext3, og n as root and type,
Chapter 6. The ext3 File System
86
/sbn/tune2fs -| <fe_system>
where <fe_system> s an approprate LVM2 fe system.
A vad LVM2 fe system coud be one of two types of entres:
A mapped devce - A ogca voume n a voume group, for exampe,
/dev/mapper/VoGroup00-LogVo02.
A statc devce - A tradtona storage voume, for exampe, /dev/hdbX, where hdb
s a storage devce name and X s the partton number.
Issue the df command to dspay mounted fe systems. For more detaed
nformaton on the LVM fe system, refer to Chapter 8, LVM Confguraton.
For the remander of ths secton, the sampe commands use the foowng vaue:
/dev/mapper/VoGroup00-LogVo02
After dong ths, be certan to change the partton type from ext2 to ext3 n the
/etc/fstab fe.
If you are transtonng your root fe system, you must use an ntrd mage (or RAM
dsk) to boot. To create ths, run the mkntrd program. For nformaton on usng the
mkntrd command, type man mkntrd. Aso, make sure your GRUB confguraton
oads the ntrd.
If you fa to make ths change, the system st boots, but the fe system s mounted
as ext2 nstead of ext3.
4. Reverting to an ext2 File System
Because ext3 s reatvey new, some dsk uttes do not yet support t. For
exampe, you may need to shrnk a partton wth resze2fs, whch does not yet
support ext3. In ths stuaton, t may be necessary to temporary revert a fe
system to ext2.
To revert a partton, you must frst unmount the partton by oggng n as root and
typng,
umount /dev/mapper/VoGroup00-LogVo02
Reverting to an ext2 File System
87
Next, change the fe system type to ext2 by typng the foowng command as root:
/sbn/tune2fs -O has_|ourna /dev/mapper/VoGroup00-LogVo02
Check the partton for errors by typng the foowng command as root:
/sbn/e2fsck -y /dev/mapper/VoGroup00-LogVo02
Then mount the partton agan as ext2 fe system by typng:
mount -t ext2 /dev/mapper/VoGroup00-LogVo02/mount/pont
In the above command, repace /mount/pont wth the mount pont of the partton.
Next, remove the .|ourna fe at the root eve of the partton by changng to the
drectory where t s mounted and typng:
rm -f .|ourna
You now have an ext2 partton.
If you want to permanenty change the partton to ext2, remember to update the
/etc/fstab fe.
Tip
You can ncrease the sze of an ext3 fe system usng ext2onne.
ext2onne aows you to ncrease the sze of an ext3 fe system once t
s mounted (onne) and on a reszabe ogca voume. The root fe
system s set up by defaut on LVM2 ogca voumes durng
nstaaton.
Note that ext2onne w ony work on ext3 fe systems. For more
nformaton, refer to man ext2onne.
Chapter 6. The ext3 File System
88
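The conversion of Section 3 and the reversal of Section 4, scripted as an added example that is not part of the Red Hat guide: it reads the feature list from tune2fs -l to tell ext2 from ext3, runs the tune2fs step, and rewrites the type field of the matching /etc/fstab entry so the file system is mounted as the format it actually has. The device paths are the guide's; the function names and the sample fstab and tune2fs output are constructed, and convert_to_ext3 and revert_to_ext2 must be run as root.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: script the ext2 -> ext3 conversion
# of Section 3 and the reversal of Section 4, and keep /etc/fstab in step with
# the on-disk format. Device paths are the guide's; the function names and the
# sample data at the bottom are constructed for this example.

# Read "tune2fs -l" output on stdin; succeed if the has_journal feature is set,
# which is what distinguishes an ext3 file system from ext2.
fs_has_journal() {
    awk '/^Filesystem features:/ { for (i = 3; i <= NF; i++) if ($i == "has_journal") found = 1 }
         END { exit !found }'
}

# fstab_set_fstype DEVICE TYPE [FSTAB]
# Rewrite the type field (third column) of the entry for DEVICE. All other
# lines, comments included, pass through unchanged; the edited line is
# re-joined with single spaces. The previous file is kept as FSTAB.bak.
fstab_set_fstype() {
    dev=$1; fstype=$2; fstab=${3:-/etc/fstab}
    cp -p "$fstab" "$fstab.bak" || return 1
    awk -v dev="$dev" -v fstype="$fstype" '
        $1 == dev && $3 != fstype { $3 = fstype }
        { print }
    ' "$fstab.bak" > "$fstab"
}

# fstab_field DEVICE N [FSTAB]: print field N of the entry for DEVICE (empty if absent).
fstab_field() {
    awk -v dev="$1" -v n="$2" '$1 == dev { print $n; exit }' "${3:-/etc/fstab}"
}

# convert_to_ext3 DEVICE [FSTAB]   (Section 3; run as root)
convert_to_ext3() {
    dev=$1; fstab=${2:-/etc/fstab}
    if /sbin/tune2fs -l "$dev" | fs_has_journal; then
        echo "$dev already has a journal" >&2
    else
        /sbin/tune2fs -j "$dev" || return 1
    fi
    fstab_set_fstype "$dev" ext3 "$fstab" || return 1
    # A converted root file system needs an initrd that loads ext3, or it is
    # silently mounted as ext2 on the next boot.
    if [ "$(fstab_field "$dev" 2 "$fstab")" = / ]; then
        echo "root converted: rebuild the initrd (man mkinitrd) and check grub.conf" >&2
    fi
}

# revert_to_ext2 DEVICE MOUNTPOINT [FSTAB]   (Section 4; run as root, DEVICE unmounted)
revert_to_ext2() {
    dev=$1; mnt=$2; fstab=${3:-/etc/fstab}
    /sbin/tune2fs -O ^has_journal "$dev" || return 1
    # e2fsck exits 1 when it corrected errors; only 2 and above mean failure.
    /sbin/e2fsck -y "$dev" || [ $? -le 1 ] || return 1
    mount -t ext2 "$dev" "$mnt" || return 1
    rm -f "$mnt/.journal"            # the old on-disk journal file
    fstab_set_fstype "$dev" ext2 "$fstab"
}

# Constructed sample data so the fstab and tune2fs parsing can be tried offline.
sample_fstab() {
    cat <<'EOF'
# constructed /etc/fstab sample
/dev/mapper/VolGroup00-LogVol00 /      ext3 defaults 1 1
LABEL=/boot                     /boot  ext3 defaults 1 2
/dev/mapper/VolGroup00-LogVol02 /home  ext2 defaults 1 2
/dev/mapper/VolGroup00-LogVol01 swap   swap defaults 0 0
EOF
}
sample_tune2fs_output() {    # $1 = ext2 | ext3; abridged "tune2fs -l" output
    echo "Filesystem volume name:   <none>"
    if [ "$1" = ext3 ]; then
        echo "Filesystem features:      has_journal filetype sparse_super"
    else
        echo "Filesystem features:      filetype sparse_super"
    fi
}
```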
Chapter 7. Logical Volume Manager (LVM)
1. What is LVM?
LVM is a method of allocating hard drive space into logical volumes that can be
easily resized instead of partitions.
With LVM, a hard drive or set of hard drives is allocated to one or more physical
volumes. A physical volume cannot span over more than one drive.
The physical volumes are combined into logical volume groups, with the exception
of the /boot/ partition. The /boot/ partition cannot be on a logical volume group
because the boot loader cannot read it. If the root (/) partition is on a logical
volume, create a separate /boot/ partition which is not a part of a volume group.
Since a physical volume cannot span over multiple drives, to span over more than
one drive, create one or more physical volumes per drive.
Figure 7.1. Logical Volume Group
The logical volume group is divided into logical volumes, which are assigned mount
points, such as /home and /, and file system types, such as ext2 or ext3. When
"partitions" reach their full capacity, free space from the logical volume group can
be added to the logical volume to increase the size of the partition. When a new
hard drive is added to the system, it can be added to the logical volume group, and
partitions that are logical volumes can be expanded.
Figure 7.2. Logical Volumes
On the other hand, if a system is partitioned with the ext3 file system, the hard
drive is divided into partitions of defined sizes. If a partition becomes full, it is not
easy to expand the size of the partition. Even if the partition is moved to another
hard drive, the original hard drive space has to be reallocated as a different
partition or not used.
LVM support must be compiled into the kernel, and the default Red Hat kernel is
compiled with LVM support.
To learn how to configure LVM during the installation process, refer to Chapter 8,
LVM Configuration.
2. What is LVM2?
LVM version 2, or LVM2, is the default for Red Hat Enterprise Linux, which uses the
device mapper driver contained in the 2.6 kernel. LVM2, which is almost completely
compatible with the earlier LVM1 version, can be upgraded from versions of Red Hat
Enterprise Linux running the 2.4 kernel.
Although upgrading from LVM1 to LVM2 is usually seamless, refer to Section 3,
"Additional Resources" for further details on more complex requirements and
upgrading scenarios.
3. Additional Resources
Use these sources to learn more about LVM.
3.1. Installed Documentation
rpm -qd lvm - This command shows all the documentation available from the lvm
package, including man pages.
lvm help - This command shows all LVM commands available.
3.2. Useful Websites
http://sourceware.org/lvm2 - LVM2 webpage, which contains an overview, link to
the mailing lists, and more.
http://tldp.org/HOWTO/LVM-HOWTO/ - LVM HOWTO from the Linux
Documentation Project.
Chapter 8. LVM Configuration
LVM can be configured during the graphical installation process, the text-based
installation process, or during a kickstart installation. You can use the utilities from
the lvm package to create your own LVM configuration post-installation, but these
instructions focus on using Disk Druid during installation to complete this task.
Read Chapter 7, Logical Volume Manager (LVM) first to learn about LVM. An
overview of the steps required to configure LVM include:
Creating physical volumes from the hard drives.
Creating volume groups from the physical volumes.
Creating logical volumes from the volume groups and assigning the logical volumes
mount points.
Note
Although the following steps are illustrated during a GUI installation,
the same can be done during a text-based installation.
Two 9.1 GB SCSI drives (/dev/sda and /dev/sdb) are used in the following examples.
They detail how to create a simple configuration using a single LVM volume group
with associated logical volumes during installation.
1. Automatic Partitioning
On the Disk Partitioning Setup screen, select Automatically partition.
For Red Hat Enterprise Linux, LVM is the default method for disk partitioning. If you
do not wish to have LVM implemented, or if you require RAID partitioning, manual
disk partitioning through Disk Druid is required.
The following properties make up the automatically created configuration:
The /boot/ partition resides on its own non-LVM partition. In the following example,
it is the first partition on the first drive (/dev/sda1). Bootable partitions cannot
reside on LVM logical volumes.
A single LVM volume group (VolGroup00) is created, which spans all selected drives
and all remaining space available. In the following example, the remainder of the
first drive (/dev/sda2), and the entire second drive (/dev/sdb1) are allocated to the
volume group.
Two LVM logical volumes (LogVol00 and LogVol01) are created from the newly
created spanned volume group. In the following example, the recommended swap
space is automatically calculated and assigned to LogVol01, and the remainder is
allocated to the root file system, LogVol00.
Figure 8.1. Automatic LVM Configuration With Two SCSI Drives
Note
If enabling quotas is of interest to you, it may be best to modify the
automatic configuration to include other mount points, such as /home/
or /var/, so that each file system has its own independent quota
configuration limits.
In most cases, the default automatic LVM partitioning is sufficient, but
advanced implementations could warrant modification or manual
configuration of the LVM partition tables.
Note
If you anticipate future memory upgrades, leaving some free space in
the volume group would allow for easy future expansion of the swap
space logical volume on the system; in which case, the automatic LVM
configuration should be modified to leave available space for future
growth.
2. Manual LVM Partitioning
The following section explains how to manually configure LVM for Red Hat
Enterprise Linux. Because there are numerous ways to manually configure a system
with LVM, the following example is similar to the default configuration done in
Section 1, "Automatic Partitioning".
On the Disk Partitioning Setup screen, select Manually partition with Disk
Druid.
2.1. Creating the /boot/ Partition
In a typical situation, the disk drives are new, or formatted clean. The following
figure, Figure 8.2, "Two Blank Drives, Ready For Configuration", shows both drives
as raw devices with no partitioning configured.
Figure 8.2. Two Blank Drives, Ready For Configuration
Warning
The /boot/ partition cannot reside on an LVM volume group because the
GRUB boot loader cannot read it.
1. Select New.
2. Select /boot from the Mount Point pulldown menu.
3. Select ext3 from the File System Type pulldown menu.
4. Select only the sda checkbox from the Allowable Drives area.
5. Leave 100 (the default) in the Size (MB) menu.
6. Leave the Fixed size (the default) radio button selected in the Additional Size
Options area.
7. Select Force to be a primary partition to make the partition be a primary
partition. A primary partition is one of the first four partitions on the hard drive. If
unselected, the partition is created as a logical partition. If other operating
systems are already on the system, unselecting this option should be considered.
For more information on primary versus logical/extended partitions, refer to the
appendix section of the Red Hat Enterprise Linux Installation Guide.
Refer to Figure 8.3, "Creation of the Boot Partition" to verify your inputted values:
Figure 8.3. Creation of the Boot Partition
Click OK to return to the main screen. The following figure displays the boot
partition correctly set:
Figure 8.4. The /boot/ Partition Displayed
2.2. Creating the LVM Physical Volumes
Once the boot partition is created, the remainder of all disk space can be allocated
to LVM partitions. The first step in creating a successful LVM implementation is the
creation of the physical volume(s).
1. Select New.
2. Select physical volume (LVM) from the File System Type pulldown menu as
shown in Figure 8.5, "Creating a Physical Volume".
Figure 8.5. Creating a Physical Volume
3. You cannot enter a mount point yet (you can once you have created all your
physical volumes and then all volume groups).
4. A physical volume must be constrained to one drive. For Allowable Drives,
select the drive on which the physical volume is created. If you have multiple
drives, all drives are selected, and you must deselect all but one drive.
5. Enter the size that you want the physical volume to be.
6. Select Fixed size to make the physical volume the specified size, select Fill all
space up to (MB) and enter a size in MBs to give range for the physical volume
size, or select Fill to maximum allowable size to make it grow to fill all
available space on the hard disk. If you make more than one growable, they
share the available free space on the disk.
7. Select Force to be a primary partition if you want the partition to be a primary
partition.
8. Click OK to return to the main screen.
Repeat these steps to create as many physical volumes as needed for your LVM
setup. For example, if you want the volume group to span over more than one drive,
create a physical volume on each of the drives. The following figure shows both
drives completed after the repeated process:
Figure 8.6. Two Physical Volumes Created
2.3. Creating the LVM Volume Groups
Once all the physical volumes are created, the volume groups can be created:
1. Click the LVM button to collect the physical volumes into volume groups. A
volume group is basically a collection of physical volumes. You can have multiple
logical volume groups, but a physical volume can only be in one volume group.
Note
There is overhead disk space reserved in the logical volume group. The
summation of the physical volumes may not equal the size of the
volume group; however, the size of the logical volumes shown is
correct.
Figure 8.7. Creating an LVM Volume Group
2. Change the Volume Group Name if desired.
3. All logical volumes inside the volume group must be allocated in physical extent
units. By default, the physical extent is set to 32 MB; thus, logical volume sizes
must be divisible by 32 MBs. If you enter a size that is not a unit of 32 MBs, the
installation program automatically selects the closest size in units of 32 MBs. It is
not recommended that you change this setting.
4. Select which physical volumes to use for the volume group.
2.4. Creating the LVM Logical Volumes
Create logical volumes with mount points such as /, /home/, and swap space.
Remember that /boot cannot be a logical volume. To add a logical volume, click the
Add button in the Logical Volumes section. A dialog window as shown in
Figure 8.8, "Creating a Logical Volume" appears.
Figure 8.8. Creating a Logical Volume
Repeat these steps for each volume group you want to create.
Tip
You may want to leave some free space in the logical volume group so
you can expand the logical volumes later. The default automatic
configuration does not do this, but this manual configuration example
does - approximately 1 GB is left as free space for future expansion.
Figure 8.9. Pending Logical Volumes
Click OK to apply the volume group and all associated logical volumes.
The following figure shows the final manual configuration:
Figure 8.10. Final Manual Configuration
Chapter 9. Redundant Array of Independent Disks (RAID)
1. What is RAID?
The basic idea behind RAID is to combine multiple small, inexpensive disk drives
into an array to accomplish performance or redundancy goals not attainable with
one large and expensive drive. This array of drives appears to the computer as a
single logical storage unit or drive.
RAID is a method in which information is spread across several disks. RAID uses
techniques such as disk striping (RAID Level 0), disk mirroring (RAID Level 1), and
disk striping with parity (RAID Level 5) to achieve redundancy, lower latency and/or
to increase bandwidth for reading or writing to disks, and to maximize the ability to
recover from hard disk crashes.
The underlying concept of RAID is that data may be distributed across each drive in
the array in a consistent manner. To do this, the data must first be broken into
consistently-sized chunks (often 32K or 64K in size, although different sizes can be
used). Each chunk is then written to a hard drive in the RAID array according to the
RAID level used. When the data is to be read, the process is reversed, giving the
illusion that the multiple drives in the array are actually one large drive.
2. Who Should Use RAID?
Those who need to keep large quantities of data on hand (such as system
administrators) would benefit by using RAID technology. Primary reasons to use
RAID include:
Enhanced speed
Increased storage capacity using a single virtual disk
Lessened impact of a disk failure
3. Hardware RAID versus Software RAID
There are two possible RAID approaches: Hardware RAID and Software RAID.
3.1. Hardware RAID
The hardware-based array manages the RAID subsystem independently from the
host and presents to the host only a single disk per RAID array.
An example of a Hardware RAID device would be one that connects to a SCSI
controller and presents the RAID arrays as a single SCSI drive. An external RAID
system moves all RAID handling "intelligence" into a controller located in the
external disk subsystem. The whole subsystem is connected to the host via a
normal SCSI controller and appears to the host as a single disk.
RAID controllers also come in the form of cards that act like a SCSI controller to the
operating system but handle all of the actual drive communications themselves. In
these cases, you plug the drives into the RAID controller just like you would a SCSI
controller, but then you add them to the RAID controller's configuration, and the
operating system never knows the difference.
3.2. Software RAID
Software RAID implements the various RAID levels in the kernel disk (block device)
code. It offers the cheapest possible solution, as expensive disk controller cards or
hot-swap chassis [1] are not required. Software RAID also works with cheaper IDE
disks as well as SCSI disks. With today's fast CPUs, Software RAID performance can
excel against Hardware RAID.
[1] A hot-swap chassis allows you to remove a hard drive without having to power-down your system.
The MD driver in the Linux kernel is an example of a RAID solution that is
completely hardware independent. The performance of a software-based array is
dependent on the server CPU performance and load.
For information on configuring Software RAID during installation, refer to
Chapter 10, Software RAID Configuration.
For those interested in learning more about what Software RAID has to offer, here
are the most important features:
Threaded rebuild process
Kernel-based configuration
Portability of arrays between Linux machines without reconstruction
Backgrounded array reconstruction using idle system resources
Hot-swappable drive support
Automatic CPU detection to take advantage of certain CPU optimizations
4. RAID Levels and Linear Support
RAID supports various configurations, including levels 0, 1, 4, 5, and linear. These
RAID types are defined as follows:
Level 0 - RAID level 0, often called "striping," is a performance-oriented striped
data mapping technique. This means the data being written to the array is broken
down into strips and written across the member disks of the array, allowing high
I/O performance at low inherent cost but providing no redundancy. The storage
capacity of a level 0 array is equal to the total capacity of the member disks in a
Hardware RAID or the total capacity of member partitions in a Software RAID.
Level 1 - RAID level 1, or "mirroring," has been used longer than any other form
of RAID. Level 1 provides redundancy by writing identical data to each member
disk of the array, leaving a "mirrored" copy on each disk. Mirroring remains
popular due to its simplicity and high level of data availability. Level 1 operates
with two or more disks that may use parallel access for high data-transfer rates
when reading but more commonly operate independently to provide high I/O
transaction rates. Level 1 provides very good data reliability and improves
performance for read-intensive applications but at a relatively high cost. [2] The
storage capacity of the level 1 array is equal to the capacity of one of the
mirrored hard disks in a Hardware RAID or one of the mirrored partitions in a
Software RAID.
[2] RAID level 1 comes at a high cost because you write the same information to all of the disks in the
array, which wastes drive space. For example, if you have RAID level 1 set up so that your root (/)
partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The
other 40G acts like a mirror of the first 40G.
Level 4 - Level 4 uses parity [3] concentrated on a single disk drive to protect data.
It is better suited to transaction I/O rather than large file transfers. Because the
dedicated parity disk represents an inherent bottleneck, level 4 is seldom used
without accompanying technologies such as write-back caching. Although RAID
level 4 is an option in some RAID partitioning schemes, it is not an option allowed
in Red Hat Enterprise Linux RAID installations. [4] The storage capacity of Hardware
RAID level 4 is equal to the capacity of member disks, minus the capacity of one
member disk. The storage capacity of Software RAID level 4 is equal to the
capacity of the member partitions, minus the size of one of the partitions if they
are of equal size.
[3] Parity information is calculated based on the contents of the rest of the member disks in the array. This
information can then be used to reconstruct data when one disk in the array fails. The reconstructed data
can then be used to satisfy I/O requests to the failed disk before it is replaced and to repopulate the
failed disk after it has been replaced.
[4] RAID level 4 takes up the same amount of space as RAID level 5, but level 5 has more advantages. For
this reason, level 4 is not supported.
Level 5 - This is the most common type of RAID. By distributing parity across
some or all of an array's member disk drives, RAID level 5 eliminates the write
bottleneck inherent in level 4. The only performance bottleneck is the parity
calculation process. With modern CPUs and Software RAID, that usually is not a
very big problem. As with level 4, the result is asymmetrical performance, with
reads substantially outperforming writes. Level 5 is often used with write-back
caching to reduce the asymmetry. The storage capacity of Hardware RAID level 5
is equal to the capacity of member disks, minus the capacity of one member disk.
The storage capacity of Software RAID level 5 is equal to the capacity of the
member partitions, minus the size of one of the partitions if they are of equal size.
Linear RAID - Linear RAID is a simple grouping of drives to create a larger virtual
drive. In linear RAID, the chunks are allocated sequentially from one member
drive, going to the next drive only when the first is completely filled. This grouping
provides no performance benefit, as it is unlikely that any I/O operations will be
split between member drives. Linear RAID also offers no redundancy and, in fact,
decreases reliability - if any one member drive fails, the entire array cannot be
used. The capacity is the total of all member disks.
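The capacity and redundancy rules stated for each level above, collected into two shell functions as an added example that is not part of the Red Hat guide. It generalizes the two-drive mirror in footnote [2] to any member count and, because the guide only defines the mirror and parity capacities for equal-size members, rejects unequal members for those levels. The function names are constructed; sizes are in whatever unit the caller uses.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: the capacity and fault-tolerance
# rules of Section 4 as shell functions. LEVEL is 0, 1, 4, 5 or linear; the
# remaining arguments are member sizes in one unit (e.g. GB). The names
# _raid_members, raid_capacity and raid_fault_tolerance are constructed.

# Validate the member sizes; sets n, total, first and equal for the caller.
_raid_members() {
    n=$#; total=0; first=${1:-0}; equal=1
    [ "$n" -ge 1 ] || { echo "raid: at least one member required" >&2; return 1; }
    for s in "$@"; do
        case $s in ''|*[!0-9]*) echo "raid: bad member size '$s'" >&2; return 1 ;; esac
        total=$((total + s))
        [ "$s" -eq "$first" ] || equal=0
    done
}

# raid_capacity LEVEL SIZE...  -> usable capacity of the array
raid_capacity() {
    level=$1; shift
    _raid_members "$@" || return 1
    case $level in
        0|linear)       # striping and linear: every member contributes fully
            echo "$total" ;;
        1)              # mirroring: only one copy of the data is usable
            [ "$n" -ge 2 ] || { echo "raid: level 1 needs two or more members" >&2; return 1; }
            [ "$equal" -eq 1 ] || { echo "raid: level 1 capacity is only defined for equal members" >&2; return 1; }
            echo "$first" ;;
        4|5)            # parity: one member's worth of space holds parity
            [ "$n" -ge 2 ] || { echo "raid: level $level needs two or more members" >&2; return 1; }
            [ "$equal" -eq 1 ] || { echo "raid: level $level capacity is only defined for equal members" >&2; return 1; }
            echo $((total - first)) ;;
        *)  echo "raid: unsupported level '$level'" >&2; return 1 ;;
    esac
}

# raid_fault_tolerance LEVEL SIZE...  -> member failures the array survives
raid_fault_tolerance() {
    level=$1; shift
    _raid_members "$@" || return 1
    case $level in
        0|linear) echo 0 ;;            # no redundancy: one failure loses the array
        1)        echo $((n - 1)) ;;   # identical data on every member
        4|5)      echo 1 ;;            # parity reconstructs one failed member
        *)  echo "raid: unsupported level '$level'" >&2; return 1 ;;
    esac
}
```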
Software RAlD Configuration
Software RAID can be confgured durng the graphca nstaaton process, the
text-based nstaaton process, or durng a kckstart nstaaton. Ths chapter
dscusses how to confgure software RAID durng nstaaton, usng the Disk Druid
nterface.
Read Chapter 9, Redundant Array of Independent Dsks (RAID) frst to earn about
RAID, the dfferences between hardware and software RAID, and the dfferences
between RAID 0, 1, and 5. An overvew of the steps requred to confgure RAID
ncude:
Appyng software RAID parttons to the physca hard drves.
If you wsh to have the boot partton (/boot/) resde on a RAID parton, t must be
on a RAID 1 partton.
Creatng RAID devces from the software RAID parttons.
Optona: Confgurng LVM from the RAID devces. Refer to Chapter 8, LVM
Confguraton for more nformaton on confgurng LVM after frst confgurng RAID.
Creatng fe systems from the RAID devces.
Note
Athough the foowng steps are ustrated durng a GUI nstaaton,
the same can be done durng a text-based nstaaton.
Confguraton of software RAID must be done manuay n Disk Druid
durng the nstaaton process.
Two 9.1 GB SCSI drves (/dev/sda and /dev/sdb) are used n the foowng exampes.
They deta how to create a smpe RAID 1 confguraton by mpementng mutpe
RAID devces.
On the Disk Partitioning Setup screen, seect Manually partition with Disk
Druid.
1. Creating the RAlD Partitions
Chapter 10.
109
In a typical situation, the disk drives are new or are formatted. Both drives are
shown as raw devices with no partition configuration in Figure 10.1, "Two Blank
Drives, Ready For Configuration".
Figure 10.1. Two Blank Drives, Ready For Configuration
1. In Disk Druid, choose RAID to enter the software RAID creation screen.
2. Choose Create a software RAID partition to create a RAID partition as shown
in Figure 10.2, "RAID Partition Options". Note that no other RAID options (such as
entering a mount point) are available until RAID partitions, as well as RAID
devices, are created.
Figure 10.2. RAID Partition Options
3. A software RAID partition must be constrained to one drive. For Allowable
Drives, select the drive on which RAID is to be created. If you have multiple
drives, all drives are selected, and you must deselect all but one drive.
Figure 10.3. Adding a RAID Partition
4. Enter the size that you want the partition to be.
5. Select Fixed size to make the partition the specified size, select Fill all space
up to (MB) and enter a size in MB to give a range for the partition size, or select
Fill to maximum allowable size to make it grow to fill all available space on
the hard disk. If you make more than one partition growable, they share the
available free space on the disk.
6. Select Force to be a primary partition if you want the partition to be a primary
partition. A primary partition is one of the first four partitions on the hard drive. If
unselected, the partition is created as a logical partition. If other operating
systems are already on the system, unselecting this option should be considered.
For more information on primary versus logical/extended partitions, refer to the
appendix section of the Red Hat Enterprise Linux Installation Guide.
7. Click OK to return to the main screen.
Repeat these steps to create as many partitions as needed for your RAID setup.
Notice that not all of the partitions have to be RAID partitions. For example, you can
configure only the /boot/ partition as a software RAID device, leaving the root
partition (/), /home/, and swap as regular file systems. Figure 10.4, "RAID 1
Partitions Ready, Pre-Device and Mount Point Creation" shows successfully allocated
space for the RAID 1 configuration (for /boot/), which is now ready for RAID device
and mount point creation:
Figure 10.4. RAID 1 Partitions Ready, Pre-Device and Mount Point Creation
2. Creating the RAID Devices and Mount Points
Once you have all of your partitions created as software RAID partitions, the
following steps create the RAID device and mount point:
1. Select the RAID button on the Disk Druid main partitioning screen (refer to
Figure 10.5, "RAID Options").
2. Figure 10.5, "RAID Options" appears. Select Create a RAID device.
Figure 10.5. RAID Options
3. Next, Figure 10.6, "Making a RAID Device and Assigning a Mount Point" appears,
where you can make a RAID device and assign a mount point.
Figure 10.6. Making a RAID Device and Assigning a Mount Point
4. Enter a mount point.
5. Choose the file system type for the partition. At this point you can either
configure a dynamic LVM file system or a traditional static ext2/ext3 file system.
For more information on configuring LVM on a RAID device, select physical
volume (LVM) and then refer to Chapter 8, LVM Configuration. If LVM is not
required, continue on with the following instructions.
6. Select a device name such as md0 for the RAID device.
7. Choose your RAID level. You can choose from RAID 0, RAID 1, and RAID 5. If
you need assistance in determining which RAID level to implement, refer to
Chapter 9, Redundant Array of Independent Disks (RAID).
Note
If you are making a RAID partition of /boot/, you must choose RAID level
1, and it must use one of the first two drives (IDE first, SCSI second). If
you are not creating a separate RAID partition of /boot/, and you are
making a RAID partition for the root file system (/), it must be RAID
level 1 and must use one of the first two drives (IDE first, SCSI second).
Figure 10.7. The /boot/ Mount Error
8. The RAID partitions created appear in the RAID Members list. Select which of
these partitions should be used to create the RAID device.
9. If configuring RAID 1 or RAID 5, specify the number of spare partitions. If a
software RAID partition fails, the spare is automatically used as a replacement.
For each spare you want to specify, you must create an additional software RAID
partition (in addition to the partitions for the RAID device). Select the partitions
for the RAID device and the partition(s) for the spare(s).
10. After clicking OK, the RAID device appears in the Drive Summary list.
11. Repeat this chapter's entire process for configuring additional partitions, devices,
and mount points, such as the root partition (/), /home/, or swap.
After completing the entire configuration, the figure as shown in Figure 10.8, "Final
Sample RAID Configuration" resembles the default configuration, except for the use
of RAID.
Figure 10.8. Final Sample RAID Configuration
The figure as shown in Figure 10.9, "Final Sample RAID With LVM Configuration" is
an example of a RAID and LVM configuration.
Figure 10.9. Final Sample RAID With LVM Configuration
You can continue with your installation process. Refer to the Red Hat Enterprise
Linux Installation Guide for further instructions.
Chapter 11. Swap Space
1. What is Swap Space?
Swap space in Linux is used when the amount of physical memory (RAM) is full. If
the system needs more memory resources and the RAM is full, inactive pages in
memory are moved to the swap space. While swap space can help machines with a
small amount of RAM, it should not be considered a replacement for more RAM.
Swap space is located on hard drives, which have a slower access time than
physical memory.
Swap space can be a dedicated swap partition (recommended), a swap file, or a
combination of swap partitions and swap files.
The size of your swap should be equal to twice your computer's physical RAM for up
to 2 GB of physical RAM. For physical RAM above 2 GB, the size of your swap should
be equal to 4 GB plus the amount of physical RAM above 2 GB. The size of your swap
should never be less than 32 MB.
Using this basic formula, a system with 2 GB of physical RAM would have 4 GB of
swap, while one with 3 GB of physical RAM would have 5 GB of swap.
Note
Unfortunately, deciding on the amount of swap to allocate to Red Hat
Enterprise Linux is more of an art than a science, so hard rules are not
possible. Each system's most used applications should be accounted
for when determining swap size.
Important
File systems and LVM2 volumes assigned as swap space cannot be in
use when being modified. For example, no system processes can be
assigned the swap space, and no amount of swap should be
allocated and used by the kernel. Use the free and cat /proc/swaps
commands to verify how much and where swap is in use.
The best way to achieve swap space modifications is to boot your
system in rescue mode, and then follow the instructions (for each
scenario) in the remainder of this chapter. Refer to Chapter 5, Basic
System Recovery for instructions on booting into rescue mode. When
prompted to mount the file system, select Skip.
2. Adding Swap Space
Sometimes it is necessary to add more swap space after installation. For example,
you may upgrade the amount of RAM in your system from 128 MB to 256 MB, but
there is only 256 MB of swap space. It might be advantageous to increase the
amount of swap space to 512 MB if you perform memory-intensive operations or run
applications that require a large amount of memory.
You have three options: create a new swap partition, create a new swap file, or
extend swap on an existing LVM2 logical volume. It is recommended that you
extend an existing logical volume.
2.1. Extending Swap on an LVM2 Logical Volume
To extend an LVM2 swap logical volume (assuming /dev/VolGroup00/LogVol01 is the
volume you want to extend):
1. Disable swapping for the associated logical volume:
# swapoff -v /dev/VolGroup00/LogVol01
2. Resize the LVM2 logical volume by 256 MB:
# lvm lvresize /dev/VolGroup00/LogVol01 -L +256M
3. Format the new swap space:
# mkswap /dev/VolGroup00/LogVol01
4. Enable the extended logical volume:
# swapon -va
5. Test that the logical volume has been extended properly:
# cat /proc/swaps
# free
2.2. Creating an LVM2 Logical Volume for Swap
To add a swap logical volume (assuming /dev/VolGroup00/LogVol02 is the swap volume
you want to add):
1. Create the LVM2 logical volume of size 256 MB:
# lvm lvcreate VolGroup00 -n LogVol02 -L 256M
2. Format the new swap space:
# mkswap /dev/VolGroup00/LogVol02
3. Add the following entry to the /etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
4. Enable the new logical volume:
# swapon -va
5. Test that the logical volume has been created and activated properly:
# cat /proc/swaps
# free
2.3. Creating a Swap File
To add a swap file:
1. Determine the size of the new swap file in megabytes and multiply by 1024 to
determine the number of 1 KB blocks. For example, the block count for a 64 MB swap file
is 65536.
2. At a shell prompt as root, type the following command with count being equal to
the desired block count:
dd if=/dev/zero of=/swapfile bs=1024 count=65536
3. Set up the swap file with the command:
mkswap /swapfile
4. To enable the swap file immediately but not automatically at boot time:
swapon /swapfile
5. To enable it at boot time, edit /etc/fstab to include the following entry:
/swapfile swap swap defaults 0 0
The next time the system boots, it enables the new swap file.
6. After adding the new swap file and enabling it, verify it is enabled by viewing the
output of the command cat /proc/swaps or free.
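The swap-file procedure above as a shell function, added here as an example and not part of the guide. It applies the guide's sizing rule, refuses to overwrite an existing file, checks /etc/fstab for a duplicate entry, verifies the result in /proc/swaps, and makes the file mode 0600 before mkswap: the kernel writes paged-out process memory into the file, and the dd command above leaves it readable by every user under the default umask. The function names are this example's own; /swapfile and /etc/fstab are the guide's paths.

```shell
#!/bin/sh
# Added example, not taken from the RHEL 4 guide: the swap-file procedure of
# Section 2.3 as a function with the checks a practitioner wants, plus the
# guide's sizing rule as a function so the numbers can be checked first.
# /swapfile and /etc/fstab are the guide's paths; the function names are ours.

# Recommended swap in MB for ram_mb of RAM, per the guide: twice the RAM up to
# 2 GB, then 4 GB plus everything above 2 GB, and never below 32 MB.
swap_size_mb() {
    ram_mb=$1
    if [ "$ram_mb" -le 2048 ]; then
        size=$((ram_mb * 2))
    else
        size=$((4096 + ram_mb - 2048))
    fi
    [ "$size" -lt 32 ] && size=32
    echo "$size"
}

# True if the fstab text on stdin already activates $1 as swap.
# Comment lines are ignored; the third field must be "swap".
fstab_has_swap() {
    awk -v dev="$1" '$1 !~ /^#/ && $1 == dev && $3 == "swap" { found = 1 }
                     END { exit found ? 0 : 1 }'
}

# True if the /proc/swaps text on stdin lists $1 as an active swap area
# (the first line of /proc/swaps is a column header and is skipped).
swap_is_active() {
    awk -v dev="$1" 'NR > 1 && $1 == dev { found = 1 } END { exit found ? 0 : 1 }'
}

# Create, format and activate a swap file of size_mb megabytes (needs root).
# Refuses to overwrite an existing path, and sets mode 0600 before mkswap:
# the kernel writes paged-out process memory into this file, so it must not
# be readable by other users (dd alone leaves it with the umask default).
add_swapfile() {
    path=$1
    size_mb=$2
    if [ -e "$path" ]; then
        echo "$path already exists; refusing to overwrite it" >&2
        return 1
    fi
    dd if=/dev/zero of="$path" bs=1024 count=$((size_mb * 1024)) &&
        chmod 0600 "$path" &&
        mkswap "$path" &&
        swapon "$path" || return 1
    # Persist it for the next boot, but do not add a duplicate fstab line.
    if ! fstab_has_swap "$path" < /etc/fstab; then
        printf '%s\tswap\tswap\tdefaults\t0 0\n' "$path" >> /etc/fstab
    fi
    # Step 6 of the guide: confirm the kernel actually enabled it.
    swap_is_active "$path" < /proc/swaps
}

# Example session (run as root): a swap file sized for a 32 MB machine.
# add_swapfile /swapfile "$(swap_size_mb 32)"
```

fstab_has_swap and swap_is_active read their tables from stdin so they can be checked against constructed text without root; add_swapfile is the one step that changes the system and must run as root, in rescue mode if the existing swap has to be untouched while it runs.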
3. Removing Swap Space
Sometimes it can be prudent to reduce swap space after installation. For example,
say you downgraded the amount of RAM in your system from 1 GB to 512 MB, but
there is 2 GB of swap space still assigned. It might be advantageous to reduce the
amount of swap space to 1 GB, since the larger 2 GB could be wasting disk space.
You have three options: remove an entire LVM2 logical volume used for swap,
remove a swap file, or reduce swap space on an existing LVM2 logical volume.
3.1. Reducing Swap on an LVM2 Logical Volume
To reduce an LVM2 swap logical volume (assuming /dev/VolGroup00/LogVol01 is the
volume you want to reduce):
1. Disable swapping for the associated logical volume:
# swapoff -v /dev/VolGroup00/LogVol01
2. Reduce the LVM2 logical volume by 512 MB:
# lvm lvreduce /dev/VolGroup00/LogVol01 -L -512M
3. Format the new swap space:
# mkswap /dev/VolGroup00/LogVol01
4. Enable the reduced logical volume:
# swapon -va
5. Test that the logical volume has been reduced properly:
# cat /proc/swaps
# free
3.2. Removing an LVM2 Logical Volume for Swap
The swap logical volume cannot be in use (no system locks or processes on the
volume). The easiest way to achieve this is to boot your system in rescue mode.
Refer to Chapter 5, Basic System Recovery for instructions on booting into rescue
mode. When prompted to mount the file system, select Skip.
To remove a swap logical volume (assuming /dev/VolGroup00/LogVol02 is the swap
volume you want to remove):
1. Disable swapping for the associated logical volume:
# swapoff -v /dev/VolGroup00/LogVol02
2. Remove the LVM2 logical volume of size 512 MB:
# lvm lvremove /dev/VolGroup00/LogVol02
3. Remove the following entry from the /etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
4. Test that the logical volume has been removed properly:
# cat /proc/swaps
# free
3.3. Removing a Swap File
To remove a swap file:
1. At a shell prompt as root, execute the following command to disable the swap file
(where /swapfile is the swap file):
# swapoff -v /swapfile
2. Remove its entry from the /etc/fstab file.
3. Remove the actual file:
# rm /swapfile
4. Moving Swap Space
To move swap space from one location to another, follow the steps for removing
swap space, and then follow the steps for adding swap space.
Chapter 12. Managing Disk Storage
Introduction to different methods........
1. Standard Partitions using parted
Many users need to view the existing partition table, change the size of the
partitions, remove partitions, or add partitions from free space or additional hard
drives. The utility parted allows users to perform these tasks. This chapter discusses
how to use parted to perform file system tasks.
If you want to view the system's disk space usage or monitor the disk space usage,
refer to Section 3, "File Systems".
You must have the parted package installed to use the parted utility. To start parted,
at a shell prompt as root, type the command parted /dev/sda, where /dev/sda is the
device name for the drive you want to configure. The (parted) prompt is displayed.
Type help to view a list of available commands.
If you want to create, remove, or resize a partition, the device cannot be in use
(partitions cannot be mounted, and swap space cannot be enabled). The partition
table should not be modified while in use because the kernel may not properly
recognize the changes. Data could be overwritten by writing to the wrong partition
because the partition table and the mounted partitions no longer match. The easiest way
to achieve this is to boot your system in rescue mode. Refer to Chapter 5, Basic
System Recovery for instructions on booting into rescue mode. When prompted to
mount the file system, select Skip.
Alternately, if the drive does not contain any partitions in use (system processes
that use or lock the file system from being unmounted), you can unmount them
with the umount command and turn off all the swap space on the hard drive with the
swapoff command.
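The "device must not be in use" rule above as a check that can run before parted is started, added here as an example and not taken from the guide. It reads the two kernel tables the rule is about, /proc/mounts and /proc/swaps, and lists every partition of the disk that is still mounted or enabled as swap. The function names are this example's own, and the tables are passed as file arguments so the check can be exercised against constructed input.

```shell
#!/bin/sh
# Added example, not from the RHEL 4 guide: the "device must not be in use"
# check from this section as a script, so it runs before parted is started
# instead of being remembered. Function names are ours. The mounts and swaps
# tables are passed as file arguments so the check can be exercised against
# constructed input; on a live system pass /proc/mounts and /proc/swaps.

# Print every partition of disk $1 (e.g. /dev/sda) that is mounted ($2, in
# /proc/mounts format) or enabled as swap ($3, in /proc/swaps format).
# Assumes the "disk name followed by a digit" naming of IDE and SCSI disks.
busy_partitions() {
    disk=$1
    mounts=$2
    swaps=$3
    {
        awk '{ print $1 }' "$mounts"          # first column: mounted device
        awk 'NR > 1 { print $1 }' "$swaps"    # skip the Filename header line
    } | grep "^$disk[0-9]" | sort -u
}

# Exit 0 if nothing on the disk is in use, otherwise list what is and exit 1.
disk_is_free() {
    busy=$(busy_partitions "$@")
    if [ -n "$busy" ]; then
        printf 'Refusing to modify %s, still in use:\n%s\n' "$1" "$busy" >&2
        return 1
    fi
    return 0
}

# Typical use before the parted session in this section (as root):
# disk_is_free /dev/sda /proc/mounts /proc/swaps && parted /dev/sda
```

Two kinds of use are invisible to this check and have to be looked up separately: a partition that is an LVM physical volume (listed by pvs or pvdisplay) and a partition that is a member of a software RAID array (listed in /proc/mdstat). Both are in use by the kernel even though nothing in /proc/mounts names the partition itself.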
Table 12.1, "parted commands" contains a list of commonly used parted commands.
The sections that follow explain some of them in more detail.
Command                                     Description
check minor-num                             Perform a simple check of the file system
cp from to                                  Copy file system from one partition to another; from and to are the minor numbers of the partitions
help                                        Display list of available commands
mklabel label                               Create a disk label for the partition table
mkfs minor-num file-system-type             Create a file system of type file-system-type
mkpart part-type fs-type start-mb end-mb    Make a partition without creating a new file system
mkpartfs part-type fs-type start-mb end-mb  Make a partition and create the specified file system
move minor-num start-mb end-mb              Move the partition
name minor-num name                         Name the partition for Mac and PC98 disklabels only
print                                       Display the partition table
quit                                        Quit parted
rescue start-mb end-mb                      Rescue a lost partition from start-mb to end-mb
resize minor-num start-mb end-mb            Resize the partition from start-mb to end-mb
rm minor-num                                Remove the partition
select device                               Select a different device to configure
set minor-num flag state                    Set the flag on a partition; state is either on or off
Table 12.1. parted commands
1.1. Viewing the Partition Table
After starting parted, type the following command to view the partition table:
print
A table similar to the following appears:
Disk geometry for /dev/sda: 0.000-8678.789 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975   5098.754  primary   ext3
3       5098.755   6361.677  primary   linux-swap
4       6361.677   8675.727  extended
5       6361.708   7357.895  logical   ext3
Disk geometry for /dev/hda: 0.000-9765.492 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975    611.850  primary   linux-swap
3        611.851    760.891  primary   ext3
4        760.891   9758.232  extended              lba
5        760.922   9758.232  logical   ext3
The first line displays the size of the disk, the second line displays the disk label
type, and the remaining output shows the partition table.
In the partition table, the Minor number is the partition number. For example, the
partition with minor number 1 corresponds to /dev/sda1. The Start and End values
are in megabytes. The Type is one of primary, extended, or logical. The
Filesystem is the file system type, which can be one of ext2, ext3, fat16, fat32,
hfs, jfs, linux-swap, ntfs, reiserfs, hp-ufs, sun-ufs, or xfs. The Flags column lists the
flags set for the partition. Available flags are boot, root, swap, hidden, raid, lvm, or
lba.
In this example, minor number 1 refers to the /boot/ file system, minor number 2
refers to the root file system (/), minor number 3 refers to the swap, and minor
number 5 refers to the /home/ file system.
Tip
To select a different device without having to restart parted, use the
select command followed by the device name such as /dev/sda. Then,
you can view its partition table or configure it.
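A parser for the print output shown above, added here as an example and not part of the guide. The later sections say to read the table to decide whether there is enough free space; this function computes the free regions from the Start and End columns, both at the top level (between primary and extended partitions and after the last one) and inside the extended partition (between and after the logical partitions). The function name, the minimum-gap argument and the sample string (the guide's /dev/sda table, embedded here so it runs offline) are this example's own.

```shell
#!/bin/sh
# Added example, not from the RHEL 4 guide: a parser for the "print" output
# shown above that reports where free space actually is, since "enough free
# space" otherwise has to be read off the Start/End columns by hand. The
# function name and the minimum-gap argument are ours; the sample table is
# the guide's /dev/sda table, constructed here as a string for offline use.

# Read parted "print" output on stdin and print each free region of at least
# $1 MB (default 1) as "start-end where free (size MB)". Regions are found at
# the top level (between primary/extended partitions and after the last one)
# and inside the extended partition (between/after the logical partitions).
parted_free_mb() {
    awk -v min="${1:-1}" '
    function gap(a, b, where) {
        if (b - a >= min)
            printf "%.3f-%.3f %s free (%.1f MB)\n", a, b, where, b - a
    }
    function swap_rows(i, j,    t) {
        t = pstart[i]; pstart[i] = pstart[j]; pstart[j] = t
        t = pend[i];   pend[i]   = pend[j];   pend[j]   = t
        t = ptype[i];  ptype[i]  = ptype[j];  ptype[j]  = t
    }
    /^Disk geometry/ { split($5, r, "-"); disk_end = r[2] + 0 }   # "0.000-8678.789"
    $1 ~ /^[0-9]+$/ && ($4 == "primary" || $4 == "extended" || $4 == "logical") {
        n++; pstart[n] = $2 + 0; pend[n] = $3 + 0; ptype[n] = $4
        if ($4 == "extended") { ext_s = $2 + 0; ext_e = $3 + 0; has_ext = 1 }
    }
    END {
        # sort by start so minor numbers that are out of disk order do not matter
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (pstart[j] < pstart[i]) swap_rows(i, j)
        cur = 0
        for (i = 1; i <= n; i++)
            if (ptype[i] != "logical") { gap(cur, pstart[i], "top level"); cur = pend[i] }
        gap(cur, disk_end, "top level")
        if (has_ext) {
            cur = ext_s
            for (i = 1; i <= n; i++)
                if (ptype[i] == "logical") { gap(cur, pstart[i], "in extended"); cur = pend[i] }
            gap(cur, ext_e, "in extended")
        }
    }'
}

# The /dev/sda table from this section, as constructed sample input.
SAMPLE_PRINT='Disk geometry for /dev/sda: 0.000-8678.789 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975   5098.754  primary   ext3
3       5098.755   6361.677  primary   linux-swap
4       6361.677   8675.727  extended
5       6361.708   7357.895  logical   ext3'

printf '%s\n' "$SAMPLE_PRINT" | parted_free_mb
```

On the sample table the only usable space is the 1317.8 MB left inside the extended partition after the logical partition 5, so a new partition there would have to be a logical one; the 3 MB after the extended partition is too small to matter. On a live system feed it the output of parted's print command, for example from parted /dev/sda print when parted is run non-interactively.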
1.2. Creating a Partition
Warning
Do not attempt to create a partition on a device that is in use.
Before creating a partition, boot into rescue mode (or unmount any partitions on the
device and turn off any swap space on the device).
Start parted, where /dev/sda is the device on which to create the partition:
parted /dev/sda
View the current partition table to determine if there is enough free space:
print
If there is not enough free space, you can resize an existing partition. Refer to
Section 1.4, "Resizing a Partition" for details.
1.2.1. Making the Partition
From the partition table, determine the start and end points of the new partition and
what partition type it should be. You can only have four primary partitions (with no
extended partition) on a device. If you need more than four partitions, you can have
three primary partitions, one extended partition, and multiple logical partitions
within the extended. For an overview of disk partitions, refer to the appendix An
Introduction to Disk Partitions in the Red Hat Enterprise Linux Installation Guide.
For example, to create a primary partition with an ext3 file system from 1024
megabytes until 2048 megabytes on a hard drive, type the following command:
mkpart primary ext3 1024 2048
Tip
If you use the mkpartfs command instead, the file system is created
after the partition is created. However, parted does not support
creating an ext3 file system. Thus, if you wish to create an ext3 file
system, use mkpart and create the file system with the mkfs command
as described later. mkpartfs works for file system type linux-swap.
The changes start taking place as soon as you press Enter, so review the command
before executing it.
After creating the partition, use the print command to confirm that it is in the
partition table with the correct partition type, file system type, and size. Also
remember the minor number of the new partition so that you can label it. You
should also view the output of
cat /proc/partitions
to make sure the kernel recognizes the new partition.
1.2.2. Formatting the Partition
The partition still does not have a file system. Create the file system:
/sbin/mkfs -t ext3 /dev/sda6
Warning
Formatting the partition permanently destroys any data that currently
exists on the partition.
1.2.3. Labeling the Partition
Next, give the partition a label. For example, if the new partition is /dev/sda6 and you
want to label it /work:
e2label /dev/sda6 /work
By default, the installation program uses the mount point of the partition as the
label to make sure the label is unique. You can use any label you want.
1.2.4. Creating the Mount Point
As root, create the mount point:
mkdir /work
1.2.5. Add to /etc/fstab
As root, edit the /etc/fstab file to include the new partition. The new line should look
similar to the following:
LABEL=/work /work ext3 defaults 1 2
The first column should contain LABEL= followed by the label you gave the partition.
The second column should contain the mount point for the new partition, and the
next column should be the file system type (for example, ext3 or swap). If you need
more information about the format, read the man page with the command man
fstab.
If the fourth column is the word defaults, the partition is mounted at boot time. To
mount the partition without rebooting, as root, type the command:
mount /work
1.3. Removing a Partition
Warning
Do not attempt to remove a partition on a device that is in use.
Before removing a partition, boot into rescue mode (or unmount any partitions on
the device and turn off any swap space on the device).
Start parted, where /dev/sda is the device on which to remove the partition:
parted /dev/sda
View the current partition table to determine the minor number of the partition to
remove:
print
Remove the partition with the command rm. For example, to remove the partition
with minor number 3:
rm 3
The changes start taking place as soon as you press Enter, so review the command
before committing to it.
After removing the partition, use the print command to confirm that it is removed
from the partition table. You should also view the output of
cat /proc/partitions
to make sure the kernel knows the partition is removed.
The last step is to remove it from the /etc/fstab file. Find the line that declares the
removed partition, and remove it from the file.
1.4. Resizing a Partition
Warning
Do not attempt to resize a partition on a device that is in use.
Before resizing a partition, boot into rescue mode (or unmount any partitions on the
device and turn off any swap space on the device).
Start parted, where /dev/sda is the device on which to resize the partition:
parted /dev/sda
View the current partition table to determine the minor number of the partition to
resize as well as the start and end points for the partition:
print
Warning
The used space of the partition to resize must not be larger than the
new size.
To resize the partition, use the resize command followed by the minor number for
the partition, the starting place in megabytes, and the end place in megabytes. For
example:
resize 3 1024 2048
After resizing the partition, use the print command to confirm that the partition has
been resized correctly, is the correct partition type, and is the correct file system
type.
After rebooting the system into normal mode, use the command df to make sure the
partition was mounted and is recognized with the new size.
2. LVM Partition Management
The following commands can be found by issuing lvm help at a command prompt.
Command       Description
dumpconfig    Dump the active configuration
formats       List the available metadata formats
help          Display the help commands
lvchange      Change the attributes of logical volume(s)
lvcreate      Create a logical volume
lvdisplay     Display information about a logical volume
lvextend      Add space to a logical volume
lvmchange     Due to use of the device mapper, this command has been deprecated
lvmdiskscan   List devices that may be used as physical volumes
lvmsadc       Collect activity data
lvmsar        Create activity report
lvreduce      Reduce the size of a logical volume
lvremove      Remove logical volume(s) from the system
lvrename      Rename a logical volume
lvresize      Resize a logical volume
lvs           Display information about logical volumes
lvscan        List all logical volumes in all volume groups
pvchange      Change attributes of physical volume(s)
pvcreate      Initialize physical volume(s) for use by LVM
pvdata        Display the on-disk metadata for physical volume(s)
pvdisplay     Display various attributes of physical volume(s)
pvmove        Move extents from one physical volume to another
pvremove      Remove LVM label(s) from physical volume(s)
pvresize      Resize a physical volume in use by a volume group
pvs           Display information about physical volumes
pvscan        List all physical volumes
segtypes      List available segment types
vgcfgbackup   Backup volume group configuration
vgcfgrestore  Restore volume group configuration
vgchange      Change volume group attributes
vgck          Check the consistency of a volume group
vgconvert     Change volume group metadata format
vgcreate      Create a volume group
vgdisplay     Display volume group information
vgexport      Unregister a volume group from the system
vgextend      Add physical volumes to a volume group
vgimport      Register exported volume group with system
vgmerge       Merge volume groups
vgmknodes     Create the special files for volume group devices in /dev/
vgreduce      Remove a physical volume from a volume group
vgremove      Remove a volume group
vgrename      Rename a volume group
vgs           Display information about volume groups
vgscan        Search for all volume groups
vgsplit       Move physical volumes into a new volume group
version       Display software and driver version information
Table 12.2. LVM commands
Chapter 13. Implementing Disk Quotas
Disk space can be restricted by implementing disk quotas which alert a system
administrator before a user consumes too much disk space or a partition becomes
full.
Disk quotas can be configured for individual users as well as user groups. This kind
of flexibility makes it possible to give each user a small quota to handle "personal"
files (such as email and reports), while allowing the projects they work on to have
more sizable quotas (assuming the projects are given their own groups).
In addition, quotas can be set not just to control the number of disk blocks
consumed but to control the number of inodes (data structures that contain
information about files in UNIX file systems). Because inodes are used to contain
file-related information, this allows control over the number of files that can be
created.
The quota RPM must be installed to implement disk quotas.
1. Configuring Disk Quotas
To implement disk quotas, use the following steps:
1. Enable quotas per file system by modifying the /etc/fstab file.
2. Remount the file system(s).
3. Create the quota database files and generate the disk usage table.
4. Assign quota policies.
Each of these steps is discussed in detail in the following sections.
1.1. Enabling Quotas
As root, using a text editor, edit the /etc/fstab file. Add the usrquota and/or grpquota
options to the file systems that require quotas:
/dev/VolGroup00/LogVol00 /        ext3   defaults                    1 1
LABEL=/boot              /boot    ext3   defaults                    1 2
none                     /dev/pts devpts gid=5,mode=620              0 0
none                     /dev/shm tmpfs  defaults                    0 0
none                     /proc    proc   defaults                    0 0
none                     /sys     sysfs  defaults                    0 0
/dev/VolGroup00/LogVol02 /home    ext3   defaults,usrquota,grpquota  1 2
/dev/VolGroup00/LogVol01 swap     swap   defaults                    0 0
...
In this example, the /home file system has both user and group quotas enabled.
Note
The following examples assume that a separate /home partition was
created during the installation of Red Hat Enterprise Linux. Although
not ideal, the root (/) partition (the installation default created
partition) can be used for setting quota policies in the /etc/fstab file.
1.2. Remounting the File Systems
After adding the usrquota and/or grpquota options, remount each file system whose
fstab entry has been modified. If the file system is not in use by any process, use
one of the following methods:
Issue the umount command followed by the mount command to remount the file
system.
Issue the mount -o remount /home command to remount the file system.
If the file system is currently in use, the easiest method for remounting the file
system is to reboot the system.
1.3. Creating the Quota Database Files
After each quota-enabled file system is remounted, the system is capable of
working with disk quotas. However, the file system itself is not yet ready to support
quotas. The next step is to run the quotacheck command.
The quotacheck command examines quota-enabled file systems and builds a table of
the current disk usage per file system. The table is then used to update the
operating system's copy of disk usage. In addition, the file system's disk quota files
are updated.
To create the quota files (aquota.user and aquota.group) on the file system, use the -c
option of the quotacheck command. For example, if user and group quotas are
enabled for the /home file system, create the files in the /home directory:
quotacheck -cug /home
The -c option specifies that the quota files should be created for each file system
with quotas enabled, the -u option specifies to check for user quotas, and the -g
option specifies to check for group quotas.
If neither the -u or -g options are specified, only the user quota file is created. If only
-g is specified, only the group quota file is created.
After the files are created, run the following command to generate the table of
current disk usage per file system with quotas enabled:
quotacheck -avug
The options used are as follows:
a - Check all quota-enabled, locally-mounted file systems
v - Display verbose status information as the quota check proceeds
u - Check user disk quota information
g - Check group disk quota information
After quotacheck has finished running, the quota files corresponding to the enabled
quotas (user and/or group) are populated with data for each quota-enabled
locally-mounted file system such as /home.
1.4. Assigning Quotas per User
The last step is assigning the disk quotas with the edquota command.
To configure the quota for a user, as root in a shell prompt, execute the command:
edquota username
Perform this step for each user who needs a quota. For example, if a quota is
enabled in /etc/fstab for the /home partition (/dev/VolGroup00/LogVol02) and the
command edquota testuser is executed, the following is shown in the editor
configured as the default for the system:
Disk quotas for user testuser (uid 501):
  Filesystem                  blocks    soft    hard  inodes  soft  hard
  /dev/VolGroup00/LogVol02    440436       0       0   37418     0     0
Note
The text editor defined by the EDITOR environment variable is used by
edquota. To change the editor, set the EDITOR environment variable in
your ~/.bash_profile file to the full path of the editor of your choice.
The first column is the name of the file system that has a quota enabled for it. The
second column shows how many blocks the user is currently using. The next two
columns are used to set soft and hard block limits for the user on the file system.
The inodes column shows how many inodes the user is currently using. The last two
columns are used to set the soft and hard inode limits for the user on the file
system.
A hard limit is the absolute maximum amount of disk space that a user or group can
use. Once this limit is reached, no further disk space can be used.
The soft limit defines the maximum amount of disk space that can be used.
However, unlike the hard limit, the soft limit can be exceeded for a certain amount
of time. That time is known as the grace period. The grace period can be expressed
in seconds, minutes, hours, days, weeks, or months.
If any of the values are set to 0, that limit is not set. In the text editor, change the
desired limits. For example:
Disk quotas for user testuser (uid 501):
  Filesystem                  blocks    soft    hard  inodes  soft  hard
  /dev/VolGroup00/LogVol02    440436  500000  550000   37418     0     0
To verify that the quota for the user has been set, use the command:
quota testuser
1.5. Assigning Quotas per Group
Quotas can also be assigned on a per-group basis. For example, to set a group
quota for the devel group (the group must exist prior to setting the group quota),
use the command:
edquota -g devel
This command displays the existing quota for the group in the text editor:
Disk quotas for group devel (gid 505):
  Filesystem                  blocks    soft    hard  inodes  soft  hard
  /dev/VolGroup00/LogVol02    440400       0       0   37418     0     0
Modify the limits, save the file, and exit the editor to apply the quota.
To verify that the group quota has been set, use the command:
quota -g devel
1.6. Assigning Quotas per File System
To assign quotas based on each file system enabled for quotas, use the command:
edquota -t
Like the other edquota commands, this one opens the current quotas for the file
system in the text editor:
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
  Filesystem                       Block grace period  Inode grace period
  /dev/mapper/VolGroup00-LogVol02  7days               7days
Change the block grace period or inode grace period, save the changes to the file,
and exit the text editor.
2. Managing Disk uotas
If quotas are mpemented, they need some mantenance - mosty n the form of
watchng to see f the quotas are exceeded and makng sure the quotas are
accurate. Of course, f users repeatedy exceeds ther quotas or consstenty
reaches ther soft mts, a system admnstrator has a few choces to make
dependng on what type of users they are and how much dsk space mpacts ther
work. The admnstrator can ether hep the user determne how to use ess dsk
space or ncrease the user's dsk quota f needed.
2.1. Enabling and Disabling
It s possbe to dsabe quotas wthout settng them to be 0. To turn a user and
group quotas off, use the foowng command:
quotaoff -vaug
If nether the -u or -g optons are specfed, ony the user quotas are dsabed. If ony
-g s specfed, ony group quotas are dsabed.
To enabe quotas agan, use the quotaon command wth the same optons.
For exampe, to enabe user and group quotas for a fe systems, use the foowng
command:
quotaon -vaug
To enabe quotas for a specfc fe system, such as /home, use the foowng
command:
quotaon -vug /home
If nether the -u or -g optons are specfed, ony the user quotas are enabed. If ony
-g s specfed, ony group quotas are enabed.
2.2. Reporting on Disk uotas
Chapter 13. lmplementing Disk...
140
Creating a disk usage report entails running the repquota utility. For example, the
command repquota /home produces this output:
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      36       0       0              4     0     0
kristin   --     540       0       0            125     0     0
testuser  --  440400  500000  550000          37418     0     0
To view the disk usage report for all (option -a) quota-enabled file systems, use the
command:
repquota -a
While the report is easy to read, a few points should be explained. The -- displayed
after each user is a quick way to determine whether the block or inode limits have
been exceeded. If either soft limit is exceeded, a + appears in place of the
corresponding -; the first - represents the block limit, and the second represents the
inode limit.
The grace columns are normally blank. If a soft limit has been exceeded, the column
contains a time specification equal to the amount of time remaining on the grace
period. If the grace period has expired, none appears in its place.
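The flag and grace columns described above are what an administrator scans for when watching for exceeded quotas. The following POSIX shell function is an added example, not part of this manual: it reads a repquota report on standard input and prints one line per user whose block or inode soft limit has been exceeded, together with the remaining grace period (or "none" once it has expired). The report text embedded below is constructed for the example; the testuser and builder rows are made up and do not come from a real system. The function relies on the layout shown above, where the grace column is printed only when the corresponding soft limit is exceeded, so an exceeded block limit shifts the inode columns one field to the right.

```shell
#!/bin/sh
# Constructed sample of "repquota /home" output (not captured from a real host).
# testuser is over its block soft limit with 6 days of grace left; builder is over
# its inode soft limit and the grace period has already expired ("none").
SAMPLE_REPORT='*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      36       0       0              4     0     0
kristin   --     540       0       0            125     0     0
testuser  +-  540400  500000  550000  6days   37418     0     0
builder   -+    1200  100000  110000          21000 20000 25000   none'

# quota_overlimit: print "<user> blocks|inodes <grace>" for every data row whose
# flag column ("--", "+-", "-+" or "++") contains a "+". Reads the report on stdin.
quota_overlimit() {
    awk '
    # Data rows start after the dashed separator line.
    /^-+$/ { body = 1; next }
    body && NF >= 2 && $2 ~ /^[-+][-+]$/ {
        flags = $2
        # Fields 3-5 are block used/soft/hard. A block grace value is present only
        # when the block flag is "+", which pushes the inode fields one to the right.
        if (substr(flags, 1, 1) == "+") {
            print $1, "blocks", $6
            igrace = $10
        } else {
            igrace = $9
        }
        if (substr(flags, 2, 1) == "+") {
            print $1, "inodes", igrace
        }
    }'
}

# Stand-alone demonstration: run the function over the constructed report.
printf '%s\n' "$SAMPLE_REPORT" | quota_overlimit
```

On a real system the same function would be fed with repquota -a; because it only prints exceeded limits, an empty result from a cron job means nothing needs attention.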
2.3. Keeping Quotas Accurate
Whenever a file system is not unmounted cleanly (due to a system crash, for
example), it is necessary to run quotacheck. However, quotacheck can be run on a
regular basis, even if the system has not crashed. Running the following command
periodically keeps the quotas more accurate (the options used have been described
in Section 1.1, "Enabling Quotas"):
quotacheck -avug
The easiest way to run it periodically is to use cron. As root, either use the crontab -e
command to schedule a periodic quotacheck or place a script that runs quotacheck in
any one of the following directories (using whichever interval best matches your
needs):
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
The most accurate quota statistics can be obtained when the file system(s)
analyzed are not in active use. Thus, the cron task should be scheduled during a time
when the file system(s) are used the least. If this time varies for different file
systems with quotas, run quotacheck for each file system at different times with
multiple cron tasks.
Refer to Chapter 34, Automated Tasks for more information about configuring cron.
3. Additional Resources
For more information on disk quotas, refer to the following resources.
3.1. Installed Documentation
The quotacheck, edquota, repquota, quota, quotaon, and quotaoff man pages
3.2. Related Books
Red Hat Enterprise Linux Introduction to System Administration; Red Hat, Inc. -
Available at http://www.redhat.com/docs/ and on the Documentation CD, this
manual contains background information on storage management (including disk
quotas) for new Red Hat Enterprise Linux system administrators.
Chapter 14. Access Control Lists
Files and directories have permission sets for the owner of the file, the group
associated with the file, and all other users of the system. However, these
permission sets have limitations. For example, different permissions cannot be
configured for different users. Thus, Access Control Lists (ACLs) were implemented.
The Red Hat Enterprise Linux 5.0.0 kernel provides ACL support for the ext3 file
system and NFS-exported file systems. ACLs are also recognized on ext3 file
systems accessed via Samba.
Along with support in the kernel, the acl package is required to implement ACLs. It
contains the utilities used to add, modify, remove, and retrieve ACL information.
The cp and mv commands copy or move any ACLs associated with files and
directories.
1. Mounting File Systems
Before using ACLs for a file or directory, the partition for the file or directory must
be mounted with ACL support. If it is a local ext3 file system, it can be mounted with
the following command:
mount -t ext3 -o acl <device-name> <partition>
For example:
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition
can include the acl option:
LABEL=/work /work ext3 acl 1 2
If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the
ACLs are recognized because Samba has been compiled with the --with-acl-support
option. No special flags are required when accessing or mounting a Samba share.
1.1. NFS
By default, if the file system being exported by an NFS server supports ACLs and the
NFS client can read ACLs, ACLs are utilized by the client system.
To disable ACLs on NFS shares when configuring the server, include the no_acl
option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a
client, mount it with the no_acl option via the command line or the /etc/fstab file.
2. Setting Access ACLs
There are two types of ACLs: access ACLs and default ACLs. An access ACL is the
access control list for a specific file or directory. A default ACL can only be
associated with a directory; if a file within the directory does not have an access
ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.
ACLs can be configured:
1. Per user
2. Per group
3. Via the effective rights mask
4. For users not in the user group for the file
The setfacl utility sets ACLs for files and directories. Use the -m option to add or
modify the ACL of a file or directory:
setfacl -m <rules> <files>
Rules (<rules>) must be specified in the following formats. Multiple rules can be
specified in the same command if they are separated by commas.
u:<uid>:<perms>
Sets the access ACL for a user. The user name or UID may be specified. The user
may be any valid user on the system.
g:<gid>:<perms>
Sets the access ACL for a group. The group name or GID may be specified. The
group may be any valid group on the system.
m:<perms>
Sets the effective rights mask. The mask is the union of all permissions of the
owning group and all of the user and group entries.
o:<perms>
Sets the access ACL for users other than the ones in the group for the file.
White space is ignored. Permissions (<perms>) must be a combination of the
characters r, w, and x for read, write, and execute.
If a file or directory already has an ACL, and the setfacl command is used, the
additional rules are added to the existing ACL or the existing rule is modified.
For example, to give read and write permissions to user andrius:
setfacl -m u:andrius:rw /project/somefile
To remove all the permissions for a user, group, or others, use the -x option and do
not specify any permissions:
setfacl -x <rules> <files>
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile
3. Setting Default ACLs
To set a default ACL, add d: before the rule and specify a directory instead of a file
name.
For example, to set the default ACL for the /share/ directory to read and execute for
users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
4. Retrieving ACLs
To determine the existing ACLs for a file or directory, use the getfacl command:
getfacl <filename>
It returns output similar to the following:
# file: file
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
If a directory is specified, and it has a default ACL, the default ACL is also displayed,
such as:
# file: file
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:andrius:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
5. Archiving File Systems With ACLs
Warning
The tar and dump commands do not back up ACLs.
The star utility is similar to the tar utility in that it can be used to generate archives
of files; however, some of its options are different. Refer to Table 14.1, "Command
Line Options for star" for a listing of more commonly used options. For all available
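The mask entry shown in this getfacl output is what decides how much of a named user or group entry actually applies: the effective permission of every named user, every named group and the owning group is the intersection of that entry with mask::, while user:: (the owner) and other:: are not limited by it. A rule such as u:smoore:rw therefore grants nothing beyond r-- while the mask is r--. The following POSIX shell function is an added example, not part of this manual or of the acl package: it reads getfacl output on standard input and prints the requested and effective permissions of each masked entry. The ACL listing embedded below is constructed for the example (the smoore and devs entries are made up), and the function ignores default: entries, which carry their own mask.

```shell
#!/bin/sh
# Constructed getfacl output for this example (not taken from a real file).
# The owner asked for rw- for smoore and rwx for the devs group, but the mask
# is r--, so both entries are effectively read-only.
SAMPLE_ACL='# file: project/somefile
# owner: andrius
# group: andrius
user::rw-
user:smoore:rw-
group::r-x
group:devs:rwx
mask::r--
other::---'

# acl_effective: for each entry limited by the mask (named users, named groups and
# the owning group), print "<entry> requested=<perms> effective=<perms>".
acl_effective() {
    awk '
    # Skip the "# file:/owner/group" header, blank lines and default ACL entries.
    /^#/ || /^[ \t]*$/ || /^default:/ { next }
    {
        line = $0
        sub(/[ \t]*#.*$/, "", line)        # drop any "#effective:" annotation getfacl adds
        n = split(line, f, ":")
        if (n != 3) next
        if (f[1] == "mask") { mask = f[3]; next }
        # user:: (owner) and other:: are not subject to the mask, so only keep
        # named users (non-empty qualifier) and every group entry.
        if (f[1] == "group" || (f[1] == "user" && f[2] != "")) {
            label = f[1] ":" f[2]
            if (f[2] == "") label = label ":"   # render the owning group as "group::"
            count++; labels[count] = label; perms[count] = f[3]
        }
    }
    END {
        if (mask == "") mask = "rwx"           # minimal ACL without a mask entry: nothing is masked
        for (i = 1; i <= count; i++) {
            eff = ""
            for (j = 1; j <= 3; j++) {
                c = substr(perms[i], j, 1)
                # A bit survives only if it is set in both the entry and the mask.
                eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
            }
            print labels[i], "requested=" perms[i], "effective=" eff
        }
    }'
}

# Stand-alone demonstration over the constructed listing.
printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

The check is useful after a setfacl -m that "did not take effect": if the requested and effective columns differ, the mask, not the entry, is what has to be changed (setfacl recalculates the mask on -m unless told otherwise, but a mask set explicitly with m:<perms> stays put).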
options, refer to the star man page. The star package is required to use this utility.
Option   Description
-c       Creates an archive file.
-n       Do not extract the files; use in conjunction with -x to show what
         extracting the files does.
-r       Replaces files in the archive. The files are written to the end of the
         archive file, replacing any files with the same path and file name.
-t       Displays the contents of the archive file.
-u       Updates the archive file. The files are written to the end of the archive
         if they do not exist in the archive or if the files are newer than the
         files of the same name in the archive. This option only works if the
         archive is a file or an unblocked tape that may backspace.
-x       Extracts the files from the archive. If used with -U and a file in the
         archive is older than the corresponding file on the file system, the
         file is not extracted.
-help    Displays the most important options.
-xhelp   Displays the least important options.
-/       Do not strip leading slashes from file names when extracting the files
         from an archive. By default, they are stripped when files are extracted.
-acl     When creating or extracting, archive or restore any ACLs associated with
         the files and directories.
Table 14.1. Command Line Options for star
6. Compatibility with Older Systems
If an ACL has been set on any file on a given file system, that file system has the
ext_attr attribute. This attribute can be seen using the following command:
tune2fs -l <filesystem-device>
A file system that has acquired the ext_attr attribute can be mounted with older
kernels, but those kernels do not enforce any ACLs which have been set.
Versions of the e2fsck utility included in version 1.22 and higher of the e2fsprogs
package (including the versions in Red Hat Enterprise Linux 2.1 and 5.0.0) can
check a file system with the ext_attr attribute. Older versions refuse to check it.
7. Additional Resources
Refer to the following resources for more information.
7.1. Installed Documentation
acl man page - Description of ACLs
getfacl man page - Discusses how to get file access control lists
setfacl man page - Explains how to set file access control lists
star man page - Explains more about the star utility and its many options
7.2. Useful Websites
http://acl.bestbits.at/ - Website for ACLs
Part III. Package Management
All software on a Red Hat Enterprise Linux system is divided into RPM packages
which can be installed, upgraded, or removed. This part describes how to manage
the RPM packages on a Red Hat Enterprise Linux system using graphical and
command line tools.
Chapter 15. Package Management with RPM
The RPM Package Manager (RPM) is an open packaging system, available for
anyone to use, which runs on Red Hat Enterprise Linux as well as other Linux and
UNIX systems. Red Hat, Inc. encourages other vendors to use RPM for their own
products. RPM is distributable under the terms of the GPL.
For the end user, RPM makes system updates easy. Installing, uninstalling, and
upgrading RPM packages can be accomplished with short commands. RPM
maintains a database of installed packages and their files, so you can invoke
powerful queries and verifications on your system. If you prefer a graphical
interface, you can use the Package Management Tool to perform many RPM
commands.
During upgrades, RPM handles configuration files carefully, so that you never lose
your customizations, something that you cannot accomplish with regular .tar.gz
files.
For the developer, RPM allows you to take software source code and package it into
source and binary packages for end users. This process is quite simple and is driven
from a single file and optional patches that you create. This clear delineation
between pristine sources and your patches along with build instructions eases the
maintenance of the package as new versions of the software are released.
Note
Because RPM makes changes to your system, you must be root to
install, remove, or upgrade an RPM package.
1. RPM Design Goals
To understand how to use RPM, it can be helpful to understand RPM's design goals:
Upgradability
Using RPM, you can upgrade individual components of your system without
completely reinstalling. When you get a new release of an operating system
based on RPM (such as Red Hat Enterprise Linux), you do not need to reinstall
on your machine (as you do with operating systems based on other packaging
systems). RPM allows intelligent, fully-automated, in-place upgrades of your
system. Configuration files in packages are preserved across upgrades, so you
do not lose your customizations. There are no special upgrade files needed to
upgrade a package because the same RPM file is used to install and upgrade the
package on your system.
Powerful Querying
RPM is designed to provide powerful querying options. You can do searches
through your entire database for packages or just for certain files. You can also
easily find out what package a file belongs to and from where the package
came. The files an RPM package contains are in a compressed archive, with a
custom binary header containing useful information about the package and its
contents, allowing you to query individual packages quickly and easily.
System Verification
Another powerful feature is the ability to verify packages. If you are worried that
you deleted an important file for some package, verify the package. You are
notified of any anomalies. At that point, you can reinstall the package if
necessary. Any configuration files that you modified are preserved during
reinstallation.
Pristine Sources
A crucial design goal was to allow the use of "pristine" software sources, as
distributed by the original authors of the software. With RPM, you have the
pristine sources along with any patches that were used, plus complete build
instructions. This is an important advantage for several reasons. For instance, if
a new version of a program comes out, you do not necessarily have to start from
scratch to get it to compile. You can look at the patch to see what you might
need to do. All the compiled-in defaults, and all of the changes that were made
to get the software to build properly, are easily visible using this technique.
The goal of keeping sources pristine may only seem important for developers,
but it results in higher quality software for end users, too.
2. Using RPM
RPM has five basic modes of operation (not counting package building): installing,
uninstalling, upgrading, querying, and verifying. This section contains an overview
of each mode. For complete details and options, try rpm --help or refer to Section 5,
"Additional Resources" for more information on RPM.
2.1. Finding RPM Packages
Before using an RPM, you must know where to find them. An Internet search returns
many RPM repositories, but if you are looking for RPM packages built by Red Hat,
they can be found at the following locations:
The Red Hat Enterprise Linux CD-ROMs
The Red Hat Errata Page available at http://www.redhat.com/apps/support/errata/
A Red Hat FTP Mirror Site available at
http://www.redhat.com/download/mirror.html
Red Hat Network - Refer to Chapter 16, Red Hat Network for more details on
Red Hat Network
2.2. Installing
RPM packages typically have file names like foo-1.0-1.i386.rpm. The file name
includes the package name (foo), version (1.0), release (1), and architecture (i386).
To install a package, log in as root and type the following command at a shell
prompt:
rpm -Uvh foo-1.0-1.i386.rpm
If installation is successful, the following output is displayed:
Preparing...                ########################################### [100%]
   1:foo                    ########################################### [100%]
As you can see, RPM prints out the name of the package and then prints a
succession of hash marks as the package is installed, as a progress meter.
The signature of a package is checked automatically when installing or upgrading a
package. The signature confirms that the package was signed by an authorized
party. For example, if the verification of the signature fails, an error message such
as the following is displayed:
error: V3 DSA signature: BAD, key ID 0352860f
If it is a new, header-only, signature, an error message such as the following is
displayed:
error: Header V3 DSA signature: BAD, key ID 0352860f
If you do not have the appropriate key installed to verify the signature, the message
contains the word NOKEY such as:
warning: V3 DSA signature: NOKEY, key ID 0352860f
Refer to Section 3, "Checking a Package's Signature" for more information on
checking a package's signature.
Warning
If you are installing a kernel package, you should use rpm -ivh instead.
Refer to Chapter 36, Manually Upgrading the Kernel for details.
Installing packages is designed to be simple, but you may sometimes see errors.
2.2.1. Package Already Installed
If the package of the same version is already installed, the following is displayed:
Preparing...                ########################################### [100%]
package foo-1.0-1 is already installed
If the same version you are trying to install is already installed, and you want to
install the package anyway, you can use the --replacepkgs option, which tells RPM to
ignore the error:
rpm -ivh --replacepkgs foo-1.0-1.i386.rpm
This option is helpful if files installed from the RPM were deleted or if you want the
original configuration files from the RPM to be installed.
2.2.2. Conflicting Files
If you attempt to install a package that contains a file which has already been
installed by another package or an earlier version of the same package, the
following is displayed:
Preparing...                ########################################### [100%]
file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20
To make RPM ignore this error, use the --replacefiles option:
rpm -ivh --replacefiles foo-1.0-1.i386.rpm
2.2.3. Unresolved Dependency
RPM packages can, essentially, depend on other packages, which means that they
require other packages to be installed to run properly. If you try to install a package
which has an unresolved dependency, output similar to the following is displayed:
error: Failed dependencies:
        bar.so.2 is needed by foo-1.0-1
    Suggested resolutions:
        bar-2.0.20-3.i386.rpm
If you are installing a package from the Red Hat Enterprise Linux CD-ROM set, it
usually suggests the package(s) needed to resolve the dependency. Find the
suggested package(s) on the Red Hat Enterprise Linux CD-ROMs or from the Red
Hat FTP site (or mirror), and add it to the command:
rpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpm
If installation of both packages is successful, output similar to the following is
displayed:
Preparing...                ########################################### [100%]
   1:foo                    ########################################### [ 50%]
   2:bar                    ########################################### [100%]
If it does not suggest a package to resolve the dependency, you can try the
--redhatprovides option to determine which package contains the required file. You
need the rpmdb-redhat package installed to use this option.
rpm -q --redhatprovides bar.so.2
If the package that contains bar.so.2 is in the installed database from the
rpmdb-redhat package, the name of the package is displayed:
bar-2.0.20-3.i386.rpm
To force the installation anyway (which is not recommended since the package may
not run correctly), use the --nodeps option.
2.3. Uninstalling
Uninstalling a package is just as simple as installing one. Type the following
command at a shell prompt:
rpm -e foo
Note
Notice that we used the package name foo, not the name of the original
package file foo-1.0-1.i386.rpm. To uninstall a package, replace foo with
the actual package name of the original package.
You can encounter a dependency error when uninstalling a package if another
installed package depends on the one you are trying to remove. For example:
error: Failed dependencies:
        foo is needed by (installed) bar-2.0.20-3.i386.rpm
To cause RPM to ignore this error and uninstall the package anyway, which may
break the package depending on it, use the --nodeps option.
2.4. Upgrading
Upgrading a package is similar to installing one. Type the following command at a
shell prompt:
rpm -Uvh foo-2.0-1.i386.rpm
As part of upgrading a package, RPM automatically uninstalls any old versions of the
foo package. In fact, you may want to always use -U to install packages, which works
even when there are no previous versions of the package installed.
Tip
You don't want to use the -U option for installing kernel packages
because RPM replaces the previous kernel package. This does not
affect a running system, but if the new kernel is unable to boot during
your next restart, there would be no other kernel to boot instead.
Using the -i option adds the kernel to your GRUB boot menu
(/etc/grub.conf). Similarly, removing an old, unneeded kernel removes
the kernel from GRUB.
Because RPM performs intelligent upgrading of packages with configuration files,
you may see a message like the following:
saving /etc/foo.conf as /etc/foo.conf.rpmsave
This message means that your changes to the configuration file may not be forward
compatible with the new configuration file in the package, so RPM saved your
original file and installed a new one. You should investigate the differences between
the two configuration files and resolve them as soon as possible, to ensure that your
system continues to function properly.
Upgrading is really a combination of uninstalling and installing, so during an RPM
upgrade you can encounter uninstalling and installing errors, plus one more. If RPM
thinks you are trying to upgrade to a package with an older version number, the
output is similar to the following:
package foo-2.0-1 (which is newer than foo-1.0-1) is already installed
To force RPM to upgrade anyway, use the --oldpackage option:
rpm -Uvh --oldpackage foo-1.0-1.i386.rpm
2.5. Freshening
Freshening a package is similar to upgrading one. Type the following command at a
shell prompt:
rpm -Fvh foo-1.2-1.i386.rpm
RPM's freshen option checks the versions of the packages specified on the
command line against the versions of packages that have already been installed on
your system. When a newer version of an already-installed package is processed by
RPM's freshen option, it is upgraded to the newer version. However, RPM's freshen
option does not install a package if no previously-installed package of the same
name exists. This differs from RPM's upgrade option, as an upgrade does install
packages, whether or not an older version of the package was already installed.
RPM's freshen option works for single packages or package groups. If you have just
downloaded a large number of different packages, and you only want to upgrade
those packages that are already installed on your system, freshening does the job.
If you use freshening, you do not have to delete any unwanted packages from the
group that you downloaded before using RPM.
In this case, issue the following command:
rpm -Fvh *.rpm
RPM automatically upgrades only those packages that are already installed.
2.6. Querying
Use the rpm -q command to query the database of installed packages. The rpm -q foo
command displays the package name, version, and release number of the installed
package foo:
foo-2.0-1
Note
To query a package, replace foo with the actual package name.
Instead of specifying the package name, use the following options with -q to specify
the package(s) you want to query. These are called Package Selection Options.
-a queries all currently installed packages.
-f <file> queries the package which owns <file>. When specifying a file, you must
specify the full path of the file (for example, /bin/ls).
-p <packagefile> queries the package <packagefile>.
There are a number of ways to specify what information to display about queried
packages. The following options are used to select the type of information for which
you are searching. These are called Information Query Options.
-i displays package information including name, description, release, size, build
date, install date, vendor, and other miscellaneous information.
-l displays the list of files that the package contains.
-s displays the state of all the files in the package.
-d displays a list of files marked as documentation (man pages, info pages,
READMEs, etc.).
-c displays a list of files marked as configuration files. These are the files you
change after installation to adapt the package to your system (for example,
sendmail.cf, passwd, inittab, etc.).
For the options that display lists of files, add -v to the command to display the lists
in a familiar ls -l format.
2.7. Verifying
Verifying a package compares information about files installed from a package with
the same information from the original package. Among other things, verifying
compares the size, MD5 sum, permissions, type, owner, and group of each file.
The command rpm -V verifies a package. You can use any of the Package Verify
Options listed for querying to specify the packages you wish to verify. A simple use
of verifying is rpm -V foo, which verifies that all the files in the foo package are as
they were when they were originally installed. For example:
To verify a package containing a particular file:
rpm -Vf /usr/bin/vim
To verify ALL installed packages:
rpm -Va
To verify an installed package against an RPM package file:
rpm -Vp foo-1.0-1.i386.rpm
This command can be useful if you suspect that your RPM databases are corrupt.
If everything verified properly, there is no output. If there are any discrepancies,
they are displayed. The format of the output is a string of eight characters (a c
denotes a configuration file) and then the file name. Each of the eight characters
denotes the result of a comparison of one attribute of the file to the value of that
attribute recorded in the RPM database. A single period (.) means the test passed.
The following characters denote failure of certain tests:
5 - MD5 checksum
S - file size
L - symbolic link
T - file modification time
D - device
U - user
G - group
M - mode (includes permissions and file type)
? - unreadable file
If you see any output, use your best judgment to determine if you should remove or
reinstall the package, or fix the problem in another way.
3. Checking a Package's Signature
If you wish to verify that a package has not been corrupted or tampered with,
examine only the md5sum by typing the following command at a shell prompt
(replace <rpm-file> with the file name of the RPM package):
rpm -K --nosignature <rpm-file>
The message <rpm-file>: md5 OK is displayed. This brief message means that the file
was not corrupted by the download. To see a more verbose message, replace -K
with -Kvv in the command.
On the other hand, how trustworthy is the developer who created the package? If
the package is signed with the developer's GnuPG key, you know that the developer
really is who they say they are.
An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you
make certain your downloaded package is trustworthy.
GnuPG is a tool for secure communication; it is a complete and free replacement for
the encryption technology of PGP, an electronic privacy program. With GnuPG, you
can authenticate the validity of documents and encrypt/decrypt data to and from
other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files as well.
During installation, GnuPG is installed by default. That way you can immediately
start using GnuPG to verify any packages that you receive from Red Hat. First, you
must import Red Hat's public key.
3.1. Importing Keys
To verify Red Hat packages, you must import the Red Hat GPG key. To do so,
execute the following command at a shell prompt:
rpm --import /usr/share/rhn/RPM-GPG-KEY
To display a list of all keys installed for RPM verification, execute the command:
rpm -qa gpg-pubkey*
For the Red Hat key, the output includes:
gpg-pubkey-db42a60e-37ea5438
To display details about a specific key, use rpm -q followed by the output from the
previous command:
rpm -q gpg-pubkey-db42a60e-37ea5438
3.2. Verifying Signature of Packages
To check the GnuPG signature of an RPM file after importing the builder's GnuPG
key, use the following command (replace <rpm-file> with the file name of the RPM
package):
rpm -K <rpm-file>
If all goes well, the following message is displayed: md5 gpg OK. That means that the
signature of the package has been verified and that it is not corrupt.
4. Impressing Your Friends with RPM
RPM is a useful tool for both managing your system and diagnosing and fixing
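Reading rpm -V output by eye works for one package, but rpm -Va over a whole system produces many lines, most of them harmless (an edited configuration file, a touched timestamp). The following POSIX shell function is an added example, not part of this manual or of the rpm package: it reads rpm -V lines on standard input and sorts them by what a defender would want to look at first, using the attribute letters listed above. A changed MD5 checksum (5) on a file that is not a configuration file (no c marker) is the case that calls for reinstalling the package and asking how the file changed; a changed mode, user or group (M, U, G) is next; a 5 on a configuration file is usually a local edit; and a timestamp-only change (T) is informational. The sample lines below are constructed for this example and do not come from a real system.

```shell
#!/bin/sh
# Constructed rpm -V output for this example (not captured from a real host).
# Layout follows the manual: eight attribute characters, an optional "c" for a
# configuration file, then the path.
SAMPLE_RPMV='S.5....T  c /etc/ssh/sshd_config
..5....T    /usr/bin/ls
.M......    /usr/bin/passwd
missing     /usr/share/doc/foo/README
.......T    /usr/lib/libfoo.so.1'

# rpmv_triage: print "<SEVERITY> <reason> <path>" for each rpm -V line on stdin.
rpmv_triage() {
    awk '
    # A file recorded in the RPM database that no longer exists.
    $1 == "missing" { print "MISSING", $NF; next }
    length($1) == 8 {
        flags = $1
        type  = (NF >= 3) ? $2 : ""     # "c" marks a configuration file
        path  = $NF
        if (index(flags, "5") && type != "c")
            sev = "HIGH content-changed"          # payload differs from the package
        else if (index(flags, "M") || index(flags, "U") || index(flags, "G"))
            sev = "MEDIUM ownership-or-mode-changed"
        else if (index(flags, "5") && type == "c")
            sev = "LOW config-edited"             # expected for locally adapted config
        else
            sev = "INFO metadata-only"            # size/time/link changes without a 5
        print sev, path
    }'
}

# Stand-alone demonstration over the constructed lines.
printf '%s\n' "$SAMPLE_RPMV" | rpmv_triage
```

Fed with rpm -Va, the HIGH lines are the ones to act on: reinstall the owning package (rpm -qf <path> names it) and compare the file with the freshly installed copy. The checks are only as trustworthy as the RPM database and the rpm binary themselves, which is why rpm -Vp against a known-good package file is the stronger form when the database itself is in doubt.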
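The distinction the manual draws between md5 OK (the download is intact) and md5 gpg OK (a signature from an imported key also verified) is the one an administrator should enforce before installing a directory of downloaded packages: an intact digest says nothing about who built the file. The following POSIX shell functions are an added example, not part of this manual or of rpm: they read rpm -K output on standard input, classify each package, and list only the packages whose signature verified. The md5 gpg OK and md5 OK lines follow the forms quoted above; the NOT OK line is an assumed form for a failed check and the package names are constructed for the example.

```shell
#!/bin/sh
# Constructed "rpm -K *.rpm" output for this example (not from a real session).
# foo verified against an imported key; bar only passed the digest check (unsigned,
# or signed with a key that was never imported); baz failed verification.
SAMPLE_K='foo-1.0-1.i386.rpm: md5 gpg OK
bar-2.0.20-3.i386.rpm: md5 OK
baz-0.9-2.i386.rpm: md5 gpg NOT OK'

# rpmk_classify: print "<VERDICT> <package file>" for each rpm -K line on stdin.
rpmk_classify() {
    awk '
    {
        pkg = $1
        sub(/:$/, "", pkg)                    # strip the trailing colon after the file name
        if ($0 ~ /NOT OK/ || $0 ~ /BAD/)
            verdict = "REJECT"                # digest or signature check failed
        else if ($0 ~ /gpg OK$/)
            verdict = "TRUSTED"               # signature verified with an imported key
        else if ($0 ~ /md5 OK$/)
            verdict = "DIGEST_ONLY"           # intact, but no signature was verified
        else
            verdict = "UNKNOWN"
        print verdict, pkg
    }'
}

# rpmk_installable: the subset of packages that are safe to pass to rpm -Uvh.
rpmk_installable() {
    rpmk_classify | awk '$1 == "TRUSTED" { print $2 }'
}

# Stand-alone demonstration over the constructed output.
printf '%s\n' "$SAMPLE_K" | rpmk_classify
```

In practice the pipeline is rpm -K *.rpm | rpmk_installable | xargs rpm -Uvh; a DIGEST_ONLY package should be investigated (has the vendor's key been imported with rpm --import?) rather than installed with checks bypassed.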
problems. The best way to make sense of all of its options is to look at some
examples.
Perhaps you have deleted some files by accident, but you are not sure what you
deleted. To verify your entire system and see what might be missing, you could
try the following command:
rpm -Va
If some files are missing or appear to have been corrupted, you should probably
either re-install the package or uninstall and then re-install the package.
At some point, you might see a file that you do not recognize. To find out which
package owns it, enter:
rpm -qf /usr/bin/ggv
The output would look like the following:
ggv-2.6.0-2
We can combine the above two examples in the following scenario. Say you are
having problems with /usr/bin/paste. You would like to verify the package that owns
that program, but you do not know which package owns paste. Enter the following
command,
rpm -Vf /usr/bin/paste
and the appropriate package is verified.
Do you want to find out more information about a particular program? You can try
the following command to locate the documentation which came with the
package that owns that program:
rpm -qdf /usr/bin/free
The output would be similar to the following:
/usr/share/doc/procps-3.2.3/BUGS
/usr/share/doc/procps-3.2.3/FAQ
/usr/share/doc/procps-3.2.3/NEWS
/usr/share/doc/procps-3.2.3/TODO
/usr/share/man/man1/free.1.gz
/usr/share/man/man1/pgrep.1.gz
/usr/share/man/man1/pkill.1.gz
/usr/share/man/man1/pmap.1.gz
/usr/share/man/man1/ps.1.gz
/usr/share/man/man1/skill.1.gz
/usr/share/man/man1/slabtop.1.gz
/usr/share/man/man1/snice.1.gz
/usr/share/man/man1/tload.1.gz
/usr/share/man/man1/top.1.gz
/usr/share/man/man1/uptime.1.gz
/usr/share/man/man1/w.1.gz
/usr/share/man/man1/watch.1.gz
/usr/share/man/man5/sysctl.conf.5.gz
/usr/share/man/man8/sysctl.8.gz
/usr/share/man/man8/vmstat.8.gz
You may find a new RPM, but you do not know what it does. To find information
about it, use the following command:
rpm -qpi crontabs-1.10-7.noarch.rpm
The output would be similar to the following:
Name        : crontabs                     Relocations: (not relocatable)
Version     : 1.10                              Vendor: Red Hat, Inc.
Release     : 7                             Build Date: Mon 20 Sep 2004 05:58:10 PM EDT
Install Date: (not installed)               Build Host: tweety.build.redhat.com
Group       : System Environment/Base       Source RPM: crontabs-1.10-7.src.rpm
Size        : 1004                             License: Public Domain
Signature   : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : Root crontab files used to schedule the execution of programs.
Description :
The crontabs package contains root crontab files. Crontab is the
program used to install, uninstall, or list the tables used to drive the
cron daemon. The cron daemon checks the crontab files to see when
particular commands are scheduled to be executed. If commands are
scheduled, then it executes them.
Perhaps you now want to see what files the crontabs RPM installs. You would enter
the following:
rpm -qpl crontabs-1.10-5.noarch.rpm
The output is similar to the following:
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/crontab
/usr/bin/run-parts
These are just a few examples. As you use it, you will find many more uses for RPM.
5. Additional Resources
RPM is an extremely complex utility with many options and methods for querying,
installing, upgrading, and removing packages. Refer to the following resources to
learn more about RPM.
5.1. Installed Documentation
rpm --help - This command displays a quick reference of RPM parameters.
man rpm - The RPM man page gives more detail about RPM parameters than the
rpm --help command.
5.2. Useful Websites
http://www.rpm.org/ - The RPM website.
http://www.redhat.com/mailman/listinfo/rpm-list/ - The RPM mailing list is
archived here. To subscribe, send mail to <rpm-list-request@redhat.com> with the
word subscribe in the subject line.
5.3. Related Books
Red Hat RPM Guide by Eric Foster-Johnson; Wiley, John & Sons, Incorporated -
This book is a comprehensive guide to RPM, from installing packages to building
RPMs.
Chapter 16. Red Hat Network
Red Hat Network is an Internet solution for managing one or more Red Hat
Enterprise Linux systems. All Security Alerts, Bug Fix Alerts, and Enhancement
Alerts (collectively known as Errata Alerts) can be downloaded directly from Red Hat
using the Package Updater standalone application or through the RHN website
available at https://rhn.redhat.com/.
Figure 16.1. Your RHN
Red Hat Network saves you time because you receive email when updated
packages are released. You do not have to search the Web for updated packages or
security alerts. By default, Red Hat Network installs the packages as well. You do
not have to learn how to use RPM or worry about resolving software package
dependencies; RHN does it all.
Red Hat Network features include:
Errata Alerts - learn when Security Alerts, Bug Fix Alerts, and Enhancement
Alerts are issued for all the systems in your network
Figure 16.2. Relevant Errata
Automatic email notifications - Receive an email notification when an Errata Alert
is issued for your system(s)
Scheduled Errata Updates - Schedule delivery of Errata Updates
Package installation - Schedule package installation on one or more systems
with the click of a button
Package Updater - Use the Package Updater to download the latest software
packages for your system (with optional package installation)
Red Hat Network website - Manage multiple systems, download individual
packages, and schedule actions such as Errata Updates through a secure Web
browser connection from any computer
Caution
You must activate your Red Hat Enterprise Linux product before
registering your system with Red Hat Network to make sure your
system is entitled to the correct services. To activate your product, go
to:
http://www.redhat.com/apps/activate/
After activating your product, register it with Red Hat Network to receive Errata
Updates. The registration process gathers information about the system that is
required to notify you of updates. For example, a list of packages installed on the
system is compiled so you are only notified about updates that are relevant to your
system.
The first time the system is booted, the Software Update Setup Assistant
prompts you to register. If you did not register then, select Applications (the main
menu on the panel) => System Tools => Package Updater on your desktop to
start the registration process. Alternately, execute the command yum update from a
shell prompt.
Figure 16.3. Registering with RHN

After registering, use one of the following methods to start receiving updates:

Select Applications (the main menu on the panel) => System Tools => Package Updater on your desktop

Execute the command yum from a shell prompt

Use the RHN website at https://rhn.redhat.com/

Click on the package icon when it appears in the panel to launch the Package Updater.

For more detailed instructions, refer to the documentation available at:

http://www.redhat.com/docs/manuals/RHNetwork/

Tip

Red Hat Enterprise Linux includes a convenient panel icon that displays visible alerts when there is an update for your Red Hat Enterprise Linux system. This panel icon is not present if no updates are available.
Part IV. Network-Related Configuration

After explaining how to configure the network, this part discusses topics related to networking such as how to allow remote logins, share files and directories over the network, and set up a Web server.

Chapter 17. Network Configuration

To communicate with each other, computers must have a network connection. This is accomplished by having the operating system recognize an interface card (such as Ethernet, ISDN modem, or token ring) and configuring the interface to connect to the network.

The Network Administration Tool can be used to configure the following types of network interfaces:

Ethernet
ISDN
modem
xDSL
token ring
CIPE
wireless devices

It can also be used to configure IPsec connections, manage DNS settings, and manage the /etc/hosts file used to store additional hostnames and IP address combinations.

To use the Network Administration Tool, you must have root privileges. To start the application, go to Applications (the main menu on the panel) => System Settings => Network, or type the command system-config-network at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running; otherwise, the text-based version is displayed.

To use the command line version, execute the command system-config-network-cmd --help as root to view all of the options.
Figure 17.1. Network Administration Tool

Tip

Use the Red Hat Hardware Compatibility List (http://hardware.redhat.com/hcl/) to determine if Red Hat Enterprise Linux supports your hardware device.

1. Overview

To configure a network connection with the Network Administration Tool, perform the following steps:

1. Add a network device associated with the physical hardware device.
2. Add the physical hardware device to the hardware list, if it does not already exist.
3. Configure the hostname and DNS settings.
4. Configure any hosts that cannot be looked up through DNS.

This chapter discusses each of these steps for each type of network connection.
2. Establishing an Ethernet Connection

To establish an Ethernet connection, you need a network interface card (NIC), a network cable (usually a CAT5 cable), and a network to connect to. Different networks are configured to use different network speeds; make sure your NIC is compatible with the network to which you want to connect.

To add an Ethernet connection, follow these steps:

1. Click the Devices tab.
2. Click the New button on the toolbar.
3. Select Ethernet connection from the Device Type list, and click Forward.
4. If you have already added the network interface card to the hardware list, select it from the Ethernet card list. Otherwise, select Other Ethernet Card to add the hardware device.

Note

The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the Hardware tab.

5. If you selected Other Ethernet Card, the Select Ethernet Adapter window appears. Select the manufacturer and model of the Ethernet card. Select the device name. If this is the system's first Ethernet card, select eth0 as the device name; if this is the second Ethernet card, select eth1 (and so on). The Network Administration Tool also allows you to configure the resources for the NIC. Click Forward to continue.
6. In the Configure Network Settings window shown in Figure 17.2, "Ethernet Settings", choose between DHCP and a static IP address. If the device receives a different IP address each time the network is started, do not specify a hostname. Click Forward to continue.
7. Click Apply on the Create Ethernet Device page.

Figure 17.2. Ethernet Settings

After configuring the Ethernet device, it appears in the device list as shown in Figure 17.3, "Ethernet Device".

Figure 17.3. Ethernet Device

Be sure to select File => Save to save the changes.

After adding the Ethernet device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured to start at boot time by default. To change this setting, select to edit the device, modify the Activate device when computer starts value, and save the changes.

When the device is added, it is not activated immediately, as seen by its Inactive status. To activate the device, select it from the device list, and click the Activate button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.

If you associate more than one device with an Ethernet card, the subsequent devices are device aliases. A device alias allows you to set up multiple virtual devices for one physical device, thus giving the one physical device more than one IP address. For example, you can configure an eth1 device and an eth1:1 device. For details, refer to Section 11, "Device Aliases".
3. Establishing an ISDN Connection

An ISDN connection is an Internet connection established with an ISDN modem card through a special phone line installed by the phone company. ISDN connections are popular in Europe.

To add an ISDN connection, follow these steps:

1. Click the Devices tab.
2. Click the New button on the toolbar.
3. Select ISDN connection from the Device Type list, and click Forward.
4. Select the ISDN adapter from the pulldown menu. Then configure the resources and D channel protocol for the adapter. Click Forward to continue.

Figure 17.4. ISDN Settings

5. If your Internet Service Provider (ISP) is in the pre-configured list, select it. Otherwise, enter the required information about your ISP account. If you do not know the values, contact your ISP. Click Forward.
6. In the IP Settings window, select the Encapsulation Mode and whether to obtain an IP address automatically or to set a static IP instead. Click Forward when finished.
7. On the Create Dialup Connection page, click Apply.

After configuring the ISDN device, it appears in the device list as a device with type ISDN as shown in Figure 17.5, "ISDN Device".

Be sure to select File => Save to save the changes.

After adding the ISDN device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting. Compression, PPP options, login name, password, and more can be changed.

When the device is added, it is not activated immediately, as seen by its Inactive status. To activate the device, select it from the device list, and click the Activate button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.

Figure 17.5. ISDN Device
4. Establishing a Modem Connection

A modem can be used to configure an Internet connection over an active phone line. An Internet Service Provider (ISP) account (also called a dial-up account) is required.

To add a modem connection, follow these steps:

1. Click the Devices tab.
2. Click the New button on the toolbar.
3. Select Modem connection from the Device Type list, and click Forward.
4. If there is a modem already configured in the hardware list (on the Hardware tab), the Network Administration Tool assumes you want to use it to establish a modem connection. If there are no modems already configured, it tries to detect any modems in the system. This probe might take a while. If a modem is not found, a message is displayed to warn you that the settings shown are not values found from the probe.
5. After probing, the window in Figure 17.6, "Modem Settings" appears.

Figure 17.6. Modem Settings

6. Configure the modem device, baud rate, flow control, and modem volume. If you do not know these values, accept the defaults if the modem was probed successfully. If you do not have touch tone dialing, uncheck the corresponding checkbox. Click Forward.
7. If your ISP is in the pre-configured list, select it. Otherwise, enter the required information about your ISP account. If you do not know these values, contact your ISP. Click Forward.
8. On the IP Settings page, select whether to obtain an IP address automatically or whether to set one statically. Click Forward when finished.
9. On the Create Dialup Connection page, click Apply.

After configuring the modem device, it appears in the device list with the type Modem as shown in Figure 17.7, "Modem Device".

Figure 17.7. Modem Device

Be sure to select File => Save to save the changes.

After adding the modem device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting. Compression, PPP options, login name, password, and more can also be changed.

When the device is added, it is not activated immediately, as seen by its Inactive status. To activate the device, select it from the device list, and click the Activate button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
5. Establishing an xDSL Connection

DSL stands for Digital Subscriber Lines. There are different types of DSL such as ADSL, IDSL, and SDSL. The Network Administration Tool uses the term xDSL to mean all types of DSL connections.

Some DSL providers require that the system is configured to obtain an IP address through DHCP with an Ethernet card. Some DSL providers require you to configure a PPPoE (Point-to-Point Protocol over Ethernet) connection with an Ethernet card. Ask your DSL provider which method to use.

If you are required to use DHCP, refer to Section 2, "Establishing an Ethernet Connection" to configure your Ethernet card.

If you are required to use PPPoE, follow these steps:

1. Click the Devices tab.
2. Click the New button.
3. Select xDSL connection from the Device Type list, and click Forward.
4. If your Ethernet card is in the hardware list, select the Ethernet Device from the pulldown menu from the page shown in Figure 17.8, "xDSL Settings". Otherwise, the Select Ethernet Adapter window appears.

Note

The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the Hardware tab.

Figure 17.8. xDSL Settings

5. If the Select Ethernet Adapter window appears, select the manufacturer and model of the Ethernet card. Select the device name. If this is the system's first Ethernet card, select eth0 as the device name; if this is the second Ethernet card, select eth1 (and so on). The Network Administration Tool also allows you to configure the resources for the NIC. Click Forward to continue.
6. Enter the Provider Name, Login Name, and Password. If you have a T-Online account, instead of entering a Login Name and Password in the default window, click the T-Online Account Setup button and enter the required information. Click Forward to continue.
7. On the Create DSL Connection page, click Apply.

After configuring the DSL connection, it appears in the device list as shown in Figure 17.9, "xDSL Device".

Figure 17.9. xDSL Device

Be sure to select File => Save to save the changes.

After adding the xDSL connection, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting.

When the device is added, it is not activated immediately, as seen by its Inactive status. To activate the device, select it from the device list, and click the Activate button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
6. Establishing a Token Ring Connection

A token ring network is a network in which all the computers are connected in a circular pattern. A token, or a special network packet, travels around the token ring and allows computers to send information to each other.

Tip

For more information on using token rings under Linux, refer to the Linux Token Ring Project website available at http://www.linuxtr.net/.

To add a token ring connection, follow these steps:

1. Click the Devices tab.
2. Click the New button on the toolbar.
3. Select Token Ring connection from the Device Type list and click Forward.
4. If you have already added the token ring card to the hardware list, select it from the Tokenring card list. Otherwise, select Other Tokenring Card to add the hardware device.
5. If you selected Other Tokenring Card, the Select Token Ring Adapter window as shown in Figure 17.10, "Token Ring Settings" appears. Select the manufacturer and model of the adapter. Select the device name. If this is the system's first token ring card, select tr0; if this is the second token ring card, select tr1 (and so on). The Network Administration Tool also allows the user to configure the resources for the adapter. Click Forward to continue.

Figure 17.10. Token Ring Settings

6. On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click Forward to continue.
7. Click Apply on the Create Tokenring Device page.

After configuring the token ring device, it appears in the device list as shown in Figure 17.11, "Token Ring Device".

Figure 17.11. Token Ring Device

Be sure to select File => Save to save the changes.

After adding the device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, you can configure whether the device is started at boot time.

When the device is added, it is not activated immediately, as seen by its Inactive status. To activate the device, select it from the device list, and click the Activate button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
7. Establishing a Wireless Connection

Wireless Ethernet devices are becoming increasingly popular. The configuration is similar to the Ethernet configuration except that it allows you to configure settings such as the SSID and key for the wireless device.

To add a wireless Ethernet connection, follow these steps:

1. Click the Devices tab.
2. Click the New button on the toolbar.
3. Select Wireless connection from the Device Type list and click Forward.
4. If you have already added the wireless network interface card to the hardware list, select it from the Wireless card list. Otherwise, select Other Wireless Card to add the hardware device.

Note

The installation program usually detects supported wireless Ethernet devices and prompts you to configure them. If you configured them during the installation, they are displayed in the hardware list on the Hardware tab.

5. If you selected Other Wireless Card, the Select Ethernet Adapter window appears. Select the manufacturer and model of the Ethernet card and the device. If this is the first Ethernet card for the system, select eth0; if this is the second Ethernet card for the system, select eth1 (and so on). The Network Administration Tool also allows the user to configure the resources for the wireless network interface card. Click Forward to continue.
6. On the Configure Wireless Connection page as shown in Figure 17.12, "Wireless Settings", configure the settings for the wireless device.

Figure 17.12. Wireless Settings

7. On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click Forward to continue.
8. Click Apply on the Create Wireless Device page.

After configuring the wireless device, it appears in the device list as shown in Figure 17.13, "Wireless Device".

Figure 17.13. Wireless Device

Be sure to select File => Save to save the changes.

After adding the wireless device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, you can configure the device to activate at boot time.

When the device is added, it is not activated immediately, as seen by its Inactive status. To activate the device, select it from the device list, and click the Activate button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
8. Managing DNS Settings

The DNS tab allows you to configure the system's hostname, domain, name servers, and search domain. Name servers are used to look up other hosts on the network.

If the DNS server names are retrieved from DHCP or PPPoE (or retrieved from the ISP), do not add primary, secondary, or tertiary DNS servers.

If the hostname is retrieved dynamically from DHCP or PPPoE (or retrieved from the ISP), do not change it.

Figure 17.14. DNS Configuration

Note

The name servers section does not configure the system to be a name server. Instead, it configures which name servers to use when resolving IP addresses to hostnames and vice-versa.

Warning

If the hostname is changed and system-config-network is started on the local host, you may not be able to start another X11 application. As such, you may have to re-login to a new desktop session.
9. Managing Hosts

The Hosts tab allows you to add, edit, or remove hosts from the /etc/hosts file. This file contains IP addresses and their corresponding hostnames.

When your system tries to resolve a hostname to an IP address or tries to determine the hostname for an IP address, it refers to the /etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the /etc/hosts file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts file.

To add an entry to the /etc/hosts file, go to the Hosts tab, click the New button on the toolbar, provide the requested information, and click OK. Select File => Save or press Ctrl-S to save the changes to the /etc/hosts file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.

Warning

Do not remove the localhost entry. Even if the system does not have a network connection or have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.

Figure 17.15. Hosts Configuration

Tip

To change the lookup order, edit the /etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the /etc/hosts file.
10. Working with Profiles

Multiple logical network devices can be created for each physical hardware device. For example, if you have one Ethernet card in your system (eth0), you can create logical network devices with different nicknames and different configuration options, all to be specifically associated with eth0.

Logical network devices are different from device aliases. Logical network devices associated with the same physical device must exist in different profiles and cannot be activated simultaneously. Device aliases are also associated with the same physical hardware device, but device aliases associated with the same physical hardware can be activated at the same time. Refer to Section 11, "Device Aliases" for details about creating device aliases.

Profiles can be used to create multiple configuration sets for different networks. A configuration set can include logical devices as well as hosts and DNS settings. After configuring the profiles, you can use the Network Administration Tool to switch back and forth between them.

By default, there is one profile called Common. To create a new profile, select Profile => New from the pull-down menu, and enter a unique name for the profile. You are now modifying the new profile as indicated by the status bar at the bottom of the main window.

Click on an existing device already in the list and click the Copy button to copy the existing device to a logical network device. If you use the New button, a network alias is created, which is incorrect. To change the properties of the logical device, select it from the list and click Edit. For example, the nickname can be changed to a more descriptive name, such as eth0_office, so that it can be recognized more easily.

In the list of devices, there is a column of checkboxes labeled Profile. For each profile, you can check or uncheck devices. Only the checked devices are included for the currently selected profile. For example, if you create a logical device named eth0_office in a profile called Office and want to activate the logical device if the profile is selected, uncheck the eth0 device and check the eth0_office device.

For example, Figure 17.16, "Office Profile" shows a profile called Office with the logical device eth0_office. It is configured to activate the first Ethernet card using DHCP.

Figure 17.16. Office Profile

Notice that the Home profile as shown in Figure 17.17, "Home Profile" activates the eth0_home logical device, which is associated with eth0.

Figure 17.17. Home Profile

You can also configure eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.

To activate a profile at boot time, modify the boot loader configuration file to include the netprofile=<profilename> option. For example, if the system uses GRUB as the boot loader and /boot/grub/grub.conf contains:

title Red Hat Enterprise Linux (2.6.9-5.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.9-5.EL.img

Modify it to the following (where <profilename> is the name of the profile to be activated at boot time):

title Red Hat Enterprise Linux (2.6.9-5.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
          netprofile=<profilename> \
          rhgb quiet
        initrd /initrd-2.6.9-5.EL.img

To switch profiles after the system has booted, go to Applications (the main menu on the panel) => System Tools => Network Device Control (or type the command system-control-network) to select a profile and activate it. The activate profile section only appears in the Network Device Control interface if more than the default Common interface exists.

Alternatively, execute the following command to enable a profile (replace <profilename> with the name of the profile):

system-config-network-cmd --profile <profilename> --activate
11. Device Aliases

Device aliases are virtual devices associated with the same physical hardware, but they can be activated at the same time to have different IP addresses. They are commonly represented as the device name followed by a colon and a number (for example, eth0:1). They are useful if you want to have multiple IP addresses for a system that only has one network card.

After configuring the Ethernet device, such as eth0, to use a static IP address (DHCP does not work with aliases), go to the Devices tab and click New. Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click Apply to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as eth0:1.

Warning

If you are configuring an Ethernet device to have an alias, neither the device nor the alias can be configured to use DHCP. You must configure the IP addresses manually.

Figure 17.18, "Network Device Alias Example" shows an example of one alias for the eth0 device. Notice the eth0:1 device, the first alias for eth0. The second alias for eth0 would have the device name eth0:2, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the Edit button.

Figure 17.18. Network Device Alias Example

Select the alias and click the Activate button to activate the alias. If you have configured multiple profiles, select which profiles in which to include it.

To verify that the alias has been activated, use the command /sbin/ifconfig. The output should show the device and the device alias with different IP addresses:

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:60:B7:G4
          inet addr:192.168.100.5  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:161930 errors:1 dropped:0 overruns:0 frame:0
          TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0
          collisions:475 txqueuelen:100
          RX bytes:55075551 (52.5 Mb)  TX bytes:178108895 (169.8 Mb)
          Interrupt:10 Base address:0x9000

eth0:1    Link encap:Ethernet  HWaddr 00:A0:CC:60:B7:G4
          inet addr:192.168.100.42  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1627579 (1.5 Mb)  TX bytes:1627579 (1.5 Mb)
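The rules in this section (the device and its aliases must all use static addresses, and each alias needs its own IP address) can be checked from the configuration files rather than from a running system. The following shell script is an added example, not part of this guide; it assumes the KEY=VALUE ifcfg-<device> layout used under /etc/sysconfig/network-scripts, with an alias named like its parent plus ":N" (eth0:1), and the sample files it writes are constructed for the example.

```shell
#!/bin/sh
# check_aliases.sh (added example; not from the guide)
# Assumes ifcfg-<device> files in KEY=VALUE form (DEVICE, BOOTPROTO, IPADDR),
# as found under /etc/sysconfig/network-scripts on Red Hat Enterprise Linux 4.

# ifcfg_get FILE KEY: print the value of KEY from an ifcfg file (quotes stripped).
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | tail -n 1
}

# check_aliases DIR: examine every ifcfg-<dev>:<n> file in DIR.
# Returns 0 when every alias follows the rules of this section (parent and alias
# both static, alias has an IPADDR of its own); otherwise prints one line per
# problem and returns 1.
check_aliases() {
    dir=$1
    status=0
    for f in "$dir"/ifcfg-*:*; do
        [ -f "$f" ] || continue             # glob matched nothing: no aliases
        dev=$(ifcfg_get "$f" DEVICE)
        [ -n "$dev" ] || dev=${f##*/ifcfg-}  # fall back to the file name
        parent=${dev%%:*}
        pf=$dir/ifcfg-$parent
        if [ ! -f "$pf" ]; then
            echo "$dev: parent device $parent has no ifcfg file"
            status=1
            continue
        fi
        pproto=$(ifcfg_get "$pf" BOOTPROTO)
        aproto=$(ifcfg_get "$f" BOOTPROTO)
        # DHCP is not supported on the device or on any of its aliases.
        if [ "$pproto" = dhcp ] || [ "$aproto" = dhcp ]; then
            echo "$dev: DHCP in use (parent=$pproto alias=$aproto); aliases need static addresses"
            status=1
        fi
        pip=$(ifcfg_get "$pf" IPADDR)
        aip=$(ifcfg_get "$f" IPADDR)
        if [ -z "$aip" ]; then
            echo "$dev: no IPADDR set"
            status=1
        elif [ "$aip" = "$pip" ]; then
            echo "$dev: IPADDR $aip is the same as parent $parent"
            status=1
        fi
    done
    return $status
}

# make_sample DIR: write constructed ifcfg files (not taken from a real system)
# so the check can be exercised offline. eth0/eth0:1 follow the rules; eth1 uses
# DHCP, so its alias eth1:1 is misconfigured.
make_sample() {
    mkdir -p "$1"
    printf 'DEVICE=eth0\nBOOTPROTO=static\nIPADDR=192.168.100.5\nNETMASK=255.255.255.0\nONBOOT=yes\n' \
        > "$1/ifcfg-eth0"
    printf 'DEVICE=eth0:1\nBOOTPROTO=static\nIPADDR=192.168.100.42\nNETMASK=255.255.255.0\nONBOOT=yes\n' \
        > "$1/ifcfg-eth0:1"
    printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$1/ifcfg-eth1"
    printf 'DEVICE=eth1:1\nBOOTPROTO=static\nIPADDR=10.0.0.9\nNETMASK=255.255.255.0\nONBOOT=yes\n' \
        > "$1/ifcfg-eth1:1"
}

# On a real system: check_aliases /etc/sysconfig/network-scripts
```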
12. Saving and Restoring the Network Configuration

The command line version of the Network Administration Tool can be used to save the system's network configuration to a file. This file can then be used to restore the network settings to a Red Hat Enterprise Linux system.

This feature can be used as part of an automated backup script, to save the configuration before upgrading or reinstalling, or to copy the configuration to a different Red Hat Enterprise Linux system.

To save, or export, the network configuration of a system to the file /tmp/network-config, execute the following command as root:

system-config-network-cmd -e > /tmp/network-config

To restore, or import, the network configuration from the file created from the previous command, execute the following command as root:

system-config-network-cmd -i -c -f /tmp/network-config

The -i option means to import the data, the -c option means to clear the existing configuration prior to importing, and the -f option specifies that the file to import is as follows.
Chapter 18. Firewalls

Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several tools to assist administrators and security engineers with network-level access control issues.

Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets.

Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. Table 18.1, "Firewall Types" details three common types of firewalls and how they function:
Method: NAT
Description: Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem.
Advantages:
- Can be configured transparently to machines on a LAN
- Protection of many machines and services behind one or more external IP addresses simplifies administration duties
- Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway
Disadvantages:
- Cannot prevent malicious activity once users connect to a service outside of the firewall

Method: Packet Filter
Description: A packet filtering firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
Advantages:
- Customizable through the iptables front-end utility
- Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level
- Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host
Disadvantages:
- Cannot filter packets for content like proxy firewalls
- Processes packets at the protocol layer, but cannot filter packets at an application layer
- Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks

Method: Proxy
Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
Advantages:
- Gives administrators control over what applications and protocols function outside of the LAN
- Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption
- Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network
Disadvantages:
- Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies work with TCP-connected services only)
- Application services cannot run behind a proxy, so your application servers must use a separate form of network security
- Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service

Table 18.1. Firewall Types
1. Netfilter and IPTables

The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled using the iptables tool.

1.1. IPTables Overview

The power and flexibility of Netfilter is implemented using the iptables administration tool, a command line tool similar in syntax to its predecessor, ipchains.

A similar syntax does not mean similar implementation, however. ipchains requires intricate rule sets for: filtering source paths; filtering destination paths; and filtering both source and destination connection ports.

By contrast, iptables uses the Netfilter subsystem to enhance network connection, inspection, and processing. iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

This section provides an overview of iptables.

2. Basic Firewall Configuration

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious software from spreading to your computer. It also helps to prevent unauthorized users from accessing your computer.

In a default Red Hat Enterprise Linux installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.
2.1. Security Level Configuration Tool
Durng the Firewall Configuration screen of the Red Hat Enterprse Lnux
nstaaton, you were gven the opton to enabe a basc frewa as we as to aow
specfc devces, ncomng servces, and ports.
After nstaaton, you can change ths preference by usng the Security Level
Configuration Tool.
To start ths appcaton, use the foowng command:
|root@myServer -| # system-confg-senux
Chapter 18. Firewalls
206
Figure 18.1. Security Level Configuration Tool
Note
The Security Level Configuration Tool ony confgures a basc
frewa.
2.2. Enabling and Disabling the Firewall
Select one of the following options for the firewall:
Disabled - Disabling the firewall provides complete access to your system and does no security checking. This should only be selected if you are running on a trusted network (not the Internet) or need to configure a custom firewall using the iptables command line tool.
Warning
Firewall configurations and any customized firewall rules are stored in the /etc/sysconfig/iptables file. If you choose Disabled and click OK, these configurations and firewall rules will be lost.
Enabled - This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice.
2.3. Trusted Services
Enabling options in the Trusted services list allows the specified service to pass through the firewall.
WWW (HTTP)
The HTTP protocol is used by Apache (and by other Web servers) to serve web pages. If you plan on making your Web server publicly available, select this check box. This option is not required for viewing pages locally or for developing web pages. This service requires that the httpd package be installed.
Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP. If this service is required, select the Secure WWW (HTTPS) check box.
FTP
The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, select this check box. This service requires that the vsftpd package be installed. Like Telnet, FTP sends credentials and data unencrypted; where remote users only need file transfer, SFTP over SSH avoids opening this port at all.
SSH
Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, select this check box. This service requires that the openssh-server package be installed.
Telnet
Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow remote access to the machine via telnet, select this check box. This service requires that the telnet-server package be installed.
Mail (SMTP)
SMTP is a protocol that allows remote hosts to connect directly to your machine to deliver mail. You do not need to enable this service if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
NFS4
The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems. Version 4 of this protocol is more secure than its predecessors. If you want to share files or directories on your system with other network users, select this check box.
Samba
Samba is an implementation of Microsoft's proprietary SMB networking protocol. If you need to share files, directories, or locally-connected printers with Microsoft Windows machines, select this check box.
2.4. Other Ports
The Security Level Configuration Tool includes an Other ports section for specifying custom IP ports as being trusted by iptables. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the Other ports section:
194:tcp,631:tcp
2.5. Saving the Settings
Click OK to save the changes and enable or disable the firewall. If Enable firewall was selected, the options selected are translated to iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables file is removed and the iptables service is stopped immediately.
The selected options are also written to the /etc/sysconfig/system-config-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
Even though the firewall is activated immediately, the iptables service is not configured to start automatically at boot time. Refer to Section 2.6, "Activating the IPTables Service" for more information.
2.6. Activating the IPTables Service
The firewall rules are only active if the iptables service is running. To manually start the service, use the following command:
[root@myServer ~]# service iptables restart
To ensure that iptables starts when the system is booted, use the following command:
[root@myServer ~]# chkconfig --level 345 iptables on
The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:
[root@myServer ~]# service ipchains stop
[root@myServer ~]# chkconfig --level 345 ipchains off
3. Using IPTables
The first step in using iptables is to start the iptables service. Use the following command to start the iptables service:
[root@myServer ~]# service iptables start
Note
The ip6tables service can be turned off if you intend to use the iptables service only. If you deactivate the ip6tables service, remember to deactivate the IPv6 network also. Never leave a network device active without the matching firewall.
To force iptables to start by default when the system is booted, use the following command:
[root@myServer ~]# chkconfig --level 345 iptables on
This forces iptables to start whenever the system is booted into runlevel 3, 4, or 5.
3.1. IPTables Command Syntax
The following sample iptables command illustrates the basic command syntax:
[root@myServer ~]# iptables -A <chain> -j <target>
The -A option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.
The three built-in chains of the default filter table are INPUT, OUTPUT, and FORWARD (the nat table used in Section 5 has its own built-in chains, PREROUTING, POSTROUTING, and OUTPUT). These chains are permanent and cannot be deleted. The chain specifies the point at which a packet is manipulated.
The -j <target> option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.
Refer to the iptables man page for more information on the available chains, options, and targets.
3.2. Basic Firewall Policies
Establishing basic firewall policies creates a foundation for building more detailed, user-defined rules.
Each iptables chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall.
The default policy for a chain can be either DROP or ACCEPT. Security-minded administrators typically implement a default policy of DROP, and only allow specific packets on a case-by-case basis. For example, the following policies block all incoming and outgoing packets on a network gateway:
[root@myServer ~]# iptables -P INPUT DROP
[root@myServer ~]# iptables -P OUTPUT DROP
A policy takes effect as soon as it is set. If you are working over a remote session, add an ACCEPT rule for that session (for example, SSH from your own address) before setting the INPUT policy to DROP, or the session is cut off with no way back in.
It is also recommended that any forwarded packets - network traffic that is to be routed from the firewall to its destination node - be denied as well, to restrict internal clients from inadvertent exposure to the Internet. To do this, use the following rule:
[root@myServer ~]# iptables -P FORWARD DROP
When you have established the default policies for each chain, you can create and save further rules for your particular network and security requirements.
The following sections describe how to save iptables rules and outline some of the rules you might implement in the course of building your iptables firewall.
3.3. Saving and Restoring IPTables Rules
Changes to iptables are transitory; if the system is rebooted or if the iptables service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the iptables service is started, use the following command:
[root@myServer ~]# service iptables save
The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or the machine is rebooted.
4. Common IPTables Filtering
Preventing remote attackers from accessing a LAN is one of the most important aspects of network security. The integrity of a LAN should be protected from malicious remote users through the use of stringent firewall rules.
However, with a default policy set to block all incoming, outgoing, and forwarded packets, it is impossible for the firewall/gateway and internal LAN users to communicate with each other or with external resources.
To allow users to perform network-related functions and to use networking applications, administrators must open certain ports for communication.
For example, to allow access to port 80 on the firewall, append the following rule:
[root@myServer ~]# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
This allows clients to reach a web server listening on the standard port 80 on the firewall host itself. To allow access to a secure website on that host (for example, https://www.example.com/), you also need to provide access to port 443, as follows:
[root@myServer ~]# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Important
When creating an iptables ruleset, order is important.
If a rule specifies that any packets from the 192.168.100.0/24 subnet be dropped, and this is followed by a rule that allows packets from 192.168.100.13 (which is within the dropped subnet), then the second rule is ignored.
The rule to allow packets from 192.168.100.13 must precede the rule that drops the remainder of the subnet. The command iptables -L INPUT --line-numbers shows the current order of a chain.
To insert a rule in a specific location in an existing chain, use the -I option. For example:
[root@myServer ~]# iptables -I INPUT 1 -i lo -p all -j ACCEPT
This rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.
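The ordering mistake described in the note above can be caught mechanically. The following script is an added example and is not part of the Red Hat guide: it reads a ruleset in iptables-save format (the format stored in /etc/sysconfig/iptables) on standard input and reports any rule whose source range is entirely covered by an earlier ACCEPT, DROP or REJECT rule in the same chain. It judges on the -s match and the -j target only, so a rule that also carries -p, --dport or -i matches is compared on source alone, and a report means "review this ordering", not that the rule is certainly dead. The ruleset in sample_ruleset is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: report iptables rules that an
# earlier terminating rule in the same chain already matches, judged on the
# -s source match alone. Reads iptables-save format (the format of
# /etc/sysconfig/iptables) on stdin; exits 1 if anything is shadowed.

find_shadowed_rules() {
    awk '
    # Dotted quad to an integer; awk has no bit operators, so use arithmetic.
    function ip2n(ip,    a) {
        split(ip, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # True when address ip lies inside the network net/pfx.
    function covers(net, pfx, ip,    q) {
        q = 2 ^ (32 - pfx)
        return int(net / q) == int(ip / q)
    }
    # Only these targets stop traversal; LOG, MARK and friends fall through.
    function terminating(t) { return t == "ACCEPT" || t == "DROP" || t == "REJECT" }

    /^-A / {
        chain = ""; src = ""; tgt = ""; negated = 0
        for (k = 1; k <= NF; k++) {
            if ($k == "-A") chain = $(k + 1)
            else if ($k == "-s") src = $(k + 1)
            else if ($k == "-j") tgt = $(k + 1)
            else if ($k == "!") negated = 1
        }
        idx = ++count[chain]     # same numbering as iptables -L --line-numbers
        # Rules without a plain -s match take a slot but are never compared.
        if (src == "" || negated) { r_pfx[chain, idx] = -1; next }
        n = split(src, p, "/")
        r_pfx[chain, idx] = (n == 2) ? p[2] + 0 : 32
        r_net[chain, idx] = ip2n(p[1])
        r_src[chain, idx] = src
        r_tgt[chain, idx] = tgt
        for (j = 1; j < idx; j++) {
            if (r_pfx[chain, j] < 0 || !terminating(r_tgt[chain, j])) continue
            if (r_pfx[chain, j] <= r_pfx[chain, idx] && covers(r_net[chain, j], r_pfx[chain, j], r_net[chain, idx])) {
                printf "%s: rule %d (-s %s -j %s) is shadowed by rule %d (-s %s -j %s)\n", chain, idx, src, tgt, j, r_src[chain, j], r_tgt[chain, j]
                shadowed++
                break
            }
        }
    }
    END { exit (shadowed > 0 ? 1 : 0) }
    '
}

# Constructed sample: rule 3 can never match because rule 2 drops the whole
# /24 first; rule 5 is fine because LOG does not stop traversal.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.100.0/24 -j DROP
-A INPUT -s 192.168.100.13 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "lan: "
-A INPUT -s 10.1.2.3 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
```

On a live system run iptables-save | find_shadowed_rules, or point it at the saved file with find_shadowed_rules < /etc/sysconfig/iptables; the non-zero exit status makes it usable as a check before service iptables restart.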
There may be times when you require remote access to the LAN. Secure services, for example SSH, can be used for encrypted remote connection to LAN services.
For administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up access can be used to securely circumvent firewall barriers. Because they are direct connections, modem connections are typically behind a firewall/gateway.
For remote users with broadband connections, however, special cases can be made. You can configure iptables to accept connections from remote SSH clients. For example, the following rules allow remote SSH access:
[root@myServer ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@myServer ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
The OUTPUT rule is needed only because the OUTPUT policy is DROP; it lets the server's replies out. With connection tracking (Section 7), a single rule accepting ESTABLISHED,RELATED packets replaces such per-service reply rules.
These rules allow incoming and outbound access for an individual system, such as a single PC directly connected to the Internet or a firewall/gateway. However, they do not allow nodes behind the firewall/gateway to access these services. To allow LAN access to these services, you can use Network Address Translation (NAT) with iptables filtering rules.
5. FORWARD and NAT Rules
Most ISPs provide only a limited number of publicly routable IP addresses to the organizations they serve.
Administrators must, therefore, find alternative ways to share access to Internet services without giving public IP addresses to every node on the LAN. Using private IP addresses is the most common way of allowing all nodes on a LAN to properly access internal and external network services.
Edge routers (such as firewalls) can receive incoming transmissions from the Internet and route the packets to the intended LAN node. At the same time, firewalls/gateways can also route outgoing requests from a LAN node to the remote Internet service.
This forwarding of network traffic can become dangerous at times, especially with the availability of modern cracking tools that can spoof internal IP addresses and make the remote attacker's machine act as a node on your LAN.
To prevent this, iptables provides routing and forwarding policies that can be implemented to prevent abnormal usage of network resources.
The FORWARD chain allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), use the following rules:
[root@myServer ~]# iptables -A FORWARD -i eth1 -j ACCEPT
[root@myServer ~]# iptables -A FORWARD -o eth1 -j ACCEPT
These rules give systems behind the firewall/gateway access to the internal network. The gateway routes packets from one LAN node to its intended destination node, passing all packets through its eth1 device.
Note that the second rule accepts any packet whose destination is on the LAN, whichever interface it arrived on. On a gateway that also faces the Internet, restrict it to replies with the connection tracking match from Section 7, or qualify it with -i to name the interface the packet may arrive on.
Note
By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support for IP forwarding. This prevents machines that run Red Hat Enterprise Linux from functioning as dedicated edge routers. To enable IP forwarding, use the following command:
[root@myServer ~]# sysctl -w net.ipv4.ip_forward=1
This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the /etc/sysctl.conf file as follows:
Locate the following line:
net.ipv4.ip_forward = 0
Edit it to read as follows:
net.ipv4.ip_forward = 1
Use the following command to enable the change to the sysctl.conf file:
[root@myServer ~]# sysctl -p /etc/sysctl.conf
5.1. Postrouting and IP Masquerading
Accepting forwarded packets via the firewall's internal IP device allows LAN nodes to communicate with each other; however they still cannot communicate externally to the Internet.
To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall's external device (in this case, eth0):
[root@myServer ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0).
POSTROUTING allows packets to be altered as they are leaving the firewall's external device.
The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.
5.2. Prerouting
If you have a server on your internal network that you want to make available externally, you can use the -j DNAT target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded.
For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command:
[root@myServer ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
This rule specifies that the nat table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 172.31.0.23.
Note
If you have a default policy of DROP in your FORWARD chain, you must append a rule to forward all incoming HTTP requests so that destination NAT routing is possible. To do this, use the following command:
[root@myServer ~]# iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
This rule forwards all incoming HTTP requests from the firewall to the intended destination; the Apache HTTP Server behind the firewall. The FORWARD chain sees the packet after PREROUTING has rewritten it, which is why the rule matches on the internal address 172.31.0.23 rather than on the firewall's public address.
5.3. DMZs and IPTables
You can create iptables rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ). A DMZ is a special local subnetwork dedicated to providing services on a public carrier, such as the Internet.
For example, to set a rule for routing incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside of the 192.168.1.0/24 range of the LAN), NAT uses the PREROUTING chain to forward the packets to the appropriate destination:
[root@myServer ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80
With this command, all HTTP connections to port 80 from outside of the LAN are routed to the HTTP server on a network separate from the rest of the internal network. This form of network segmentation can prove safer than allowing HTTP connections to a machine on the network.
If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as well.
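The pieces from Sections 5 through 5.3 belong together in one saved ruleset, and IP forwarding has to be on for any of them to matter. The following is an added example, not code from the Red Hat guide: emit_gateway_rules prints a complete nat and filter table in the iptables-save format that /etc/sysconfig/iptables holds, with the DNAT and MASQUERADE rules from above, the matching FORWARD accepts, an anti-spoofing drop (the check Section 6 describes) placed first, and connection tracking (Section 7) for replies; ip_forward_enabled checks the sysctl. The interface names eth0 (Internet) and eth1 (LAN), the 192.168.1.0/24 range and the DMZ host 10.0.4.2 are assumptions carried over from the examples above, and leaving the gateway's own OUTPUT chain at ACCEPT is a deliberate simplification.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: build the nat and FORWARD rules
# for a NAT gateway with a DMZ web server, in the iptables-save format that
# /etc/sysconfig/iptables uses, and check that IP forwarding is on.
# The interface names, LAN range and DMZ host are assumptions; adjust them.

# ip_forward_enabled [FILE]: succeed only if the sysctl reads 1.
# Defaults to the live kernel value; a path argument makes it testable.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# emit_gateway_rules WAN_IF LAN_IF LAN_NET DMZ_HOST
# Prints a complete ruleset; load it with: iptables-restore < file
emit_gateway_rules() {
    wan=$1 lan=$2 lan_net=$3 dmz=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the DMZ web server: rewrite the destination before routing
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $dmz:80
-A PREROUTING -i $wan -p tcp --dport 443 -j DNAT --to-destination $dmz:443
# Hide LAN clients behind the gateway's external address after routing
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Manage the gateway over SSH from the LAN side only
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Anti-spoofing: our own LAN range must never arrive on the WAN interface.
# Keep this first so nothing below can accept a spoofed packet.
-A FORWARD -i $wan -s $lan_net -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients may open connections to the Internet
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
# From outside, only the DNATed web ports may reach the DMZ host
# (FORWARD sees the packet after PREROUTING, hence the internal address)
-A FORWARD -i $wan -d $dmz -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $wan -d $dmz -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
```

Write the output to /etc/sysconfig/iptables and run service iptables restart (or iptables-restore < file to try it first); note that a later service iptables save rewrites the file without the comments, and that ip_forward_enabled must succeed before any FORWARD rule is exercised.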
6. Malicious Software and Spoofed IP Addresses
More elaborate rules can be created that control access to specific subnets, or even specific nodes, within a LAN. You can also restrict certain dubious applications or programs such as trojans, worms, and other client/server viruses from contacting their server.
For example, some trojans scan networks for services on ports from 31337 to 31340 (called the elite ports in cracking terminology).
Since there are no legitimate services that communicate via these non-standard ports, blocking them can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.
The following rules drop all TCP traffic that attempts to use port 31337:
[root@myServer ~]# iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
[root@myServer ~]# iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
Note that a rule carrying both --sport and --dport matches only packets that use 31337 at both ends; to drop any connection to that port regardless of the client's source port, omit --sport.
You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN.
For example, if your LAN uses the 192.168.1.0/24 range, you can design a rule that instructs the Internet-facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range.
Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.
[root@myServer ~]# iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
Because rules are evaluated in order, this rule must come before any ACCEPT rule in the FORWARD chain, such as the -o eth1 rule from Section 5; the same check belongs in the INPUT chain if the firewall itself offers services to the LAN.
Note
There is a distinction between the DROP and REJECT targets when dealing with appended rules.
The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.
Administrators can use their own discretion when using these targets. However, to avoid user confusion and attempts to continue connecting, the REJECT target is recommended.
7. IPTables and Connection Tracking
You can inspect and restrict connections to services based on their connection state. A module within iptables uses a method called connection tracking to store information about incoming connections. You can allow or deny access based on the following connection states:
NEW - A packet requesting a new connection, such as an HTTP request.
ESTABLISHED - A packet that is part of an existing connection.
RELATED - A packet that is requesting a new connection but is part of an existing connection. For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20). Matching FTP data connections as RELATED requires the ip_conntrack_ftp helper module to be loaded; the iptables init script loads the modules listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config.
INVALID - A packet that is not part of any connections in the connection tracking table.
You can use the stateful functionality of iptables connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP). The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:
[root@myServer ~]# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
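Section 2.4 accepts extra services as a port:proto list, Sections 3.2 and 3.3 set the policies and the save file, Section 4 insists that loopback comes first, and the state match above replaces per-service reply rules such as the OUTPUT --sport 22 rule in Section 4. The following script is an added example, not part of the Red Hat guide, that brings those together: port_rules parses a list in the tool's 194:tcp,631:tcp syntax and refuses malformed entries, and emit_host_rules prints a complete stateful filter table for a single host in the format /etc/sysconfig/iptables uses. Ending the INPUT chain with REJECT rules (as the note in Section 6 recommends) instead of relying on the DROP policy alone is a choice made here, not something the guide prescribes.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: turn a port list written the
# way the Security Level Configuration Tool takes it ("194:tcp,631:tcp")
# into a stateful host firewall in iptables-save format, ready to be
# written to /etc/sysconfig/iptables and loaded with "service iptables restart".

# port_rules SPEC: one ACCEPT rule per "port:proto" entry, NEW state only.
# Returns 1 on a malformed entry so a typo cannot silently open nothing.
port_rules() {
    oldifs=$IFS; IFS=,
    for entry in $1; do
        port=${entry%%:*}; proto=${entry#*:}
        case $port in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        case $proto in tcp|udp) ;; *) IFS=$oldifs; return 1 ;; esac
        printf '%s\n' "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    IFS=$oldifs
}

# emit_host_rules SPEC: complete filter table for a single host.
emit_host_rules() {
    rules=$(port_rules "$1") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback first: local services must always work, whatever follows
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections we opened, and related flows such as FTP data
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any flow are never legitimate here
-A INPUT -m state --state INVALID -j DROP
# Services exposed to the network
$rules
# The host may open new connections outward (DNS, updates, ssh to others)
-A OUTPUT -m state --state NEW -j ACCEPT
# Refuse politely so legitimate clients fail fast instead of timing out
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

emit_host_rules '22:tcp,80:tcp,443:tcp' > /etc/sysconfig/iptables followed by service iptables restart installs it; when doing this over SSH, keep 22:tcp in the list, because with the DROP policy the session is otherwise cut off.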
8. IPv6
The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses, and carrier networks that are IPv6 aware are therefore able to address a larger number of routable addresses than IPv4.
Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the ip6tables command. In Red Hat Enterprise Linux 5, both IPv4 and IPv6 services are enabled by default.
The ip6tables command syntax mirrors that of iptables; the main difference is that it matches 128-bit addresses. For example, use the following command to enable SSH connections on an IPv6-aware network server:
[root@myServer ~]# ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT
IPv6 rules are kept separately from IPv4 rules: service ip6tables save stores them in /etc/sysconfig/ip6tables, and the ip6tables service must be enabled with chkconfig in the same way as iptables.
For more information about IPv6 networking, refer to the IPv6 Information Page at http://www.ipv6.org/.
9. Additional Resources
There are several aspects to firewalls and the Linux Netfilter subsystem that could not be covered in this chapter. For more information, refer to the following resources.
9.1. Installed Documentation
The iptables man page contains a brief summary of the various options.
9.2. Useful Websites
http://www.netfilter.org/ - The official homepage of the Netfilter and iptables project.
http://www.tldp.org/ - The Linux Documentation Project contains several useful guides relating to firewall creation and administration.
http://www.iana.org/assignments/port-numbers - The official list of registered and common service ports as assigned by the Internet Assigned Numbers Authority.
9.3. Related Documentation
Red Hat Linux Firewalls, by Bill McCarty; Red Hat Press - a comprehensive reference to building network and server firewalls using open source packet filtering technology such as Netfilter and iptables. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools.
Linux Firewalls, by Robert Ziegler; New Riders Press - contains a wealth of information on building firewalls using both 2.2 kernel ipchains as well as Netfilter and iptables. Additional security topics such as remote access issues and intrusion detection systems are also covered.
Chapter 19. Controlling Access to Services
Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
There are several different methods for managing access to system services. Decide which method of management to use based on the service, your system's configuration, and your level of Linux expertise.
The easiest way to deny access to a service is to turn it off. Both the services managed by xinetd and the services in the /etc/rc.d/init.d hierarchy (also known as SysV services) can be configured to start or stop using three different applications:
Services Configuration Tool - a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started, stopped, and restarted.
ntsysv - a text-based application that allows you to configure which services are started at boot time for each runlevel. Non-xinetd services can not be started, stopped, or restarted using this program.
chkconfig - a command line utility that allows you to turn services on and off for the different runlevels. Non-xinetd services can not be started, stopped, or restarted using this utility.
You may find that these tools are easier to use than the alternatives - editing the numerous symbolic links located in the directories below /etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.
Another way to manage access to system services is by using iptables to configure an IP firewall. If you are a new Linux user, please realize that iptables may not be the best solution for you. Setting up iptables can be complicated and is best tackled by experienced Linux system administrators.
On the other hand, the benefit of using iptables is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, iptables can provide it for you. Refer to the Red Hat Enterprise Linux Reference Guide and the Red Hat Enterprise Linux Security Guide for more information about iptables.
Alternatively, if you are looking for a utility to set general access rules for your home machine, and/or if you are new to Linux, try the Security Level Configuration Tool (system-config-securitylevel), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.
If you need more specific firewall rules, refer to the iptables chapter in the Red Hat Enterprise Linux Reference Guide.
1. Runlevels
Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or mode, that is defined by the services listed in the directory /etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.
The following runlevels exist:
0 - Halt
1 - Single-user mode
2 - Not used (user-definable)
3 - Full multi-user mode
4 - Not used (user-definable)
5 - Full multi-user mode (with an X-based login screen)
6 - Reboot
If you use a text login screen, you are operating in runlevel 3. If you use a graphical login screen, you are operating in runlevel 5.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the top of the file similar to the following:
id:5:initdefault:
Change the number in this line to the desired runlevel. The change does not take effect until you reboot the system.
To change the runlevel immediately, use the command telinit followed by the runlevel number. You must be root to use this command. The telinit command does not change the /etc/inittab file; it only changes the runlevel currently running. When the system is rebooted, it continues to boot the runlevel as specified in /etc/inittab.
2. TCP Wrappers
Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules that allow clients to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file: hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is granted access, so a deny-by-default policy needs an explicit ALL : ALL line in hosts.deny. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to the Red Hat Enterprise Linux Reference Guide and hosts_access in section 5 of the man pages (man 5 hosts_access) for details.
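The precedence just described (hosts.allow first, then hosts.deny, then allow) is easy to get wrong once both files contain patterns. The following script is an added example, not part of the Red Hat guide: hosts_access reproduces that decision for one daemon and one IPv4 client against a pair of files, handling only the common pattern forms ALL, an exact address and a prefix ending in a dot. EXCEPT lists, hostnames and netmask forms are not modelled, so it is a reading aid for the rules on your system rather than a replacement for tcpdmatch from the tcp_wrappers package. The policy written by write_sample_policy is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: answer "would TCP wrappers admit
# CLIENT to DAEMON?" from a hosts.allow/hosts.deny pair, in the order that
# hosts_access(5) applies them: hosts.allow first, then hosts.deny, and allow
# if neither matches. Only the common pattern forms are modelled: ALL, an
# exact address, and a network prefix ending in a dot ("192.168.1.").
# EXCEPT lists, hostnames, CIDR and netmask forms are not handled.

# pattern_matches PATTERN VALUE
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT: succeed if a "daemons : clients" line matches
file_matches() {
    [ -f "$1" ] || return 1
    # strip comments, turn the optional commas into whitespace
    sed -e 's/#.*//' -e 's/,/ /g' "$1" | {
        while IFS= read -r line; do
            case $line in *[![:space:]]*) ;; *) continue ;; esac
            daemons=${line%%:*}
            clients=${line#*:}; clients=${clients%%:*}   # drop any trailing ": option"
            for d in $daemons; do
                pattern_matches "$d" "$2" || continue
                for c in $clients; do
                    pattern_matches "$c" "$3" && exit 0   # first match wins
                done
            done
        done
        exit 1
    }
}

# hosts_access DAEMON CLIENT [ETC_DIR]: prints allow or deny; exit status matches
hosts_access() {
    dir=${3:-/etc}
    if file_matches "$dir/hosts.allow" "$1" "$2"; then echo allow; return 0; fi
    if file_matches "$dir/hosts.deny" "$1" "$2"; then echo deny; return 1; fi
    echo allow      # no rule matched: TCP wrappers grant access by default
}

# Constructed sample policy: ssh from the management LAN and one trusted host,
# ftp from that host only, everything else refused.
write_sample_policy() {   # DIR
    cat > "$1/hosts.allow" <<'EOF'
sshd : 192.168.1.
in.ftpd, sshd : 10.0.0.5
EOF
    echo 'ALL : ALL' > "$1/hosts.deny"
}
```

Call hosts_access sshd 203.0.113.9 to test the live files in /etc; the third argument points it at a scratch directory, which is how the sample policy is exercised.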
2.1. xinetd
To control access to Internet services, use xinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can be used to provide access only to particular hosts, to deny access to particular hosts, to provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, and more.
xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.
The configuration file for xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig. For a list of network services controlled by xinetd, review the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
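Listing /etc/xinetd.d shows which services xinetd knows about, not which ones are enabled. The following script is an added example, not part of the Red Hat guide: it reads the disable attribute from each file the way xinetd's includedir would, skipping names that contain a dot or end in a tilde, and prints the enabled services, treating a missing disable line as enabled because that is xinetd's default. The configuration files used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: list the xinetd services that
# are enabled by reading the "disable" attribute of each file in
# /etc/xinetd.d, the attribute chkconfig and the Services Configuration Tool
# toggle. A file with no "disable" line at all is enabled, so report it too.

# enabled_xinetd_services [DIR]: print the name of each enabled service file
enabled_xinetd_services() {
    dir=${1:-/etc/xinetd.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # xinetd's includedir skips names containing a dot or ending in "~",
        # so .rpmsave/.rpmnew copies and editor backups never take effect.
        case $name in *.*|*~) continue ;; esac
        # Strip comments, then take the value of the first "disable = ..." line.
        state=$(sed -e 's/#.*//' "$f" | awk -F= '$1 ~ /^[ \t]*disable[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }')
        case $state in
            yes)   ;;                                       # explicitly disabled
            no|'') printf '%s\n' "$name" ;;                 # enabled, or enabled by omission
            *)     printf '%s (disable = %s, check by hand)\n' "$name" "$state" ;;
        esac
    done
}
```

Run enabled_xinetd_services with no argument on a live system; every name it prints is reachable as soon as xinetd itself is running, whatever the runlevel.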
3. Services Configuration Tool
The Services Configuration Tool is a graphical application developed by Red Hat to configure which SysV services in the /etc/rc.d/init.d directory are started at boot time (for runlevels 3, 4, and 5) and which xinetd services are enabled. It also allows you to start, stop, and restart SysV services as well as restart xinetd.
To start the Services Configuration Tool from the desktop, go to the Main Menu Button (on the Panel) => System Settings => Server Settings => Services or type the command system-config-services at a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 19.1. Services Configuration Tool
The Services Configuration Tool displays the current runlevel as well as the runlevel you are currently editing. To edit a different runlevel, select Edit Runlevel from the pulldown menu and select runlevel 3, 4, or 5. Refer to Section 1, "Runlevels" for a description of runlevels.
The Services Configuration Tool lists the services from the /etc/rc.d/init.d directory as well as the services controlled by xinetd. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an xinetd service, the status window shows whether the service is currently running. If the service is controlled by xinetd, the status window displays the phrase xinetd service.
To start, stop, or restart a service immediately, select the service from the list and click the appropriate button on the toolbar (or choose the action from the Actions pulldown menu). If the service is an xinetd service, the action buttons are disabled because they can not be started or stopped individually.
If you enable/disable an xinetd service by checking or unchecking the checkbox next to the service name, you must select File => Save Changes from the pulldown menu to restart xinetd and immediately enable/disable the xinetd service that you changed. xinetd is also configured to remember the setting. You can enable/disable multiple xinetd services at a time and save the changes when you are finished.
For example, assume you check rsync to enable it in runlevel 3 and then save the changes. The rsync service is immediately enabled. The next time xinetd is started, rsync is still enabled.
Warning
When you save changes to xinetd services, xinetd is restarted, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
To enable a non-xinetd service to start at boot time for the currently selected runlevel, check the checkbox beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting File => Save Changes from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.
For example, assume you are configuring runlevel 3. If you change the value for the httpd service from checked to unchecked and then select Save Changes, the runlevel 3 configuration changes so that httpd is not started at boot time. However, runlevel 3 is not reinitialized, so httpd is still running. Select one of the following options at this point:
1. Stop the httpd service - Stop the service by selecting it from the list and clicking the Stop button. A message appears stating that the service was stopped successfully.
2. Reinitialize the runlevel - Reinitialize the runlevel by going to a shell prompt and typing the command telinit 3 (where 3 is the runlevel number). This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately.
3. Do nothing else - You do not have to stop the httpd service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the httpd service running.
To add a service to a runlevel, select the runlevel from the Edit Runlevel pulldown menu, and then select Actions => Add Service. To delete a service from a runlevel, select the runlevel from the Edit Runlevel pulldown menu, select the service to be deleted from the list on the left, and select Actions => Delete Service.
4. ntsysv
The ntsysv utility provides a simple interface for activating or deactivating services. You can use ntsysv to turn an xinetd-managed service on or off. You can also use ntsysv to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the --level option. For example, the command ntsysv --level 345 configures runlevels 3, 4, and 5.
The ntsysv interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the Ok and Cancel buttons. To move between the list of services and the Ok and Cancel buttons, use the Tab key. A * signifies that a service is set to on. Pressing the F1 key displays a short description of the selected service.
Warning
Services managed by xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service daemon stop. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd. Replace stop with start or restart to start or restart the service.
5. chkconfig
The chkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd.
If the chkconfig --list command is used to query a service managed by xinetd, it displays whether the xinetd service is enabled (on) or disabled (off). For example, the command chkconfig --list finger returns the following output:
finger on
As shown, finger is enabled as an xinetd service. If xinetd is running, finger is enabled.
If you use chkconfig --list to query a service in /etc/rc.d, the service's settings for each runlevel are displayed. For example, the command chkconfig --list httpd returns the following output:
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
chkconfig can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn nscd off in runlevels 3, 4, and 5, use the following command:
chkconfig --level 345 nscd off
Warning
Services managed by xinetd are immediately affected by chkconfig. For example, if xinetd is running, finger is disabled, and the command chkconfig finger on is executed, finger is immediately enabled without having to restart xinetd manually. Changes for other services do not take effect immediately after using chkconfig. You must stop or start the individual service with the command service daemon stop. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd. Replace stop with start or restart to start or restart the service.
6. Additional Resources
For more information, refer to the following resources.
6.1. Installed Documentation
The man pages for ntsysv, chkconfig, xinetd, and xinetd.conf.
man 5 hosts_access - The man page for the format of host access control files (in section 5 of the man pages).
6.2. Useful Websites
http://www.xinetd.org - The xinetd webpage. It contains a more detailed list of features and sample configuration files.
6.3. Related Books
Red Hat Enterprise Linux Reference Guide, Red Hat, Inc. - This companion manual contains detailed information about how TCP wrappers and xinetd allow or deny access as well as how to configure network access using them. It also provides instructions for creating iptables firewall rules.
Red Hat Enterprise Linux Security Guide, Red Hat, Inc. - This manual discusses securing services with TCP wrappers and xinetd, such as logging denied connection attempts.
Chapter 20. OpenSSH
OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocols. It replaces telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default protocol is version 2, which uses RSA keys as the default.
1. Why Use OpenSSH?
If you use OpenSSH tools, you are enhancing the security of your machine. All communications using OpenSSH tools, including passwords, are encrypted. Telnet and ftp use plain text passwords and send all information unencrypted. The information can be intercepted, the passwords can be retrieved, and your system could be compromised by an unauthorized person logging in to your system using one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to avoid these security problems.
Another reason to use OpenSSH is that it automatically forwards the DISPLAY variable to the client machine. In other words, if you are running the X Window System on your local machine, and you log in to a remote machine using the ssh command, when you run a program on the remote machine that requires X, it will be displayed on your local machine. This feature is convenient if you prefer graphical system administration tools but do not always have physical access to your server.
2. Configuring an OpenSSH Server
To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The openssh-server package is required and depends on the openssh package.
The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config, read the sshd man page for a list of the keywords that can be defined in the configuration file.
To start the OpenSSH service, use the command /sbin/service sshd start. To stop the OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start automatically at boot time, refer to Chapter 19, Controlling Access to Services for information on how to manage services.
If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
If you want to keep the host keys generated for the system, back up the /etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
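The backup and restore of /etc/ssh/ssh_host*key* that the paragraph above recommends, written out as an added example rather than a procedure from the guide. The key directory is a parameter (the real location is /etc/ssh) so the functions can be tried against a scratch copy first; the modes restored afterwards (0600 for private keys, 0644 for public keys) are assumed here to be what sshd expects, since a host private key that other users can read defeats the purpose of keeping it.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: preserve the SSH host identity
# across a reinstall by archiving the host key files and restoring them.
# All paths are parameters; nothing here touches /etc/ssh unless you pass it.

# Archive every file matching ssh_host*key* in directory $1 into tarball $2.
# The archive holds private keys, so it is created mode 0600. Returns 1 if
# the directory holds no host keys at all.
backup_host_keys() {
    keydir="$1"; archive="$2"
    set -- "$keydir"/ssh_host*key*
    [ -e "$1" ] || { echo "no host keys found in $keydir" >&2; return 1; }
    : > "$archive" && chmod 0600 "$archive" || return 1
    (cd "$keydir" && tar -cf - ssh_host*key*) > "$archive"
}

# Unpack tarball $1 into key directory $2 (created if missing), then set the
# modes sshd expects: private keys 0600, public keys 0644 (assumption about
# the OpenSSH defaults, stated in the lead-in).
restore_host_keys() {
    archive="$1"; keydir="$2"
    mkdir -p "$keydir" || return 1
    tar -xf "$archive" -C "$keydir" || return 1
    for f in "$keydir"/ssh_host*key; do
        [ -e "$f" ] && chmod 0600 "$f"
    done
    for f in "$keydir"/ssh_host*key.pub; do
        [ -e "$f" ] && chmod 0644 "$f"
    done
    return 0
}

# Print the host key file names found in directory $1, sorted, one per line.
# Comparing this before and after the reinstall confirms the round trip.
list_host_keys() {
    (cd "$1" && ls ssh_host*key* 2>/dev/null | sort)
}
```

Usage on a real server is backup_host_keys /etc/ssh /root/hostkeys.tar before the reinstall, then restore_host_keys /root/hostkeys.tar /etc/ssh and /sbin/service sshd restart afterwards; the archive must of course be stored somewhere the reinstall does not wipe. The restore deliberately only reinstates the key files, not sshd_config, so a freshly installed daemon configuration is not silently overwritten by an old one.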
3. Configuring an OpenSSH Client
To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed on the client machine.
3.1. Using the ssh Command
The ssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
Logging in to a remote machine with ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net
The first time you ssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?
Type yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
Next, you will see a prompt asking for your password for the remote machine. After entering your password, you will be at a shell prompt for the remote machine. If you do not specify a username, the username that you are logged in as on the local client machine is passed to the remote machine. If you want to specify a different username, use the following command:
ssh username@penguin.example.net
You can also use the syntax ssh -l username penguin.example.net.
The ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc
After you enter the correct password, the contents of the remote directory /usr/share/doc will be displayed, and you will return to your local shell prompt.
3.2. Using the scp Command
The scp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp.
The general syntax to transfer a local file to a remote system is as follows:
scp <localfile> username@tohostname:<remotefile>
The <localfile> specifies the source including path to the file, such as /var/log/maillog. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog. For the remote system, if you do not have a preceding /, the path will be relative to the home directory of username, typically /home/username/.
To transfer the local file shadowman to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowman
This will transfer the local file shadowman to /home/username/shadowman on penguin.example.net. Alternately, you can leave off the final shadowman in the scp command.
The general syntax to transfer a remote file to the local system is as follows:
scp username@tohostname:<remotefile> <newlocalfile>
The <remotefile> specifies the source including path, and <newlocalfile> specifies the destination including path.
Multiple files can be specified as the source files. For example, to transfer the contents of the directory downloads/ to an existing directory called uploads/ on the remote machine penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/
3.3. Using the sftp Command
The sftp utility can be used to open a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.
3.4. Generating Key Pairs
If you do not want to enter your password every time you use ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
Keys must be generated for each user. To generate keys for a user, use the following steps as the user who wants to connect to remote machines. If you complete the steps as root, only root will be able to use the keys.
Starting with OpenSSH version 3.0, ~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
Red Hat Enterprise Linux 5.0.0 uses SSH Protocol 2 and RSA keys by default.
Tip
If you reinstall and want to save your generated key pair, back up the .ssh directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
3.4.1. Generating an RSA Key Pair for Version 2
Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This is the default starting with OpenSSH 2.9.
1. To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t rsa
Accept the default file location of ~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again.
The public key is written to ~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
2. Change the permissions of the .ssh directory using the following command:
chmod 755 ~/.ssh
3. Copy the contents of ~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exists, append the contents of the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the other machine.
4. Change the permissions of the authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keys
5. If you are running GNOME, skip to Section 3.4.4, "Configuring ssh-agent with GNOME". If you are not running the X Window System, skip to Section 3.4.5, "Configuring ssh-agent".
3.4.2. Generating a DSA Key Pair for Version 2
Use the following steps to generate a DSA key pair for version 2 of the SSH Protocol.
1. To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t dsa
Accept the default file location of ~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again.
Tip
A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of a single word.
The public key is written to ~/.ssh/id_dsa.pub. The private key is written to ~/.ssh/id_dsa. It is important never to give anyone the private key.
2. Change the permissions of the .ssh directory with the following command:
chmod 755 ~/.ssh
3. Copy the contents of ~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on the other machine.
4. Change the permissions of the authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keys
5. If you are running GNOME, skip to Section 3.4.4, "Configuring ssh-agent with GNOME". If you are not running the X Window System, skip to Section 3.4.5, "Configuring ssh-agent".
3.4.3. Generating an RSA Key Pair for Version 1.3 and 1.5
Use the following steps to generate an RSA key pair, which is used by version 1 of the SSH Protocol. If you are only connecting between systems that use DSA, you do not need an RSA version 1.3 or RSA version 1.5 key pair.
1. To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:
ssh-keygen -t rsa1
Accept the default file location (~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
The public key is written to ~/.ssh/identity.pub. The private key is written to ~/.ssh/identity. Do not give anyone the private key.
2. Change the permissions of your .ssh directory and your key with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.
3. Copy the contents of ~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys does not exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine.
4. If you are running GNOME, skip to Section 3.4.4, "Configuring ssh-agent with GNOME". If you are not running GNOME, skip to Section 3.4.5, "Configuring ssh-agent".
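Steps 2 through 4 of the three key-pair procedures above are the same on each run, and they are the steps people get wrong when repeating them: the public key gets appended to authorized_keys a second time, or a private key ends up readable by other users. The two shell functions below are an added example, not code from the guide: install_pubkey appends a public key to authorized_keys only if that exact line is not already there and then applies the modes the guide gives (755 on .ssh, 644 on authorized_keys), and audit_ssh_dir reports any file whose mode is looser than that, including a private key that is not 600 (the mode ssh-keygen gives it; that figure is an assumption about the OpenSSH default, not something the guide states). The .ssh directory is a parameter so both can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: idempotent authorized_keys
# install plus a permissions audit for a user's .ssh directory.

# Append the single-line public key in file $1 to $2/authorized_keys unless
# the identical line is already present; then set the modes from the guide.
# Prints "added" or "present".
install_pubkey() {
    pubfile="$1"; sshdir="$2"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" || return 1
    chmod 755 "$sshdir"
    touch "$authkeys"
    chmod 644 "$authkeys"
    key=$(head -n 1 "$pubfile")
    # -x: whole-line match, -F: literal (keys contain + and / which are
    # regex-neutral but a comment field could contain anything).
    if grep -qxF -- "$key" "$authkeys"; then
        echo present
    else
        printf '%s\n' "$key" >> "$authkeys"
        echo added
    fi
}

# Audit the .ssh directory $1. Prints one line per problem found and returns
# 1 if there was any, 0 if the directory is clean.
audit_ssh_dir() {
    sshdir="$1"; problems=0
    mode=$(stat -c %a "$sshdir")
    if [ "$mode" != 755 ] && [ "$mode" != 700 ]; then
        echo "$sshdir: mode $mode (expected 755 or 700)"; problems=1
    fi
    if [ -e "$sshdir/authorized_keys" ]; then
        mode=$(stat -c %a "$sshdir/authorized_keys")
        case "$mode" in
            644|600) ;;
            *) echo "$sshdir/authorized_keys: mode $mode (expected 644)"; problems=1 ;;
        esac
    fi
    # The private keys produced by the three procedures above.
    for key in "$sshdir"/id_rsa "$sshdir"/id_dsa "$sshdir"/identity; do
        [ -e "$key" ] || continue
        mode=$(stat -c %a "$key")
        case "$mode" in
            600|400) ;;
            *) echo "$key: mode $mode (private key must be 600)"; problems=1 ;;
        esac
    done
    return $problems
}
```

The audit accepts 700 on .ssh and 600 on authorized_keys as well as the guide's 755 and 644, since those are stricter, not looser; what it flags is the direction that matters, a private key or directory that other accounts can read or write.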
3.4.4. Configuring ssh-agent with GNOME
The ssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the openssh-askpass-gnome package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, refer to Section 3.4.5, "Configuring ssh-agent".
To save your passphrase during your GNOME session, follow these steps:
1. You will need to have the package openssh-askpass-gnome installed; you can use the command rpm -q openssh-askpass-gnome to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
2. Select Main Menu Button (on the Panel) => Preferences => More Preferences => Sessions, and click on the Startup Programs tab. Click Add and enter /usr/bin/ssh-add in the Startup Command text area. Set its priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click Close to exit the program.
3. Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
3.4.5. Configuring ssh-agent
The ssh-agent can be used to store your passphrase so that you do not have to enter it each time you make an ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to Section 3.4.4, "Configuring ssh-agent with GNOME"), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
1. At a shell prompt, type the following command:
exec /usr/bin/ssh-agent $SHELL
2. Then type the command:
ssh-add
and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one.
3. When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.
4. Additional Resources
The OpenSSH and OpenSSL projects are in constant development, and the most up-to-date information for them is available from their websites. The man pages for OpenSSH and OpenSSL tools are also good sources of detailed information.
4.1. Installed Documentation
The ssh, scp, sftp, sshd, and ssh-keygen man pages - These man pages include information on how to use these commands as well as all the parameters that can be used with them.
4.2. Useful Websites
http://www.openssh.com/ - The OpenSSH FAQ page, bug reports, mailing lists, project goals, and a more technical explanation of the security features.
http://www.openssl.org/ - The OpenSSL FAQ page, mailing lists, and a description of the project goal.
http://www.freessh.org/ - SSH client software for other platforms.
4.3. Related Books
Red Hat Enterprise Linux Reference Guide - Learn the event sequence of an SSH connection, review a list of configuration files, and discover how SSH can be used for X forwarding.
Chapter 21. Network File System (NFS)
Network File System (NFS) is a way to share files between machines on a network as if the files were located on the client's local hard drive. Red Hat Enterprise Linux can be both an NFS server and an NFS client, which means that it can export file systems to other systems and mount file systems exported from other machines.
1. Why Use NFS?
NFS is useful for sharing directories of files between multiple users on the same network. For example, a group of users working on the same project can have access to the files for that project using a shared directory of the NFS file system (commonly known as an NFS share) mounted in the directory /myproject. To access the shared files, the user goes into the /myproject directory on his machine. There are no passwords to enter or special commands to remember. Users work as if the directory is on their local machines.
2. Mounting NFS File Systems
Use the mount command to mount a shared NFS directory from another machine:
mount shadowman.example.com:/misc/export /misc/local
Warning
The mount point directory on the local machine (/misc/local in the above example) must exist before this command can be executed.
In this command, shadowman.example.com is the hostname of the NFS file server, /misc/export is the directory that shadowman is exporting, and /misc/local is the location to mount the file system on the local machine. After the mount command runs (and if the client has proper permissions from the shadowman.example.com NFS server) the client user can execute the command ls /misc/local to display a listing of the files in /misc/export on shadowman.example.com.
2.1. Mounting NFS File Systems using /etc/fstab
An alternate way to mount an NFS share from another machine is to add a line to the /etc/fstab file. The line must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab file.
The general syntax for the line in /etc/fstab is as follows:
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr
The mount point /pub must exist on the client machine before this command can be executed. After adding this line to /etc/fstab on the client system, type the command mount /pub at a shell prompt, and the mount point /pub is mounted from the server.
2.2. Mounting NFS File Systems using autofs
A third option for mounting an NFS share is the use of the autofs service. Autofs uses the automount daemon to manage your mount points by only mounting them dynamically when they are accessed.
Autofs consults the master map configuration file /etc/auto.master to determine which mount points are defined. It then starts an automount process with the appropriate parameters for each mount point. Each line in the master map defines a mount point and a separate map file that defines the file systems to be mounted under this mount point. For example, the /etc/auto.misc file might define mount points in the /misc directory; this relationship would be defined in the /etc/auto.master file.
Each entry in auto.master has three fields. The first field is the mount point. The second field is the location of the map file, and the third field is optional. The third field can contain information such as a timeout value.
For example, to mount the directory /proj52 on the remote machine penguin.example.net at the mount point /misc/myproject on your machine, add the following line to auto.master:
/misc /etc/auto.misc --timeout 60
Next, add the following line to /etc/auto.misc:
myproject -rw,soft,intr,rsize=8192,wsize=8192 penguin.example.net:/proj52
The first field in /etc/auto.misc is the name of the /misc subdirectory. This subdirectory is created dynamically by automount. It should not actually exist on the client machine. The second field contains mount options such as rw for read and write access. The third field is the location of the NFS export including the hostname and directory.
Note
The directory /misc must exist on the local file system. There should be no subdirectories in /misc on the local file system.
To start the autofs service, at a shell prompt, type the following command:
/sbin/service autofs restart
To view the active mount points, type the following command at a shell prompt:
/sbin/service autofs status
If you modify the /etc/auto.master configuration file while autofs is running, you must tell the automount daemon(s) to reload by typing the following command at a shell prompt:
/sbin/service autofs reload
To learn how to configure autofs to start at boot time, and for information on managing services, refer to Chapter 19, Controlling Access to Services.
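The two-file structure described above (a master map naming a mount point, a map file naming what goes under it) is easiest to understand when the two are joined back together. The following shell functions are an added example, not part of the guide: resolve_automounts prints, for every entry autofs would manage, the full client path, the NFS location, the mount options and the timeout taken from the master map; check_mountpoints applies the Note above, verifying that each mount point directory exists and does not already contain subdirectories. The master map is passed as a path, so the test creates constructed copies of auto.master and auto.misc in a temporary directory rather than touching /etc.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: join auto.master entries with
# their map files and sanity-check the mount point directories.

# For the master map $1, print one line per map entry:
#   <mount point>/<key> <server:/export> <options> timeout=<n|default>
# Comment and blank lines are skipped in both files. A map entry with no
# leading "-options" field is reported with the options "-defaults".
resolve_automounts() {
    master="$1"
    grep -v '^[[:space:]]*#' "$master" | grep -v '^[[:space:]]*$' |
    while read -r mountpoint mapfile rest; do
        # The optional third field may carry "--timeout 60" or "--timeout=60".
        timeout=$(printf '%s\n' "$rest" | sed -n 's/.*--timeout[ =]*\([0-9][0-9]*\).*/\1/p')
        [ -n "$timeout" ] || timeout=default
        [ -r "$mapfile" ] || { echo "$mountpoint: map $mapfile not readable" >&2; continue; }
        grep -v '^[[:space:]]*#' "$mapfile" | grep -v '^[[:space:]]*$' |
        while read -r key f2 f3; do
            case "$f2" in
                -*) opts="$f2"; location="$f3" ;;
                *)  opts="-defaults"; location="$f2" ;;
            esac
            echo "$mountpoint/$key $location $opts timeout=$timeout"
        done
    done
}

# Check the Note above for master map $1: every mount point must exist and
# must not already contain subdirectories, because automount creates those
# itself. Prints one line per problem; returns 1 if any, 0 otherwise.
check_mountpoints() {
    master="$1"; rc=0
    for mp in $(grep -v '^[[:space:]]*#' "$master" | awk 'NF { print $1 }'); do
        if [ ! -d "$mp" ]; then
            echo "$mp: mount point does not exist"; rc=1
        elif [ -n "$(find "$mp" -mindepth 1 -maxdepth 1 -type d)" ]; then
            echo "$mp: already contains subdirectories"; rc=1
        fi
    done
    return $rc
}
```

On a live system, resolve_automounts /etc/auto.master is a quick way to review what an /sbin/service autofs reload is about to put into effect, and check_mountpoints /etc/auto.master catches the stale directory left behind when a mount point was used by hand before autofs took it over.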
2.3. Using TCP
The default transport protocol for NFSv4 is TCP; however, the Red Hat Enterprise Linux 5.0.0 kernel includes support for NFS over UDP. To use NFS over UDP, include the -o udp option to mount when mounting the NFS-exported file system on the client system.
There are three ways to configure an NFS file system export. On demand via the command line (client side), automatically via the /etc/fstab file (client side), and automatically via autofs configuration files, such as /etc/auto.master and /etc/auto.misc (server side with NIS).
For example, on demand via the command line (client side):
mount -o udp shadowman.example.com:/misc/export /misc/local
When the NFS mount is specified in /etc/fstab (client side):
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr,udp
When the NFS mount is specified in an autofs configuration file for a NIS server, available for NIS enabled workstations:
myproject -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52
Since the default is TCP, if the -o udp option is not specified, the NFS-exported file system is accessed via TCP.
The advantages of using TCP include the following:
Improved connection durability, thus fewer NFS stale file handle messages.
Performance gain on heavily loaded networks because TCP acknowledges every packet, unlike UDP which only acknowledges completion.
TCP has better congestion control than UDP (which has none). On a very congested network, UDP packets are the first packets that are dropped. This means that if NFS is writing data (in 8K chunks) all of that 8K must be retransmitted over UDP. Because of TCP's reliability, only parts of that 8K data are transmitted at a time.
Error detection. When a TCP connection breaks (due to the server being unavailable) the client stops sending data and restarts the connection process once the server becomes available. With UDP, since it is connectionless, the client continues to pound the network with data until the server reestablishes a connection.
The main disadvantage is that there is a very small performance hit due to the overhead associated with the TCP protocol.
2.4. Preserving ACLs
The Red Hat Enterprise Linux 5.0.0 kernel provides ACL support for the ext3 file system and ext3 file systems mounted with the NFS or Samba protocols. Thus, if an ext3 file system has ACLs enabled for it and is NFS exported, and if the NFS client can read ACLs, they are used by the NFS client as well.
For more information about mounting NFS file systems with ACLs, refer to Chapter 14, Access Control Lists.
3. Exporting NFS File Systems
Sharing or serving files from an NFS server is known as exporting the directories. The NFS Server Configuration Tool can be used to configure a system as an NFS server.
To use the NFS Server Configuration Tool, you must be running the X Window System, have root privileges, and have the system-config-nfs RPM package installed. To start the application, select the Main Menu Button (on the Panel) => System Settings => Server Settings => NFS, or type the command system-config-nfs.
Figure 21.1. NFS Server Configuration Tool
To add an NFS share, click the Add button. The dialog box shown in Figure 21.2, "Add Share" appears.
The Basic tab requires the following information:
Directory - Specify the directory to share, such as /tmp.
Host(s) - Specify the host(s) with which to share the directory. Refer to Section 3.2, "Hostname Formats" for an explanation of possible formats.
Basic permissions - Specify whether the directory should have read-only or read/write permissions.
Figure 21.2. Add Share
The General Options tab allows the following options to be configured:
Allow connections from port 1024 and higher - Services started on port numbers less than 1024 must be started as root. Select this option to allow the NFS service to be started by a user other than root. This option corresponds to insecure.
Allow insecure file locking - Do not require a lock request. This option corresponds to insecure_locks.
Disable subtree checking - If a subdirectory of a file system is exported, but the entire file system is not exported, the server checks to see if the requested file is in the subdirectory exported. This check is called subtree checking. Select this option to disable subtree checking. If the entire file system is exported, selecting to disable subtree checking can increase the transfer rate. This option corresponds to no_subtree_check.
Sync write operations on request - Enabled by default, this option does not allow the server to reply to requests before the changes made by the request are written to the disk. This option corresponds to sync. If this is not selected, the async option is used.
Force sync of write operations immediately - Do not delay writing to disk. This option corresponds to no_wdelay.
The User Access tab allows the following options to be configured:
Treat remote root user as local root - By default, the user and group IDs of the root user are both 0. Root squashing maps the user ID 0 and the group ID 0 to the user and group IDs of anonymous so that root on the client does not have root privileges on the NFS server. If this option is selected, root is not mapped to anonymous, and root on a client has root privileges to exported directories. Selecting this option can greatly decrease the security of the system. Do not select it unless it is absolutely necessary. This option corresponds to no_root_squash.
Treat all client users as anonymous users - If this option is selected, all user and group IDs are mapped to the anonymous user. This option corresponds to all_squash.
Specify local user ID for anonymous users - If Treat all client users as anonymous users is selected, this option lets you specify a user ID for the anonymous user. This option corresponds to anonuid.
Specify local group ID for anonymous users - If Treat all client users as anonymous users is selected, this option lets you specify a group ID for the anonymous user. This option corresponds to anongid.
To edit an existing NFS share, select the share from the list, and click the Properties button. To delete an existing NFS share, select the share from the list, and click the Delete button.
After clicking OK to add, edit, or delete an NFS share from the list, the changes take place immediately: the server daemon is restarted and the old configuration file is saved as /etc/exports.bak. The new configuration is written to /etc/exports.
The NFS Server Configuration Tool reads and writes directly to the /etc/exports configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
3.1. Command Line Configuration
If you prefer editing configuration files using a text editor or if you do not have the X Window System installed, you can modify the configuration file directly.
The /etc/exports file controls what directories the NFS server exports. Its format is as follows:
directory hostname(options)
The only option that needs to be specified is one of sync or async (sync is recommended). If sync is specified, the server does not reply to requests before the changes made by the request are written to the disk.
For example,
/misc/export speedy.example.com(sync)
would allow users from speedy.example.com to mount /misc/export with the default read-only permissions, but,
/misc/export speedy.example.com(rw,sync)
would allow users from speedy.example.com to mount /misc/export with read/write privileges.
Refer to Section 3.2, "Hostname Formats" for an explanation of possible hostname formats.
Refer to the Red Hat Enterprise Linux Reference Guide for a list of options that can be specified.
Caution
Be careful with spaces in the /etc/exports file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
/misc/export speedy.example.com(rw,sync)
/misc/export speedy.example.com (rw,sync)
The first line grants users from speedy.example.com read-write access and denies all other users. The second line grants users from speedy.example.com read-only access (the default) and allows the rest of the world read-write access.
Each time you change /etc/exports, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
/sbin/service nfs reload
3.2. Hostname Formats
The host(s) can be in the following forms:
Single machine - A fully qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.
Series of machines specified with wildcards - Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example, *.example.com includes one.example.com but does not include one.two.example.com.
IP networks - Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
Netgroups - In the format @group-name, where group-name is the NIS netgroup name.
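The Caution in Section 3.1 describes a mistake that is invisible in a casual read of /etc/exports, and the option descriptions in Section 3 name the settings that widen access (no_root_squash, insecure, a world host with rw). The lint function below, an added example and not part of the guide, reads an exports file and reports each of those: a space before "(options)", which hands the options to every host; read-write access granted to "*"; no_root_squash; insecure; and an export line that states neither sync nor async. Hosts are classified into the forms listed in Section 3.2. The exports file shown is constructed for the example; on a real server pipe in /etc/exports.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: lint an /etc/exports file for
# the pitfalls discussed in this chapter. Reads the file on stdin.

SAMPLE_EXPORTS='# constructed /etc/exports
/misc/export speedy.example.com(rw,sync)
/misc/export speedy.example.com (rw,sync)
/home *.example.com(rw,sync,no_root_squash)
/pub 192.168.0.0/24(ro,sync)
/proj @devteam(rw)
/tmp *(rw,sync,insecure)'

# Classify one host specification into the forms of Section 3.2:
# world, netgroup, wildcard, network or single.
host_kind() {
    case "$1" in
        "*")      echo world ;;
        @*)       echo netgroup ;;
        *[*?]*)   echo wildcard ;;
        */*)      echo network ;;
        *)        echo single ;;
    esac
}

# Print one finding per line as "<line no>: <export> <host>: <message>".
# Returns 1 if anything was reported, 0 for a clean file.
lint_exports() {
    awk '
        function kind(h) {
            if (h == "*") return "world"
            if (h ~ /^@/) return "netgroup"
            if (h ~ /[*?]/) return "wildcard"
            if (h ~ /\//) return "network"
            return "single"
        }
        function report(msg) { printf "%d: %s %s: %s\n", NR, $1, h, msg; found = 1 }
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                h = $i; opts = ""
                if (h ~ /^\(/) {
                    # "host (options)": the space detaches the options from
                    # the preceding host; exportfs applies them to "*".
                    h = "*"; opts = substr($i, 2, length($i) - 2)
                    report("options " opts " apply to the world" (i > 2 ? ", not to " $(i-1) : ""))
                } else if (match(h, /\(.*\)$/)) {
                    opts = substr(h, RSTART + 1, RLENGTH - 2)
                    h = substr(h, 1, RSTART - 1)
                }
                if (kind(h) == "world" && opts ~ /(^|,)rw(,|$)/)
                    report("read-write access for every host")
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    report("no_root_squash: remote root keeps root privileges")
                if (opts ~ /(^|,)insecure(,|$)/)
                    report("insecure: accepts requests from ports above 1024")
                if (opts !~ /(^|,)a?sync(,|$)/)
                    report("neither sync nor async specified")
            }
        }
        END { exit found ? 1 : 0 }'
}

# Demonstration on the constructed sample; line 3 is the Caution's second
# example and produces three findings on its own.
printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports
```

A host that carries no parentheses at all is reported under "neither sync nor async specified", which is exactly the state the Caution describes for speedy.example.com on the second line: it silently gets the default read-only options while the world gets the ones that were meant for it.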
3.3. Starting and Stopping the Server
On the server that is exporting NFS file systems, the nfs service must be running.
View the status of the NFS daemon with the following command:
/sbin/service nfs status
Start the NFS daemon with the following command:
/sbin/service nfs start
Stop the NFS daemon with the following command:
/sbin/service nfs stop
To start the nfs service at boot time, use the command:
/sbin/chkconfig --level 345 nfs on
You can also use chkconfig, ntsysv or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details.
4. Additional Resources
This chapter discusses the basics of using NFS. For more detailed information, refer to the following resources.
4.1. Installed Documentation
The man pages for nfsd, mountd, exports, auto.master, and autofs (in manual sections 5 and 8) - These man pages show the correct syntax for the NFS and autofs configuration files.
4.2. Useful Websites
http://nfs.sourceforge.net/ - The NFS webpage, which includes links to the mailing lists and FAQs.
http://www.tldp.org/HOWTO/NFS-HOWTO/index.html - The Linux NFS-HOWTO from the Linux Documentation Project.
4.3. Related Books
Managing NFS and NIS Services by Hal Stern; O'Reilly & Associates, Inc.
Chapter 22. Samba

Samba uses the SMB protocol to share files and printers across a network connection. Operating systems that support this protocol include Microsoft Windows, OS/2, and Linux.

The Red Hat Enterprise Linux 5.0.0 kernel contains Access Control List (ACL) support for ext3 file systems. If the Samba server shares an ext3 file system with ACLs enabled for it, and the kernel on the client system contains support for reading ACLs from ext3 file systems, the client automatically recognizes and uses the ACLs. Refer to Chapter 14, Access Control Lists for more information on ACLs.

1. Why Use Samba?

Samba is useful if you have a network of both Windows and Linux machines. Samba allows files and printers to be shared by all the systems in a network. To share files between Linux machines only, use NFS as discussed in Chapter 21, Network File System (NFS). To share printers between Linux machines only, you do not need to use Samba; refer to Chapter 33, Printer Configuration.

2. Configuring a Samba Server

The default configuration file (/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.

2.1. Graphical Configuration

To configure Samba using a graphical interface, use the Samba Server Configuration Tool. For command line configuration, skip to Section 2.2, "Command Line Configuration".

The Samba Server Configuration Tool is a graphical interface for managing Samba shares, users, and basic server settings. It modifies the configuration files in the /etc/samba/ directory. Any changes to these files not made using the application are preserved.

To use this application, you must be running the X Window System, have root privileges, and have the system-config-samba RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the Main Menu Button (on the Panel) => System Settings => Server Settings => Samba or type the command system-config-samba at a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 22.1. Samba Server Configuration Tool

Note

The Samba Server Configuration Tool does not display shared printers or the default stanza that allows users to view their own home directories on the Samba server.

2.1.1. Configuring Server Settings

The first step in configuring a Samba server is to configure the basic settings for the server and a few security options. After starting the application, select Preferences => Server Settings from the pulldown menu. The Basic tab is displayed as shown in Figure 22.2, "Configuring Basic Server Settings".

Figure 22.2. Configuring Basic Server Settings

On the Basic tab, specify which workgroup the computer should be in as well as a brief description of the computer. They correspond to the workgroup and server string options in smb.conf.

Figure 22.3. Configuring Security Server Settings

The Security tab contains the following options:

Authentication Mode - This corresponds to the security option. Select one of the following types of authentication.

ADS - The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.

Note

The Kerberos Realm field must be supplied in all uppercase letters, such as EXAMPLE.COM.

Use of your Samba server as a domain member in an ADS realm assumes proper configuration of Kerberos, including the /etc/krb5.conf file.

Domain - The Samba server relies on a Windows NT Primary or Backup Domain Controller to verify the user. The server passes the username and password to the Controller and waits for it to return. Specify the NetBIOS name of the Primary or Backup Domain Controller in the Authentication Server field.

The Encrypted Passwords option must be set to Yes if this is selected.

Server - The Samba server tries to verify the username and password combination by passing them to another Samba server. If it can not, the server tries to verify using the user authentication mode. Specify the NetBIOS name of the other Samba server in the Authentication Server field.

Share - Samba users do not have to enter a username and password combination on a per Samba server basis. They are not prompted for a username and password until they try to connect to a specific shared directory from a Samba server.

User - (Default) Samba users must provide a valid username and password on a per Samba server basis. Select this option if you want the Windows Username option to work. Refer to Section 2.1.2, "Managing Samba Users" for details.

Encrypt Passwords - This option must be enabled if the clients are connecting from a system with Windows 98, Windows NT 4.0 with Service Pack 3, or other more recent versions of Microsoft Windows. The passwords are transferred between the server and the client in an encrypted format (a challenge-response exchange of password hashes) instead of as a plain-text word that can be intercepted. This corresponds to the encrypt passwords option. Refer to Section 2.3, "Encrypted Passwords" for more information about encrypted Samba passwords.

Guest Account - When users or guest users log into a Samba server, they must be mapped to a valid user on the server. Select one of the existing usernames on the system to be the guest Samba account. When guests log in to the Samba server, they have the same privileges as this user. This corresponds to the guest account option.

After clicking OK, the changes are written to the configuration file and the daemon is restarted; thus, the changes take effect immediately.
2.1.2. Managing Samba Users

The Samba Server Configuration Tool requires that an existing user account be active on the system acting as the Samba server before a Samba user can be added. The Samba user is associated with the existing user account.

Figure 22.4. Managing Samba Users

To add a Samba user, select Preferences => Samba Users from the pulldown menu, and click the Add User button. In the Create New Samba User window select a Unix Username from the list of existing users on the local system.

If the user has a different username on a Windows machine and needs to log into the Samba server from the Windows machine, specify that Windows username in the Windows Username field. The Authentication Mode on the Security tab of the Server Settings preferences must be set to User for this option to work.

Also configure a Samba Password for the Samba User and confirm it by typing it again. Even if you select to use encrypted passwords for Samba, it is recommended that the Samba passwords for all users are different from their system passwords.

To edit an existing user, select the user from the list, and click Edit User. To delete an existing Samba user, select the user, and click the Delete User button. Deleting a Samba user does not delete the associated system user account.

The users are modified immediately after clicking the OK button.

2.1.3. Adding a Share

To create a Samba share, click the Add button from the main Samba configuration window.

Figure 22.5. Adding a Share

The Basic tab configures the following options:

Directory - The directory to share via Samba. The directory must exist before it can be entered here.

Share name - The actual name of the share that is seen from remote machines. By default, it is the same value as Directory, but can be configured.

Descriptions - A brief description of the share.

Basic Permissions - Whether users should only be able to read the files in the shared directory or whether they should be able to read and write to the shared directory.

On the Access tab, select whether to allow only specified users to access the share or whether to allow all Samba users to access the share. If you select to allow access to specific users, select the users from the list of available Samba users.

The share is added immediately after clicking OK.

2.2. Command Line Configuration
Samba uses /etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command service smb restart.

To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your smb.conf file:

workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER

Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.

To create a Samba share directory on your Linux system, add the following section to your smb.conf file (after modifying it to reflect your needs and your system):

[sharename]
comment = Insert a comment here
path = /home/share/
valid users = tfox carole
public = no
writable = yes
printable = no
create mask = 0765

The above example allows the users tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.

2.3. Encrypted Passwords

Encrypted passwords are enabled by default because they are more secure. If encrypted passwords are not used, plain text passwords are used, which can be intercepted by someone using a network packet sniffer. It is recommended that encrypted passwords be used.

The Microsoft SMB Protocol originally used plain text passwords. However, Windows NT 4.0 with Service Pack 3 or higher, Windows 98, Windows 2000, Windows ME, and Windows XP require encrypted Samba passwords. To use Samba between a Linux system and a system running one of these Windows operating systems, you can either edit your Windows registry to use plaintext passwords or configure Samba on your Linux system to use encrypted passwords. If you choose to modify your registry, you must do so for all of your Windows machines - this is risky and may cause further conflicts. It is recommended that you use encrypted passwords for better security.

To configure Samba to use encrypted passwords, follow these steps:

1. Create a separate password file for Samba. To create one based on your existing /etc/passwd file, at a shell prompt, type the following command:

cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

If the system uses NIS, type the following command:

ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

The mksmbpasswd.sh script is installed in your /usr/bin directory with the samba package.

2. Change the permissions of the Samba password file so that only root has read and write permissions:

chmod 600 /etc/samba/smbpasswd

3. The script does not copy user passwords to the new file, and a Samba user account is not active until a password is set for it. For higher security, it is recommended that the user's Samba password be different from the user's system password. To set each Samba user's password, use the following command (replace username with each user's username):

smbpasswd username

4. Encrypted passwords must be enabled. Since they are enabled by default, they do not have to be specifically enabled in the configuration file. However, they must not be disabled in the configuration file either. In the file /etc/samba/smb.conf, verify that the following line does not exist:

encrypt passwords = no

If it does exist but is commented out with a semi-colon (;) at the beginning of the line, then the line is ignored, and encrypted passwords are enabled. If this line exists but is not commented out, either remove it or comment it out.

To specifically enable encrypted passwords in the configuration file, add the following lines to /etc/samba/smb.conf:

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

5. Make sure the smb service is started by typing the command service smb restart at a shell prompt.

6. If you want the smb service to start automatically, use ntsysv, chkconfig, or the Services Configuration Tool to enable it at boot time. Refer to Chapter 19, Controlling Access to Services for details.

The pam_smbpass PAM module can be used to sync users' Samba passwords with their system passwords when the passwd command is used. If a user invokes the passwd command, the password he uses to log in to the Red Hat Enterprise Linux system as well as the password he must provide to connect to a Samba share are changed. Note that this keeps the two passwords identical, which trades the separation recommended in step 3 for convenience.

To enable this feature, add the following line to /etc/pam.d/system-auth below the pam_cracklib.so invocation:

password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
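The following auditor is an added example written for this page; it is not code from the Red Hat guide or the Samba project. It covers both Section 2.2 and Section 2.3: it parses the smb.conf format (sections in brackets, key = value lines, comments starting with ";" or "#"), then reports an uncommented "encrypt passwords = no", share-level security, shares that are public and writable, writable shares with no valid users list, and create masks that leave new files world-writable. The sample configuration is constructed for the example: the [sharename] stanza and the commented-out encrypt passwords line come from the text, while the [dropbox] share is an assumed, deliberately weak stanza.

```python
"""Audit an smb.conf for the settings discussed in Sections 2.2 and 2.3.

This is an added example, not code from the Red Hat guide or the Samba
project.  It parses the "[section]" / "key = value" format (lines starting
with ';' or '#' are comments, as in smb.conf) and reports:
  * an un-commented "encrypt passwords = no" in [global];
  * security = share, i.e. no per-server username/password check;
  * shares that are both public (guest ok) and writable;
  * writable shares with no "valid users" restriction;
  * a create mask that leaves new files world-writable.
Key names are compared with whitespace removed and case folded, as Samba
itself does; "writeable"/"write ok"/"read only" and "guest ok" are handled
as the synonyms of "writable" and "public" that they are.
"""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]
Config = Dict[str, Section]

# Constructed sample: the stanza from the text, plus a deliberately weak share.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUPNAME
    server string = BRIEF COMMENT ABOUT SERVER
    ; encrypt passwords = no
    # the line above is commented out with ';' and is therefore ignored
    smb passwd file = /etc/samba/smbpasswd

[sharename]
    comment = Insert a comment here
    path = /home/share/
    valid users = tfox carole
    public = no
    writable = yes
    printable = no
    create mask = 0765

[dropbox]
    path = /srv/dropbox
    guest ok = yes
    writeable = yes
    create mask = 0666
"""


def _norm(key: str) -> str:
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", key.lower())


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> Config:
    """Return {section: {normalised key: value}}; comment lines are skipped."""
    config: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            section = match.group(1).strip().lower()
            config.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            config[section][_norm(key)] = value.strip()
    return config


def share_is_writable(share: Section) -> bool:
    for key in ("writable", "writeable", "writeok"):
        if key in share:
            return _is_yes(share[key])
    if "readonly" in share:
        return not _is_yes(share["readonly"])
    return False                      # Samba default: read only = yes


def share_is_public(share: Section) -> bool:
    for key in ("public", "guestok"):
        if key in share:
            return _is_yes(share[key])
    return False                      # Samba default: guest ok = no


def audit_smb_conf(text: str) -> List[Tuple[str, str]]:
    """Return (section, message) findings for the checks listed above."""
    config = parse_smb_conf(text)
    findings: List[Tuple[str, str]] = []
    glob = config.get("global", {})
    if "encryptpasswords" in glob and not _is_yes(glob["encryptpasswords"]):
        findings.append(("global", "encrypt passwords = no: passwords cross the wire in plain text"))
    if glob.get("security", "user").strip().lower() == "share":
        findings.append(("global", "security = share: no per-server username/password check"))
    for name, share in config.items():
        if name == "global" or _is_yes(share.get("printable", "no")):
            continue
        writable = share_is_writable(share)
        if writable and share_is_public(share):
            findings.append((name, "public and writable: guests can write to the share"))
        if writable and "validusers" not in share:
            findings.append((name, "writable with no 'valid users' list: any Samba user can write"))
        mask = share.get("createmask")
        if mask is not None:
            try:
                if int(mask, 8) & 0o002:
                    findings.append((name, f"create mask {mask} leaves new files world-writable"))
            except ValueError:
                findings.append((name, f"create mask {mask!r} is not an octal mode"))
    return findings


if __name__ == "__main__":
    for section, message in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {message}")
```

The [sharename] stanza from the text passes cleanly; only the assumed [dropbox] share is reported. Run the auditor on /etc/samba/smb.conf after step 4 above to confirm that no live "encrypt passwords = no" survived.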
2.4. Starting and Stopping the Server

On the server that is sharing directories via Samba, the smb service must be running.

View the status of the Samba daemon with the following command:

/sbin/service smb status

Start the daemon with the following command:

/sbin/service smb start

Stop the daemon with the following command:

/sbin/service smb stop

To start the smb service at boot time, use the command:

/sbin/chkconfig --level 345 smb on

You can also use chkconfig, ntsysv, or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details.

Tip

To view active connections to the system, execute the command smbstatus.

3. Connecting to a Samba Share

You can use Nautilus to view available Samba shares on your network. Select Main Menu Button (on the Panel) => Network Servers to view a list of Samba workgroups on your network. You can also type smb: in the Location: bar of Nautilus to view the workgroups.

As shown in Figure 22.6, "SMB Workgroups in Nautilus", an icon appears for each available SMB workgroup on the network.

Figure 22.6. SMB Workgroups in Nautilus

Double-click one of the workgroup icons to view a list of computers within the workgroup.

Figure 22.7. SMB Machines in Nautilus

As you can see from Figure 22.7, "SMB Machines in Nautilus", there is an icon for each machine within the workgroup. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them.

Alternately, you can also specify the Samba server and sharename in the Location: bar for Nautilus using the following syntax (replace <servername> and <sharename> with the appropriate values):

smb://<servername>/<sharename>/

3.1. Command Line

To query the network for Samba servers, use the findsmb command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version.

To connect to a Samba share from a shell prompt, type the following command:

smbclient //<hostname>/<sharename> -U <username>

Replace <hostname> with the hostname or IP address of the Samba server you want to connect to, <sharename> with the name of the shared directory you want to browse, and <username> with the Samba username for the system. Enter the correct password or press Enter if no password is required for the user.

If you see the smb:\> prompt, you have successfully logged in. Once you are logged in, type help for a list of commands. If you wish to browse the contents of your home directory, replace sharename with your username. If the -U switch is not used, the username of the current user is passed to the Samba server.

To exit smbclient, type exit at the smb:\> prompt.

3.2. Mounting the Share

Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system.

To mount a Samba share to a directory, create the directory if it does not already exist, and execute the following command as root:

mount -t smbfs -o username=<username> //<servername>/<sharename> /mnt/point/

This command mounts <sharename> from <servername> in the local directory /mnt/point/. The command prompts for the password; do not pass it on the command line with a password= option, where every local user can read it from the process list.

4. Additional Resources

For configuration options not covered here, please refer to the following resources.

4.1. Installed Documentation

smb.conf man page - explains how to configure the Samba configuration file

smbd man page - describes how the Samba daemon works

smbclient and findsmb man pages - learn more about these client tools

/usr/share/doc/samba-<version-number>/docs/ - help files included with the samba package

4.2. Useful Websites

http://www.samba.org/ - The Samba webpage contains useful documentation, information about mailing lists, and a list of GUI interfaces.

http://www.samba.org/samba/docs/using_samba/toc.html - an online version of Using Samba, 2nd Edition by Jay Ts, Robert Eckstein, and David Collier-Brown; O'Reilly & Associates
Chapter 23. Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is a network protocol for automatically assigning TCP/IP information to client machines. Each DHCP client connects to the centrally-located DHCP server which returns that client's network configuration, including the IP address, gateway, and DNS servers.

1. Why Use DHCP?

DHCP is useful for automatic configuration of client network interfaces. When configuring the client system, the administrator can choose DHCP instead of entering an IP address, netmask, gateway, or DNS servers. The client retrieves this information from the DHCP server. DHCP is also useful if an administrator wants to change the IP addresses of a large number of systems. Instead of reconfiguring all the systems, he can just edit one DHCP configuration file on the server for the new set of IP addresses. If the DNS servers for an organization change, the changes are made on the DHCP server, not on the DHCP clients. Once the network is restarted on the clients (or the clients are rebooted), the changes take effect.

Furthermore, if a laptop or any type of mobile computer is configured for DHCP, it can be moved from office to office without being reconfigured as long as each office has a DHCP server that allows it to connect to the network.

2. Configuring a DHCP Server

To configure a DHCP server, the /etc/dhcpd.conf configuration file must be created. A sample file can be found at /usr/share/doc/dhcp-<version>/dhcpd.conf.sample.

DHCP also uses the file /var/lib/dhcp/dhcpd.leases to store the client lease database. Refer to Section 2.2, "Lease Database" for more information.

2.1. Configuration File

The first step in configuring a DHCP server is to create the configuration file that stores the network information for the clients. Global options can be declared for all clients, while other options can be declared for individual client systems.

The configuration file can contain extra tabs or blank lines for easier formatting. Keywords are case-insensitive and lines beginning with a hash mark (#) are considered comments.

Two DNS update schemes are currently implemented - the ad-hoc DNS update mode and the interim DHCP-DNS interaction draft update mode. If and when these two are accepted as part of the Internet Engineering Task Force (IETF) standards process, there will be a third mode - the standard DNS update method. The DHCP server must be configured to use one of the two current schemes. Version 3.0b2pl11 and previous versions used the ad-hoc mode; however, it has been deprecated. To keep the same behavior, add the following line to the top of the configuration file:

ddns-update-style ad-hoc;

To use the recommended mode, add the following line to the top of the configuration file:

ddns-update-style interim;

Refer to the dhcpd.conf man page for details about the different modes.

There are two types of statements in the configuration file:

Parameters - State how to perform a task, whether to perform a task, or what network configuration options to send to the client.

Declarations - Describe the topology of the network, describe the clients, provide addresses for the clients, or apply a group of parameters to a group of declarations.

Some parameters must start with the option keyword and are referred to as options. Options configure DHCP options; whereas, parameters configure values that are not optional or control how the DHCP server behaves.

Parameters (including options) declared before a section enclosed in curly brackets ({ }) are considered global parameters. Global parameters apply to all the sections below them.

Important

If the configuration file is changed, the changes do not take effect until the DHCP daemon is restarted with the command service dhcpd restart.

Tip

Instead of changing a DHCP configuration file and restarting the service each time, using the omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.

In Example 23.1, "Subnet Declaration", the routers, subnet-mask, domain-name, domain-name-servers, and time-offset options are used for any host statements declared below it.

Additionally, a subnet can be declared; a subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.

In this example, there are global options for every DHCP client in the subnet and a range declared. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.1;
    option time-offset -18000; # Eastern Standard Time
    range 192.168.1.10 192.168.1.100;
}

Example 23.1. Subnet Declaration

All subnets that share the same physical network should be declared within a shared-network declaration as shown in Example 23.2, "Shared-network Declaration". Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network should be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.

shared-network name {
    option domain-name "test.redhat.com";
    option domain-name-servers ns1.redhat.com, ns2.redhat.com;
    option routers 192.168.0.254;
    # more parameters for EXAMPLE shared-network
    subnet 192.168.1.0 netmask 255.255.255.0 {
        # parameters for subnet
        range 192.168.1.1 192.168.1.254;
    }
    subnet 192.168.2.0 netmask 255.255.255.0 {
        # parameters for subnet
        range 192.168.2.1 192.168.2.254;
    }
}

Example 23.2. Shared-network Declaration

As demonstrated in Example 23.3, "Group Declaration", the group declaration can be used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.

group {
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.1;
    option time-offset -18000; # Eastern Standard Time
    host apex {
        option host-name "apex.example.com";
        hardware ethernet 00:A0:78:8E:9E:AA;
        fixed-address 192.168.1.4;
    }
    host raleigh {
        option host-name "raleigh.example.com";
        hardware ethernet 00:A1:DD:74:C3:F2;
        fixed-address 192.168.1.6;
    }
}

Example 23.3. Group Declaration

To configure a DHCP server that leases a dynamic IP address to a system within a subnet, modify Example 23.4, "Range Parameter" with your values. It declares a default lease time, maximum lease time, and network configuration values for the clients. This example assigns IP addresses in the range 192.168.1.10 to 192.168.1.100 to client systems.

default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.100;
}

Example 23.4. Range Parameter

To assign an IP address to a client based on the MAC address of the network interface card, use the hardware ethernet parameter within a host declaration. As demonstrated in Example 23.5, "Static IP Address using DHCP", the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4. Keep fixed addresses outside any range declared for the subnet, as these examples do, so that the same address is not also handed out dynamically. The hardware address is not authenticated; any client can present it, so a fixed address is a convenience, not an access control.

Note that the optional parameter host-name can also be used to assign a host name to the client.

host apex {
    option host-name "apex.example.com";
    hardware ethernet 00:A0:78:8E:9E:AA;
    fixed-address 192.168.1.4;
}

Example 23.5. Static IP Address using DHCP

Tip

The sample configuration file provided can be used as a starting point and custom configuration options can be added to it. To copy it to the proper location, use the following command:

cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf

(where <version-number> is the DHCP version number).

For a complete list of option statements and what they do, refer to the dhcp-options man page.
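The following checker is an added example written for this page; it is not code from the Red Hat guide or from ISC, and it covers the subnet, range, group and host declarations of Examples 23.1 through 23.5. It tokenises dhcpd.conf (comments, semicolons, nested braces), collects every subnet with its ranges and every host with its hardware ethernet and fixed-address wherever they are nested, and reports a subnet address with host bits set under its netmask, a range outside its subnet, a fixed-address in no declared subnet (the page notes dhcpd refuses to start without a matching subnet), a fixed-address inside a dynamic range, and two hosts sharing one MAC address. The sample input is constructed: the subnet and host apex come from Examples 23.4 and 23.5, while the hosts raleigh (moved into the dynamic range) and orphan are assumed, deliberately faulty declarations.

```python
"""Check the subnet, range and host declarations of a dhcpd.conf.

This is an added example, not code from the Red Hat guide or from ISC.
It tokenises the file (honouring '#' comments and nested { } blocks),
collects the declarations described above wherever they are nested
(inside group or shared-network blocks as well), and reports:
  * a subnet whose address has host bits set under its netmask;
  * a range whose endpoints fall outside the enclosing subnet;
  * a host fixed-address that lies in no declared subnet;
  * a fixed-address that also lies inside a dynamic range;
  * two host declarations sharing one hardware ethernet address.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: Examples 23.4 and 23.5 plus two deliberately faulty hosts.
SAMPLE_DHCPD_CONF = """\
ddns-update-style interim;
default-lease-time 600;
max-lease-time 7200;
option domain-name "example.com";          # a global option

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    range 192.168.1.10 192.168.1.100;
}

group {
    option domain-name-servers 192.168.1.1;
    host apex {
        option host-name "apex.example.com";
        hardware ethernet 00:A0:78:8E:9E:AA;
        fixed-address 192.168.1.4;
    }
    host raleigh {
        hardware ethernet 00:A1:DD:74:C3:F2;
        fixed-address 192.168.1.50;            # inside the dynamic range
    }
    host orphan {
        hardware ethernet 00:a0:78:8e:9e:aa;   # same MAC as apex
        fixed-address 10.9.8.7;                # no subnet declared for it
    }
}
"""

TOKEN = re.compile(r'\{|\}|;|"[^"]*"|[^\s{};"]+')
Stmt = Tuple[List[str], List["Stmt"]]          # (words, nested statements)


def parse(text: str) -> List[Stmt]:
    """Parse dhcpd.conf text into nested (words, children) statements."""
    # '#' starts a comment to end of line (a '#' inside quotes is not handled)
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = TOKEN.findall(stripped)
    pos = 0

    def block() -> List[Stmt]:
        nonlocal pos
        stmts: List[Stmt] = []
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                stmts.append((words, []))
                words = []
            elif tok == "{":
                stmts.append((words, block()))
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok.strip('"'))
        return stmts

    return block()


def collect(stmts: List[Stmt], subnets: List[Dict], hosts: List[Dict],
            current: Optional[Dict] = None) -> None:
    """Walk the tree, recording subnets (with their ranges) and hosts."""
    for words, children in stmts:
        if not words:
            continue
        if words[0] == "subnet" and len(words) >= 4 and words[2] == "netmask":
            subnet = {"addr": words[1], "mask": words[3], "ranges": []}
            subnets.append(subnet)
            collect(children, subnets, hosts, subnet)
        elif words[0] == "host" and len(words) >= 2:
            host = {"name": words[1], "fixed": None, "mac": None}
            for cwords, _ in children:
                if cwords[:1] == ["fixed-address"] and len(cwords) > 1:
                    host["fixed"] = cwords[1]
                elif cwords[:2] == ["hardware", "ethernet"] and len(cwords) > 2:
                    host["mac"] = cwords[2].lower()
            hosts.append(host)
        elif words[0] == "range" and current is not None:
            addrs = [w for w in words[1:] if w != "dynamic-bootp"]
            if addrs:
                current["ranges"].append((addrs[0], addrs[-1]))
        elif children:                       # group, shared-network, ...
            collect(children, subnets, hosts, current)


def check(text: str) -> List[str]:
    """Return a list of problem descriptions (empty when the file is clean)."""
    subnets: List[Dict] = []
    hosts: List[Dict] = []
    collect(parse(text), subnets, hosts)
    problems: List[str] = []
    networks = []                            # (network, [(low, high), ...])
    for s in subnets:
        spec = f"{s['addr']}/{s['mask']}"
        net = ipaddress.ip_network(spec, strict=False)
        if str(net.network_address) != s["addr"]:
            problems.append(f"subnet {spec}: host bits set, network address is {net.network_address}")
        dynamic = []
        for low, high in s["ranges"]:
            lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
            if lo not in net or hi not in net or lo > hi:
                problems.append(f"range {low} {high} is not inside subnet {net}")
            dynamic.append((lo, hi))
        networks.append((net, dynamic))
    seen: Dict[str, str] = {}
    for h in hosts:
        if h["mac"] in seen:
            problems.append(f"host {h['name']}: hardware ethernet {h['mac']} already used by host {seen[h['mac']]}")
        elif h["mac"]:
            seen[h["mac"]] = h["name"]
        if not h["fixed"]:
            continue
        try:
            addr = ipaddress.ip_address(h["fixed"])
        except ValueError:
            continue                         # a hostname; dhcpd resolves it at run time
        homes = [(net, dyn) for net, dyn in networks if addr in net]
        if not homes:
            problems.append(f"host {h['name']}: fixed-address {addr} is in no declared subnet")
        for _, dyn in homes:
            if any(lo <= addr <= hi for lo, hi in dyn):
                problems.append(f"host {h['name']}: fixed-address {addr} overlaps a dynamic range")
    return problems


if __name__ == "__main__":
    for problem in check(SAMPLE_DHCPD_CONF):
        print(problem)
```

Run check(open("/etc/dhcpd.conf").read()) before service dhcpd restart; an empty list means the declarations are consistent with each other, which is a cheaper test than watching the daemon fail to start.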
2.2. Lease Database
On the DHCP server, the fe /var/b/dhcp/dhcpd.eases stores the DHCP cent ease
database. Ths fe shoud not be modfed by hand. DHCP ease nformaton for each
recenty assgned IP address s automatcay stored n the ease database. The
nformaton ncudes the ength of the ease, to whom the IP address has been
assgned, the start and end dates for the ease, and the MAC address of the network
Chapter 23. Dynamic Host Conf...
276
nterface card that was used to retreve the ease.
A tmes n the ease database are n Greenwch Mean Tme (GMT), not oca tme.
The ease database s recreated from tme to tme so that t s not too arge. Frst, a
known eases are saved n a temporary ease database. The dhcpd.eases fe s
renamed dhcpd.eases- and the temporary ease database s wrtten to dhcpd.eases.
The DHCP daemon coud be ked or the system coud crash after the ease
database has been renamed to the backup fe but before the new fe has been
wrtten. If ths happens, the dhcpd.eases fe does not exst, but t s requred to start
the servce. Do not create a new ease fe. If you do, a od eases are ost whch
causes many probems. The correct souton s to rename the dhcpd.eases- backup
fe to dhcpd.eases and then start the daemon.
2.3. Starting and Stopping the Server
lmportant
When the DHCP server s started for the frst tme, t fas uness the
dhcpd.eases fe exsts. Use the command touch /var/b/dhcp/dhcpd.eases
to create the fe f t does not exst.
If the same server s aso runnng BIND as a DNS server, ths step s not
necessary, as startng the named servce automatcay checks for a
dhcpd.eases fe.
To start the DHCP servce, use the command /sbn/servce dhcpd start. To stop the
DHCP server, use the command /sbn/servce dhcpd stop.
By defaut, the DHCP servce does not start at boot tme. To confgure the daemon
to start automatcay at boot tme, refer to Chapter 19, Controng Access to
Servces for nformaton on how to manage servces.
If more than one network nterface s attached to the system, but the DHCP server
shoud ony be started on one of the nterfaces, confgure the DHCP server to start
ony on that devce. In /etc/sysconfg/dhcpd, add the name of the nterface to the st
of DHCPDARGS:
# Command ne optons here
DHCPDARGS=eth0
Starting and Stopping the Server
277
Ths s usefu for a frewa machne wth two network cards. One network card can
be confgured as a DHCP cent to retreve an IP address to the Internet. The other
network card can be used as a DHCP server for the nterna network behnd the
frewa. Specfyng ony the network card connected to the nterna network makes
the system more secure because users can not connect to the daemon va the
Internet.
Other command ne optons that can be specfed n /etc/sysconfg/dhcpd ncude:
-p <portnum> - Specfy the UDP port number on whch dhcpd shoud sten. The
defaut s port 67. The DHCP server transmts responses to the DHCP cents at a
port number one greater than the UDP port specfed. For exampe, f the defaut
port 67 s used, the server stens on port 67 for requests and responses to the
cent on port 68. If a port s specfed here and the DHCP reay agent s used, the
same port on whch the DHCP reay agent shoud sten must be specfed. Refer to
Secton 2.4, "DHCP Reay Agent" for detas.
-f - Run the daemon as a foreground process. Ths s mosty used for debuggng.
-d - Log the DHCP server daemon to the standard error descrptor. Ths s mosty
used for debuggng. If ths s not specfed, the og s wrtten to /var/og/messages.
-cf <fename> - Specfy the ocaton of the confguraton fe. The defaut ocaton
s /etc/dhcpd.conf.
-f <fename> - Specfy the ocaton of the ease database fe. If a ease database
fe aready exsts, t s very mportant that the same fe be used every tme the
DHCP server s started. It s strongy recommended that ths opton ony be used
for debuggng purposes on non-producton machnes. The defaut ocaton s
/var/b/dhcp/dhcpd.eases.
-q - Do not prnt the entre copyrght message when startng the daemon.
2.4. DHCP Relay Agent
The DHCP Reay Agent (dhcreay) aows for the reay of DHCP and BOOTP requests
from a subnet wth no DHCP server on t to one or more DHCP servers on other
subnets.
When a DHCP cent requests nformaton, the DHCP Reay Agent forwards the
Chapter 23. Dynamic Host Conf...
278
1
Kudzu s a hardware probng too run at system boot tme to determne what hardware has been added
or removed from the system.
request to the st of DHCP servers specfed when the DHCP Reay Agent s started.
When a DHCP server returns a repy, the repy s broadcast or uncast on the
network that sent the orgna request.
The DHCP Reay Agent stens for DHCP requests on a nterfaces uness the
nterfaces are specfed n /etc/sysconfg/dhcreay wth the INTERFACES drectve.
To start the DHCP Reay Agent, use the command servce dhcreay start.
3. Configuring a DHCP Client
The frst step for confgurng a DHCP cent s to make sure the kerne recognzes the
network nterface card. Most cards are recognzed durng the nstaaton process
and the system s confgured to use the correct kerne modue for the card. If a card
s added after nstaaton, Kudzu
1
shoud recognze t and prompt for the
confguraton of the correspondng kerne modue for t. Be sure to check the
Hardware Compatbty Lst avaabe at http://hardware.redhat.com/hc/. If the
network card s not confgured by the nstaaton program or Kudzu and you know
whch kerne modue to oad for t, refer to Chapter 37, Kerne Modues for detas
on oadng kerne modues.
To confgure a DHCP cent manuay, modfy the /etc/sysconfg/network fe to enabe
networkng and the confguraton fe for each network devce n the
/etc/sysconfg/network-scrpts drectory. In ths drectory, each devce shoud have a
confguraton fe named fcfg-eth0, where eth0 s the network devce name.
The /etc/sysconfg/network fe shoud contan the foowng ne:
NETWORKING=yes
The NETWORKING varabe must be set to yes f you want networkng to start at boot
tme.
The /etc/sysconfg/network-scrpts/fcfg-eth0 fe shoud contan the foowng nes:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
Configuring a DHCP Client
279
A confguraton fe s needed for each devce to be confgured to use DHCP.
Other optons for the network scrpt ncude:
DHCP_HOSTNAME - Ony use ths opton f the DHCP server requres the cent to
specfy a hostname before recevng an IP address. (The DHCP server daemon n
Red Hat Enterprse Lnux does not support ths feature.)
PEERDNS=<answer> , where <answer> s one of the foowng:
yes - Modfy /etc/resov.conf wth nformaton from the server. If usng DHCP,
then yes s the defaut.
no - Do not modfy /etc/resov.conf.
SRCADDR=<address> , where <address> s the specfed source IP address for
outgong packets.
USERCTL=<answer> , where <answer> s one of the foowng:
yes - Non-root users are aowed to contro ths devce.
no - Non-root users are not aowed to contro ths devce.
If you prefer usng a graphca nterface, refer to Chapter 17, Network Confguraton
for detas on usng the Network Administration Tool to confgure a network
nterface to use DHCP.
Tip
For advanced confguratons of cent DHCP optons such as protoco
tmng, ease requrements and requests, dynamc DNS support,
aases, as we as a wde varety of vaues to overrde, prepend, or
append to cent-sde confguratons, refer to the dhcent and
dhcent.conf man pages.
4. Additional Resources
For configuration options not covered here, refer to the following resources.
4.1. Installed Documentation
dhcpd man page - Describes how the DHCP daemon works.
dhcpd.conf man page - Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page - Explains how to configure the DHCP leases file; includes some examples.
dhcp-options man page - Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page - Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-<version>/ - Contains sample files, README files, and release notes for the specific version of the DHCP service.
Chapter 24. Apache HTTP Server Configuration
Red Hat Enterprise Linux provides version 2.0 of the Apache HTTP Server. If you want to migrate an existing configuration file by hand, refer to the migration guide at /usr/share/doc/httpd-<ver>/migration.html or the Red Hat Enterprise Linux Reference Guide for details.
If you configured the Apache HTTP Server with the HTTP Configuration Tool in previous versions of Red Hat Enterprise Linux and then performed an upgrade, you can use the HTTP Configuration Tool to migrate the configuration file to the new format for version 2.0. Start the HTTP Configuration Tool, make any changes to the configuration, and save it. The configuration file saved will be compatible with version 2.0.
The httpd and system-config-httpd RPM packages need to be installed to use the HTTP Configuration Tool. It also requires the X Window System and root access. To start the application, go to the Main Menu Button => System Settings => Server Settings => HTTP or type the command system-config-httpd at a shell prompt (for example, in an XTerm or GNOME Terminal).
The HTTP Configuration Tool allows you to configure the /etc/httpd/conf/httpd.conf configuration file for the Apache HTTP Server. It does not use the old srm.conf or access.conf configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections.
Only modules provided with Red Hat Enterprise Linux can be configured with the HTTP Configuration Tool. If additional modules are installed, they can not be configured using this tool.
Caution
Do not edit the /etc/httpd/conf/httpd.conf configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.
The general steps for configuring the Apache HTTP Server using the HTTP Configuration Tool are as follows:
1. Configure the basic settings under the Main tab.
2. Click on the Virtual Hosts tab and configure the default settings.
3. Under the Virtual Hosts tab, configure the Default Virtual Host.
4. To serve more than one URL or virtual host, add any additional virtual hosts.
5. Configure the server settings under the Server tab.
6. Configure the connections settings under the Performance Tuning tab.
7. Copy all necessary files to the DocumentRoot and cgi-bin directories.
8. Exit the application and select to save your settings.
1. Basic Settings
Use the Main tab to configure the basic server settings.
Figure 24.1. Basic Settings
Enter a fully qualified domain name that you have the right to use in the Server Name text area. This option corresponds to the ServerName (http://httpd.apache.org/docs-2.0/mod/core.html#servername) directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
Enter the email address of the person who maintains the Web server in the Webmaster email address text area. This option corresponds to the ServerAdmin (http://httpd.apache.org/docs-2.0/mod/core.html#serveradmin) directive in httpd.conf. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
Use the Available Addresses area to define the ports on which the server accepts incoming requests. This option corresponds to the Listen (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#listen) directive in httpd.conf. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
Click the Add button to define additional ports on which to accept requests. A window as shown in Figure 24.2, "Available Addresses" appears. Either choose the Listen to all addresses option to listen to all IP addresses on the defined port or specify a particular IP address over which the server accepts connections in the Address field. Only specify one IP address per port number. To specify more than one IP address with the same port number, create an entry for each IP address. If at all possible, use an IP address instead of a domain name to prevent a DNS lookup failure. Refer to http://httpd.apache.org/docs-2.0/dns-caveats.html for more information about Issues Regarding DNS and Apache.
Entering an asterisk (*) in the Address field is the same as choosing Listen to all addresses. Clicking the Edit button in the Available Addresses frame shows the same window as the Add button except with the fields populated for the selected entry. To delete an entry, select it and click the Delete button.
Tip
If you set the server to listen to a port under 1024, you must be root to start it. For port 1024 and above, httpd can be started as a regular user.
Figure 24.2. Available Addresses
2. Default Settings
After defining the Server Name, Webmaster email address, and Available Addresses, click the Virtual Hosts tab and click the Edit Default Settings button. A window as shown in Figure 24.3, "Site Configuration" appears. Configure the default settings for your Web server in this window. If you add a virtual host, the settings you configure for the virtual host take precedence for that virtual host. For a directive not defined within the virtual host settings, the default value is used.
2.1. Site Configuration
The default values for the Directory Page Search List and Error Pages work for most servers. If you are unsure of these settings, do not modify them.
Figure 24.3. Site Configuration
The entries listed in the Directory Page Search List define the DirectoryIndex (http://httpd.apache.org/docs-2.0/mod/mod_dir.html#directoryindex) directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
For example, when a user requests the page http://www.example.com/this_directory/, they are going to get either the DirectoryIndex page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds. If it does not find any of these files and if Options Indexes is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
Use the Error Code section to configure Apache HTTP Server to redirect the client to a local or external URL in the event of a problem or error. This option corresponds to the ErrorDocument (http://httpd.apache.org/docs-2.0/mod/core.html#errordocument) directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose Default to display the default short error message. Choose URL to redirect the client to an external URL and enter a complete URL, including the http://, in the Location field. Choose File to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin with a slash (/) and be relative to the Document Root.
For example, to redirect a 404 Not Found error code to a webpage that you created in a file called 404.html, copy 404.html to DocumentRoot/../error/404.html. In this case, DocumentRoot is the Document Root directory that you have defined (the default is /var/www/html/). If the Document Root is left as the default location, the file should be copied to /var/www/error/404.html. Then, choose File as the Behavior for 404 - Not Found error code and enter /error/404.html as the Location.
From the Default Error Page Footer menu, you can choose one of the following options:
Show footer with email address - Display the default footer at the bottom of all error pages along with the email address of the website maintainer specified by the ServerAdmin (http://httpd.apache.org/docs-2.0/mod/core.html#serveradmin) directive. Refer to Section 3.1.1, "General Options" for information about configuring the ServerAdmin directive.
Show footer - Display just the default footer at the bottom of error pages.
No footer - Do not display a footer at the bottom of error pages.
2.2. Logging
Use the Logging tab to configure options for specific transfer and error logs.
By default, the server writes the transfer log to the /var/log/httpd/access_log file and the error log to the /var/log/httpd/error_log file.
The transfer log contains a list of all attempts to access the Web server. It records the IP address of the client that is attempting to connect, the date and time of the attempt, and the file on the Web server that it is trying to retrieve. Enter the name of the path and file in which to store this information. If the path and file name do not start with a slash (/), the path is relative to the server root directory as configured. This option corresponds to the TransferLog (http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#transferlog) directive.
Figure 24.4. Logging
You can configure a custom log format by checking Use custom logging facilities and entering a custom log string in the Custom Log String field. This configures the LogFormat (http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#logformat) directive. Refer to http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#formats for details on the format of this directive.
The error log contains a list of any server errors that occur. Enter the name of the path and file in which to store this information. If the path and file name do not start with a slash (/), the path is relative to the server root directory as configured. This option corresponds to the ErrorLog (http://httpd.apache.org/docs-2.0/mod/core.html#errorlog) directive.
Use the Log Level menu to set the verbosity of the error messages in the error logs. It can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info or debug. This option corresponds to the LogLevel (http://httpd.apache.org/docs-2.0/mod/core.html#loglevel) directive.
The value chosen with the Reverse DNS Lookup menu defines the HostnameLookups (http://httpd.apache.org/docs-2.0/mod/core.html#hostnamelookups) directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.
If you choose Reverse Lookup, your server automatically resolves the IP address for each connection which requests a document from your Web server. Resolving the IP address means that your server makes one or more connections to the DNS in order to find out the hostname that corresponds to a particular IP address.
If you choose Double Reverse Lookup, your server performs a double-reverse DNS. In other words, after a reverse lookup is performed, a forward lookup is performed on the result. At least one of the IP addresses in the forward lookup must match the address from the first reverse lookup.
Generally, you should leave this option set to No Reverse Lookup, because the DNS requests add a load to your server and may slow it down. If your server is busy, the effects of trying to perform these reverse lookups or double reverse lookups may be quite noticeable.
Reverse lookups and double reverse lookups are also an issue for the Internet as a whole. Each individual connection made to look up each hostname adds up. Therefore, for your own Web server's benefit, as well as for the Internet's benefit, you should leave this option set to No Reverse Lookup.
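The difference between a plain reverse lookup and the double-reverse check described above, as an added example that is not part of the guide or of Apache: the resolver is injected, so the code runs against constructed PTR/A records here and against real DNS if you pass the socket-based functions instead. The constructed records include a PTR whose name does not resolve back to the address, which is why a single reverse lookup cannot be trusted for logging or access decisions.

```python
"""Reverse vs. double-reverse hostname lookup (HostnameLookups on/double).

Added example, not code from the Red Hat guide or the Apache project.
"""
import socket
from typing import Optional

# Constructed sample records. Whoever controls the reverse zone for
# 198.51.100.7 has written a PTR claiming "trusted.example.com", but the
# forward records for that name do not include 198.51.100.7.
PTR = {
    "203.0.113.10": "web1.example.com",
    "198.51.100.7": "trusted.example.com",
}
A = {
    "web1.example.com": ["203.0.113.10", "203.0.113.11"],
    "trusted.example.com": ["192.0.2.5"],
}


def sample_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the constructed zone."""
    return PTR.get(ip)


def sample_forward(name: str) -> list:
    """A lookup against the constructed zone; empty list if unknown."""
    return A.get(name, [])


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (real DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> list:
    """A lookup through the system resolver (real DNS)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def reverse_lookup(ip, reverse=sample_reverse):
    """HostnameLookups on: the PTR name is taken at face value."""
    return reverse(ip)


def double_reverse_lookup(ip, reverse=sample_reverse, forward=sample_forward):
    """HostnameLookups double: the PTR name is accepted only if a forward
    lookup of that name returns the original address among its results."""
    name = reverse(ip)
    if name is None:
        return None
    if ip in forward(name):
        return name
    # Forward lookup does not confirm the PTR: treat the name as unverified
    return None
```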
2.3. Environment Variables
Use the Environment tab to configure options for specific variables to set, pass, or unset for CGI scripts.
Sometimes it is necessary to modify environment variables for CGI scripts or server-side include (SSI) pages. The Apache HTTP Server can use the mod_env module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.
Use the Set for CGI Scripts section to set an environment variable that is passed to CGI scripts and SSI pages. For example, to set the environment variable MAXNUM to 50, click the Add button inside the Set for CGI Script section, as shown in Figure 24.5, "Environment Variables", and type MAXNUM in the Environment Variable text field and 50 in the Value to set text field. Click OK to add it to the list. The Set for CGI Scripts section configures the SetEnv (http://httpd.apache.org/docs-2.0/mod/mod_env.html#setenv) directive.
Use the Pass to CGI Scripts section to pass the value of an environment variable when the server is first started to CGI scripts. To see this environment variable, type the command env at a shell prompt. Click the Add button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click OK to add it to the list. The Pass to CGI Scripts section configures the PassEnv (http://httpd.apache.org/docs-2.0/mod/mod_env.html#passenv) directive.
Figure 24.5. Environment Variables
To remove an environment variable so that the value is not passed to CGI scripts and SSI pages, use the Unset for CGI Scripts section. Click Add in the Unset for CGI Scripts section, and enter the name of the environment variable to unset. Click OK to add it to the list. This corresponds to the UnsetEnv (http://httpd.apache.org/docs-2.0/mod/mod_env.html#unsetenv) directive.
To edit any of these environment values, select it from the list and click the corresponding Edit button. To delete any entry from the list, select it and click the corresponding Delete button.
To learn more about environment variables in the Apache HTTP Server, refer to the following:
http://httpd.apache.org/docs-2.0/env.html
2.4. Directories
Use the Directories page in the Performance tab to configure options for specific directories. This corresponds to the <Directory> (http://httpd.apache.org/docs-2.0/mod/core.html#directory) directive.
Figure 24.6. Directories
Click the Edit button in the top right-hand corner to configure the Default Directory Options for all directories that are not specified in the Directory list below it. The options that you choose are listed as the Options (http://httpd.apache.org/docs-2.0/mod/core.html#options) directive within the <Directory> (http://httpd.apache.org/docs-2.0/mod/core.html#directory) directive. You can configure the following options:
ExecCGI - Allow execution of CGI scripts. CGI scripts are not executed if this option is not chosen.
FollowSymLinks - Allow symbolic links to be followed.
Includes - Allow server-side includes.
IncludesNOEXEC - Allow server-side includes, but disable the #exec and #include commands in CGI scripts.
Indexes - Display a formatted list of the directory's contents, if no DirectoryIndex (such as index.html) exists in the requested directory.
Multiview - Support content-negotiated multiviews; this option is disabled by default.
SymLinksIfOwnerMatch - Only follow symbolic links if the target file or directory has the same owner as the link.
To specify options for specific directories, click the Add button beside the Directory list box. A window as shown in Figure 24.7, "Directory Settings" appears. Enter the directory to configure in the Directory text field at the bottom of the window. Select the options in the right-hand list and configure the Order (http://httpd.apache.org/docs-2.0/mod/mod_access.html#order) directive with the left-hand side options. The Order directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:
Allow all hosts - Type all to allow access to all hosts.
Partial domain name - Allow all hosts whose names match or end with the specified string.
Full IP address - Allow access to a specific IP address.
A subnet - Such as 192.168.1.0/255.255.255.0
A network CIDR specification - such as 10.3.0.0/16
Figure 24.7. Directory Settings
If you check the Let .htaccess files override directory options, the configuration directives in the .htaccess file take precedence.
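How the Allow hosts from / Deny hosts from entry types listed above combine under the two Order settings, as an added example that is not code from the guide or from mod_access. It also accepts Apache's partial-IP form (for example 10.1) and matches partial domain names on whole components only, the way mod_access does; the client name is assumed to have been verified already (mod_access double-reverse resolves it before use).

```python
"""Evaluate mod_access style Allow/Deny entries with Order semantics.

Added example, not code from the Red Hat guide or the Apache project.
Entry forms: all, partial domain name, full IP, partial IP,
subnet with netmask (192.168.1.0/255.255.255.0), CIDR (10.3.0.0/16).
"""
import ipaddress


def entry_matches(entry, client_ip, client_name=None):
    """True if one Allow/Deny entry covers this client."""
    entry = entry.strip()
    if entry.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    # CIDR prefix or dotted netmask: both parse with ip_network
    if "/" in entry:
        return ip in ipaddress.ip_network(entry, strict=False)
    # Full IP address
    try:
        return ip == ipaddress.ip_address(entry)
    except ValueError:
        pass
    # Partial IPv4 address such as "10.1": matches 10.1.x.x only
    if entry.replace(".", "").isdigit():
        return client_ip.startswith(entry.rstrip(".") + ".")
    # Partial domain name: whole components only, so "example.com"
    # matches "www.example.com" but not "notexample.com"
    if client_name is None:
        return False
    suffix = entry.lower().lstrip(".")
    name = client_name.lower()
    return name == suffix or name.endswith("." + suffix)


def access_decision(order, allow, deny, client_ip, client_name=None):
    """Return True (allowed) or False (denied) for one request.

    Order Allow,Deny: default state is denied; the request needs an
    Allow match and must not match any Deny.
    Order Deny,Allow: default state is allowed; a Deny match blocks the
    request unless an Allow entry also matches it.
    """
    allowed = any(entry_matches(e, client_ip, client_name) for e in allow)
    denied = any(entry_matches(e, client_ip, client_name) for e in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


# Constructed sample policy: internal nets allowed, one /24 blocked
SAMPLE_ALLOW = ["example.com", "192.168.1.0/255.255.255.0", "10.3.0.0/16"]
SAMPLE_DENY = ["10.3.7.0/24"]
```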
3. Virtual Hosts Settings
Virtual hosts allow you to run different servers for different IP addresses, different host names, or different ports on the same machine. For example, you can run the website for http://www.example.com and http://www.anotherexample.com on the same Web server using virtual hosts. This option corresponds to the <VirtualHost> (http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost) directive for the default virtual host and IP based virtual hosts. It corresponds to the <NameVirtualHost> (http://httpd.apache.org/docs-2.0/mod/core.html#namevirtualhost) directive for a name based virtual host.
The directives set for a virtual host only apply to that particular virtual host. If a directive is set server-wide using the Edit Default Settings button and not defined within the virtual host settings, the default setting is used. For example, you can define a Webmaster email address in the Main tab and not define individual email addresses for each virtual host.
The HTTP Configuration Tool includes a default virtual host as shown in Figure 24.8, "Virtual Hosts".
Figure 24.8. Virtual Hosts
http://httpd.apache.org/docs-2.0/vhosts/ and the Apache HTTP Server documentation on your machine provide more information about virtual hosts.
3.1. Adding and Editing a Virtual Host
To add a virtual host, click the Virtual Hosts tab and then click the Add button. You can also edit a virtual host by selecting it and clicking the Edit button.
3.1.1. General Options
The General Options settings only apply to the virtual host that you are configuring. Set the name of the virtual host in the Virtual Host Name text area. This name is used by HTTP Configuration Tool to distinguish between virtual hosts.
Set the Document Root Directory value to the directory that contains the root document (such as index.html) for the virtual host. This option corresponds to the DocumentRoot (http://httpd.apache.org/docs-2.0/mod/core.html#documentroot) directive within the <VirtualHost> (http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost) directive. The default DocumentRoot is /var/www/html.
The Webmaster email address corresponds to the ServerAdmin (http://httpd.apache.org/docs-2.0/mod/core.html#serveradmin) directive within the VirtualHost (http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost) directive. This email address is used in the footer of error pages if you choose to show a footer with an email address on the error pages.
In the Host Information section, choose Default Virtual Host, IP based Virtual Host, or Name based Virtual Host.
Default Virtual Host
You should only configure one default virtual host (remember that there is one set up by default). The default virtual host settings are used when the requested IP address is not explicitly listed in another virtual host. If there is no default virtual host defined, the main server settings are used.
IP based Virtual Host
If you choose IP based Virtual Host, a window appears to configure the <VirtualHost> (http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost) directive based on the IP address of the server. Specify this IP address in the IP address field. To specify multiple IP addresses, separate each IP address with spaces. To specify a port, use the syntax IP Address:Port. Use "colon, asterisk" (:*) to configure all ports for the IP address. Specify the host name for the virtual host in the Server Host Name field.
Name based Virtual Host
If you choose Name based Virtual Host, a window appears to configure the NameVirtualHost (http://httpd.apache.org/docs-2.0/mod/core.html#namevirtualhost) directive based on the host name of the server. Specify the IP address in the IP address field. To specify multiple IP addresses, separate each IP address with spaces. To specify a port, use the syntax IP Address:Port. Use "colon, asterisk" (:*) to configure all ports for the IP address. Specify the host name for the virtual host in the Server Host Name field. In the Aliases section, click Add to add a host name alias. Adding an alias here adds a ServerAlias (http://httpd.apache.org/docs-2.0/mod/core.html#serveralias) directive within the NameVirtualHost (http://httpd.apache.org/docs-2.0/mod/core.html#namevirtualhost) directive.
3.1.2. SSL
Note
You cannot use name based virtual hosts with SSL because the SSL handshake (when the browser accepts the secure Web server's certificate) occurs before the HTTP request, which identifies the appropriate name based virtual host. If you plan to use name-based virtual hosts, remember that they only work with your non-secure Web server.
Figure 24.9. SSL Support
If an Apache HTTP Server is not configured with SSL support, communications between an Apache HTTP Server and its clients are not encrypted. This is appropriate for websites without personal or confidential information. For example, an open source website that distributes open source software and documentation has no need for secure communications. However, an ecommerce website that requires credit card information should use the Apache SSL support to encrypt its communications. Enabling Apache SSL support enables the use of the mod_ssl security module. To enable it through the HTTP Configuration Tool, you must allow access through port 443 under the Main tab => Available Addresses. Refer to Section 1, "Basic Settings" for details. Then, select the virtual host name in the Virtual Hosts tab, click the Edit button, choose SSL from the left-hand menu, and check the Enable SSL Support option as shown in Figure 24.9, "SSL Support".
The SSL Configuration section is pre-configured with the dummy digital certificate. The digital certificate provides authentication for your secure Web server and identifies the secure server to client Web browsers. You must purchase your own digital certificate. Do not use the dummy one provided for your website. For details on purchasing a CA-approved digital certificate, refer to Chapter 25, Apache HTTP Secure Server Configuration.
3.1.3. Additional Virtual Host Options
The Site Configuration, Environment Variables, and Directories options for the virtual hosts are the same directives that you set when you clicked the Edit Default Settings button, except the options set here are for the individual virtual hosts that you are configuring. Refer to Section 2, "Default Settings" for details on these options.
4. Server Settings
The Server tab allows you to configure basic server settings. The default settings for these options are appropriate for most situations.
Figure 24.10. Server Configuration
The Lock File value corresponds to the LockFile (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#lockfile) directive. This directive sets the path to the lockfile used when the server is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be stored on the local disk. It should be left to the default value unless the logs directory is located on an NFS share. If this is the case, the default value should be changed to a location on the local disk and to a directory that is readable only by root.
The PID File value corresponds to the PidFile (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#pidfile) directive. This directive sets the file in which the server records its process ID (pid). This file should only be readable by root. In most cases, it should be left to the default value.
The Core Dump Directory value corresponds to the CoreDumpDirectory (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#coredumpdirectory) directive. The Apache HTTP Server tries to switch to this directory before executing a core dump. The default value is the ServerRoot. However, if the user that the server runs as can not write to this directory, the core dump can not be written. Change this value to a directory writable by the user the server runs as, if you want to write the core dumps to disk for debugging purposes.
The User value corresponds to the User (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#user) directive. It sets the userid used by the server to answer requests. This user's settings determine the server's access. Any files inaccessible to this user are also inaccessible to your website's visitors. The default for User is apache.
The user should only have privileges so that it can access files which are supposed to be visible to the outside world. The user is also the owner of any CGI processes spawned by the server. The user should not be allowed to execute any code which is not intended to be in response to HTTP requests.
Warning
Unless you know exactly what you are doing, do not set the User directive to root. Using root as the User creates large security holes for your Web server.
The parent httpd process first runs as root during normal operations, but is then immediately handed off to the apache user. The server must start as root because it needs to bind to a port below 1024. Ports below 1024 are reserved for system use, so they can not be used by anyone but root. Once the server has attached itself to its port, however, it hands the process off to the apache user before it accepts any connection requests.
The Group value corresponds to the Group (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#group) directive. The Group directive is similar to the User directive. Group sets the group under which the server answers requests. The default group is also apache.
5. Performance Tuning
Click on the Performance Tuning tab to configure the maximum number of child server processes you want and to configure the Apache HTTP Server options for client connections. The default settings for these options are appropriate for most situations. Altering these settings may affect the overall performance of your Web server.
Figure 24.11. Performance Tuning
Set Max Number of Connections to the maximum number of simultaneous client requests that the server can handle. For each connection, a child httpd process is created. After this maximum number of processes is reached, no one else can connect to the Web server until a child server process is freed. You can not set this value to higher than 256 without recompiling. This option corresponds to the MaxClients (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#maxclients) directive.
Connection Timeout defines, in seconds, the amount of time that your server waits for receipts and transmissions during communications. Specifically, Connection Timeout defines how long your server waits to receive a GET request, how long it waits to receive TCP packets on a POST or PUT request, and how long it waits between ACKs responding to TCP packets. By default, Connection Timeout is set to 300 seconds, which is appropriate for most situations. This option corresponds to the TimeOut (http://httpd.apache.org/docs-2.0/mod/core.html#timeout) directive.
Set the Max requests per connection to the maximum number of requests allowed per persistent connection. The default value is 100, which should be appropriate for most situations. This option corresponds to the MaxRequestsPerChild (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#maxrequestsperchild) directive.
If you check the Allow unlimited requests per connection option, the MaxKeepAliveRequests (http://httpd.apache.org/docs-2.0/mod/core.html#maxkeepaliverequests) directive is set to 0 and unlimited requests are allowed.
If you uncheck the Allow Persistent Connections option, the KeepAlive (http://httpd.apache.org/docs-2.0/mod/core.html#keepalive) directive is set to false. If you check it, the KeepAlive (http://httpd.apache.org/docs-2.0/mod/core.html#keepalive) directive is set to true, and the KeepAliveTimeout (http://httpd.apache.org/docs-2.0/mod/core.html#keepalivetimeout) directive is set to the number that is selected as the Timeout for next Connection value. This directive sets the number of seconds your server waits for a subsequent request, after a request has been served, before it closes the connection. Once a request has been received, the Connection Timeout value applies instead.
Setting the Persistent Connections to a high value may cause the server to slow down, depending on how many users are trying to connect to it. The higher the number, the more server processes are waiting for another connection from the last client that connected to it.
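A check for the constraints stated in the Basic Settings, Server Settings and Performance Tuning sections (User and Group must not be root, a Listen port below 1024 means httpd must be started as root, MaxClients above 256 needs a recompile), as an added example that is not part of the guide or of the HTTP Configuration Tool. The httpd.conf text is constructed for the example; directives inside <VirtualHost> or <Directory> blocks are read like top-level ones, which is sufficient for these global directives.

```python
"""Audit an Apache 2.0 httpd.conf for the limits this chapter states.

Added example, not code from the Red Hat guide or the Apache project.
"""

# Constructed sample configuration, deliberately violating three rules
SAMPLE_CONF = """\
# constructed sample, not a real httpd.conf
ServerRoot "/etc/httpd"
Listen 80
Listen 192.0.2.10:8443
User root
Group apache
MaxClients 512
KeepAlive On
KeepAliveTimeout 15
Timeout 300
"""


def parse_directives(text):
    """Return (name, args) pairs; comments and <...> block tags are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip().strip('"') if len(parts) > 1 else ""
        out.append((name, args))
    return out


def listen_port(arg):
    """Listen takes 'port' or 'address:port' (IPv6 in brackets); return the port."""
    return int(arg.rsplit(":", 1)[-1])


def audit(text):
    """List the findings for one configuration text (empty list if clean)."""
    findings = []
    for name, args in parse_directives(text):
        if name in ("user", "group") and args.lower() == "root":
            findings.append(
                f"{name.capitalize()} root: the server would answer requests as root")
        elif name == "listen":
            port = listen_port(args)
            if port < 1024:
                findings.append(
                    f"Listen {args}: port below 1024, httpd must be started as root")
        elif name == "maxclients" and int(args) > 256:
            findings.append(
                f"MaxClients {args}: values above 256 require recompiling httpd")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```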
6. Saving Your Settings
If you do not want to save your Apache HTTP Server configuration settings, click the Cancel button in the bottom right corner of the HTTP Configuration Tool window. You are prompted to confirm this decision. If you click Yes to confirm this choice, your settings are not saved.
If you want to save your Apache HTTP Server configuration settings, click the OK button in the bottom right corner of the HTTP Configuration Tool window. A dialog window appears. If you answer Yes, your settings are saved in /etc/httpd/conf/httpd.conf. Remember that your original configuration file is overwritten with your new settings.
If this is the first time that you have used the HTTP Configuration Tool, a dialog window appears, warning you that the configuration file has been manually modified. If the HTTP Configuration Tool detects that the httpd.conf configuration file has been manually modified, it saves the manually modified file as /etc/httpd/conf/httpd.conf.bak.
Important
After saving your settings, you must restart the httpd daemon with the command service httpd restart. You must be logged in as root to execute this command.
7. Additional Resources
To learn more about the Apache HTTP Server, refer to the following resources.
7.1. Installed Documentation
/usr/share/docs/httpd-<version>/migration.html - The Apache Migration HOWTO document contains a list of changes from version 1.3 to version 2.0 as well as information about how to migrate the configuration file manually.
7.2. Useful Websites
http://www.apache.org/ - The Apache Software Foundation.
http://httpd.apache.org/docs-2.0/ - The Apache Software Foundation's documentation on Apache HTTP Server version 2.0, including the Apache HTTP Server Version 2.0 User's Guide.
7.3. Related Books
Apache: The Definitive Guide by Ben Laurie and Peter Laurie; O'Reilly & Associates, Inc.
Red Hat Enterprise Linux Reference Guide; Red Hat, Inc. - This companion manual includes instructions for migrating from Apache HTTP Server version 1.3 to Apache HTTP Server version 2.0 manually, more details about the Apache HTTP Server directives, and instructions for adding modules to the Apache HTTP Server.
Chapter 25. Apache HTTP Secure Server Configuration
1. Introduction
This chapter provides basic information on the Apache HTTP Server with the mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components is referred to in this chapter as the secure Web server or just as the secure server.
The mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server - the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
This chapter is not meant to be complete and exclusive documentation for any of these programs. When possible, this guide points to appropriate places where you can find more in-depth documentation on particular subjects.
This chapter shows you how to install these programs. You can also learn the steps necessary to generate a private key and a certificate request, how to generate your own self-signed certificate, and how to install a certificate to use with your secure server.
The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
2. An Overview of Security-Related Packages
To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
Additionally, other software packages provide certain security functionalities (but are not required by the secure server to function):
httpd-devel
The httpd-devel package contains the Apache HTTP Server include files, header files, and the APXS utility. You need all of these if you intend to load any extra modules, other than the modules provided with this product. Refer to the Red Hat Enterprise Linux Reference Guide for more information on loading modules onto your secure server using Apache's dynamic shared object (DSO) functionality.
If you do not intend to load other modules onto your Apache HTTP Server, you do not need to install this package.
OpenSSH packages
The OpenSSH packages provide the OpenSSH set of network connectivity tools for logging into and executing commands on a remote machine. OpenSSH tools encrypt all traffic (including passwords), so you can avoid eavesdropping, connection hijacking, and other attacks on the communications between your machine and the remote machine.
The openssh package includes core files needed by both the OpenSSH client programs and the OpenSSH server. The openssh package also contains scp, a secure replacement for rcp (for securely copying files between machines).
The openssh-askpass package supports the display of a dialog window which prompts for a password during use of the OpenSSH agent.
The openssh-askpass-gnome package can be used in conjunction with the GNOME desktop environment to display a graphical dialog window when OpenSSH programs prompt for a password. If you are running GNOME and using OpenSSH utilities, you should install this package.
The openssh-server package contains the sshd secure shell daemon and related files. The secure shell daemon is the server side of the OpenSSH suite and must be installed on your host to allow SSH clients to connect to your host.
The openssh-clients package contains the client programs needed to make encrypted connections to SSH servers, including the following: ssh, a secure replacement for rsh; sftp, a secure replacement for ftp (for transferring files between machines); and slogin, a secure replacement for rlogin (for remote login) and telnet (for communicating with another host via the Telnet protocol).
For more information about OpenSSH, see Chapter 20, OpenSSH, the Red Hat Enterprise Linux Reference Guide, and the OpenSSH website at http://www.openssh.com/.
openssl-devel
The openssl-devel package contains the static libraries and the include file needed to compile applications with support for various cryptographic algorithms and protocols. You need to install this package only if you are developing applications which include SSL support - you do not need this package to use SSL.
stunnel
The stunnel package provides the Stunnel SSL wrapper. Stunnel supports the SSL encryption of TCP connections. It provides encryption for non-SSL aware daemons and protocols (such as POP, IMAP, and LDAP) without requiring any changes to the daemon's code.
Note
Newer implementations of various daemons now provide their services natively over SSL, such as dovecot or OpenLDAP's slapd server, which may be more desirable than using stunnel.
For example, use of stunnel only provides wrapping of protocols, while the native support in OpenLDAP's slapd can also handle in-band upgrades for using encryption in response to a StartTLS client request.
Table 25.1, "Security Packages" displays a summary of the secure server packages and whether each package is optional for the installation of a secure server.
Package Name             Optional?
httpd                    no
mod_ssl                  no
openssl                  no
httpd-devel              yes
openssh                  yes
openssh-askpass          yes
openssh-askpass-gnome    yes
openssh-clients          yes
openssh-server           yes
openssl-devel            yes
stunnel                  yes
Table 25.1. Security Packages
3. An Overview of Certificates and Security
Your secure server provides security using a combination of the Secure Sockets Layer (SSL) protocol and (in most cases) a digital certificate from a Certificate Authority (CA). SSL handles the encrypted communications as well as the mutual authentication between browsers and your secure server. The CA-approved digital certificate provides authentication for your secure server (the CA puts its reputation behind its certification of your organization's identity). When your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the navigation bar.
Encryption depends upon the use of keys (think of them as secret encoder/decoder rings in data format). In conventional or symmetric cryptography, both ends of the transaction have the same key, which they use to decode each other's transmissions. In public or asymmetric cryptography, two keys co-exist: a public key and a private key. A person or an organization keeps their private key a secret and publishes their public key. Data encoded with the public key can only be decoded with the private key; data encoded with the private key can only be decoded with the public key.
To set up your secure server, use public cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company's identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.
A secure server uses a certificate to identify itself to Web browsers. You can generate your own certificate (called a "self-signed" certificate), or you can get a certificate from a CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization.
Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user's browser - users are prompted by the browser to accept the certificate and create the secure connection. Refer to Section 5, "Types of Certificates" for more information on the differences between self-signed and CA-signed certificates.
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you must install it on your secure server.
4. Using Pre-Existing Keys and Certificates
If you already have an existing key and certificate (for example, if you are installing the secure server to replace another company's secure server product), you can probably use your existing key and certificate with the secure server. The following two situations provide instances where you are not able to use your existing key and certificate:
• If you are changing your IP address or domain name - Certificates are issued for a particular IP address and domain name pair. You must get a new certificate if you are changing your IP address or domain name.
• If you have a certificate from VeriSign and you are changing your server software - VeriSign is a widely used CA. If you already have a VeriSign certificate for another purpose, you may have been considering using your existing VeriSign certificate with your new secure server. However, you are not allowed to, because VeriSign issues certificates for one specific server software and IP address/domain name combination.
If you change either of those parameters (for example, if you previously used a different secure server product), the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration. You must obtain a new certificate.
If you have an existing key and certificate that you can use, you do not have to generate a new key and obtain a new certificate. However, you may need to move and rename the files which contain your key and certificate.
Move your existing key file to:
/etc/httpd/conf/ssl.key/server.key
Move your existing certificate file to:
/etc/httpd/conf/ssl.crt/server.crt
After you have moved your key and certificate, skip to Section 9, "Testing The Certificate".
If you are upgrading from the Red Hat Secure Web Server, your old key (httpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
mv /etc/httpd/conf/httpsd.key /etc/httpd/conf/ssl.key/server.key
mv /etc/httpd/conf/httpsd.crt /etc/httpd/conf/ssl.crt/server.crt
Then, start your secure server with the command:
/sbin/service httpd start
You are prompted to enter your passphrase. After you type it in and press Enter, the server starts.
5. Types of Certificates
If you installed your secure server from the RPM package provided by Red Hat, a random key and a test certificate are generated and put into the appropriate directories. Before you begin using your secure server, however, you must generate your own key and obtain a certificate which correctly identifies your server.
You need a key and a certificate to operate your secure server - which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two?
A CA-signed certificate provides two important capabilities for your server:
• Browsers (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.
• When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is providing the webpages to the browser.
If your secure server is being accessed by the public at large, your secure server needs a certificate signed by a CA so that people who visit your website know that the website is owned by the organization who claims to own it. Before signing a certificate, a CA verifies that the organization requesting the certificate was actually who they claimed to be.
Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection.
You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognized by most Web browsers and does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. If your secure server is to be used in a production environment, a CA-signed certificate is recommended.
The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
1. Create an encryption private and public key pair.
2. Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.
3. Send the certificate request, along with documents proving your identity, to a CA. Red Hat does not make recommendations on which certificate authority to choose. Your decision may be based on your past experiences, on the experiences of your friends or colleagues, or purely on monetary factors.
Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
4. When the CA is satisfied that you are indeed who you claim to be, they provide you with a digital certificate.
5. Install this certificate on your secure server and begin handling secure transactions.
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. Refer to Section 6, "Generating a Key" for instructions.
6. Generating a Key
You must be root to generate a key.
First, use the cd command to change to the /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt
Next, create your own random key. Change to the /usr/share/ssl/certs/ directory and type in the following command:
make genkey
Your system displays a message similar to the following:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
You now must enter a passphrase. For security reasons, it should contain at least eight characters, include numbers and/or punctuation, and it should not be a word in a dictionary. Also, remember that your passphrase is case sensitive.
Note
You are required to remember and enter this passphrase every time you start your secure server. If you forget this passphrase, the key must be completely re-generated.
Re-type the passphrase to verify that it is correct. Once you have typed it in correctly, /etc/httpd/conf/ssl.key/server.key, the file containing your key, is created.
Note that if you do not want to type in a passphrase every time you start your secure server, you must use the following two commands instead of make genkey to create the key.
Use the following command to create your key:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Then, use the following command to make sure the permissions are set correctly for the file:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
After you use the above commands to create your key, you do not need to use a passphrase to start your secure server.
Caution
Disabling the passphrase feature for your secure server is a security risk. It is not recommended that you disable the passphrase feature for the secure server.
Problems associated with not using a passphrase are directly related to the security maintained on the host machine. For example, if an unscrupulous individual compromises the regular UNIX security on the host machine, that person could obtain your private key (the contents of your server.key file). The key could be used to serve webpages that appear to be from your secure server.
If UNIX security practices are rigorously maintained on the host computer (all operating system patches and updates are installed as soon as they are available, no unnecessary or risky services are operating, and so on), the secure server's passphrase may seem unnecessary. However, since your secure server should not need to be re-booted very often, the extra security provided by entering a passphrase is a worthwhile effort in most cases.
The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate no longer works and the CA is not able to help you. Your only option is to request (and pay for) a new certificate.
If you are going to purchase a certificate from a CA, continue to Section 7, "Generating a Certificate Request to Send to a CA". If you are generating your own self-signed certificate, continue to Section 8, "Creating a Self-Signed Certificate".
7. Generating a Certificate Request to Send to a CA
Once you have created a key, the next step is to generate a certificate request which you need to send to the CA of your choice. Make sure you are in the /usr/share/ssl/certs/ directory, and type the following command:
make certreq
Your system displays the following output and asks you for your passphrase (unless you disabled the passphrase option):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
-out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
Type in the passphrase that you chose when you were generating your key (unless you generated the key without a passphrase). Next, your system displays some instructions and then asks for a series of responses from you. Your inputs are incorporated into the certificate request. The display, with example responses, looks similar to the following:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:Test Company
Organizational Unit Name (eg, section) []:Testing
Common Name (your name or server's hostname) []:test.example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The default answers appear in brackets ([]) immediately after each request for input. For example, the first information required is the name of the country where the certificate is to be used, shown like the following:
Country Name (2 letter code) [GB]:
The default input, in brackets, is GB. Accept the default by pressing Enter or fill in your country's two letter code.
You have to type in the rest of the values. All of these should be self-explanatory, but you must follow these guidelines:
• Do not abbreviate the locality or state. Write them out (for example, St. Louis should be written out as Saint Louis).
• If you are sending this CSR to a CA, be very careful to provide correct information for all of the fields, but especially for the Organization Name and the Common Name. CAs check the information provided in the CSR to determine whether your organization is responsible for what you provided as the Common Name. CAs reject CSRs which include information they perceive as invalid.
• For Common Name, make sure you type in the real name of your secure server (a valid DNS name) and not any aliases which the server may have.
• The Email Address should be the email address for the webmaster or system administrator.
• Avoid special characters such as @, #, &, and !. Some CAs reject a certificate request which contains a special character. If your company name includes an ampersand (&), spell it out as "and" instead of "&."
• Do not use either of the extra attributes (A challenge password and An optional company name). To continue without entering these fields, just press Enter to accept the blank default for both inputs.
The file /etc/httpd/conf/ssl.csr/server.csr is created when you have finished entering your information. This file is your certificate request, ready to send to your CA.
After you have decided on a CA, follow the instructions they provide on their website. Their instructions tell you how to send your certificate request, any other documentation that they require, and your payment to them.
After you have fulfilled the CA's requirements, they send a certificate to you (usually by email). Save (or cut and paste) the certificate that they send you as /etc/httpd/conf/ssl.crt/server.crt. Be sure to keep a backup of this file.
8. Creating a Self-Signed Certificate
You can create your own self-signed certificate. Note that a self-signed certificate does not provide the security guarantees of a CA-signed certificate. Refer to Section 5, "Types of Certificates" for more details about certificates.
To make your own self-signed certificate, first create a random key using the instructions provided in Section 6, "Generating a Key". Once you have a key, make sure you are in the /usr/share/ssl/certs/ directory, and type the following command:
make testcert
The following output is shown and you are prompted for your passphrase (unless you generated a key without a passphrase):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
Next, you are asked for more information. The computer's output and a set of inputs looks like the following (provide the correct information for your organization and host):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Documentation
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com
After you provide the correct information, a self-signed certificate is created in /etc/httpd/conf/ssl.crt/server.crt. Restart the secure server after generating the certificate with the following command:
/sbin/service httpd restart
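The key, certificate request and self-signed certificate steps of Sections 6, 7 and 8 collected into one script, as an added example that is not part of the Red Hat guide. It runs the same openssl commands that the guide's make genkey, make certreq and make testcert targets run, but writes into a directory passed as an argument (so it can be tried by an unprivileged user rather than in /etc/httpd/conf), uses a 2048-bit key instead of the 1024-bit key shown above (1024-bit RSA is no longer accepted by CAs or browsers), and passes the Distinguished Name with -subj instead of answering the prompts. The subject fields are the guide's example responses; the function names and the --demo switch are this example's own. After generating, it checks the three things worth confirming before restarting httpd: that the key file is unreadable by group and other (the point of the umask 77 and chmod go-rwx steps), that the certificate's RSA modulus matches the key (mod_ssl refuses to start when the two do not match, which is what happens when a certificate is replaced but the key is not), and that the CSR's own signature verifies.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): generate a key, a CSR and a
# self-signed certificate with the openssl commands behind the guide's
# "make genkey" / "make certreq" / "make testcert", then verify the result.
# DIR is any writable directory; on a real server the files would go to the
# guide's /etc/httpd/conf/ssl.key, ssl.csr and ssl.crt directories.

# Subject fields mirror the example responses shown in the guide (constructed).
SUBJECT="/C=US/ST=North Carolina/L=Raleigh/O=Test Company/OU=Testing/CN=test.example.com/emailAddress=admin@example.com"

# make_server_pki DIR: creates DIR/server.key, DIR/server.csr, DIR/server.crt.
make_server_pki() {
    dir=$1
    mkdir -p "$dir"
    (
        # umask 77 is what the guide's Makefile sets, so the key is born 0600
        # and the later "chmod go-rwx" step is already satisfied.
        umask 77
        # Passphrase-less key, the guide's alternative to "make genkey".
        # 2048 bits rather than the guide's 1024: 1024-bit RSA is rejected today.
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        # Certificate request to send to a CA ("make certreq").
        openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
            -subj "$SUBJECT"
        # Self-signed certificate valid for one year ("make testcert").
        openssl req -new -x509 -days 365 -key "$dir/server.key" \
            -out "$dir/server.crt" -subj "$SUBJECT"
    )
}

# key_is_private FILE: succeeds only if group and other have no permissions
# (characters 5-10 of the ls -l mode string are the group and other bits).
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# key_matches_cert KEY CRT: the RSA modulus must be identical in both files.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_is_valid CSR: checks the request's self-signature before sending it off.
csr_is_valid() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# cert_cn CRT: prints the Common Name from the certificate subject; the sed
# pattern copes with both the old "/CN=x" and the newer "CN = x," layouts.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Stand-alone usage: "sh thisscript.sh --demo" builds everything in a
# scratch directory and reports the checks.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_server_pki "$tmp"
    key_is_private "$tmp/server.key" && echo "key permissions ok"
    key_matches_cert "$tmp/server.key" "$tmp/server.crt" && echo "key matches certificate"
    csr_is_valid "$tmp/server.csr" && echo "CSR signature ok"
    echo "CN: $(cert_cn "$tmp/server.crt")"
    rm -rf "$tmp"
fi
```

The modulus comparison is the check to run whenever a certificate returned by a CA is saved as server.crt: if the CA signed a different request, or the key was regenerated after the CSR was sent, the moduli differ and httpd will not start, which is exactly the situation the guide's advice to back up server.key is meant to prevent.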
9. Testing The Certificate
To test the test certificate installed by default, either a CA-signed certificate, or a self-signed certificate, point your Web browser to the following home page (replacing server.example.com with your domain name):
https://server.example.com
Note
Note the s after http. The https: prefix is used for secure HTTP transactions.
If you are using a CA-signed certificate from a well-known CA, your browser probably automatically accepts the certificate (without prompting you for input) and creates the secure connection. Your browser does not automatically recognize a test or a self-signed certificate, because the certificate is not signed by a CA. If you are not using a certificate from a CA, follow the instructions provided by your browser to accept the certificate.
Once your browser accepts the certificate, your secure server displays a default home page.
10. Accessing The Server
To access your secure server, use a URL similar to the following:
https://server.example.com
Your non-secure server can be accessed using a URL similar to the following:
http://server.example.com
The standard port for secure Web communications is port 443. The standard port for non-secure Web communications is port 80. The secure server default configuration listens on both of the two standard ports. Therefore, you do not need to specify the port number in a URL (the port number is assumed).
However, if you configure your server to listen on a non-standard port (for example, anything other than 80 or 443), you must specify the port number in every URL which is intended to connect to the server on the non-standard port.
For example, you may have configured your server so that you have a virtual host running non-secured on port 12331. Any URLs intended to connect to that virtual host must specify the port number in the URL. The following URL example attempts to connect to a non-secure server listening on port 12331:
http://server.example.com:12331
11. Additional Resources
Refer to Section 7, "Additional Resources" for more information about the Apache HTTP Server.
11.1. Useful Websites
http://www.modssl.org/ - The mod_ssl website is the definitive source for information about mod_ssl. The website includes a wealth of documentation, including a User Manual at http://www.modssl.org/docs/.
11.2. Related Books
Apache: The Definitive Guide, 3rd edition, by Ben Laurie and Peter Laurie, O'Reilly & Associates, Inc.
Chapter 26. Authentication Configuration
When a user logs in to a Red Hat Enterprise Linux system, the username and password combination must be verified, or authenticated, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.
The Authentication Configuration Tool provides a graphical interface for configuring NIS, LDAP, and Hesiod to retrieve user information as well as for configuring LDAP, Kerberos, and SMB as authentication protocols.
Note
If you configured a medium or high security level during installation or with the Security Level Configuration Tool, network authentication methods, including NIS and LDAP, are not allowed through the firewall.
This chapter does not explain each of the different authentication types in detail. Instead, it explains how to use the Authentication Configuration Tool to configure them. For more information about the specific authentication types, refer to the Red Hat Enterprise Linux Reference Guide.
To start the graphical version of the Authentication Configuration Tool from the desktop, select the Main Menu Button (on the Panel) => System Settings => Authentication or type the command system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal). To start the text-based version, type the command authconfig as root at a shell prompt.
Important
After exiting the authentication program, the changes made take effect immediately.
1. User Information
The User Information tab has several options. To enable an option, click the empty checkbox beside it. To disable an option, click the checkbox beside it to clear the checkbox. Click OK to exit the program and apply the changes.
Figure 26.1. User Information
The following list explains what each option configures:
• Enable NIS Support - Select this option to configure the system as an NIS client which connects to an NIS server for user and password authentication. Click the Configure NIS button to specify the NIS domain and NIS server. If the NIS server is not specified, the daemon attempts to find it via broadcast.
The ypbind package must be installed for this option to work. If NIS support is enabled, the portmap and ypbind services are started and are also enabled to start at boot time.
• Enable LDAP Support - Select this option to configure the system to retrieve user information via LDAP. Click the Configure LDAP button to specify the LDAP Search Base DN and LDAP Server. If Use TLS to encrypt connections is selected, Transport Layer Security is used to encrypt passwords sent to the LDAP server.
The openldap-clients package must be installed for this option to work.
For more information about LDAP, refer to the Red Hat Enterprise Linux Reference Guide.
• Enable Hesiod Support - Select this option to configure the system to retrieve information from a remote Hesiod database, including user information.
The hesiod package must be installed.
• Winbind - Select this option to configure the system to connect to a Windows Active Directory or a Windows domain controller. User information can be accessed, and server authentication options can be configured.
• Cache User Information - Select this option to enable the name service cache daemon (nscd) and configure it to start at boot time.
The nscd package must be installed for this option to work.
2. Authentication
The Authentication tab allows for the configuration of network authentication methods. To enable an option, click the empty checkbox beside it. To disable an option, click the checkbox beside it to clear the checkbox.
Figure 26.2. Authentication
The following explains what each option configures:
• Enable Kerberos Support - Select this option to enable Kerberos authentication. Click the Configure Kerberos button to configure:
  • Realm - Configure the realm for the Kerberos server. The realm is the network that uses Kerberos, composed of one or more KDCs and a potentially large number of clients.
  • KDC - Define the Key Distribution Center (KDC), which is the server that issues Kerberos tickets.
  • Admin Servers - Specify the administration server(s) running kadmind.
The krb5-libs and krb5-workstation packages must be installed for this option to work. Refer to the Red Hat Enterprise Linux Reference Guide for more information on Kerberos.
• Enable LDAP Support - Select this option to have standard PAM-enabled applications use LDAP for authentication. Click the Configure LDAP button to specify the following:
  • Use TLS to encrypt connections - Use Transport Layer Security to encrypt passwords sent to the LDAP server.
  • LDAP Search Base DN - Retrieve user information by its Distinguished Name (DN).
  • LDAP Server - Specify the IP address of the LDAP server.
The openldap-clients package must be installed for this option to work. Refer to the Red Hat Enterprise Linux Reference Guide for more information about LDAP.
• Use Shadow Passwords - Select this option to store passwords in shadow password format in the /etc/shadow file instead of /etc/passwd. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system.
The shadow-utils package must be installed for this option to work. For more information about shadow passwords, refer to the Users and Groups chapter in the Red Hat Enterprise Linux Reference Guide.
• Enable SMB Support - This option configures PAM to use an SMB server to authenticate users. Click the Configure SMB button to specify:
  • Workgroup - Specify the SMB workgroup to use.
  • Domain Controllers - Specify the SMB domain controllers to use.
• Winbind - Select this option to configure the system to connect to a Windows Active Directory or a Windows domain controller. User information can be accessed, and server authentication options can be configured.
• Use MD5 Passwords - Select this option to enable MD5 passwords, which allows passwords to be up to 256 characters instead of eight characters or less. It is selected by default during installation and is highly recommended for increased security.
3. Command Line Version
The Authentication Configuration Tool can aso be run as a command ne too
wth no nterface. The command ne verson can be used n a confguraton scrpt or
a kckstart scrpt. The authentcaton optons are summarzed n Tabe 26.1,
"Command Lne Optons".
Tip
These optons can aso be found n the authconfg man page or by
typng authconfg --hep at a she prompt.
Option Description
--enabeshadow Enabe shadow passwords
--dsabeshadow Dsabe shadow passwords
--enabemd5 Enabe MD5 passwords
--dsabemd5 Dsabe MD5 passwords
--enabens Enabe NIS
--dsabens Dsabe NIS
--nsdoman=<doman> Specfy NIS doman
--nsserver=<server> Specfy NIS server
--enabedap Enabe LDAP for user
nformaton
Command Line Version
329
Option Description
--dsabedap Dsabe LDAP for user
nformaton
--enabedapts Enabe use of TLS wth LDAP
--dsabedapts Dsabe use of TLS wth LDAP
--enabedapauth Enabe LDAP for authentcaton
--dsabedapauth Dsabe LDAP for authentcaton
--dapserver=<server> Specfy LDAP server
--dapbasedn=<dn> Specfy LDAP base DN
--enabekrb5 Enabe Kerberos
--dsabekrb5 Dsabe Kerberos
--krb5kdc=<kdc> Specfy Kerberos KDC
--krb5adminserver=<server> Specify Kerberos administration server
--krb5realm=<realm> Specify Kerberos realm
--enablekrb5kdcdns Enable use of DNS to find Kerberos KDCs
--disablekrb5kdcdns Disable use of DNS to find Kerberos KDCs
--enablekrb5realmdns Enable use of DNS to find Kerberos realms
--disablekrb5realmdns Disable use of DNS to find Kerberos realms
--enablesmbauth Enable SMB
--disablesmbauth Disable SMB
--smbworkgroup=<workgroup> Specify SMB workgroup
--smbservers=<server> Specify SMB servers
--enablewinbind Enable winbind for user information by default
--disablewinbind Disable winbind for user information by default
--enablewinbindauth Enable winbindauth for authentication by default
--disablewinbindauth Disable winbindauth for authentication by default
--smbsecurity=<user|server|domain|ads> Security mode to use for Samba and winbind
--smbrealm=<STRING> Default realm for Samba and winbind when security=ads
--smbidmapuid=<lowest-highest> UID range winbind assigns to domain or ADS users
--smbidmapgid=<lowest-highest> GID range winbind assigns to domain or ADS users
--winbindseparator=<\> Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=</home/%D/%U> Directory that winbind users have as their home
--winbindtemplateprimarygroup=<nobody> Group that winbind users have as their primary group
--winbindtemplateshell=</bin/false> Shell that winbind users have as their default login shell
--enablewinbindusedefaultdomain Configures winbind to assume that users with no domain in their usernames are domain users
--disablewinbindusedefaultdomain Configures winbind to assume that users with no domain in their usernames are not domain users
--winbindjoin=<Administrator> Joins the winbind domain or ADS realm now as this administrator
--enablewins Enable WINS for hostname resolution
--disablewins Disable WINS for hostname resolution
--enablehesiod Enable Hesiod
--disablehesiod Disable Hesiod
--hesiodlhs=<lhs> Specify Hesiod LHS
--hesiodrhs=<rhs> Specify Hesiod RHS
--enablecache Enable nscd
--disablecache Disable nscd
--nostart Do not start or stop the portmap, ypbind, or nscd services even if they are configured
--kickstart Do not display the user interface
--probe Probe and display network defaults
Table 26.1. Command Line Options
Part V. System Configuration
Part of a system administrator's job is configuring the system for various tasks, types of users, and hardware configurations. This section explains how to configure a Red Hat Enterprise Linux system.
Chapter 27. Console Access
When normal (non-root) users log into a computer locally, they are given two types of special permissions:
1. They can run certain programs that they would not otherwise be able to run
2. They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.
In contrast, every user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff, and reboot.
1. Disabling Shutdown Via Ctrl-Alt-Del
By default, /etc/inittab specifies that your system is set to shutdown and reboot in response to a Ctrl-Alt-Del key combination used at the console. To completely disable this ability, comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may want to allow certain non-root users the right to shutdown or reboot the system from the console using Ctrl-Alt-Del. You can restrict this privilege to certain users, by taking the following steps:
1. Add the -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file.
2. Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using Ctrl-Alt-Del. The format of the shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, the users stephen, jack, and sophie are allowed to shutdown the system from the console using Ctrl-Alt-Del. When that key combination is used, the shutdown -a command in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.
For more information on shutdown.allow, refer to the shutdown man page.
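The decision that shutdown -a makes, modelled as an added Python example (Python is the language the guide itself uses later in this part; this is not code from the sysvinit shutdown program or from Red Hat). Both the shutdown.allow contents and the who(1)-style session list are constructed inline; the example assumes that only sessions on a virtual console (tty1, tty2, ...) count, as the text states, so an SSH or terminal-emulator session on pts/N never authorizes the shutdown even for a listed user:

```python
"""Model the check that shutdown -a performs when Ctrl-Alt-Del is pressed.

Added illustration, not code from the sysvinit shutdown program. It reads a
shutdown.allow-style list and a who(1)-style list of sessions (both constructed
below) and reports whether the shutdown would proceed and on whose behalf.
"""
import re

# A login counts only if it is on a virtual console (tty1, tty2, ...), as the text
# states; SSH and terminal-emulator sessions appear on pts/N and are ignored.
VIRTUAL_CONSOLE = re.compile(r'^tty[0-9]+$')


def parse_shutdown_allow(text):
    """Return the usernames in a shutdown.allow file (one per line; blanks and # comments skipped)."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            users.add(line.split()[0])
    return users


def parse_who(text):
    """Parse lines in the shape 'user tty date time ...' into (user, tty) pairs."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            sessions.append((parts[0], parts[1]))
    return sessions


def shutdown_authorized(allow_text, who_text):
    """Return the first console-logged-in user who is root or in shutdown.allow, else None."""
    allowed = parse_shutdown_allow(allow_text) | {'root'}   # root may always shut down
    for user, tty in parse_who(who_text):
        if VIRTUAL_CONSOLE.match(tty) and user in allowed:
            return user
    return None


# Constructed sample data (not from any real system).
SHUTDOWN_ALLOW = "stephen\njack\nsophie\n"
WHO_CONSOLE = ("jack     tty2         2007-03-01 09:12\n"
               "mary     pts/0        2007-03-01 09:15 (10.0.0.5)\n")
WHO_REMOTE_ONLY = ("stephen  pts/1        2007-03-01 09:20 (10.0.0.7)\n"
                   "mary     tty1         2007-03-01 09:21\n")

if __name__ == '__main__':
    print(shutdown_authorized(SHUTDOWN_ALLOW, WHO_CONSOLE))      # jack
    print(shutdown_authorized(SHUTDOWN_ALLOW, WHO_REMOTE_ONLY))  # None
```

The second sample shows the case administrators most often get wrong: stephen is in the allow file but is only logged in remotely, and mary is on a console but not listed, so the key combination produces the error message rather than a reboot.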
2. Disabling Console Program Access
To disable access by users to console programs, run the following command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and boot loader passwords are set, Ctrl-Alt-Delete is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
3. Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
4. Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
<scanner>=/dev/scanner /dev/usb/scanner*
(Of course, make sure that /dev/scanner is really your scanner and not, say, your hard drive.)
That is the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root
<console> 0600 <cdrom> 0600 root.disk
and add a line like:
<console> 0600 <scanner> 0600 root
Then, when you log in at the console, you are given ownership of the /dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root and still has the permissions 0600 (now readable and writable by root only).
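The two halves of console.perms described in Sections 3 and 4 (class definitions and the rules that apply them) can be checked before editing the real file. The following Python example is added here and is not pam_console's own code; it parses a constructed file modelled on the lines quoted above and answers who would own a device, and with what mode, while a user is logged in on a given terminal and after logout. It assumes console patterns are matched as anchored regular expressions and device patterns as shell globs (the reading under which the quoted default matches tty1 and :0.0); confirm that against the pam_console documentation before relying on it for your own classes.

```python
"""Evaluate /etc/security/console.perms-style rules for a given login terminal.

Added illustration, not the pam_console code itself. It parses the two line
forms discussed in the text:
    <class>=pattern pattern ...            device or console class
    <console> mode <class> mode owner      what happens at login / logout
Assumption of this example: console patterns are anchored regular
expressions and device patterns are shell globs.
"""
import fnmatch
import re

# Constructed sample modelled on the default file quoted in the text (not a copy of a real system file).
SAMPLE_CONSOLE_PERMS = r"""
# console classes
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
# device classes (a trailing backslash continues the line, as in the real file)
<floppy>=/dev/fd[0-1]* \
    /dev/floppy/* /mnt/floppy*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<scanner>=/dev/scanner /dev/usb/scanner*
# permission rules: <console-class> login-mode <device-class> logout-mode logout-owner
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <cdrom> 0600 root.disk
<console> 0600 <scanner> 0600 root
"""


def _logical_lines(text):
    """Join backslash-continued lines and drop blanks and # comments."""
    joined, pending = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            pending += line[:-1] + ' '
            continue
        line, pending = pending + line, ''
        if line and not line.startswith('#'):
            joined.append(line)
    return joined


def parse_console_perms(text):
    """Return (classes, rules): classes maps a name to its pattern list, rules is a list of 5-tuples."""
    classes, rules = {}, []
    for line in _logical_lines(text):
        m = re.match(r'^<(\w+)>=(.*)$', line)
        if m:
            classes[m.group(1)] = m.group(2).split()
            continue
        parts = line.split()
        if len(parts) == 5 and parts[0].startswith('<') and parts[2].startswith('<'):
            rules.append((parts[0].strip('<>'), parts[1], parts[2].strip('<>'), parts[3], parts[4]))
    return classes, rules


def is_console(classes, name, terminal):
    """Console-class membership: each pattern is an anchored regular expression (assumption, see above)."""
    return any(re.fullmatch(p, terminal) for p in classes.get(name, ()))


def is_device(classes, name, device):
    """Device-class membership: each pattern is a shell glob."""
    return any(fnmatch.fnmatchcase(device, p) for p in classes.get(name, ()))


def device_permission(classes, rules, terminal, user, device, logged_in=True):
    """(owner, mode) that `device` carries while `user` is on `terminal`, or after logout.

    None means no rule covers the device for that terminal: the console session grants
    nothing and the device keeps its ordinary ownership.
    """
    for console_cls, login_mode, dev_cls, logout_mode, logout_owner in rules:
        if is_console(classes, console_cls, terminal) and is_device(classes, dev_cls, device):
            return (user, login_mode) if logged_in else (logout_owner, logout_mode)
    return None


if __name__ == '__main__':
    classes, rules = parse_console_perms(SAMPLE_CONSOLE_PERMS)
    print(device_permission(classes, rules, 'tty1', 'fred', '/dev/scanner'))          # ('fred', '0600')
    print(device_permission(classes, rules, 'tty1', 'fred', '/dev/scanner', False))   # ('root', '0600')
    print(device_permission(classes, rules, '/dev/ttyS1', 'fred', '/dev/scanner'))    # None
```

The last call reproduces the point of Section 3: until /dev/ttyS1 is added to the <console> class, a login on the serial port is not a console login and receives no device ownership at all. Running a candidate class line against the device names you actually have (the warning about /dev/scanner really being your scanner) is the cheap check before the change goes live.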
5. Enabling Console Access for Other Applications
To make other applications accessible to console users, a bit more work is required. First of all, console access only works for applications which reside in /sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, do the following steps:
1. Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2. Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when /usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.
In the PAM configuration file, an application can be configured to use the pam_timestamp module to remember (or cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use pam_timestamp and run from the same session is automatically authenticated for the user - the user does not have to enter the root password again.
This module is included in the pam package. To enable this feature, the PAM configuration file in /etc/pam.d/ must include the following lines:
auth sufficient /lib/security/pam_timestamp.so
session optional /lib/security/pam_timestamp.so
The first line that begins with auth should be after any other auth sufficient lines, and the line that begins with session should be after any other session optional lines.
If an application configured to use pam_timestamp is successfully authenticated from the Main Menu Button (on the Panel), the icon is displayed in the notification area of the panel if you are running the GNOME or KDE desktop environment. After the authentication expires (the default is five minutes), the icon disappears.
The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.
6. The floppy Group
If, for whatever reason, console access is not appropriate for you and your non-root users require access to your system's diskette drive, this can be done using the floppy group. Add the user(s) to the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:
gpasswd -a fred floppy
Now, user fred is able to access the system's diskette drive from the console.
Chapter 28. Date and Time Configuration
The Time and Date Properties Tool allows the user to change the system date and time, to configure the time zone used by the system, and to set up the Network Time Protocol (NTP) daemon to synchronize the system clock with a time server.
You must be running the X Window System and have root privileges to use the tool. There are three ways to start the application:
From the desktop, go to Applications (the main menu on the panel) => System Settings => Date & Time
From the desktop, right-click on the time in the toolbar and select Adjust Date and Time.
Type the command system-config-date, system-config-time, or dateconfig at a shell prompt (for example, in an XTerm or a GNOME terminal).
1. Time and Date Properties
As shown in Figure 28.1, "Time and Date Properties", the first tabbed window that appears is for configuring the system date and time.
Figure 28.1. Time and Date Properties
To change the date, use the arrows to the left and right of the month to change the month, use the arrows to the left and right of the year to change the year, and click on the day of the week to change the day of the week.
To change the time, use the up and down arrow buttons beside the Hour, Minute, and Second in the Time section.
Clicking the OK button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program.
2. Network Time Protocol (NTP) Properties
As shown in Figure 28.2, "NTP Properties", the second tabbed window that appears is for configuring NTP.
Figure 28.2. NTP Properties
The Network Time Protocol (NTP) daemon synchronizes the system clock with a remote time server or time source. The application allows you to configure an NTP daemon to synchronize your system clock with a remote server. To enable this feature, select Enable Network Time Protocol. This enables the NTP Servers list and other options. You can choose one of the predefined servers, edit a predefined server by clicking Edit, or add a new server name by clicking Add. Your system does not start synchronizing with the NTP server until you click OK. After clicking OK, the configuration is saved and the NTP daemon is started (or restarted if it is already running).
Clicking the OK button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program.
3. Time Zone Configuration
As shown in Figure 28.3, "Timezone Properties", the third tabbed window that appears is for configuring the system time zone.
To configure the system time zone, click the Time Zone tab. The time zone can be changed by either using the interactive map or by choosing the desired time zone from the list below the map. To use the map, click on the desired region. The map zooms into the region selected, after which you may choose the city specific to your time zone. A red X appears and the time zone selection changes in the list below the map.
Alternatively, you can also use the list below the map. In the same way that the map lets you choose a region before choosing a city, the list of time zones is now a treelist, with cities and countries grouped within their specific continents. Non-geographic time zones have also been added to address needs in the scientific community.
Click OK to apply the changes and exit the program.
Figure 28.3. Timezone Properties
If your system clock is set to use UTC, select the System clock uses UTC option. UTC stands for the Universal Time, Coordinated, also known as Greenwich Mean Time (GMT). Other time zones are determined by adding or subtracting from the UTC time.
Chapter 29. Keyboard Configuration
The installation program allows users to configure a keyboard layout for their systems. To configure a different keyboard layout after installation, use the Keyboard Configuration Tool.
To start the Keyboard Configuration Tool, select Applications (the main menu on the panel) => System Settings => Keyboard, or type the command system-config-keyboard at a shell prompt.
Figure 29.1. Keyboard Configuration
Select a keyboard layout from the list (for example, U.S. English) and click OK. For changes to take effect, you should log out of your graphical desktop session and log back in.
Chapter 30. Mouse Configuration
The installation program allows users to select the type of mouse connected to the system. To configure a different mouse type for the system, use the Mouse Configuration Tool.
To start the Mouse Configuration Tool, type the command system-config-mouse at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, the text-based version of the tool is started.
Figure 30.1. Mouse Configuration
Select the new mouse type for the system. If the specific mouse model is not listed, select one of the Generic entries, based on the mouse's number of buttons and its interface. If there is not an exact match, select the generic match that is most compatible with the system and the mouse.
Tip
Select the Generic - Wheel Mouse entry, with the proper mouse port, to enable the scroll button on the mouse.
The scroll button on a wheel mouse can be used as the middle mouse button for cutting text, pasting text, and other middle mouse button functions. If the mouse only has two buttons, select Emulate 3 buttons to use a two-button mouse as a three-button mouse. When this option is enabled, clicking the two mouse buttons simultaneously emulates a middle mouse button click.
If a serial port mouse is selected, click the Serial devices button to configure the correct serial device number, such as /dev/ttyS0 for the mouse.
Click OK to save the new mouse type. The selection is written to the file /etc/sysconfig/mouse, and the console mouse service, gpm, is restarted. The changes are also written to the X Window System configuration file /etc/X11/xorg.conf; however, the mouse type change is not automatically applied to the current X session. To enable the new mouse type, log out of the graphical desktop and log back in.
Tip
To reset the order of the mouse buttons for a left-handed user, go to Applications (the main menu on the panel) => Preferences => Mouse, and select Left-handed mouse for the mouse orientation.
Chapter 31. X Window System Configuration
During installation, the system's monitor, video card, and display settings are configured. To change any of these settings after installation, use the X Configuration Tool.
To start the X Configuration Tool, go to System (on the panel) => Administration => Display, or type the command system-config-display at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, a small version of X is started to run the program.
After changing any of the settings, log out of the graphical desktop and log back in to enable the changes.
1. Display Settings
The Settings tab allows users to change the resolution and color depth. The display of a monitor consists of tiny dots called pixels. The number of pixels displayed at one time is called the resolution. For example, the resolution 1024x768 means that 1024 horizontal pixels and 768 vertical pixels are used. The higher the resolution values, the more images the monitor can display at one time.
The color depth of the display determines how many possible colors are displayed. A higher color depth means more contrast between colors.
Figure 31.1. Display Settings
2. Display Hardware Settings
When the X Configuration Tool is started, it probes the monitor and video card. If the hardware is probed properly, the information for it is shown on the Hardware tab as shown in Figure 31.2, "Display Hardware Settings".
Figure 31.2. Display Hardware Settings
To change the monitor type or any of its settings, click the corresponding Configure button. To change the video card type or any of its settings, click the Configure button beside its settings.
3. Dual Head Display Settings
If multiple video cards are installed on the system, dual head monitor support is available and is configured via the Dual head tab, as shown in Figure 31.3, "Dual Head Display Settings".
Figure 31.3. Dual Head Display Settings
To enable use of Dual head, check the Use dual head checkbox.
To configure the second monitor type, click the corresponding Configure button. You can also configure the other Dual head settings by using the corresponding drop-down list.
For the Desktop layout option, selecting Spanning Desktops allows both monitors to use an enlarged usable workspace. Selecting Individual Desktops shares the mouse and keyboard among the displays, but restricts windows to a single display.
Chapter 32. Users and Groups
The control of users and groups is a core element of Red Hat Enterprise Linux system administration.
Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use.
Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.
Each user and group has a unique numerical identification number called a userid (UID) and a groupid (GID), respectively.
A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and file owner.
Red Hat Enterprise Linux also supports access control lists (ACLs) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about ACLs, refer to Chapter 14, Access Control Lists.
1. User and Group Configuration
The User Manager allows you to view, modify, add, and delete local users and groups.
To use the User Manager, you must be running the X Window System, have root privileges, and have the system-config-users RPM package installed. To start the User Manager from the desktop, go to System (on the panel) => Administration => Users & Groups. You can also type the command system-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 32.1. User Manager
To view a list of local users on the system, click the Users tab. To view a list of local groups on the system, click the Groups tab.
To find a specific user or group, type the first few letters of the name in the Search filter field. Press Enter or click the Apply filter button. The filtered list is displayed.
To sort the users or groups, click on the column name. The users or groups are sorted according to the value of that column.
Red Hat Enterprise Linux reserves user IDs below 500 for system users. By default, User Manager does not display system users. To view all users, including the system users, go to Edit => Preferences and uncheck Hide system users and groups from the dialog box.
1.1. Adding a New User
To add a new user, click the Add User button. A window as shown in Figure 32.2, "New User" appears. Type the username and full name for the new user in the appropriate fields. Type the user's password in the Password and Confirm Password fields. The password must be at least six characters.
Tip
It is advisable to use a much longer password, as this makes it more difficult for an intruder to guess it and access the account without permission. It is also recommended that the password not be based on a dictionary term; use a combination of letters, numbers and special characters.
Select a login shell. If you are not sure which shell to select, accept the default value of /bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory.
If you select to create the home directory, default configuration files are copied from the /etc/skel/ directory into the new home directory.
Red Hat Enterprise Linux uses a user private group (UPG) scheme. The UPG scheme does not add or change anything in the standard UNIX way of handling groups; it offers a new convention. Whenever you create a new user, by default, a unique group with the same name as the user is created. If you do not want to create this group, unselect Create a private group for the user.
To specify a user ID for the user, select Specify user ID manually. If the option is not selected, the next available user ID above 500 is assigned to the new user. Because Red Hat Enterprise Linux reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1-499.
Click OK to create the user.
Figure 32.2. New User
To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user. Refer to Section 1.2, "Modifying User Properties" for more information.
1.2. Modifying User Properties
To view the properties of an existing user, click on the Users tab, select the user from the user list, and click Properties from the menu (or choose File => Properties from the pulldown menu). A window similar to Figure 32.3, "User Properties" appears.
Figure 32.3. User Properties
The User Properties window is divided into multiple tabbed pages:
User Data - Shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell.
Account Info - Select Enable account expiration if you want the account to expire on a certain date. Enter the date in the provided fields. Select Local password is locked to lock the user account and prevent the user from logging into the system.
Password Info - Displays the date that the user's password last changed. To force the user to change passwords after a certain number of days, select Enable password expiration and enter a desired value in the Days before change required: field. The number of days before the user's password expires, the number of days before the user is warned to change passwords, and days before the account becomes inactive can also be changed.
Groups - Allows you to view and configure the Primary Group of the user, as well as other groups that you want the user to be a member of.
1.3. Adding a New Group
To add a new user group, click the Add Group button. A window similar to Figure 32.4, "New Group" appears. Type the name of the new group to create. To specify a group ID for the new group, select Specify group ID manually and select the GID. Note that Red Hat Enterprise Linux also reserves group IDs lower than 500 for system groups.
Figure 32.4. New Group
Click OK to create the group. The new group appears in the group list.
1.4. Modifying Group Properties
To view the properties of an existing group, select the group from the group list and click Properties from the menu (or choose File => Properties from the pulldown menu). A window similar to Figure 32.5, "Group Properties" appears.
Figure 32.5. Group Properties
The Group Users tab displays which users are members of the group. Use this tab to add or remove users from the group. Click OK to save your changes.
2. User and Group Management Tools
Managing users and groups can be a tedious task; this is why Red Hat Enterprise Linux provides tools and conventions to make them easier to manage.
The easiest way to manage users and groups is through the graphical application, User Manager (system-config-users). For more information on User Manager, refer to Section 1, "User and Group Configuration".
The following command line tools can also be used to manage users and groups:
useradd, usermod, and userdel - Industry-standard methods of adding, deleting and modifying user accounts
groupadd, groupmod, and groupdel - Industry-standard methods of adding, deleting, and modifying user groups
gpasswd - Industry-standard method of administering the /etc/group file
pwck, grpck - Tools used for the verification of the password, group, and associated shadow files
pwconv, pwunconv - Tools used for the conversion of passwords to shadow passwords and back to standard passwords
2.1. Command Line Configuration
If you prefer command line tools or do not have the X Window System installed, use this section to configure users and groups.
2.2. Adding a User
To add a user to the system:
1. Issue the useradd command to create a locked user account:
useradd <username>
2. Unlock the account by issuing the passwd command to assign a password and set password aging guidelines:
passwd <username>
Command line options for useradd are detailed in Table 32.1, "useradd Command Line Options".
Option Description
-c '<comment>' <comment> can be replaced with any string. This option is generally used to specify the full name of a user.
-d<home-dir> Home directory to be used instead of default /home/<username>/
-e<date> Date for the account to be disabled in the format YYYY-MM-DD
-f<days> Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.
-g<group-name> Group name or group number for the user's default group. The group must exist prior to being specified here.
-G<group-list> List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
-m Create the home directory if it does not exist.
-M Do not create the home directory.
-n Do not create a user private group for the user.
-r Create a system account with a UID less than 500 and without a home directory
-p<password> The password encrypted with crypt
-s User's login shell, which defaults to /bin/bash
-u<uid> User ID for the user, which must be unique and greater than 499
Table 32.1. useradd Command Line Options
2.3. Adding a Group
To add a group to the system, use the command groupadd:
groupadd <group-name>
Command line options for groupadd are detailed in Table 32.2, "groupadd Command Line Options".
Option Description
-g<gid> Group ID for the group, which must be unique and greater than 499
-r Create a system group with a GID less than 500
-f When used with -g<gid> and <gid> already exists, groupadd will choose another unique <gid> for the group.
Table 32.2. groupadd Command Line Options
2.4. Password Aging
For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager.
To configure password expiration for a user from a shell prompt, use the chage command, followed by an option from Table 32.3, "chage Command Line Options", followed by the username of the user.
Important
Shadow passwords must be enabled to use the chage command.
Option Description
-m<days> Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.
-M<days> Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-d<days> Specifies the number of days since January 1, 1970 the password was changed
-I<days> Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
-E<date> Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-W<days> Specifies the number of days before the password expiration date to warn the user.
Table 32.3. chage Command Line Options
Tip
If the chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed.
You can configure a password to expire the first time a user logs in. This forces users to change passwords the first time they log in.
Note
This process will not work if the user logs in using the SSH protocol.
1. Lock the user password - If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked.
If the password is already enabled, lock it with the command:
usermod -L username
2. Force immediate password expiration - Type the following command:
chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
3. Unlock the account - There are two common approaches to this step. The administrator can assign an initial password or assign a null password.
Warning
Do not use the passwd command to set the password as it disables the immediate password expiration just configured.
To assign an initial password, use the following steps:
Start the command line Python interpreter with the python command. It displays the following:
Python 2.4.3 (#1, Jul 21 2006, 08:46:09)
[GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
At the prompt, type the following commands. Replace <password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
import crypt; print crypt.crypt("<password>","<salt>")
The output is the encrypted password, similar to '12CsGd8FRcMSM'.
Press Ctrl-D to exit the Python interpreter.
At the shell, enter the following command (replacing <encrypted-password> with the encrypted output of the Python interpreter):
usermod -p "<encrypted-password>" <username>
Alternatively, you can assign a null password instead of an initial password. To do this, use the following command:
usermod -p "" username
Caution
Using a null password, while convenient, is a highly insecure practice, as any third party can log in first and access the system using the insecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.
In either case, upon initial log in, the user is prompted for a new password.
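The interaction between the chage options in Table 32.3 and the "expire on first login" procedure is easier to see when the /etc/shadow fields are evaluated directly. The following Python example is added here and is not code from chage or the shadow-utils project; it classifies constructed shadow lines for a given day number using the rules the table states (the -M plus -d comparison, the -I grace period, the -E lock date, the -W window, and lastchg 0 forcing a change regardless of policy). Two points are assumptions of the example rather than statements of the page: an empty or negative maximum age is treated as "never expires", and a hash field beginning with ! is treated as locked (useradd writes !!, usermod -L adds a leading !).

```python
"""Evaluate the password-aging fields that chage sets (columns 3-8 of /etc/shadow).

Added illustration; this is not code from chage or the shadow-utils project. It
follows the semantics given in Table 32.3 and in the "expire on first login"
procedure. Assumptions of this example: an empty or negative maximum age means
the password never expires, and a hash field starting with '!' means the
account is locked.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(when):
    """Convert a date or 'YYYY-MM-DD' string (the forms chage -E accepts) to days since 1970-01-01."""
    if isinstance(when, str):
        when = date.fromisoformat(when)
    return (when - EPOCH).days


def parse_shadow_aging(shadow_line):
    """Split one /etc/shadow line into a dict; empty numeric fields become None."""
    fields = shadow_line.rstrip('\n').split(':')
    if len(fields) < 8:
        raise ValueError('not a complete shadow entry: %r' % shadow_line)

    def num(s):
        return int(s) if s.strip() else None

    return {
        'user': fields[0],
        'hash': fields[1],
        'lastchg': num(fields[2]),   # chage -d: day of last change (0 = forced change)
        'min': num(fields[3]),       # chage -m
        'max': num(fields[4]),       # chage -M
        'warn': num(fields[5]),      # chage -W
        'inactive': num(fields[6]),  # chage -I
        'expire': num(fields[7]),    # chage -E, stored as days since the epoch
    }


def is_locked(aging):
    """True when the account cannot be used because its hash field is locked (assumption: leading '!')."""
    return aging['hash'].startswith('!')


def earliest_change(aging):
    """Day number from which the user may change the password again (chage -m)."""
    return (aging['lastchg'] or 0) + (aging['min'] or 0)


def password_status(aging, today):
    """Classify the account for a day number, in roughly the order a login check applies the rules."""
    expire = aging['expire']
    if expire is not None and expire >= 0 and today >= expire:
        return 'account-expired'      # chage -E date reached: whole account locked
    lastchg = aging['lastchg']
    if lastchg is None:
        return 'never-expires'        # no change date recorded, aging disabled
    if lastchg == 0:
        return 'must-change'          # chage -d 0: change forced regardless of policy
    max_age = aging['max']
    if max_age is None or max_age < 0:
        return 'never-expires'        # assumption: empty / -1 max means no expiry
    expired_on = lastchg + max_age
    if expired_on < today:            # "-d plus -M is less than the current day"
        inactive = aging['inactive'] or 0
        if inactive > 0 and today > expired_on + inactive:
            return 'locked-inactive'  # grace period after expiry (chage -I) is over
        return 'must-change'
    warn = aging['warn'] or 0
    if warn > 0 and today >= expired_on - warn:
        return 'warn'                 # inside the warning window (chage -W)
    return 'ok'


# Constructed sample lines (not taken from any real system); hashes are placeholders.
SAMPLE_SHADOW = [
    "juan:!!:13500:0:99999:7:::",                # fresh useradd: locked, password never expires
    "fred:$1$salt$hash:13500:0:90:7:14::",       # 90-day maximum, 7-day warning, 14-day grace
    "ana:$1$salt$hash:0:0:99999:7:::",           # after chage -d 0: must change on first login
    "old:$1$salt$hash:13500:0:99999:7:0:13600",  # whole account expires on day 13600
]

if __name__ == '__main__':
    today = days_since_epoch('2007-03-22')
    for line in SAMPLE_SHADOW:
        aging = parse_shadow_aging(line)
        print(aging['user'], 'locked' if is_locked(aging) else 'unlocked', password_status(aging, today))
```

Feeding a system's real /etc/shadow lines through password_status with today's day number gives a quick inventory of accounts whose passwords have lapsed, are inside the warning window, or were locked by the inactivity rule, which is the check an administrator wants after turning aging on for existing users.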
2.5. Explaining the Process
The foowng steps ustrate what happens f the command useradd |uan s ssued on
a system that has shadow passwords enabed:
1. A new ne for |uan s created n /etc/passwd. The ne has the foowng
characterstcs:
It begns wth the username |uan.
There s an x for the password fed ndcatng that the system s usng shadow
passwords.
A UID greater than 499 s created. (Under Red Hat Enterprse Lnux, UIDs and
GIDs beow 500 are reserved for system use.)
A GID greater than 499 s created.
The optona GECOS nformaton s eft bank.
The home drectory for |uan s set to /home/|uan/.
The defaut she s set to /bn/bash.
2. A new ne for |uan s created n /etc/shadow. The ne has the foowng
characterstcs:
It begns wth the username |uan.
Two excamaton ponts (!!) appear n the password fed of the /etc/shadow fe,
whch ocks the account.
Explaining the Process
367
Note
If an encrypted password s passed usng the -p fag, t s paced n the
/etc/shadow fe on the new ne for the user.
The password s set to never expre.
3. A new ne for a group named |uan s created n /etc/group. A group wth the same
name as a user s caed a user prvate group. For more nformaton on user
prvate groups, refer to Secton 1.1, "Addng a New User".
The ne created n /etc/group has the foowng characterstcs:
It begns wth the group name |uan.
An x appears n the password fed ndcatng that the system s usng shadow
group passwords.
The GID matches the one sted for user |uan n /etc/passwd.
4. A new ne for a group named |uan s created n /etc/gshadow. The ne has the
foowng characterstcs:
It begns wth the group name |uan.
An excamaton pont (!) appears n the password fed of the /etc/gshadow fe,
whch ocks the group.
A other feds are bank.
5. A drectory for user |uan s created n the /home/ drectory. Ths drectory s owned
by user |uan and group |uan. However, t has read, wrte, and execute prveges
ony for the user |uan. A other permssons are dened.
6. The fes wthn the /etc/ske/ drectory (whch contan defaut user settngs) are
coped nto the new /home/|uan/ drectory.
At ths pont, a ocked account caed |uan exsts on the system. To actvate t, the
admnstrator must next assgn a password to the account usng the passwd
command and, optonay, set password agng gudenes.
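The state these six steps leave behind can be read straight from the passwd and shadow entries. The script below is an added example, not part of the guide: it classifies constructed sample lines for juan (UID 501 and the day count 13600 are assumed values) using the rules above, namely the x marker, the 500 boundary, the !! lock and the never-expire fields. The empty-password case is included because it is the one an audit most needs to catch.

```shell
#!/bin/sh
# Added example (not from the guide): classify /etc/passwd and /etc/shadow
# entries the way the useradd steps above describe them.
# Both lines below are constructed samples, not copied from a real system.
PASSWD_LINE='juan:x:501:501::/home/juan:/bin/bash'
SHADOW_LINE='juan:!!:13600:0:99999:7:::'

# field N LINE: print colon-separated field N of LINE.
field() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# passwd_kind LINE: "system" for a reserved UID (< 500), "user" otherwise.
passwd_kind() {
    uid=$(field 3 "$1")
    if [ "$uid" -lt 500 ]; then echo system; else echo user; fi
}

# uses_shadow LINE: succeed if the passwd password field is the shadow marker x.
uses_shadow() { [ "$(field 2 "$1")" = x ]; }

# shadow_state LINE: describe the password field of a shadow entry.
#   !! or !   -> locked, no usable password (what useradd writes)
#   !<hash>   -> locked, but a hash is retained (usermod -L / passwd -l)
#   *         -> no password login possible
#   empty     -> no password required at all; this needs attention
#   otherwise -> a hash is set
shadow_state() {
    pw=$(field 2 "$1")
    case "$pw" in
        '!!'|'!') echo locked ;;
        '!'*)     echo locked-with-hash ;;
        '*')      echo disabled ;;
        '')       echo empty ;;
        *)        echo set ;;
    esac
}

# never_expires LINE: succeed if the maximum-age field (5) is 99999 or blank
# and the account-expiry field (8) is blank, i.e. ageing is not enforced.
never_expires() {
    max=$(field 5 "$1"); exp=$(field 8 "$1")
    { [ -z "$max" ] || [ "$max" -ge 99999 ]; } && [ -z "$exp" ]
}
```

Run against a real system, the same functions can be applied line by line to /etc/passwd and (as root) /etc/shadow; an account that reports "empty" or "set" but is not expected to log in is the finding to follow up.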
3. Standard Users
Table 32.4, "Standard Users" lists the standard users configured in the /etc/passwd file by an Everything installation. The groupid (GID) in this table is the primary group for the user. See Section 4, "Standard Groups" for a listing of standard groups.
User        UID     GID     Home Directory          Shell
root        0       0       /root                   /bin/bash
bin         1       1       /bin                    /sbin/nologin
daemon      2       2       /sbin                   /sbin/nologin
adm         3       4       /var/adm                /sbin/nologin
lp          4       7       /var/spool/lpd          /sbin/nologin
sync        5       0       /sbin                   /bin/sync
shutdown    6       0       /sbin                   /sbin/shutdown
halt        7       0       /sbin                   /sbin/halt
mail        8       12      /var/spool/mail         /sbin/nologin
news        9       13      /etc/news
uucp        10      14      /var/spool/uucp         /sbin/nologin
operator    11      0       /root                   /sbin/nologin
games       12      100     /usr/games              /sbin/nologin
gopher      13      30      /var/gopher             /sbin/nologin
ftp         14      50      /var/ftp                /sbin/nologin
nobody      99      99      /                       /sbin/nologin
rpm         37      37      /var/lib/rpm            /sbin/nologin
vcsa        69      69      /dev                    /sbin/nologin
dbus        81      81      /                       /sbin/nologin
ntp         38      38      /etc/ntp                /sbin/nologin
canna       39      39      /var/lib/canna          /sbin/nologin
nscd        28      28      /                       /sbin/nologin
rpc         32      32      /                       /sbin/nologin
postfix     89      89      /var/spool/postfix      /sbin/nologin
mailman     41      41      /var/mailman            /sbin/nologin
named       25      25      /var/named              /bin/false
amanda      33      6       /var/lib/amanda/        /bin/bash
postgres    26      26      /var/lib/pgsql          /bin/bash
exim        93      93      /var/spool/exim         /sbin/nologin
sshd        74      74      /var/empty/sshd         /sbin/nologin
rpcuser     29      29      /var/lib/nfs            /sbin/nologin
nfsnobody   65534   65534   /var/lib/nfs            /sbin/nologin
pvm         24      24      /usr/share/pvm3         /bin/bash
apache      48      48      /var/www                /sbin/nologin
xfs         43      43      /etc/X11/fs             /sbin/nologin
gdm         42      42      /var/gdm                /sbin/nologin
htt         100     101     /usr/lib/im             /sbin/nologin
mysql       27      27      /var/lib/mysql          /bin/bash
webalizer   67      67      /var/www/usage          /sbin/nologin
mailnull    47      47      /var/spool/mqueue       /sbin/nologin
smmsp       51      51      /var/spool/mqueue       /sbin/nologin
squid       23      23      /var/spool/squid        /sbin/nologin
ldap        55      55      /var/lib/ldap           /bin/false
netdump     34      34      /var/crash              /bin/bash
pcap        77      77      /var/arpwatch           /sbin/nologin
radiusd     95      95      /                       /bin/false
radvd       75      75      /                       /sbin/nologin
quagga      92      92      /var/run/quagga         /sbin/login
wnn         49      49      /var/lib/wnn            /sbin/nologin
dovecot     97      97      /usr/libexec/dovecot    /sbin/nologin
Table 32.4. Standard Users
4. Standard Groups
Table 32.5, "Standard Groups" lists the standard groups configured by an Everything installation. Groups are stored in the /etc/group file.
Group       GID     Members
root        0       root
bin         1       root, bin, daemon
daemon      2       root, bin, daemon
sys         3       root, bin, adm
adm         4       root, adm, daemon
tty         5
disk        6       root
lp          7       daemon, lp
mem         8
kmem        9
wheel       10      root
mail        12      mail, postfix, exim
news        13      news
uucp        14      uucp
man         15
games       20
gopher      30
dip         40
ftp         50
lock        54
nobody      99
users       100
rpm         37
utmp        22
floppy      19
vcsa        69
dbus        81
ntp         38
canna       39
nscd        28
rpc         32
postdrop    90
postfix     89
mailman     41
exim        93
named       25
postgres    26
sshd        74
rpcuser     29
nfsnobody   65534
pvm         24
apache      48
xfs         43
gdm         42
htt         101
mysql       27
webalizer   67
mailnull    47
smmsp       51
squid       23
ldap        55
netdump     34
pcap        77
quaggavt    102
quagga      92
radvd       75
slocate     21
wnn         49
dovecot     97
radiusd     95
Table 32.5. Standard Groups
5. User Private Groups
Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage.
A UPG is created whenever a new user is added to the system. A UPG has the same name as the user for which it was created and that user is the only member of the UPG.
UPGs make it safe to set default permissions for a newly created file or directory, allowing both the user and the group of that user to make modifications to the file or directory.
The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.
5.1. Group Directories
Many IT organizations like to create a group for each major project and then assign people to the group if they need to access that project's files. Using this traditional scheme, managing files has been difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it is difficult to associate the right files with the right group. Using the UPG scheme, however, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory.
Let us say, for example, that a group of people need to work on files in the /usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an emacs group, as in the following command:
/usr/sbin/groupadd emacs
To associate the contents of the directory with the emacs group, type:
chown -R root.emacs /usr/share/emacs/site-lisp
Now, it is possible to add the proper users to the group with the gpasswd command:
/usr/bin/gpasswd -a <username> emacs
To allow users to create files within the directory, use the following command:
chmod 775 /usr/share/emacs/site-lisp
When a user creates a new file, it is assigned the group of the user's default private group. Next, set the setgid bit, which assigns everything created in the directory the same group permission as the directory itself (emacs). Use the following command:
chmod 2775 /usr/share/emacs/site-lisp
At this point, because the default umask of each user is 002, all members of the emacs group can create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files.
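The procedure above can be carried out and verified in one script. What follows is an added example, not the guide's own commands: it creates a project directory, hands it to a group, sets mode 2775, confirms that a file created inside inherits the directory's group, and lists entries whose group does not match. So that it runs without root, the directory and group names are assumed (a temporary directory and the caller's primary group instead of /usr/share/emacs/site-lisp and emacs), and chgrp stands in for the chown -R root.emacs step.

```shell
#!/bin/sh
# Added example (not from the guide): build and check a setgid group
# directory. DIR and GROUP are supplied by the caller; the test uses a
# temporary directory and the caller's own primary group.
set -eu

# setup_shared_dir DIR GROUP: create DIR, give it to GROUP and set 2775
# (rwxrwsr-x). Fails if the setgid bit did not take.
setup_shared_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"        # the text uses chown -R root.emacs here
    chmod 2775 "$dir"          # group write plus setgid on the directory
    [ -g "$dir" ] || return 1  # -g tests the setgid bit
}

# group_of PATH: print the name of the owning group.
group_of() { stat -c %G "$1"; }

# inherits_group DIR: create a file inside DIR and succeed only if the new
# file carries DIR's group rather than the creator's private group.
inherits_group() {
    probe=$(mktemp "$1/probe.XXXXXX")
    [ "$(group_of "$probe")" = "$(group_of "$1")" ]
}

# find_group_mismatch DIR: list entries under DIR whose group differs from
# DIR's. setgid only applies to files created in DIR; a file moved in with
# mv keeps its old group, which is exactly what this check surfaces.
find_group_mismatch() {
    want=$(group_of "$1")
    find "$1" -mindepth 1 ! -group "$want"
}
```

Because the kernel clears the setgid bit on a chmod issued by a user who is not a member of the directory's group, the [ -g ] check at the end of setup_shared_dir is worth keeping in any real deployment script rather than assuming the mode change worked.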
6. Shadow Passwords
In multiuser environments it is very important to use shadow passwords (provided by the shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
The following lists the advantages of shadow passwords over the traditional way of storing passwords on UNIX-based systems:
• Improves system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user.
• Stores information about password aging.
• Allows the use of the /etc/login.defs file to enforce security policies.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work.
The following is a list of commands which do not work without first enabling shadow passwords:
• chage
• gpasswd
• /usr/sbin/usermod -e or -f options
• /usr/sbin/useradd -e or -f options
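Two properties follow from the list above and are easy to verify: no entry in /etc/passwd should carry a hash (or an empty password field) once shadowing is on, and /etc/shadow must not be readable by group or others. The script below is an added example, not from the guide, that checks both against constructed file contents; the sample users (legacy, nopw) and paths are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the guide): two checks for a shadow-password setup.
# File contents used with these functions are constructed for the demo.

# unshadowed_entries PASSWD_FILE: print every user whose password field is
# not the shadow marker x. That is either a hash sitting in the
# world-readable file or an empty field, which means no password at all.
unshadowed_entries() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# shadow_perms_ok SHADOW_FILE: succeed only if group and others have no
# permission bits at all on the file (mode like 0400 or 0600). Ownership by
# root is the other half of the requirement and is not checked here.
shadow_perms_ok() {
    perm=$(stat -c %a "$1")
    # keep the last three octal digits (drop a leading setuid/setgid/sticky digit)
    perm=$(printf '%s' "$perm" | tail -c 3)
    case "$perm" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}
```

On a live system, running unshadowed_entries /etc/passwd should print nothing at all; pwconv is the tool that moves any stray hashes into /etc/shadow.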
7. Additional Resources
For more information about users and groups, and tools to manage them, refer to the following resources.
7.1. Installed Documentation
• Related man pages - There are a number of man pages for the various applications and configuration files involved with managing users and groups. Some of the more important man pages have been listed here:
User and Group Administrative Applications
• man chage - A command to modify password aging policies and account expiration.
• man gpasswd - A command to administer the /etc/group file.
• man groupadd - A command to add groups.
• man grpck - A command to verify the /etc/group file.
• man groupdel - A command to remove groups.
• man groupmod - A command to modify group membership.
• man pwck - A command to verify the /etc/passwd and /etc/shadow files.
• man pwconv - A tool to convert standard passwords to shadow passwords.
• man pwunconv - A tool to convert shadow passwords to standard passwords.
• man useradd - A command to add users.
• man userdel - A command to remove users.
• man usermod - A command to modify users.
Configuration Files
• man 5 group - The file containing group information for the system.
• man 5 passwd - The file containing user information for the system.
• man 5 shadow - The file containing passwords and account expiration information for the system.
Chapter 33. Printer Configuration
Printer Configuration Tool allows users to configure a printer. This tool helps maintain the printer configuration file, print spool directories, print filters, and printer classes.
Red Hat Enterprise Linux 5.0.0 uses the Common Unix Printing System (CUPS). If a system was upgraded from a previous Red Hat Enterprise Linux version that used CUPS, the upgrade process preserves the configured queues.
Using Printer Configuration Tool requires root privileges. To start the application, select System (on the panel) => Administration => Printing, or type the command system-config-printer at a shell prompt.
Figure 33.1. Printer Configuration Tool
The following types of print queues can be configured:
• AppSocket/HP JetDirect - a printer connected directly to the network through HP JetDirect or Appsocket interface instead of a computer.
• Internet Printing Protocol (IPP) - a printer that can be accessed over a TCP/IP network via the Internet Printing Protocol (for example, a printer attached to another Red Hat Enterprise Linux system running CUPS on the network).
• LPD/LPR Host or Printer - a printer attached to a different UNIX system that can be accessed over a TCP/IP network (for example, a printer attached to another Red Hat Enterprise Linux system running LPD on the network).
• Networked Windows (SMB) - a printer attached to a different system which is sharing a printer over an SMB network (for example, a printer attached to a Microsoft Windows machine).
• Networked JetDirect - a printer connected directly to the network through HP JetDirect instead of a computer.
Important
If you add a new print queue or modify an existing one, you must apply the changes for them to take effect.
Clicking the Apply button prompts the printer daemon to restart with the changes you have configured.
Clicking the Revert button discards unapplied changes.
1. Adding a Local Printer
To add a local printer, such as one attached through a parallel port or USB port on your computer, click the New Printer button in the main Printer Configuration Tool window to display the window in Figure 33.2, "Adding a Printer".
Figure 33.2. Adding a Printer
Click Forward to proceed.
Enter a unique name for the printer in the Printer Name field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it must not contain any spaces.
You can also use the Description and Location fields to further distinguish this printer from others that may be configured on your system. Both of these fields are optional, and may contain spaces.
Click Forward to open the New Printer dialogue (refer to Figure 33.3, "Adding a Local Printer"). If the printer has been automatically detected, the printer model appears in Select Connection. Select the printer model and click Forward to continue.
If the device does not automatically appear, select the device to which the printer is connected (such as LPT #1 or Serial Port #1) in Select Connection.
Figure 33.3. Adding a Local Printer
Next, select the printer type. Refer to Section 5, "Selecting the Printer Model and Finishing" for details.
2. Adding an IPP Printer
An IPP printer is a printer attached to a different system on the same TCP/IP network. The system this printer is attached to may either be running CUPS or simply configured to use IPP.
If a firewall is enabled on the printer server, then the firewall should be configured to allow send / receive connections on the incoming UDP port 631. If a firewall is enabled on the client (the system sending the print request) then the firewall must be allowed to accept and create connections through port 631.
You can add a networked IPP printer by clicking the New Printer button in the main Printer Configuration Tool window to display the window in Figure 33.2, "Adding a Printer". Enter the Printer Name (printer names cannot contain spaces and may contain letters, numbers, dashes (-), and underscores (_)), Description, and Location to distinguish this printer from others that you may configure on your system. Click Forward to proceed.
In the window shown in Figure 33.4, "Adding an IPP Printer", enter the hostname of the IPP printer in the Hostname field as well as a unique name for the printer in the Printername field.
Figure 33.4. Adding an IPP Printer
Click Forward to continue.
Next, select the printer type. Refer to Section 5, "Selecting the Printer Model and Finishing" for details.
3. Adding a Samba (SMB) Printer
You can add a Samba (SMB) based printer share by clicking the New Printer button in the main Printer Configuration Tool window to display the window in Figure 33.2, "Adding a Printer". Enter a unique name for the printer in the Printer Name field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it must not contain any spaces.
You can also use the Description and Location fields to further distinguish this printer from others that may be configured on your system. Both of these fields are optional, and may contain spaces.
Figure 33.5. Adding a SMB Printer
As shown in Figure 33.5, "Adding a SMB Printer", available SMB shares are automatically detected and listed in the Share column. Click the arrow beside a Workgroup to expand it. From the expanded list, select a printer.
If the printer you are looking for does not appear in the list, enter the SMB address in the smb:// field. Use the format computer name/printer share. In Figure 33.5, "Adding a SMB Printer", the computer name is dellbox, while the printer share is r2.
In the Username field, enter the username to access the printer. This user must exist on the SMB system, and the user must have permission to access the printer. The default user name is typically guest for Windows servers, or nobody for Samba servers.
Enter the Password (if required) for the user specified in the Username field.
You can then test the connection by clicking Verify. Upon successful verification, a dialog box appears confirming printer share accessibility.
Next, select the printer type. Refer to Section 5, "Selecting the Printer Model and Finishing" for details.
Warning
Samba printer usernames and passwords are stored in the printer server as unencrypted files readable by root and lpd. Thus, other users that have root access to the printer server can view the username and password you use to access the Samba printer.
As such, when you choose a username and password to access a Samba printer, it is advisable that you choose a password that is different from what you use to access your local Red Hat Enterprise Linux system.
If there are files shared on the Samba print server, it is recommended that they also use a password different from what is used by the print queue.
4. Adding a JetDirect Printer
To add a JetDirect or AppSocket connected printer share, click the New Printer button in the main Printer Configuration Tool window to display the window in Figure 33.2, "Adding a Printer". Enter a unique name for the printer in the Printer Name field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it must not contain any spaces.
You can also use the Description and Location fields to further distinguish this printer from others that may be configured on your system. Both of these fields are optional, and may contain spaces.
Figure 33.6. Adding a JetDirect Printer
Click Forward to continue.
Text fields for the following options appear:
• Hostname - The hostname or IP address of the JetDirect printer.
• Port Number - The port on the JetDirect printer that is listening for print jobs. The default port is 9100.
Next, select the printer type. Refer to Section 5, "Selecting the Printer Model and Finishing" for details.
5. Selecting the Printer Model and Finishing
Once you have properly selected a printer queue type, you can choose either option:
• Select a Printer from database - If you select this option, choose the make of your printer from the list of Makes. If your printer make is not listed, choose Generic.
• Provide PPD file - A PostScript Printer Description (PPD) file may also be provided with your printer. This file is normally provided by the manufacturer. If you are provided with a PPD file, you can choose this option and use the browser bar below the option description to select the PPD file.
Refer to Figure 33.7, "Selecting a Printer Model".
Figure 33.7. Selecting a Printer Model
After choosing an option, click Forward to continue. Figure 33.7, "Selecting a Printer Model" appears. You now have to choose the corresponding model and driver for the printer.
The recommended printer driver is automatically selected based on the printer model you chose. The print driver processes the data that you want to print into a format the printer can understand. Since a local printer is attached directly to your computer, you need a printer driver to process the data that is sent to the printer.
If you have a PPD file for the device (usually provided by the manufacturer), you can select it by choosing Provide PPD file. You can then browse the filesystem for the PPD file by clicking Browse.
5.1. Confirming Printer Configuration
The last step is to confirm your printer configuration. Click Apply to add the print queue if the settings are correct. Click Back to modify the printer configuration.
After applying the changes, print a test page to ensure the configuration is correct. Refer to Section 6, "Printing a Test Page" for details.
6. Printing a Test Page
After you have configured your printer, you should print a test page to make sure the printer is functioning properly. To print a test page, select the printer that you want to try out from the printer list, then click Print Test Page from the printer's Settings tab.
If you change the print driver or modify the driver options, you should print a test page to test the different configuration.
7. Modifying Existing Printers
To delete an existing printer, select the printer and click the Delete button on the toolbar. The printer is removed from the printer list once you confirm deletion of the printer configuration.
To set the default printer, select the printer from the printer list and click the Make Default Printer button in the Settings tab.
7.1. The Settings Tab
To change printer driver configuration, click the corresponding name in the Printer list and click the Settings tab.
You can modify printer settings such as make and model, make a printer the default, print a test page, change the device location (URI), and more.
Figure 33.8. Settings Tab
7.2. The Policies Tab
To change settings in print output, click the Policies tab.
For example, to create a banner page (a page that describes aspects of the print job such as the originating printer, the username from which the job originated, and the security status of the document being printed) click the Starting Banner or Ending Banner drop-menu and choose the option that best describes the nature of the print jobs (such as topsecret, classified, or confidential).
Figure 33.9. Policies Tab
You can also configure the Error Policy of the printer, by choosing an option from the drop-down menu. You can choose to abort the print job, retry, or stop it.
7.3. The Access Control Tab
You can change user-level access to the configured printer by clicking the Access Control tab.
Add users using the text box and click the Add button beside it. You can then choose to only allow use of the printer to that subset of users or deny use to those users.
Figure 33.10. Access Control Tab
7.4. The Printer and Job Options Tab
The Printer Options tab contains various configuration options for the printer media and output.
Figure 33.11. Printer Options Tab
• Page Size - Allows the paper size to be selected. The options include US Letter, US Legal, A3, and A4.
• Media Source - set to Automatic by default. Change this option to use paper from a different tray.
• Media Type - Allows you to change paper type. Options include: Plain, thick, bond, and transparency.
• Resolution - Configure the quality and detail of the printout (default is 300 dots per inch (dpi)).
• Toner Saving - Choose whether the printer uses less toner to conserve resources.
You can also configure printer job options using the Job Options tab. Use the drop-menu and choose the job options you wish to use, such as Landscape modes (horizontal or vertical printout), copies, or scaling (increase or decrease the size of the printable area, which can be used to fit an oversize print area onto a smaller physical sheet of print medium).
8. Managing Print Jobs
When you send a print job to the printer daemon, such as printing a text file from Emacs or printing an image from The GIMP, the print job is added to the print spool queue. The print spool queue is a list of print jobs that have been sent to the printer and information about each print request, such as the status of the request, the job number, and more.
During the printing process, the Printer Status icon appears in the Notification Area on the panel. To check the status of a print job, double click the Printer Status, which displays a window similar to Figure 33.12, "GNOME Print Status".
Figure 33.12. GNOME Print Status
To cancel a specific print job listed in the GNOME Print Status, select it from the list and select Edit => Cancel Documents from the pulldown menu.
To view the list of print jobs in the print spool from a shell prompt, type the command lpq. The last few lines look similar to the following:
Rank     Owner/ID               Class   Job   Files        Size   Time
active   user@localhost+902     A       902   sample.txt   2050   01:20:46
Example 33.1. Example of lpq output
If you want to cancel a print job, find the job number of the request with the command lpq and then use the command lprm job number. For example, lprm 902 would cancel the print job in Example 33.1, "Example of lpq output". You must have proper permissions to cancel a print job. You can not cancel print jobs that were started by other users unless you are logged in as root on the machine to which the printer is attached.
You can also print a file directly from a shell prompt. For example, the command lpr sample.txt prints the text file sample.txt. The print filter determines what type of file it is and converts it into a format the printer can understand.
9. Additional Resources
To learn more about printing on Red Hat Enterprise Linux, refer to the following resources.
9.1. Installed Documentation
• man lpr - The manual page for the lpr command that allows you to print files from the command line.
• man lprm - The manual page for the command line utility to remove print jobs from the print queue.
• man mpage - The manual page for the command line utility to print multiple pages on one sheet of paper.
• man cupsd - The manual page for the CUPS printer daemon.
• man cupsd.conf - The manual page for the CUPS printer daemon configuration file.
• man classes.conf - The manual page for the class configuration file for CUPS.
9.2. Useful Websites
• http://www.linuxprinting.org - GNU/Linux Printing contains a large amount of information about printing in Linux.
• http://www.cups.org/ - Documentation, FAQs, and newsgroups about CUPS.
Chapter 34. Automated Tasks
In Linux, tasks can be configured to run automatically within a specified period of time, on a specified date, or when the system load average is below a specified number. Red Hat Enterprise Linux is pre-configured to run important system tasks to keep the system updated. For example, the slocate database used by the locate command is updated daily. A system administrator can use automated tasks to perform periodic backups, monitor the system, run custom scripts, and more.
Red Hat Enterprise Linux comes with several automated tasks utilities: cron, at, and batch.
1. Cron
Cron is a daemon that can be used to schedule the execution of recurring tasks according to a combination of the time, day of the month, month, day of the week, and week.
Cron assumes that the system is on continuously. If the system is not on when a task is scheduled, it is not executed. To schedule one-time tasks, refer to Section 2, "At and Batch".
To use the cron service, the vixie-cron RPM package must be installed and the crond service must be running. To determine if the package is installed, use the rpm -q vixie-cron command. To determine if the service is running, use the command /sbin/service crond status.
1.1. Configuring Cron Tasks
The main configuration file for cron, /etc/crontab, contains the following lines:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
The first four lines are variables used to configure the environment in which the cron tasks are run. The SHELL variable tells the system which shell environment to use (in this example the bash shell), while the PATH variable defines the path used to execute commands. The output of the cron tasks are emailed to the username defined with the MAILTO variable. If the MAILTO variable is defined as an empty string (MAILTO=""), email is not sent. The HOME variable can be used to set the home directory to use when executing commands or scripts.
Each line in the /etc/crontab file represents a task and has the following format:
minute hour day month dayofweek command
• minute - any integer from 0 to 59
• hour - any integer from 0 to 23
• day - any integer from 1 to 31 (must be a valid day if a month is specified)
• month - any integer from 1 to 12 (or the short name of the month such as jan or feb)
• dayofweek - any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the week such as sun or mon)
• command - the command to execute (the command can either be a command such as ls /proc >> /tmp/proc or the command to execute a custom script)
For any of the above values, an asterisk (*) can be used to specify all valid values. For example, an asterisk for the month value means execute the command every month within the constraints of the other values.
A hyphen (-) between integers specifies a range of integers. For example, 1-4 means the integers 1, 2, 3, and 4.
A list of values separated by commas (,) specifies a list. For example, 3, 4, 6, 8 indicates those four specific integers.
The forward slash (/) can be used to specify step values. The value of an integer can be skipped within a range by following the range with /<integer>. For example, 0-59/2 can be used to define every other minute in the minute field. Step values can also be used with an asterisk. For instance, the value */3 can be used in the month field to run the task every third month.
Any lines that begin with a hash mark (#) are comments and are not processed.
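The field syntax just described (asterisk, range, comma list, step) can be checked before a line is installed. The validator below is an added example and not part of the guide or of the cron package: it implements those four forms for the five time fields of a system crontab line (the /etc/crontab format with a user field). It accepts numeric values only; the short month and weekday names the text also allows (jan, mon, ...) are deliberately out of scope here.

```shell
#!/bin/sh
# Added example (not from the guide): validate the five time fields of a
# crontab line using the *, N, N-M, list and /STEP syntax described above.
# Numeric values only; short names such as jan or mon are not handled.

# is_num STRING: succeed if STRING is a non-empty run of digits.
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# cron_field_ok VALUE MIN MAX: succeed if VALUE is valid for a field whose
# legal integers run from MIN to MAX. VALUE is a comma-separated list of
# items; each item is *, N or N-M, optionally followed by /STEP.
cron_field_ok() {
    value=$1; min=$2; max=$3
    [ -n "$value" ] || return 1
    # split on commas; set -f stops the shell from glob-expanding a literal *
    set -f; old_ifs=$IFS; IFS=,; set -- $value; IFS=$old_ifs; set +f
    for item in "$@"; do
        range=${item%%/*}
        case "$item" in */*) step=${item#*/} ;; *) step=1 ;; esac
        is_num "$step" && [ "$step" -ge 1 ] || return 1
        case "$range" in
            '*') continue ;;                        # every value, maybe stepped
            *-*) lo=${range%-*}; hi=${range#*-} ;;  # inclusive range
            *)   lo=$range; hi=$range ;;            # single value
        esac
        is_num "$lo" && is_num "$hi" || return 1
        [ "$lo" -ge "$min" ] && [ "$hi" -le "$max" ] && [ "$lo" -le "$hi" ] || return 1
    done
}

# cron_line_ok LINE: check the five time fields of a system crontab task line
# (minute hour day month dayofweek user command). Comment lines and
# VAR=value settings are not task lines and are rejected here.
cron_line_ok() {
    set -f; set -- $1; set +f
    [ $# -ge 7 ] || return 1
    m=$1; h=$2; d=$3; mo=$4; dw=$5
    cron_field_ok "$m" 0 59 && cron_field_ok "$h" 0 23 && cron_field_ok "$d" 1 31 \
        && cron_field_ok "$mo" 1 12 && cron_field_ok "$dw" 0 7
}
```

A typical use is to pipe a candidate /etc/cron.d file through a loop that calls cron_line_ok on each non-comment, non-assignment line and refuses to install the file if any line fails.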
As shown in the /etc/crontab file, the run-parts script executes the scripts in the /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ directories on an hourly, daily, weekly, or monthly basis respectively. The files in these directories should be shell scripts.
If a cron task is required to be executed on a schedule other than hourly, daily, weekly, or monthly, it can be added to the /etc/cron.d/ directory. All files in this directory use the same syntax as /etc/crontab. Refer to Example 34.1, "Crontab Examples" for examples.
# record the memory usage of the system every monday
# at 3:30AM in the file /tmp/meminfo
30 3 * * mon cat /proc/meminfo >> /tmp/meminfo
# run custom script the first day of every month at 4:10AM
10 4 1 * * /root/scripts/backup.sh
Example 34.1. Crontab Examples
Users other than root can configure cron tasks by using the crontab utility. All user-defined crontabs are stored in the /var/spool/cron/ directory and are executed using the usernames of the users that created them. To create a crontab as a user, login as that user and type the command crontab -e to edit the user's crontab using the editor specified by the VISUAL or EDITOR environment variable. The file uses the same format as /etc/crontab. When the changes to the crontab are saved, the crontab is stored according to username and written to the file /var/spool/cron/username.
The cron daemon checks the /etc/crontab file, the /etc/cron.d/ directory, and the /var/spool/cron/ directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed.
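Because /etc/crontab and the files in /etc/cron.d/ run their commands as the user named in the sixth field, usually root, the scripts they point at deserve the same protection as the crontab itself. The script below is an added example, not from the guide: it extracts the command of each task line from a crontab in the system format and reports any command whose file is writable by other users. The crontab contents and script paths used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): find task commands in a system-format
# crontab (/etc/crontab or /etc/cron.d files) that point at world-writable
# files. Input used for the check is constructed; no real crontab is read.

# crontab_commands FILE: print the command part of every task line, skipping
# comments, blank lines and VAR=value environment settings. The system
# format has six leading fields: minute hour day month dayofweek user.
crontab_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/     { next }
        NF >= 7 {
            $1 = $2 = $3 = $4 = $5 = $6 = ""   # drop the schedule and user
            sub(/^[ \t]+/, "")                 # trim what the blanks left
            print
        }
    ' "$1"
}

# world_writable_commands FILE: for each task whose first word names an
# existing regular file, print that path if others have write permission
# (the last octal digit of the mode has the w bit: 2, 3, 6 or 7).
world_writable_commands() {
    crontab_commands "$1" | while read -r cmd rest; do
        [ -f "$cmd" ] || continue
        case "$(stat -c %a "$cmd")" in
            *[2367]) echo "$cmd" ;;
        esac
    done
}
```

The check only follows the first word of each command; a task that runs sh /path/to/script.sh would need the argument inspected as well, and a script that is safe itself may still source world-writable files of its own.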
1.2. Controlling Access to Cron
The /etc/cron.allow and /etc/cron.deny files are used to restrict access to cron. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The cron daemon (crond) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to add or delete a cron task.
The root user can always use cron, regardless of the usernames listed in the access control files.
If the file cron.allow exists, only users listed in it are allowed to use cron, and the cron.deny file is ignored.
If cron.allow does not exist, users listed in cron.deny are not allowed to use cron.
1.3. Starting and Stopping the Service
To start the cron service, use the command /sbin/service crond start. To stop the service, use the command /sbin/service crond stop. It is recommended that you start the service at boot time. Refer to Chapter 19, Controlling Access to Services for details on starting the cron service automatically at boot time.
2. At and Batch
While cron is used to schedule recurring tasks, the at command is used to schedule a one-time task at a specific time and the batch command is used to schedule a one-time task to be executed when the system's load average drops below 0.8.
To use at or batch, the at RPM package must be installed, and the atd service must be running. To determine if the package is installed, use the rpm -q at command. To determine if the service is running, use the command /sbin/service atd status.
2.1. Configuring At Jobs
To schedule a one-time job at a specific time, type the command at time, where time is the time to execute the command.
The argument time can be one of the following:
• HH:MM format - For example, 04:00 specifies 4:00 a.m. If the time is already past, it is executed at the specified time the next day.
• midnight - Specifies 12:00 a.m.
• noon - Specifies 12:00 p.m.
• teatime - Specifies 4:00 p.m.
• month-name day year format - For example, January 15 2002 specifies the 15th day of January in the year 2002. The year is optional.
• MMDDYY, MM/DD/YY, or MM.DD.YY formats - For example, 011502 for the 15th day of January in the year 2002.
• now + time - time is in minutes, hours, days, or weeks. For example, now + 5 days specifies that the command should be executed at the same time five days from now.
The time must be specified first, followed by the optional date. For more information about the time format, read the /usr/share/doc/at-<version>/timespec text file.
After typing the at command with the time argument, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl-D. Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl-D. Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl-D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first).
If the set of commands or script tries to display information to standard out, the output is emailed to the user.
Use the command atq to view pending jobs. Refer to Section 2.3, "Viewing Pending Jobs" for more information.
Usage of the at command can be restricted. For more information, refer to Section 2.5, "Controlling Access to At and Batch" for details.
2.2. Configuring Batch Jobs
To execute a one-time task when the load average is below 0.8, use the batch command.
After typing the batch command, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl-D. Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl-D. Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl-D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first). As soon as the load average is below 0.8, the set of commands or script is executed.
If the set of commands or script tries to display information to standard out, the output is emailed to the user.
Use the command atq to view pending jobs. Refer to Section 2.3, "Viewing Pending Jobs" for more information.
Usage of the batch command can be restricted. For more information, refer to Section 2.5, "Controlling Access to At and Batch" for details.
2.3. Viewing Pending Jobs
To view pending at and batch jobs, use the atq command. The atq command displays a list of pending jobs, with each job on a line. Each line follows the job number, date, hour, job class, and username format. Users can only view their own jobs. If the root user executes the atq command, all jobs for all users are displayed.
2.4. Additional Command Line Options
Additional command line options for at and batch include:
Option   Description
-f       Read the commands or shell script from a file instead of specifying them at the prompt.
-m       Send email to the user when the job has been completed.
-v       Display the time that the job is executed.
Table 34.1. at and batch Command Line Options
2.5. Controlling Access to At and Batch
The /etc/at.allow and /etc/at.deny files can be used to restrict access to the at and batch commands. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The at daemon (atd) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to execute the at or batch commands.
The root user can always execute at and batch commands, regardless of the access control files.
If the file at.allow exists, only users listed in it are allowed to use at or batch, and the at.deny file is ignored.
If at.allow does not exist, users listed in at.deny are not allowed to use at or batch.
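The allow/deny rules above as a shell function (an added example, not code from the guide); the directory holding at.allow and at.deny is a parameter so the rules can be exercised against a scratch directory instead of /etc:

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: the at.allow / at.deny rules from
# the text as a function, with the directory holding the two files as a
# parameter so the rules can be exercised against a scratch copy instead of
# /etc. Prints "allow" or "deny".
#
#   1. root is always allowed, whatever the files contain.
#   2. If at.allow exists, only users listed in it are allowed; at.deny is ignored.
#   3. Otherwise users listed in at.deny are denied and everyone else is allowed.
at_access() {
    user=$1
    dir=${2:-/etc}

    if [ "$user" = root ]; then
        echo allow; return 0
    fi
    if [ -f "$dir/at.allow" ]; then
        # -x: whole-line match, so "bob" is not matched by "bobby"; -F: literal
        if grep -qxF "$user" "$dir/at.allow"; then echo allow; else echo deny; fi
        return 0
    fi
    if [ -f "$dir/at.deny" ] && grep -qxF "$user" "$dir/at.deny"; then
        echo deny
    else
        echo allow
    fi
}

# at_file_ok <file>: the text requires one username per line with no
# whitespace; a line such as "alice bob" would silently match nobody.
# Returns 0 if the file is absent or well-formed, 1 otherwise.
at_file_ok() {
    [ -f "$1" ] || return 0
    if grep -q '[[:space:]]' "$1"; then return 1; fi
    return 0
}

# Constructed demo directory standing in for /etc.
demo=$(mktemp -d)
printf 'alice\nbob\n' > "$demo/at.deny"
echo "no at.allow, alice in at.deny:  $(at_access alice "$demo")"   # deny
echo "no at.allow, carol unlisted:    $(at_access carol "$demo")"   # allow
printf 'carol\n' > "$demo/at.allow"
echo "at.allow present, bob:          $(at_access bob "$demo")"     # deny (at.deny now ignored)
echo "at.allow present, carol:        $(at_access carol "$demo")"   # allow
rm -rf "$demo"
```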
2.6. Starting and Stopping the Service
To start the at service, use the command /sbin/service atd start. To stop the service, use the command /sbin/service atd stop. It is recommended that you start the service at boot time. Refer to Chapter 19, Controlling Access to Services for details on starting the cron service automatically at boot time.
3. Additional Resources
To learn more about configuring automated tasks, refer to the following resources.
3.1. Installed Documentation
cron man page - overview of cron.
crontab man pages in sections 1 and 5 - The man page in section 1 contains an overview of the crontab file. The man page in section 5 contains the format for the file and some example entries.
/usr/share/doc/at-<version>/timespec contains more detailed information about the times that can be specified for cron jobs.
at man page - description of at and batch and their command line options.
Chapter 35. Log Files
Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.
Log files can be very useful when trying to troubleshoot a problem with the system such as trying to load a kernel driver or when looking for unauthorized login attempts to the system. This chapter discusses where to find log files, how to view log files, and what to look for in log files.
Some log files are controlled by a daemon called syslogd. A list of log messages maintained by syslogd can be found in the /etc/syslog.conf configuration file.
1. Locating Log Files
Most log files are located in the /var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
You may notice multiple files in the log file directory with numbers after them. These are created when the log files are rotated. Log files are rotated so their file sizes do not become too large. The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory. By default, it is configured to rotate every week and keep four weeks worth of previous log files.
2. Viewing Log Files
Most log files are in plain text format. You can view them with any text editor such as Vi or Emacs. Some log files are readable by all users on the system; however, root privileges are required to read most log files.
To view system log files in an interactive, real-time application, use the Log Viewer. To start the application, go to Applications (the main menu on the panel) => System Tools => System Logs, or type the command system-logviewer at a shell prompt.
The application only displays log files that exist; thus, the list might differ from the one shown in Figure 35.1, "Log Viewer".
To filter the contents of the log file for keywords, type the keyword(s) in the Filter for text field, and click Filter. Click Reset to reset the contents.
Figure 35.1. Log Viewer
By default, the currently viewable log file is refreshed every 30 seconds. To change the refresh rate, select Edit => Preferences from the pulldown menu. The window shown in Figure 35.2, "Log File Locations" appears. In the Log Files tab, click the up and down arrows beside the refresh rate to change it. Click Close to return to the main window. The refresh rate is changed immediately. To refresh the currently viewable file manually, select File => Refresh Now or press Ctrl-R.
On the Log Files tab in the Preferences, the log file locations can be modified. Select the log file from the list, and click the Edit button. Type the new location of the log file or click the Browse button to locate the file location using a file selection dialog. Click OK to return to the preferences, and click Close to return to the main window.
Figure 35.2. Log File Locations
3. Adding a Log File
To add a log file to the list, select Edit => Preferences, and click the Add button in the Log Files tab.
Figure 35.3. Adding a Log File
Provide a name, description, and the location of the log file to add. After clicking OK, the file is immediately added to the viewing area, if the file exists.
4. Examining Log Files
Log Viewer can be configured to display an alert icon beside lines that contain key alert words and a warning icon beside lines that contain key warning words.
To add alert words, select Edit => Preferences from the pulldown menu, and click on the Alerts tab. Click the Add button to add an alert word. To delete an alert word, select the word from the list, and click Delete.
The alert icon is displayed to the left of the lines that contain any of the alert words.
Figure 35.4. Alerts
To add warning words, select Edit => Preferences from the pull-down menu, and click on the Warnings tab. Click the Add button to add a warning word. To delete a warning word, select the word from the list, and click Delete.
The warning icon is displayed to the left of the lines that contain any of the warning words.
Figure 35.5. Warning
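The same alert-word and warning-word idea applied from the command line, as an added example that is not part of the guide; the word lists, the sshd-style sample lines in the format of /var/log/secure, and the hosts and addresses in them are constructed for illustration:

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: a command-line counterpart of the
# Log Viewer's alert/warning words. Lines matching any alert word are tagged
# ALERT, lines matching only a warning word are tagged WARNING, the rest are
# dropped. Matching is case-insensitive, as a keyword filter should be.

# Word lists are extended regular expressions; these are constructed for the
# demo, not a recommended set.
ALERT_WORDS='authentication failure|failed|refused'
WARNING_WORDS='warning|timeout'

# tag_log_lines <alert-regex> <warning-regex>   (log lines on stdin)
tag_log_lines() {
    awk -v a="$1" -v w="$2" '
        tolower($0) ~ tolower(a) { print "ALERT   " $0; next }
        tolower($0) ~ tolower(w) { print "WARNING " $0; next }
    '
}

# Constructed sample in the style of /var/log/secure; host, users and
# addresses (from the RFC 5737 documentation ranges) are made up.
SAMPLE_LOG='Mar  3 10:14:02 host sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:15:40 host sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Mar  3 10:15:41 host sshd[2250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar  3 10:16:05 host su(pam_unix)[2301]: session opened for user root by bob(uid=500)
Mar  3 10:17:12 host sshd[2310]: warning: Connection timeout from 203.0.113.5'

# count_tagged ALERT|WARNING : number of sample lines carrying that tag
count_tagged() {
    printf '%s\n' "$SAMPLE_LOG" | tag_log_lines "$ALERT_WORDS" "$WARNING_WORDS" | grep -c "^$1 "
}

# alert_sources: for ALERT lines that name a peer ("... from <address> ..."),
# count how many alerts each address produced, busiest first.
alert_sources() {
    printf '%s\n' "$SAMPLE_LOG" | tag_log_lines "$ALERT_WORDS" "$WARNING_WORDS" |
        awk '/^ALERT/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | tag_log_lines "$ALERT_WORDS" "$WARNING_WORDS"
alert_sources
```

On a live system the same functions read the real file, for example tail -n 500 /var/log/secure | tag_log_lines "$ALERT_WORDS" "$WARNING_WORDS" (root privileges are needed for /var/log/secure, as noted above).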
Chapter 36. Manually Upgrading the Kernel
The Red Hat Enterprise Linux kernel is custom built by the Red Hat kernel team to ensure its integrity and compatibility with supported hardware. Before Red Hat releases a kernel, it must first pass a rigorous set of quality assurance tests.
Red Hat Enterprise Linux kernels are packaged in RPM format so that they are easy to upgrade and verify using the Red Hat Update Agent, or the up2date command. The Red Hat Update Agent automatically queries the Red Hat Network servers and determines which packages need to be updated on your machine, including the kernel. This chapter is only useful for those individuals that require manual updating of kernel packages, without using the up2date command.
Warning
Please note, that building a custom kernel is not supported by the Red Hat Global Services Support team, and therefore is not explored in this manual.
Tip
Use of up2date is highly recommended by Red Hat for installing upgraded kernels.
For more information on Red Hat Network, the Red Hat Update Agent, and up2date, refer to Chapter 16, Red Hat Network.
1. Overview of Kernel Packages
Red Hat Enterprise Linux contains the following kernel packages (some may not apply to your architecture):
kernel - Contains the kernel and the following key features:
Uniprocessor support for x86 and Athlon systems (can be run on a multi-processor system, but only one processor is utilized)
Multi-processor support for all other architectures
For x86 systems, only the first 4 GB of RAM is used; use the kernel-hugemem package for x86 systems with over 4 GB of RAM
kernel-devel - Contains the kernel headers and makefiles sufficient to build modules against the kernel package.
kernel-hugemem - (only for i686 systems) In addition to the options enabled for the kernel package, the key configuration options are as follows:
Support for more than 4 GB of RAM (up to 64 GB for x86)
Note
kernel-hugemem is required for memory configurations higher than 16 GB.
PAE (Physical Address Extension) or 3 level paging on x86 processors that support PAE
Support for multiple processors
4GB/4GB split - 4GB of virtual address space for the kernel and almost 4GB for each user process on x86 systems
kernel-hugemem-devel - Contains the kernel headers and makefiles sufficient to build modules against the kernel-hugemem package.
kernel-smp - Contains the kernel for multi-processor systems. The following are the key features:
Multi-processor support
Support for more than 4 GB of RAM (up to 16 GB for x86)
PAE (Physical Address Extension) or 3 level paging on x86 processors that support PAE
kernel-smp-devel - Contains the kernel headers and makefiles sufficient to build modules against the kernel-smp package.
kernel-utils - Contains utilities that can be used to control the kernel or system hardware.
kernel-doc - Contains documentation files from the kernel source. Various portions of the Linux kernel and the device drivers shipped with it are documented in these files. Installation of this package provides a reference to the options that can be passed to Linux kernel modules at load time.
By default, these files are placed in the /usr/share/doc/kernel-doc-<version>/ directory.
Note
The kernel-source package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network. This *.src.rpm must then be rebuilt locally using the rpmbuild command. Refer to the latest distribution Release Notes, including all updates, at https://www.redhat.com/docs/manuals/enterprise/ for more information on obtaining and installing the kernel source package.
2. Preparing to Upgrade
Before upgrading the kernel, take a few precautionary steps. The first step is to make sure working boot media exists for the system in case a problem occurs. If the boot loader is not configured properly to boot the new kernel, the system cannot be booted into Red Hat Enterprise Linux without working boot media.
For example, to create a boot diskette, login as root, and type the following command at a shell prompt:
/sbin/mkbootdisk `uname -r`
Tip
Refer to the mkbootdisk man page for more options. Creating bootable media via CD-Rs, CD-RWs, and USB flash drives is also supported, given that the system BIOS also supports it.
Reboot the machine with the boot media and verify that it works before continuing.
Hopefully, the media is not needed, but store it in a safe place just in case.
To determine which kernel packages are installed, execute the following command at a shell prompt:
rpm -qa | grep kernel
The output contains some or all of the following packages, depending on the system's architecture (the version numbers and packages may differ):
kernel-2.6.9-5.EL
kernel-devel-2.6.9-5.EL
kernel-utils-2.6.9-5.EL
kernel-doc-2.6.9-5.EL
kernel-smp-2.6.9-5.EL
kernel-smp-devel-2.6.9-5.EL
kernel-hugemem-devel-2.6.9-5.EL
From the output, determine which packages need to be downloaded for the kernel upgrade. For a single processor system, the only required package is the kernel package. Refer to Section 1, "Overview of Kernel Packages" for descriptions of the different packages.
In the file name, each kernel package contains the architecture for which the package was built. The format is kernel-<variant>-<version>.<arch>.rpm, where <variant> is smp, utils, or so forth. The <arch> is one of the following:
x86_64 for the AMD64 architecture
ia64 for the Intel Itanium architecture
ppc64 for the IBM eServer pSeries architecture
ppc64 for the IBM eServer iSeries architecture
s390 for the IBM S/390 architecture
s390x for the IBM eServer zSeries architecture
x86 variant: The x86 kernels are optimized for different x86 versions. The options are as follows:
i686 for Intel Pentium II, Intel Pentium III, Intel Pentium 4, AMD Athlon, and AMD Duron systems
3. Downloading the Upgraded Kernel
There are several ways to determine if an updated kernel is available for the system.
Security Errata - Go to the following location for information on security errata, including kernel upgrades that fix security issues:
http://www.redhat.com/apps/support/errata/
Via Quarterly Updates - Refer to the following location for details:
http://www.redhat.com/apps/support/errata/rhas_errata_policy.html
Via Red Hat Network - Download and install the kernel RPM packages. Red Hat Network can download the latest kernel, upgrade the kernel on the system, create an initial RAM disk image if needed, and configure the boot loader to boot the new kernel. For more information, refer to http://www.redhat.com/docs/manuals/RHNetwork/.
If Red Hat Network was used to download and install the updated kernel, follow the instructions in Section 5, "Verifying the Initial RAM Disk Image" and Section 6, "Verifying the Boot Loader", only do not change the kernel to boot by default. Red Hat Network automatically changes the default kernel to the latest version. To install the kernel manually, continue to Section 4, "Performing the Upgrade".
4. Performing the Upgrade
After retrieving all of the necessary packages, it is time to upgrade the existing kernel. At a shell prompt, as root, change to the directory that contains the kernel RPM packages and follow these steps.
Important
It is strongly recommended that the old kernel is kept in case there are problems with the new kernel.
Use the -i argument with the rpm command to keep the old kernel. Do not use the -U option, since it overwrites the currently installed kernel, which creates boot loader problems. Issue the following command (the kernel version may vary):
rpm -ivh kernel-2.6.9-5.EL.<arch>.rpm
If the system is a multi-processor system, install the kernel-smp packages as well (the kernel version may vary):
rpm -ivh kernel-smp-2.6.9-5.EL.<arch>.rpm
If the system is i686-based and contains more than 4 GB of RAM, install the kernel-hugemem package built for the i686 architecture as well (the kernel version might vary):
rpm -ivh kernel-hugemem-2.6.9-5.EL.i686.rpm
The next step is to verify that the initial RAM disk image has been created. Refer to Section 5, "Verifying the Initial RAM Disk Image" for details.
5. Verifying the Initial RAM Disk Image
If the system uses the ext3 file system, a SCSI controller, or uses labels to reference partitions in /etc/fstab, an initial RAM disk is needed. The initial RAM disk allows a modular kernel to have access to modules that it might need to boot from before the kernel has access to the device where the modules normally reside.
On the Red Hat Enterprise Linux architectures other than IBM eServer iSeries, the initial RAM disk can be created with the mkinitrd command. However, this step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc.; thus, it does not need to be executed manually. To verify that it was created, use the command ls -l /boot to make sure the initrd-<version>.img file was created (the version should match the version of the kernel just installed).
On iSeries systems, the initial RAM disk file and vmlinux file are combined into one file, which is created with the addRamDisk command. This step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc.; thus, it does not need to be executed manually. To verify that it was created, use the command ls -l /boot to make sure the /boot/vmlinitrd-<kernel-version> file was created (the version should match the version of the kernel just installed).
The next step is to verify that the boot loader has been configured to boot the new kernel. Refer to Section 6, "Verifying the Boot Loader" for details.
6. Verifying the Boot Loader
The kernel RPM package configures the boot loader to boot the newly installed kernel (except for IBM eServer iSeries systems). However, it does not configure the boot loader to boot the new kernel by default.
It is always a good idea to confirm that the boot loader has been configured correctly. This is a crucial step. If the boot loader is configured incorrectly, the system does not boot into Red Hat Enterprise Linux properly. If this happens, boot the system with the boot media created earlier and try configuring the boot loader again.
6.1. x86 Systems
All x86 systems use GRUB as the boot loader, which includes all AMD64 systems.
6.1.1. GRUB
Confirm that the file /boot/grub/grub.conf contains a title section with the same version as the kernel package just installed (if the kernel-smp or kernel-hugemem package was installed, a section exists for it as well):
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
# initrd /initrd-version.img
#boot=/dev/hda
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
initrd /initrd-2.6.9-1.906_EL.img
If a separate /boot/ partition was created, the paths to the kernel and initrd image are relative to /boot/.
Notice that the default is not set to the new kernel. To configure GRUB to boot the new kernel by default, change the value of the default variable to the title section number for the title section that contains the new kernel. The count starts with 0. For example, if the new kernel is the first title section, set default to 0.
Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
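The checks from Section 5 and Section 6.1.1 scripted for a GRUB system, as an added example that is not code from the guide: it finds the title section booting a given kernel version, confirms that the section's initrd image exists, and compares the default= index with that section. The grub.conf path and boot directory are parameters, so the functions run here against a constructed copy of the file shown above rather than the live /boot/grub/grub.conf and /boot.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: the checks from "Verifying the
# Initial RAM Disk Image" and "Verifying the Boot Loader" for a GRUB system,
# applied to a grub.conf of the layout shown above. The configuration file and
# the boot directory are parameters, so the functions can be run against a
# constructed copy instead of the live /boot/grub/grub.conf and /boot.

# grub_title_index <grub.conf> <version>
# 0-based index of the first title section whose kernel line boots
# vmlinuz-<version> (the number that default= must hold), or -1 if none does.
# Commented-out lines (leading #) are skipped because they do not start with
# the keyword; a leading directory such as /boot/ is ignored.
grub_title_index() {
    awk -v ver="$2" '
        /^[[:space:]]*title/  { idx++ }
        /^[[:space:]]*kernel/ { k = $2; sub(/^.*\//, "", k)
                                if (k == ("vmlinuz-" ver)) { print idx - 1; found = 1; exit } }
        END { if (!found) print -1 }
    ' "$1"
}

# grub_default <grub.conf>: value of the default= line (GRUB assumes 0 if absent)
grub_default() {
    awk -F= '/^[[:space:]]*default[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; f = 1; exit }
             END { if (!f) print 0 }' "$1"
}

# grub_initrd_present <grub.conf> <boot-dir> <version>
# True if the initrd named in that version's title section exists in <boot-dir>.
grub_initrd_present() {
    f=$(awk -v ver="$3" '
        /^[[:space:]]*kernel/ { k = $2; sub(/^.*\//, "", k); want = (k == ("vmlinuz-" ver)) }
        /^[[:space:]]*initrd/ && want { i = $2; sub(/^.*\//, "", i); print i; exit }
    ' "$1")
    [ -n "$f" ] && [ -f "$2/$f" ]
}

# verify_kernel_boot <grub.conf> <boot-dir> <version>: prints one of
#   no-section      no title section boots this version
#   missing-initrd  a section exists but its initrd image is not in <boot-dir>
#   not-default     section and initrd are fine, but default= selects another one
#   ok              the new kernel will be booted by default
verify_kernel_boot() {
    idx=$(grub_title_index "$1" "$3")
    if [ "$idx" -lt 0 ]; then echo no-section; return 0; fi
    if ! grub_initrd_present "$1" "$2" "$3"; then echo missing-initrd; return 0; fi
    if [ "$(grub_default "$1")" != "$idx" ]; then echo not-default; return 0; fi
    echo ok
}

# make_demo: scratch directory holding a copy of the grub.conf shown above and
# an initrd for the old kernel only (constructed; prints the directory name).
make_demo() {
    d=$(mktemp -d)
    cat > "$d/grub.conf" <<'EOF'
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
    initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
    initrd /initrd-2.6.9-1.906_EL.img
EOF
    : > "$d/initrd-2.6.9-1.906_EL.img"
    echo "$d"
}

demo=$(make_demo)
echo "2.6.9-5.EL: $(verify_kernel_boot "$demo/grub.conf" "$demo" 2.6.9-5.EL)"   # missing-initrd
: > "$demo/initrd-2.6.9-5.EL.img"
echo "2.6.9-5.EL: $(verify_kernel_boot "$demo/grub.conf" "$demo" 2.6.9-5.EL)"   # not-default
rm -rf "$demo"
```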
6.2. Itanium Systems
Itanium systems use ELILO as the boot loader, which uses /boot/efi/EFI/redhat/elilo.conf as the configuration file. Confirm that this file contains an image section with the same version as the kernel package just installed:
prompt
timeout=50
default=old
image=vmlinuz-2.6.9-5.EL
label=linux
initrd=initrd-2.6.9-5.EL.img
read-only
append="root=LABEL=/"
image=vmlinuz-2.6.9-1.906_EL
label=old
initrd=initrd-2.6.9-1.906.img
read-only
append="root=LABEL=/"
Notice that the default is not set to the new kernel. To configure ELILO to boot the new kernel, change the value of the default variable to the value of the label for the image section that contains the new kernel.
Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
6.3. IBM S/390 and IBM eServer zSeries Systems
The IBM S/390 and IBM eServer zSeries systems use z/IPL as the boot loader, which uses /etc/zipl.conf as the configuration file. Confirm that the file contains a section with the same version as the kernel package just installed:
[defaultboot]
default=old
target=/boot/
[linux]
image=/boot/vmlinuz-2.6.9-5.EL
ramdisk=/boot/initrd-2.6.9-5.EL.img
parameters="root=LABEL=/"
[old]
image=/boot/vmlinuz-2.6.9-1.906_EL
ramdisk=/boot/initrd-2.6.9-1.906_EL.img
parameters="root=LABEL=/"
Notice that the default is not set to the new kernel. To configure z/IPL to boot the new kernel by default, change the value of the default variable to the name of the section that contains the new kernel. The first line of each section contains the name in brackets.
After modifying the configuration file, run the following command as root to enable the changes:
/sbin/zipl
Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
6.4. IBM eServer iSeries Systems
The /boot/vmlinitrd-<kernel-version> file is installed when you upgrade the kernel. However, you must use the dd command to configure the system to boot the new kernel:
1. As root, issue the command cat /proc/iSeries/mf/side to determine the default side (either A, B, or C).
2. As root, issue the following command, where <kernel-version> is the version of the new kernel and <side> is the side from the previous command:
dd if=/boot/vmlinitrd-<kernel-version> of=/proc/iSeries/mf/<side>/vmlinux bs=8k
Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
6.5. IBM eServer pSeries Systems
IBM eServer pSeries systems use YABOOT as the boot loader, which uses /etc/aboot.conf as the configuration file. Confirm that the file contains an image section with the same version as the kernel package just installed:
boot=/dev/sda1
init-message=Welcome to Red Hat Enterprise Linux!
Hit <TAB> for boot options
partition=2
timeout=30
install=/usr/lib/yaboot/yaboot
delay=10
nonvram
image=/vmlinux--2.6.9-5.EL
label=old
read-only
initrd=/initrd--2.6.9-5.EL.img
append="root=LABEL=/"
image=/vmlinux-2.6.9-5.EL
label=linux
read-only
initrd=/initrd-2.6.9-5.EL.img
append="root=LABEL=/"
Notice that the default is not set to the new kernel. The kernel in the first image is booted by default. To change the default kernel to boot, either move its image stanza so that it is the first one listed or add the directive default and set it to the label of the image stanza that contains the new kernel.
Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
Chapter 37. Kernel Modules
The Linux kernel has a modular design. At boot time, only a minimal resident kernel is loaded into memory. Thereafter, whenever a user requests a feature that is not present in the resident kernel, a kernel module, sometimes referred to as a driver, is dynamically loaded into memory.
During installation, the hardware on the system is probed. Based on this probing and the information provided by the user, the installation program decides which modules need to be loaded at boot time. The installation program sets up the dynamic loading mechanism to work transparently.
If new hardware is added after installation and the hardware requires a kernel module, the system must be configured to load the proper kernel module for the new hardware. When the system is booted with the new hardware, the Kudzu program runs, detects the new hardware if it is supported, and configures the module for it. The module can also be specified manually by editing the module configuration file, /etc/modprobe.conf.
Note
Video card modules used to display the X Window System interface are part of the xorg-X11 packages, not the kernel; thus, this chapter does not apply to them.
For example, if a system included an SMC EtherPower 10 PCI network adapter, the module configuration file contains the following line:
alias eth0 tulip
If a second network card is added to the system and is identical to the first card, add the following line to /etc/modprobe.conf:
alias eth1 tulip
Refer to the Red Hat Enterprise Linux Reference Guide for an alphabetical list of kernel modules and supported hardware for those modules.
1. Kernel Module Utilities
A group of commands for managing kernel modules is available if the module-init-tools package is installed. Use these commands to determine if a module has been loaded successfully or when trying different modules for a piece of new hardware.
The command /sbin/lsmod displays a list of currently loaded modules. For example:
Module                  Size  Used by
nfs                   218437  1
lockd                  63977  2 nfs
parport_pc             24705  1
lp                     12077  0
parport                37129  2 parport_pc,lp
autofs4                23237  2
i2c_dev                11329  0
i2c_core               22081  1 i2c_dev
sunrpc                157093  5 nfs,lockd
button                  6481  0
battery                 8901  0
ac                      4805  0
md5                     4033  1
ipv6                  232833  16
ohci_hcd               21713  0
e100                   39493  0
mii                     4673  1 e100
floppy                 58481  0
sg                     33377  0
dm_snapshot            17029  0
dm_zero                 2369  0
dm_mirror              22957  2
ext3                  116809  2
jbd                    71257  1 ext3
dm_mod                 54741  6 dm_snapshot,dm_zero,dm_mirror
ips                    46173  2
aic7xxx               148121  0
sd_mod                 17217  3
scsi_mod              121421  4 sg,ips,aic7xxx,sd_mod
For each line, the first column is the name of the module, the second column is the size of the module, and the third column is the use count.
The /sbin/lsmod output is less verbose and easier to read than the output from viewing /proc/modules.
To load a kernel module, use the /sbin/modprobe command followed by the kernel module name. By default, modprobe attempts to load the module from the /lib/modules/<kernel-version>/kernel/drivers/ subdirectories. There is a subdirectory for each type of module, such as the net/ subdirectory for network interface drivers.
Some kernel modules have module dependencies, meaning that other modules must be loaded first for it to load. The /sbin/modprobe command checks for these dependencies and loads the module dependencies before loading the specified module.
For example, the command
/sbin/modprobe e100
loads any module dependencies and then the e100 module.
To print to the screen all commands as /sbin/modprobe executes them, use the -v option. For example:
/sbin/modprobe -v e100
Output similar to the following is displayed:
/sbin/insmod /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko
Using /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko
Symbol version prefix 'smp_'
The /sbin/insmod command also exists to load kernel modules; however, it does not resolve dependencies. Thus, it is recommended that the /sbin/modprobe command be used.
To unload kernel modules, use the /sbin/rmmod command followed by the module name. The rmmod utility only unloads modules that are not in use and that are not a dependency of other modules in use.
For example, the command
/sbin/rmmod e100
unloads the e100 kernel module.
Another useful kernel module utility is modinfo. Use the command /sbin/modinfo to display information about a kernel module. The general syntax is:
/sbin/modinfo [options] <module>
Options include -d, which displays a brief description of the module, and -p, which lists the parameters the module supports. For a complete list of options, refer to the modinfo man page (man modinfo).
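An added example, not code from the guide, built on the lsmod listing above: it reads the Used by column to work out the order in which rmmod would have to remove modules before a given module stops being a dependency of a loaded module, and flags use counts that no listed module accounts for (the nfs and parport_pc lines above are such cases). The function reads an lsmod-style table on standard input; the sample is a subset of the listing above.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: work out from lsmod output the
# order in which modules have to be removed before a given module can be
# unloaded, since rmmod refuses to remove a module that another loaded module
# still uses. The "Used by" column lists the modules holding a reference; the
# use count can be larger than that list when something other than a module
# (a mount, an open device) holds the module, and rmmod refuses those too.

# unload_order <module>    (lsmod-style table on stdin)
# Prints the modules to remove, one per line, dependents first and the
# requested module last. References not held by a module go to stderr.
unload_order() {
    awk -v target="$1" '
        NR > 1 {
            loaded[$1] = 1
            count[$1] = $3
            n = split($4, users, ",")          # modules that use $1
            named[$1] = n
            for (i = 1; i <= n; i++) usedby[$1] = usedby[$1] " " users[i]
        }
        function visit(m,    k, parts, j) {
            if (m in done) return
            done[m] = 1
            k = split(usedby[m], parts, " ")
            for (j = 1; j <= k; j++) visit(parts[j])   # remove dependents first
            if (count[m] > named[m])
                print m ": " (count[m] - named[m]) " reference(s) not held by a module; rmmod will refuse" > "/dev/stderr"
            print m
        }
        END {
            if (!(target in loaded)) { print target ": not loaded" > "/dev/stderr"; exit 1 }
            visit(target)
        }
    '
}

# Part of the listing from the guide above, used here as sample input; on a
# live system run /sbin/lsmod | unload_order <module> instead.
LSMOD_SAMPLE='Module Size Used by
nfs 218437 1
lockd 63977 2 nfs
parport_pc 24705 1
lp 12077 0
parport 37129 2 parport_pc,lp
sunrpc 157093 5 nfs,lockd
e100 39493 0
mii 4673 1 e100
sg 33377 0
dm_snapshot 17029 0
dm_zero 2369 0
dm_mirror 22957 2
ext3 116809 2
jbd 71257 1 ext3
dm_mod 54741 6 dm_snapshot,dm_zero,dm_mirror
ips 46173 2
aic7xxx 148121 0
sd_mod 17217 3
scsi_mod 121421 4 sg,ips,aic7xxx,sd_mod'

# unload_order_sample <module>: run against the sample; names only, space-separated
unload_order_sample() {
    printf '%s\n' "$LSMOD_SAMPLE" | unload_order "$1" 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
}

unload_order_sample parport      # parport_pc lp parport
echo
unload_order_sample scsi_mod     # sg ips aic7xxx sd_mod scsi_mod
echo
```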
2. Persistent Module Loading
Kernel modules are usually loaded directly by the facility that requires them, which is given correct settings in the /etc/modprobe.conf file. However, it is sometimes necessary to explicitly force the loading of a module at boot time.
Red Hat Enterprise Linux checks for the existence of the /etc/rc.modules file at boot time, which contains various commands to load modules. The rc.modules should be used, and not rc.local, because rc.modules is executed earlier in the boot process.
For example, the following commands configure loading of the foo module at boot time (as root):
# echo modprobe foo >> /etc/rc.modules
# chmod +x /etc/rc.modules
Tip
This approach is not necessary for network and SCSI interfaces because they have their own specific mechanisms.
3. Additional Resources
For more information on kernel modules and their utilities, refer to the following resources.
3.1. Installed Documentation
lsmod man page - description and explanation of its output.
insmod man page - description and list of command line options.
modprobe man page - description and list of command line options.
rmmod man page - description and list of command line options.
modinfo man page - description and list of command line options.
/usr/share/doc/kernel-doc-<version>/Documentation/kbuild/modules.txt - how to compile and use kernel modules.
3.2. Useful Websites
http://www.redhat.com/mirrors/LDP/HOWTO/Module-HOWTO/index.html - Linux Loadable Kernel Module HOWTO from the Linux Documentation Project.
Chapter 38. Mail Transport Agent (MTA) Configuration
A Mail Transport Agent (MTA) is essential for sending email. A Mail User Agent (MUA) such as Evolution, Mozilla Mail, Thunderbird, and Mutt, is used to read and compose email. When a user sends an email from an MUA, the message is handed off to the MTA, which sends the message through a series of MTAs until it reaches its destination.
Even if a user does not plan to send email from the system, some automated tasks or system programs might use the /bin/mail command to send email containing log messages to the root user of the local system.
Red Hat Enterprise Linux 5.0.0 provides three MTAs: Sendmail, Postfix, and Exim. If all three are installed, sendmail is the default MTA. The Mail Transport Agent Switcher allows for the selection of either sendmail, postfix, or exim as the default MTA for the system.
The system-switch-mail RPM package must be installed to use the text-based version of the Mail Transport Agent Switcher program. If you want to use the graphical version, the system-switch-mail-gnome package must also be installed.
To start the Mail Transport Agent Switcher, select Applications (the main menu on the panel) => Preferences => More Preferences => Mail Transport Agent Switcher, or type the command system-switch-mail at a shell prompt (for example, in an XTerm or GNOME terminal).
The program automatically detects if the X Window System is running. If it is running, the program starts in graphical mode as shown in Figure 38.1, "Mail Transport Agent Switcher". If X is not detected, it starts in text-mode. To force Mail Transport Agent Switcher to run in text-mode, use the command system-switch-mail-nox.
Figure 38.1. Mail Transport Agent Switcher
If you select OK to change the MTA, the selected mail daemon is enabled to start at boot time, and the unselected mail daemons are disabled so that they do not start at boot time. The selected mail daemon is started, and any other mail daemon is stopped; thus making the changes take place immediately.
For more information about email protocols and MTAs, refer to the Red Hat Enterprise Linux Reference Guide.
Part VI. System Monitoring
System administrators also monitor system performance. Red Hat Enterprise Linux contains tools to assist administrators with these tasks.
Chapter 39. Gathering System Information
Before you learn how to configure your system, you should learn how to gather essential system information. For example, you should know how to find the amount of free memory, the amount of available hard drive space, how your hard drive is partitioned, and what processes are running. This chapter discusses how to retrieve this type of information from your Red Hat Enterprise Linux system using simple commands and a few simple programs.
1. System Processes
The ps ax command dspays a st of current system processes, ncudng processes
owned by other users. To dspay the owner aongsde each process, use the ps aux
command. Ths st s a statc st; n other words, t s a snapshot of what was
runnng when you nvoked the command. If you want a constanty updated st of
runnng processes, use top as descrbed beow.
The ps output can be ong. To prevent t from scrong off the screen, you can ppe t
through ess:
ps aux | ess
You can use the ps command n combnaton wth the grep command to see f a
process s runnng. For exampe, to determne f Emacs s runnng, use the foowng
command:
ps ax | grep emacs
The top command dspays currenty runnng processes and mportant nformaton
about them ncudng ther memory and CPU usage. The st s both rea-tme and
nteractve. An exampe of output from the top command s provded as foows:
top - 15:02:46 up 35 mn, 4 users, oad average: 0.17, 0.65, 1.00 Tasks: 110 tota, 1
runnng, 107 seepng, 0 stopped, 2 zombe Cpu(s): 41.1% us, 2.0% sy, 0.0% n, 56.6% d,
0.0% wa, 0.3% h, 0.0% s Mem: 775024k tota, 772028k used, 2996k free, 68468k buffers
Swap: 1048568k tota, 176k used, 1048392k free, 441172k cached PID USER PR NI VIRT
RES SHR S %CPU %MEM TIME+ COMMAND 4624 root 15 0 40192 18m 7228 S 28.4 2.4
1:23.21 X 4926 mhdeo 15 0 55564 33m 9784 S 13.5 4.4 0:25.96 gnome-termna 6475
mhdeo 16 0 3612 968 760 R 0.7 0.1 0:00.11 top 4920 mhdeo 15 0 20872 10m 7808 S 0.3
1.4 0:01.61 wnck-appet 1 root 16 0 1732 548 472 S 0.0 0.1 0:00.23 nt 2 root 34 19 0 0 0
Chapter 39.
427
S 0.0 0.0 0:00.00 ksoftrqd/0 3 root 5 -10 0 0 0 S 0.0 0.0 0:00.03 events/0 4 root 6 -10 0 0
0 S 0.0 0.0 0:00.02 kheper 5 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kacpd 29 root 5 -10 0 0 0 S
0.0 0.0 0:00.00 kbockd/0 47 root 16 0 0 0 0 S 0.0 0.0 0:01.74 pdfush 50 root 11 -10 0 0 0
S 0.0 0.0 0:00.00 ao/0 30 root 15 0 0 0 0 S 0.0 0.0 0:00.05 khubd 49 root 16 0 0 0 0 S 0.0
0.0 0:01.44 kswapd0
To ext top, press the q key.
Tabe 39.1, "Interactve top commands" contans usefu nteractve commands that
you can use wth top. For more nformaton, refer to the top(1) manua page.
Command Description
Space Immedatey refresh the dspay
h Dspay a hep screen
k K a process. You are prompted for the
process ID and the sgna to send to t.
n Change the number of processes
dspayed. You are prompted to enter
the number.
u Sort by user.
M Sort by memory usage.
P Sort by CPU usage.
Table 39.1. lnteractive top commands
If you prefer a graphical interface for top, you can use the GNOME System Monitor. To start it from the desktop, select System => Administration => System Monitor or type gnome-system-monitor at a shell prompt (such as an XTerm). Select the Process Listing tab.
The GNOME System Monitor allows you to search for a process in the list of running processes. Using the Gnome System Monitor, you can also view all processes, your processes, or active processes.
The Edit menu item allows you to:
Stop a process.
Chapter 39. Gathering System ...
428
Continue or start a process.
End a process.
Kill a process.
Change the priority of a selected process.
Edit the System Monitor preferences. These include changing the interval seconds to refresh the list and selecting process fields to display in the System Monitor window.
The View menu item allows you to:
View only active processes.
View all processes.
View my processes.
View process dependencies.
Hide a process.
View hidden processes.
View memory maps.
View the files opened by the selected process.
To stop a process, select it and click End Process. Alternatively you can also stop a process by selecting it, clicking Edit on your menu and selecting Stop Process.
To sort the information by a specific column, click on the name of the column. This sorts the information by the selected column in ascending order. Click on the name of the column again to toggle the sort between ascending and descending order.
Figure 39.1. GNOME System Monitor
2. Memory Usage
The free command displays the total amount of physical memory and swap space for the system as well as the amount of memory that is used, free, shared, in kernel buffers, and cached.
             total       used       free     shared    buffers     cached
Mem:        645712     549720      95992          0     176248     224452
-/+ buffers/cache:     149020     496692
Swap:      1310712          0    1310712
The command free -m shows the same information in megabytes, which are easier to read.
             total       used       free     shared    buffers     cached
Mem:           630        536         93          0        172        219
-/+ buffers/cache:        145        485
Swap:         1279          0       1279
If you prefer a graphical interface for free, you can use the GNOME System Monitor. To start it from the desktop, go to System => Administration => System Monitor or type gnome-system-monitor at a shell prompt (such as an XTerm). Click on the Resources tab.
Figure 39.2. GNOME System Monitor - Resources tab
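The "-/+ buffers/cache" line that free prints is the figure worth watching on a server, because the raw "used" column counts reclaimable cache as if it were occupied. The following script is an added example, not part of the Red Hat guide: it recomputes that line from the "Mem:" row and derives a memory-pressure percentage from it. SAMPLE_FREE is constructed to match the free output shown above; on a live system substitute "$(free)".

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: recompute the "-/+ buffers/cache"
# line of free from the "Mem:" line, and turn it into a memory-pressure figure.
# SAMPLE_FREE is constructed to match the free output shown in the text; on a
# live system use "$(free)" in its place.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:        645712     549720      95992          0     176248     224452
-/+ buffers/cache:     149020     496692
Swap:      1310712          0    1310712'

# mem_app_usage FREE_OUTPUT
# Prints "<used by applications> <available to applications>" in kB, which is
# what the -/+ buffers/cache line reports: buffers and page cache are reclaimable,
# so they are subtracted from "used" and added to "free".
mem_app_usage() {
    printf '%s\n' "$1" | awk '
        $1 == "Mem:" {
            used = $3; free = $4; buffers = $6; cached = $7
            print used - buffers - cached, free + buffers + cached
        }'
}

# mem_pressure_pct FREE_OUTPUT
# Percentage of physical memory held by applications. Alerting on the raw
# "used" column instead would fire on a healthy box whose RAM is full of cache.
mem_pressure_pct() {
    printf '%s\n' "$1" | awk '
        $1 == "Mem:" {
            total = $2; used = $3; buffers = $6; cached = $7
            printf "%d\n", (used - buffers - cached) * 100 / total
        }'
}

mem_app_usage "$SAMPLE_FREE"      # 149020 496692
mem_pressure_pct "$SAMPLE_FREE"   # 23
```

The two numbers printed by mem_app_usage are exactly the 149020 and 496692 of the sample output, which confirms how free derives that line: only about 23% of this machine's RAM is really held by processes, although "used" suggests 85%.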
3. File Systems
The df command reports the system's disk space usage. If you type the command df at a shell prompt, the output looks similar to the following:
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                      11675568   6272120   4810348  57% /
/dev/sda1               100691      9281     86211  10% /boot
none                    322856         0    322856   0% /dev/shm
By default, this utility shows the partition size in 1 kilobyte blocks and the amount of used and available disk space in kilobytes. To view the information in megabytes and gigabytes, use the command df -h. The -h argument stands for human-readable format. The output looks similar to the following:
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       12G  6.0G  4.6G  57% /
/dev/sda1              99M  9.1M   85M  10% /boot
none                  316M     0  316M   0% /dev/shm
In the list of mounted partitions, there is an entry for /dev/shm. This entry represents the system's virtual memory file system.
The du command displays the estimated amount of space being used by files in a directory. If you type du at a shell prompt, the disk usage for each of the subdirectories is displayed in a list. The grand total for the current directory and its subdirectories is also shown as the last line in the list. If you do not want to see the totals for all the subdirectories, use the command du -hs to see only the grand total for the directory in human-readable format. Use the du --help command to see more options.
To view the system's partitions and disk space usage in a graphical format, use the Gnome System Monitor by clicking on System => Administration => System Monitor or type gnome-system-monitor at a shell prompt (such as an XTerm). Select the File Systems tab to view the system's partitions. The figure below illustrates the File Systems tab.
Figure 39.3. GNOME System Monitor - File Systems
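A full file system is a common cause of outages (and of lost audit logs), so df output is usually fed to a check rather than read by eye. The script below is an added example, not part of the Red Hat guide: it scans df output and lists every file system above a usage threshold, and separately lists the RAM-backed /dev/shm entry described above, whose filling up signals memory pressure rather than disk pressure. SAMPLE_DF is constructed from the figures shown above, written in the one-line-per-entry layout that df -P produces; on a live system substitute "$(df -P)".

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: report file systems whose Use%
# exceeds a threshold. SAMPLE_DF is constructed from the df output in the text,
# in df -P (POSIX) layout so that every entry stays on one line and the
# columns are stable: $5 is Use% and $6 the mount point.
SAMPLE_DF='Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 11675568 6272120 4810348  57% /
/dev/sda1               100691      9281     86211  10% /boot
none                    322856         0    322856   0% /dev/shm'

# full_filesystems THRESHOLD DF_OUTPUT
# Prints "<mount point> <use%>" for every file system above THRESHOLD percent.
full_filesystems() {
    threshold=$1
    printf '%s\n' "$2" | awk -v limit="$threshold" '
        NR > 1 {
            pct = $5; sub(/%$/, "", pct)
            if (pct + 0 > limit) print $6, pct
        }'
}

# ram_backed_mounts DF_OUTPUT
# The /dev/shm entry lives in RAM and swap, so it is listed separately: a full
# /dev/shm is a memory problem, and nothing on disk will free it.
ram_backed_mounts() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 == "/dev/shm" { print $6 }'
}

full_filesystems 50 "$SAMPLE_DF"    # / 57
ram_backed_mounts "$SAMPLE_DF"      # /dev/shm
```

Run with a threshold of 50, only the root volume (57%) is reported; lowering it to 5 adds /boot. The -P flag matters: without it, df wraps long device names such as the LVM path onto their own line, as the sample output in the text shows, and field positions are no longer reliable.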
4. Hardware
If you are having trouble configuring your hardware or just want to know what hardware is in your system, you can use the Hardware Browser application to display the hardware that can be probed. To start the program from the desktop, select System (the main menu on the panel) => Administration => Hardware or type hwbrowser at a shell prompt. As shown in Figure 39.4, "Hardware Browser", it displays your CD-ROM devices, diskette drives, hard drives and their partitions, network devices, pointing devices, system devices, and video cards. Click on the category name in the left menu, and the information is displayed.
Figure 39.4. Hardware Browser
The Device Manager application can also be used to display your system hardware. This application can be started by selecting System (the main menu on the panel) => Administration => Hardware like the Hardware Browser. To start the application from a terminal, type hal-device-manager. Depending on your installation preferences, the graphical menu above may start this application or the Hardware Browser when clicked. The figure below illustrates the Device Manager window.
Figure 39.5. Device Manager
You can also use the lspci command to list all PCI devices. Use the command lspci -v for more verbose information or lspci -vv for very verbose output.
For example, lspci can be used to determine the manufacturer, model, and memory size of a system's video card:
00:00.0 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
00:00.1 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
00:01.0 VGA compatible controller: S3 Inc. Savage 4 (rev 04)
00:02.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 08)
00:0f.0 ISA bridge: ServerWorks OSB4 South Bridge (rev 50)
00:0f.1 IDE interface: ServerWorks OSB4 IDE Controller
00:0f.2 USB Controller: ServerWorks OSB4/CSB5 OHCI USB Controller (rev 04)
01:03.0 SCSI storage controller: Adaptec AIC-7892P U160/m (rev 02)
01:05.0 RAID bus controller: IBM ServeRAID Controller
lspci is also useful to determine the network card in your system if you do not know the manufacturer or model number.
5. Additional Resources
To learn more about gathering system information, refer to the following resources.
5.1. Installed Documentation
ps --help - Displays a list of options that can be used with ps.
top manual page - Type man top to learn more about top and its many options.
free manual page - Type man free to learn more about free and its many options.
df manual page - Type man df to learn more about the df command and its many options.
du manual page - Type man du to learn more about the du command and its many options.
lspci manual page - Type man lspci to learn more about the lspci command and its many options.
/proc/ directory - The contents of the /proc/ directory can also be used to gather more detailed system information.
OProfile
OProfile is a low overhead, system-wide performance monitoring tool. It uses the performance monitoring hardware on the processor to retrieve information about the kernel and executables on the system, such as when memory is referenced, the number of L2 cache requests, and the number of hardware interrupts received. On a Red Hat Enterprise Linux system, the oprofile RPM package must be installed to use this tool.
Many processors include dedicated performance monitoring hardware. This hardware makes it possible to detect when certain events happen (such as the requested data not being in cache). The hardware normally takes the form of one or more counters that are incremented each time an event takes place. When the counter value essentially rolls over, an interrupt is generated, making it possible to control the amount of detail (and therefore, overhead) produced by performance monitoring.
OProfile uses this hardware (or a timer-based substitute in cases where performance monitoring hardware is not present) to collect samples of performance-related data each time a counter generates an interrupt. These samples are periodically written out to disk; later, the data contained in these samples can then be used to generate reports on system-level and application-level performance.
OProfile is a useful tool, but be aware of some limitations when using it:
Use of shared libraries - Samples for code in shared libraries are not attributed to the particular application unless the --separate=library option is used.
Performance monitoring samples are inexact - When a performance monitoring register triggers a sample, the interrupt handling is not precise like a divide by zero exception. Due to the out-of-order execution of instructions by the processor, the sample may be recorded on a nearby instruction.
opreport does not associate samples for inline functions properly - opreport uses a simple address range mechanism to determine which function an address is in. Inline function samples are not attributed to the inline function but rather to the function the inline function was inserted into.
OProfile accumulates data from multiple runs - OProfile is a system-wide profiler and expects processes to start up and shut down multiple times. Thus, samples from multiple runs accumulate. Use the command opcontrol --reset to clear out the samples from previous runs.
Non-CPU-limited performance problems - OProfile is oriented to finding problems with CPU-limited processes. OProfile does not identify processes that are asleep because they are waiting on locks or for some other event to occur (for example an I/O device to finish an operation).
1. Overview of Tools
Table 40.1, "OProfile Commands" provides a brief overview of the tools provided with the oprofile package.
Command      Description
op_help      Displays available events for the system's processor along with a brief description of each.
op_import    Converts sample database files from a foreign binary format to the native format for the system. Only use this option when analyzing a sample database from a different architecture.
opannotate   Creates annotated source for an executable if the application was compiled with debugging symbols. Refer to Section 5.3, "Using opannotate" for details.
opcontrol    Configures what data is collected. Refer to Section 2, "Configuring OProfile" for details.
opreport     Retrieves profile data. Refer to Section 5.1, "Using opreport" for details.
oprofiled    Runs as a daemon to periodically write sample data to disk.
Table 40.1. OProfile Commands
2. Configuring OProfile
Before OProfile can be run, it must be configured. At a minimum, selecting to monitor the kernel (or selecting not to monitor the kernel) is required. The following sections describe how to use the opcontrol utility to configure OProfile. As the opcontrol commands are executed, the setup options are saved to the /root/.oprofile/daemonrc file.
2.1. Specifying the Kernel
First, configure whether OProfile should monitor the kernel. This is the only configuration option that is required before starting OProfile. All others are optional.
To monitor the kernel, execute the following command as root:
opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinux
Note
The debuginfo package must be installed (which contains the uncompressed kernel) in order to monitor the kernel.
To configure OProfile not to monitor the kernel, execute the following command as root:
opcontrol --setup --no-vmlinux
This command also loads the oprofile kernel module, if it is not already loaded, and creates the /dev/oprofile/ directory, if it does not already exist. Refer to Section 6, "Understanding /dev/oprofile/" for details about this directory.
Note
Even if OProfile is configured not to profile the kernel, the SMP kernel still must be running so that the oprofile module can be loaded from it.
Setting whether samples should be collected within the kernel only changes what data is collected, not how or where the collected data is stored. To generate different sample files for the kernel and application libraries, refer to Section 2.3, "Separating Kernel and User-space Profiles".
2.2. Setting Events to Monitor
Most processors contain counters, which are used by OProfile to monitor specific events. As shown in Table 40.2, "OProfile Processors and Counters", the number of counters available depends on the processor.
Processor                          cpu_type         Number of Counters
Pentium Pro                        i386/ppro        2
Pentium II                         i386/pii         2
Pentium III                        i386/piii        2
Pentium 4 (non-hyper-threaded)     i386/p4          8
Pentium 4 (hyper-threaded)         i386/p4-ht       4
Athlon                             i386/athlon      4
AMD64                              x86-64/hammer    4
Itanium                            ia64/itanium     4
Itanium 2                          ia64/itanium2    4
TIMER_INT                          timer            1
IBM eServer iSeries and pSeries    timer            1
                                   ppc64/power4     8
                                   ppc64/power5     6
                                   ppc64/970        8
IBM eServer S/390 and S/390x       timer            1
IBM eServer zSeries                timer            1
Table 40.2. OProfile Processors and Counters
Use Table 40.2, "OProfile Processors and Counters" to verify that the correct processor type was detected and to determine the number of events that can be monitored simultaneously. timer is used as the processor type if the processor does not have supported performance monitoring hardware.
If timer is used, events cannot be set for any processor because the hardware does not have support for hardware performance counters. Instead, the timer interrupt is used for profiling.
If timer is not used as the processor type, the events monitored can be changed, and counter 0 for the processor is set to a time-based event by default. If more than one counter exists on the processor, the counters other than counter 0 are not set to an event by default. The default events monitored are shown in Table 40.3, "Default Events".
Processor                                            Default Event for Counter   Description
Pentium Pro, Pentium II, Pentium III, Athlon, AMD64  CPU_CLK_UNHALTED            The processor's clock is not halted
Pentium 4 (HT and non-HT)                            GLOBAL_POWER_EVENTS         The time during which the processor is not stopped
Itanium 2                                            CPU_CYCLES                  CPU Cycles
TIMER_INT                                            (none)                      Sample for each timer interrupt
ppc64/power4                                         CYCLES                      Processor Cycles
ppc64/power5                                         CYCLES                      Processor Cycles
ppc64/970                                            CYCLES                      Processor Cycles
Table 40.3. Default Events
The number of events that can be monitored at one time is determined by the number of counters for the processor. However, it is not a one-to-one correlation; on some processors, certain events must be mapped to specific counters. To determine the number of counters available, execute the following command:
cat /dev/oprofile/cpu_type
The events available vary depending on the processor type. To determine the events available for profiling, execute the following command as root (the list is specific to the system's processor type):
op_help
The events for each counter can be configured via the command line or with a graphical interface. For more information on the graphical interface, refer to Section 8, "Graphical Interface". If the counter cannot be set to a specific event, an error message is displayed.
To set the event for each configurable counter via the command line, use opcontrol:
opcontrol --event=<event-name>:<sample-rate>
Replace <event-name> with the exact name of the event from op_help, and replace <sample-rate> with the number of events between samples.
2.2.1. Sampling Rate
By default, a time-based event set is selected. It creates a sample every 100,000 clock cycles per processor. If the timer interrupt is used, the timer is set to whatever the jiffy rate is and is not user-settable. If the cpu_type is not timer, each event can have a sampling rate set for it. The sampling rate is the number of events between each sample snapshot.
When setting the event for the counter, a sample rate can also be specified:
opcontrol --event=<event-name>:<sample-rate>
Replace <sample-rate> with the number of events to wait before sampling again. The smaller the count, the more frequent the samples. For events that do not happen frequently, a lower count may be needed to capture the event instances.
Caution
Be extremely careful when setting sampling rates. Sampling too frequently can overload the system, causing the system to appear as if it is frozen or causing the system to actually freeze.
2.2.2. Unit Masks
If the cpu_type is not timer, unit masks may also be required to further define the event.
Unit masks for each event are listed with the op_help command. The values for each unit mask are listed in hexadecimal format. To specify more than one unit mask, the hexadecimal values must be combined using a bitwise or operation.
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>
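Sections 2.2.1 and 2.2.2 together describe how an --event argument is assembled: an event name, a sample rate that must not be too small, and a unit mask that is the bitwise OR of the individual masks printed by op_help. The script below is an added example, not part of the Red Hat guide or the oprofile package: it builds that argument and refuses a sample rate below a floor, so that a mistyped rate (100 instead of 100000) is caught before it reaches opcontrol. The event name, the mask values and the MIN_SAMPLE_RATE floor are constructed placeholders; take real values from op_help for your processor.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the oprofile package: assemble
# an opcontrol --event specification as Section 2.2 describes it, combining
# unit masks with a bitwise OR and refusing sample rates below a floor. The
# event name, the mask values and MIN_SAMPLE_RATE are constructed placeholders.
MIN_SAMPLE_RATE=1000   # assumed floor; sampling more often than this risks freezing the system

# combine_unit_masks MASK... -> one hex mask, the bitwise OR of the arguments
combine_unit_masks() {
    mask=0
    for m in "$@"; do
        mask=$(( mask | $m ))
    done
    printf '0x%02x\n' "$mask"
}

# event_spec EVENT RATE KERNEL USER MASK...
# Prints "EVENT:RATE:MASK:KERNEL:USER", the full form of the --event= argument
# from Sections 2.2 and 2.3, or fails without printing anything when RATE is
# below MIN_SAMPLE_RATE.
event_spec() {
    event=$1; rate=$2; kernel=$3; user=$4
    shift 4
    if [ "$rate" -lt "$MIN_SAMPLE_RATE" ]; then
        echo "refusing sample rate $rate (< $MIN_SAMPLE_RATE): sampling this often can freeze the system" >&2
        return 1
    fi
    mask=$(combine_unit_masks "$@")
    printf '%s:%s:%s:%s:%s\n' "$event" "$rate" "$mask" "$kernel" "$user"
}

# Usage: profile CPU_CLK_UNHALTED in kernel and user mode, one sample every
# 100000 events, with two constructed unit masks. On a real system:
#   opcontrol --event="$(event_spec CPU_CLK_UNHALTED 100000 1 1 0x01 0x04)"
combine_unit_masks 0x01 0x04 0x10                   # 0x15
event_spec CPU_CLK_UNHALTED 100000 1 1 0x01 0x04   # CPU_CLK_UNHALTED:100000:0x05:1:1
```

Because event_spec returns non-zero on a bad rate, a wrapper that uses `opcontrol --event="$(event_spec ...)"` should check the result first (or run with set -e), otherwise opcontrol would be handed an empty event string.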
2.3. Separating Kernel and User-space Profiles
By default, kernel mode and user mode information is gathered for each event. To configure OProfile not to count events in kernel mode for a specific counter, execute the following command:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:0
Execute the following command to start profiling kernel mode for the counter again:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:1
To configure OProfile not to count events in user mode for a specific counter, execute the following command:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:0
Execute the following command to start profiling user mode for the counter again:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:1
When the OProfile daemon writes the profile data to sample files, it can separate the kernel and library profile data into separate sample files. To configure how the daemon writes to sample files, execute the following command as root:
opcontrol --separate=<choice>
<choice> can be one of the following:
none - do not separate the profiles (default)
library - generate per-application profiles for libraries
kernel - generate per-application profiles for the kernel and kernel modules
all - generate per-application profiles for libraries and per-application profiles for the kernel and kernel modules
If --separate=library is used, the sample file name includes the name of the executable as well as the name of the library.
3. Starting and Stopping OProfile
To start monitoring the system with OProfile, execute the following command as root:
opcontrol --start
Output similar to the following is displayed:
Using log file /var/lib/oprofile/oprofiled.log
Daemon started.
Profiler running.
The settings in /root/.oprofile/daemonrc are used.
The OProfile daemon, oprofiled, is started; it periodically writes the sample data to the /var/lib/oprofile/samples/ directory. The log file for the daemon is located at /var/lib/oprofile/oprofiled.log.
To stop the profiler, execute the following command as root:
opcontrol --shutdown
4. Saving Data
Sometimes it is useful to save samples at a specific time. For example, when profiling an executable, it may be useful to gather different samples based on different input data sets. If the number of events to be monitored exceeds the number of counters available for the processor, multiple runs of OProfile can be used to collect data, saving the sample data to different files each time.
To save the current set of sample files, execute the following command, replacing <name> with a unique descriptive name for the current session.
opcontrol --save=<name>
The directory /var/lib/oprofile/samples/name/ is created and the current sample files are copied to it.
5. Analyzing the Data
Periodically, the OProfile daemon, oprofiled, collects the samples and writes them to the /var/lib/oprofile/samples/ directory. Before reading the data, make sure all data has been written to this directory by executing the following command as root:
opcontrol --dump
Each sample file name is based on the name of the executable. For example, the samples for the default event on a Pentium III processor for /bin/bash becomes:
{root}/bin/bash/{dep}/{root}/bin/bash/CPU_CLK_UNHALTED.100000
The following tools are available to profile the sample data once it has been collected:
opreport
opannotate
Use these tools, along with the binaries profiled, to generate reports that can be further analyzed.
Warning
The executable being profiled must be used with these tools to analyze the data. If it must change after the data is collected, backup the executable used to create the samples as well as the sample files.
Samples for each executable are written to a single sample file. Samples from each dynamically linked library are also written to a single sample file. While OProfile is running, if the executable being monitored changes and a sample file for the executable exists, the existing sample file is automatically deleted. Thus, if the existing sample file is needed, it must be backed up, along with the executable used to create it before replacing the executable with a new version. Refer to Section 4, "Saving Data" for details on how to backup the sample file.
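Sections 3, 4 and 5 are the steps of one procedure: reset the accumulated samples, start the daemon, run the workload, flush the daemon's buffers, save the session under a descriptive name, and shut down. The script below is an added example, not part of the Red Hat guide or the oprofile package, that drives that sequence from a single function. OPCONTROL can be pointed at a stub, as the dry run at the end does, so the order of calls can be checked on a machine without the oprofile package; on a real system leave it unset and run as root. The session label, the stub and the call log are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the oprofile package: run one
# complete OProfile session as Sections 3 to 5 describe it. OPCONTROL names
# the opcontrol binary; the dry run below replaces it with a stub (constructed).
OPCONTROL=${OPCONTROL:-opcontrol}

# session_name LABEL: a unique, descriptive name for --save. opcontrol creates
# /var/lib/oprofile/samples/<name>/, so anything outside a safe character set
# is replaced with an underscore before it can become part of a path.
session_name() {
    printf '%s\n' "$1-$(date +%Y%m%d-%H%M%S)" | tr -c 'A-Za-z0-9_.\n-' '_'
}

# profile_session LABEL COMMAND...: profile COMMAND and print the saved
# session name. Samples accumulate across runs (Section "OProfile accumulates
# data from multiple runs"), so --reset comes first; --dump before --save makes
# sure the daemon has written everything to disk before the copy is taken.
profile_session() {
    label=$1; shift
    name=$(session_name "$label")
    "$OPCONTROL" --reset
    "$OPCONTROL" --start
    "$@" || echo "workload exited with status $?" >&2
    "$OPCONTROL" --dump
    "$OPCONTROL" --save="$name"
    "$OPCONTROL" --shutdown
    printf '%s\n' "$name"
}

# Dry run: a stub that records every opcontrol invocation instead of running it.
CALL_LOG=$(mktemp)
fake_opcontrol() { printf 'opcontrol %s\n' "$*" >> "$CALL_LOG"; }
OPCONTROL=fake_opcontrol

# steps_issued: the recorded sequence, with the timestamped name normalised
steps_issued() { sed 's/--save=.*/--save=<name>/' "$CALL_LOG"; }

SESSION=$(profile_session nightly-build true)   # "true" stands in for the workload
echo "saved as $SESSION"
steps_issued
```

The recorded sequence is --reset, --start, --dump, --save=<name>, --shutdown, with the workload in between; that is the order the sections above prescribe, and it is the order that keeps samples from earlier runs out of the new session.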
5.1. Using opreport
The opreport tool provides an overview of all the executables being profiled.
The following is part of an example output:
Profiling through timer interrupt
          TIMER:0|
  samples|      %|
------------------
    25926 97.5212 no-vmlinux
      359  1.3504 pi
       65  0.2445 Xorg
       62  0.2332 libvte.so.4.4.0
       56  0.2106 libc-2.3.4.so
       34  0.1279 libglib-2.0.so.0.400.7
       19  0.0715 libXft.so.2.1.2
       17  0.0639 bash
        8  0.0301 ld-2.3.4.so
        8  0.0301 libgdk-x11-2.0.so.0.400.13
        6  0.0226 libgobject-2.0.so.0.400.7
        5  0.0188 oprofiled
        4  0.0150 libpthread-2.3.4.so
        4  0.0150 libgtk-x11-2.0.so.0.400.13
        3  0.0113 libXrender.so.1.2.2
        3  0.0113 du
        1  0.0038 libcrypto.so.0.9.7a
        1  0.0038 libpam.so.0.77
        1  0.0038 libtermcap.so.2.0.8
        1  0.0038 libX11.so.6.2
        1  0.0038 libgthread-2.0.so.0.400.7
        1  0.0038 libwnck-1.so.4.9.0
Each executable is listed on its own line. The first column is the number of samples recorded for the executable. The second column is the percentage of samples relative to the total number of samples. The third column is the name of the executable.
Refer to the opreport man page for a list of available command line options, such as the -r option used to sort the output from the executable with the smallest number of samples to the one with the largest number of samples.
5.2. Using opreport on a Single Executable
To retrieve more detailed profiled information about a specific executable, use opreport:
opreport <mode> <executable>
<executable> must be the full path to the executable to be analyzed. <mode> must be one of the following:
-l
List sample data by symbols. For example, the following is part of the output from running the command opreport -l /lib/tls/libc-<version>.so:
samples  %        symbol name
12       21.4286  __gconv_transform_utf8_internal
5        8.9286   _int_malloc
4        7.1429   malloc
3        5.3571   __i686.get_pc_thunk.bx
3        5.3571   _dl_mcount_wrapper_check
3        5.3571   mbrtowc
3        5.3571   memcpy
2        3.5714   _int_realloc
2        3.5714   _nl_intern_locale_data
2        3.5714   free
2        3.5714   strcmp
1        1.7857   __ctype_get_mb_cur_max
1        1.7857   __unregister_atfork
1        1.7857   __write_nocancel
1        1.7857   _dl_addr
1        1.7857   _int_free
1        1.7857   _itoa_word
1        1.7857   calc_eclosure_iter
1        1.7857   fopen@@GLIBC_2.1
1        1.7857   getpid
1        1.7857   memmove
1        1.7857   msort_with_tmp
1        1.7857   strcpy
1        1.7857   strlen
1        1.7857   vfprintf
1        1.7857   write
The first column is the number of samples for the symbol, the second column is the percentage of samples for this symbol relative to the overall samples for the executable, and the third column is the symbol name.
To sort the output from the largest number of samples to the smallest (reverse order), use -r in conjunction with the -l option.
-i <symbol-name>
List sample data specific to a symbol name. For example, the following output is from the command opreport -l -i __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
samples  %        symbol name
12       100.000  __gconv_transform_utf8_internal
The first line is a summary for the symbol/executable combination.
The first column is the number of samples for the memory symbol. The second column is the percentage of samples for the memory address relative to the total number of samples for the symbol. The third column is the symbol name.
-d
List sample data by symbols with more detail than -l. For example, the following output is from the command opreport -l -d __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
vma       samples  %        symbol name
00a98640  12       100.000  __gconv_transform_utf8_internal
00a98640  1        8.3333
00a9868c  2        16.6667
00a9869a  1        8.3333
00a986c1  1        8.3333
00a98720  1        8.3333
00a98749  1        8.3333
00a98753  1        8.3333
00a98789  1        8.3333
00a98864  1        8.3333
00a98869  1        8.3333
00a98b08  1        8.3333
The data is the same as the -l option except that for each symbol, each virtual memory address used is shown. For each virtual memory address, the number of samples and percentage of samples relative to the number of samples for the symbol is displayed.
-x <symbol-name>
Exclude the comma-separated list of symbols from the output.
session:<name>
Specify the full path to the session or a directory relative to the /var/lib/oprofile/samples/ directory.
5.3. Using opannotate
The opannotate tool tries to match the samples for particular instructions to the corresponding lines in the source code. The resulting files generated should have the samples for the lines at the left. It also puts in a comment at the beginning of each function listing the total samples for the function.
For this utility to work, the executable must be compiled with GCC's -g option. By default, Red Hat Enterprise Linux packages are not compiled with this option.
The general syntax for opannotate is as follows:
opannotate --search-dirs <src-dir> --source <executable>
The directory containing the source code and the executable to be analyzed must be specified. Refer to the opannotate man page for a list of additional command line options.
6. Understanding /dev/oprofile/
The /dev/oprofile/ directory contains the file system for OProfile. Use the cat command to display the values of the virtual files in this file system. For example, the following command displays the type of processor OProfile detected:
cat /dev/oprofile/cpu_type
A directory exists in /dev/oprofile/ for each counter. For example, if there are 2 counters, the directories /dev/oprofile/0/ and /dev/oprofile/1/ exist.
Each directory for a counter contains the following files:
count - The interval between samples.
enabled - If 0, the counter is off and no samples are collected for it; if 1, the counter is on and samples are being collected for it.
event - The event to monitor.
kernel - If 0, samples are not collected for this counter event when the processor is in kernel-space; if 1, samples are collected even if the processor is in kernel-space.
unit_mask - Defines which unit masks are enabled for the counter.
user - If 0, samples are not collected for the counter event when the processor is in user-space; if 1, samples are collected even if the processor is in user-space.
The values of these files can be retrieved with the cat command. For example:
cat /dev/oprofile/0/count
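Reading the six files one cat at a time is tedious, and the question that matters on a shared machine is usually "which counters are live, and is any of them sampling the kernel?". The script below is an added example, not part of the Red Hat guide or the oprofile package: it summarises every counter directory under a root laid out like /dev/oprofile/. Because the real tree only exists once the oprofile module is loaded, the example builds a stand-in tree in a temporary directory (constructed: an i386/piii cpu_type with counter 0 set to the default time-based event and counter 1 untouched); point OPROFILE_ROOT at /dev/oprofile on a live system and drop the make_counter calls.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the oprofile package: summarise
# the per-counter files of a /dev/oprofile/-style tree. The tree built here is
# a constructed stand-in so the script runs without the oprofile module.
OPROFILE_ROOT=$(mktemp -d)
trap 'rm -rf "$OPROFILE_ROOT"' EXIT

make_counter() {   # make_counter N EVENT COUNT UNIT_MASK KERNEL USER ENABLED
    d="$OPROFILE_ROOT/$1"; mkdir -p "$d"
    printf '%s\n' "$2" > "$d/event";     printf '%s\n' "$3" > "$d/count"
    printf '%s\n' "$4" > "$d/unit_mask"; printf '%s\n' "$5" > "$d/kernel"
    printf '%s\n' "$6" > "$d/user";      printf '%s\n' "$7" > "$d/enabled"
}
printf 'i386/piii\n' > "$OPROFILE_ROOT/cpu_type"
make_counter 0 CPU_CLK_UNHALTED 100000 0x00 1 1 1   # default time-based event
make_counter 1 0 0 0x00 0 0 0                        # second counter, not set up

# counter_summary ROOT: one line per counter directory:
#   "<n> <event> every <count> events mask <mask> kernel=<0|1> user=<0|1> enabled=<0|1>"
counter_summary() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        printf '%s %s every %s events mask %s kernel=%s user=%s enabled=%s\n' \
            "${d##*/}" "$(cat "$d/event")" "$(cat "$d/count")" "$(cat "$d/unit_mask")" \
            "$(cat "$d/kernel")" "$(cat "$d/user")" "$(cat "$d/enabled")"
    done
}

# enabled_counters ROOT: numbers of the counters that are collecting samples
enabled_counters() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        [ "$(cat "$d/enabled")" = 1 ] && printf '%s\n' "${d##*/}"
    done
    return 0
}

# kernel_profiling_active ROOT: succeeds if any enabled counter samples kernel
# mode, i.e. kernel-space activity will show up in the report
kernel_profiling_active() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        [ "$(cat "$d/enabled")" = 1 ] && [ "$(cat "$d/kernel")" = 1 ] && return 0
    done
    return 1
}

cat "$OPROFILE_ROOT/cpu_type"          # i386/piii
counter_summary "$OPROFILE_ROOT"
enabled_counters "$OPROFILE_ROOT"      # 0
kernel_profiling_active "$OPROFILE_ROOT" && echo "kernel samples will be collected"
```

The summary line for counter 0 reads "0 CPU_CLK_UNHALTED every 100000 events mask 0x00 kernel=1 user=1 enabled=1", which is the configuration Section 2.2.1 describes as the default; counter 1 shows enabled=0 and is skipped by enabled_counters.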
7. Example Usage
While OProfile can be used by developers to analyze application performance, it can also be used by system administrators to perform system analysis. For example:
Determine which applications and services are used the most on a system - opreport can be used to determine how much processor time an application or service uses. If the system is used for multiple services but is under performing, the services consuming the most processor time can be moved to dedicated systems.
Determine processor usage - The CPU_CLK_UNHALTED event can be monitored to determine the processor load over a given period of time. This data can then be used to determine if additional processors or a faster processor might improve system performance.
8. Graphical Interface
Some OProfile preferences can be set with a graphical interface. To start it, execute the oprof_start command as root at a shell prompt.
After changing any of the options, save them by clicking the Save and quit button. The preferences are written to /root/.oprofile/daemonrc, and the application exits. Exiting the application does not stop OProfile from sampling.
On the Setup tab, to set events for the processor counters as discussed in Section 2.2, "Setting Events to Monitor", select the counter from the pulldown menu and select the event from the list. A brief description of the event appears in the text box below the list. Only events available for the specific counter and the specific architecture are displayed. The interface also displays whether the profiler is running and some brief statistics about it.
Figure 40.1. OProfile Setup
On the right side of the tab, select the Profile kernel option to count events in kernel mode for the currently selected event, as discussed in Section 2.3, "Separating Kernel and User-space Profiles". If this option is unselected, no samples are collected for the kernel.
Select the Profile user binaries option to count events in user mode for the currently selected event, as discussed in Section 2.3, "Separating Kernel and User-space Profiles". If this option is unselected, no samples are collected for user applications.
Use the Count text field to set the sampling rate for the currently selected event as discussed in Section 2.2.1, "Sampling Rate".
If any unit masks are available for the currently selected event, as discussed in Section 2.2.2, "Unit Masks", they are displayed in the Unit Masks area on the right side of the Setup tab. Select the checkbox beside the unit mask to enable it for the event.
On the Configuration tab, to profile the kernel, enter the name and location of the vmlinux file for the kernel to monitor in the Kernel image file text field. To configure OProfile not to monitor the kernel, select No kernel image.
Figure 40.2. OProfile Configuration
If the Verbose option is selected, the oprofiled daemon log includes more information.
If Per-application kernel samples files is selected, OProfile generates per-application profiles for the kernel and kernel modules as discussed in Section 2.3, "Separating Kernel and User-space Profiles". This is equivalent to the opcontrol --separate=kernel command. If Per-application shared libs samples files is selected, OProfile generates per-application profiles for libraries. This is equivalent to the opcontrol --separate=library command.
To force data to be written to samples files as discussed in Section 5, "Analyzing the Data", click the Flush profiler data button. This is equivalent to the opcontrol --dump command.
To start OProfile from the graphical interface, click Start profiler. To stop the profiler, click Stop profiler. Exiting the application does not stop OProfile from sampling.
9. Additional Resources
This chapter only highlights OProfile and how to configure and use it. To learn more, refer to the following resources.
9.1. Installed Docs
/usr/share/doc/oprofile-<version>/oprofile.html - OProfile Manual
oprofile man page - Discusses opcontrol, opreport, opannotate, and op_help
9.2. Useful Websites
http://oprofile.sourceforge.net/ - Contains the latest documentation, mailing lists, IRC channels, and more.
Index
Symbols
/dev/oprofile/, 447
/dev/shm, 432
/etc/auto.master, 244
/etc/exports, 249
/etc/fstab, 87, 243
/etc/fstab file
enabling disk quotas with, 135
/etc/hosts, 195
/etc/httpd/conf/httpd.conf, 283
/etc/sysconfig/dhcpd, 277
/proc/ directory, 434
/var/spool/cron, 393
A
Access Control Lists (see ACLs)
ACLs
access ACLs, 144
additional resources, 148
archiving with, 146
default ACLs, 145
getfacl, 145
mounting file systems with, 143
mounting NFS shares with, 143
on ext3 file systems, 143
retrieving, 145
setfacl, 144
setting
access ACLs, 144
with Samba, 143
adding
group, 363
user, 362
Apache HTTP Server (see HTTP Configuration Tool)
additional resources, 306
related books, 306
securing, 312
APXS, 310
at, 394
additional resources, 397
authconfig (see Authentication Configuration Tool)
authentication, 325
Authentication Configuration Tool, 325
authentication, 327
Kerberos support, 327
LDAP support, 328
MD5 passwords, 329
shadow passwords, 328
SMB support, 328
Winbind, 329
command line version, 329
user information, 325
cache, 327
Hesiod, 327
LDAP, 326
NIS, 326
Winbind, 327
autofs, 244
/etc/auto.master, 244
Automated Tasks, 391
B
batch, 394
additional resources, 397
boot media, 407
boot partition, 95
booting
emergency mode, 82
rescue mode, 78
single-user mode, 81
C
CA (see secure server)
chage command
forcing password expiration with, 364
chkconfig, 229
color depth, 351
command line options
printing from, 388
configuration
console access, 335
NFS, 243
console
making files accessible from, 337
console access
configuring, 335
defining, 337
disabling, 336
enabling, 338
Cron, 391
cron
additional resources, 397
configuration file, 391
example crontabs, 393
user-defined tasks, 393
crontab, 391
CtrlAltDel
shutdown, disabling, 335
CUPS, 377
D
date configuration, 341
dateconfig (see Time and Date Properties Tool)
Demilitarized Zone, 217
devel package, 310
df, 431
DHCP, 271
additional resources, 280
client configuration, 279
command line options, 277
connecting to, 279
dhcpd.conf, 271
dhcpd.leases, 277
dhcrelay, 278
global parameters, 272
group, 274
options, 272
reasons for using, 271
Relay Agent, 278
server configuration, 271
shared-network, 274
starting the server, 277
stopping the server, 277
subnet, 273
dhcpd.conf, 271
dhcpd.leases, 277
dhcrelay, 278
disk quotas, 135
additional resources, 142
assigning per file system, 139
assigning per group, 139
assigning per user, 137
disabling, 140
enabling, 135, 140
/etc/fstab, modifying, 135
creating quota files, 136
quotacheck, running, 136
grace period, 138
hard limit, 138
management of, 140
quotacheck command, using to check, 141
reporting, 140
soft limit, 138
disk storage (see disk quotas)
parted (see parted)
diskless environment, 71
adding hosts, 73
Network Booting Tool, 72
NFS configuration, 72
overview, 71
display
settings for X, 351
DMZ (see Demilitarized Zone)
documentation
finding installed, 163
DSA keys
generating, 238
DSOs
loading, 310
du, 432
Dynamic Host Configuration Protocol (see DHCP)
E
e2fsck, 87
e2label, 129
emergency mode, 82
Ethernet connection (see network configuration)
exim, 423
expiration of password, forcing, 364
exporting NFS file Systems, 247
exports, 249
ext2
reverting from ext3, 87
ext2online, 88
ext3
converting from ext2, 86
creating, 86
features, 85
ext3 file system
resizing, 88
F
feedback, xx
file systems, 431
ext2 (see ext2)
ext3 (see ext3)
LVM (see LVM)
NFS (see NFS)
findsmb, 267
firewall configuration (see Security Level Configuration Tool)
firewall types, 203
network address translation (NAT), 203
packet filter, 203
proxy, 203
firewalls, 203
additional resources, 220
and connection tracking, 219
and malicious software, 218
policies, 212
stateful, 219
types, 203
Firewalls
iptables, 205
floppy group, use of, 339
free, 430
ftp, 233
G
getfacl, 145
GNOME System Monitor, 428
gnome-system-monitor, 428
GnuPG
checking RPM package signatures, 161
group configuration
adding groups, 360
filtering list of groups, 356
groupadd, 363
modify users in groups, 361
modifying group properties, 360
viewing list of groups, 355
groups (see group configuration)
additional resources, 375
installed documentation, 375
floppy, use of, 339
GID, 355
introducing, 355
shared directories, 373
457
standard, 370
toos for management of
groupadd, 361, 373
system-confg-users, 373
User Manager, 361
user prvate, 373
H
hardware
vewng, 432
Hardware Browser, 432
Hardware RAID (see RAID)
hesod, 327
HTTP Confguraton Too
drectves (see HTTP drectves)
error og, 289
modues, 283
transfer og, 289
HTTP drectves
DrectoryIndex, 288
ErrorDocument, 288
ErrorLog, 290
Group, 303
HostnameLookups, 291
KeepAve, 305
KeepAveTmeout, 305
Lsten, 285
LogFormat, 290
LogLeve, 291
MaxCents, 304
MaxKeepAveRequests, 305
Optons, 288
ServerAdmn, 285
ServerName, 285
TmeOut, 304
TransferLog, 290
User, 303
httpd, 283
hwbrowser, 432
l
nformaton
about your system, 427
nsmod, 419
nstaaton
kckstart (see kckstart nstaatons)
LVM, 93
PXE (see PXE nstaatons)
software RAID, 109
Internet connecton (see network
confguraton)
ntroducton, xv
p6tabes, 220
ptabes, 205, 210
addtona resources, 220
and DMZs, 217
and macous software, 218
chans, 211
FORWARD, 214
INPUT, 213
OUTPUT, 213
POSTROUTING, 216
PREROUTING, 216, 217
connecton trackng, 219
states, 219
poces, 212
rues, 212
common, 213
forwardng, 214
NAT, 216, 217
restorng, 212
savng, 212
statefu nspecton, 219
states, 219
usng, 210
ISDN connecton (see network
confguraton)
K
Kerberos, 327
kernel
  downloading, 409
  large memory support, 405
  modules, 417
  multiple processor support, 405
  upgrading, 405
kernel modules
  /etc/rc.modules, 420
  listing, 418
  loading, 419
  persistent loading, 420
  unload, 419
keyboard
  configuring, 347
Keyboard Configuration Tool, 347
keyboards, 347
  configuration, 347
kickstart
  how the file is found, 36
Kickstart Configurator, 39
  %post script, 59
  %pre script, 58
  authentication options, 51
  basic options, 39
  boot loader, 44
  boot loader options, 43
  Display configuration, 53
  firewall configuration, 52
  installation method selection, 41
  interactive, 41
  keyboard, 40
  language, 40
  language support, 41
  mouse, 40
  network configuration, 50
  package selection, 57
  partitioning, 45
    software RAID, 47
  preview, 39
  reboot, 41
  root password, 40
    encrypt, 40
  saving, 60
  SELinux configuration, 53
  text mode installation, 41
  time zone, 40
kickstart file
  %include, 27
  %post, 32
  %pre, 30
  auth, 6
  authconfig, 6
  autopart, 5
  autostep, 6
  bootloader, 8
  CD-ROM-based, 34
  clearpart, 9
  cmdline, 10
  creating, 5
  device, 10
  diskette-based, 34
  driverdisk, 11
  firewall, 11
  firstboot, 12
  flash-based, 34
  format of, 3
  halt, 12
  ignoredisk, 5
  include contents of another file, 27
  install, 13
  installation methods, 13
  interactive, 14
  keyboard, 14
  lang, 15
  langsupport, 15
  logvol, 15
  mouse, 16
  network, 17
  network-based, 34, 36
  options, 5
    partitioning examples, 27
  package selection specification, 28
  part, 19
  partition, 19
  post-installation configuration, 32
  poweroff, 21
  pre-installation configuration, 30
  raid, 22
  reboot, 23
  rootpw, 24
  selinux, 24
  shutdown, 24
  skipx, 25
  text, 25
  timezone, 25
  upgrade, 25
  volgroup, 26
  what it looks like, 3
  xconfig, 25
  zerombr, 27
kickstart installations, 3
  CD-ROM-based, 34
  diskette-based, 34
  file format, 3
  file locations, 33
  flash-based, 34
  installation tree, 35
  LVM, 15
  network-based, 34, 36
  starting, 36
    from a boot CD-ROM, 37
    from CD-ROM #1 with a diskette, 36
L
LDAP, 326, 328
loading kernel modules, 417
log files, 399
  (see also Log Viewer)
  description, 399
  examining, 402
  locating, 399
  rotating, 399
  syslogd, 399
  viewing, 399
Log Viewer
  alerts, 402
  filtering, 399
  log file locations, 400
  refresh rate, 400
  searching, 399
logical volume, 89, 102
logical volume group, 89
Logical Volume Manager (see LVM)
logrotate, 399
lpd, 378
lsmod, 418
lspci, 433
LVM, 89
  additional resources, 91
  configuring LVM during installation, 93
  explanation of, 89
  installing
    automatic partitioning, 93, 95
    creating a logical volume, 102
    creating physical volumes, 98
    creating the boot partition, 95
    creating volume groups, 100
  logical volume, 89, 102
  logical volume group, 89
  physical extent, 101
  physical volume, 89, 98
  volume groups, 100
  with kickstart, 15
lvm
  LVM tools and utilities, 132
LVM2
  explanation of, 90
M
Mail Transport Agent (see MTA)
Mail Transport Agent Switcher, 423
  starting in text mode, 423
Mail User Agent, 423
Master Boot Record, 77
  reinstalling, 81
MD5 passwords, 329
memory usage, 430
mkfs, 129
mkpart, 128
modem connection (see network configuration)
modprobe, 419
modprobe.conf, 417
monitor
  settings for dual head, 353
  settings for X, 352
mounting
  NFS file systems, 243
MTA
  setting default, 423
  switching with Mail Transport Agent Switcher, 423
MUA, 423
N
NAT (see Network Address Translation)
neat (see network configuration)
Netfilter, 205
  additional resources, 220
Netfilter 6, 220
Network Address Translation, 214
  with iptables, 214
Network Administration Tool (see network configuration)
Network Booting Tool, 64
  pxeboot, 68
  pxeos, 65
  using with diskless environments, 72
  using with PXE installations, 64
network configuration
  device aliases, 200
  DHCP, 178
  Ethernet connection, 177
    activating, 179
  ISDN connection, 180
    activating, 181
  logical network devices, 197
  managing /etc/hosts, 195
  managing DNS Settings, 193
  managing hosts, 195
  modem connection, 182
    activating, 184
  overview, 176
  PPPoE connection, 185
  profiles, 197
    activating, 199
  restoring from file, 202
  saving to file, 202
  static IP, 178
  token ring connection, 188
    activating, 190
  wireless connection, 190
    activating, 193
  xDSL connection, 185
    activating, 187
Network Device Control, 199
Network File System (see NFS)
Network Time Protocol (see NTP)
NFS
  /etc/fstab, 243
  additional resources, 252
  autofs (see autofs)
  command line configuration, 250
  configuration, 243
  diskless environment, configuring for, 72
  exporting, 247
  hostname formats, 251
  mounting, 243
  over TCP, 245
  starting the server, 252
  status of the server, 252
  stopping the server, 252
NFS Server Configuration Tool, 247
NIS, 326
NTP
  configuring, 343
  ntpd, 343
ntpd, 343
ntsysv, 228
O
O'Reilly & Associates, Inc., 253, 306
opannotate (see OProfile)
opcontrol (see OProfile)
OpenLDAP, 326, 328
openldap-clients, 326
OpenSSH, 233
  additional resources, 241
  client, 234
    scp, 235
    sftp, 236
    ssh, 234
  DSA keys
    generating, 238
  generating key pairs, 236
  RSA keys
    generating, 237
  RSA Version 1 keys
    generating, 239
  server, 233
    /etc/ssh/sshd_config, 233
    starting and stopping, 233
  ssh-add, 241
  ssh-agent, 240
    with GNOME, 240
  ssh-keygen
    DSA, 238
    RSA, 237
    RSA Version 1, 239
OpenSSL
  additional resources, 241
opreport (see OProfile)
OProfile, 435
  /dev/oprofile/, 447
  additional resources, 453
  configuring, 436
    separating profiles, 441
  events
    sampling rate, 440
    setting, 438
  monitoring the kernel, 437
  opannotate, 447
  opcontrol, 436
    --no-vmlinux, 437
    --start, 442
    --vmlinux=, 437
  opreport, 444
    on a single executable, 445
  oprofiled, 442
    log file, 442
  op_help, 439
  overview of tools, 436
  reading data, 443
  saving data, 442
  starting, 442
  unit mask, 440
oprofiled (see OProfile)
oprof_start, 449
op_help, 439
P
Package Updater, 167
packages
  dependencies, 155
  determining file ownership with, 163
  finding deleted files from, 163
  freshening with RPM, 158
  installing, 153
  locating documentation for, 163
  obtaining list of files, 165
  preserving configuration files, 157
  querying, 159
  querying uninstalled, 164
  removing, 156
  tips, 162
  upgrading, 157
  verifying, 160
pam_smbpass, 264
pam_timestamp, 339
parted, 125
  creating partitions, 128
  overview, 125
  removing partitions, 130
  resizing partitions, 131
  selecting device, 127
  table of commands, 125
  viewing partition table, 126
partition table
  viewing, 126
partitions
  creating, 128
  formatting
    mkfs, 129
  labeling
    e2label, 129
  making
    mkpart, 128
  removing, 130
  resizing, 131
  viewing list, 126
password
  aging, 364
  forcing expiration of, 364
passwords
  shadow, 374
PCI devices
  listing, 433
physical extent, 101
physical volume, 89, 98
pixels, 351
postfix, 423
PPPoE, 185
Pre-Execution Environment, 63
printconf (see printer configuration)
printer configuration, 377
  adding
    CUPS (IPP) printer, 380
    IPP printer, 380
    JetDirect printer, 383
    local printer, 378
    Samba (SMB) printer, 381
  cancel print job, 388
  CUPS, 377
  default printer, 386
  delete existing printer, 386
  IPP printer, 380
  JetDirect printer, 383
  local printer, 378
  managing print jobs, 388
  networked CUPS (IPP) printer, 380
  printing from the command line, 388
  Samba (SMB) printer, 381
  test page, 386
  viewing print spool, command line, 388
Printer Configuration Tool (see printer configuration)
printtool (see printer configuration)
processes, 427
ps, 427
PXE, 63
PXE installations, 63
  adding hosts, 66
  boot message, custom, 69
  configuration, 63
  Network Booting Tool, 64
  overview, 63
  performing, 69
  setting up the network server, 63
    pxeboot, 68
    pxeos, 65
Q
quotacheck, 136
quotacheck command
  checking quota accuracy with, 141
quotaoff, 140
quotaon, 140
R
RAID, 105
  configuring software RAID during installation, 109
  explanation of, 105
  Hardware RAID, 105
  installing
    creating the boot partition, 109
    creating the mount points, 113
    creating the RAID devices, 113
    creating the RAID partitions, 109
  level 0, 107
  level 1, 107
  level 4, 107
  level 5, 107
  levels, 107
  reasons to use, 105
  Software RAID, 105
RAM, 430
rcp, 235
Red Hat Network, 167
Red Hat Package Manager (see RPM)
Red Hat RPM Guide, 166
rescue mode
  definition of, 78
  utilities available, 80
resize2fs, 87
resolution, 351
RHN (see Red Hat Network)
rmmod, 419
RPM, 151
  additional resources, 165
  book about, 166
  checking package signatures, 161
  dependencies, 155
  design goals, 151
  determining file ownership with, 163
  documentation with, 163
  file conflicts
    resolving, 155
  finding deleted files with, 163
  freshen, 158
  freshening packages, 158
  GnuPG, 161
  installing, 153
  md5sum, 161
  preserving configuration files, 157
  querying, 159
  querying for file list, 165
  querying uninstalled packages, 164
  tips, 162
  uninstalling, 156
  upgrading, 157
  using, 152
  verifying, 160
  website, 165
RSA keys
  generating, 237
RSA Version 1 keys
  generating, 239
runlevel 1, 81
runlevels, 224
S
Samba, 255
  additional resources, 268
  configuration, 255, 261
    default, 255
    smb.conf, 255
  encrypted passwords, 263
  findsmb, 267
  graphical configuration, 255
    adding a share, 260
    configuring server settings, 256
    managing Samba users, 259
  list of active connections, 265
  pam_smbpass, 264
  reasons for using, 255
  share
    connecting to via the command line, 267
    connecting to with Nautilus, 265
    mounting, 268
  smbclient, 267
  starting the server, 265
  status of the server, 264
  stopping the server, 265
  syncing passwords with passwd, 264
  with Windows NT 4.0, 2000, ME, and XP, 262
scp (see OpenSSH)
secure server
  accessing, 322
  books, 323
  certificate
    authorities, 315
    choosing a CA, 315
    creation of request, 318
    moving it after an upgrade, 314
    pre-existing, 313
    self-signed, 320
    test vs. signed vs. self-signed, 314
    testing, 321
  connecting to, 322
  explanation of security, 312
  installing, 309
  key
    generating, 316
  packages, 309
  port numbers, 322
  providing a certificate for, 312
  security
    explanation of, 312
  upgrading from, 314
  URLs, 322
  URLs for, 322
  websites, 323
security, 223
security level (see Security Level Configuration Tool)
Security Level Configuration Tool
  enabling and disabling, 207
  iptables service, 210
  saving, 209
  setting custom ports, 209
  trusted services, 208
sendmail, 423
services
  controlling access to, 223
Services Configuration Tool, 226
setfacl, 144
Setup Agent
  via Kickstart, 12
sftp (see OpenSSH)
shadow passwords, 328
  overview of, 374
shutdown
  disabling CtrlAltDel, 335
single-user mode, 81
SMB, 255, 328
smb.conf, 255
smbclient, 267
smbstatus, 265
Software RAID (see RAID)
ssh (see OpenSSH)
ssh-add, 241
ssh-agent, 240
  with GNOME, 240
star, 146
striping
  RAID fundamentals, 105
swap space, 119
  creating, 120
  expanding, 120
  explanation of, 119
  file
    creating, 121, 124
  LVM2
    creating, 121
    extending, 120
    reducing, 122
    removing, 123
  moving, 124
  recommended size, 119
  removing, 122
syslogd, 399
system analysis
  OProfile (see OProfile)
system information
  file systems, 431
    /dev/shm, 432
  gathering, 427
  hardware, 432
  memory usage, 430
  processes, 427
    currently running, 427
system recovery, 77
  common problems, 77
    forgetting the root password, 78
    hardware/software problems, 77
    reinstalling the boot loader, 81
    unable to boot into Red Hat Enterprise Linux, 77
system-config-authentication (see Authentication Configuration Tool)
system-config-date (see Time and Date Properties Tool)
system-config-display (see X Configuration Tool)
system-config-httpd (see HTTP Configuration Tool)
system-config-keyboard, 347
system-config-kickstart (see Kickstart Configurator)
system-config-mouse (see Mouse Configuration Tool)
system-config-netboot, 64
system-config-network (see network configuration)
system-config-network-cmd, 175, 200, 202
system-config-printer (see printer configuration)
system-config-selinux (see Security Level Configuration Tool)
system-config-time (see Time and Date Properties Tool)
system-config-users (see user configuration and group configuration)
system-logviewer (see Log Viewer)
system-switch-mail (see Mail Transport Agent Switcher)
system-switch-mail-nox (see Mail Transport Agent Switcher)
T
TCP wrappers, 225
telinit, 225
telnet, 233
tftp, 63
time configuration, 341
  synchronize with NTP server, 343
time zone configuration, 344
timetool (see Time and Date Properties Tool)
token ring connection (see network configuration)
top, 427
tune2fs
  converting to ext3 with, 86
  reverting to ext2 with, 87
U
user configuration
  adding users, 356
  adding users to groups, 360
  changing full name, 359
  changing home directory, 359
  changing login shell, 359
  changing password, 359
  command line configuration, 362
    passwd, 362
    useradd, 362
  filtering list of users, 356
  locking user accounts, 359
  modify groups for a user, 358
  modifying users, 358
  password
    forcing expiration of, 364
  password expiration, 359
  setting user account expiration, 359
  viewing list of users, 355
User Manager (see user configuration)
user private groups (see groups)
  and shared directories, 373
useradd command
  user account creation using, 362
users (see user configuration)
  /etc/passwd, 369
  additional resources, 375
    installed documentation, 375
  introducing, 355
  standard, 369
  tools for management of
    User Manager, 361
    useradd, 361
  UID, 355
V
VeriSign
  using existing certificate, 313
video card
  settings for dual head, 353
  settings for X, 352
volume group, 89
volume groups, 100
W
Windows
  file and print sharing, 255
Windows 2000
  connecting to shares using Samba, 262
Windows 98
  connecting to shares using Samba, 262
Windows ME
  connecting to shares using Samba, 262
Windows NT 4.0
  connecting to shares using Samba, 262
Windows XP
  connecting to shares using Samba, 262
X
X Configuration Tool
  display settings, 351
  dual head display settings, 353
  hardware settings, 352
X Window System
  configuration, 351
xDSL connection (see network configuration)
xinetd, 225
Y
ypbind, 326