openSAP

Introduction to SUSE Linux Enterprise Server (SLES)

Week 3 Unit 1

00:00:08 Hello, and welcome to week three of our openSAP course, Introduction to SUSE Linux Enterprise Server.
00:00:15 My name is Craig Cole. I am an instructional designer
00:00:18 and training engineer at SUSE. This week, you will learn about
00:00:22 software and network management. This is a short week, but you will learn about
00:00:27 management of RPM packages, software management with libzypp, and finally, network management
00:00:33 with SUSE Linux Enterprise Server. Let's begin with the first unit
00:00:37 on management of RPM packages. RPM is the installer piece for packages and software
00:00:49 in SUSE Linux Enterprise Server. RPM is made up of several components.
00:00:54 There is an RPM database, which contains information on all of the installed RPM packages on a system,
00:01:02 it also keeps track of all of the files that have been changed or created as a user installs RPMs,
00:01:11 and it works in the background with the package manager, which we're going to discuss later.
00:01:18 Now, the RPM package manager is a utility that handles installing and uninstalling of the RPM packages themselves.
00:01:28 And then of course, the smallest of these building blocks is the RPM package itself,
00:01:34 which is software that's packaged, software or other files actually,
00:01:40 that are packaged for easy installation onto a SUSE Linux Enterprise Server.
00:01:46 So, let's talk about the individual components of an RPM package.
00:01:52 The RPM itself has an informational header. This is a package label
00:01:59 that has information about the software that is going to be installed or has already been installed.
00:02:06 It also has a GPG signature. That's a key signature to validate
00:02:12 the integrity and the source of the package, it came from somewhere reliable and we can trust it.
00:02:19 There's also a CPIO archive. This is like a zip file of all of the files in the package
00:02:28 that are prepared to be deployed or pushed out to the target system.
00:02:34 And then you have your installation scripts. So, sometimes these scripts have to make modifications
00:02:42 before the packages are copied out, during the installation of the software itself,
00:02:49 and of course, after it's done it might need to clean up or perform other tasks as well,
00:02:55 in order for that package to be successfully installed, all defined by the package maintainer or creator.
00:03:03 So that's an RPM package itself. Now, when we name our RPM packages
00:03:10 in SUSE Linux Enterprise Server, they are named in a very particular manner,
00:03:14 in order to be clear as to where they are, where they came from, what versions they are,
00:03:20 and where they're intended to be installed. And they're broken down, as you can see on this slide,
00:03:25 in the following manner. You have the name of the software.
00:03:29 You have the version of the software. You have the release number.
00:03:33 So, if we release a different version or different number on the same version of the software.
00:03:40 Let's say we change the release notes or update some non-important file
00:03:44 or just informational file, we'll change the release number without changing the software version.
00:03:50 And then of course, the architecture. It's possible you're installing this on x86-64,
00:03:56 but it might also be on System z or on ARM, and so you'll want to know which package to install,
00:04:03 and thus it's included in the name of the package so there's no confusion.
00:04:08 So, that's the RPM name. It's important that you understand that,
00:04:13 so that going forward you can identify what it is, what version it is,
00:04:18 and where it should be installed. Now, installation of RPMs
00:04:23 can be done with multiple different tools. But the most common tool,
00:04:28 or the tool that is always included, is the RPM command itself.
00:04:33 "rpm -i", and then the name of the package will install a package onto a SUSE Linux Enterprise Server.
00:04:42 You can also use "rpm -u", which stands for upgrade or update. However, if it is not already installed,
00:04:52 a version of that software is not already installed, it will install that software as well.
00:04:58 There's also the "rpm -f". Now, the -f stands for freshen.
00:05:03 It means, if there's already a version of the software on the machine, update it or reinstall it at that version,
00:05:12 but it does require that the software already be installed. There must be a pre-existing version on the machine
00:05:20 in order for it to work. Now, RPMs can also be uninstalled with the RPM command
00:05:26 "rpm -e", for erase, which will remove or uninstall an RPM from a SUSE Linux Enterprise Server.
00:05:36 So that's installation and working with RPMs with the RPM command.
00:05:42 Another very important and frequently-used function of RPM is the query of an RPM database.
00:05:50 Remember that the RPM database contains useful information about the package
00:05:56 and about the files that have been installed with a package, including modifications, dates and times, and so forth.
00:06:06 As an administrator, being able to query and to work with this information
00:06:11 is very useful and frequently used. So, the command to query this database
00:06:17 is the "rpm -q" option, for query. If you do something like "rpm -qp",
00:06:24 you can query, instead of the database, you can query a package, the "p" in that option will say,
00:06:32 read this RPM itself and tell me about it. It reads the header information
00:06:37 and gives you that information. Now, some options that you'll use
00:06:41 with the "rpm -q" frequently, "a". So, "rpm -qa" would give you a list of all installed packages.
00:06:51 You might also do an "rpm -qi" for information about a package.
00:06:58 So, "rpm -qi zypper" would tell you information about an installed package called zypper.
00:07:07 "rpm -ql", that's a lowercase L, will display a file list for a package,
00:07:14 so you can see which files were included with the package as it was installed.
00:07:21 "rpm -qf", which package does the specific or the specified file belong to?
00:07:27 This is useful when you know where the file is but you don't know what package it came from.
00:07:32 "rpm -qf", space, and the name of the file, it will tell you where that came from.
00:07:40 "rpm -qd". I want to see the documentation files
00:07:44 that were installed with a package, so I can see if that package has documentation,
00:07:49 so I can go read it and make sure I understand how the software or the components that were installed
00:07:54 with that package are to be used. If you do an "rpm -qc", that is for configuration files.
00:08:02 So, for a given piece of software, what configuration files were included
00:08:07 as part of that particular RPM? So, that's just a small subset
00:08:14 of what you can do with RPM queries. But this is a good start in helping you to understand
00:08:20 how to extract information from RPMs when working with them. There are additional queries that you can do.
00:08:27 Sometimes you want to display or dump information about the RPM database, the "--dump" option is used.
00:08:36 We can also use "--provides" so we can see what other services
00:08:40 or other packages might provide that service. We also have "--requires".
00:08:47 When we are looking for capabilities of packages, we can use that to query it.
00:08:52 We can also take a look at what scripts are going to be run. Sometimes you don't want all of the scripts
00:08:57 that are included with an RPM to be run, and so you can check to make sure
00:09:01 that you understand what's going to happen. And of course, there's the ability to look at the changelog,
00:09:06 what's different in this version of the package versus a previous version of the package.
00:09:13 Now, another component with RPM itself is the ability to validate that a package is both intact,
00:09:22 but that it hasn't been compromised by any, perhaps malicious, individuals or programs out there.
00:09:31 So, the RPM command can be used with a checksig, that's check the signature of an RPM,
00:09:40 we can make sure that the signature is correct. So, does it actually match where we got it from?
00:09:46 And then we can do an "rpm -V" and then the package name, and it will return codes
00:09:52 that will tell us information about it. Like an M says that the mode has changed.
00:09:59 Remember, mode is another way of saying permissions. If it gives us a five,
00:10:04 then it says that the size is different. It might give us a U, where the ownership
00:10:12 on a file or directory is changed as well. So we can see what's happened,
00:10:16 using this verification system, to validate that the software has done
00:10:21 what we expected it to do and that it hasn't been manipulated in some
00:10:25 possibly malicious or maybe just buggy way. This concludes our first unit for this week.
00:10:33 In the next unit, you will learn about software management with libzypp.
00:10:38 Thank you.

Week 3 Unit 2

00:00:08 Hello and welcome to week three, unit two of our openSAP course,
00:00:13 Introduction to SUSE Linux Enterprise Server. My name is Craig Cole
00:00:17 and I am an instructional designer and training engineer at SUSE.
00:00:21 In this unit, you will learn about the library for software management called libzypp.
00:00:27 Let's get started. libzypp is a package manager,
00:00:33 a library and a set of utilities that allow for package management on Linux systems.
00:00:40 It has a built-in resolver for package dependencies called SAT solver
00:00:46 and it supports various software repository types. And it supports signed repositories,
00:00:53 delta packages, package updates, and so forth. And there's a basic diagram
00:00:58 that kind of points out that files live inside of RPMs, delivered to the system by RPMs,
00:01:05 but RPMs are delivered to the system via libzypp in SUSE Linux Enterprise Server.
00:01:12 Now, we mentioned them in the previous slide, software repositories, but what is a software repository?
00:01:19 A software repository is a directory that contains RPM packages themselves
00:01:25 along with metadata files about those packages. They can be accessed via RPM package managers
00:01:33 such as libzypp and can be accessed from different media and file systems.
00:01:38 It can be a regular directory, it could be an actual part of a hard drive,
00:01:43 it could be on an ISO or CD-ROM or DVD image. It could be on a DVD itself.
00:01:50 There are lots of potential directories you can point to. Now, how do we access those?
00:01:56 Well, we can access those directly. It could be on the local system,
00:02:01 it could also be via an NFS share, it could be via FTP or HTTP or HTTPS
00:02:08 or it could be a SMB or CIFS share, a Windows share. These are all possibilities.
00:02:13 This is not the exhaustive list, but it does give you some idea
00:02:17 that software repositories sit in a directory, they have information about what's in that directory.
00:02:24 They can sit on various different types of media and they can be accessed via different protocols.
00:02:32 Now, the goal of libzypp itself is to allow for access to RPMs on a repository
00:02:40 and allow you to install them. There are four Ps in libzypp categorization.
00:02:48 There are packages, which are the RPM "packages" themselves.
00:02:52 This includes patch RPMs and delta RPMs, we'll talk more about those in a minute.
00:02:58 And they contain the actual files that will be installed on a system.
00:03:03 You then have "patterns", which reference one or more packages, and typically a pattern is a set of packages
00:03:13 that need to be installed in order to fulfill a specific role.
00:03:18 As an example, if I'm installing an Apache Web server with scripting languages that might be used on it,
00:03:25 that might be a pattern that I would install that would include all of the necessary RPMs
00:03:31 to provide that particular service or role. We then have "products".
00:03:37 Products contain one or more patterns. So we have the packages, the smallest piece,
00:03:43 you have the patterns, which are a collection of those packages, we have our products which contain one or more patterns
00:03:49 inside them, and they're associated usually with its own product for support
00:03:56 and maybe even a subscription and maintenance agreement. And then you have "patches".
00:04:01 These reference one or more update packages that could either be a full RPM, a patch RPM,
00:04:08 or a delta RPM. So those are the four Ps - packages,
00:04:12 patterns, products, and then of course patches to provide those updates to software.
00:04:18 So those are the four Ps of libzypp. Let's look at libzypp a little bit more closely.
00:04:23 libzypp is actually kind of a back end and a bunch of utilities that provide installation
00:04:30 and update functionality for RPMs that are installed on a SUSE Linux Enterprise Server.
00:04:36 You could use various different utilities to perform that task though. Since libzypp is the back end,
00:04:42 you need front-end utilities to provide that function.
00:04:46 We use YaST, which is a graphical or ncurses interface,
00:04:52 even a non-interactive interface for installing and upgrading packages.
00:04:58 You can also use PackageKit. This is the graphical desktop toolkit.
00:05:04 So if I have, and am booting into a graphical environment, and I log in to the desktop,
00:05:10 there will be an updater as part of that environment
00:05:14 that will allow for the upgrade and patching and even installation of patches
00:05:20 and other software on that machine. Now, the other utility is zypper.
00:05:26 Now, zypper is very frequently used. In fact, in most cases,
00:05:29 it's the most frequently used. It's a command line tool
00:05:33 that allows for all of the software management, from repositories, patterns, packages, products,
00:05:39 all the way down the line. But remember that all three of these things,
00:05:43 YaST, PackageKit, and zypper, are all just front ends.
00:05:47 They simply communicate with the libraries and the utilities that sit on the back end, libzypp,
00:05:53 and provide the ability to install RPMs as files onto a system.
00:06:00 So let's kind of recap that. There are some terms that we've defined here.
00:06:05 A repository is a local or a remote directory containing packages and metadata about those packages.
00:06:16 You have products, which represent an entire product. You have patterns, which are installable groups of packages
00:06:24 that are dedicated to a particular role or purpose. Then you have the packages themselves.
00:06:29 These are compressed files in an RPM format
00:06:33 that contain the files for a particular program or purpose.
00:06:38 Then you have patch, which consists of one or more packages that may be applied by means of a delta RPM
00:06:46 that simply update an existing program. Then you have delta RPMs.
00:06:51 Now, delta RPMs are similar to a regular RPM but they are meant to only provide the binary differences
00:06:59 between two different versions of software or packages that are available.
00:07:04 So if I have a package that's version one and I need to update to version two,
00:07:10 I can apply, in a lot of cases, a delta RPM that will replace just the things
00:07:15 that have changed between those two versions. Now, the last thing we need to describe
00:07:20 is what is called package dependencies. Certain packages might depend on other packages
00:07:27 in order for them to function. In other words, there may be libraries
00:07:31 or other things that are needed in order for, let's say, the Apache Web server
00:07:35 to run on top of SUSE Linux Enterprise Server. And those package dependencies need
00:07:40 to be calculated when running an install on that machine. Package managers, such as libzypp,
00:07:47 can do that kind of calculation and make sure that the necessary pieces
00:07:52 are installed during the installation process. Now, zypper, the command line utility,
00:07:59 is the most frequently used utility for performing the management of repositories
00:08:05 and the management of software. We're going to talk about zypper quite extensively
00:08:10 for this very reason because, in most cases,
00:08:13 this is what administrators use the most to perform tasks.
00:08:18 Now, zypper can be used for both repositories and individual package installation.
00:08:23 So let's talk about, first of all, repositories and then we'll talk about the other functions
00:08:27 that zypper provides. If we want to, let's say, list all of the repositories
00:08:33 that we currently have on a system, we can do a zypper, that's "zypper lr",
00:08:41 that's list repositories. And that would list all of the repositories
00:08:46 that are on that system. That's actually the screenshot that's on the screen here.
00:08:52 We can add a repository as well. "zypper ar"
00:08:57 and then the location of it and the alias. An alias is just a short name
00:09:02 that we use to make it easier for us to remember or reference that repository.
00:09:07 We can also modify repositories. We could change the alias or maybe change the location
00:09:12 of where it's sitting with "zypper mr" for modify repository
00:09:18 in order to get to it. So that's using zypper for repositories.
00:09:22 We can also use zypper to manage packages themselves. We can search for packages
00:09:29 inside of the available repositories with the "zypper se" command.
00:09:34 You can also spell out the word "search" if you want, "zypper search"
00:09:39 and then the string that you want to search for. Let's say I want to install Emacs,
00:09:44 "zypper se emacs" and it will search for and show me what is available to me.
00:09:51 You can also display information about a package using the zypper command,
00:09:57 "zypper if", space, the command. Give me information about the zypper
00:10:05 or, excuse me, about the Emacs tool. You can see that on the right-hand side
00:10:10 in that screenshot. We can also install packages,
00:10:15 "zypper in" for install. You can also type out the word "install".
00:10:20 And we can remove a package with zypper as well, "zypper rm" and the name of the package
00:10:26 you wish to install. In most cases,
00:10:29 when we put in here "package", we just mean the name of the package itself.
00:10:34 We don't mean the entire name of the RPM that was used to install it.
00:10:38 As an example, Emacs. We don't have to specify the version,
00:10:43 the release number, and the architecture as well. Now, we can also do all of those things
00:10:51 that I've described inside of YaST, both for the repositories
00:10:56 and for the individual software packages themselves if I want to install them.
00:11:02 YaST can do it graphically for us if that's what we choose to do.
00:11:06 This is the graphical version and the ncurses, that blue and white version
00:11:10 that we run from the command line, can also do all of these functions as well,
00:11:15 or you can add a repository, edit, delete, or even make inactive
00:11:22 inside of that. We can also search for and add software
00:11:25 as we need inside of the tool just using the search functions
00:11:30 as is shown on the right side of this slide. This concludes our unit on software management with libzypp.
00:11:39 In the next unit, you will learn about network management with SUSE Linux Enterprise Server.
00:11:44 Thank you.

Week 3 Unit 3

00:00:09 Hello and welcome to week three, unit three of our openSAP course,
00:00:14 Introduction to SUSE Linux Enterprise Server. My name is Craig Cole and I am an instructional designer
00:00:19 and training engineer at SUSE. In this unit, you will learn network management
00:00:24 with SUSE Linux Enterprise Server. Let's begin.
00:00:29 Now, before we get too far in, we need to define some terms.
00:00:34 When we start talking about Linux networking and SUSE Linux Enterprise Server networking in particular,
00:00:41 we start talking about things called devices, interfaces, link, address, broadcast, and route.
00:00:48 Now, let's define those. A device is a network adapter found within the system,
00:00:53 usually a physical device but of course it could be represented by virtual hardware
00:00:58 inside of a virtual machine. An interface is a software component
00:01:04 that is created as an interface to a physical device itself.
00:01:11 So an interface is something that the Linux operating system uses to represent a device, a physical device
00:01:20 for networking on a Linux host. Now, a link is a connection of a device
00:01:28 to the network itself, its actual physical or virtualized
00:01:33 connection to the network. The address is exactly what you think it is.
00:01:37 It's an IP address assigned to an interface. Notice that the address is assigned to the interface,
00:01:46 not to the device, although they're associated. Then you have the broadcast,
00:01:51 which is an address that's given to reach all the hosts on a local network or a specific set
00:01:58 depending on the version of IP that you're using, TCP/IP. And then you have route, which is a path
00:02:05 a network packet would take from the source to a destination host.
00:02:14 So within SUSE Linux Enterprise Server, there are, for each interface,
00:02:20 there are configuration files that are created that store the configuration information for that device,
00:02:27 for the interface associated with a device. Each file is contained inside
00:02:33 of the /etc/sysconfig/network subdirectory. And they're given a very obvious name
00:02:40 such as ifcfg, that's the interface configuration, dash, and then the device name, such as eth0,
00:02:48 the first network card or network device interface in the system.
00:02:55 As you can see, in the slide, you can see a printout of the contents of the ifcfg for device eth0.
00:03:06 You can see that the boot protocol is DHCP, meaning it doesn't have a static IP address assigned,
00:03:12 and thus it doesn't need the netmask or anything else defined for it
00:03:18 as the DHCP protocol usually handles such things. Now, on top of this, name resolution is configured,
00:03:29 and as you see here, via various files. You have the /etc/hostname,
00:03:35 which refers to the local system. Then you have where do I go
00:03:40 for resolution on my local system? So /etc/hostname is the name of the current system,
00:03:48 /etc/hosts is a list of maybe the current system but also any other hosts on the network
00:03:54 or that can be reached remotely. Then you have the resolution of names themselves
00:04:04 with the DNS servers. That information is stored in the /etc/resolv.conf,
00:04:09 resolv.conf. And then of course you have to decide
00:04:16 in what order I should look up those things, and that's in the /etc/nsswitch.conf.
00:04:23 What I mean by that - do I look at the local /etc/hosts file
00:04:28 before looking at the remote DNS servers? That's the case in most places
00:04:33 but sometimes you might not want that, and you can reconfigure that in /etc/nsswitch
00:04:41 if you wish to change that. So those are just some network-related files,
00:04:46 those for the interface card itself and of course the name resolution
00:04:54 configuration files as well. Now on top of having these interfaces,
00:05:01 let's say you need to start up a network interface. How would you do that?
00:05:06 Well, in SUSE Linux, there are some sysconfig or utilities that are included with the sysconfig packages
00:05:13 that allow for an interface to be turned on, turned off, or even just check the status on.
00:05:21 The ifup command, as an example, along with an interface you want to start, would start up or configure,
00:05:29 bring up a configured Ethernet interface and start it, get it started performing its task
00:05:37 as an interface, ifdown and the device would turn it down or turn it off.
00:05:44 Then you have ifstatus. What if you just need to see the status
00:05:47 of any particular device? And there's a nice screenshot showing that as well.
00:05:53 So there are tools for manipulating or working with these interfaces, should we need to -
00:05:58 the ifup, ifdown, and ifstatus commands are just some of them.
00:06:04 Now a lot of what we're talking about can also be done from inside of the YaST configuration tool.
00:06:11 It is recommended that most networking functions that you will perform as an administrator
00:06:17 be done inside of the YaST lan module. This is the module in YaST that manages
00:06:25 all of the networking functions, or the vast majority of the networking functions
00:06:30 that you will likely perform in a SUSE Linux Enterprise Server.
00:06:34 As you can see here, we have a screenshot showing where I can configure the IP address,
00:06:39 whether it's DHCP or static. I can configure more than a single IP address
00:06:44 on a single interface. So it can have multiple IP addresses assigned to it.
00:06:49 I can set up its own host name. I can tell it where to look for name resolution.
00:06:55 These are all things that we've talked about before. We can even add additional devices as shown to the right.
00:07:01 And add things like network bridges, VLANs, and so forth
00:07:07 that we may need in order to perform our jobs on a SUSE Linux Enterprise Server.
00:07:13 So YaST allows for the configuration of network interfaces from creation, configuration, name resolution,
00:07:23 and even more complex setups like VLANs, bridges, bonds, and so forth.
00:07:30 Now there are times when you want to test a given IP setting before you write it
00:07:36 into a configuration file, which is what happens when you make changes
00:07:41 with the YaST lan module. The IP command is the most commonly used tool
00:07:47 and it can add IP addresses, it can remove an IP address, it can also affect routes,
00:07:53 it can do bonds and bridges, and all sorts of functions that will likely be something that you are addressing
00:08:00 as a network administrator or as a Linux administrator. IP, space, the name of the address,
00:08:10 or the subcommand that you want to perform, the specific task you want, and any arguments
00:08:16 that go with it are the basic syntax. So "ip addr add",
00:08:23 that's add an address, and then you specify the address,
00:08:27 and the device you want to add it to, as it's shown in the screenshot on the right on the top.
00:08:34 And as you can see, it adds that address to an existing machine.
00:08:39 You can see under two the address 10.0.0.10 has been added successfully.
00:08:47 The IP command can also be shown or be used to show what IP addresses are configured,
00:08:52 "ip a s", IP address show is what that stands for, and it will show you information
00:09:00 about a particular device, if you want to, or all of them, which is what this one is doing.
00:09:07 We can remove an IP address. We can add an IP address.
00:09:11 We can delete an IP address. We can also add or work with the routes
00:09:16 that are required in order to perform routing functions using the IP command.
00:09:23 Now one thing I want to point out, although we can do all of these with the IP command,
00:09:27 one of the things I mentioned previously is that the IP command is not permanent.
00:09:32 In other words, if I want to test out a configuration, I can use the IP command to validate
00:09:39 that a setting works the way I want, and then generally I go into YaST,
00:09:43 and I make the change there in order to make it a permanent setting.
00:09:47 But being able to test with the IP command is very useful, especially in test environments
00:09:54 and in lab environments. Now there are several other
00:10:01 network management tools out there, some of them you're probably already familiar with,
00:10:05 and they work for the most part just like they do on other operating systems.
00:10:09 With the ping command, we send out an ICMP packet just to validate the reachability of a host,
00:10:17 and it comes back with it. The ping command is slightly different on Linux,
00:10:23 by default it doesn't time out after four, so it will keep going until you tell it not to.
00:10:30 You can put a count number on it, so you can tell it only do it four times and then stop,
00:10:36 otherwise it will keep going indefinitely. You also have the traceroute command,
00:10:43 traceroute allows you to display the route that a certain packet will take
00:10:50 in order to get from host, your origination, to your destination.
00:10:57 And it uses UDP or datagrams in order to do that. And we can also tell it with the -n,
00:11:03 which is a frequently used option, don't display the fully qualified domain name,
00:11:09 just give us the IP address as well. So those are the management tools of Linux
00:11:16 or SUSE Linux Enterprise Server for the network. Both the IP command, the ping, the traceroute commands
00:11:24 that we've mentioned, but also the YaST tool that allows you to configure most of those things
00:11:30 that as an administrator you will be using when performing management tasks
00:11:35 on SUSE Linux Enterprise Server. Now there's one more topic that almost always comes up
00:11:42 when we start talking about networking on an operating system, and that is, can we do firewalling?
00:11:48 Well, of course we can with SUSE Linux. We can use a firewall.
00:11:52 But what is a firewall? It's just a term that says it's something
00:11:56 that controls the data flow between networks. And in this particular section,
00:12:03 when we start talking about that, what we mean is a packet filter.
00:12:07 A packet filter is something that inspects the traffic as it comes toward the host,
00:12:12 and then based on rules, performs a filtering function, either allowing it through or denying it.
00:12:20 Now it could also mean forwarding or other functions but that's a little bit deeper in.
00:12:27 The firewall in SUSE Linux Enterprise Server is managed via a tool called firewalld.
00:12:37 Although the functions of the firewall are part of the Linux kernel, the iptables tools,
00:12:43 the firewalld manages the launch, the startup, the rule determination and application
00:12:51 within that environment. It's a daemon that resides on the system
00:12:57 that manages those rules, and it includes various components.
00:13:00 We need to talk about them. First is iptables, that's a rule-based firewall
00:13:05 that's included with the Linux kernel and has been in play and used since the 2.4 release
00:13:12 back in the early 2000s. firewall-cmd is a command line utility
00:13:18 for interacting with firewalld, and then there's firewall-config,
00:13:24 which is a graphical tool for configuring or interacting with that firewall.
00:13:30 As you can see, in the bottom left, we can see the firewall-cmd command
00:13:36 does some basic examples of interacting with the various firewalld tools
00:13:43 for changing iptables. On the right, you have an example
00:13:47 of the firewall-config tool for interacting with firewalld. Now firewalld implements what are called security zones.
00:13:58 And several zones are already predetermined or predefined, but of course the administrator has the option
00:14:04 to define their own custom zones if they want to. Each zone has its own set of iptables rules.
00:14:13 And each network interface is a member of exactly one zone. So as traffic is coming in through an interface,
00:14:21 it can only belong in a particular zone. Generally, these zones are things like public and private,
00:14:28 meaning external or internal, depending on how things are defined.
00:14:34 Now, connections can be assigned to the zone based on the source addresses.
00:14:38 And each zone represents a level of trust. Obviously, we don't trust as much traffic
00:14:43 that's coming in from, let's say, the Internet, versus traffic that might be behind our corporate firewall.
00:14:51 Each zone, again, allows us to control whether something is trusted or is not to be trusted.
00:14:58 Now there are two different configurations in firewalld that we should talk about.
00:15:03 They are the Runtime and the Permanent. Now, Permanent, we're going to talk about first
00:15:09 despite being listed second here, it represents the saved rules that will be applied
00:15:14 when restarting the firewall, or firewalld. Runtime, however, it represents
00:15:23 the currently active rules, and allows for temporary rules to be tested.
00:15:28 And then once you've validated that the rules work as you want, you can push them into Permanent.
00:15:35 Otherwise, they will be discarded when firewalld is restarted.
00:15:42 This concludes this week's topic on software and network management.
00:15:46 Next week, you'll learn about storage administration and shells.
00:15:50 See you in a bit. Thank you.

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

