Cristian-Mihai AMARANDEI
Email: cristian-mihai.amarandei@academic.tuiasi.ro
"Network Service Management" – Course Notes
System services
● chkconfig – usage example

$ echo "ndbd" > /etc/rc.d/init.d/ndbd
$ chmod +x /etc/rc.d/init.d/ndbd
$ cat ndbd
#!/bin/bash
# chkconfig: 345 98 50
#            |   |  |
#            |   |  |-- priority for kill scripts
#            |   |----- priority for start scripts
#            |--------- run levels at which to start service
# description: MySQL Cluster NDB daemon Ndbd

$ chkconfig --add ndbd
$ for i in 0 1 2 3 4 5 6; do ls rc$i.d/*ndb* ; done
rc0.d/K50ndbd
rc1.d/K50ndbd
rc2.d/K50ndbd
rc3.d/S98ndbd
rc4.d/S98ndbd
rc5.d/S98ndbd
rc6.d/K50ndbd

$ chkconfig --list ndbd
ndbd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Systemd services
● Customize systemd services - see course #2!!!
● start, stop and restart services
– The following command can be used:
systemctl action service_name
– action can be one of the following parameters:
● start – start the service
● stop – stop the service
● restart – restart the service
● status – check the service status
● The list of services can be configured with:
– systemctl list-unit-files
– systemctl [enable | disable] service_name
Processes
● Processes – user programs and daemons
● Process state codes
– running “R” - running or runnable (on run queue)
– sleep “S” - interruptible sleep (waiting for an event to complete)
– wait “D” - uninterruptible sleep (usually IO)
– stopped “T” - process is stopped or halted and can be restarted by some other process
– paging “W” - not valid since the 2.6.xx kernel
– dead “X” - should never be seen
– zombie “Z” - process terminated, but information is still there in the process table
● Running mode
– foreground – interaction with user
– background
● All processes are created by a parent process
● At boot: a pseudoprocess with PID=0, which executes the init process (PID=1)
● Init – ancestor of all processes
● Process = an instance of a computer program that is being executed
● Each process has an owner and a group
● Access rights
– When a user starts a program, the process itself and all processes started by that process will be owned by that user
– Process permissions to access files and system resources are determined by the permissions of that user
– Users can control only their own processes (except root)
– Access rights are inherited from the parent
● Orphaned child process - its PPID will be set to 1
● Useful commands
– ps – list running processes
● “a” all processes
● “u” extended format
● “x” include daemon processes
● “w” print long lines
– top – displays currently running processes and important information about them, including their memory and CPU usage
● A program can run in the background by adding “&” at the end of the command line (it becomes a “job”)
– jobs – print all jobs
– CTRL+Z -> process suspended and moved to the background
– fg job – move a process to the foreground
– bg job – move a process to the background
Process priority
● Processes have different priorities
● Priority range:
– -20 (high priority)
– 20 (low priority)
– default 10
● nice -n priority program
– run a process with the given priority
Interprocess communication
● Signals – a limited form of inter-process communication used in Unix, Unix-like, and other POSIX-compliant operating systems
● Signal - a number
● Processes can redefine their signal handler or can ignore some signals (except SIGKILL and SIGSTOP)
● Usual signals:
– SIGHUP (1) - parent is terminated (used by system daemons to reload the configuration file)
– SIGINT (2) - interrupt a process
– SIGQUIT (3) - terminate a process (CTRL+C)
– SIGILL (4) - illegal instruction
– SIGSEGV (11) - segmentation violation
– SIGPIPE (13) - write to a pipe with no one reading
– SIGTERM (15) – process termination (request to terminate)
– SIGUSR1 (16) - user-defined signal
– SIGUSR2 (17) - user-defined signal
– SIGCHLD (18) - child process terminated, stopped (or continued)
– SIGSTOP (23) - stop executing temporarily
– SIGCONT (25) - continue if stopped
● kill signal PID – send a signal to the process identified by PID
– Users can send signals only to their own processes
– Root can send signals to all processes
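An added example, not from the course notes, of what "redefine their signal handler" and "kill signal PID" mean in practice, written in POSIX sh with the shell's trap builtin (the function names are my own). It uses signal names rather than numbers because several numbers differ between architectures; kill -l prints the mapping for the machine you are on.

```shell
#!/bin/sh
# Added example, not from the course notes: a process redefining what a
# signal does to it with the shell's trap builtin. Each demo runs in its own
# child shell ($$ inside "sh -c" is that child), so the calling shell is
# never the target of the signals.

# Install a SIGHUP handler that "reloads" (here: just counts), deliver
# SIGHUP to the process N times, then restore the default disposition and
# print the count. Without the trap, the first SIGHUP would end the shell.
count_reloads() {
    sh -c '
        n=$1 reloads=0
        trap "reloads=\$((reloads + 1))" HUP   # a daemon would re-read its config here
        while [ "$n" -gt 0 ]; do
            kill -HUP $$                         # signal ourselves
            n=$((n - 1))
        done
        trap - HUP                               # back to the default action
        echo "$reloads"
    ' sh "$1"
}

# Default disposition: SIGTERM terminates the child, so "survived" is never
# printed; the exit status 143 (128 + 15) is swallowed with "|| true".
dies_on_term() {
    sh -c 'kill -TERM $$; echo survived' 2>/dev/null || true
}

# Same signal, but the child ignores it first, so it keeps running. This is
# impossible for SIGKILL and SIGSTOP, which can be neither caught nor ignored.
survives_term() {
    sh -c 'trap "" TERM; kill -TERM $$; echo survived'
}

# Permission check only: "kill -0" delivers nothing but reports whether this
# user may signal that PID (own processes; any process for root).
can_signal() {
    kill -0 "$1" 2>/dev/null
}
```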
Processes - /proc
● /proc filesystem is a virtual filesystem that permits communication between the Linux kernel and user space.
● Almost all files are read-only
● Can be used to modify kernel parameters (/proc/sys)
● /proc includes a directory for each running process (including kernel processes) at /proc/PID
– Directory name is the PID of the process
– contains information about the process
● Some examples:
– /proc/PID/cwd - a symlink to the current working directory of the process.
– /proc/PID/exe - a symlink to the original executable file
– /proc/PID/maps - the memory map showing which addresses currently visible to that process are mapped to which regions in RAM or to files.
– /proc/PID/environ - a file containing the names and contents of the environment variables that affect the process.
– /proc/PID/status - a file containing basic information about a process, including its run state and memory usage
– /proc/PID/mem - the memory of the process (accessed like the /dev/mem device)
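As an added example (not from the notes), the state codes listed under Processes and the State: line of /proc/PID/status tie together in the following POSIX sh functions, which also scan a /proc tree for every process in a given state (zombies, for instance). The function names are my own; the tree root is a parameter so the functions can be run against a constructed copy as well as the live /proc.

```shell
#!/bin/sh
# Added example, not from the course notes: read the one-letter state code
# from the "State:" line of <proc root>/PID/status and scan a /proc tree
# for processes in a given state. The tree root defaults to /proc but can
# be pointed at a constructed copy, which is how the test exercises it.

# Long description of a state code, as listed under "Process state codes".
describe_state() {
    case "$1" in
        R) echo "running or runnable (on run queue)" ;;
        S) echo "interruptible sleep (waiting for an event)" ;;
        D) echo "uninterruptible sleep (usually I/O)" ;;
        T) echo "stopped (can be restarted by another process)" ;;
        Z) echo "zombie (terminated, still in the process table)" ;;
        X) echo "dead (should never be seen)" ;;
        *) echo "unknown state '$1'" ;;
    esac
}

# State code of process $1 under proc root $2 (default /proc). Returns 1
# (and prints nothing) when the process has already gone away.
proc_state() {
    root=${2:-/proc}
    [ -r "$root/$1/status" ] || return 1
    sed -n 's/^State:[[:space:]]*\([A-Za-z]\).*/\1/p' "$root/$1/status"
}

# "PID name" for every process under root $2 whose state equals $1; e.g.
# find_state Z lists zombies, which their parent never collected with wait().
find_state() {
    want=$1
    base=${2:-/proc}
    for dir in "$base"/[0-9]*; do
        pid=${dir##*/}
        state=$(proc_state "$pid" "$base") || continue
        if [ "$state" = "$want" ]; then
            echo "$pid $(sed -n 's/^Name:[[:space:]]*//p' "$dir/status")"
        fi
    done
}
```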
● /proc/self/
– a symbolic link to the process directory of the program that is looking at /proc
● /proc/bus/
– contains directories representing the various buses on the computer
● /proc/filesystems
– a text listing of the file systems which are supported by the kernel
● /proc/fs
– exported filesystems
● /proc/ide/
– exists on systems with the IDE bus
● /proc/net/
– really useful information about the network stack
● /proc/scsi/
– information about any devices connected via a SCSI or RAID controller
● /proc/sys/
– access to dynamically-configurable kernel options
– directories representing the areas of the kernel, containing readable and writable virtual files
– it is recommended to use sysctl to change the kernel parameters
● /proc/sysvipc/
– contains memory sharing and IPC information – message queues (msg), semaphores (sem) and shared memory (shm).
/sys
● The sysfs filesystem is a special filesystem similar to /proc that is usually mounted on the /sys directory
● A goal of the sysfs filesystem is to expose the hierarchical relationships among the components of the device driver model
● Starting with kernel 2.6 there is a new /sys directory for PnP configuration.
● It is something like the /proc filesystem, since the "files" represent information in kernel memory and are not on your hard drive.
● Each device which exists on your system has its own directory, which contains files showing the resources allocated to it.
● It is also used for configuration using sysctl - an interface for examining and dynamically changing parameters in the BSD and Linux operating systems
● In Linux, sysctl is implemented as a wrapper around file system routines that access the contents of files in the /proc directory
● The top level sysfs directory looks like:
block/
bus/
class/
dev/
devices/
firmware/
net/
fs/
● /sys/devices/
– contains a filesystem representation of the device tree. It maps directly to the internal kernel device tree, which is a hierarchy of struct device.
● /sys/bus/
– contains a flat directory layout of the various bus types in the kernel.
● /sys/drivers/
– contains a directory for each device driver that is loaded for devices on that particular bus (this assumes that drivers do not span multiple bus types).
● /sys/dev/
– contains two directories, char/ and block/. Inside these two directories there are symlinks named <major>:<minor>. These symlinks point to the sysfs directory for the given device
● /sys/fs/
– contains a directory for some filesystems. Currently each filesystem wanting to export attributes must create its own hierarchy below fs/ (see ./fuse.txt)
● The /sbin/sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory
● To preserve custom settings, add them to the /etc/sysctl.conf file.
Disk partitioning
● Disk partitioning commands
– fdisk, parted
● Create filesystem
– mkfs (mkfs.ext3, mkfs.vfat, ...)
● Tune filesystem parameters
– tune2fs (for ext2 and ext3)
Filesystem automount
● The filesystem mounting process is controlled via the /etc/fstab file.
● /etc/fstab structure: lines with 6 fields
– Device name
– Mount point
– Filesystem type
– Options (comma-separated)
– dump field – used by the dump command to determine which filesystems need to be dumped. If the field is not present, a value of zero is returned and dump will assume that the filesystem does not need to be dumped.
– fsck order – the order in which filesystem checks are done at reboot time (1 for root, 0 for swap and other filesystems)
● All filesystems in /etc/fstab are automatically mounted at system boot (except the ones with noauto) and unmounted at system shutdown
● Mount options
– defaults – Use default options: rw, suid, dev, exec, auto, nouser, and async.
– ro – read-only
– nosuid – Do not allow SUID or SGID bits to take effect.
– noauto – Can only be mounted explicitly
– user – Allow an ordinary user to mount the filesystem.
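An added example (not from the course notes) that parses the six fstab fields described above and summarises the boot, SUID and fsck behaviour of each entry; the function names are my own. It reads from stdin so a constructed sample can be checked as well as the real file.

```shell
#!/bin/sh
# Added example, not from the course notes: a reader for the six-field
# /etc/fstab format. Use on the live file with: fstab_report < /etc/fstab

# Is option $2 present in the comma-separated option list $1?
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# One line per entry: "<mount point> <type> auto|noauto suid|nosuid fsck=<order>".
# Comment and blank lines are skipped. A missing 6th field counts as 0,
# the same default the notes give for the dump and fsck fields.
fstab_report() {
    while read -r dev mnt type opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        if has_option "$opts" noauto; then boot=noauto; else boot=auto; fi
        if has_option "$opts" nosuid; then suid=nosuid; else suid=suid; fi
        echo "$mnt $type $boot $suid fsck=${pass:-0}"
    done
}

# Mount points an ordinary user may mount ("user") on which set-uid binaries
# are explicitly allowed again ("suid"): mount(8) makes "user" imply
# nosuid,nodev,noexec, so a "suid" next to it is a deliberate relaxation
# worth noticing when reviewing the file.
user_mounts_allowing_suid() {
    while read -r dev mnt type opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        if has_option "$opts" user && has_option "$opts" suid; then
            echo "$mnt"
        fi
    done
}
```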
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#mirrorlist=http://mirrorlist.centos.org/?release=6.5&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
#baseurl=http://mirror.centos.org/centos/6.5/updates/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
User management
● User -> user account
● User management – one of the main duties of the Unix system administrator
● user = agent (end-user) who runs programs or accesses system services or resources (i.e. accesses the file system to store files)
– Access to resources is granted to registered users, based on their access rights
● Users – real persons or system users
● User account – can be shared by many real users; a user is a person who can log in to an account and run programs
● System users – reserved for some applications
– (i.e. the apache user for the httpd server)
● Each user account has a username – must be unique
● Each user has a unique id (User ID, UID) – used by the system to identify users
● Users – can be organized in groups
● groups = users that share the same role or access rights
● Each group has a unique id (Group ID, GID)
● UID and GID provide access rights to files and system resources
● UID and GID – created when the user account is created
● system-config-users : application used to configure users and groups (RedHat Linux based distro)
Users database
● stored in /etc/passwd
● Text file, each line describing a user account. Each record consists of seven fields separated by colons
● Passwords encrypted in /etc/shadow
● Line structure:
account:password:UID:GID:GECOS:directory:shell
– account – user name; unique
– password - the encrypted user password; x - replaces the encrypted password, kept for backward compatibility
– UID – numeric user identifier (reserved up to 500)
– GID – numeric group id (reserved up to 500)
– User Info (GECOS field) – the comment field. It allows you to add extra information about the user such as the user's full name, phone number etc. (comma-delimited list). This field is used by the finger command.
– directory – user home directory, usually located under /home
– shell – login shell started every time the user logs into the system (bash, sh, csh, …); if set to a nonexistent executable, the user will be unable to log in.
● access rights: 644
Groups database
● Stored in /etc/group
● File structure:
group_name:password:GID:user_list
name : x : GID : [ user_list ]
– group_name – name of the group
– password - the (encrypted) group password. If this field is empty, no password is needed. (gpasswd command)
– GID – group identifier (the first 500 are reserved)
– user_list – list of user names of users who are members of the group (separated by commas)
● access rights: 644
Password database
● Stored using the shadow system
● Encrypted passwords stored in /etc/shadow
● Cannot be accessed by users (access rights: 400)
● Same colon-separated format as the /etc/passwd file:
– name – username
– password – encrypted password
– lastchanged – days since the password was last changed
– minimum – the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password
– maximum – the maximum number of days the password is valid (after that the user is forced to change his/her password)
– inactive – the number of days after the password expires that the account is disabled
– expire - days since that account is disabled, i.e. an absolute date specifying when the login may no longer be used
Password attributes
● passwd command
● -n no_days – set the minimum password lifetime, in days
● -x no_days – set the maximum password lifetime, in days
● -w no_days – set the number of days in advance the user will begin receiving warnings that her password will expire
● -i no_days – set the number of days which will pass before an expired password for this account will be taken to mean that the account is inactive and should be disabled
● -f – force the user to change the password at the next login by expiring the password for name.
● -l – locks the account by adding the ! prefix
● -u – unlocks the account password by removing the ! prefix
● -d – a quick way to delete a password for an account (not recommended!)
root account
● root = the most privileged account on a Linux/Unix system, with UID=0
● Total control over the system (process execution, modify any file, open any port etc.)
● ! use it only for administrative purposes
● Processes have two identities:
– Real user ID – identifies the real owner of the process – the UID of the user that created the process
– Effective user ID (EUID) – available during the process lifetime
– Identity transfer is accepted by the owner by setting the SUID bit
● Some programs require the SUID bit to be set in order to work properly (i.e. the passwd command)
● su (Substitute User) command: run a shell with substitute user and group IDs
– The user must type the password of the new user (except root)
● To avoid typing the root password – use sudo
● Requirements for system security:
– All users must have a password
– All new users must have a first password (must be changed at the first login)
– Password:
● must be as safe as possible (no dictionary-based password)
● must be easy to remember, but hard to guess
● do not use names, numbers or other important user information
● use unusual characters, deliberately misspelled words etc.
● Two ways: system level or user level, using the rshd service
● Files: /etc/hosts.equiv or .rhosts (in $HOME) – in this order!
● File format:
– hostname [ user ]
● Specifies remote users that can use a local user account on a network.
● Defines which remote hosts (computers on a network) can invoke certain commands on the local host without supplying a password.
– If no user name is specified, the remote user name must match the local user name.
– [+ -] hostname [ + - ] user
● “+” access is granted
● “-” access is denied
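An added example, not from the notes, that reviews the [+ -] hostname [+ -] user lines of /etc/hosts.equiv and .rhosts described above and classifies each entry, so that "+" wildcard entries (password-less access from any host, or as any user) stand out; the function names are my own. It reads stdin: the test uses a constructed file, and rhosts_review < /etc/hosts.equiv checks the live one.

```shell
#!/bin/sh
# Added example, not from the course notes: classify the entries of an
# /etc/hosts.equiv or .rhosts file. Verdicts, one per non-comment line:
#   deny <host> <user>      the host or the user carries the "-" prefix
#   wildcard <host> <user>  "+" alone as host (any host) or as user (any user)
#   allow <host> <user>     an ordinary "hostname [user]" entry
# A missing user is shown as <same-name>: the remote user name must then
# match the local one, as the notes say.
rhosts_review() {
    while read -r host user _; do
        case "$host" in ''|'#'*) continue ;; esac
        [ -n "$user" ] || user='<same-name>'
        verdict=allow
        case "$host" in
            -*) verdict=deny ;;
            +)  verdict=wildcard ;;
        esac
        case "$user" in
            -*) verdict=deny ;;
            +)  [ "$verdict" = deny ] || verdict=wildcard ;;
        esac
        echo "$verdict $host $user"
    done
}

# Just the wildcard entries: the ones to question first in a review.
rhosts_wildcards() {
    rhosts_review | grep '^wildcard ' || true
}
```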
root access
● Must be allowed only from terminals described in the /etc/securetty file
● Not recommended from system terminals other than tty*
● Remote access must be performed using an unprivileged user via ssh, and then the su command
● su [ username ] [ options ]
– “-” – run as a login shell (read shell config files)
– -c command – run the command
● assumes that, in the absence of a username, the user wants to change to a root session, and thus the user is prompted for the root password as soon as the ENTER key is pressed.
● /etc/nologin
– If a user attempts to log in to a system where this file exists, the contents of the nologin file are displayed, and the user login is terminated. Superuser logins are not affected.
– The /etc/nologin file is removed when you reboot the system.
Getting help
● man
– short for manual; provides in-depth information about the requested command or allows users to search for commands related to a particular keyword.
● apropos
– searches the manual pages for a keyword or regular expression.
$ apropos find
● whereis
– locate the binary, source, and manual page files for a command.
● info
– reads documentation in the info format.
● which
– locate a command.
● whatis
– displays short manual page descriptions.
● locate
– list files in databases that match a pattern.
– you may need to run the "updatedb" command to update the database in order to find the file you are searching for.
Reading assignment
● The Linux System Administrator's Guide, Chapters 5, 6, 7
References
This presentation is intended for lecturing purposes only and it is based on the references listed below. Therefore, the students are encouraged to (and they should) read thoroughly the original documents listed below in order to improve their skills.