Linux Administration Made Easy

by Steve Frampton, <[email protected]>

Published 09 October 1999

The Linux Administration Made Easy (LAME) guide attempts to describe
day-to-day administration and maintenance issues commonly faced by Linux system
administrators. Part of the Linux Documentation Project.
Table of Contents
1. Preface
1.1. Acknowledgements
1.2. Copyright Information and Legal Disclaimers
1.3. A Plea for Help
2. Introduction
2.1. Scope
2.2. Choosing a Linux Distribution
3. Linux Overview
3.1. What is Linux?
3.2. Breaking the Myths
3.3. One User's Perspective
4. Installation and Hardware Configuration
4.1. Creating an Installation Diskette
4.2. Booting Linux Installation Program
4.3. Partitioning Hard Drive(s)
4.4. Setting up Swap Space
4.5. Choosing Partitions to Format
4.6. Choosing Desired Packages to Install
4.7. Hardware Configuration
4.8. Booting with LILO
4.8.1. Multi-boot with Other Operating Systems
4.9. Downloading and Installing Red Hat Updates
5. Configuring the X Window System
5.1. Getting the X Window System Working with X-Configurator
5.2. Using the X Desktop Manager
5.3. Improving Font Appearance Under X
5.4. Choosing a Window Manager for X
5.5. GNOME Installation and Configuration
5.6. KDE Installation and Configuration
6. General System Administration Issues
6.1. Root Account
6.2. Creating User Accounts
6.3. Changing User Passwords
6.4. Disabling User Accounts
6.5. Removing User Accounts
6.6. Linux Password & Shadow File Formats
6.7. System Shutdown and Restart
7. Custom Configuration and Administration Issues
7.1. Web Server and HTTP Caching Proxy Administration
7.2. Domain Name Server (DNS) Configuration and Administration
7.3. Internet User Authentication with TACACS
7.4. Windows-style File and Print Services with Samba
7.5. Macintosh-style File and Print Services with Netatalk
7.6. Network File System (NFS) Services
7.7. Configuration from A-Z with Linuxconf
8. Backup and Restore Procedures
8.1. Server Backup Procedures
8.1.1. Backing up with tar
8.1.2. Backing up with KDat
8.2. Server Restore Procedures
8.2.1. Restoring with tar
8.2.2. Restoring with KDat
8.3. Cisco Router Configuration Backups
9. Various & Sundry Administrative Tasks
9.1. Checking Storage Space
9.2. Managing Processes
9.3. Starting and Stopping Processes
9.4. Automating Tasks with Cron and Crontab files
10. Upgrading Linux and Other Applications
10.1. Using the Red Hat Package Manager (RPM)
10.2. Installing or Upgrading Without RPM
10.3. Strategies for Keeping an Up-to-date System
10.4. Linux Kernel Upgrades
10.5. Upgrading a Red Hat Stock Kernel
10.6. Building a Custom Kernel
10.7. Moving to the Linux 2.2.x Kernels
10.8. Configuring the Apache Web Server
10.9. Configuring the Squid HTTP Caching Proxy Daemon
10.10. Configuring the Sendmail E-mail Daemon
11. Enterprise Computing with Linux
11.1. Performance Tuning
11.2. High Availability with RAID
11.3. Server Migration and Scalability Issues
12. Strategies for Keeping a Secure Server
13. Help! Trouble in Paradise!
13.1. Getting Linux Installed on new, Unsupported Hardware
13.2. File System Corruption after Power Outage or System Crash
13.3. Where to Turn for Help
13.4. Pointers to Additional Documentation
Chapter 1. Preface
1.1. Acknowledgements
I would like to thank the Linux community; particularly those members who have
participated in USENET and mailing lists with lots of helpful tips, answers, and
suggestions on how to use Linux at its best. Your contributions have benefited us all.
This document was written in the DocBook SGML format, and then rendered using
SGMLTools 2.x to a variety of document formats, including HTML, postscript,
Rich-Text-Format, and PDF. For more information on SGMLTools, see the project web
site at http://www.sgmltools.org/
1.2. Copyright Information and Legal Disclaimers
Copyright 1997-1999 by Steve Frampton. This material may be distributed only
subject to the terms and conditions set forth in the Open Publication License, v0.4 or
later (the latest version is presently available at http://www.opencontent.org/openpub/).
I've written this documentation and am providing it free to the Linux community as a
public service. I have made every attempt to ensure that the information contained
herein is timely, accurate, and helpful, but in no way will I be held liable for any
damage(s) caused directly or indirectly by any misinformation contained herein.
I will not appreciate being flamed for any errors or omissions. However, if you notice a
glaring inaccuracy, or have suggestions for further improvement, please let me know.
However, please check the version number and date of this document (see the table of
contents) to ensure you are looking at the most recent version. If this document is more
than three months old, please check the Linux Documentation Project home page at
http://metalab.unc.edu/LDP/ in case a newer version is available.
This document, currently, should be considered moderate-beta. I began writing it in
1997, and continue to update it as time permits. Development in the Open Source
community continues at a rapid pace, and at times it is a challenge to keep this
document up to date. As such, this document may have one or more sections which
contain obsolete information.
In short, I make no guarantees for any of this information to be correct. If it helps you
out, that's great!
1.3. A Plea for Help
If you find this document useful and would like to express your appreciation for it,
please consider donating a food item or two to your local food bank.
Chapter 2. Introduction
Linux 2.2.0, released 25-Jan-99: Onwards to World Domination...
Perhaps you are fairly new to Linux and were hoping to find a summary of the kinds of
configuration and administrative tasks that may be required of you from time to time. If
this sounds like you, perhaps this document is just what you've been looking for!
2.1. Scope
This documentation will attempt to summarize the installation and configuration, as
well as the day-to-day administrative and maintenance procedures that should be
followed to keep a Linux-based server or desktop system up and running. It is geared to
an audience of both corporate as well as home users. It is not intended to be a full
overview of Unix operations, as there are several good texts available as well as on-line
documentation which can be referred to in cases where more detailed information is
required.
In general, your Linux system can operate with a minimum of user maintenance.
Routine tasks, such as rotating and discarding of system logs, are automated.
Therefore, for the most part, even with very little user intervention, Linux will hum
along doing its job. However, in cases of custom needs or system failure this
documentation may prove useful.
I currently use Linux both at home and at my place of employment. It has served me
well, and has worked as a reliable Internet and file/print service for my employer for
over four years now.
2.2. Choosing a Linux Distribution
There is quite a variety of Linux distributions from which to choose. Each
distribution offers the same base Linux kernel and system tools, but they differ in
installation method and bundled applications. Each distribution has its own advantages
as well as disadvantages, so it is wise to spend a bit of time researching which features
are available in a given distribution before deciding on one.
The following is a list of a few web sites you can visit, which will describe a given
Linux distribution as well as provide information on how you can download or
purchase it:
http://www.redhat.com/
The Red Hat distribution, by commercial vendor Red Hat Software, Inc., is one of
the most popular distributions. With a choice of GUI- and text-based installation
procedures, Red Hat 6.1 is possibly the easiest Linux distribution to install. It
offers easy upgrade and package management via the RPM utility, and includes
both the GNU Network Object Model Environment (GNOME) and the K
Desktop Environment (KDE), both popular GUI window managers for the X
Window System. This distribution is available for the Intel, Alpha, and Sparc
platforms.
http://www.debian.org/
The Debian distribution, by the non-profit organization known as The Debian
Project, is the darling of the Open Source community. It also offers easy upgrade
and package management via the DEB utility. This distribution is available for
the Intel, Alpha, Sparc, and Motorola (Macintosh, Amiga, Atari) platforms.
http://www.suse.com/
The S.u.S.E. distribution, by commercial vendor S.u.S.E., is another popular
distribution, and is the leading distribution in Europe. It includes the K Desktop
Environment (KDE), and also offers easy upgrade and package management via
the YaST utility. This distribution is available for both Intel and Alpha
platforms.
http://www.caldera.com/
The OpenLinux distribution, by commercial vendor Caldera, is aimed towards
corporate users. With the new OpenLinux 2.2 release, Caldera has raised the bar
with what appears to be the easiest to install distribution of Linux available today.
In addition, it comes standard with the K Desktop Environment (KDE). This
distribution is available for the Intel platform only.
http://www.linux-mandrake.com/
The Mandrake distribution, by commercial vendor MandrakeSoft S.A., integrates
the Red Hat or Debian distributions (your choice) with additional value-add
software packages beyond those included with the original distributions.
http://www.slackware.com/
The Slackware distribution, by Patrick Volkerding of Walnut Creek Software, is
the grandfather of modern distributions of Linux. It offers a fairly simple
installation procedure, but poor upgrade and package management. It is still based on
the libc libraries, but the next version will probably migrate to the newer glibc.
Recommended for users who are more technical and familiar with Linux. This
distribution is available for the Intel platform only.
Listing all the available distributions is beyond the scope of this document, so I've
listed only the most popular. However, further information on the available
distributions can be found in the Distribution-HOWTO guide, available at
http://metalab.unc.edu/LDP/HOWTO/Distribution-HOWTO.html
Tip: If you decide to buy your distribution on CD-ROM, you might be able to find
better pricing at other resellers (for example, I've been quite satisfied on several
dealings with Internet-based software vendor http://www.cheapbytes.com/). On
the other hand, you may wish to pay the higher price to the distribution vendors to
ensure that their offerings continue to improve.
My distribution of choice is Red Hat Linux (it also happens to be, unarguably, the most
popular distribution among Linux users). For almost three years, I was a die-hard
Slackware fanatic (before that I had messed around a bit with a small distribution from
tsx-11 way back in the kernel 0.90a days), and although I've tried Red Hat in the past, I
never could bring myself to say anything good about their distributions. Then, I tried
Red Hat 5.1, and found myself quickly converted! In my opinion, with 5.1, Red Hat
finally got it right.
Some of the reasons I have become a fan of the Red Hat distribution include the ease of
installation, multi-platform support (until recently, Red Hat was the only distribution
vendor to provide its distribution for Intel, Alpha, and Solaris platforms), and, above
all, the RPM package manager. In addition, they put updates to included RPMs on
their FTP site (at ftp://ftp.redhat.com/redhat/updates/) as they become available, which
is a good way of keeping one's system up to date and free of any bugs or security
problems that are discovered from time to time.
Since first loading Red Hat 5.1 on an otherwise unused computer at work for testing
purposes, I have converted two of our main Internet/File & Print servers over from
Slackware to Red Hat and haven't regretted it. I've also loaded it on my system at
home, and installed it on three other systems as light servers as well. In addition, I have
had the opportunity to not only play with the Intel-based versions but with Alpha- and
Sparc-based versions as well. Recently, I've moved all the Linux systems I am
responsible for over to Red Hat 6.1.
Therefore, this document has a definite Red Hat feel to it, and is most relevant for the
Intel-based 6.1 version. However, hopefully most or at least some of the information
contained in this document will be useful to users of other distributions.
Chapter 3. Linux Overview
Welcome to Linux!
3.1. What is Linux?
Linux is a true 32-bit operating system that runs on a variety of different platforms,
including Intel, Sparc, Alpha, and Power-PC (on some of these platforms, such as
Alpha, Linux is actually 64-bit). There are other ports available as well, but I do not
have any experience with them.
Linux was first developed back in the early 1990s, by a young Finnish then-university
student named Linus Torvalds. Linus had a state-of-the-art 386 box at home and
decided to write an alternative to the 286-based Minix system (a small unix-like
implementation primarily used in operating systems classes), to take advantage of the
extra instruction set available on the then-new chip, and began to write a small
bare-bones kernel.
Eventually he announced his little project in the USENET group comp.os.minix, asking
for interested parties to take a look and perhaps contribute to the project. The results
have been phenomenal!
The interesting thing about Linux is, it is completely free! Linus decided to adopt the
GNU Copyleft license of the Free Software Foundation, which means that the code is
protected by a copyright, but protected in that it must always be available to others.
Free means free: you can get it for free, use it for free, and you are even free to sell it
for a profit (this isn't as strange as it sounds; several organizations, including Red Hat,
have packaged up the standard Linux kernel and a collection of GNU utilities, put in their
own flavour of included applications, and sell them as distributions. Some common
and popular distributions are Slackware, Red Hat, SuSe, and Debian)! The great thing
is, you have access to the source code, which means you can customize the operating
system to your own needs, not those of the target market of most commercial
vendors.
Linux can and should be considered a full-blown implementation of unix. However, it
can not be called Unix; not because of incompatibilities or lack of functionality, but
because the word Unix is a registered trademark owned by AT&T, and the use of the
word is only allowable by license agreement.
Linux is every bit as supported, as reliable, and as viable as any other operating system
solution (well, in my opinion, quite a bit more so!). However, due to its origin, the
philosophy behind it, and the lack of a multi-million dollar marketing campaign
promoting it, there are a lot of myths about it. People have a lot to learn about this
wonderful OS!
3.2. Breaking the Myths
I've been using Linux for several years, and I like to think I know a bit about the
operating system and what it can and cannot do. As I'm an avid USENET reader, I
follow the latest developments and of course, the various flame-wars that invariably
crop up (those darn cross-posting advocacy people! ;-) ). I've seen my share of myths
(often called FUD: Fear, Uncertainty, Doubt, which seems to be a common tactic
used by commercial technology vendors to frighten their market away from competing
technologies) that more than a few people believe. So, let me try to run down a few of
the more common ones and attempt to shatter them. :-)
Linux is freeware, hence, it is a toy.
Some people seem to have the notion that, because a piece of software was written by
volunteers with no profit motive in mind, the results must clearly be inferior to
commercial-grade offerings.
This may have been true in the past (I mean, there was a lot of freeware which was
absolute garbage in the DOS and early Windows world), but it is most certainly not true
in recent days.
The power of the Internet has made it possible to bring together some of the brightest
minds around the globe, allowing collaboration on projects they find interesting. The people
who have put a hand into developing Linux or the thousands of GNU utilities and
applications packages are from a diverse background, and all of them have different
personal reasons for wanting to contribute.
Some are hard-core hackers who develop for the love of coding, others have a need for
something (for example, a network traffic monitor for a LAN at work) and decide to
write it themselves, others are academics and computer scientists who are using Linux
for its research qualities.
Unlike a commercial offering where a package is developed and sold, source code
excluded, to the end-user, code used in Linux is scrutinized, debugged, and improved
upon by anyone who has the interest and ability. This act of peer-review is one of the
reasons that Linux offers the high reliability and high performance that it does.
Don't forget: The Internet itself was built and runs almost exclusively on Open Source
projects. The e-mail you exchange on a daily basis with people around the world has an
80% chance of being handled on one or both ends by Sendmail, and the web pages you
browse while Surfin' the Web are served to you by Apache on over 50% of the
world's web sites. Reliable enough for you?
There is no support for Linux.
Hearing this myth somewhat sickens me. And supposedly the other vendors do offer
support? I've had personal experience with one very popular commercial operating
system, where the vendor's so-called support was completely useless.
First of all, there is support for Linux. Yes, commercial support. There are some
companies that can provide as much support as you are willing to pay for; offering
telephone and e-mail support, many offering to come right to your door to deal with the
problem!
However, in 99% of the situations you will run into with Linux, you will be able to
accomplish what you wish if you can simply get the answer to a question or two. This
is easily accomplished on USENET or on any of the many mailing lists available!
I've never had a problem I couldn't find a solution to, by either searching on
http://www.dejanews.com/, or by asking in one of the comp.os.linux.* newsgroups.
Normally I can receive an answer to any of the support issues I ask about within three
to twelve hours of my posting.
Another interesting aspect of Linux is that, because the source code for the entire
kernel and most of the other operating system components is freely available,
key support issues such as security, denial of service, or CPU bugs (such as Intel's
F00F fatal exception) are tracked down and solved very quickly, usually an order of
magnitude faster than solutions offered for similar or identical problems on the
commercial offerings. So, where's the commercial support!?
There are countless others that I would like to debunk, but that is beyond the scope of
this document. However, for further myth debunking, check out the Linux Myth
Dispeller at http://www.KenAndTed.com/KensBookmark/linux/index.html as well as
The Linux FUDfactor FAQ at
http://www.geocities.com/SiliconValley/Hills/9267/fud2.html
3.3. One User's Perspective
I use Linux both at work and at home.
At my place of employment, we are using Linux to provide Internet services for
hundreds of users. These services include TACACS (dial-in modem user)
authentication, web page hosting and proxy caching, as well as SMTP and POP
services. In addition, we are using Linux to provide NFS services, and also for
providing and mounting SMB-protocol (WfW/Win95/WinNT) file & print and FAX
services using the Samba package.
At home, I use Linux for my personal needs, such as Internet services, software
development, and of course game playing (seeing Quake II running on a Linux box is a
thing of beauty)! One of the things I love about Linux is, no matter how hard I pound
on it, it does not crash! It's also a great way to learn, develop, and maintain my Unix
skills.
I am using the Red Hat 6.1 distribution of Linux (see http://www.redhat.com/ for more
information). This distribution includes all the necessary software for a full-blown unix
system: shells, compilers & interpreters, networking support, the X Window System,
and all Internet services (e.g. mail, news, web server, telnet, etc.). The distribution
comes standard with Linux kernel 2.2.5.
At my place of employment, the Linux-based system we use as our primary Internet
server has the following configuration:
Kernel: 2.2.5
Machine: Pentium II @ 300 MHz (bogo-mips 299.83) with PCI-bus, 256 Mb RAM
one 3 Gb Fujitsu IDE hard drive (/dev/hda)
four 4.4 Gb Quantum Fireball SCSI hard drives (/dev/sd0 through /dev/sd3),
24x speed SCSI CD-ROM (/dev/scd0),
Adaptec AHA-131 SCSI controller
HP SCSI DAT tape drive (/dev/st0 and /dev/nst0),
Intel EtherExpress Pro 10/100 Ethernet card
We have a second system, an even nicer Intel box also running Red Hat 5.2, running
in another office location. It provides networked file & print services via Samba, local
web caching via Squid, and secondary DNS services. Unfortunately, this box is over 50
km away from where I usually work, and therefore it's left pretty much on its own; yet
this baby is really my pride and joy! Here are some specs:
Kernel: 2.2.5
Machine: Pentium II @ 350 MHz (bogo-mips 349.80) with PCI-bus, 256 Mb RAM
one 4.1 Gb Quantum Fireball SCSI hard drive (/dev/sda)
four 9.4 Gb Quantum Fireball SCSI hard drives (/dev/rd/c0d0, /dev/rd/c0d1) as
hardware RAID level 5 array,
36x speed SCSI CD-ROM (/dev/scd0),
BusLogic BT-948 SCSI controller
Mylex AcceleRAID 250 (DAC960) RAID controller,
HP SCSI DAT tape drive (/dev/st0 and /dev/nst0),
Intel EtherExpress Pro 10/100 Ethernet card
Having an incredible 24+ Gb of available storage space, with redundant storage
configured as a hardware RAID5 array, is a humbling feeling. The Mylex RAID
controller works great, and I would not hesitate to recommend it to others seeking a
hardware RAID solution! (If you are interested in configuring your Linux system with
a RAID array, see Section 11.2 for details.)
We have four other Linux systems in place: an Alpha, a Sparc, and two Intel boxes, two
of which are being used in production; and then there is my own personal system at
home, but I won't bore you with the details.
This document will attempt to remain as hardware independent as possible, but it may
be helpful to you if you know where I am coming from as far as hardware is concerned.
Chapter 4. Installation and Hardware Configuration
This chapter will detail the procedures needed to install Red Hat 6.1 onto an Intel
system; the procedures are similar whether you choose to install using either GUI- or
text-based installation. Since much of this information is already well documented in
the Red Hat User's Guide (provided as a paper manual in the Official boxed sets,
included in the /doc directory on the CD, as well as available online at
ftp://ftp.redhat.com/pub/redhat/redhat-6.1/i386/doc/rhinst/index.htm), I've skimmed
over much of the details. However, there are a few things which I think are lacking in
the Red Hat guide, and therefore I will attempt to cover those items in greater detail.
4.1. Creating an Installation Diskette
The first step in getting Red Hat's distribution of Linux onto a system is to find
a way of starting the installation program. The usual method of doing so is to create an
installation disk, although if you are installing from CD-ROM, and your system's BIOS
supports it, you should be able to boot directly into the installation program from the
CD.
Otherwise, to create an installation diskette, you'll need to copy the boot.img file (which
is simply an image of an ext2-formatted Linux boot diskette with an additional
installation program) onto a floppy diskette. The boot.img file can be obtained from
the /images directory of the Red Hat CD-ROM disk, or downloaded via FTP from
ftp://ftp.redhat.com in the /pub/redhat/redhat-6.1/i386/images directory (assuming you
are installing Linux on an Intel box).
You can create the boot diskette either from a DOS or Windows system, or from an
existing Linux or Unix system. For your destination diskette, you can use either an
unformatted or a pre-formatted (for DOS) diskette; it makes no difference.
Under DOS: Assuming your CD-ROM is accessible as drive D:, you can type:
d:
cd \images
..\dosutils\rawrite
For the source file, enter boot.img. For the destination file, enter a: (assuming the
diskette you have created is inserted into the A: drive). The rawrite program will then
copy the boot.img file onto the diskette.
Under Linux/Unix: Assuming the boot.img file is located in the current directory
(you may need to mount the CD-ROM under /mnt/cdrom and find the file in
/mnt/cdrom/images), you can type:
dd if=boot.img of=/dev/fd0
The dd utility will copy, as its input file (if), the boot.img file, onto the output file
(of) /dev/fd0 (assuming your floppy drive is accessible from /dev/fd0).
Unless your Linux or Unix system allows write permissions to the floppy device, you may
need to run this command as the superuser. (If you know the root password, type su to
become the superuser, execute the dd command, and then type exit to return to
normal user status.)
With either of the above schemes, you should now have a bootable Red Hat 6.1
installation diskette that you can use to install your new Red Hat Linux system!
4.2. Booting Linux Installation Program
To begin setting up your new Red Hat system, either boot from the installation CD, or
insert the installation diskette in the system's A: drive, and reboot or power-on the
system. After a few moments, the Red Hat installation program screen should appear.
In most cases, you can just press <Enter> to begin the installation process, but if you
are a more experienced user who knows exactly how your hardware devices should be
set up, you can enter expert for the additional information and prompts this feature
provides. (If you do nothing, the default installation procedure will start about 10 to
15 seconds after the installation screen first appears.)
You will then be asked to choose your language (usually English) and your
keyboard type (even in Canada I choose US 101-key), as well as where you are
installing from (such as from your CD-ROM or over the network). Red Hat is very
flexible in where it can be installed from.
Most likely you will choose Local CDROM to install from your Red Hat CD-ROM
(which should be inserted into your CD-ROM device). However, if your system is not
equipped with a CD-ROM device, there are a number of other installation methods you
can choose.
If you have another Linux system (or any other operating system that supports NFS file
mounting), you can use NFS to install from an NFS mount. To do this, you'll need to
have your CD-ROM mounted on the other system (or otherwise have the Red Hat
distribution tree somewhere on the other system; it is possible to download everything
via FTP and then install from your other system's hard drive), make sure you have an
entry in your /etc/exports file allowing access by the new system to the appropriate
directory (see Section 7.6 for details on how to set up and use NFS), and then enter the
appropriate details. Here's an example walk-through:
Insert the Red Hat CD into the other system (eg. a system called spock).
To mount the CD, type:
mount /dev/cdrom /mnt/cdrom -t iso9660
Edit, as the superuser, your /etc/exports file and put in an entry like:
/mnt/cdrom newsys.mydomain.name(ro)
(This says that the new system at newsys.mydomain.name is allowed read-only access to
the directory /mnt/cdrom/ and any subdirectories under it.)
If your new system does not yet have a domain name assigned to it, you can instead use
its IP address:
/mnt/cdrom 10.23.14.8(ro)
(Assuming your new system has 10.23.14.8 as its IP address).
Again, as superuser, type:
killall -HUP rpc.nfsd ; killall -HUP rpc.mountd
This sends a hangup signal to your NFS and mountd daemons so that they re-read
/etc/exports, which is necessary before your new NFS export will work. (On systems
using the nfs-utils package, exportfs -ra does the same job.) Keep the export
read-only and limited to the one host that needs it: the installation tree never needs
to be writable, and an export open to every host hands your install media, or worse a
writable share, to anyone who can reach the server.
Now, from your new system, you can choose NFS as your installation source. You'll be
asked to provide information on your network card, as well as your IP settings. You'll
likely use static IP settings if your system is sitting on a local LAN, or DHCP settings if,
for example, your system is connected to a cable modem. Enter the settings as
appropriate for your new system.
You'll then be asked to enter the NFS server name and Red Hat directory. For our
example system, we would type in spock as the NFS server name, and
/mnt/cdrom/ as the Red Hat directory.
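Before you signal the daemons, it is worth checking that the export you just wrote is as narrow as the one in the walk-through. The following script is an added example and not part of the guide: it reads an /etc/exports file and reports any entry that is exported to every host, has no client at all, is read-write, or disables root squashing. The sample exports file embedded in it is constructed for the example (the two /mnt/cdrom lines are the ones from the walk-through; the others are deliberately bad).

```sh
#!/bin/sh
# Added example (not from the guide): lint an /etc/exports file before
# re-exporting. An installation tree only ever needs a read-only export to the
# one host being installed, so this flags entries exported to every host,
# entries with no client at all, and entries that are read-write or disable
# root squashing. The sample file below is constructed for this example.
# Usage on a real system: lint_exports /etc/exports

EXPORTS_SAMPLE=$(cat <<'EOF'
# constructed sample /etc/exports
/mnt/cdrom newsys.mydomain.name(ro)
/mnt/cdrom 10.23.14.8(ro)
/home/ftp/redhat *(ro)
/export/tree 10.23.14.0/24(rw,no_root_squash)
/mnt/cdrom2
EOF
)

# lint_exports FILE -> prints one line per finding; exit status 1 if any found
lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        if (NF < 2) { print "OPEN (no client listed): " path; bad++; next }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {  # split host(opts) into host and opts
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "*" || client == "") { print "OPEN (exported to any host): " path; bad++ }
            if (opts ~ /(^|,)rw(,|$)/) { print "RW (read-write export): " path " to " client; bad++ }
            if (opts ~ /(^|,)no_root_squash(,|$)/) { print "ROOT (no_root_squash): " path " to " client; bad++ }
        }
    }
    END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}
```

Run it against /etc/exports on the server (spock in the walk-through) before the killall or exportfs step; a clean file produces no output and a zero exit status, and the two /mnt/cdrom entries above pass while the three constructed bad entries are reported. After re-exporting, showmount -e on the new system confirms what the server is actually offering.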
There are other ways of installing Red Hat, such as using a Samba (Windows-style
networking) connection, from an existing partition (such as your DOS or Windows 95
partition) on your hard drive, or via FTP. Check the Red Hat user's guide for more
details on installing using these methods, or just try to struggle through them (the
procedures are really not very difficult!)
Once you have chosen your installation source, Red Hat will ask you if you wish to
Install or Upgrade your system. As you are installing a new system, you
should choose Install. (As an aside, I'm a fairly anal person who never upgrades
new distribution releases over existing systems; I guess having suffered through so
many problems with Microsoft products I have developed a significant mistrust for
upgrading systems as a whole. I prefer to install from scratch, and simply restore from
backup my personal/user and local site files.)
The installation program will then ask you if you have a SCSI adapter. If you answer
yes, you'll be asked to choose the appropriate driver. In some circumstances, Red Hat
will be able to detect your adapter automatically.
Next, you'll be asked to set up your file systems (ie. partition one or more drives for
Linux). There are two tools available for setting up these partitions: the Red
Hat-supplied Disk Druid, and the standard Linux fdisk utility.
Both tools are similar in function, allowing you to specify the partition types and sizes.
However, Disk Druid seems to be a bit more user friendly, and a bit more complete
than fdisk. In fact, if you use fdisk to partition your drives, you'll then be presented
with the Disk Druid screen for specifying your mount points anyway. That being said,
as an ex-Slackware user, I personally always use fdisk; force of habit, I guess! :-)
The next section will detail how and why you should set up your partition information.
4.3. Partitioning Hard Drive(s)
Why partition, anyway? Well, although it is possible to get a perfectly functioning
Linux system running on a single-partition system, and, in fact, it is a bit easier to
configure this way, there are a number of benefits from partitioning one or more of your
storage devices into multiple partitions.
While it is true that Linux will operate just fine on a disk with only one large partition
defined, there are several advantages to partitioning your disk for at least the four main
file systems (root, usr, home, and swap). These include:
First, it may reduce the time required to perform file system checks (both upon bootup
and when doing a manual fsck), because these checks can be done in parallel. (By the
way, NEVER run an fsck on a mounted file system!!! You will almost certainly regret
what happens to it. The exception to this is if the file system is mounted read-only, in
which case it is safe to do so.) Also, file system checks are a lot easier to do on a
system with multiple partitions. For example, if I knew my /home partition had
problems, I could simply unmount it, perform a file system check, and then remount the
repaired file system (as opposed to booting my system with a rescue diskette into
single-user mode and doing the repairs).
Second, with multiple partitions, you can, if you wish, mount one or more of your
partitions as read-only. For example, if you decide that everything in /usr will not be
touched even by root, you can mount the /usr partition as read-only.
Finally, the most important benefit that partitioning provides is protection of your file
systems. If something should happen to a file system (either through user error or
system failure), on a partitioned system you would probably only lose files on a single
file system. On a non-partitioned system, you would probably lose them on all file
systems.
This little fact can be a big plus. For example, if your root partition is so corrupted you
can't boot, you can basically boot from the rescue diskette set, mount your root
partition, and copy what you can (or restore from backup; see Chapter 8 for details on
how files can be backed up and restored) to another partition such as home, and then
reboot once again using the emergency boot disk, passing root=/dev/hda3 as a boot
parameter (assuming the partition containing your temporary root file system is the third
partition of hda), to boot your fully functional Linux box. Then you can run an fsck on
your unmounted corrupt root partition.
I have had personal experience in file system catastrophes, and I was very grateful for
having had the damage limited due to the use of multiple partitions.
Finally, since Linux allows you to set up other operating system(s) (such as Windows
95/98/NT, BeOS, or what-have-you), and then dual- (or triple-, ...) boot your system,
you might wish to set up additional partitions to take advantage of this. Typically, you
would want to set up at least one separate partition for each operating system. Linux
includes a decent boot loader (called LILO on Intel-based systems, although much the
same thing is available as MILO on Alpha, and SILO on Sparc) which allows you to
specify which operating system you want to boot at power on, with a time-out default
boot of your favorite operating system (probably Linux, right?)
You should partition a disk (or disks) according to your needs. In my experience on
Intel, Alpha, and Sparc platforms, for a fairly loaded system (feature-wise), doing a fair
amount of tasks (as a desktop system at home, or as an Internet server at work), I have
found the following approximation of space works pretty effectively for determining a
partition size.
Given:
A given disk of X Mb/Gb (eg. 2 Gb)
(Or, more than one disk with a combined total of X Mb/Gb)
Calculate:
(swap)     about double main RAM (eg. 64 Mb system gets 128 Mb swap)
/ (root)   about 10% of available (eg. 200 Mb)
/home      about 20% of available (eg. 400 Mb)
/usr       any remaining space (eg. 1272 Mb)
/var       (optional - see below)
/boot      (optional - see below)
/archive   (optional - see below)
Of course, the above amounts are approximate guidelines only. Obviously you are
going to want to juggle those percentages around a bit depending on what you are
going to use your Linux system for. If you are going to be doing stuff like adding lots
of bulky applications such as WordPerfect or Netscape, or perhaps adding Japanese
character support, you would probably benefit from a bit more /usr space.
I always seem to have a lot of space available on /home, so if your users aren't doing
much (or you have imposed strict quota sizes), or you aren't offering shell accounts and
personal web pages, etc., you probably could lower /home space and raise /usr.
Here is a description of the various mount points and file system information, which
may give you a better idea of how to best define your partition sizes for your own needs:
/ (root) - used to store things like temporary files, the Linux kernel and boot image,
important binary files (things that are needed before Linux can mount the /usr
partition), and more importantly log files, spool areas for print jobs and outgoing
e-mail, and users' incoming e-mail. It is also used for temporary space when
performing certain operations, such as building RPM packages from source RPM
files. Therefore, if you have a lot of users with a lot of e-mail, or think you will need
plenty of temporary space, you might want more space available. The partition type
should be left as the default of 83 (Linux native). In addition, you'll probably toggle
the bootable flag on this partition to allow boot information to be stored here.
/usr/ - should be the largest partition, because most of the binary files required by
Linux, as well as any locally installed software, web pages, Squid proxy cache,
Samba share services, some locally-installed software log files, etc. are stored here.
The partition type should be left as the default of 83 (Linux native).
/home/ - typically if you aren't providing shell accounts to your users, you don't
need to make this partition very big. The exception is if you are providing user home
pages (such as school web pages), in which case you might benefit from making this
partition larger. Again, the partition type should be left as the default of 83 (Linux
native).
(swap) - Linux provides something called virtual memory to make a larger amount
of memory available than the physical RAM installed in your system. The swap
partition is used with main RAM by Linux to accomplish this. As a rule of thumb,
your swap partition should be at least double the amount of physical RAM installed
in your system.
If you have more than one physical hard drive in your system, you can create
multiple swap partitions. This can improve the performance of swapping by taking
advantage of parallel disk access. For example, on a 256 Mb system with four drives,
I would probably create four 128 Mb swap partitions, for a total of 256 Mb RAM,
512 Mb swap (for a combined total of 768 Mb available as virtual memory). The
partition type needs to be changed to 82 (Linux swap).
Note: It is a common misconception that Linux has a 128 Mb swap size limit.
This was true in the past, but in modern Linux distributions, the size depends on
your architecture (for example, Intel systems can have swap sizes as large as 2
Gb). Type man mkswap for more information.
/var/ (optional) - You may wish to consider splitting up your / (root) partition a bit
further. The /var directory is used for a great deal of runtime storage, including mail
spools (both incoming and outgoing), print jobs, process locks, etc. Having this
directory sit on the / (root) partition may be a bit dangerous because a large amount of
incoming e-mail (for example) may suddenly fill up the partition. Since bad things
can happen (eg. system crash?) when the / (root) partition fills up, having /var on its
own partition may avoid such problems. I've had success in taking whatever space
I've allocated to / (root), perhaps doubling it, and then creating separate partitions for
/ (root) and for /var. The partition type should be left as the default of 83 (Linux
native).
/boot/ (optional) - In some circumstances (such as a system set up in a software
RAID configuration) it may be necessary to have a separate partition from which to
boot the Linux system. This partition would allow booting and then loading of
whatever drivers are required to read the other file systems. The size of this partition
can be as small as a couple Mb; I recommend approximately 10 Mb (which should
give you plenty of room to store the kernel, initial RAMdisk image, and perhaps a
backup kernel or two). The partition type should be left as the default of 83 (Linux
native).
/archive/ (optional) - If you have any extra space lying around, perhaps you would
benefit from a partition for a directory called, for example, /archive. You can then
use the /archive directory to store backup material, large or infrequently accessed
files, Samba file services, or whatever else you can find a use for it. The partition type
can be left as the default of 83 (Linux native), or if you want to access it from both
Linux as well as from another operating system, you could change it to a different
ID, such as 6 (DOS 16-bit >=32M).
As extra drive(s) are added, further partitions can be added to the new drives, mounted
at various mount-points as required; this means a Linux system never needs to worry
about running out of space. As an example, if in the future it is clear that sda6 is
starting to get filled up, we could add another drive, set up a nicely sized partition with a
mount-point at /usr/local and then transfer all the information from /usr/local over to
the new drive. No system or application component would break because Linux
would see /usr/local no matter where it was located.
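Separate partitions also let you give each one only the privileges it needs, which is where the read-only /usr mentioned above comes from. The following script is an added example, not part of the guide, and goes a step beyond the text: besides mounting /usr read-only it refuses set-uid binaries and device nodes on the partitions where untrusted data lands (/home and /var), by appending mount options in /etc/fstab. The device names follow the Intel example later in this section (hda5 for /, hda6 for /usr, hda7 for /home, hda8 for swap); a separate /var on hda9 is an assumption for illustration, and the fstab text is constructed.

```sh
#!/bin/sh
# Added example (not from the guide): turn the separate partitions described
# above into mount options that limit what each one can do. /usr is mounted
# read-only and without device nodes; /home and /var, where untrusted data
# lands, refuse set-uid binaries and device nodes. Device names follow the
# guide's Intel example (hda5 /, hda6 /usr, hda7 /home, hda8 swap); a separate
# /var on hda9 is assumed for illustration. The fstab text is constructed.

FSTAB_SAMPLE='/dev/hda5 / ext2 defaults 1 1
/dev/hda6 /usr ext2 defaults 1 2
/dev/hda7 /home ext2 defaults 1 2
/dev/hda9 /var ext2 defaults 1 2
/dev/hda8 swap swap defaults 0 0'

# required_opts MOUNTPOINT -> comma list of options this policy expects there
required_opts() {
    case "$1" in
        /usr)  echo "ro,nodev" ;;
        /home) echo "nosuid,nodev" ;;
        /var)  echo "nosuid,nodev" ;;
        *)     echo "" ;;
    esac
}

# lint_fstab FSTAB_TEXT -> prints "MOUNTPOINT missing OPTION" per gap; status 1 if any
lint_fstab() {
    bad=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank or comment line
        want=$(required_opts "$mnt")
        [ -n "$want" ] || continue
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$opts," in
                *",$opt,"*) ;;                          # already present
                *) echo "$mnt missing $opt"; bad=1 ;;
            esac
        done
    done <<EOF
$1
EOF
    return $bad
}

# harden_fstab FSTAB_TEXT -> same table with any missing required options
# appended (later options override earlier ones, so "defaults,ro,nodev" is
# a read-only mount without device nodes)
harden_fstab() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        want=$(required_opts "$mnt")
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$opts," in *",$opt,"*) ;; *) opts="$opts,$opt" ;; esac
        done
        printf '%s\t%s\t%s\t%s\t%s %s\n' "$dev" "$mnt" "$fstype" "$opts" "$dump" "$pass"
    done <<EOF
$1
EOF
}
```

Apply the result with mount -o remount /usr (and likewise for /home and /var), and remember that a read-only /usr has to be remounted read-write (mount -o remount,rw /usr) before package updates such as those in Section 4.9 can be installed. The policy deliberately does not put noexec on /var, because rpm unpacks and runs its install scripts from /var/tmp.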
To give you an example of how one might set up partitions, I have used the following
partitioning scheme on an Intel system (dual boot, Windows 95 and Linux):
Device     Boot  Begin  Start  End  Blocks    Id  System
/dev/hda1  *     1      1      254  1024096+  6   DOS 16-bit >=32M
/dev/hda2        255    255    782  2128896   5   Extended
/dev/hda5        255    255    331  310432+   83  Linux native
/dev/hda6        332    332    636  1229728+  83  Linux native
/dev/hda7        637    637    749  455584+   83  Linux native
/dev/hda8        750    750    782  133024+   82  Linux swap
The first partition, /dev/hda1, is a DOS-formatted file system used to store the
alternative operating system (Windows 95). This gives me 1 Gb of space for that
operating system.
The second partition, /dev/hda2, is a primary partition of type extended that
encompasses the remaining space on the drive. It is used only to encapsulate the
remaining logical partitions (there can only be 4 primary partitions on a disk; in my
case I required more than 4 partitions, therefore I had to use a logical partitioning
scheme for the others).
The third through fifth partitions, /dev/hda5, /dev/hda6, and /dev/hda7, are all
ext2-formatted file systems used for the / (root), /usr, and the /home partitions,
respectively.
Finally, the sixth partition, /dev/hda8, is used for the swap partition.
For yet another example, this time an Alpha box with two hard drives (sole boot, Linux
only), I have chosen the following partitioning scheme:
Device     Boot  Begin  Start  End   Blocks   Id  System
/dev/sda1        1      1      1     2046     4   DOS 16-bit <32M
/dev/sda2        2      2      168   346859   83  Linux native
/dev/sda3        169    169    231   130851   82  Linux swap
/dev/sda4        232    232    1009  1615906  5   Extended
/dev/sda5        232    232    398   346828   83  Linux native
/dev/sda6        399    399    1009  1269016  83  Linux native
/dev/sdb1        1      1      509   2114355  83  Linux native
/dev/sdb2        510    510    1019  2118540  83  Linux native
The first partition, /dev/sda1, is a DOS-formatted file system used to store the MILO
boot loader. The Alpha platform has a slightly different method of booting than an Intel
system does, therefore Linux stores its boot information in a FAT partition. This
partition only needs to be as large as the smallest possible partition allowed, in this
case 2 Mb.
The second partition, /dev/sda2, is an ext2-formatted file system used for the / (root)
partition.
The third partition, /dev/sda3, is used for the swap partition.
The fourth partition, /dev/sda4, is an extended partition (see previous example for
details).
The fifth and sixth partitions, /dev/sda5 and /dev/sda6, are ext2-formatted file systems
used for the /home and /usr partitions, respectively.
The seventh partition, /dev/sdb1, is an ext2-formatted file system used for the /archive
partition.
The eighth and final partition, /dev/sdb2, is an ext2-formatted file system used for the
/archive2 partition.
After you finish setting up your partition information, you'll need to write the new
partition table to disk. After this, the Red Hat installation program reloads the partition
table into memory, so you can continue on to the next step of the installation process.
4.4. Setting up Swap Space
Once you've set up your partition information, and have assigned mount points (ie.
/usr is the mount point for the /usr file system), the installation program will ask you
which partition(s) it should use for swap space. Since your swap partitions should
already be identified as such (partition ID # 82), you can press <Enter> to begin
formatting those partition(s) for swap usage. I recommend you enable the Check for
bad blocks during format option to ensure the partition is free of potentially damaging
problems. It does slow down the formatting process substantially but I believe it is
worth the tradeoff.
4.5. Choosing Partitions to Format
Now, the installation program will display a list of the partitions you have assigned to
Linux, and ask you to select which, if any, of these partitions you want to format as new
file systems. Likely, you will want to format all of them, except if you are upgrading
your system or perhaps have some information (eg. on /home) that you don't want to
lose.
Again, I recommend you enable the Check for bad blocks during format
option.
4.6. Choosing Desired Packages to Install
Next, you'll be presented with a list of system components and asked to specify which
ones should be installed. If you are an experienced Linux user, you can pick and choose
according to your needs. If you are new to Linux, you'll likely want to select the
bottom option, Everything. Bear in mind that Everything also installs every network
service on the CD, several of which will be started at boot; on a machine that will be
reachable from the Internet, install only what you need and turn off the rest.
What I usually do is select the components I know I'll need, and then enable the
Select individual packages option, which allows me to control the
installation in finer detail.
Once you have chosen your desired components, select Ok to begin installation. If
you have enabled Select individual packages, you'll be asked to specify
which individual packages should be installed. This is fairly straightforward, and if you
are unsure of what a given package is for, you can press the <F1> key for a brief
description of what it does.
Don't worry if you make a mistake choosing (or not choosing) a package or two. After
all, all the packages are on your CD-ROM (or other source media), so you can use the
handy Red Hat RPM tool to make adjustments after your system is up and running (see
Section 10.1 for details).
After you have chosen the packages you wish to install, the installation program will
now format the partitions you have defined. This may take several minutes, especially
for larger partitions or if you've enabled bad block checking, so please don't think your
system has frozen during this procedure!
After the format completes, Red Hat Linux will begin installation of the selected
packages. This should take between ve and fteen minutes to complete, depending on
the speed of your system.
4.7. Hardware Configuration
After package installation, Red Hat will begin configuring the devices on your system.
In most cases, except with very new hardware that may not be fully supported by
Linux, the installation program does a good job of automatic configuration.
The prompts you will see are very straightforward:
Detection of your mouse (including choosing between 2- and 3-button models. If
you have a 2-button mouse you'll likely want to enable 3-button emulation.)
Detection of your video card
Choosing your monitor
Running of Xconfigurator to configure the X Window System (you'll want to
Probe your card. If you get an error here, don't worry as you can take care of X
configuration later, after your system is up and running; see Chapter 5 for details.)
Selection of video modes (you can choose the defaults, or you can fine-tune the
video modes you'll want to use under the X Window System)
LAN configuration
Clock and timezone configuration
Startup services (the default selection is probably best, but again, you can press <F1>
for a description of what a given service does; turn off anything you know you will not
use, since every service left running is one more thing exposed to the network)
Printer configuration
Assignment of root password (choose something secure!)
Creation of a boot disk [ don't be lazy! Make one! :-) ]
4.8. Booting with LILO
Next, the installation program needs to write a boot loader to your hard drive. The boot
loader (LILO on Intel systems) is responsible for booting Linux along with any other
operating systems if you have set up your system for multi-boot (see Section 4.8.1 for
details on this).
The Lilo Installation dialog box will ask you to choose where the boot loader
image should be written to. You'll likely want to install it on the master boot record of
your first drive (usually /dev/hda for IDE, /dev/sda for SCSI).
Once you have selected the location for writing the boot loader, a second dialog box
will appear, allowing you to enter extra boot-time configuration parameters. Usually
you don't need to enter anything here, but if you have more than 64 Mb of RAM you'll
need to enter a special parameter in order to have Linux make use of the extra RAM
(otherwise, it will only use the first 64 Mb). For example, if your system has 128 Mb of
RAM, you should enter:
append="mem=128M"
If your system has SCSI drives, or you wish to install LILO on a partition with more
than 1023 cylinders, it may be necessary to enable the option to Use linear mode.
If it is not, enabling this option shouldn't hurt anything, so it is probably a good idea to
do so.
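The same boot prompt that accepts parameters such as mem=128M also accepts init=/bin/sh or single, which gives anyone at the console a root shell without a password. LILO can be told to demand a password before it honours typed parameters. The script below is an added example and not from the guide: LILO_INSECURE is a constructed lilo.conf modelled on what the installer writes for the Intel example in Section 4.3 (the kernel version, labels and root device are assumptions), lilo_conf_is_hardened checks whether the global section already carries the protection, and harden_lilo_conf inserts it.

```sh
#!/bin/sh
# Added example (not from the guide): close the boot-prompt hole in LILO.
# Without a password, anyone at the console can type "linux init=/bin/sh" or
# "linux single" at the LILO prompt and get a root shell without logging in.
# LILO_INSECURE is a constructed lilo.conf modelled on what the installer
# writes for the Intel example above (kernel version and labels assumed);
# harden_lilo_conf adds the two global options that close the hole.

LILO_INSECURE='boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
linear
image=/boot/vmlinuz-2.2.12-20
        label=linux
        root=/dev/hda5
        append="mem=128M"
        read-only
other=/dev/hda1
        label=dos
        table=/dev/hda'

# lilo_conf_is_hardened TEXT -> status 0 if both "restricted" and "password="
# are set in the global section (before the first image= or other= entry)
lilo_conf_is_hardened() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(image|other)=/ { in_entry = 1 }
        !in_entry && /^[ \t]*restricted[ \t]*$/ { r = 1 }
        !in_entry && /^[ \t]*password=/ { p = 1 }
        END { if (r && p) exit 0; exit 1 }'
}

# harden_lilo_conf TEXT PASSWORD -> TEXT with restricted/password inserted
# right after the global "prompt" line. "restricted" means the password is
# only demanded when extra parameters are typed at the prompt, so a plain
# unattended reboot into the default entry still works.
harden_lilo_conf() {
    printf '%s\n' "$1" | awk -v pw="$2" '
        { print }
        /^[ \t]*prompt[ \t]*$/ { print "restricted"; print "password=" pw }'
}
```

The password is stored in clear text, so chmod 600 /etc/lilo.conf after editing it, and run /sbin/lilo afterwards: the change only takes effect once the boot map has been rewritten. This protects the boot prompt only; someone who can boot the machine from a floppy or CD bypasses LILO entirely, so pair it with the BIOS boot order and a BIOS password where the machine is physically exposed.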
4.8.1. Multi-boot with Other Operating Systems
Finally, if you've set up your system to multi-boot Linux with other operating
system(s), you'll be presented with a third dialog box which lists the available
partitions. Here, you can assign names to your other operating systems (which you
enter at the LILO prompt at boot time to boot your desired operating system). The
installation program does assign default names to each bootable partition, so it isn't
necessary to change them unless you don't like the defaults.
The default operating system that will boot upon system start up will, of course, be
Linux. However, if you wish, you can change the default to any of the other operating
systems you have defined.
After installing the boot loader on your hard drive, the installation program should
hopefully present you with a Congratulations dialog box, indicating that Linux has
been successfully installed. Remove the installation floppy diskette (if any), and press
<Enter> to reboot your system...into Linux!
Linux will boot, and if all goes well you should see a login prompt. From here, you
should be able to log in as root using whatever password you have assigned during
the installation process.
4.9. Downloading and Installing Red Hat
Updates
Red Hat has produced some pretty impressive versions of their distribution so far, but
seems to have a history of releasing them when they are not quite ready for prime
time. Therefore in order to take full advantage of your Linux system, it is necessary to
download and apply updated packages. These packages, also called rpm files, are
applied using the RPM utility (for details on this utility, see Section 10.1).
This will prove to be one of the more time-consuming parts of getting your Linux
system ready (unless you have a stellarly fast Internet connection). However, take the
time to do this! You will likely save yourself a lot of grief!
First, download all files from:
ftp://ftp.redhat.com/redhat/updates/6.1/i386/
(The above assumes you are using Linux on an Intel box.)
You should probably download everything into a single directory, and then you can
simply type: rpm -Uvh * which will upgrade all the packages. If you've
downloaded any kernel rpm files, you should probably move them to another directory
for now. Upgrading or customizing your kernel is a bit more complicated and needs to
be done with great care (see Section 10.4 for details on this). Therefore before you
apply the upgrades, you may wish to consider moving all the kernel-*.rpm files out of
your temporary upgrade directory.
To apply the upgrades, you can simply run rpm against all the packages at once (ie.
rpm -Uvh *), or if you prefer, you can upgrade them one at a time (ie. rpm -Uvh
file_to_upgrade.rpm). The latter method is for us anal types who wish to ensure
that each update is applied correctly without error. :-) Either way, check the packages
before installing them: anonymous FTP gives you no assurance that what arrived is
what Red Hat published, and rpm --checksig will verify each package's signature
once Red Hat's public key is on the keyring that rpm consults.
Perhaps you are curious to see if a given package is installed before you attempt to
upgrade it. Or perhaps you wish to find out what version of a given package is
installed. All this can be done with the RPM utility; see Section 10.1 for details.
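Putting the steps above together, the following script is an added example and not from the guide: it moves the kernel-*.rpm files aside, checks every remaining package with rpm --checksig, and only then runs rpm -Uvh on the directory. The directory names are assumptions, the package file names used in the test are constructed, and the signature test is a pattern match on rpm's output because the exact wording differs between rpm versions.

```sh
#!/bin/sh
# Added example (not from the guide): stage a directory of downloaded updates
# before running rpm -Uvh on it. Anonymous FTP gives no assurance that the
# packages are what Red Hat published, so each one is checked with
# rpm --checksig and the kernel-*.rpm files are moved aside as described above.
# Directory names are assumptions; package file names in the demo are constructed.

# hold_kernel_rpms DIR HOLD_DIR -> moves DIR/kernel-*.rpm into HOLD_DIR and
# prints each file name moved (kernel upgrades are handled separately, Section 10.4)
hold_kernel_rpms() {
    mkdir -p "$2"
    for f in "$1"/kernel-*.rpm; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        mv "$f" "$2"/ && basename "$f"
    done
}

# verify_rpms DIR -> runs rpm --checksig on every package in DIR; status 1 if
# any package fails the check or carries no PGP/GPG signature at all.
# Red Hat's public key must already be on the keyring rpm consults (see the
# rpm man page); the output wording differs between rpm versions, so the
# signature test is a pattern match (assumption).
verify_rpms() {
    bad=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        if out=$(rpm --checksig "$f" 2>&1) && echo "$out" | grep -qi -e pgp -e gpg; then
            echo "OK   $(basename "$f")"
        else
            echo "FAIL $(basename "$f"): $out"
            bad=1
        fi
    done
    return $bad
}

# apply_updates DIR -> the whole procedure; refuses to upgrade anything if a
# single package fails verification
apply_updates() {
    hold_kernel_rpms "$1" "$1/kernel-held" >/dev/null
    verify_rpms "$1" || { echo "signature check failed; nothing upgraded" >&2; return 1; }
    rpm -Uvh "$1"/*.rpm
}
```

Run apply_updates /tmp/updates (or whatever directory you downloaded into) as root. A package that fails verification is a reason to re-download it from a different mirror and compare, not to install it anyway; a FAIL reported as missing keys means Red Hat's key has not been added to the keyring yet.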
Chapter 5. Configuring the X Window System
The X Window System, aka X (commonly and incorrectly known by many as
X-Windows), is a GUI which sits on top of Linux. Unlike Microsoft Windows, the X
Window System can look and operate in a large variety of different ways. It can operate
very primitively or very advanced, look beautiful or ugly, be sleek and fast or bloated
and slow (each of which are subjective qualities which cause as many arguments
among users as the Linux vs. Microsoft NT debate seems to).
Getting X working properly can range from simple to hair-pulling complicated! It is a
common complaint among users who are new to Linux, and I've fought with
configuration settings countless times myself, so I'm completely empathic about this.
Fortunately, such configuration is becoming easier and more automated in the newer
distributions of Linux. In fact, if you are using Red Hat 6.1 you will probably not have
to worry about this issue.
Although in a majority of cases X can be configured automatically, there are
exceptions; I would recommend you know or find out the type of video card and
amount of video RAM your system has installed, as well as the type of monitor and its
horizontal and vertical sync rates (this information is usually available in the back
pages of the monitor's user's guide, or can be found on the WWW).
5.1. Getting the X Window System Working
with Xconfigurator
There are two main methods of getting X working under Red Hat's distribution of
Linux. The first and easiest method is to use Red Hat's own Xconfigurator utility.
The utility tries to detect your hardware and installs the applicable X software with the
appropriate configuration settings.
If you are still unsuccessful after trying out various settings with Xconfigurator, you
may have better luck with the xf86config utility. Although certainly not as
user-friendly or attractive as Xconfigurator is, it gives you finer control over the
configuration process.
Finally, if you are still out of luck you may have to resort to editing the
/etc/X11/XF86Config file by hand and tweaking various settings. If this is the case,
you may need to get help from the Linux community (see Section 13.3 for details).
Relax, however; in a majority of cases Xconfigurator does an adequate job!
After getting X working properly, you may be disappointed in the lack of rich colours.
This is because X uses a default 8-bit per pixel (bpp) colour depth. You can use
higher colour depths, however, assuming your video hardware will support them.
The various colour depths are listed in your /etc/X11/XF86Config file, and look like
this:
Subsection "Display"
Depth 24
Modes "800x600" "1024x768"
ViewPort 0 0
Virtual 1024 768
EndSubsection
The above section shows the possible resolutions which are available when using the
24-bit colour depth (800x600 and 1024x768, as listed in the Modes line); these
resolutions can be switched between on-the-fly using the <Ctrl><Alt><+> and
<Ctrl><Alt><-> keys (with the + and - on the numeric keypad).
Tip: As a default, when X starts up it does so using the first resolution listed. If you
dislike this behaviour as much as I do, simply edit the /etc/X11/XF86Config file
and reverse the resolutions (ie. 1024x768 800x600).
When you are getting things set up, you can test each colour depth manually by typing
startx -- -bpp 24 (for the 24-bit depth) and make sure X is working properly for
the colour depth you wish to use.
If you are able to successfully use a higher colour depth and wish to use it as the
default, you will need to create a /etc/X11/xinit/xserverrc file as follows:
exec X :0 -bpp 24
The above change will allow X to use 24 bits per pixel (if you have problems with this,
try 16 or 32 instead of 24).
Assuming you have congured X properly, starting it is a simple matter of typing
startx as any user. The X GUI will start, and after you have nished your session
and quit X, you will be returned to the regular Linux console.
Optionally, X can start up at system boot, and always run (see Section 5.2 for details on
how to accomplish this). This can be handy for those users who dislike seeing the
boring black & white console, or for those who wish to avoid dealing with command
line shells as much as possible.
5.2. Using the X Desktop Manager
If you wish, you may use the X Desktop Manager (xdm) to start up the X Window
System automatically at system boot time. This allows your Linux system to always
run under X (although you can switch between the GUI and regular consoles with
<Alt>-<F1> and <Alt>-<F7> as needed). This is a nice way of providing an
attractive and friendly environment for your users, and avoid having to type startx
all the time.
To enable xdm, simply edit the /etc/inittab le and change the line that reads
id:3:initdefault: to the following:
id:5:initdefault:
The above change will switch Linux to run level 5 upon system boot up; this run level,
by default, will start xdm. You may also wish to check your /etc/inittab le,
probably near the bottom, to ensure the following line is present:
x:5:respawn:/usr/bin/X11/xdm -nodaemon
If you have enabled xdm and wish to use a higher bpp value than the default of 8
(and your video card and monitor will support it), you will need to modify the
/etc/X11/xdm/Xservers file as follows:
:0 local /usr/X11R6/bin/X -bpp 24
The above change will start the xdm at 24 bits per pixel.
You may also wish to edit the /etc/X11/xdm/Xsetup_0 file and, with a # character,
comment out the line that starts xbanner as shown:
#/usr/X11R6/bin/xbanner
This will prevent the default xdm banner screen from displaying for a split second
between KDE sessions. Aesthetics, I know, but...
Tip: Sometimes you may find it necessary to switch back to the console (for
example, certain games run under the console but not under X). There are two
ways of doing this. To temporarily switch away from X to the console, press
<Alt><F1>, and to switch back to X again, press <Alt><F7>. Or, if you wish to
terminate X altogether (thus freeing up your available memory), you can type
/sbin/telinit 3 as root to switch the system run-level; this tells XDM to
terminate. To switch back, type /sbin/telinit 5.
5.3. Improving Font Appearance Under X
Quite frankly, X has never been known for having particularly attractive fonts. In fact,
many people resign themselves to the notion that having ugly, nasty fonts is an
unfortunate fact of life under X.
Fortunately, it is possible to dramatically improve the look of, and increase the number
of fonts you can use, under X. In fact, if you own a copy of Windows, you can even
copy over the TrueType fonts from that platform and use them under X as well! Such
font support is accomplished by using a font server such as xfstt or xfs.
Red Hat 6.1 now includes support for xfs built in, and as a result provides attractive
font support right out of the box. Therefore, if you're using this version of Linux, you
may be satisfied with the way things are. However, there are a couple of things you can
do to improve things still further, as well as make use of your TrueType fonts if you
have them available.
To enable TrueType font support, create a directory (eg.
/usr/local/share/ttfonts) and copy any or all of the font files from your
Windows system (where they can be found in the c:\windows\fonts directory) into
the new directory.
Tip: If you do not have any TrueType fonts available to you, you can download
them directly from Microsoft at
http://www.microsoft.com/typography/fontpack/default.htm.
To make use of the fonts, from within your new ttfonts directory, type the following
(as root):
ttmkfdir -o fonts.scale
mkfontdir
Next, edit the /etc/X11/fs/config file and add your new font directory to the list
of existing directories. Also, change the default-point-size from 120 to 140,
which will give you larger, more readable fonts.
Finally, exit X (if you haven't done so already), and restart your xfs server as follows:
/etc/rc.d/init.d/xfs restart
Then restart X and enjoy your glorious new fonts!
For more detailed information on improving font support under X, there is a very
excellent resource called the XFree86 Font Deuglification Mini HOW-TO at
http://www.frii.com/~meldroc/Font-Deuglification.html.
5.4. Choosing a Window Manager for X
Now, you should decide on a window manager. The X Window System is simply the
environment which allows graphics to be displayed on your system's hardware; the
window manager is responsible for how X looks and how it interacts with you and your
applications.
The Red Hat distribution of Linux contains several window managers, including fvwm,
olvm, twm, AfterStep, and others. The default one that you will probably see when
starting up X for the first time is fvwm95, a Win95-like environment.
Personally, I find the usual offerings differ from my own tastes, and I recommend using
either GNOME or KDE (or both!), whose installations are covered in the next two
sections.
5.5. GNOME Installation and Configuration
The GNU Network Object Model Environment (GNOME) is a windowing environment
that enhances your X window environment. It is full-featured, including a large
selection of applications you may find useful. However, at the time of this writing,
GNOME still has a few minor bugs, meaning you may have to put up with errant
behaviour at times. However, it is fairly stable and definitely usable!
If you're using Red Hat 6.1, the latest version of GNOME (at least, the latest at the time
of this writing!) is included with the distribution. Otherwise, you will need to
download the latest RPM distribution of the package. At the time of this writing, the
RPM files for Red Hat 6.0 i386 systems can be found at
ftp://ftp.gnome.org/pub/GNOME/RHAD/redhat-6.0/i386/ (or from a mirror site).
Note: If you're using Red Hat 6.0, you should be aware that it was shipped with a
fairly buggy version of GNOME. You should download the latest RPMs from the
FTP site as described above.
After you have all the necessary files, the GNOME package can be installed with a
simple command, typed as root:
rpm -Uvh gtk*.rpm *.rpm
(The above command ensures the GTK libraries are installed first, to avoid dependency
errors from occurring).
Contrary to popular belief, GNOME is actually not a Window manager, but instead sits
on top of your favorite one, providing added functionality to it. Therefore, once you
have installed GNOME, you should decide which window manager you wish to use,
and create a .xinitrc file in your directory which loads the appropriate window
manager and starts GNOME. The file should look something like this:
afterstep &
exec gnome-session
The above file will load AfterStep for the window manager, and then run GNOME on
top of it.
More information on the GNU Network Object Model Environment can be found on
the GNOME web page at http://www.gnome.org/
5.6. KDE Installation and Configuration
The K Desktop Package (KDE) is another popular window manager that is somewhat
more mature than GNOME is at the time of this writing. However, it seems to require a
bit more memory resources than GNOME does, so take into consideration the amount
of RAM you have available on your system (if you have anything less than 64 Mb of
RAM and 128 Mb of swap, you might be better off using GNOME).
The first step for installing KDE is to download the latest RPM distribution of the
package. To do so, locate an FTP mirror at http://www.kde.org/mirrors.html. Try to
choose a mirror that is close to your geographic location, but make sure whichever one
you choose is updated often (which can be determined by looking at the list of mirrors).
When you have found a suitable mirror, download all the RPM files which are
applicable to your version of Red Hat and your platform. For example, if you are using
Red Hat 5.2 (or above) on an Intel platform, you will likely want to download the
package from the
/pub/mirrors/kde/stable/latest/distribution/rpm/RedHat-5.2/i386/
directory on the FTP mirror.
After you have all the necessary files, the KDE package can be installed with the
following simple commands, typed as root (make sure you are in the directory where
all your KDE rpm files are):
rpm -Uvh qt*.rpm
install-kde-1.1-base
The above commands will install the Qt libraries first, and then install the KDE base
package. Once this is done, you should log off and log back in (or if you are su'd as
root, just exit and su again) so that your path environment is set appropriately, then
type:
install-kde-1.1-apps
The above command will install the application programs.
This installation procedure is discussed in more detail in the file
readme-redhat-rpms.txt that should have been included with the KDE files you
downloaded.
If all goes well, and KDE has been installed without any error messages, you may, if
you wish, configure KDE to be the default window manager for any of your users (the
one they will see immediately after typing startx), by typing the following, again
as root:
/opt/kde/bin/usekde userid
(Make sure you replace userid with an actual user id!)
More information on the K Desktop Environment can be found on the KDE web page
at http://www.kde.org/
Chapter 6. General System
Administration Issues
6.1. Root Account
The root account is the most privileged account on a Unix system. This account gives
you the ability to carry out all facets of system administration, including adding
accounts, changing user passwords, examining log files, installing software, etc.
When using this account it is crucial to be as careful as possible. The root account
has no security restrictions imposed upon it. This means it is easy to perform
administrative duties without hassle. However, the system assumes you know what you
are doing, and will do exactly what you request, no questions asked. Therefore it is
easy, with a mistyped command, to wipe out crucial system files.
When you are signed in as, or acting as root, the shell prompt displays # as the last
character (if you are using bash). This is to serve as a warning to you of the absolute
power of this account.
The rule of thumb is, never sign in as root unless absolutely necessary. While root,
type commands carefully and double-check them before pressing return. Sign off from
the root account as soon as you have accomplished the task you signed on for.
Finally, (as with any account but especially important with this one), keep the password
secure!
6.2. Creating User Accounts
(WARNING: SLACKWARE-CENTRIC. NEEDS UPDATE FOR RED HAT)
This section assumes you are using the Shadow password suite on your Linux system.
If you are not, you should consider doing so, as it helps to tighten up security
somewhat. The Shadow suite is fairly easy to install and will automatically convert
your non-shadow password file format over to the new shadow format.
There are two steps to creating a new user account. The first is to actually create the
account itself, the second is to provide an alias to their e-mail address (at my place of
employment, we follow the convention of [email protected].)
To create the account, decide on the username you are going to assign to the user. The
username is at most 8 characters long, and wherever possible you should choose their
last name, or last name and first initial if a user account already exists (the adduser
script will detect and prevent you from adding duplicate account names).
You will then be prompted to enter other information: full name of user, user group
(usually the default value), a user id # (automatically assigned), home directory
(automatically assigned), a user shell, some password expiration values, and finally the
desired password (which won't echo to the screen; you should have the user choose a
password between 6 to 8 characters in length for security reasons).
Please note that everything should be entered in lowercase, except for the full name of
the user which can be entered in a pleasing format (eg. Joe Smith) and the password.
Case is sensitive, so inform your user(s) they must use identical case when entering
their username and password.
Here is a sample session where we will add a user named Joe Smith:
mail:~# /sbin/adduser
User to add (^C to quit): smith
That name is in use, choose another.
User to add (^C to quit): smithj
Editing information for new user [smithj]
Full Name: Joe Smith
GID [100]:
Checking for an available UID after 500
First unused uid is 859
UID [859]:
Home Directory [/home/smithj]:
Shell [/bin/bash]:
Min. Password Change Days [0]:
Max. Password Change Days [30]: 90
Password Warning Days [15]:
Days after Password Expiry for Account Locking [10]: 0
Password [smithj]:</ FL1539
Retype Password:</ Fl1539
Sorry, they do not match.
Password:</> FL1539
Retype Password:</ FL1539
Information for new user [smithj]:
Name: Joe Smith
Home directory: /home/smithj
Shell: /bin/bash
Password: <hidden>
Uid: 859 Gid: 100
Min pass: 0 maX pass: 99999
Warn pass: 7 Lock account: 0
public home Directory: no
Type y if this is correct, q to cancel and quit the program,
or the letter of the item you wish to change: Y
The next step is to create the alias for the person's e-mail account. This gives people
the choice of using their account name for their e-mail address, or their full name
(First.Last combination) to make it easier for the outside world to guess their e-mail
address when trying to contact them for the first time.
To add the e-mail alias, edit the /etc/aliases file as follows:
mail# pico -w /etc/aliases
Add the new alias at the bottom of the file. The format for an alias is:
First.Lastname:username
You should ask the user what preference they have for this (eg. Joseph.Smith or
Joe.Smith). For our new Joe Smith user, the entry would be as follows:
Joe.Smith:smithj
When finished adding the alias, press <Ctrl>-<X> and save the file. Then, type
newaliases to update the aliases database.
At this point the user account has been created and is ready for use. It is a good idea to
remind the user that his username and password must be entered in lowercase
characters, and what their e-mail address would be (eg.
[email protected]).
6.3. Changing User Passwords
To change a password on behalf of a user, first sign on or su to the root account.
Then type, passwd user (where user is the username for the password you are
changing). The system will prompt you to enter a password. Passwords do not echo to
the screen when you enter them.
You can also change your own password, by typing passwd (without specifying a
username). You will be prompted to enter your old password for verification, and then
a new password.
6.4. Disabling User Accounts
To disable a user account, edit, as root, the /etc/shadow file (assuming you're using
shadow passwords; if not, edit the /etc/passwd file instead), and replace the
password (which is stored in its encrypted form) with a * asterisk character. All Unix
passwords, regardless of length (up to a maximum of 8 characters), are stored in the
password le as encrypted strings of 13 characters. Therefore, by replacing the
password with a single * character, it is impossible for the user to sign in.
Note: This method will require you to assign a new password to the user if you
re-enable the account, since the encrypted password field will have been
replaced. One solution to this which seems to be popular among system
administrators is to simply prefix the * asterisk character in front of the encrypted
password to disable the account, and remove the asterisk to enable it again.
For more information on the /etc/passwd and /etc/shadow files, see Section 6.6
below.
6.5. Removing User Accounts
On occasion, you may wish to remove a user's access from your server altogether.
If you are a Red Hat user, the easiest way to remove an unneeded user account is with
the userdel command, which must be typed as root. An example follows:
/usr/sbin/userdel baduser
The above command will remove the entry matching the username baduser from the
/etc/passwd file and, if you're using the Shadow password format (which you
should be; see Section 6.6 for details), from /etc/shadow as well.
Note: The /etc/group file is not modified, to avoid removing a group that other
user(s) may also belong to. This isn't much of a big deal, but if this bothers you,
you can edit the group file and remove the entry manually.
Should you wish to remove the user's home directory as well, add the -r option to
the userdel command. For example:
/usr/sbin/userdel -r baduser
I recommend not removing an account right away, but first simply disable it, especially
if you are working with a corporate server with lots of users. After all, the former user
may one day require the use of his or her account again, or may request a file or two
which was stored in their home directory. Or perhaps a new user (such as an employee
replacement) may require access to the former user's files. In any event, make sure you
have backups of the former user's home directory, just in case. See Section 6.4 for
details on disabling an account, and Chapter 8 for details on how to perform backups.
6.6. Linux Password & Shadow File Formats
Traditional Unix systems keep user account information, including one-way encrypted
passwords, in a text file called /etc/passwd. As this file is used by many tools (such
as ls) to display file ownerships, etc. by matching user id numbers with the users' names,
the file needs to be world-readable. Consequently, this can be somewhat of a security
risk.
Another method of storing account information, one that I always use, is with the
shadow password format. As with the traditional method, this method stores account
information in the /etc/passwd file in a compatible format. However, the password is
stored as a single x character (ie. not actually stored in this file). A second file, called
/etc/shadow, contains the encrypted password as well as other information such as
account or password expiration values, etc. The /etc/shadow file is readable only by the
root account and is therefore less of a security risk.
While some other Linux distributions force you to install the Shadow Password Suite
in order to use the shadow format, Red Hat makes it simple. To switch between the two
formats, type (as root):
/usr/sbin/pwconv (to convert to the shadow format)
/usr/sbin/pwunconv (to convert back to the traditional format)
With shadow passwords, the /etc/passwd file contains account information, and
looks like this:
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
The fields in a passwd entry are separated with : colon characters, and are as follows:
- Username, up to 8 characters. Case-sensitive, usually all lowercase.
- An x in the password field. Passwords are stored in the /etc/shadow file.
- Numeric user id. This is assigned by the adduser script. Unix uses this field, plus
  the following group field, to identify which files belong to the user.
- Numeric group id. Red Hat uses group ids in a fairly unique manner for enhanced
  file security. Usually the group id will match the user id.
- Full name of user. I'm not sure what the maximum length for this field is, but try to
  keep it reasonable (under 30 characters).
- User's home directory. Usually /home/username (eg. /home/smithj). All users'
  personal files, web pages, mail forwarding, etc. will be stored here.
- User's shell account. Often set to /bin/bash to provide access to the bash shell
  (my personal favorite shell).
Perhaps you do not wish to provide shell accounts for your users. You could create a
script file called /bin/sorrysh, for example, that would display some kind of error
message and log the user off, and then set this script as their default shell.
Note: If the account needs to provide FTP transfers to update web pages, etc.
then the shell account will need to be set to /bin/bash and then special
permissions will need to be set up in the user's home directory to prevent shell
logins. See Section 7.1 for details on this.
The /etc/shadow file contains password and account expiration information for
users, and looks like this:
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
As with the passwd file, the fields in the shadow file are also separated with : colon
characters, and are as follows:
- Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match
  to the username in the /etc/passwd file.
- Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not
  required to log in (usually a bad idea), and a * entry (eg. :*:) indicates the account
  has been disabled.
- The number of days (since January 1, 1970) since the password was last changed.
- The number of days before password may be changed (0 indicates it may be changed
  at any time).
- The number of days after which password must be changed (99999 indicates user
  can keep his or her password unchanged for many, many years).
- The number of days to warn user of an expiring password (7 for a full week).
- The number of days after password expires that account is disabled.
- The number of days since January 1, 1970 that an account has been disabled.
- A reserved field for possible future use.
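The two record formats just described, together with the asterisk-prefix locking trick from Section 6.4, are easy to check mechanically. What follows is an added example, not code from this guide: it parses constructed /etc/passwd and /etc/shadow records, locks and unlocks a hash the way the Note in Section 6.4 describes (refusing to "unlock" a bare * that carries no hash, which would otherwise leave an empty field and thus a password-less login), and reports the conditions the text calls risky: a hash left in the world-readable passwd file, an empty shadow password, and a second UID 0 account. Every sample record and function name here is constructed for the example; the smithj lines merely follow the guide's format.

```python
"""Parse and audit /etc/passwd and /etc/shadow records (added example).

Not part of the guide.  The sample records are constructed: the smithj lines
follow the guide's format, the others exist only to exercise the checks.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
oldacct:x:562:562:Former Employee:/home/oldacct:/bin/bash
nopass:x:563:563:No Password Set:/home/nopass:/bin/bash
toor:x:0:0:Second Superuser:/root:/bin/bash
legacy:Ep6mckrOLChF.:564:564:Hash Left In passwd:/home/legacy:/bin/bash
"""

SAMPLE_SHADOW = """\
root:Ep6mckrOLChF.:10063:0:99999:7:::
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
oldacct:*Ep6mckrOLChF.:10063:0:99999:7:::
nopass::10063:0:99999:7:::
toor:Ep6mckrOLChF.:10063:0:99999:7:::
"""


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x" when the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    password: str  # hash, "" (no password needed) or "*"-prefixed (disabled)
    last_change: Optional[int]  # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:  # eight colons; the ninth field is reserved
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[f[0]] = ShadowEntry(f[0], f[1], *[_opt_int(x) for x in f[2:8]])
    return entries


def is_disabled(hash_field: str) -> bool:
    """Section 6.4: a hash that is "*" or starts with "*" can never match a login."""
    return hash_field.startswith("*")


def disable_hash(hash_field: str) -> str:
    """Lock the account but keep the hash so it can be restored later."""
    return hash_field if is_disabled(hash_field) else "*" + hash_field


def enable_hash(hash_field: str) -> str:
    """Undo disable_hash.  A bare "*" carries no hash: refuse rather than
    return "", which would mean no password is required at all."""
    if hash_field == "*":
        raise ValueError("no original hash to restore; assign a new password")
    return hash_field[1:] if is_disabled(hash_field) else hash_field


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for the conditions the guide warns about."""
    findings = []
    shadow = parse_shadow(shadow_text)
    uid_owner: Dict[int, str] = {}
    for p in parse_passwd(passwd_text):
        if p.password != "x":
            findings.append((p.name, "password hash stored in world-readable /etc/passwd"))
        if p.uid == 0 and p.name != "root":
            findings.append((p.name, "additional UID 0 account"))
        elif p.uid in uid_owner:
            findings.append((p.name, f"UID {p.uid} shared with {uid_owner[p.uid]}"))
        uid_owner.setdefault(p.uid, p.name)
        s = shadow.get(p.name)
        if s is None:
            continue
        if s.password == "":
            findings.append((p.name, "empty password field: no password required to log in"))
        elif is_disabled(s.password):
            findings.append((p.name, "account disabled"))
    return findings
```

Pointing audit() at a live system is a matter of reading /etc/passwd and /etc/shadow as root; the helpers only transform text, so writing a modified hash back (after taking a backup) is deliberately left to the caller.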
6.7. System Shutdown and Restart
To shut down the system from a terminal session, sign in or su to the root account.
Then type /sbin/shutdown -r now. It may take several moments for all
processes to be terminated, and then Linux will shut down. The computer will reboot
itself. If you are in front of the console, a faster alternative to this is to press
<Ctrl>-<Alt>-<Del> to shut down. Please be patient as it may take a couple of
minutes for Linux to terminate.
You can also shut down the system to a halt (ie. it will shut down and not reboot the
system). The system will be unavailable until power-cycled or rebooted with
<Ctrl>-<Alt>-<Del>. This can be useful if you need to power down the system and
move it to a different location, for example. To do this, type /sbin/shutdown -h
now when signed into or su'd to the root account. Linux will shut itself down, then
display the message System halted. At this point you can power down the computer.
It is probably a good idea to only shut down the system when you are at the console.
Although you can shut it down remotely via a shell session, if anything goes wrong and
the system does not restart properly, the system will be unavailable until action is taken
at the system unit. (I haven't experienced any problems doing this myself, however).
Upon system bootup, Linux will start automatically, and load all necessary services
including networking support, and Internet services.
Tip: If you wish to provide some kind of warning to any online users (online
meaning logged in to shell accounts), you can substitute a time value instead of
the now keyword. You can also customize the shutdown warning message. For
example, /sbin/shutdown -r +5 Hardware upgrade would inform users that
the system was about to shutdown for the given reason. They are then given
periodic warnings that they should close les and log off before the big moment
arrives.
Chapter 7. Custom Conguration and
Administration Issues
For both personal use as well as at work, I was able to start with a standard installation
of the Red Hat Linux distribution and provide services out-of-the-box with little or
no changes to default configuration settings.
However, there were a number of small changes and extra services that were necessary
to provide all the Internet, file & print services, and other services that are in use at my
place of employment. The local administrator should be aware of the following:
- The /etc/rc.d/rc.local file is executed upon system start-up and contains any
  extra services you have added to your server that should be executed upon bootup.
- Look in /etc for any site-specific changes that may be required. These may include:
  - /etc/inetd.conf (you should ensure unnecessary services were disabled such
    as finger, echo, chargen; as well as add or change any services you may need)
  - /etc/exports (contains a list of hosts allowed to mount NFS volumes; see
    Section 7.6 for details)
  - /etc/organization, /etc/nntpserver, /etc/NNTP_INEWS_DOMAIN (set as
    appropriate)
  - /etc/lilo.conf (contains information for the LILO boot loader, the process
    which loads the Linux kernel upon bootup; see Section 4.8 for details)
  - /etc/sudoers (a list of users who should be given special privileges, along with
    the commands they are allowed to execute)
  - /etc/named.boot (for DNS use; see Section 7.2 for details)
- Anything in /usr/local/ (and subdirectories) are extra packages or modifications
  to existing ones that you have installed here, if you have installed from things like
  tarballs instead of using RPM. (Or at least, you should have installed them here.)
  These files, particularly in /usr/local/src/, should be kept up-to-date. See Chapter 10
  for details.
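As an added example (not from the guide), the following Python reads an inetd.conf in the classic seven-column format, lists the services inetd would actually start, flags the three the /etc/inetd.conf item above names as unnecessary (finger, echo, chargen), and comments them out the way an administrator would by hand. The configuration text, the service tuple and the function names are constructed for this example.

```python
"""Report enabled inetd services and flag the ones this guide says to disable.

Added example, not part of the guide.  The inetd.conf text is constructed.
"""
from typing import List, NamedTuple, Sequence, Tuple

# Constructed sample in the classic inetd.conf layout:
# service  socket_type  protocol  wait/nowait  user  server_program  arguments
SAMPLE_INETD_CONF = """\
# Constructed sample /etc/inetd.conf (not from a real system)
#echo    stream  tcp  nowait  root    internal
echo     dgram   udp  wait    root    internal
chargen  stream  tcp  nowait  root    internal
daytime  stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
"""

# The services the guide singles out as unnecessary on a server.
UNNEEDED = ("finger", "echo", "chargen")


class Service(NamedTuple):
    name: str
    socket_type: str
    protocol: str
    user: str
    server: str


def parse_inetd(text: str) -> List[Service]:
    """Return the services inetd would actually start (comment lines skipped)."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        services.append(Service(fields[0], fields[1], fields[2], fields[4], fields[5]))
    return services


def unneeded_enabled(text: str, unneeded: Sequence[str] = UNNEEDED) -> List[Tuple[str, str]]:
    """Sorted (service, protocol) pairs that are enabled but should not be."""
    return sorted((s.name, s.protocol) for s in parse_inetd(text) if s.name in unneeded)


def disable_service(text: str, name: str) -> str:
    """Comment out every active line for `name`, as an admin would by hand.

    Returns the rewritten file text; inetd still has to be sent a HUP (or
    restarted) before the change takes effect.
    """
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not raw.lstrip().startswith("#") and fields[0] == name:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Note that a service is only disabled if every active line for it is commented out: the sample deliberately carries a commented tcp echo line next to a live udp one, and the check reports the live one.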
7.1. Web Server and HTTP Caching Proxy
Administration
(WARNING: DISREGARD THIS SECTION!)
1. Create an Internet user as per normal. The shell account should be /bin/bash
(as FTP requires a valid shell).
2. cd /home ; chown root.root theuser This makes theuser's directory
belong to root, for security reasons.
3. cd /home/theuser ; mkdir www ; chown theuser.theuser www This
creates their www directory, and sets ownership so they can read/write to it.
4. echo "exit" > .profile This creates a .profile file with the single line
exit in it. If the user tries to log in via telnet, they will get disconnected
immediately.
5. Do an ls -l and make sure there are only 2 files in the directory (not including
.. and .):
.profile (owned by root.root)
www (owned by theuser.theuser)
All other files can be deleted (eg. rm .less ; rm .lessrc)
6. If the user needs to have e-mail forwarding enabled you could create a .forward file
which simply has the proper e-mail as the first and only line in the file.
That's it. The user can use FTP to update the pages.
7.2. Domain Name Server (DNS) Configuration and Administration
At my place of employment, we are using Linux as a DNS server. It performs
exceptionally well. This section will address configuration of DNS tables for these
services using the BIND 8.x package which comes standard with the Red Hat
distribution.
Note: Red Hat versions 5.1 and earlier used the BIND 4.x package, which used a
slightly different format for its configuration file. BIND 8.x offers more functionality
over that offered by BIND 4.x, and as 4.x is no longer being developed, you should
probably consider upgrading your BIND package to the latest version. Simply
install the BIND RPM package (see Section 10.1 for details on using the RPM
utility), then convert your configuration file to the new format.
Fortunately, converting your existing BIND 4.x configuration file to be compliant
with BIND 8.x is easy! In the documentation directory provided as part of BIND
(for example, /usr/doc/bind-8.1.2/ for BIND version 8.1.2), there exists a
file called named-bootconf.pl, which is an executable Perl program. Assuming
you have Perl installed on your system, you can use this program to convert your
configuration file. To do so, type the following commands (as root):
cd /usr/doc/bind-8.1.2
./named-bootconf.pl < /etc/named.boot > /etc/named.conf
mv /etc/named.boot /etc/named.boot-obsolete
You should now have an /etc/named.conf file which should work with BIND
8.x out-of-the-box. Your existing DNS tables will work as-is with the new
version of BIND, as the format of the tables remains the same.
Configuration of DNS services under Linux involves the following steps:
1. To enable DNS services, the /etc/host.conf file should look like this:
# Lookup names via /etc/hosts first, then by DNS query
order hosts, bind
# We don't have machines with multiple addresses
multi on
# Check for IP address spoofing
nospoof on
# Warn us if someone attempts to spoof
alert on
The extra spoof detection adds a bit of a performance hit to DNS lookups
(although negligible), so if you're not too worried about this you may wish to
disable the nospoof and alert entries.
2. Configure the /etc/hosts file as needed. Typically there doesn't need to be
much in here, but for improved performance you can add any hosts you access
often (such as local servers) to avoid performing DNS lookups on them.
3. The /etc/named.conf file should be configured to point to your DNS tables
according to the example below.
(Note: IP addresses shown are examples only and must be replaced with
your own class addresses!):
options {
        // DNS tables are located in the /var/named directory
        directory "/var/named";
        // Forward any unresolved requests to our ISP's name server
        // (this is an example IP address only - do not use!)
        forwarders {
                123.12.40.17;
        };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
// Enable caching and load root server info from /var/named/named.root
zone "." {
        type hint;
        file "named.root";
};
// All our DNS information is stored in /var/named/mydomain_name.db
// (eg. if mydomain.name = foobar.com then use foobar_com.db)
zone "mydomain.name" {
        type master;
        file "mydomain_name.db";
        allow-transfer { 123.12.41.40; };
};
// Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class Cs
// (these are example Class Cs only - do not use!)
zone "12.123.IN-ADDR.ARPA" {
        type master;
        file "123_12.rev";
        allow-transfer { 123.12.41.40; };
};
// Reverse lookups for 126.27.18.*, .19.*, .20.* class Cs
// (these are example Class Cs only - do not use!)
zone "27.126.IN-ADDR.ARPA" {
        type master;
        file "126_27.rev";
        allow-transfer { 123.12.41.40; };
};
Tip: Make note of the allow-transfer options above, which restrict DNS
zone transfers to a given IP address. In our example, we are allowing the host
at 123.12.41.40 (probably a slave DNS server in our domain) to request zone
transfers. If you omit this option, anyone on the Internet will be able to request
such transfers. As the information provided is often used by spammers and IP
spoofers, I strongly recommend you restrict zone transfers except to your
slave DNS server(s), or use the loopback address, 127.0.0.1 instead.
4. Now you can set up your DNS tables in the /var/named/ directory as configured
in the /etc/named.conf file in step three. Configuring DNS database files for
the first time is a major undertaking, and is beyond the scope of this document.
There are several guides, online and in printed form that should be referred to.
However, several examples are provided below.
Sample entries in the /var/named/mydomain_name.db forward lookup file:
; This is the Start of Authority (SOA) record. Contains contact
; & other information about the name server. The serial number
; must be changed whenever the file is updated (to inform secondary
; servers that zone information has changed).
@       IN  SOA   mydomain.name. postmaster.mydomain.name. (
                  19990811   ; Serial number
                  3600       ; 1 hour refresh
                  300        ; 5 minutes retry
                  172800     ; 2 days expiry
                  43200 )    ; 12 hours minimum
; List the name servers in use. Unresolved (entries in other zones)
; will go to our ISP's name server isp.domain.name.com
        IN  NS    mydomain.name.
        IN  NS    isp.domain.name.com.
; This is the mail-exchanger. You can list more than one (if
; applicable), with the integer field indicating priority (lowest
; being a higher priority)
        IN  MX    10 mail.mydomain.name.
; Provides optional information on the machine type & operating system
; used for the server
        IN  HINFO Pentium/350 LINUX
; A list of machine names & addresses
spock.mydomain.name.    IN  A   123.12.41.40    ; OpenVMS Alpha
mail.mydomain.name.     IN  A   123.12.41.41    ; Linux (main server)
kirk.mydomain.name.     IN  A   123.12.41.42    ; Windows NT (blech!)
; Including any in our other class Cs
twixel.mydomain.name.   IN  A   126.27.18.161   ; Linux test machine
foxone.mydomain.name.   IN  A   126.27.18.162   ; Linux devel. kernel
; Alias (canonical) names
gopher  IN  CNAME mail.mydomain.name.
ftp     IN  CNAME mail.mydomain.name.
www     IN  CNAME mail.mydomain.name.
Sample entries in the /var/named/123_12.rev reverse lookup file:
; This is the Start of Authority record. Same as in forward lookup table.
@       IN  SOA   mydomain.name. postmaster.mydomain.name. (
                  19990811   ; Serial number
                  3600       ; 1 hour refresh
                  300        ; 5 minutes retry
                  172800     ; 2 days expiry
                  43200 )    ; 12 hours minimum
; Name servers listed as in forward lookup table
        IN  NS    mail.mydomain.name.
        IN  NS    isp.domain.name.com.
; A list of machine names & addresses, in reverse. We are mapping
; more than one class C here, so we need to list the class B portion
; as well.
40.41   IN  PTR   spock.mydomain.name.
41.41   IN  PTR   mail.mydomain.name.
42.41   IN  PTR   kirk.mydomain.name.
; As you can see, we can map our other class Cs as long as they are
; under the 123.12.* class B addresses
24.42   IN  PTR   tsingtao.mydomain.name.
250.42  IN  PTR   redstripe.mydomain.name.
24.43   IN  PTR   kirin.mydomain.name.
66.44   IN  PTR   sapporo.mydomain.name.
; No alias (canonical) names should be listed in the reverse lookup
; file (for obvious reasons).
Any other reverse lookup files needed to map addresses in a different class B (such
as 126.27.*) can be created, and would look much the same as the example reverse
lookup file above.
5. Make sure the named daemon is running. This daemon is usually started from the
/etc/rc.d/init.d/named file upon system boot. You can also start and stop the
daemon manually; type named start and named stop, respectively.
6. Whenever changes are made to the DNS tables, the DNS server should be restarted
by typing /etc/rc.d/init.d/named restart. You may then wish to test
your changes by using a tool such as nslookup to query the machine you have
added or changed.
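The forward and reverse files above have to agree with each other, and a restart followed by an nslookup only tests the names you remember to query. The following Python script is an added example (not part of this guide) that parses master-file records and reports A records inside the reverse zone's address range that have no PTR, PTRs whose name has no matching A record, and CNAMEs that point at names absent from the zone. The two zone fragments are constructed from the guide's sample records, shortened and without the SOA and NS records, with three deliberate faults added so the checks have something to find: kirk has no PTR, the PTR for sapporo has no A record, and the alias "oops" is dangling.

```python
"""Cross-check a forward zone against its reverse zone.

Added example, not part of the LAME guide. The two zone fragments below
are constructed from the guide's sample records (shortened, SOA/NS left
out) with three deliberate faults: kirk has no PTR, the PTR for sapporo
has no A record, and the CNAME 'oops' points at a name that does not exist.
"""
import ipaddress

FORWARD_ZONE = """\
$ORIGIN mydomain.name.
spock.mydomain.name.   IN A     123.12.41.40    ; OpenVMS Alpha
mail.mydomain.name.    IN A     123.12.41.41    ; Linux (main server)
kirk.mydomain.name.    IN A     123.12.41.42    ; no PTR below (fault)
twixel.mydomain.name.  IN A     126.27.18.161   ; other class B, not checked here
gopher                 IN CNAME mail.mydomain.name.
www                    IN CNAME mail.mydomain.name.
oops                   IN CNAME nosuchhost.mydomain.name.  ; dangling (fault)
"""

REVERSE_ZONE = """\
$ORIGIN 12.123.in-addr.arpa.
40.41   IN PTR spock.mydomain.name.
41.41   IN PTR mail.mydomain.name.
66.44   IN PTR sapporo.mydomain.name.   ; no A record above (fault)
"""


def _absolute(name, origin):
    """Return NAME as an absolute, lower-cased domain name (trailing dot)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse master-file lines into (origin, [(owner, type, rdata), ...]).

    Handles $ORIGIN, ';' comments, an optional IN class, relative names and
    blank-owner continuation lines; multi-line SOA records are not needed."""
    origin, last_owner, records = ".", ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        tokens = line.split()
        if line[0].isspace():            # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = _absolute(tokens.pop(0), origin)
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype in ("CNAME", "PTR", "NS", "MX"):
            rdata = _absolute(rdata.split()[-1], origin)  # last field is the name
        records.append((owner, rtype, rdata))
    return origin, records


def ptr_to_ip(owner):
    """'40.41.12.123.in-addr.arpa.' -> '123.12.41.40'."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:-2]))


def reverse_network(origin):
    """'12.123.in-addr.arpa.' -> the 123.12.0.0/16 network that zone covers."""
    octets = list(reversed(origin.rstrip(".").split(".")[:-2]))
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{prefix}")


def check_zones(forward_text, reverse_text):
    """Report A records without a PTR (inside the reverse zone's range),
    PTRs without a matching A, and CNAMEs whose target is not in the zone."""
    _, fwd = parse_zone(forward_text)
    rev_origin, rev = parse_zone(reverse_text)
    net = reverse_network(rev_origin)
    a_pairs = {(o, r) for o, t, r in fwd if t == "A"}
    fwd_names = {o for o, _, _ in fwd}
    ptr_pairs = {(r, ptr_to_ip(o)) for o, t, r in rev if t == "PTR"}
    return {
        "a_without_ptr": sorted(p for p in a_pairs
                                if ipaddress.ip_address(p[1]) in net
                                and p not in ptr_pairs),
        "ptr_without_a": sorted(p for p in ptr_pairs if p not in a_pairs),
        "dangling_cname": sorted((o, r) for o, t, r in fwd
                                 if t == "CNAME" and r not in fwd_names),
    }


if __name__ == "__main__":
    for kind, items in check_zones(FORWARD_ZONE, REVERSE_ZONE).items():
        for name, target in items:
            print(f"{kind}: {name} -> {target}")
```

A records in the 126.27.* block are skipped on purpose: the reverse zone's $ORIGIN is 12.123.in-addr.arpa., so only 123.12.0.0/16 can be checked against it, and addresses in another class B need their own reverse file, as the text above says.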
More information on configuring DNS services can be found in the DNS-HOWTO
guide at http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html.
7.3. Internet User Authentication with TACACS
At my place of employment, for TACACS authentication of dial-up Internet users (who
are connecting to our modem pool, which is in turn connected to a couple of Cisco
250x access servers), we are using the Vikas version of xtacacsd.
After compiling and installing the Vikas package (latest versions are available from
ftp://ftp.navya.com/pub/vikas; I don't believe the package is available in RPM format),
you should add the following entry to the /etc/inetd.conf file so that the daemon
will be loaded by the inetd daemon whenever a TACACS request is received:
# TACACS is a user authentication protocol used for Cisco Router products.
tacacs  dgram  udp  wait  root  /etc/xtacacsd  xtacacsd -c /etc/xtacacsd-conf
Next, you should edit the /etc/xtacacsd-conf file and customize it, as necessary,
for your system (however, you will probably be able to use the default settings as-is).
Note: If you are using shadow passwords (see Section 6.6 for details), you will
have some problems with this package. Unfortunately, PAM (Pluggable
Authentication Module), which Red Hat uses for user authentication, is not
supported by this package. One workaround that I use is to keep a separate
passwd file in /usr/local/xtacacs/etc/ which matches the one in /etc/ but is
non-shadowed. This is a bit of a hassle, and if you choose to do this make sure
you set permissions on the other password file so that it is only readable by
root:
chmod a-wr,u+r /usr/local/xtacacs/etc/passwd
If you do indeed use shadow, you will most certainly need to edit the
/etc/xtacacsd-conf file and set the location of the non-shadowed password file (assuming
you are using the workaround I have suggested above).
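Since the non-shadowed copy carries every user's password hash, the risky moment is the window between creating the file and running the chmod. The following Python script is an added example (not the guide's or xtacacsd's code) of one way to produce that copy safely: it merges the hash field from a shadow-format file back into passwd format, creates the file with mode 0400 from the first instant (the same result as chmod a-wr,u+r above) and then checks that no group or other bits are set. The passwd and shadow lines are constructed samples, the hash fields are placeholders, and the output goes to a fresh temporary directory, so it runs without touching /etc or /usr/local/xtacacs.

```python
"""Generate the non-shadowed passwd copy xtacacsd needs, locked to its owner.

Added example; not the guide's or xtacacsd's code. The passwd and shadow
lines are constructed samples and the hash fields are placeholders.
"""
import os
import stat
import tempfile

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smithj:x:500:500:John Smith:/home/smithj:/bin/bash
guest:x:501:501:Guest account:/home/guest:/bin/false
"""

SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$rootHashGoesHere:10865:0:99999:7:::
smithj:$1$PLACEHOLDER$smithjHashGoesHere:10865:0:99999:7:::
guest:*:10865:0:99999:7:::
"""


def merge_shadow(passwd_text, shadow_text):
    """Return passwd(5)-format text with each 'x' replaced by the shadow hash.

    Users with no shadow entry get '*', so they cannot authenticate at all."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hashval = line.split(":", 2)[:2]
            hashes[name] = hashval
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        fields[1] = hashes.get(fields[0], "*")
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def write_owner_readonly(path, text):
    """Write TEXT to PATH so that nobody but the owner can ever read it.

    The file is created with mode 0400 at open time (umask can only clear
    bits from that, never add any) and then moved into place atomically."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o400)          # make the mode exactly 0400 whatever umask did
    os.replace(tmp, path)
    return path


def is_owner_only(path):
    """True when no group or other permission bits are set on PATH."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def read_back(path):
    with open(path) as fh:
        return fh.read()


def build_copy(directory=None):
    """Write the merged file into DIRECTORY (a fresh temp dir by default)."""
    directory = directory or tempfile.mkdtemp(prefix="xtacacs-etc-")
    return write_owner_readonly(os.path.join(directory, "passwd"),
                                merge_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW))


if __name__ == "__main__":
    copy = build_copy()
    print(copy, "owner-only:", is_owner_only(copy))
```

Re-run the script whenever a password changes in /etc/shadow, otherwise the copy drifts from the real accounts; the is_owner_only check is cheap enough to run from the same cron job.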
The next step is to configure your access server(s) to authenticate logins for the desired
devices (such as dial-up modems) with TACACS. Here is a sample session on how this
is done:
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
xyzrouter(config)# tacacs-server attempts 3
xyzrouter(config)# tacacs-server authenticate connections
xyzrouter(config)# tacacs-server extended
xyzrouter(config)# tacacs-server host 123.12.41.41
xyzrouter(config)# tacacs-server notify connections
xyzrouter(config)# tacacs-server notify enable
xyzrouter(config)# tacacs-server notify logouts
xyzrouter(config)# tacacs-server notify slip
xyzrouter(config)# line 2 10
xyzrouter(config-line)# login tacacs
xyzrouter(config-line)# exit
xyzrouter(config)# exit
xyzrouter# write
Building configuration...
[OK]
xyzrouter# exit
Connection closed by foreign host.
All TACACS activity log messages will be recorded in /var/log/messages for your
perusal.
7.4. Windows-style File and Print Services with Samba
Linux can provide SMB services (eg. WfW, Win95, and NT-style network file &
printer sharing), using the Samba package. This section will describe how to configure
shares, and how to access them from client machines.
The Samba package is included with the Red Hat distribution; you can check if it is
installed and what version you have by typing:
rpm -q samba
If it isn't installed, you will need to install it using the RPM utility. See Section 10.1 for
details on how to do this.
The most important Samba files you should concern yourself with are:
/etc/smb.conf
Samba configuration file where shares and other configuration parameters are set
up (see below)
/var/log/samba/
Location of Samba log files
/home/samba/
Suggested location where file shares should be set up. However, you should
choose a location where you have enough space on the file system to accommodate
the files you will store. Personally, I usually set up a large partition mounted on
/archive/ and place my shares here.
The file /etc/smb.conf contains configuration information on file & print shares.
The first few lines of the file contain global configuration directives, which are common
to all shares (unless they are over-ridden on a per-share basis), followed by share
sections.
The Samba installation includes a default smb.conf file which in many cases should be
adequate for your needs and require only a few changes.
Here is an example of this file (which I have heavily customized to show you some of
the more important and interesting options):
# Items common to all shares (unless over-ridden on a per-share basis)
[global]
# Number of minutes of inactivity before client is disconnected
# to avoid consuming resources. Most clients will automatically
# reconnect so this is a good idea to enable.
dead time = 10
# Don't let users connect as root, just-in-case. :-)
invalid users = root
# Specify the account for guest shares (shares that don't require
# a password to connect to). This username must be a valid user
# in the /etc/passwd file.
guest account = guest
# Specify where log files should be written to. The %m suffix
# means that log files will be created in the format
# log.machine-name (eg. log.twixel)
log file = /usr/local/samba/logs/log.%m
# Maximum size of log file, in Kilobytes.
max log size = 1000
# Password level 3 means that case is not an issue when entering
# passwords. A little less secure than level 1 or 2 would be,
# but seems to be a fair compromise for user convenience.
password level = 3
# Specify that all shares should appear in the browse list
# (override any you don't want on a per-share basis).
browseable = yes
# If this is enabled, you can see active connections using the
# smbstatus command.
status = yes
# The level of debugging information that is recorded in the log
# files. Higher values generate more information (which is
# probably not very useful, most of the time).
debug level = 2
# This will send any Windows-style POPUP messages received on
# the server to the postmaster by e-mail. Not very useful, but
# an interesting demonstration of what can be accomplished.
message command = /bin/mail -s 'Message from %f on %m' postmaster < %s; rm %s &
# This is a form of caching that, when enabled, may improve
# performance when reading files.
read prediction = true
# A list of services that should be added automatically to the
# browse-list.
auto services = cdrom
# The location of your printcap file, a text file containing
# definitions for your printers.
printcap name = /etc/printcap
# If enabled all printers in the /etc/printcap file will be
# loaded into the browse-list.
load printers = yes
# The print command by which data is spooled to a printer under Linux.
print command = lpr -r -P%p %s
# The print command by which job queue information (printer status)
# can be obtained.
lpq command = lpq -P%p
# The print command by which unwanted print jobs can be deleted
# from the queue.
lprm command = lprm -P%p %j
# The level at which Samba advertises itself for browse elections.
# Currently set to a high value to give it an even foothold with
# any swarmy NT servers on the network. :-)
os level = 34

# These are users' personal shares. If the client's username matches on the
# server, they can access their home directory (provided they enter the
# correct password).
[homes]
# The comments appear in the browse list.
comment = Home Directories
# This matches the username of the client to that of the share.
# If they do not match, no share will be displayed in the browse
# list, or available to connect to.
user = %S
# The path to the share. For example, smithj would map to
# /home/smithj
path = /home/%S
# If enabled, allow read/write access to the shares.
writeable = yes
# Just an inverted synonym for writeable. We don't *really* need
# to use both. :-)
read only = no
# Keep this disabled so that a password is required to access these
# shares.
public = no
# We don't want this share (after all, it is private) to appear in
# the browse-list of other users.
browseable = no

# This is a publicly available print share, called hp_laser. It appears
# on the browse lists and can be accessed without a password by any client.
[hp_laser]
# The comment that appears in the browse-list.
comment = Main office printer (HP Laserjet 400)
# The username that this share is accessed as (guest means all users).
user = guest
# All generated print files will first be created in the /tmp
# directory.
path = /tmp
# Do not allow file creation except through print spooling.
writeable = no
# Set permissions accordingly - root access to print jobs only.
create mode = 0700
# If this is enabled a password is not required to access the share.
public = yes
# This should be enabled to indicate that this is a printer share.
printable = yes

# Here is a service providing access to the CD-ROM device.
[cdrom]
comment = Shared CD-ROM drive on Linux
user = guest
path = /cdrom
writeable = no
read only = true
browseable = yes
public = yes
guest ok = yes
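With synonyms such as public/guest ok and the inverted read only/writeable pair, and with [global] values acting as defaults for every share, it is easy to misjudge what a share actually permits. The following Python script is an added example (not the guide's or Samba's code): it parses an smb.conf, folds the synonyms onto one canonical name, applies the global defaults to each share, and reports any share that unauthenticated guests could write to, plus whether root is kept out by invalid users. The configuration it checks is a constructed, shortened version of the file above with one deliberately weak share ([dropbox], writable by guests) added so that the audit has something to find.

```python
"""Work out what each Samba share really allows and flag weak combinations.

Added example; not the guide's or Samba's code. The smb.conf text is a
constructed, shortened version of the guide's file with one deliberately
weak share ([dropbox]) added.
"""

SAMPLE_SMB_CONF = """\
[global]
   invalid users = root
   guest account = guest
   browseable = yes
   message command = /bin/mail -s 'Message from %f on %m' postmaster < %s; rm %s &

# users' home directories: password required, hidden from browse lists
[homes]
   user = %S
   path = /home/%S
   writeable = yes
   read only = no
   public = no
   browseable = no

[hp_laser]
   path = /tmp
   writeable = no
   public = yes
   printable = yes

[cdrom]
   path = /cdrom
   writeable = no
   read only = true
   public = yes
   guest ok = yes

; constructed weak share: anyone can drop and modify files here
[dropbox]
   path = /archive/dropbox
   guest ok = yes
   writable = yes
"""

# Samba parameter synonyms, mapped onto one canonical name.
SYNONYMS = {"guest ok": "public", "writable": "writeable", "write ok": "writeable",
            "browsable": "browseable"}
INVERTED = {"read only": "writeable"}      # "read only = no" means writeable = yes
TRUE_VALUES = {"yes", "true", "1"}


def _canonical(key, value):
    """Map a (key, value) pair onto the canonical parameter name and value."""
    key = " ".join(key.lower().split())
    if key in INVERTED:
        return INVERTED[key], ("no" if value.lower() in TRUE_VALUES else "yes")
    return SYNONYMS.get(key, key), value


def parse_smb_conf(text):
    """Return {section: {param: value}} with synonyms resolved; later lines win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # only whole-line comments in smb.conf
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            key, value = _canonical(key.strip(), value.strip())
            sections[current][key] = value
    return sections


def effective_shares(sections):
    """Service parameters set in [global] are the defaults for every share."""
    defaults = sections.get("global", {})
    return {name: {**defaults, **params}
            for name, params in sections.items() if name != "global"}


def is_true(value):
    return str(value).strip().lower() in TRUE_VALUES


def audit_smb_conf(text):
    """Return (effective shares, list of findings)."""
    sections = parse_smb_conf(text)
    shares = effective_shares(sections)
    findings = []
    for name, p in sorted(shares.items()):
        guest = is_true(p.get("public", "no"))
        writeable = is_true(p.get("writeable", "no"))
        if guest and writeable and not is_true(p.get("printable", "no")):
            findings.append(f"[{name}] is writeable by unauthenticated guests")
    denied = sections.get("global", {}).get("invalid users", "").replace(",", " ").split()
    if "root" not in denied:
        findings.append("[global] does not list root under 'invalid users'")
    return shares, findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF)[1]:
        print(finding)
```

Print shares are exempted from the guest-write finding because spooling needs to create files in the share's path; everything else that is both public and writeable is reported.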
Tip: Recent versions of Samba, from 2.0 onwards, provide a very slick
web-based configuration utility called swat, which makes the process much
more user-friendly. The utility listens on TCP port 901 of your server, so to use the
utility just point your favourite web browser as follows:
mydomain.name:901
(Of course, in order to use the SWAT utility you will need to have a web server
running, such as Apache. See Section 7.1 for details.)
The latest Samba versions also add considerable features in comparison with versions
prior to 2.0. It is worth taking the time to upgrade this package.
A client must have a TCP/IP network stack running in order to connect to shares.
Further, for browsing to work, the TCP/IP protocol must be bound to NETBEUI. Under
Windows 95 this can be configured from the Network icon from within the Control
Panel.
Assuming the client has been configured properly, you should see the server shares
appear in their Network Neighborhood (or equivalent browsing scheme if you are not
using Windows 95/NT). You can then map network drives from the network
neighborhood, or type in an absolute path to the share (eg. \\mail\cdrom). If the
shared service requires a password to be entered, you will be prompted for one.
More information on Samba can be obtained from the Samba Home Page at
http://samba.anu.edu.au/samba/.
7.5. Macintosh-style File and Print Services with Netatalk
Linux can also provide Appleshare services (eg. Macintosh-style network file & printer
sharing), using the Netatalk package. This section will describe how to configure
shares, and how to access them from client machines.
In order to use Netatalk, you will need to have Appletalk networking support in your
Linux kernel. Stock kernels from Red Hat usually already include this support as a
module, or you can compile your own custom kernel with such support.
Note: Make sure Appletalk support is compiled in as a module and not included
as part of the kernel (see Section 10.4 for details on how to upgrade or customize
the Linux kernel). Otherwise you will have difficulties when stopping and then
restarting the Netatalk daemon.
Once you have ensured your kernel is capable of supporting Appletalk, you will need
to install the Netatalk package. Because Netatalk is not included with the Red Hat
distribution, you will have to download and install a copy. The Netatalk package can be
found on Red Hat's contrib site, at ftp://ftp.redhat.com/contrib/libc6/i386/.
After Netatalk has been installed, you may need to modify one or more configuration
files in /etc/atalk/. Most of the files contain sample configuration examples, and
therefore are at least somewhat self-documenting. The files are:
config
This file contains configuration information for tuning your Netatalk daemon. This
information is specified in environment variables, and this file is sourced (ie.
read) by the Netatalk start up script before the service is started. You can specify
the number of simultaneous connections, whether or not guest logins are allowed,
etc. You will almost certainly want to modify this file according to your needs.
atalk.conf
This file contains information on which network interface to use, as well as your
Appletalk routing, name registration, and other related information. You will
likely not need to modify this file; the required network information is detected
and added to this file the first time you start the Netatalk server. However, you
may wish to add your server name.
Note: Type man atalkd for more information on this file.
afpd.conf
This file allows you to specify additional parameters which are passed to Netatalk
by means of command-line options. You can specify which port or IP address you
wish to run the Netatalk server on, add a login message that is displayed to
connecting users, as well as other related options. You will likely not need to
modify this file.
Note: Type man afpd for more information on this file.
papd.conf
This file contains configuration information for enabling Mac users to print to
network printer shares. I haven't played with this yet, so unfortunately I can't
offer any advice on it.
Note: Type man papd for more information on this file.
AppleVolumes.default
This file lists the available file shares that a Mac user will see after logging in. To
enable a share, enter the path to the file directory, followed by a textual description
of it. For example:
~ "Home"
/archive/busdept "Business Department Common Files"
(The above will provide two shares to connecting Mac users: their home directory,
as well as a shared area for the business department.)
Tip: A neat trick here is to set up shares with the same file paths under
Samba, which would provide your users with platform-independent file
shares for both your Mac as well as your Windows users. See Section 7.4 for
details on using Samba.
AppleVolumes.system
This file also lists file shares just like AppleVolumes.default does, the
difference being that these shares will be made available to all users, regardless of
whether or not they log in. This file also contains file-type mappings. You will
likely not need to modify this file unless you want to add general shares available
to anyone; this is probably a bad idea for most people.
Once everything has been set up with appropriate configuration information, you can
start the Netatalk services manually by typing:
/etc/rc.d/init.d/atalk start
(The services should start up automatically at system boot.)
More information on Netatalk can be obtained from the Netatalk Home Page at
http://www.umich.edu/~rsug/netatalk/. In addition, very helpful configuration
information is available in the Linux Netatalk HOWTO, available at
http://thehamptons.com/anders/netatalk/.
7.6. Network File System (NFS) Services
Linux can act as both client and server for file systems shared using the Network File
System (NFS) protocol, which is the de facto standard for providing file system mounts
among Unix systems.
Note: Please be aware that having an NFS service available on your system can
be a security risk. Personally, I don't recommend using it.
In order to use NFS, you will need to ensure that NFS support has been included in
your kernel or kernel modules. See Section 10.4 for details on how to upgrade or
customize the Linux kernel.
NFS shares are configured by modifying the /etc/exports file. Here are some
example entries, showing some of the options available:
/archive     spock.mydomain.name(ro)
/archive2    spock.mydomain.name(ro)
/mnt/cdrom   other.domain(ro)
/archive2    10.23.14.8(ro,insecure)
The first couple of lines allow the host spock.mydomain.name access to both the
/archive as well as the /archive2 directories via NFS. These shares are made
available read-only with the (ro) option. For security reasons, it is a good idea to do
this for all of your NFS shares if at all possible.
The third line will allow any host in the domain.name domain name space to access
the CD-ROM drive. Of course, it is necessary to mount the CD-ROM device to
/mnt/cdrom first.
Note: Using the (ro) option to mark this device read-only may seem a bit
redundant, however doing so will prevent a miscreant from writing to a real file
system should the CD-ROM device not be mounted.
After you have made changes to the /etc/exports file, you will need to restart the
NFS daemon. To do so, type:
/etc/rc.d/init.d/nfs restart
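The advice to export read-only wherever possible is easy to check mechanically before the daemon is restarted. The following Python script is an added example (not the guide's or nfs-utils' code) that parses /etc/exports syntax and reports every client granted rw, every use of insecure (which lets the client connect from a non-reserved source port), every wildcard client, and every entry that says neither ro nor rw, so that the export depends on the server's default rather than on what you wrote. A hardened() rewrite shows the same entries with ro made explicit and insecure dropped. The sample file is constructed from the guide's four entries plus two weak ones; its domain-wide grant is written as *.domain.name, the exports(5) wildcard form, and a line with no client at all is treated as * because that is how exportfs reads it.

```python
"""Audit /etc/exports entries for the things the guide warns about.

Added example; not the guide's or nfs-utils' code. The sample exports file
is constructed: the guide's four entries, with its domain-wide grant written
as the exports(5) wildcard *.domain.name, plus two weak entries.
"""
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/archive      spock.mydomain.name(ro)
/archive2     spock.mydomain.name(ro)
/mnt/cdrom    *.domain.name(ro)
/archive2     10.23.14.8(ro,insecure)
/home         *(rw)
/archive3     kirk.mydomain.name
"""

# client[(option,option,...)]: the option list is optional
CLIENT_RE = re.compile(r"^(\S+?)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return [(path, client, {options})] in file order.

    A line with no client at all is exported to '*', which is what exportfs
    does (with a warning) when the client field is missing."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:
            match = CLIENT_RE.match(client)
            if not match:
                raise ValueError(f"cannot parse client spec {client!r}")
            host, opts = match.group(1), match.group(2)
            options = {o.strip() for o in opts.split(",") if o.strip()} if opts else set()
            entries.append((path, host, options))
    return entries


def audit_exports(text):
    """Return (path, client, issue) triples; an empty list means nothing to flag.

    issue is one of: 'rw' (writable export), 'unspecified' (neither ro nor rw,
    so the server default decides), 'insecure' (clients may use non-reserved
    source ports), 'wildcard' (every host matching the pattern is allowed)."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "rw" in opts:
            findings.append((path, host, "rw"))
        elif "ro" not in opts:
            findings.append((path, host, "unspecified"))
        if "insecure" in opts:
            findings.append((path, host, "insecure"))
        if host == "*" or host.startswith("*."):
            findings.append((path, host, "wildcard"))
    return findings


def hardened(text):
    """Rewrite TEXT so every client is explicitly read-only and not insecure.

    This is the guide's 'ro everywhere if at all possible' applied mechanically,
    one client per line; review the result rather than installing it blindly,
    since some exports genuinely need rw."""
    lines = []
    for path, host, opts in parse_exports(text):
        opts = (opts - {"rw", "insecure"}) | {"ro"}
        lines.append(f"{path}\t{host}({','.join(sorted(opts))})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {host}: {issue}")
    print(hardened(SAMPLE_EXPORTS))
```

Wildcard clients survive the hardened() rewrite on purpose: narrowing who may mount is a decision about your network, not something a script should guess, so those entries are only reported.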
You can also configure your NFS mount points with the Network Configurator
tool included in the Linuxconf utility. For more information on the Linuxconf
utility, see Section 7.7.
More information on NFS can be found in the NFS-HOWTO guide at
http://metalab.unc.edu/LDP/HOWTO/NFS-HOWTO.html, as well as in the man pages
on nfsd and exports.
7.7. Configuration from A-Z with Linuxconf
There is an excellent tool called linuxconf which can make many configuration
issues easier to do. Linuxconf runs on whatever means of display environment it has
available to it (you can run it from the console, over a telnet session, or as a
GUI-based tool under X) and it will automatically start up in the appropriate manner.
If you need to adjust your system time, modify your network settings, set up file
systems, perform user administration, as well as perform many other administrative and
configuration duties, you should give this tool a try. The only caveat I would give is
that, at the time of this writing, the GUI-based tool is still a bit buggy and at times
may stop responding to mouse clicks. However, this tool is a promising work in
progress, and future revisions should become quite usable.
Chapter 8. Backup and Restore Procedures
Performing regular backups should be considered one of a responsible system
administrator's top priorities. Although Linux is an extremely reliable operating
system, failures can, do, and probably will occur. They may be caused by hardware
failure, power outages, or other unforeseen problems.
More likely will be those problems caused by human error, resulting in undesired
changes to, or even deletions of, crucial files. If you are hosting users on your system,
you will most certainly be requested to restore an inadvertently deleted file or two.
If you perform regular backups, preferably on a daily basis (at least for user files which
are updated often), you will hopefully reduce the possibility of, and increase your
recovery from, such file lossage.
The safest method of doing backups is to record them on separate media, such as tape,
removable drive, writeable CD, etc., and then store your backup sets in a location
separate from your Linux system. Sometimes this may not be practical; perhaps you
do not have a fire-proof vault in which you can store your backup tapes! Or perhaps
you do not have access to such an external backup system in the first place.
Nonetheless, backups can still be performed, albeit on a slightly limited basis.
At my place of employment, I perform backups on several Linux servers. Depending
on the situation, some of these backup sets are written to tapes, others are written to a
separate server over the network, while still others are simply written to a separate disk
partition (for example, in the /archive/ file system) by an automatic cron job
(perhaps because the server is in a remote location, for which a daily visit to perform a
tape backup is impractical or impossible).
At home, I do not have an external backup system, nor do I have massive amounts of
available disk space to write a backup image. Therefore, I instead back up only my user
files on /home/ as well as some customized configuration files in /etc/, writing
the backup set to a separate disk partition.
8.1. Server Backup Procedures
There are a variety of methods of performing backups with Linux. These include
command-line tools included with every Linux distribution, such as dd, dump,
cpio, as well as tar. Also available are text-based utilities, such as Amanda and
Taper, which are designed to add a more user-friendly interface to the backup and
restore procedures. There are GUI-based utilities as well, such as KDat. Finally,
commercial backup utilities are also available, such as BRU and PerfectBackup+.
Any one of these backup solutions can provide protection for your valuable data.
A brief listing of some of the tools available, including where they can be obtained, can
be found on the Linux Applications and Utilities Page, at
http://www.xnet.com/~blatura/linapp2.html#back. When deciding on a backup
solution, you will need to consider the following factors:
Portability - Is backup portability (ie. the ability to back up on one Linux distribution
or implementation of Unix and restore to another; for example from Solaris to Red
Hat Linux) important to you? If so, you'll probably want to choose one of the
command-line tools (eg. dd, dump, cpio, or tar), because you can be
reasonably sure that such tools will be available on any *nix system.
Unattended or automated backups - Is the ability to automate backups so that they
can be performed at regular intervals without human intervention important to you?
If so, you will need to choose both a tool and a backup medium which will support
such a backup scheme.
User-friendliness - Is a user-friendly interface important to you? If so, you will likely
want to choose a tool which provides a text- or GUI-based interface. The commercial
utilities may provide the easiest interfaces as well as added technical support.
Remote backups - Is the ability to start backups and restores from a remote machine
important to you? If so, you'll probably want to choose one of the command-line
tools or text-based utilities instead of the GUI-based utilities (unless you have a
reasonably fast network connection and the ability to run remote X sessions).
Network backups - Is performing backups and restores to and from networked hosts
important to you? If so, you'll probably want to use one of several of the
command-line utilities (such as tar) which support network access to backup
devices, or a specialized utility such as Amanda or one of several commercial
utilities.
Media types - Backups can be stored on a variety of media, such as tape, an extra
hard drive, ZIP drives, or rewritable CDs. Consider cost vs. reliability, storage
capacity, and transfer speed.
Caution: When backing up your file systems, do not include the /proc
pseudo-filesystem! The files in /proc are not actually files but are simply file-like
links which describe and point to kernel data structures. Backing up a file like
/proc/kcore, which is actually a pseudo-file containing the contents of your
entire memory, seems like a pretty big waste of tape to me! :-) You will also likely
want to avoid backing up the /mnt file system, unless you have the peculiar
desire to back up the files from your CD-ROM device, floppy drive, network file
shares, or other mounted devices.
Obviously, the procedures for performing a backup and restore will differ depending on
your choice of a backup solution. However, in this section, I will discuss methods for
performing backups with the two tools I use most: tar (whose name stands for Tape
ARchiver), which is a command-line backup tool largely portable across *nix
systems; as well as KDat, a GUI-based tape backup utility which comes included
with the KDE packages (see Section 5.6 for more information on KDE).
Finally, I should add that, depending on your choice of backup solution, even if the tool
doesn't have the ability built-in to schedule automated or unattended backups, you may
be able to automate such backups by using the cron facilities. See Section 9.4 for
details on using cron and on creating crontab schedule files.
8.1.1. Backing up with tar:
If you decide to use tar as your backup solution, you should probably take the time to
get to know the various command-line options that are available; type man tar for a
comprehensive list. You will also need to know how to access the appropriate backup
media; although all devices are treated like files in the Unix world, if you are writing to
a character device such as a tape, the name of the file is the device name itself (eg.
/dev/nst0 for a SCSI-based tape drive).
The following command will perform a backup of your entire Linux system onto the
/archive/ file system, with the exception of the /proc/ pseudo-filesystem, any
mounted file systems in /mnt/, the /archive/ file system (no sense backing up our
backup sets!), as well as Squid's rather large cache files (which are, in my opinion, a
waste of backup media and unnecessary to back up):
tar -zcvpf /archive/full-backup-`date '+%d-%B-%Y'`.tar.gz \
    --directory / --exclude=mnt --exclude=proc --exclude=archive \
    --exclude=var/spool/squid .
Don't be intimidated by the length of the command above! As we break it down into its
components, you will see the beauty of this powerful utility.
The above command specifies the options z (compress; the backup data will be
compressed with gzip), c (create; an archive file is being created), v (verbose;
display a list of files as they get backed up), p (preserve permissions; file protection
information will be remembered so they can be restored). The f (file) option states
that the very next argument will be the name of the archive file (or device) being
written. Notice how a filename which contains the current date is derived, simply by
enclosing the date command between two back-quote characters. A common naming
convention is to add a tar suffix for non-compressed archives, and a tar.gz suffix
for compressed ones.
The --directory option tells tar to first switch to the following directory path (the /
directory in this example) prior to starting the backup. The --exclude options tell tar
not to bother backing up the specified directories or files. Finally, the . character tells
tar that it should back up everything in the current directory.
Note: It is important to realize that the options to tar are cAsE-sEnSiTiVe! In
addition, most of the options can be specified as either single mnemonic
characters (eg. f), or by their easier-to-memorize full option names (eg. file).
The mnemonic representations are identified by prefixing them with a -
character, while the full names are prefixed with two such characters. Again, see
the man pages for information on using tar.
Another example, this time writing only the specified file systems (as opposed to
writing them all with exceptions as demonstrated in the example above) onto a SCSI
tape drive follows:
tar -cvpf /dev/nst0 --label="Backup set created on `date '+%d-%B-%Y'`." \
    --directory / --exclude=var/spool/squid etc home usr/local var/spool
In the above command, notice that the z (compress) option is not used. I strongly
recommend against writing compressed data to tape, because if data on a portion of the
tape becomes corrupted, you will lose your entire backup set! However, archive files
stored without compression have a very high recoverability for non-affected files, even
if portions of the tape archive are corrupted.
Because the tape drive is a character device, it is not possible to specify an actual file
name. Therefore, the file name used as an argument to tar is simply the name of the
device, /dev/nst0, the first tape device on the SCSI bus.
Note: The /dev/nst0 device does not rewind after the backup set is written;
therefore it is possible to write multiple sets on one tape. (You may also refer to
the device as /dev/st0, in which case the tape is automatically rewound after the
backup set is written.)
Since we aren't able to specify a filename for the backup set, the --label option can be
used to write some information about the backup set into the archive file itself.
Finally, only the files contained in /etc/, /home/, /usr/local, and
/var/spool/ (with the exception of Squid's cache data files) are written to the tape.
When working with tapes, you can use the following commands to rewind, and then
eject your tape:
mt -f /dev/nst0 rewind
mt -f /dev/nst0 offline
Tip: You will notice that leading / (slash) characters are stripped by tar when an
archive file is created. This is tar's default mode of operation, and it is intended to
protect you from overwriting critical files with older versions of those files, should
you mistakenly recover the wrong file(s) in a restore operation. If you really dislike
this behavior (remember, it's a feature!) you can specify the --absolute-names
option to tar, which will preserve the leading slashes. However, I don't recommend
doing so, as it is Dangerous!
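The two properties stressed above, that excluded trees really stay out and that member names are relative so a careless restore cannot overwrite live files, are both worth proving before a backup set is trusted. The following Python script is an added example (not the guide's code) that uses Python's tarfile module in place of the tar command so it can run anywhere as one file: it builds a small constructed tree standing in for /, archives it from "." with mnt, proc, archive and var/spool/squid excluded, and then verifies the result the way a restore test would (no absolute names, no excluded trees, and every expected file restores with the right content). The file names and contents are constructed; the date-stamped archive name follows the convention used in the first tar command above.

```python
"""Run the full-backup recipe on a constructed tree and verify the set.

Added example, not part of the guide. Python's tarfile module stands in for
the tar command so the whole exercise runs as one file: a temporary
directory plays the part of '/', it is archived from '.' with the trees the
guide leaves out excluded, and the archive is then checked the way a restore
test would be.
"""
import os
import tarfile
import tempfile
from datetime import date

EXCLUDES = ("proc", "mnt", "archive", "var/spool/squid")  # the guide's exclusions

SAMPLE_FILES = {                         # constructed stand-in for a root fs
    "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "home/smithj/notes.txt": "keep me\n",
    "proc/kcore": "pretend this is all of memory\n",
    "mnt/cdrom/readme": "mounted media\n",
    "var/spool/squid/00/cache": "squid cache\n",
    "archive/old-backup.tar.gz": "previous set\n",
}


def _excluded(rel):
    return any(rel == e or rel.startswith(e + "/") for e in EXCLUDES)


def make_sample_root(root):
    """Populate ROOT with SAMPLE_FILES and return the ones that must be kept."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return {rel: c for rel, c in SAMPLE_FILES.items() if not _excluded(rel)}


def backup_name(directory, when=None):
    """full-backup-<dd>-<Month>-<yyyy>.tar.gz, as the guide's backquoted date gives."""
    when = when or date.today()
    return os.path.join(directory, when.strftime("full-backup-%d-%B-%Y.tar.gz"))


def create_backup(root, archive_path):
    """Same effect as: tar -zcvpf ARCHIVE --directory ROOT --exclude=... ."""
    def keep(info):
        rel = info.name[2:] if info.name.startswith("./") else info.name
        return None if _excluded(rel) else info   # None drops the whole subtree
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=".", filter=keep)   # members are named ./etc/...
    return archive_path


def verify_backup(archive_path, expected):
    """Return a list of problems; an empty list means the set passed."""
    problems = []
    with tarfile.open(archive_path, "r:gz") as tar:
        names = [m.name for m in tar.getmembers()]
        if any(n.startswith("/") for n in names):
            problems.append("absolute member names present")
        for ex in EXCLUDES:
            if any(n == f"./{ex}" or n.startswith(f"./{ex}/") for n in names):
                problems.append(f"excluded tree {ex} was archived")
        for rel, content in expected.items():
            member = f"./{rel}"
            if member not in names:
                problems.append(f"missing {rel}")
            elif tar.extractfile(member).read().decode() != content:
                problems.append(f"content mismatch for {rel}")
    return problems


def run():
    """Build the tree, take the backup, verify it; returns (archive path, problems)."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    store = tempfile.mkdtemp(prefix="archive-")
    wanted = make_sample_root(root)
    archive = create_backup(root, backup_name(store))
    return archive, verify_backup(archive, wanted)


if __name__ == "__main__":
    path, problems = run()
    print(path, "OK" if not problems else problems)
```

Against a real set produced by the tar command, only verify_backup() is needed: pass it the archive path and a dictionary of a few files whose content you know, and treat any non-empty result as a failed backup.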
8.1.2. Backing up with KDat:
If you are using the KDE desktop environment, I believe you will nd the KDat
utility both powerful as well as user-friendly. In addition, an added bonus is that KDat
uses tar as its backup engine. Therefore, backup sets written with KDat can be read
not only with KDat but with tar as well! This makes KDat a very nice choice for both
user-friendliness as well as backup portability.
Tip: Even if you choose not to use nor install the full KDE package, you can still
use KDat as long as you have the Qt libraries installed.
The first time you run the KDat program, you will need to create a backup profile. Such
a profile tells KDat which files on your system you would like to back up. If you wish,
you can create more than one backup profile, depending on your needs (for example,
you could create a profile called "Full Backup" for a full system backup, and "Quick
Backup" for a backup of user files only).
To create a backup profile, either choose Create Backup Profile from the
File menu, or right-click on the Backup Profiles folder and then
choose Create Backup Profile. On the right hand side of the KDat window,
you can change various settings, such as the profile name, archive name, tar options, as
well as others. Click the Help menu for more information on what these settings are
for.
To specify which files should be included in your backup profile, left-click the
checkbox beside the / directory folder. This will enable all files in and below this
directory for backups. Then, left-click on the small + sign beside the folder. This will
expand the folder, showing a list of files in and below it. This will allow you to exclude
any files you do not wish to back up; simply left-click the checkbox beside each file or
directory you wish to exclude. For example, a full backup should probably have every
file and directory checkmarked, with the exception of /proc (a pseudo-filesystem
containing information about your running system), /mnt (a directory below which
CD-ROM drives, floppies, and network shares are usually mounted), and, if you are a
Squid user, /var/spool/squid (Squid's cache data files). Once you have selected
the appropriate files, left-click on the backup profile you are creating, then left-click the
Files button to move the selected files list to your backup profile.
Note: Should your server data be larger in size than can be physically stored on a
tape, you will need to create separate backup profiles, one for each portion of your
backup set.
To actually perform a backup, insert a tape into the drive, and then choose Mount
Tape from the File menu (or left-click the icon that looks like a tape). This will
"mount" the tape. Strictly speaking, a tape device is a character device and cannot
be mounted at all; what KDat actually does is rewind the tape, attempt to read its
header information and, if that succeeds, look up the corresponding tape index on your
hard drive. Otherwise, KDat will prompt you to format the tape.
(Note: If KDat keeps complaining that a tape isn't in the drive when it actually is in
the drive, you should ensure the correct tape device name is specified in the
preferences; left-click the Edit option on the menu bar and choose User
Preferences.)
Once KDat has mounted the tape, before you start the backup you must first choose the
backup profile you wish to use for the backup. To start the backup, simply right-click
on the desired backup profile, and then left-click on the Backup option. KDat will
first display a dialog box showing you the details of the backup profile you have
selected; left-click the Ok button to start the backup.
While the backup is in progress, KDat will display a dialog box showing various
statistical information (elapsed time, backup size, backup rate, estimated time
remaining, as well as the number of files and total bytes written), and display a list of
files as they are backed up. A full backup containing several gigabytes of data might
take several hours to complete. If you find it necessary, you can left-click the Abort
button at any time to interrupt the backup process.
Once the backup is complete, you can unmount the tape by choosing Edit from the
menu bar, and then Unmount Tape, or left-click on the tape icon, which will rewind
and eject the tape.
8.2. Server Restore Procedures
Unarguably, the one thing that is more important than performing regular backups is
having them available when it comes time to recover an important file!
Obviously, as discussed in Section 8.1, the procedures for performing a restore will
differ depending on your choice of a backup solution. In this section, I will discuss
methods for restoring files which have been backed up with tar and KDat.
8.2.1. Restoring with tar:
The following command will restore all files from the
full-backup-09-October-1999.tar.gz archive, which is an example backup of our
Linux system (as created in the example commands shown in Section 8.1.1):
tar -zxvpf /archive/full-backup-09-October-1999.tar.gz
The above command extracts all files contained in the compressed archive, preserving
original file ownership and permissions. The x option stands for extract. (The other
options are described in Section 8.1.1.)
Caution: Extracting files from a tar archive can be a dangerous thing to do, and
should therefore be done with caution. Perhaps the files were archived without
any directory path prepended (a few misguided or uninformed developers distribute
tarballs of their software offerings like this), meaning they will all be extracted into
the current directory. Perhaps the files were archived with leading / slashes (by
specifying the --absolute-names option, --absolute-paths in older versions of tar,
when the archive was created), meaning the files will be restored to their absolute
locations (even if you didn't want them to be). Or, perhaps the files were archived
without leading / slashes, meaning the files will be restored under the current
directory (even if you didn't want them to be). This, of course, depends on how the
backup was created. Keep in mind, too, that an archive from an untrusted source
whose member names are absolute or contain .. components can overwrite files
anywhere on the system if you extract it as root. For all of these reasons, I
strongly recommend testing your tar command with a t (list) option first, and
then replacing the t with an x (extract) when you are absolutely sure the
command will do what you expect it to.
If you do not need to restore all files contained in the archive, you can specify one or
more files that you wish to restore, as in the following example:
tar -zxvpf /archive/full-backup-09-October-1999.tar.gz \
etc/profile usr/local/bin/tolower
The above command restores the etc/profile and usr/local/bin/tolower files
from the example archive.
If you are trying to restore only one or a few files from your archive, you will not be
successful unless you specify the file name and directory path exactly as stored
in the archive. The following example might help out:
tar -ztvpf /archive/full-backup-09-October-1999.tar.gz \
| grep -i profile
In the above example, all files contained in the archive are listed by file name. The
resulting output is then piped to the grep command (using grep's -i option to
ignore case), displaying any files containing "profile" in either the directory
path or file name. Once you determine the exact file name you wish to restore, you
can then specify it for extraction in a regular tar command expression.
As mentioned in Section 8.1, when creating an archive file, tar will strip leading /
(slash) characters from file path names. This means that restored files may not end up in
the same locations they were backed up from. Therefore, either change to the / root
directory, or use the --directory / (-C /) option.
Note: A far safer solution is to restore the desired files under a different directory
(for example, your home directory), and then compare, move, or update the files
to their original locations afterward.
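As an added example (not part of the original guide), the following shell script puts the cautions above into practice: it lists an archive's member names before anything is extracted, refuses archives whose members carry absolute names or ".." components (which would escape the directory you extract into), shows how to find the exact stored name of a file, and restores into a staging directory via --directory rather than over the live system. It assumes GNU tar; the function names and the two sample archives it constructs are my own.

```shell
#!/bin/sh
# Added example: inspect a tar archive before restoring it, and restore
# into a staging directory instead of over the live filesystem.
# Assumes GNU tar (for -P/--absolute-names and --directory).

# Print members that would land outside the extraction directory:
# absolute names, or names containing a ".." path component.
# -P makes tar list the names exactly as stored, instead of quietly
# stripping a leading "/" the way it does on create and extract.
unsafe_members() {
    tar -P -tzf "$1" | awk '
        /^\// { print; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; break }
        }'
}

# Show how a file is named inside the archive, so that the exact member
# path can be handed to tar -x (the "tar -t ... | grep -i" step above).
find_member() {
    tar -tzf "$1" | grep -i -- "$2"
}

# Restore the whole archive (or only the members named after the first
# two arguments) under $2, never under /, after the safety check.
safe_restore() {
    archive=$1
    dest=$2
    shift 2
    if unsafe_members "$archive" | grep -q .; then
        echo "refusing $archive: member names would escape $dest" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    tar -xzpf "$archive" --directory "$dest" "$@"
}

# Constructed fixtures for the demonstration: good.tar.gz holds relative
# names like a normal backup; evil.tar.gz is created with -P so that it
# carries an absolute member name, the kind of archive to refuse.
make_fixtures() {
    base=$1
    mkdir -p "$base/src/etc" "$base/src/usr/local/bin"
    echo 'export PATH' > "$base/src/etc/profile"
    echo 'tr A-Z a-z'  > "$base/src/usr/local/bin/tolower"
    ( cd "$base/src" && tar -czf "$base/good.tar.gz" etc usr )
    tar -P -czf "$base/evil.tar.gz" "$base/src/etc/profile"
}

# Stand-alone demonstration: run the script with "--demo" as its argument.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_fixtures "$work"
    echo "members matching 'profile':"
    find_member "$work/good.tar.gz" profile
    safe_restore "$work/good.tar.gz" "$work/staging" && \
        echo "good.tar.gz restored under $work/staging"
    safe_restore "$work/evil.tar.gz" "$work/staging2" || \
        echo "evil.tar.gz was rejected"
    rm -rf "$work"
fi
```

With a real backup you would call unsafe_members and find_member against /archive/full-backup-09-October-1999.tar.gz, then safe_restore it into a directory under your home, and only then compare and move the files into place.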
8.2.2. Restoring with KDat:
To restore one or more les from a KDat-created backup set, insert the backup tape into
the drive, choose Mount Tape from the File menu option (or left-click on the
icon that looks like a tape).
KDat will try to read header information from the tape, and if successful, will then try
to find the tape index which matches the identification found in the tape header. This
tape index is stored on your hard drive, and is a unique file created for each backup tape
formatted by KDat, and is updated each time you perform a backup.
If this corresponding tape index is missing (perhaps you are restoring from a backup set
created on another machine, or the index file was deleted or somehow corrupted on
your hard drive), KDat will inform you of this fact, and ask you if it is okay to recreate
the index by reading the tape. Because you will need to recreate it before you will be
able to restore your desired files, it makes perfect sense to left-click Yes.
(Note: Once a tape is reindexed, its name is changed to Reindexed Tape. You
should rename the tape to its original name.)
Once the tape index has been successfully read, it can then be used to select the directories
or files you wish to restore from the backup set, in much the same manner you used
when creating your backup profiles (see Section 8.1 for detailed instructions on the file
selection process).
Once you have selected the appropriate files, you can start the restoration process by
choosing Restore... from the File option on the menu bar (or left-click the tape
restore icon). KDat will display a dialog box, allowing you to confirm which files will
be restored. In addition, you have the option of specifying a directory into which files
will be restored. This will allow you to restore critical system files into your home
directory, and then compare, move, or update those files to their intended location later
on. This is actually the safest way of restoring files.
To begin the recovery process, click the Okay button. KDat will then scan the tape
and restore the selected les.
On occasion, you may find it necessary or useful to restore one or more files from a
backup set created with KDat without using KDat to do so. Perhaps you would like to
restore such files on a system that does not offer a GUI-based environment, or would
like to do so over a slow network connection through which remote execution of KDat
would be impractical. Fortunately, KDat writes its backup data sets using the tar tool,
a command-line based tool that is available on any *nix system.
Should you wish to restore your KDat-created backup set using tar, simply do so using
whatever options you would with any normal backup set created with tar itself. Bear in
mind, however, that the data sets are not stored in compressed format, so omit the z
option.
Note: You will almost certainly get an error message when trying to access the
KDat backup set with tar. This is because of the header and other information that
KDat added to the tape when it was first formatted. Simply repeat the tar
command two or three times to skip to the beginning of the actual tar archive file.
This only works with the non-rewinding device (/dev/nst0); the rewinding device
(/dev/st0) repositions the tape to the beginning every time it is closed, so you would
read the same header each time. You can also skip past a file mark explicitly with
mt -f /dev/nst0 fsf 1.
8.3. Cisco Router Configuration Backups
At my place of employment, we have a WAN connecting several remote locations.
These remote locations have Cisco routers connected via ISDN, or in some instances,
Centrex data circuits, to provide Internet and WAN connectivity. Cisco router products
allow using TFTP (Trivial File Transfer Protocol) on a network server to read and
write configuration files. Whenever a router configuration is changed, it is important to
save the configuration file on the Linux server so that a backup is maintained.
Please note that Red Hat disables the TFTP service by default, because it can be a real
security hole if not configured properly. The TFTP daemon allows anyone to read and
write files without performing authentication. The way I personally set things up is to
create a /tftpboot/ directory, owned by root, and then modify the existing
configuration line in the /etc/inetd.conf file to specify the file location:
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot
(The first field is the service name exactly as it appears in /etc/services, which is
tftp, UDP port 69.)
Note: Adding the /tftpboot path at the end of the above line specifically
indicates where the TFTP daemon is allowed to access files. Although you can
actually leave this part out and allow TFTP to access files anywhere on your
system, as TFTP is considered somewhat of a security risk, this would probably
be a very bad idea. Because the daemon is started through tcpd, you should also
restrict it to the routers' addresses in /etc/hosts.allow (and deny everything else in
/etc/hosts.deny): a router configuration contains enable passwords and SNMP
community strings, so nobody but the routers and the administrator should be able
to read or write these files.
Once you have enabled the TFTP service, don't forget to type:
killall -HUP inetd
The above command signals the inetd daemon to re-read the inetd.conf file and pick up
whatever changes you have made to it.
Creating a backup of a router configuration file involves a 3-step process: setting
permissions on an existing file (or creating a new one) to allow writes, writing the
backup file, and then resetting permissions to restrict access to the file. (The file must
exist beforehand and be world-writable because in.tftpd, which has no way of
authenticating the router, will only overwrite such files and never creates new ones.)
An example router backup session follows:
mail:~# cd /tftpboot
mail:/tftpboot# chmod a+w xyzrouter-confg
chmod: xyzrouter-confg: No such file or directory
mail:/tftpboot# touch xyzrouter-confg
mail:/tftpboot# chmod a+w xyzrouter-confg
mail:/tftpboot# telnet xyzrouter
Escape character is ^].
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# write network
Remote host []? 123.12.41.41
Name of configuration file to write [xyzrouter-confg]?
Write file xyzrouter-confg on host 123.12.41.41? [confirm]
Building configuration...
Writing xyzrouter-confg !! [OK]
xyzrouter# exit
Connection closed by foreign host.
mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit
In case of router failure (caused, for example, by a power surge during a lightning
storm), these backup files can be helpful to reload the router configuration. Again,
restoring from a configuration file involves a 3-step process: setting permissions on the
existing file, loading the file, and then resetting permissions to restrict access to the file.
Note that both telnet and TFTP send everything, including the enable password and
the configuration itself, across the network in the clear, so confine these sessions to a
management network you trust. An example router restoration session follows.
mail:~# cd /tftpboot
mail:/tftpboot# chmod a+r xyzrouter-confg
mail:/tftpboot# telnet xyzrouter
Escape character is ^].
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config network
Host or network configuration file [host]?
Address of remote host [255.255.255.255]? 123.12.41.41
Name of configuration file [xyzrouter-confg]?
Configure using xyzrouter-confg from 123.12.41.41? [confirm]
Loading xyzrouter-confg from 123.12.41.41 (via BRI0): !
[OK - 1265/32723 bytes]
xyzrouter# write
xyzrouter# exit
Connection closed by foreign host.
mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit
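As an added example (not from the guide), the following shell functions wrap the three-step procedure of the two sessions above so that the window during which the file is world-writable is deliberate and short, the previous copy is kept for comparison, and the result is sanity-checked before being locked down again. The router's "write network" or "config network" happens between tftp_open_target and tftp_seal_target, exactly as in the sessions. The function names, the .prev naming convention, the IOS "version"/"end" heuristic and the sample configuration text in the usage note are my own assumptions; the in.tftpd behaviour relied on (writes only to an existing, world-writable file) is the one the text describes.

```shell
#!/bin/sh
# Added example: wrap the three TFTP steps from the router sessions above.
# Assumes the BSD-derived in.tftpd behaviour described in the text: it
# will only write to a file that already exists and is world-writable.
# Typical use: tftp_open_target /tftpboot xyzrouter-confg, then the
# router's "write network", then tftp_seal_target /tftpboot xyzrouter-confg.

# Step 1: keep the previous copy, then open the target for the router's
# write.  The file is world-writable only from now until tftp_seal_target
# runs, so call this immediately before the router writes.
tftp_open_target() {   # tftp_open_target <dir> <name>
    f="$1/$2"
    if [ -s "$f" ]; then
        rm -f "$f.prev" && cp -p "$f" "$f.prev" || return 1
    fi
    if [ -e "$f" ]; then
        chmod u+w "$f" || return 1   # it was sealed read-only last time
    fi
    : > "$f" || return 1             # create (or empty) the target
    chmod a+w "$f"
}

# Step 3: lock the file down again (a-wr,u+r in the text, i.e. 0400 for a
# root-owned file) and check that the router actually wrote a config.
# The heuristic is mine: an IOS configuration starts with a "version"
# line and ends with "end".
tftp_seal_target() {   # tftp_seal_target <dir> <name>
    f="$1/$2"
    chmod 400 "$f" || return 1
    if ! [ -s "$f" ]; then
        echo "$f: empty, the router did not write it" >&2
        return 1
    fi
    if ! grep -q '^version ' "$f" || ! grep -q '^end$' "$f"; then
        echo "$f: does not look like an IOS configuration" >&2
        return 1
    fi
    return 0
}

# Show what changed since the last saved copy.  Because anyone able to
# reach UDP port 69 could have written the file while it was open, an
# unexpected difference is also a sign of tampering worth investigating.
tftp_config_diff() {   # tftp_config_diff <dir> <name>
    f="$1/$2"
    if ! [ -e "$f.prev" ]; then
        echo "no previous copy of $f" >&2
        return 2
    fi
    diff "$f.prev" "$f"
}

# Octal permission bits of a file, for checking the seal (GNU stat assumed).
file_mode() {
    stat -c '%a' "$1"
}
```

Run tftp_config_diff after every backup and look at the output before trusting the new copy; a configuration that changed when nobody changed the router is exactly what the unauthenticated TFTP window makes possible.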
Chapter 9. Various & Sundry
Administrative Tasks
Linux has proven itself to be extremely reliable during the over four years I have had it
in service as an Internet server and requires very little hands-on administration to keep
it running. Where possible, many repetitive or tedious administrative tasks can and
should be automated through crontab entries and script les. However, to ensure that
Linux continues to operate in a trouble-free manner, various quick checks can be done
from time to time. These include:
9.1. Checking Storage Space
It is important to check from time to time that adequate free space remains on the
storage devices. Use the df command to get a report of available space. It will look
as follows (information shown is from the Internet server at my place of employment):
Filesystem         1024-blocks    Used Available Capacity Mounted on
/dev/sda1              1888052  135908   1654551       8% /
/dev/sdd1              4299828  100084   3977246       2% /archive
/dev/hda2              3048303  897858   1992794      31% /archive2
/dev/hda1                11677    1380      9694      12% /boot
/dev/sdc1              4299828  350310   3727020       9% /home
/dev/sdb1              4299828  598504   3478826      15% /usr
/dev/sda2              1888083  700414   1090075      39% /var
/dev/scd0               593958  593958         0     100% /cdrom
These file-systems are pretty stable in that they have a fairly slow growth pattern.
The / (aka root) file-system, mounted on /dev/sda1 in the listing above, contains the
Linux kernel (on the separate /boot file-system in the listing above), device
drivers, and other directories. User mail messages (/var/spool/mail/) and log files
(/var/log/, or /var/adm/ on older systems) live under /var, which is a separate
file-system (/dev/sda2) on the server above but is often part of /. Either way, as mail
messages are received and log files are recycled, the available capacity stays fairly
stable (an estimated growth of about 1% per month). Log files are rotated and purged
automatically on a weekly basis, so you'll always have about a month's worth of log
information available to you.
Tip: If this file-system is growing rapidly, concentrate your efforts in the
/var/spool/mail directory and look for huge mailboxes (something like find
/var/spool/mail -size +1000k would display a list of mailboxes larger than
1Mb in size). If you find a file much larger than 1,000,000 bytes in size, the user
probably isn't retrieving their mail, is on a high-volume mailing list, or their e-mail
package isn't configured to remove the mail from the server. Contact the user
and/or clear the mail file, using > mailbox (eg. > smithj to clear Joe Smith's
mail box; truncating the file this way keeps its ownership and permissions, which
deleting and recreating it would not). Also check the /tmp/ directory, which may
need to be cleaned out on an occasional basis (usually old tin* files left over from
aborted newsreader sessions, old print files, etc).
The /usr/ (aka user) file-system, mounted on /dev/sdb1 in the listing above, contains
user-installable (user meaning user-installed by the system administrator) software,
things like your web site pages, etc. This is the largest file-system, and is also fairly
slow-growth. The log files for the web pages may also be stored here, and grow in size;
check and trim them periodically as needed. On my machines, at the beginning of each
month the current web log files are moved to month summary logs (eg. access_log.11
for November's log entries). At the end of the year these logs are all deleted and the
cycle starts again (which means each January 1st should see a fair improvement in
available space).
Tip: If this file-system is growing rapidly, check the
/usr/local/etc/httpd/logs and the /usr/local/squid/logs/ directories
(if you have them). There may be log file(s) that are getting too large (if, perhaps,
the web site received a high number of visits). If, however, the logs are purged
automatically on a regular basis as I have them, you shouldn't run into any
problems with space here (indeed, as the logs are used for statistical analysis of
my site's traffic I'd rather not have to delete them if possible). Another place to
check for potentially deletable files is in /usr/tmp/.
The /home/ (aka users' personal home) file-system, mounted on /dev/sdc1 in the listing
above, contains all the user directories and personal files. Unless you are giving out
shell accounts, most of these will be useless and inaccessible to the user (these
directories are created when each user's account is created, and can later be used to
forward the user's mail, etc.). However shell account users, as well as any non-shell
accounts which have web pages (eg. personal web pages) will probably have them
stored here. In addition, main server pages are stored here in the /home/httpd
directory under Red Hat, while other distributions usually place them in the /usr file
system (see Section 7.1 for more information).
This le-system is probably the slowest growth unless you are offering a lot of shell
accounts.
Tip: If this file-system suddenly grows in size, it is probably because one of your
users is adding web pages or binary files in his/her personal space. Check the
/var/log/xferlog* log files (/var/adm/xferlog.* on older systems) for recent FTP
activity, which should show you which user has added to their web pages.
I also have an /archive/ (aka archive files) file-system, mounted on /dev/sdd1 in the
listing above, which is a spare hard drive that can be used for any purpose (eg. data
files, software kits, etc.). I am using a good portion (approximately 70%) of this drive
for disk-to-disk full current backups of the system. Generally speaking you can add
your own devices and mount them as you wish.
I also have a CD-ROM drive, mounted as /cdrom/ in the listing above (Red Hat's default
mount point is /mnt/cdrom/) on /dev/scd0, which is a 24X-speed SCSI CD-ROM device
that can read any ISO9660 formatted CD. It is used primarily for software installation,
but DOS/Windows CDs can be mounted and then accessed from Windows 3.x/95/NT
network shares as needed via a Samba service (see Section 7.4 for details).
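The check described above is the kind of thing worth running from cron rather than by hand. As an added example (not from the guide), the following shell script reads df -P output, reports every file-system at or above a usage threshold, and exits non-zero when any is, so a crontab entry can mail you only when something needs attention. The df output embedded in the script is constructed for the demonstration, modelled on the listing above, and the function names are mine.

```shell
#!/bin/sh
# Added example: report file-systems whose usage is at or above a
# threshold.  Uses df -P (POSIX output format: one line per file-system,
# "Capacity" in column 5 and the mount point in column 6).

# Read df -P output on stdin; print "mountpoint percent" for every
# file-system at or above $1 percent.  Returns 1 if any were printed,
# so the caller (or cron) can tell "something to look at" from "all fine".
report_full_filesystems() {   # report_full_filesystems <threshold>
    awk -v limit="$1" '
        NR > 1 {
            pct = $5
            sub(/%$/, "", pct)
            if (pct + 0 >= limit + 0) { print $6, pct; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Run against the live system.  Extra arguments are mount points to
# skip, such as a mounted CD-ROM, which is always 100% full and never
# worth an alert.
check_disk_space() {          # check_disk_space <threshold> [mountpoint-to-skip ...]
    limit=$1
    shift
    df -P | awk -v skip="$*" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) skipped[s[i]] = 1 }
        NR == 1 || !($6 in skipped)' | report_full_filesystems "$limit"
}

# Constructed sample, modelled on the df listing in the text.
SAMPLE_DF='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1          1888052  135908   1654551       8% /
/dev/sdd1          4299828  100084   3977246       2% /archive
/dev/hda2          3048303  897858   1992794      31% /archive2
/dev/hda1            11677    1380      9694      12% /boot
/dev/sdc1          4299828  350310   3727020       9% /home
/dev/sdb1          4299828  598504   3478826      15% /usr
/dev/sda2          1888083  700414   1090075      39% /var
/dev/scd0           593958  593958         0     100% /cdrom'

# Run the report over the constructed sample rather than the live system.
sample_report() {             # sample_report <threshold>
    printf '%s\n' "$SAMPLE_DF" | report_full_filesystems "$1"
}
```

A crontab line such as "0 6 * * * /usr/local/sbin/diskcheck 90 /cdrom" (with check_disk_space 90 /cdrom as the script body) produces mail only on the mornings a file-system has crossed 90%, which is the point of the exit status.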
The rm command will delete a file. Usage is rm filename. If you want
confirmation of deletion, use the -i option (eg. rm -i *). You would then be
asked to confirm each file before it is deleted.
(Note: Some setups define a shell alias so that rm prompts by default for some
accounts, but do not rely on it; check with the alias command, and remember that
the root account will not confirm before deleting files unless rm -i is actually in
effect!)
Be careful you don't make a silly typo with this command, particularly when logged
in as root, because you may end up regretting deleting the wrong file.
9.2. Managing Processes
From time to time you may wish to view processes that are running on Linux. To obtain
a list of these processes, type ps aux (the BSD-style syntax; older versions of ps also
accept ps -aux, as in the listing below), which will look similar to the following:
USER       PID %CPU %MEM SIZE  RSS TTY STAT START   TIME COMMAND
bin         69  0.0  1.0  788  320 ?   S   Nov 30  0:00 /usr/sbin/rpc.portmap
frampton 10273  0.0  2.1 1136  664 p0  S   14:12   0:00 -bash
frampton 10744  0.0  1.1  820  360 p0  R   17:25   0:00 ps -aux
frampton 10745  0.0  0.8  788  264 p0  S   17:25   0:00 more
nobody   10132  0.0  1.8 1016  588 ?   S   13:36   0:00 httpd
nobody   10133  0.0  1.8  988  568 ?   S   13:36   0:00 httpd
nobody   10413  0.0  1.8 1012  580 ?   S   14:56   0:00 httpd
nobody   10416  0.0  1.8 1012  580 ?   S   14:56   0:00 httpd
nobody   10418  0.0  1.8 1012  588 ?   S   14:57   0:00 httpd
nobody   10488  0.0  1.7  976  556 ?   S   15:34   0:00 httpd
nobody   10564  0.0  1.8  988  564 ?   S   16:06   0:00 httpd
nobody   10600  0.0  1.8  988  564 ?   S   16:15   0:00 httpd
nobody   10670  0.0  1.8  988  568 ?   S   16:45   0:00 httpd
nobody   10704  0.0  1.7  976  552 ?   S   17:03   0:00 httpd
root         1  0.0  1.0  776  312 ?   S   Nov 30  1:13 init [3]
root         2  0.0  0.0    0    0 ?   SW  Nov 30  0:00 (kflushd)
root         3  0.0  0.0    0    0 ?   SW  Nov 30  0:00 (kswapd)
The list shows you the owner of the process (nobody for special services such as web
servers), the process identification number, the % of CPU time the process is currently
using, the % of memory the process is consuming, and other related information, as
well as a description of the task itself.
To get more information on a given process, type ps pid (where pid is the
process identification number). Looking at our example above, ps 10704 would
display:
10704 ? S 0:00 /usr/local/etc/httpd/httpd
This would tell you that this particular process is a web server (the Apache web server
appears multiple times in the process list; for information on why see Section 7.1).
If you happen to notice a service is not operating, you can use kill -HUP pid
(where pid is the process identification number as shown in the process list produced
with ps). For example, if Internet services (a process called inetd, process #123 in
our example) are not working as they should, a kill -HUP 123 (or, by process name,
killall -HUP inetd; kill itself only accepts process numbers) should get it going
again. The -HUP option to the kill command means "hang up"; by convention,
daemons such as inetd treat it as a request to re-read their configuration files, although
not every program does (some simply exit on it, so check the program's
documentation first). Be aware, too, that on some non-Linux systems killall is a very
different command that kills every process on the machine.
Another thing to try if you are unable to resolve the problem would be to shut the
system down and reboot it (see Section 6.7 for details).
At times, you may find it necessary to temporarily suspend a process, and then resume
its execution at a later time. For example, you may be running a CPU-intensive job and
wish to burn an IDE-based CD-Recordable. Since IDE-based devices rely on the CPU
for much of the work behind input/output, they are prone to buffer starvation if your
CPU is too busy, and you end up with a useless coaster instead of a properly prepared
CD! The following two commands will suspend a process, and then resume it,
respectively:
kill -STOP 945
kill -CONT 945
Red Hat provides a better way of starting and stopping some processes, which is
covered in Section 9.3 below.
9.3. Starting and Stopping Processes
The Red Hat distribution of Linux provides a slightly more organized way of managing
processes. Instead of hunting and killing them by nding their process id in the process
table, Red Hat provides a collection of scripts in the /etc/rc.d/init.d directory
which will allow you to start and stop processes as desired.
For example, to shut down the httpd (Apache web server) service, simply run the
httpd script, as follows:
/etc/rc.d/init.d/httpd stop
In much the same manner, you can use the start option to start a service. Or, if you
have made changes to a conguration le and wish to restart a service so those changes
are recognized, you can use the restart option.
(Note: Oddly enough, the restart option does not seem to be supported for
some services.)
9.4. Automating Tasks with Cron and Crontab
Files
Like most Linux users, you may find it necessary to schedule repetitive tasks to be run
at a certain time. Such tasks can occur as frequently as once a minute, to as
infrequently as once a year. This scheduling can be done by using the cron facilities.
The cron facilities as implemented in Linux are fairly similar to those available in other
Unix implementations. However, Red Hat has adopted a slightly different way of
scheduling tasks than is usually done in other distributions of Linux. Just as in other
distributions, scheduling information is placed in a crontab file, using the following
format (five time fields, then the command):
minute hour day-of-month month day-of-week command
There is no year field; a task that must run only in a particular year has to check the
date itself. Per-user crontabs, edited with crontab -e, use exactly this format. The
system crontab file (/etc/crontab) used by Red Hat's Vixie cron carries one extra
field, the user name the command runs as, between day-of-week and the command.
You can specify each time component as an integer number (eg. 1 through 12 for the
months January through December, 0 through 6 for Sunday through Saturday), or
specify one or more components as * characters which will be treated as wildcards
(eg. * in the month component means the command will run at the given day and time
in every month). Here are some examples:
# Mail the system logs at 4:30pm every June 15th.
30 16 15 06 * for x in /var/log/*; do cat ${x} | mail postmaster; done
# Inform the administrator, at midnight, of the changing seasons.
00 00 20 04 * echo "Woohoo, spring is here!"
00 00 20 06 * echo "Yeah, summer has arrived, time to hit the beach!"
00 00 20 10 * echo "Fall has arrived. Get those jackets out. :-("
00 00 20 12 * echo "Time for 5 months of misery. ;-("
Note that commands which produce output to standard output (ie. a terminal) such as the
examples above using echo will have their output mailed to the owner of the crontab
(root, for the system crontab), or to the address named in a MAILTO= line in the
crontab. If you want to avoid this, simply redirect the output to the null device as follows:
00 06 * * * echo "I bug the system administrator daily at 6:00am!" >/dev/null
In addition to the standard crontab entries, Red Hat adds several directories:
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
As their names suggest, executable files can be placed in any of these directories, and
will be executed on an hourly, daily, or weekly basis. This saves a bit of time when
setting up frequent tasks; just place the executable script or program (or a symbolic link
to one stored elsewhere) in the appropriate directory and forget about it. Everything in
these directories runs as root, so make sure the directories, the scripts in them, and
anything those scripts call are writable only by root.
Chapter 10. Upgrading Linux and Other
Applications
To get the most out of your Linux system, such as adding features, getting rid of
potential bugs, and ensuring it is reasonably free of security holes, it is a good idea to
keep your server including the Linux kernel, modules, and user applications
upgraded. At times it may also be necessary to upgrade hardware components such as a
larger hard drive. This chapter will address these issues.
10.1. Using the Red Hat Package Manager
(RPM)
The Red Hat distribution of Linux, including kernel, libraries, and applications, is
provided as RPM files. An RPM file, also known as a package, is a way of
distributing software so that it can be easily installed, upgraded, queried, and deleted.
RPM files contain information on the package's name, version, other file dependency
information (if applicable), platform (such as Intel or Alpha, etc.), as well as default file
install locations.
The RPM utility was first developed by Red Hat and provided as an Open Source
product as is common in the Linux community. Other developers picked it up and
added extra functionality. The RPM method of packaging files has become popular and
is used not only on Red Hat but on some other distributions as well.
Popular Linux applications are almost always released as RPM files, usually in fairly
short order. However, in the Unix world the de facto standard for package distribution
continues to be by way of so-called tarballs. Tarballs are simply files that are
readable with the tar utility. Installing from tar is usually significantly more tedious
than using RPM. So why would people choose to do so? Unfortunately, sometimes it
takes a few weeks for developers to get the latest version of a package converted to
RPM (many developers first release them as tarballs).
If you start installing or upgrading your system or applications with tar, your RPM
database will become out-of-date and inconsistent. This isn't really a big deal (when I
used Slackware, I used tar exclusively; there was no other choice without too much
discomfort), but wherever possible I try to be patient and wait until an RPM becomes
available, or perhaps send a polite request to the developer of the package. (You can
also build your own RPM files and distribute them to others, which is sometimes
helpful to developers who don't have the ability or time to produce such files
themselves.)
A really good place to check if a piece of software is available in RPM form is the
RPM repository at http://rufus.w3.org/linux/RPM/. The repository provides indexed
categories which can be helpful to locate a given RPM file, and contains pointers to
thousands of such files.
To query a package, use rpm -q pkg-name (eg. rpm -q pine). RPM will either
tell you what version of the package is already installed, or that the package is not
installed.
Assuming the package is installed already, and is an earlier version than the update
package you downloaded (which it should be), then you should be able to apply the
update with rpm -Uvh pkg-file.rpm (the name of the downloaded file, ending in
.rpm, not just the package name). If all goes well, the package will be
automatically installed and immediately ready for use. If not, RPM will give you a
pretty good reason (for example, perhaps a supporting package needs to be upgraded
first). This may require a bit of thinking, but problems such as these are very
straightforward to figure out.
If, on the other hand, the package is not yet installed, and you decide you wish to install
it, type rpm -ivh pkg-file.rpm. If there are any supporting packages that are
required, RPM will tell you.
Sometimes, you will want to install a package that is only available in source format. In
fact, unless you are installing packages from a trusted source (such as the Red Hat FTP
site), you probably should install from source in case the binaries contain a trojan horse
or other nasty thing (of course, a source RPM could also contain such a thing, but they
are unlikely to because they would probably be exposed in short order by another
developer). Whatever the source, check the package's signature before installing it:
rpm --checksig pkg-file.rpm (rpm -K for short) verifies the package's PGP/GPG
signature and checksums against the vendor's public key, and a package that fails this
check should not be installed at all, binary or source.
The way to install a package from source is to specify the --rebuild switch to the
RPM utility. For example:
rpm --rebuild foo.src.rpm
The above command would configure and compile the foo package, producing a
binary RPM file in the /usr/src/redhat/RPMS/i386/ directory (assuming you are
using Linux on the Intel platform). You can then install the package as you normally
would. (Current versions of RPM have moved the build modes into a separate program,
so on a newer system the command is rpmbuild --rebuild foo.src.rpm.)
Finally, if you are having problems getting a source package to compile (perhaps you
need to modify a makefile, or change a configuration option, etc.) you can use the
following steps (again, illustrating our fictitious foo package example) to compile
the source, build a new binary package, and then install from the binary package:
rpm -ivh foo.src.rpm
cd /usr/src/redhat/SPECS
pico -w foo.spec
Make whatever changes you feel are needed to the .spec file, and then type:
rpm -ba foo.spec
(or rpmbuild -ba foo.spec with current versions of RPM.)
This will rebuild the package using whatever changes you have made to the .spec file.
As above, the resultant binary RPM file will be located in
/usr/src/redhat/RPMS/i386/, and can be installed as you normally would.
You should look at the Red Hat documentation for more information on RPM. It is an
extremely powerful tool that is worth learning in finer detail. The best source of
information on RPM is Maximum RPM, which is available in both book form, as
well as in PostScript format at http://www.rpm.org/maximum-rpm.ps.gz. (If you decide
to print the PostScript document, be advised that you'll need a lot of paper to do so!)
There is a smaller guide, the RPM-HOWTO, at
http://www.rpm.org/support/RPM-HOWTO.html available as well.
10.2. Installing or Upgrading Without RPM
Sometimes, you may find it necessary to install or upgrade an application for which an
RPM package is not available. Of course, it is certainly possible to do such a thing (in
fact, it is the de facto standard way of doing things in the so-called "real Unix"
world), but I would recommend against it unless absolutely necessary (for reasons why,
see Section 10.1).
Should you need to install anything from tarballs, the general rule of thumb for
system-wide software installations is to place things in your /usr/local/ filesystem.
Therefore, source tarballs would be untarred in /usr/local/src/, while resultant
binaries would probably be installed in /usr/local/bin, with their configuration
files in /usr/local/etc/. Following such a scheme will make the administration of
your system a bit easier (although, not as easy as on an RPM-only system).
Finally, end-users who wish to install software from tarballs for their own private use
will probably do so under their own home directory.
After downloading the tarball from your trusted software archive site, change to the
appropriate top-level directory and untar the archive by typing commands (as root, if
necessary) as in the following example:
tar zxvpf cardgame.tar.gz
The above command will extract all files from the example cardgame.tar.gz
compressed archive. The z option tells tar that the archive is compressed with gzip
(so omit this option if your tarball is not compressed); the x option tells tar to extract
all files from the archive. The v option is for verbose, listing all filenames to the
display as they are extracted. The p option preserves the permissions the files had
when the archive was created, setuid and setgid bits included. Finally, the f option
tells tar that the very next argument is the file name. Don't forget that options to tar
are cAsE-sEnSiTiVe.
Caution: As mentioned in Section 8.2.1, I recommend first using the t option to
display the archive contents to verify the contents prior to actually extracting the
files. Doing so may help avoid extracting files to unintended locations, or even
worse, inadvertently overwriting existing files. This matters most when you extract
as root: an archive can carry absolute paths or ../ components that place files
outside the directory you are in, and because the p option restores mode bits
exactly, a setuid root binary inside the archive becomes a setuid root binary on
your system.
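The listing-first check above can be automated. The following Python script is an added example, not part of this guide or of any real package: it reads an archive with the standard tarfile module and reports members that would escape the extraction directory, link outside it, create device nodes, or carry setuid/setgid bits, and it builds a constructed cardgame.tar.gz (the fictitious name used above) containing the kinds of entry you would want to catch. The hostile entries in it (/etc/ld.so.preload, a ../ path, a setuid binary, a symlink to /etc) are illustrative, not taken from any real archive.

```python
import io
import os
import stat
import tarfile
import tempfile


def audit_tarball(path):
    """Return (member name, reason) pairs for entries that are unsafe to
    extract as root with ``tar zxvpf``: paths that escape the extraction
    directory, links that point outside it, device nodes, and files whose
    mode carries a setuid/setgid bit (the p option restores those bits)."""
    findings = []
    with tarfile.open(path, "r:*") as tf:
        for m in tf.getmembers():
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path"))
            if ".." in m.name.split("/"):
                findings.append((m.name, "parent-directory (..) component"))
            if m.issym() or m.islnk():
                if m.linkname.startswith("/") or ".." in m.linkname.split("/"):
                    findings.append((m.name, "link target escapes the tree: " + m.linkname))
            if m.ischr() or m.isblk():
                findings.append((m.name, "device node"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit in mode %04o" % (m.mode & 0o7777)))
    return findings


def build_sample_tarball(path):
    """Write a constructed cardgame.tar.gz: one harmless file plus four
    entries of the kinds a hostile archive uses. Not a real package."""
    def entry(name, data=b"", mode=0o644, type_=tarfile.REGTYPE, linkname=""):
        ti = tarfile.TarInfo(name)
        ti.type = type_
        ti.mode = mode
        ti.size = len(data)
        ti.linkname = linkname
        return ti, io.BytesIO(data)

    with tarfile.open(path, "w:gz") as tf:
        for ti, buf in (
            entry("cardgame/README", b"A card game.\n"),
            entry("/etc/ld.so.preload", b"/tmp/evil.so\n"),          # absolute path
            entry("cardgame/../../root/.rhosts", b"+ +\n"),         # climbs out of the tree
            entry("cardgame/bin/cardgame", b"\x7fELF", mode=0o4755), # setuid root after -p
            entry("cardgame/conf", type_=tarfile.SYMTYPE, linkname="/etc"),  # link to /etc
        ):
            tf.addfile(ti, buf)


def demo():
    """Build the sample archive in a scratch directory and audit it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "cardgame.tar.gz")
    build_sample_tarball(path)
    return audit_tarball(path)


if __name__ == "__main__":
    for name, reason in demo():
        print("%-32s %s" % (name, reason))
```

Run audit_tarball(path) on a downloaded archive before extracting it; an empty list means none of these specific problems was found, not that the contents are trustworthy. Current GNU tar strips a leading / and refuses members containing .. unless you pass -P, but it will still restore setuid bits when run as root with p, which is why the mode check is there.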
Once the tarball has been extracted into the appropriate directory, you will almost
certainly find a README or an INSTALL file included with the newly installed files,
with further instructions on how to prepare the software package for use. Likely, you
will need to enter commands similar to the following example:
./configure
make
make install
The above commands would configure the software to ensure your system has the
necessary functionality and libraries to successfully compile the package, compile all
source files into executable binaries, and then install the binaries and any supporting
files into the appropriate locations. The actual procedures you will need to follow may,
of course, vary between various software packages, so you should read any included
documentation thoroughly. Note that only the last step needs root privileges, and that
it runs whatever the package's makefile says; building as an ordinary user and reading
the install target before running make install as root limits what a careless or
hostile makefile can do.
Again, unless it is absolutely necessary, I really recommend avoiding tarballs and
sticking to RPM if you can.
10.3. Strategies for Keeping an Up-to-date System
From time to time you may hear of significant upgrades to the Linux kernel or user
applications from various sources. These sources may be magazines, newsgroups, web
pages, etc.
Probably the best single online resource that a Linux administrator should (nay, must)
keep an eye on is the http://freshmeat.net/ web site. This site contains descriptions of
new Open Source applications and projects, documentation, and other announcements
of interest to the Linux community. (Freshmeat, later renamed Freecode, stopped
publishing in 2014; for security fixes in particular, your distribution's own update
announcements are the source to watch.)
Another resource for keeping track of new applications announcements is through the
comp.os.linux.announce newsgroup. This newsgroup contains postings of new
applications, some kernel or application upgrades, web pages, etc. available for Linux.
It is a moderated newsgroup and therefore has a high signal to noise ratio.
Not all product upgrade announcements are made to comp.os.linux.announce, however.
Therefore, visiting the web pages or FTP sites for the applications you are using is
probably a very good idea as well.
10.4. Linux Kernel Upgrades
From time to time it may be wise to upgrade your Linux kernel. This will allow you to
keep up with the new features and bug fixes as they become available. Or, perhaps, you
are running Linux on new or specialty hardware, or wish to enable certain features for
which a custom kernel is needed.
This section will describe upgrading and customizing a new kernel. It isn't as difficult
as you might think!
Announcements of new kernel versions can be obtained through various sources,
including the comp.os.linux.announce newsgroup, as well as on the
http://freshmeat.net/ and http://slashdot.org/ web sites.
Please note that there are currently two streams of kernel development: one stream
is considered stable releases, while the other stream is considered development
releases. For mission critical applications such as an Internet server, it is highly
recommended that you use the stable releases and stay away from the development
kernels.
The difference between the two streams is that, with the development kernels, new
as-yet untested hardware drivers, filesystems, and other cutting edge developments
are introduced on a regular basis. These kernels are for use by hackers only, that is,
people who don't mind having to reboot their system should a kernel bug rear its ugly
head.
The stable kernels introduce new features and drivers only after they have been
thoroughly tested. Minor releases in this stream also serve to clean up any remaining
bugs that are found and corrected.
The two streams use version numbers which are numbered differently to help
distinguish between them. The stable kernels are numbered with the second number
even (eg. 2.0.35, 2.0.36, 2.2.4) while the development kernels are numbered with the
second number odd (eg. 2.1.120, 2.1.121, 2.3.0). (This even/odd convention ended
with the 2.6 series: since then every numbered release is meant for general use, the
unstable work is published beforehand as numbered release candidates, and the
kernel.org "stable" and "longterm" branches carry the bug and security fixes you
would want on a server.)
The latest stable kernel is always made available in source as well as pre-compiled
binary formats on the ftp://ftp.redhat.com/redhat/updates/ FTP site. Download the
desired kernel packages for your version and platform (for example, you would want to
navigate to the /6.1/i386/ directory and download the kernel-*.i386.rpm files
for the 6.1 version on the Intel platform).
Note: You do not need to download the kernel sources file unless you are
planning on building a custom kernel yourself (see Section 10.6 for details on
building a custom kernel).
Sometimes, you may find it necessary to use a kernel that has not yet been made
available as an RPM. In this case, you can find the latest kernels from the
ftp://ftp.kernel.org FTP site, in the /pub/linux/kernel/ directory. Change to the
appropriate major version subdirectory (eg. v2.0), which contains all kernel releases
up to the most current one. Download the desired kernel package (for example, the
compressed tarball for version 2.0.36 is called linux-2.0.36.tar.gz; the source
tarball is the same for every platform, the architecture being chosen when you
configure and compile it), check it against the signature or checksum published
alongside it, and untar it in the /usr/src directory.
Note: Most user-installed applications not installed from RPM should be untarred
under the /usr/local/src/ directory by convention, but this is a kernel tree so
we'll make an exception in this case. :-)
Please be aware that if you decide to upgrade your kernel by downloading a tarball, you
will most certainly need to configure, compile, and install it yourself. Unless you have
special needs that require the very latest development kernel, I strongly recommend
you upgrade your kernel through Red Hat-provided RPM files: these are
preconfigured and precompiled for you, although you can compile a custom kernel
from RPM files as well should you wish.
10.5. Upgrading a Red Hat Stock Kernel
By far the easiest way of upgrading your kernel is to do so using a stock kernel RPM as
provided by Red Hat. These RPM files contain pre-compiled binary kernel code, with
support for a large variety of hardware and popular features.
Installing a stock kernel is easy to do and involves little risk, provided you keep the
old kernel available. Simply type, as root, the following sequence of commands:
rpm -ivh kernel-2.0.36.i386.rpm
cd /boot
ls
Note that the kernel package is installed with -i rather than upgraded with -U: an
upgrade removes the previous kernel package, and with it the only kernel you know
boots on this machine, whereas an install leaves both kernels in /boot so that one can
be kept as a fallback.
Make note of the new kernel name, as reported by the ls command above. You are
interested in the vmlinuz file; for example the third RPM release of kernel 2.0.36
would look like vmlinuz-2.0.36-3.
Now, use an editor to edit the LILO configuration file (type: pico -w
/etc/lilo.conf) and change the image=/boot/... line to point to the new
kernel file, keeping a second image= section for the old kernel so that you can still
boot it. After you have done so, type /sbin/lilo. If LILO reports an error
message, double-check the file name in your lilo.conf file with the file name in the
/boot/ directory.
Caution: Do not forget this step!
(The above commands assume you are using the Intel platform and use LILO to boot
your system. See Section 4.8 for details on the LILO boot loader).
After you have upgraded your stock kernel and have updated your boot loader
information, you should be able to shut down and reboot using the new kernel (see
Section 6.7 for details on shutting down your system).
10.6. Building a Custom Kernel
If you are running Linux on a system with hardware, or wish to use features, not
supported in the stock kernels, or perhaps you wish to reduce the kernel memory
footprint to make better use of your system memory, you may find it necessary to build
your own custom kernel.
Upgrading the kernel involves configuring desired modules, compiling the kernel and
modules, and finally installing the kernel image. This is followed by a system reboot
(with fingers crossed!) to load the new kernel. All of this is documented in the
README file which comes with each kernel package. Further information can be found
in the Documentation/ subdirectory. A particularly helpful file there is
Configure.help which contains detailed information on the available kernel
compile options and modules.
The following is a sample session demonstrating the build of a custom kernel, version
2.0.36 on the Intel platform. While building a custom kernel is usually just a matter of
configuring, compiling & installing, sometimes (usually in the case of new hardware) it
is necessary to download additional driver software should your hardware not yet be
supported by the kernel version you are compiling.
The first step in building a custom kernel is to download and install the kernel sources
from either RPM (preferred) or from tarball. See Section 10.4 for details on obtaining
the appropriate files.
Next, use the rpm utility (or tar, as appropriate) to install the kernel source tree
and header files. For example, to install the 2.0.36-3 kernel RPM files:
rpm -Uvh kernel-source-2.0.36-3.i386.rpm kernel-headers-2.0.36-3.i386.rpm
rpm -Uvh kernel-ibcs-2.0.36-3.i386.rpm
(If you are running Linux on a notebook, you would also likely install the
kernel-pcmcia-cs-2.0.36-3.i386.rpm file, which provides PCMCIA (PC Card)
support.)
After installing the kernel les, you should be able to nd the new source tree in the
/usr/src/linux/ directory.
The next step is to download any additional driver files (if applicable) and install them
in the new kernel source tree. For example, to add support for the Mylex DAC960
hardware RAID controller, I would download the driver software from the
http://www.dandelion.com/ web site. Unfortunately, such driver software is usually
only offered as tarballs and needs to be installed using the tar utility. For example:
cd /usr/src/
tar zxvpf DAC960-2.0.0-Beta4.tar.gz
You should read the documentation provided with your additional driver software, if
applicable. For example, the DAC960 driver includes a README le which gives
instructions on where the newly downloaded les should be located, and how to apply
the kernel patch:
mv README.DAC960 DAC960.[ch] /usr/src/linux/drivers/block
patch -p0 < DAC960.patch
The next step is to ensure your system's symbolic links are consistent with the new
kernel tree. Actually, this step only needs to be done once, so the following needs to be
done only if you haven't compiled a custom kernel before:
mail:/usr/src# cd /usr/include
mail:/usr/include# rm -rf asm linux scsi
mail:/usr/include# ln -s /usr/src/linux/include/asm-i386 asm
mail:/usr/include# ln -s /usr/src/linux/include/linux linux
mail:/usr/include# ln -s /usr/src/linux/include/scsi scsi
Note: The above step is no longer necessary for 2.2.x or higher kernel versions.
The next step is to configure your kernel settings. This is the most important step in
building the custom kernel. If you disable the wrong settings, you may leave out
support for features or hardware you need. However, if you enable the wrong settings,
you will be needlessly enlarging the kernel and wasting your valuable system memory
(that being said, it is probably better to err on the side of the latter rather than the
former).
The best way of ensuring you compile the kernel properly is to know what features you
will need to use, and what hardware is in your system that you will require support for.
After you have gained experience in customizing your kernel a few times, the process
will become old hat and won't seem so intimidating!
Type the following to begin the configuration process:
mail:/usr/include# cd /usr/src/linux
mail:/usr/src/linux# make mrproper
mail:/usr/src/linux# make menuconfig
(Be aware that make mrproper deletes any existing .config along with the build
products, so copy .config somewhere else first if you want to start from the
configuration of a previous build rather than from scratch. You could type make
xconfig instead of make menuconfig if you have the X Window System running; see
Chapter 5 for details on how to get X working.)
To configure your kernel, go through the various settings and select (enable) whichever
ones you require, and de-select (disable) the ones you do not require. You can choose
between having such support built right into the kernel, or having it built as a module
which is loaded and unloaded by the kernel as needed. (If you compile a feature that is
actually needed to boot your system, such as a SCSI driver, as a module, you will need
to create a RAMdisk image or your system will not boot. This is done with the
mkinitrd command; this procedure is described a little further down.)
When going through the configuration settings, you can select <Help> for a description
of what a given kernel option is for.
After you have configured your kernel settings, type the following commands to
compile your kernel:
mail:/usr/src/linux# make dep ; make clean
mail:/usr/src/linux# make bzImage
mail:/usr/src/linux# make modules
If you are recompiling the same kernel as you have previously (2.0.36-3 in this
example), you will likely want to move the existing modules to a backup directory as
with the following command:
mail:/usr/src/linux# mv /lib/modules/2.0.36-3 /lib/modules/2.0.36-3-backup
Now, type the following command to actually install the new modules:
mail:/usr/src/linux# make modules_install
The next step is to copy the kernel into the /boot/ directory and tell LILO about it.
The following commands make a backup copy of your existing kernel and copy the new
kernel into place:
mail:/usr/src/linux# cd /boot
mail:/boot# cp vmlinuz vmlinuz.OLD
mail:/boot# cp /usr/src/linux/arch/i386/boot/bzImage vmlinuz
(If you prefer kernels named by version, as the stock RPMs do, copy the image to
vmlinuz-2.0.36 instead and use that name in lilo.conf below; whichever you choose,
the two must agree.)
Now edit your /etc/lilo.conf file, and make sure the image reference is pointing to
the new kernel. You should also add a section which points to your backup kernel,
called, perhaps, OldLinux. Here is an example file:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/vmlinuz
label=Linux
root=/dev/hdb1
read-only
image=/boot/vmlinuz.OLD
label=OldLinux
read-only
Only after lilo.conf has been edited should you refresh the boot record, since
/sbin/lilo reads the file and writes the boot map for whatever kernels it names at that
moment:
mail:/boot# /sbin/lilo
By adding your backup kernel information in this way, should your new kernel fail to
boot properly (perhaps a device is not recognized, or a daemon doesn't start as it
should), you can simply type OldLinux at the boot: prompt to boot from the old
kernel and investigate the problem.
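Because a mistake in lilo.conf is caught at the /sbin/lilo step at best and at the boot: prompt at worst, it helps to check the file before running lilo. Below is an added example, not part of this guide or of LILO itself: a Python checker for the lilo.conf subset shown above that confirms every image= and initrd= path exists, that default= (if present) names a real label, that no label is used twice, and that there is a second stanza such as OldLinux to fall back to. The SAMPLE_CONF it carries is a constructed copy of the example above with a default= line added, and the exists parameter is injectable so the check can be exercised without a real /boot.

```python
import os

# Constructed lilo.conf, modelled on the example above; not a real machine's file.
SAMPLE_CONF = """\
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=Linux

image=/boot/vmlinuz
        label=Linux
        root=/dev/hdb1
        read-only

image=/boot/vmlinuz.OLD
        label=OldLinux
        read-only
"""


def parse_lilo_conf(text):
    """Parse the lilo.conf subset used in this chapter: global lines come
    first, then each image= line opens a stanza that owns the lines after
    it. Bare keywords (prompt, read-only) get the value True."""
    global_opts, stanzas = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), (value.strip() if sep else True)
        if key == "image":
            stanzas.append({"image": value})
        elif stanzas:
            stanzas[-1][key] = value
        else:
            global_opts[key] = value
    return global_opts, stanzas


def check_lilo_conf(text, exists=os.path.exists):
    """Return a list of problems: kernel or initrd files that /sbin/lilo
    would refuse (the "double-check the file name" case), duplicate or
    unknown labels, and the absence of a second stanza to fall back to.
    `exists` is injectable so the check can run against a constructed
    configuration without touching /boot."""
    global_opts, stanzas = parse_lilo_conf(text)
    if not stanzas:
        return ["no image= stanza at all"]
    problems, labels = [], []
    for s in stanzas:
        # LILO uses the kernel file's base name when no label is given.
        label = s.get("label", os.path.basename(s["image"]))
        if label in labels:
            problems.append("label %s used twice" % label)
        labels.append(label)
        if not exists(s["image"]):
            problems.append("%s: kernel %s does not exist" % (label, s["image"]))
        if "initrd" in s and not exists(s["initrd"]):
            problems.append("%s: initrd %s does not exist" % (label, s["initrd"]))
    default = global_opts.get("default")
    if default is not None and default not in labels:
        problems.append("default=%s matches no label" % default)
    if len(stanzas) < 2:
        problems.append("only one kernel stanza: nothing to boot if it fails")
    return problems


def check_against(text, present):
    """Check `text` as if exactly the paths listed in `present` existed."""
    return check_lilo_conf(text, exists=lambda p: p in set(present))


if __name__ == "__main__":
    boot = ["/boot/vmlinuz", "/boot/vmlinuz.OLD"]
    print(check_against(SAMPLE_CONF, boot) or "lilo.conf looks consistent")
    # A typo in the backup kernel's name is reported before lilo ever runs.
    print(check_against(SAMPLE_CONF.replace("vmlinuz.OLD", "vmlinuz.old"), boot))
```

On a real system call check_lilo_conf(open("/etc/lilo.conf").read()) as root before /sbin/lilo; an empty list means the files it names are present and there is a fallback entry. The parser deliberately covers only the directives this chapter uses, so unusual lilo.conf features are passed through unchecked rather than misreported.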
Note: As mentioned previously, if you've compiled a feature required to boot your
system as a module, you will need to create an initial RAMdisk image in order to
boot your system. (Don't forget to compile your kernel with support for such an
initial boot image.)
The procedure to create and use an initial RAMdisk image is as follows:
Add an entry in your /etc/lilo.conf to boot off the initial RAMdisk image; this
is shown as an addition to the example configuration file shown earlier (the initrd
file name must be the same one you give to mkinitrd below):
image=/boot/vmlinuz
label=Linux
root=/dev/hdb1
initrd=/boot/initrd-2.0.36-3.img
read-only
The loopback device needs to be loaded before you are able to use the mkinitrd
command. Make sure the loopback device module is loaded:
/sbin/insmod loop
(If you get an error message about not being able to load the loopback module, you
may need to specify the full path to the module for the kernel your system is
still running on, for example /lib/modules/2.0.35/block/loop.o.)
Use the mkinitrd command to actually create the image:
/sbin/mkinitrd /boot/initrd-2.0.36-3.img 2.0.36-3
Run /sbin/lilo to update your boot loader.
Now, shut down your system and boot the new kernel!
mail:/boot# /sbin/shutdown -r now
If your kernel refuses to boot altogether, don't panic. If you kept an OldLinux entry
in lilo.conf as described above, simply select it at the boot: prompt. Otherwise,
boot off the boot disk that was created during the installation of Linux. If you don't
have a copy of this disk, you should be able to create one from the Red Hat CD. Insert
the boot diskette into the drive and reboot the computer. When you see the boot:
prompt, type:
mount root=/dev/hda1
The above command assumes your / (root) partition is located on /dev/hda1.
Linux should then boot normally (although since you are using the kernel from the boot
disk, not all services or devices may operate properly for this session), and then you
can restore your old kernel and reinstall the LILO boot loader information (i.e. mv
/boot/vmlinuz.OLD /boot/vmlinuz ; /sbin/lilo) and shut down/restart. You can then
try recompiling the kernel with different options and try again.
10.7. Moving to the Linux 2.2.x Kernels
The Linux kernel 2.2.0 was released on January 25, 1999, bringing with it many new
features, performance enhancements, and hardware support. Any existing Linux
system can be upgraded with one of these new kernels in much the same fashion as
described in Section 10.4 (with caveats).
This section will describe how to upgrade your Red Hat system to the new kernels. As
Red Hat 6.0 (and above) already ships with the new kernel and supporting packages by
default, this section will only be useful to those of you who are still using an earlier
version, such as 5.2. I will likely remove this section from future versions of this
document, once I believe a majority of users have migrated to 6.0 and beyond.
Warning! If you decide to upgrade your older system to support the new kernels,
be advised that as the process involves a number of package upgrades, it is
possible that something will go horribly wrong. As always, have recent backups
available to you in case something goes wrong. If you don't have experience with
upgrading files with RPM as well as compiling kernels, perhaps you might wish to
upgrade to Red Hat 6.1.
You have the choice of upgrading to either a stock kernel as provided by Red Hat, or
upgrading by compiling a custom kernel. I would recommend getting things going with
a stock kernel rst, and then build a customized kernel later as you normally would (see
Section 10.5 for details.)
In order to use the latest kernel, it is rst necessary to upgrade to the newest utilities
and libraries. Red Hat has identied which packages need to be upgraded to support the
newest kernel, and have placed the appropriate RPM les on their FTP site at
ftp://ftp.redhat.com/redhat/updates/5.2/kernel-2.2/i386/ (for Red Hat 5.2 users on the
i386 platform).
A very good web page, detailing the appropriate system tools that are necessary for
moving to 2.2.x is available at
http://www-stu.calvin.edu/~clug/users/jnieho38/goto22.html; I will attempt to
summarize the information below (items marked with a leading ** indicate you will
most likely need to upgrade the item for Red Hat 5.2; items not indicated as such are
probably okay but worth checking).
** initscripts-3.78-2.4 or better (Type rpm -q initscripts to check your
version)
** modutils-2.1.121 or better (Type rpm -q modutils to check your version)
** mount-2.9-0 or better (Type rpm -q mount to check your version)
gcc-2.7.2.3 or better (rpm -q gcc)
binutils-2.8.1.0.23 or better (rpm -q binutils)
libc-5.4.46 or better (Red Hat uses the newer glibc. Not needed.)
glibc-2.0.7-6 or better (rpm -q glibc)
ld.so 1.9.9 or better (ls -l /lib/ld.so.*)
libg++-2.7.2.8 or better (rpm -q libg++)
procps-1.2.9 or better (rpm -q procps)
** procinfo-15 or better (rpm -q procinfo)
psmisc-17 or better (rpm -q psmisc)
** net-tools-1.50 or better (rpm -q net-tools)
loadlin-1.6 or better (Needed only if you are booting Linux from DOS using
Loadlin. Not sure how to calculate the version number; download the latest version
to be sure.)
sh-utils-1.16 or better (rpm -q sh-utils)
autofs-3.1.1 or better (rpm -q autofs)
nfs-server-2.2beta37 or better (rpm -q nfs-server; needed only if you are
serving NFS file shares.)
bash-1.14.7 or better (rpm -q bash)
ncpfs-2.2.0 or better (rpm -q ncpfs; needed only if you are mounting Novell
file systems.)
kernel-pcmcia-cs-3.0.6 or better (rpm -q kernel-pcmcia-cs; needed only for
laptops which need PCMCIA card support.)
ppp-2.3.5 or better (rpm -q ppp; needed only if you are connecting to the
Internet with a modem and PPP.)
dhcpcd-1.3.16-0 or better (rpm -q dhcpcd; needed only if you need a DHCP
client to connect to the Internet, such as with a cable modem).
** util-linux-2.9.0 (rpm -q util-linux)
setserial-2.1 or better (rpm -q setserial)
ipfwadm/ipchains (Only needed if you are doing IP firewalling; see the
IPCHAINS-HOWTO guide at
http://isunix.it.iltu.edu/resources/ldp/HOWTO/IPCHAINS-HOWTO.html.)
You should download and upgrade any packages using RPM as required (see Section
10.1 for details on how to use RPM).
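The "or better" checks in the list above can be scripted rather than eyeballed, and doing it properly means comparing versions the way rpm does (so that 2.1.121 is newer than 2.1.85 and 2.9.0 is newer than 2.9). What follows is an added example, not code from this guide or from Red Hat: a Python implementation of rpm's segment-by-segment comparison (the function rpm itself calls rpmvercmp), a parser for requirement strings written exactly as in the list above, and a checker that takes the "name version release" lines printed by rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' package, which is unambiguous even for hyphenated names such as net-tools. The installed versions used in the test are constructed, not read from any system, and the tilde/caret rules that later rpm releases added are deliberately not modelled.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm's rpmvercmp()
    does, classic algorithm only. Strings are cut into runs of digits and
    runs of letters; digit runs compare numerically, letter runs lexically,
    a digit run is newer than a letter run, and when one string runs out
    of segments the longer one is newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_requirement(spec):
    """Split 'name-version[-release]' as written in the list above. The
    name may itself contain hyphens (net-tools, kernel-pcmcia-cs), so the
    version is taken to be the first hyphen-separated field that starts
    with a digit; whatever follows it is the release, if any."""
    fields = spec.split("-")
    for i, field in enumerate(fields):
        if i > 0 and field[:1].isdigit():
            name = "-".join(fields[:i])
            release = "-".join(fields[i + 1:]) or None
            return name, field, release
    raise ValueError("no version in %r" % spec)


def satisfied(installed, requirement):
    """installed is one 'name version release' line, as printed by
    rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <package>.
    Version is compared first; release only if the versions are equal and
    the requirement actually names one."""
    iname, iver, irel = installed.split()
    rname, rver, rrel = parse_requirement(requirement)
    if iname != rname:
        raise ValueError("%s is not %s" % (iname, rname))
    c = rpmvercmp(iver, rver)
    if c == 0 and rrel is not None:
        c = rpmvercmp(irel, rrel)
    return c >= 0


def needs_upgrade(installed_lines, requirements):
    """Return the requirement strings not met by the installed set;
    packages that are not installed at all are reported too."""
    have = {line.split()[0]: line for line in installed_lines}
    todo = []
    for req in requirements:
        name = parse_requirement(req)[0]
        if name not in have or not satisfied(have[name], req):
            todo.append(req)
    return todo


if __name__ == "__main__":
    # Constructed rpm -q --qf output for a hypothetical Red Hat 5.2 box.
    installed = ["initscripts 3.78 2.2", "modutils 2.1.85 4", "mount 2.9 0",
                 "net-tools 1.45 1", "procinfo 15 1"]
    wanted = ["initscripts-3.78-2.4", "modutils-2.1.121", "mount-2.9-0",
              "procinfo-15", "net-tools-1.50", "util-linux-2.9.0"]
    for req in needs_upgrade(installed, wanted):
        print("upgrade needed:", req)
```

Feed it the real output of rpm -q --qf for each package name in the list and it tells you which entries still need attention; anything it reports as not installed is either genuinely absent or installed under a different name on your release, which is worth a second look rather than a blind install.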
Caution: Upgrading to the new modutils package will result in modules no
longer functioning for the older 2.0.x kernels! Therefore, do not upgrade this
package until you have installed the new kernel in /usr/src/linux.
After bringing your systems tools up to date, you can install the kernel sources. You
can nd them on Red Hats FTP site as well; I recommend downloading the ones
provided as updates for Red Hat 6.1, at ftp://ftp.redhat.com/redhat/updates/6.1/i386/.
To do so, type the following:
rpm -Uvh kernel-source*.rpm kernel-headers*.rpm
Now that the new kernel sources have been installed, it should be safe to upgrade your
modutils package. However, the new kernel no longer uses the kerneld module for
on-demand loading of kernel modules. Therefore, you should disable this module
before updating modutils. To disable kerneld and upgrade the modutils package, type
the following as root:
/sbin/chkconfig kerneld off
/etc/rc.d/init.d/kerneld stop
rpm -Uvh modutils*.rpm
You should now be able to configure, compile, and install your 2.2 kernel as you
normally would (see Section 10.6 for details). You may be surprised to see the dizzying
amount of new configuration settings available. Take your time and read the help text
for any options you are unfamiliar with!
With any luck, the next time you boot your system you will be running the latest and
greatest Linux kernel version!
Much more detailed information on these procedures can be found on Red Hats web
site at http://www.redhat.com/corp/support/docs/kernel-2.2/kernel2.2-upgrade.html.
10.8. Configuring the Apache Web Server
At my place of employment, we are using the Apache package to provide web services.
Apache is a full-featured web server with full support for the HTTP 1.1 standard, proxy
caching, password authenticated web pages, and many other features. Apache is one of
the most popular web servers available (according to a recent site survey done by
Netcraft, more than 54% of all web sites on the Internet are using Apache or one of its
derivatives), and provides performance equal to or better than commercial servers.
( Under construction. :-p )
To keep up with added features and bug-fixes that are made to Apache, it is probably
a good idea to upgrade your server from time to time. The Apache web site is located at
http://www.apache.org/ and contains information on the latest versions.
10.9. Configuring the Squid HTTP Caching Proxy Daemon
At my place of employment, we use the Squid package to provide proxy caching of
web pages. Squid offers high-performance caching of web clients, and also supports
FTP, Gopher, and HTTP requests. In addition, Squid can be hierarchically linked to
other Squid-based proxy servers for streamlined caching of pages.
There are two versions of Squid currently available. One, the regular version, seems
to work well on machines with lots of RAM. The second version, SquidNOVM, is
suitable for machines with less RAM (I recommend using this version if you have 64
MB of RAM or less). Basically, the NOVM version uses less memory at the expense
of more file descriptors. It's the one I use, and it works well.
( Under construction :-p )
To keep up with new features and bug-fixes, it is probably a good idea to upgrade the
Squid server from time to time. More information on Squid can be found on the web
site at http://squid.nlanr.net/Squid/.
10.10. Configuring the Sendmail E-mail Daemon
I use the Sendmail package to provide e-mail services. Sendmail is the definitive mail
handler; in fact it is so popular that it is estimated that over 80% of e-mail passing over
the Internet will be handled at one or both ends by it. It does just about anything and I
couldn't imagine running an Internet server without it (another e-mail server package
called Qmail seems to be quite popular as well but I haven't had a reason yet to give it
a try).
To keep up with new features and bug-fixes, and most importantly, for reasons of
security, it is probably a good idea to upgrade Sendmail from time to time. In
addition, the very latest versions of Sendmail include powerful anti-spam features
which can help prevent your mail server being abused by unauthorized users.
This section will discuss some of the things you should do if you wish to use Sendmail
as an incoming e-mail server. This would be the likely scenario for server systems. If,
instead, you have no need to use it for incoming mail and wish to only use it as an
outgoing mail queue, you should ((need some info here)).
For this section, it is assumed that you are using the very latest version of Sendm
(8.9.3 at the time of this writing), and have it installed and running.
As packaged with the Red Hat distribution, Sendmail usually contains appropriate
configuration information to operate correctly in the majority of server setups.
Nonetheless, you may find it necessary to edit the /etc/sendmail.cf file and
customize some settings as required. This, however, is beyond the scope of this
document.
One thing I find helpful, however, is to make a couple of changes to the configuration
file to thwart spammers. These include:
O PrivacyOptions=authwarnings
change to:
O PrivacyOptions=authwarnings,noexpn,novrfy
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
change to:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx
(The first change prevents spammers from using the EXPN and VRFY commands in
sendmail, which otherwise let anyone enumerate valid local addresses and the
members of aliases. I find that these commands are too often abused by unethical
individuals. The second change modifies the banner which Sendmail displays upon
receiving a connection. You should replace the xx in the C=xx L=xx entries with your
country and location codes. For example, in my case, I would use C=CA L=ON for
Ontario, Canada. The latter change doesn't actually affect anything, but was
recommended by folks in the news.admin.net-abuse.email newsgroup as a legal
precaution.)
If your sendmail.cf is generated from a sendmail.mc file with m4 (as the RBL tip
further down assumes), make these changes there instead (the corresponding m4
settings are confPRIVACY_FLAGS and confSMTP_LOGIN_MSG); edits made directly to
sendmail.cf are lost the next time the file is regenerated.
Next, if your mail server will have a different host name than the actual machine it is
running on, you can add one or more aliases in the /etc/sendmail.cw file (in
Sendmail 8.10 and later this file is /etc/mail/local-host-names). For
example, if you have a system called kirk.mydomain.name which is set up as the mail
exchanger for mydomain.name, but want incoming mail addressed in the format
[email protected] to be delivered to your users on kirk, simply add this alias
as follows:
mydomain.name
Finally, if you need to restrict a domain (or subdomain) from connecting to your
sendmail service, you can edit the /etc/mail/access file and add the domain
information as well as the type of restriction. For example:
some.domain REJECT
hax0r.another.domain 550 Contact site administrator at (555) 555-1234.
The above examples would reject all e-mail connections from the some.domain site
(and from any host beneath it, since sendmail also looks up each parent domain of the
connecting host), as well as reject the specific machine name hax0r.another.domain
with a descriptive message.
After making changes to this file, you will need to update the access.db file, and
then restart sendmail as follows:
/usr/sbin/makemap hash /etc/mail/access.db < /etc/mail/access
/etc/rc.d/init.d/sendmail restart
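To see how sendmail resolves a connecting client against entries like these, here is an added example, not code from this guide or from sendmail: a Python model of the lookup order the access database uses (the full host name, then each parent domain down to the top-level one; for an IP address, the full dotted quad and then each shorter prefix) and of what the values OK, RELAY, REJECT, DISCARD and an explicit 5xx reply mean. The first key that matches wins, which is why an entry for a single host can override one for its domain, and why an OK entry overrides the RBL rejection described in the tip below. The ACCESS_FILE it contains is constructed from the two examples above plus an OK and a RELAY entry; the domain names and the 10.20.30 network are illustrative.

```python
import re

# Constructed /etc/mail/access for the example; not any real site's file.
ACCESS_FILE = """\
some.domain             REJECT
hax0r.another.domain    550 Contact site administrator at (555) 555-1234.
blacklisted.domain      OK
10.20.30                RELAY
"""


def parse_access(text):
    """Key/value pairs as makemap would store them. makemap folds keys to
    lower case unless run with -f, so lookups are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def lookup_keys(client):
    """The keys sendmail tries for a connecting client, most specific
    first: for a host name the full name and then each parent domain; for
    an IPv4 address the full address and then each shorter dotted prefix."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", client):
        octets = client.split(".")
        return [".".join(octets[:n]) for n in range(4, 0, -1)]
    labels = client.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(table, client):
    """Return (matched key, action, smtp reply). action is 'accept' (OK:
    take the mail even if another check such as the RBL would reject it),
    'relay', 'reject', 'discard', or 'continue' when nothing matches and
    sendmail's remaining rulesets get to decide."""
    for key in lookup_keys(client):
        if key not in table:
            continue
        value = table[key]
        if value == "OK":
            return key, "accept", None
        if value == "RELAY":
            return key, "relay", None
        if value == "REJECT":
            # Generic reply used by the stock sendmail configuration files.
            return key, "reject", "550 Access denied"
        if value == "DISCARD":
            return key, "discard", None
        if re.match(r"[45]\d\d ", value):
            return key, "reject", value
        return key, "unknown", value
    return None, "continue", None


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    for client in ("mail.some.domain", "HAX0R.another.domain",
                   "www.another.domain", "mx.blacklisted.domain",
                   "10.20.30.40", "10.20.31.40"):
        print("%-24s -> %s" % (client, decide(table, client)))
```

Two things this makes visible: an entry for a bare top-level name (say, "com") would match every host under it, and since the lookup applies to whatever name the connecting address resolves to, a host whose reverse DNS is missing or lying is matched by its address prefixes only. From Sendmail 8.10 onward, entries may also be prefixed with Connect:, From: or To: to limit which check they apply to; untagged entries like the ones above still behave as modelled here.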
Tip: If you are concerned with e-mail abuse, you can get some very helpful
information from the Mail Abuse Prevention System (MAPS) project on dealing
with such abuse; see the web pages at http://www.mail-abuse.org/
If you're using Sendmail version 8.9 or above, RBL support is already built in, but
not enabled by default. To enable this support, add the following to your
sendmail.mc file:
FEATURE(rbl)
Then, reconfigure and restart the Sendmail daemon. (Sendmail 8.10 and later
replaced this with FEATURE(dnsbl), which takes the name of the blocklist zone to
query as an argument, and the MAPS RBL itself has since become a subscription
service rather than a free one.)
For more detailed information, including configuration instructions for other mail
transport agents, see http://www.mail-abuse.org/rbl/usage.html.
Sometimes, a domain with which you wish to continue communicating may end up
in the RBL list. Perhaps it is vital for you to communicate with certain users
at the black-listed domain. In this case, Sendmail allows you to override these
domains to allow their e-mail to be received. Simply edit the /etc/mail/access
file in the manner described above with the appropriate domain information. For
example:
blacklisted.domain OK
Don't forget to rebuild your access.db file (described above)!
If you do decide to subscribe to the RBL, it is probably a wise idea to inform your
mail users, if applicable, so they can make other service arrangements if they
disagree with your decision.
For more information on Sendmail, see the FAQ document located at
http://www.sendmail.org/faq/.
Chapter 11. Enterprise Computing with
Linux
As Linux has earned a solid reputation for its stability and reliability, it is being used
for more mission critical applications in the corporate and scientic world.
This chapter will discuss issues which are most relevant to those using Linux in the
enterprise, such as tuning your server for better performance under higher loads,
keeping your data safe with RAID technologies, as well as discuss the general
procedures to migrate across servers.
11.1. Performance Tuning
( Under construction. :-p )
11.2. High Availability with RAID
As storage needs increase, it sometimes becomes necessary to put additional drives
with larger capacities online. Yet ironically, the law of probability dictates that as the
number of storage devices increases, so too does the likelihood of a device failure.
Therefore, a system with a single hard drive is only 25% as likely to suffer a hardware
failure as a system with four drives. [ Well, theoretically speaking, anyway :-) ]
Fortunately, such failures can be handled gracefully, and more importantly without
downtime, using a technique called Redundant Array of Inexpensive Disks (RAID)
which uses one of several methods of distributing data over multiple disks. This
redundancy allows for automatic recovery of data should a device fail. Note that RAID
guards against a drive failing, not against data being deleted or corrupted, which the
array will faithfully preserve; it complements backups rather than replacing them.
This section will describe the installation, configuration, and setup of a RAID disk
array using the Mylex AcceleRAID DAC960 controller. I have been very impressed
with not only the performance and reliability of the controller itself, but also with the
technical support I've gotten from Mylex; they are very Linux-friendly! (However,
there are a wide variety of hardware RAID solutions for Linux, and RAID can be
implemented in software by the Linux kernel itself.) The type of RAID implementation
that is most useful is probably RAID level 5.
The first step in getting the RAID controller usable under Linux is to build a custom
kernel with driver support for the hardware. The driver for the Mylex DAC960 can be
downloaded from the Dandelion Digital Linux page at
http://www.dandelion.com/Linux/DAC960-2.0.tar.gz.
The final step in getting your RAID array usable under Linux is to use the fdisk
utility to create valid partitions. This is done in exactly the same manner as you would
use on an IDE or regular SCSI drive. See Section 4.3 for details on how to set up
partition information.
Note: The DAC960 driver supports a maximum of 7 partitions per logical drive. If
you need to define more, you will need to define multiple logical drives in the RAID
configuration utility (press <Alt>-<R> at system boot time to enter the setup
utility).
Once you are able to see your RAID array, you should initialize any swap areas and file
systems you wish to define. The following is an example of initializing a swap area on
the third partition of the second drive, as well as an ext2-formatted file system on the
first partition of the first drive:
/sbin/mkswap -c /dev/rd/c0d1p3
/sbin/swapon /dev/rd/c0d1p3
/sbin/mkfs.ext2 -c /dev/rd/c0d0p1
Note: The -c option in the above mkswap and mkfs.ext2 commands enables
bad-block checking as the appropriate swap/file systems are created. This adds
substantially to the time it takes to complete the process, but it is probably a very
good idea to perform such checks.
For any new swap areas you have defined, you should make an entry in the
/etc/fstab file to ensure the swap area is actually used on subsequent bootups.
As per the above example, the following line should be added:
/dev/rd/c0d1p3 swap swap defaults 0 0
Finally, once your file systems have been initialized, you can create mount points there
and move your large file systems onto the array as you desire. It is probably a good
idea to test the array for a few days before using it in a production environment.
For further information on the Mylex AcceleRAID controller, visit the Mylex web site
at http://www.mylex.com/ as well as the Dandelion Digital DAC960 driver page at
http://www.dandelion.com/Linux/DAC960.html. For further information on RAID in
general (including both software- as well as hardware-based solutions), see the Linux
High Availability web site at http://linas.org/linux/raid.html.
11.3. Server Migration and Scalability Issues
With support for a diverse selection of hardware, as well as proven speed and
reliability, Linux is up to the challenge of scaling up to meet resource demands as they
increase. This can include moving to an SMP (Symmetric Multi Processing)
configuration for greater processing needs, RAID levels 0 through 5 (either in software
or hardware driven modes), etc.
On occasion, you may feel that your Linux server has outgrown the hardware it is
running on, or you may want to perform a major Linux version upgrade, or perhaps move
to a different distribution of Linux. There are, of course, two ways of doing this. Either
you will be leaving your server on existing or upgraded hardware (in which case you need
simply shut down services, back up your data, perform the required modifications, and
then restore data if needed), or in the more radical case, migrate your server to new
hardware.
This section will concentrate more on the latter situation, where you will actually be
migrating your various services from the old server to a new one. There are, of course,
several migration strategies; however, this section will attempt to provide some rough
guidelines which you can follow in order to ensure your migration effort succeeds with
minimal disruption to your users.
Prepare your new server as necessary; install and configure Linux so that your new
hardware devices are supported, and any required daemons and kernel-based features
(such as firewalling) are enabled. See Chapter 4, as well as Section 10.6 for details.
Set up your existing services (such as the Apache web server, Samba or Netatalk file
& print services, etc.) and make use of them with test data for at least several days to
ensure everything is working as desired. See Section 7.4, as well as Section 7.5 for
details. Don't forget to ensure that any changes or custom scripts you have made in
the /etc/ directory, including anything in /etc/rc.d/, have also been done on
the new server as required. It is especially important that you remember to move
over your user account information in /etc/passwd, /etc/group, and, if
you are using shadow passwords, /etc/shadow!
Shut down services on your old server, so that your file systems will see a minimal
amount of file update activity. Obviously you don't want users uploading web pages
and receiving e-mail on the old server while you are restoring the data onto the new
one! As root, you can shut down most services with the following command:
killall httpd atalkd smbd nmbd squid sendmail ftpd
The above command will shut down the web server, file & print services, e-mail
server, and FTP service. (You may be running fewer or more services than the ones I
have listed above. Check your process list and terminate any other service you feel
appropriate; see Section 9.2 for details.)
You might also want to edit the /etc/inetd.conf file on your old server, and with
the # character, comment out any services (such as FTP, IMAP, and POP3
services) which might result in file system updates. Then, again as root, type:
killall -HUP inetd
The above command will make inetd (the daemon that launches the TCP-wrapped
Internet services) reload its configuration, so that the services you have disabled in
the /etc/inetd.conf file will no longer be started for future connections.
Now you should be able to move over the data from one system to another. Likely,
you will have prepared your new server to have everything it needs to function,
including any additional software that you wish to install that did not come with your
Red Hat distribution. Therefore, you will likely need to back up any data stored in
/home, /var/spool, as well as optional file systems, such as /archive, if
applicable. Here is an example command that uses the tar utility to make a
compressed backup file of data:
cd /
tar zcvpf /tmp/backup_data.tar.gz --exclude=var/spool/squid \
home archive var/spool
The above command will write a backup of your /archive, /home, and
/var/spool file systems (or subdirectories, depending on how you have set up
your system), to a file called /tmp/backup_data.tar.gz in compressed tar format,
leaving out the squid proxy cache, which need not be carried over.
Make sure you have enough space to create the backup, or write it elsewhere!
Tip: You can use the du utility to help determine required space. For example,
to determine the requirements of the /archive/ and /home/ directory trees,
type:
du -h -s /archive /home
Bear in mind that the above command will report the actual size of your data,
but if you are using tar's z option (as above) to compress the image file, your
usage requirements will likely be significantly less. Consider the output from
the du command a worst-case estimate of the space required.
Now, you can restore the backup data from the tar file onto the new server. You can
restore it directly over NFS (see Section 7.6 for details on how to configure NFS), or
simply use FTP to transfer it over and untar it locally. Here is an example that will
restore the files that were backed up as above:
cd /
tar zxvpf /tmp/backup_data.tar.gz
Next, if necessary, swap your IP addresses so that your new server is seen on the old
address.
Finally, you may wish to shut down and restart your server to ensure there are no
unexpected error messages that appear. See Section 6.7 for details.
Once you are done, make sure everything is working as expected! If not, you can
always re-enable any services you disabled on the old server and restart them so that
users can continue using it until you resolve the problems on the new one (bear in mind,
however, that you'll need to repeat the above steps again if you choose to do that).
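The following shell script is an added example and not part of the guide: it rehearses the migration sequence just described (comment out inetd services, back up with tar and --exclude, restore on the new host, check the result) against constructed data in a scratch directory created with mktemp, so the commands can be tested before they are run as root against a real server. The directory layout mirrors the guide's /home, /archive and /var/spool trees, but the file names and inetd.conf lines are made up, and the functions disable_inetd_services, make_backup, restore_backup, verify_restore and rehearse_migration are this example's own helpers, not commands the guide provides. It goes one step beyond the text by comparing the restored trees with the originals before declaring the restore good.

```shell
#!/bin/sh
# Added example, not from the LAME guide: a dry run of the migration steps on
# constructed data in a scratch directory. Paths, file names and inetd.conf
# contents are made up for the rehearsal; nothing here touches / or /etc.

# Comment out the named services in an inetd.conf, as the guide suggests doing
# by hand: a '#' is prefixed to lines whose first field is one of the names.
disable_inetd_services() {
    conf="$1"; shift
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# Build the compressed, permission-preserving backup the guide describes,
# leaving out the squid cache, then list it back: an archive that cannot be
# read is not a backup, so fail here rather than on the new server.
make_backup() {
    root="$1"; archive="$2"
    (cd "$root" && tar --exclude=var/spool/squid -zcpf "$archive" home archive var/spool)
    tar -tzf "$archive" > /dev/null
}

# Unpack the archive at the root of the new server's tree.
restore_backup() {
    root="$1"; archive="$2"
    (cd "$root" && tar -zxpf "$archive")
}

# Compare the restored trees with the originals. The squid cache is expected
# to be absent on the new side; everything else must be identical. Returns 0
# when the restore is complete, 1 otherwise.
verify_restore() {
    old="$1"; new="$2"
    for tree in home archive var/spool; do
        diff -r -x squid "$old/$tree" "$new/$tree" > /dev/null || return 1
    done
    return 0
}

# Create the constructed old-server tree, run the whole sequence against a
# fresh new-server directory, and print the scratch directory for inspection.
rehearse_migration() {
    work=$(mktemp -d)
    old="$work/old"; new="$work/new"
    mkdir -p "$old/home/alice" "$old/archive" "$old/var/spool/mail" "$old/var/spool/squid" "$new"
    echo "alice's web page" > "$old/home/alice/index.html"
    echo "quarterly report" > "$old/archive/report.txt"
    echo "mail for alice" > "$old/var/spool/mail/alice"
    chmod 600 "$old/var/spool/mail/alice"
    echo "cached object, not worth carrying over" > "$old/var/spool/squid/00000001"
    # Constructed inetd.conf with three wrapped services (tab separated).
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd -l -a\n' > "$old/inetd.conf"
    printf 'pop-3\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tipop3d\n' >> "$old/inetd.conf"
    printf 'finger\tstream\ttcp\tnowait\tnobody\t/usr/sbin/tcpd\tin.fingerd\n' >> "$old/inetd.conf"

    disable_inetd_services "$old/inetd.conf" ftp pop-3
    make_backup "$old" "$work/backup_data.tar.gz"
    restore_backup "$new" "$work/backup_data.tar.gz"
    verify_restore "$old" "$new" || { echo "restore does not match the original" >&2; return 1; }
    echo "$work"
}

work=$(rehearse_migration)
echo "rehearsal succeeded; scratch tree left in $work"
```

On a real migration the same functions are pointed at / and /tmp/backup_data.tar.gz as root; verify_restore is the step worth keeping, run before the old server's services are shut down for good.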
Chapter 12. Strategies for Keeping a Secure Server
Linux can certainly be considered to be as secure as, or more secure than, operating
systems from other vendors. Admittedly, with Linux becoming more and more popular,
it is becoming a very attractive target for crackers to concentrate their break-in efforts
on. Exploits are discovered from time to time; however, the open nature
of Linux usually means that such exploits are patched quickly, and security
announcements are disseminated widely, containing either temporary workarounds or
pointers to updated software.
I won't pretend to be an expert on security issues, however I am at least aware of these
issues, which I believe to be a large part of the battle towards making one's systems as
secure as possible. Although being aware and diligent in keeping up with security
updates will in no way guarantee that a system's security measures won't be
circumvented, the likelihood of a break-in is greatly reduced.
Although there have been security exploits found in external services which could have
been used by crackers to break into a system (for example, the IMAP daemon exploit),
I believe that it is far more likely that a determined cracker will penetrate the system
from within. Compared to the handful of services communicating with the outside
world, there are thousands of commands and utilities available from the shell, one or
more of which may contain bugs which can be exploited to penetrate security (that
being said, I must admit to recently discovering that one of the servers I maintain had been
compromised through an external service).
For this reason, I recommend avoiding giving out shell accounts to users unless they
are absolutely necessary. Even if you consider your users completely trustworthy and
have no qualms in providing them with access to the shell, all it takes is just one of
these users to have a weak password. An outside cracker, finding his or her way into your
system by exploiting this weak password, will then be able to work at his or her leisure
internally, looking for further weaknesses.
There are, fortunately, things you can do to greatly increase the security of your Linux
system. While a detailed discussion of security issues is beyond the scope of this
document, the following checklist provides some of the most important things you
should do to enhance security:
Upgrade system tools, applications, and kernel: By far the most common cause of
system break-ins is not exercising diligence in keeping an up-to-date server.
Performing regular upgrades of the system kernel, tools and utilities will ensure that
your system is not filled with older items for which known exploits are available. For
details on keeping an up-to-date server, see Section 4.9, as well as Section 10.3.
Shadow passwords: You should definitely be using shadow passwords; switching to
this password format is easy! For details, see Section 6.6.
Smart password management: Make sure passwords, especially for users you are
providing with shell access, are strong and changed often. Also, if you use multiple
servers, resist the temptation to use the same password for all of them (otherwise, if a
cracker breaks into one server using a discovered password, he or she can break into
them all).
Use secure shell (ssh): Switch to using ssh instead of telnet. Telnet is insecure
for two reasons: One, sessions are unencrypted, which means everything, including
usernames and passwords, is transmitted as clear text. Second, an open telnet port is
one of the first places a cracker will try to connect to.
Ssh provides encrypted and compressed connections and provides substantially more
security than telnet connections. You can run an ssh server (which allows incoming
secure connections) as well as a client (for outgoing secure connections) under
Linux. You can find binary RPM packages at
ftp://ftp.replay.com/pub/replay/redhat/i386/. You will need the following files (newer
versions may be available by the time you read this):
ssh-1.2.27-5i.i386.rpm: The base package.
ssh-clients-1.2.27-5i.i386.rpm: Clients for outgoing connections.
ssh-extras-1.2.27-5i.i386.rpm: Some handy perl-based scripts.
ssh-server-1.2.27-5i.i386.rpm: Server for incoming connections.
Note: The SSH RPM files listed above are the international versions. If you
reside in the U.S. or Canada, you can choose to download the U.S. packages
(which may have stronger encryption algorithms); these packages have a "us"
instead of an "i" suffix after their version numbers. Under U.S. law, it is illegal to
export strong crypto products outside of the U.S. or Canada. Hopefully one day
the morons in the U.S. Department of Justice will finally see the light, and
remove this silly restriction (Red Hat doesn't include SSH with their distribution
for this very reason, and we all suffer).
Should your Windows users be up-in-arms about no longer being able to connect to
your system, they will be happy to know that several free ssh clients for Windows are
available:
TeraTerm Pro client software
http://hp.vector.co.jp/authors/VA002416/teraterm.html
TTSSH client software
http://www.zip.com.au/~roca/download.html
Cryptlib client software
http://www.doc.ic.ac.uk/~ci2/ssh
Putty client software
http://www.chiark.greenend.org.uk/~sgtatham/putty.html
Note: If you do decide to switch to using ssh, make sure you install and use it
on all your servers. Having five secure servers and one insecure one is a waste
of time, especially if you are foolish enough to use the same password for more
than one server.
Restrict access to external services: Next, you should edit the
/etc/hosts.allow as well as the /etc/hosts.deny file to restrict access to
services from external hosts. Here is an example of how to restrict telnet and ftp access.
First, the /etc/hosts.allow file:
# hosts.allow
in.telnetd: 123.12.41., 126.27.18., .mydomain.name, .another.name
in.ftpd: 123.12.41., 126.27.18., .mydomain.name, .another.name
The above would allow any hosts in the IP class Cs 123.12.41.* and 126.27.18.*, as
well as any host within the mydomain.name and another.name domains to make
telnet and ftp connections.
Next, the /etc/hosts.deny file:
# hosts.deny
in.telnetd: ALL
in.ftpd: ALL
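The script below is an added example, not from the guide or from the tcp_wrappers package: it emulates the order in which tcpd consults hosts.allow and then hosts.deny and runs that logic against the two files shown above, so the effect of a rule set on a given daemon and client can be checked before it goes live. It understands only the three pattern forms the guide's example uses ("ALL", a network prefix ending in a dot, a domain suffix beginning with a dot); real tcpd understands more (netmasks, EXCEPT lists, shell commands), and tcpdmatch, which ships with tcp_wrappers, is the authoritative checker on a real host. The rule files are written to a scratch directory, the client addresses and host names are made up, and the functions pattern_matches, file_matches, wrapper_decision and write_sample_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the LAME guide: an emulation of tcpd's access
# decision for the hosts.allow / hosts.deny pair shown in the text.
# Constructed sample files and client names; nothing here reads /etc.

# Does one client pattern from an access file match this client?
pattern_matches() {
    pat="$1"; client="$2"
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;   # 123.12.41. matches 123.12.41.7
        .*)  case "$client" in *"$pat") return 0 ;; esac ;;   # .mydomain.name matches host.mydomain.name
        *)   [ "$pat" = "$client" ] && return 0 ;;            # exact host name or address
    esac
    return 1
}

# Does any "daemons: clients" line in the file cover this daemon and client?
# Blank lines and '#' comments are skipped; lists may be comma or space separated.
file_matches() {
    file="$1"; daemon="$2"; client="$3"
    [ -f "$file" ] || return 1
    while IFS=: read -r daemons clients; do
        case "$daemons" in ''|\#*) continue ;; esac
        dmatch=1
        for d in $(echo "$daemons" | tr ',' ' '); do
            [ "$d" = "$daemon" ] || [ "$d" = ALL ] && dmatch=0
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            pattern_matches "$c" "$client" && return 0
        done
    done < "$file"
    return 1
}

# tcpd's decision order: a hosts.allow match grants, otherwise a hosts.deny
# match refuses, otherwise the connection is allowed.
wrapper_decision() {
    dir="$1"; daemon="$2"; client="$3"
    if file_matches "$dir/hosts.allow" "$daemon" "$client"; then
        echo allow
    elif file_matches "$dir/hosts.deny" "$daemon" "$client"; then
        echo deny
    else
        echo allow
    fi
}

# Write the guide's two example files into a scratch directory and print its path.
write_sample_rules() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
# hosts.allow
in.telnetd: 123.12.41., 126.27.18., .mydomain.name, .another.name
in.ftpd: 123.12.41., 126.27.18., .mydomain.name, .another.name
EOF
    cat > "$dir/hosts.deny" <<'EOF'
# hosts.deny
in.telnetd: ALL
in.ftpd: ALL
EOF
    echo "$dir"
}

rules=$(write_sample_rules)
for pair in "in.telnetd 123.12.41.7" "in.telnetd 10.9.8.7" \
            "in.ftpd host.mydomain.name" "in.fingerd 10.9.8.7"; do
    set -- $pair
    echo "$1 from $2: $(wrapper_decision "$rules" "$1" "$2")"
done
rm -rf "$rules"
```

The last case in the loop is the one to notice: in.fingerd is not mentioned in either file, so tcpd lets it through. With the two files exactly as shown, only telnet and ftp are restricted; an ALL: ALL line in hosts.deny would make every wrapped service default to closed, with hosts.allow then listing the exceptions.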
Turn off and uninstall unneeded services: Edit your /etc/inetd.conf file, and
disable (i.e. comment out using a # character) any services that are not needed (if
you're using ssh as recommended above, you might wish to disable the telnet
service). After you have done so, as root type /etc/rc.d/init.d/inet
restart to restart the inetd daemon with the changes.
Install a security detection system: Consider installing security programs such as
Tripwire (see http://www.tripwiresecurity.com/) which can detect intrusions, and
Abacus Sentry (see http://www.psionic.com/abacus/) which can help prevent them.
Due diligence: Keeping your eye on your system, performing random security audits
(which can be as simple as checking for suspicious entries in the password files,
examining your process list, and checking your log files for suspicious entries) can
go a long way towards keeping a secure system. In addition, report any break-in
attempts to the appropriate authorities; it may be a hassle to do this, particularly if
your system sees several of these attacks in a given week, but such reports ensure
that would-be crackers are deterred by threat of punishment, as well as ensuring that
other systems (which may themselves have been compromised) are kept secure.
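As an added example (not from the guide) of the "suspicious entries in the password files" check mentioned in the item above, the script below reports three things an auditor looks for first: accounts other than root whose UID is 0, accounts whose shadow password field is empty (no password required to log in), and accounts whose passwd entry still carries a hash instead of the "x" marker, meaning shadow passwords are not protecting them. The passwd and shadow contents are constructed sample data written to a scratch directory, and the function names extra_uid0_accounts, empty_password_accounts, unshadowed_accounts, audit_password_files and write_sample_password_files are this example's own.

```shell
#!/bin/sh
# Added example, not from the LAME guide: a password-file audit run over
# constructed sample passwd and shadow files in a scratch directory.
# On a real system the same functions would be pointed at /etc/passwd and
# /etc/shadow (the latter readable only by root).

# Accounts other than root whose UID (field 3) is 0: each one is root by another name.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field (field 2) is empty: no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose passwd password field is neither "x" (shadowed) nor "*"
# (locked): the hash sits in the world-readable file, so shadow passwords
# are not in use for them.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Print one line per finding; return 1 if anything was found, 0 otherwise.
audit_password_files() {
    dir="$1"; findings=0
    for u in $(extra_uid0_accounts "$dir/passwd"); do
        echo "UID 0 account besides root: $u"; findings=1
    done
    for u in $(empty_password_accounts "$dir/shadow"); do
        echo "empty password: $u"; findings=1
    done
    for u in $(unshadowed_accounts "$dir/passwd"); do
        echo "not shadowed: $u"; findings=1
    done
    return $findings
}

# Constructed files: "toor" is a second UID-0 account, "alice" has an empty
# shadow field, "legacy" still carries a (made-up) hash in passwd.
write_sample_password_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
toor:x:0:0::/:/bin/sh
legacy:$1$XXXXXXXX$constructedhashvalue:501:501::/home/legacy:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$XXXXXXXX$constructedhashvalue:10950:0:99999:7:::
bin:*:10950:0:99999:7:::
alice::10950:0:99999:7:::
toor:$1$XXXXXXXX$constructedhashvalue:10950:0:99999:7:::
EOF
    echo "$dir"
}

sample=$(write_sample_password_files)
audit_password_files "$sample" || echo "password file audit: problems found"
rm -rf "$sample"
```

The three checks are deliberately simple awk field tests so they can be run from a rescue shell with nothing but the base system installed; a non-zero exit from audit_password_files is what a nightly cron job would turn into an alert.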
Assuming you install and upgrade system tools and applications using the RPM
utility, you may wish to verify the integrity of your installed packages by auditing
them with the following command:
rpm --verify -a > /tmp/rpm-audit.txt
The above command will check your system's RPM database against all relevant files,
and indicate any files whose contents have been modified by displaying a 5 (a changed
MD5 digest) in the third column. Here is some example output of such an audit:
S.5....T /bin/ls
S.5....T /usr/bin/du
......G. /dev/tty5
.....U.. /dev/vcs5
.....U.. /dev/vcsa5
S.5....T c /etc/lynx.cfg
S.5....T c /etc/sendmail.cf
In the sample output above, you can see a list of seven files, four of which have been
modified. Now, obviously there are going to be several, perhaps many, files which
have been modified if you have customized your system at all. A brief check of the
/etc/lynx.cfg and /etc/sendmail.cf files, perhaps visually or perhaps from
backup, might reveal legitimate configuration changes that you have made to your
system.
However, notice that in the sample above, two of the modified files are binary executable
files. It is likely that these two binaries, the ls command as well as the du
command, are actually trojan binaries which a system cracker has installed to
perform some nefarious purpose (a diff command performed on any modified
binaries against those restored from backup or RPM might reveal significant size or
other differences; further evidence of trojans).
(For more information on RPM, see Section 10.1.)
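The script below is an added example, not from the guide or from RPM itself, that sorts "rpm --verify" output into what deserves attention first. Each output line begins with the attribute columns (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime; a dot means unchanged), then an optional "c" marking a configuration file, then the path. A changed digest on a configuration file is usually the administrator's own edit; a changed digest on anything else, above all an executable, is the case the guide warns may be a trojan. The sample input is the seven lines quoted above, written to a scratch file; the functions changed_digest_binaries, changed_digest_configs, ownership_only_changes, audit_rpm_database and write_sample_report are this example's own.

```shell
#!/bin/sh
# Added example, not from the LAME guide: triage of "rpm --verify -a" output.
# The sample report is the guide's seven lines, reproduced here as constructed
# input; audit_rpm_database runs the real command only when rpm is installed.

# Paths of non-configuration files whose digest column (3rd) shows "5".
# These are the entries to investigate first.
changed_digest_binaries() {
    awk 'substr($1, 3, 1) == "5" && $2 != "c" { print $2 }' "$1"
}

# Paths of configuration files ("c" flag) whose digest has changed:
# usually deliberate edits, to be confirmed against a backup.
changed_digest_configs() {
    awk 'substr($1, 3, 1) == "5" && $2 == "c" { print $3 }' "$1"
}

# Paths whose owner (U) or group (G) differs but whose digest does not:
# worth a look, but contents are intact.
ownership_only_changes() {
    awk '{ f = $1; p = ($2 == "c") ? $3 : $2
           if ((substr(f, 6, 1) == "U" || substr(f, 7, 1) == "G") && substr(f, 3, 1) != "5") print p }' "$1"
}

# Run the real audit when rpm is present, saving the full report as the guide
# does, and print the entries that need looking at first.
audit_rpm_database() {
    out="$1"
    command -v rpm > /dev/null || { echo "rpm not installed" >&2; return 1; }
    rpm --verify -a > "$out" 2>&1 || true   # rpm exits non-zero whenever anything differs
    echo "digest changed on these non-configuration files (investigate first):"
    changed_digest_binaries "$out"
}

# Write the guide's sample report to a scratch file and print its path.
write_sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
S.5....T /bin/ls
S.5....T /usr/bin/du
......G. /dev/tty5
.....U.. /dev/vcs5
.....U.. /dev/vcsa5
S.5....T c /etc/lynx.cfg
S.5....T c /etc/sendmail.cf
EOF
    echo "$f"
}

report=$(write_sample_report)
echo "digest changed, not configuration: $(changed_digest_binaries "$report" | tr '\n' ' ')"
echo "digest changed, configuration:     $(changed_digest_configs "$report" | tr '\n' ' ')"
echo "owner or group only:               $(ownership_only_changes "$report" | tr '\n' ' ')"
rm -f "$report"
```

The column test uses substr on the attribute field rather than a fixed line width, so it also copes with newer rpm releases that print a ninth attribute column. Remember that the RPM database itself lives on the possibly compromised machine; a verify result is only as trustworthy as the database and the rpm binary that produced it, which is why the guide also suggests comparing against a backup.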
For more information on security-related issues, an excellent resource entitled
"Securing RedHat 5.x" is available at http://redhat-security.ens.utulsa.edu/.
An excellent resource for Linux crypto and related software is at
http://replay.com/redhat/.
Chapter 13. Help! Trouble in Paradise!
Linux is earning a reputation world-wide for its performance and reliability.
Nevertheless, no system is perfect, and from time to time you are bound to hit a snag.
Fortunately, with uptimes measuring in the months (compared to those measuring in
the days or weeks as with NT), such snags will likely be few and far between.
13.1. Getting Linux Installed on New, Unsupported Hardware
( Under construction :-p )
13.2. File System Corruption after Power Outage or System Crash
Although Linux is a stable operating system, should it happen to crash unexpectedly
(perhaps due to a kernel bug, or perhaps due to a power outage), your file system(s) will
not have been unmounted and therefore will be automatically checked for errors when
Linux is restarted.
Most of the time, any file system problems are minor ones caused by file buffers not
being written to the disk, such as deleted inodes still marked in use. In the majority of
cases, the file system check will be able to detect and repair such anomalies
automatically, and upon completion the Linux boot process will continue normally.
Should a file system problem be more severe (such problems tend to be caused by
faulty hardware such as a bad hard drive or memory chip; something to keep in mind
should file system corruption happen frequently), the file system check may not be able
to repair the problem automatically. This is usually, but not always, the case when the
root file system itself is corrupted. In this case, the Red Hat boot process will display
an error message and drop you into a shell, allowing you to attempt file system repairs
manually.
As the recovery shell unmounts all file systems, and then mounts the root file system
read-only, you will be able to perform full file system checks using the appropriate
utilities. Likely you will be able to run e2fsck on the corrupted file system(s), which
should hopefully resolve all the problems found.
After you have (hopefully) repaired any file system problems, simply exit the shell to
have Linux reboot the system and attempt a subsequent restart.
Naturally, to be prepared for situations such as a non-recoverable file system problem,
you should have one or more of the following things available to you:
The boot/root emergency disk set, AND/OR
The LILO emergency boot disk, AND
A recent backup copy of your important files just in case!
13.3. Where to Turn for Help
As Linux is developed by members of the Internet community, the best place to get
help is probably by posting a message to any of the following newsgroups:
Miscellaneous postings not covered by other groups
comp.os.linux.misc
Networking-related issues under Linux
comp.os.linux.networking
Security-related issues under Linux
comp.os.linux.security
Linux installation & system administration
comp.os.linux.setup
Everybody is entitled to their opinion :-p
alt.linux.sux
For non Linux-specific topics, there are a variety of groups in the comp.* hierarchy that
may suit your needs. Here are just a few of them:
Cisco router/access-server line of products
comp.dcom.sys.cisco
Miscellaneous web server questions
comp.infosystems.www.servers.misc
General unix (not Linux-specic) questions
comp.os.unix
The SMB protocol (WfW/95/NT-style file/print services)
comp.protocols.smb
There are also several resources on the Web that may be useful. Do a web search for
Linux, or visit any of the following:
Linux Resources
http://www.linuxresources.com/
The Linux Documentation Project
http://metalab.unc.edu/LDP/
The RPM repository
http://rufus.w3.org/linux/RPM/
The Linux Software Map
http://www.boutell.com/lsm
Linux Applications & Utilities Guide
http://www.xnet.com/~blatura/linapps.shtml
LinuxHardware.net: Hardware Driver Support
http://www.linuxhardware.net/
Linux User Support Team
http://www.ch4549.org/lust
The Linux v2 Information Headquarters
http://www.linuxhq.com/
The Samba Home Page (WfW/95/NT-style file/print services)
http://samba.anu.edu.au/samba/
The Apache Web Server
http://www.apache.org/
The Squid HTTP Proxy Caching Daemon
http://squid.nlanr.net/Squid/
There are a myriad of mailing lists that may prove helpful in providing answers to your
questions as well. These can usually be found through a simple web search (for
example, searching for "linux raid mailing list" might help you find mailing lists
devoted to RAID issues under Linux). Here are some I recommend; to subscribe to any
of these lists, simply send an e-mail message to the subscription address listed with the
word "subscribe" in the body of your message:
Red Hat Mailing Lists
Description of available Red Hat lists: http://www.redhat.com/
GNOME Mailing Lists
Description of available GNOME lists:
http://www.gnome.org/mailing-lists/index.shtml
KDE Mailing Lists
Description of available KDE lists: http://www.kde.org/contact.html
Linux SCSI Mailing List
Subscription address: [email protected]
Linux RAID Mailing List
Subscription address: [email protected]
Finally, you may be interested in checking out the following two sites, both of which
are my personal daily must-read favorites. SlashDot covers the latest technology
news in general with a definite Linux slant, while FreshMeat provides an up-to-date
listing of Open Source application announcements.
SlashDot: News For Nerds
http://slashdot.org/
FreshMeat: Open Source Applications Announcements
http://freshmeat.net/
13.4. Pointers to Additional Documentation
There is an incredible amount of documentation available for Linux and its
applications. Most of this can be found on the web and in your local bookstore, but you
will probably find that a large quantity of useful documentation is already available to
you, having been loaded as part of the Red Hat Linux installation procedure.
The man pages are a must-view when you are trying to figure out how a command
works. For example, if you are trying to figure out how to use the tar utility, you
could type man tar and be provided with a very verbose description of tar including
all of its command-line options.
You can find more general information in the /usr/doc/ directory. Here you will
find subdirectories which include documentation on utilities and commands,
Frequently Asked Questions (FAQ) documents, as well as HOWTO documents
providing good instruction on a variety of topics, such as how to set up networking, or
install support for the Japanese language.
You should also look in the /usr/info/ directory which contains tutorials on
utilities, libraries, and applications such as emacs.
Finally, you should visit the Red Hat Users' Frequently Asked Questions (FAQ)
document at http://www.pobox.com/~aturner/RedHat-FAQ/ which contains a lot of
helpful information specific to the Red Hat distribution of Linux.