Linux701 800

This document discusses different types of firewalls and how they work. It describes packet-filtering firewalls, which limit network traffic based on packet header information. It also covers service proxy firewalls, which intercept connections and establish new connections on the opposite side of the firewall, and stateful inspection firewalls, which attempt to monitor network activity and compare it to expected behavior, though this is difficult to implement fully in reality. The document cautions that firewalls should not be relied upon as the sole security measure and notes they can provide a false sense of security if other safeguards are relaxed.

20.12 Firewalls 701
Both the client and the server stunnels can be started with no command-line arguments. If you check with netstat -an, you should see the server stunnel waiting for connections on port 992 while the client stunnel waits on port 23.
To access the tunnel, a user simply telnets to the local host:

    client$ telnet localhost 23
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    Red Hat Enterprise Linux WS release 4 (Nahant Update 2)
    Kernel 2.6.9-5.EL on an i686
    login:
The user can now safely log in without fear of password thievery. A vigilant administrator would be careful to use TCP wrappers to restrict connections on the client to only the local interface; the intent is not to allow the world to telnet securely to the server! stunnel is one of several programs that have built-in wrapper support and do not require the use of tcpd to restrict access. Surf to www.stunnel.org for instructions.
20.12 FIREWALLS

In addition to protecting individual machines, you can also implement security precautions at the network level. The basic tool of network security is the "firewall." The three main categories of firewalls are packet-filtering, service proxy, and stateful inspection.
Packet-filtering firewalls

A packet-filtering firewall limits the types of traffic that can pass through your Internet gateway (or through an internal gateway that separates domains within your organization) on the basis of information in the packet header. It's much like driving your car through a customs checkpoint at an international border crossing. You specify which destination addresses, port numbers, and protocol types are acceptable, and the gateway simply discards (and in some cases, logs) packets that don't meet the profile.

Packet filtering is supported by dedicated routers such as those made by Cisco. It may also be available in software, depending on the machine you're using as a gateway and its configuration. In general, packet-filtering firewalls offer a significant increase in security with little cost in performance or complexity.
Linux includes packet filtering software (see the details beginning on page 704 for more information). It's also possible to buy commercial software to perform this function. These packages all have entertainment value, and they can provide a reasonably secure firewall for a home or small office. However, you should refer to the comments at the beginning of this chapter before you consider a Linux system as a production-grade corporate firewall.[10] This is one case in which you should really spend the money for a dedicated network appliance, such as Cisco's PIX firewall.
How services are filtered

Most well-known services are associated with a network port in the /etc/services file or its vendor-specific equivalent. The daemons that provide these services bind to the appropriate ports and wait for connections from remote sites.[11] Most of the well-known service ports are "privileged," meaning that their port numbers are in the range 1 to 1,023. These ports can only be used by a process running as root. Port numbers 1,024 and higher are referred to as nonprivileged ports.
Service-specific filtering is based on the assumption that the client (the machine that initiates a TCP or UDP conversation) uses a nonprivileged port to contact a privileged port on the server. For example, if you wanted to allow only inbound SMTP connections to a machine with the address 192.108.21.200, you would install a filter that allowed TCP packets destined for that address at port 25 and that permitted outbound TCP packets from that address to anywhere.[12] The exact way in which such a filter would be installed depends on the kind of router you are using.

(Margin note: See page 734 for more information about setting up an ... server.)
Some services, such as FTP, add a twist to the puzzle. The FTP protocol actually uses two TCP connections when transferring a file: one for commands and the other for data. The client initiates the command connection, and the server initiates the data connection. Ergo, if you want to use FTP to retrieve files from the Internet, you must permit inbound access to all nonprivileged TCP ports since you have no idea what port might be used to form an incoming data connection.

This tweak largely defeats the purpose of packet filtering because some notoriously insecure services (for example, X11 at port 6000) naturally bind to nonprivileged ports. This configuration also creates an opportunity for curious users within your organization to start their own services (such as a telnet server at a nonstandard and nonprivileged port) that they or their friends can access from the Internet.

One common solution to the FTP problem is to use the SSH file transfer protocol. The protocol is currently an Internet draft but is widely used and mature. It is commonly used as a subcomponent of SSH, which provides its authentication and encryption. Unlike FTP, SFTP uses only a single port for both commands and data, handily solving the packet-filtering paradox. A number of SFTP implementations exist. We've had great luck with the command-line SFTP client supplied by OpenSSH.
If you must use FTP, a reasonable approach is to allow FTP to the outside world only from a single, isolated host. Users can log in to the FTP machine when they need to perform network operations that are forbidden from the inner net. Since replicating all user accounts on the FTP "server" would defeat the goal of administrative separation, you may want to create FTP accounts by request only. Naturally, the FTP host should run a full complement of security-checking tools.

10. We assume you already know not to consider something like Windows as a firewall platform. Does the name "Windows" evoke images of security? Silly rabbit, Windows is for desktops.
11. In many cases, xinetd does the actual waiting on their behalf. See page 887 for more information.
12. Port 25 is the SMTP port as defined in /etc/services.
The most secure way to use a packet filter is to start with a configuration that allows nothing but inbound SMTP or SSH. You can then liberalize the filter bit by bit as you discover useful things that don't work.

Some security-conscious sites use two-stage filtering. In this scheme, one filter is a gateway to the Internet, and a second filter lies between the outer gateway and the rest of the local network. The idea is to leave the outer gateway relatively open and to make the inner gateway very conservative. If the machines in the middle are administratively separate from the rest of the network, they can provide a variety of services on the Internet with reduced risk. The partially secured network is usually called the "demilitarized zone" or "DMZ."
Service proxy firewalls

Service proxies intercept connections to and from the outside world and establish new connections on the opposite side of the firewall, acting as a sort of shuttle or chaperone between the two worlds. It's much like driving to the border of your country, walking across the border, and renting a sanitized, freshly washed car on the other side of the border to continue your journey.

Because of their design, service proxy firewalls are much less flexible (and much slower) than pure packet filters. Your proxy must have a module that decodes and conveys each protocol you want to let through the firewall. In the early 1990s this was relatively easy because only a few protocols were in common use. Today, Internauts might use several dozen protocols in an hour of web surfing. As a result, service proxies are relatively unpopular in organizations that use the Internet as a primary medium of communication.
Stateful inspection firewalls

The theory behind stateful inspection firewalls is that if you could carefully listen to and understand all the conversations (in all the languages) that were taking place in a crowded airport, you could make sure that someone wasn't planning to bomb a plane later that day. Stateful inspection firewalls are designed to inspect the traffic that flows through them and compare the actual network activity to what "should" be happening. For example, if the packets exchanged in an FTP command sequence name a port to be used later for a data connection, the firewall should expect a data connection to occur only on that port. Attempts by the remote site to connect to other ports are presumably bogus and should be dropped.

Unfortunately, reality usually kills the cat here. It's no more realistic to keep track of the "state" of the network connections of thousands of hosts using hundreds of protocols than it is to listen to every conversation in every language in a crowded airport. Someday, as processor and memory capacity increase, it may eventually be feasible.

So what are vendors really selling when they claim to provide stateful inspection? Their products either monitor a very limited number of connections or protocols or they search for a particular set of "bad" situations. Not that there's anything wrong with that; clearly, some benefit is derived from any technology that can detect traffic anomalies. In this particular case, however, it's important to remember that the claims are mostly marketing hype.
Firewalls: how safe are they?

A firewall should not be your primary means of defense against intruders. It's only appropriate as a supplemental security measure. The use of firewalls often provides a false sense of security. If it lulls you into relaxing other safeguards, it will have had a negative effect on the security of your site.

Every host within your organization should be individually secured and regularly monitored with tools such as xinetd, Nmap, Nessus, and samhain. Likewise, your entire user community needs to be educated about basic security hygiene. Otherwise, you are simply building a structure that has a hard crunchy outside and a soft chewy center.

Ideally, local users should be able to connect to any Internet service they want, but machines on the Internet should only be able to connect to a limited set of local services. For example, you may want to allow FTP access to a local archive server and allow SMTP (email) connections to your mail server.

For maximizing the value of your Internet connection, we recommend that you emphasize convenience and accessibility when deciding how to set up your network. At the end of the day, it's the system administrator's vigilance that makes a network secure, not a fancy piece of firewall hardware.
20.13 LINUX FIREWALL FEATURES: IP TABLES

We haven't traditionally recommended the use of Linux (or UNIX, or Windows) systems as firewalls because of the insecurity of running a full-fledged, general-purpose operating system. Embedded devices designed specifically for routing and packet filtering (such as a Cisco PIX box) make the best firewalls,[13] but a hardened Linux system is a great substitute for organizations that don't have the budget for a high-dollar firewall appliance.

If you are set on using a Linux machine as a firewall, please at least make sure that it's up to date with respect to security configuration and patches. A firewall machine is an excellent place to put into practice all of this chapter's recommendations. (The section that starts on page 701 discusses packet-filtering firewalls in general. If you are not familiar with the basic concept of a firewall, it would probably be wise to read that section before continuing.)

13. That said, many consumer-oriented networking devices, such as Linksys's router products, use Linux and iptables at their core.
Version 2.4 of the Linux kernel introduced an all-new packet handling engine called Netfilter. The tool used to control Netfilter, iptables, is the big brother of the older ipchains command used with Linux 2.2 kernels. iptables applies ordered "chains" of rules to network packets. Sets of chains make up "tables" and are used for handling specific kinds of traffic.

For example, the default iptables table is named "filter". Chains of rules in this table are used for packet-filtering network traffic. The filter table contains three default chains. Each packet that is handled by the kernel is passed through exactly one of these chains. Rules in the FORWARD chain are applied to all packets that arrive on one network interface and need to be forwarded to another. Rules in the INPUT and OUTPUT chains are applied to traffic addressed to or originating from the local host, respectively. These three standard chains are usually all you need for firewalling between two network interfaces. If necessary, you can define a custom configuration to support more complex accounting or routing scenarios.

In addition to the filter table, iptables includes the "nat" and "mangle" tables. The nat table contains chains of rules that control Network Address Translation (here, "nat" is the name of the iptables table and "NAT" is the name of the generic address translation scheme). The section Private addresses and NAT on page 289 discusses NAT, and an example of the nat table in action is shown on page 320. Later in this section, we use the nat table's PREROUTING chain for anti-spoofing packet filtering.

The mangle table contains chains that modify or alter the contents of network packets outside the context of NAT and packet filtering. Although the mangle table is handy for special packet handling, such as resetting IP time-to-live values, it is not typically used in most production environments. We discuss only the filter and nat tables in this section, leaving the mangle table to the adventurous.
Each rule that makes up a chain has a "target" clause that determines what to do with matching packets. When a packet matches a rule, its fate is in most cases sealed; no additional rules will be checked. Although many targets are defined internally to iptables, it is possible to specify another chain as a rule's target.

The targets available to rules in the filter table are ACCEPT, DROP, REJECT, LOG, MIRROR, QUEUE, REDIRECT, RETURN, and ULOG. When a rule results in an ACCEPT, matching packets are allowed to proceed on their way. DROP and REJECT both drop their packets. DROP is silent, and REJECT returns an ICMP error message. LOG gives you a simple way to track packets as they match rules, and ULOG provides extended logging.

REDIRECT shunts packets to a proxy instead of letting them go on their merry way. You might use this feature to force all your site's web traffic to go through a web cache such as Squid. RETURN terminates user-defined chains and is analogous to the return statement in a subroutine call. The MIRROR target swaps the IP source and destination address before sending the packet. Finally, QUEUE hands packets to local user programs through a kernel module.
A Linux firewall is usually implemented as a series of iptables commands contained in an rc startup script. Individual iptables commands usually take one of the following forms:

    iptables -F chain-name
    iptables -P chain-name target
    iptables -A chain-name -i interface -j target

The first form (-F) flushes all prior rules from the chain. The second form (-P) sets a default policy (aka target) for the chain. We recommend that you use DROP for the default chain target. The third instance (-A) appends the current specification to the chain. Unless you specify a table with the -t argument, your commands apply to chains in the filter table. The -i parameter applies the rule to the named interface, and -j identifies the target. iptables accepts many other clauses, some of which are shown in Table 20.2.
Below we break apart a complete example. We assume that the ppp0 interface goes to the Internet and that the eth0 interface goes to an internal network. The ppp0 IP address is 128.138.101.4, the eth0 IP address is 10.1.1.1, and both interfaces have a netmask of 255.255.255.0. This example uses stateless packet filtering to protect the web server with IP address 10.1.1.2, which is the standard method of protecting Internet servers. Later in the example, we show how to use stateful filtering to protect desktop users.

Before you can use iptables as a firewall, you must enable IP forwarding and make sure that various iptables modules have been loaded into the kernel. For more information on enabling IP forwarding, see Tuning Linux kernel parameters on page 874 or Security-related kernel variables on page 319. Packages that install iptables generally include startup scripts to achieve this enabling and loading.
Our first set of rules initializes the filter table. First, all chains in the table are flushed, then the INPUT and FORWARD chains' default target is set to DROP. As with any other network firewall, the most secure strategy is to drop any packets that you have not explicitly allowed.

    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

Table 20.2 Command-line flags for iptables filters

    Clause             Meaning or possible values
    -p proto           Matches by protocol: tcp, udp, or icmp
    -s source-ip       Matches host or network source IP address (CIDR notation is OK)
    -d dest-ip         Matches host or network destination address
    --sport port#      Matches by source port (note the double dashes)
    --dport port#      Matches by destination port (note the double dashes)
    --icmp-type type   Matches by ICMP type code (note the double dashes)
    !                  Negates a clause
    -t table           Specifies the table to which a command applies (default is filter)
Since rules are evaluated in the order in which they sit in a chain, we put our busiest rules at the front.[14] The first rule in the FORWARD chain allows all connections through the firewall that originate from within the trusted net. The next three rules allow connections through the firewall to network services on 10.1.1.2. Specifically, we allow SSH (port 22), HTTP (port 80), and HTTPS (port 443) through to our web server.

    iptables -A FORWARD -i eth0 -p all -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p tcp --dport 22 -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p tcp --dport 443 -j ACCEPT
The only TCP traffic we allow to our firewall host (10.1.1.1) is SSH, which is useful for managing the firewall. The second rule listed below allows loopback traffic, which stays local to our firewall host. Our administrators get nervous when they can't ping their default route, so the third rule here allows ICMP ECHO_REQUEST packets from internal IP addresses.

    iptables -A INPUT -i eth0 -d 10.1.1.1 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i lo -d 127.0.0.1 -p all -j ACCEPT
    iptables -A INPUT -i eth0 -d 10.1.1.1 -p icmp --icmp-type 8 -j ACCEPT
For any TCP/IP host to work properly on the Internet, certain types of ICMP packets must be allowed through the firewall. The following eight rules allow a minimal set of ICMP packets to the firewall host, as well as to the network behind it.

    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 5 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p icmp --icmp-type 0 -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p icmp --icmp-type 3 -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p icmp --icmp-type 5 -j ACCEPT
    iptables -A FORWARD -d 10.1.1.2 -p icmp --icmp-type 11 -j ACCEPT
We next add rules to the PREROUTING chain in the nat table. Although the nat table is not intended for packet filtering, its PREROUTING chain is particularly useful for anti-spoofing filtering. If we put DROP entries in the PREROUTING chain, they need not be present in the INPUT and FORWARD chains, since the PREROUTING chain is applied to all packets that enter the firewall host. It's cleaner to put the entries in a single place rather than duplicating them.

    iptables -t nat -A PREROUTING -i ppp0 -s 10.0.0.0/8 -j DROP
    iptables -t nat -A PREROUTING -i ppp0 -s 172.16.0.0/12 -j DROP
    iptables -t nat -A PREROUTING -i ppp0 -s 192.168.0.0/16 -j DROP
    iptables -t nat -A PREROUTING -i ppp0 -s 127.0.0.0/8 -j DROP
    iptables -t nat -A PREROUTING -i ppp0 -s 224.0.0.0/4 -j DROP

14. However, you must be careful that reordering the rules for performance doesn't modify functionality.
Finally, we end both the INPUT and FORWARD chains with a rule that forbids all packets not explicitly permitted. Although we already enforced this behavior with the iptables -P commands, the LOG target lets us see who is knocking on our door from the Internet.

    iptables -A INPUT -i ppp0 -j LOG
    iptables -A FORWARD -i ppp0 -j LOG
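The LOG rules above write one kernel message per packet, which syslog usually files under /var/log/messages. The shell function below is an added example, not part of the book, that summarizes such lines by source address and destination port so you can see who is knocking and on which doors. The log lines it runs on are constructed samples in the field format the LOG target emits (IN=, SRC=, DST=, PROTO=, DPT=); the addresses in them are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: summarize iptables LOG output by source and destination port.

# log_summary: read LOG lines on stdin, print "count src dport", most frequent
# first.  ICMP packets carry no port, so their dport column is shown as "-".
log_summary() {
    awk '
        /kernel:.*IN=/ {
            src = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample of what the INPUT/FORWARD LOG rules write: three probes of
# port 23 on the firewall, one X11 probe at the web server, one ICMP timestamp.
SAMPLE_LOG='Jun  7 14:02:11 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=128.138.101.4 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 14:02:12 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=128.138.101.4 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 14:02:40 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=128.138.101.4 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 14:03:02 gw kernel: IN=ppp0 OUT=eth0 SRC=198.51.100.9 DST=10.1.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=31337 DF PROTO=TCP SPT=2049 DPT=6000 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  7 14:03:30 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=128.138.101.4 LEN=84 TOS=0x00 PREC=0x00 TTL=115 ID=7 PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=1'

# top_offender: the busiest (source, port) pair in the sample.
top_offender() {
    printf '%s\n' "$SAMPLE_LOG" | log_summary | head -n 1
}

# Typical use against a live log: grep 'IN=ppp0' /var/log/messages | log_summary
printf '%s\n' "$SAMPLE_LOG" | log_summary
```

If you add --log-prefix "FW: " to the LOG rules, the lines become trivial to grep out of a shared messages file; the summarizer does not depend on the prefix.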
Optionally, we could set up IP NAT to disguise the private address space used on the internal network. See Linux NAT on page 319 for more information about NAT.

One of the most powerful features that Netfilter brings to Linux firewalling is stateful packet filtering. Instead of allowing specific incoming services, a firewall for clients connecting to the Internet needs to allow incoming responses to the client's requests. The simple stateful FORWARD chain below allows all traffic to leave our network but only allows incoming traffic that's related to connections initiated by our hosts.

    iptables -A FORWARD -i eth0 -p all -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Certain kernel modules must be loaded to enable iptables to track complex network sessions such as those of FTP and IRC. If these modules are not loaded, iptables simply disallows those connections. Although stateful packet filters can increase the security of your site, they also add to the complexity of the network. Be sure you need stateful functionality before implementing it in your firewall.
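The following script is an added example, not the book's own startup script: it assembles the steps described in this section (enable forwarding, load the FTP tracking helper, flush, set DROP policies, then the FORWARD, INPUT, ICMP, anti-spoofing and LOG rules) into the kind of rc script the text mentions, using the section's interfaces and addresses (ppp0 toward the Internet, eth0 on 10.1.1.0/24 with the firewall at 10.1.1.1 and the web server at 10.1.1.2). Two things are assumptions of mine rather than the book's: the connection-tracking module name (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on the kernels the chapter describes) and an ESTABLISHED,RELATED rule on INPUT so that the firewall host's own outbound connections get their replies. Run without arguments the script only prints the commands; "apply" executes them as root.

```shell
#!/bin/sh
# Added example: the section's ruleset as an rc-style script.
# usage: sh fw.sh         (print the iptables commands that would run)
#        sh fw.sh apply   (run them; needs root)

IPT=${IPT:-iptables}
MODE=${1:-print}
EXT_IF=ppp0        # Internet side, 128.138.101.4
INT_IF=eth0        # internal net, firewall is 10.1.1.1
FW_IP=10.1.1.1
WEB=10.1.1.2

# rule: run one iptables command, or print it in "print" mode.
rule() {
    if [ "$MODE" = apply ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Source networks that can never legitimately arrive on the Internet side:
# RFC 1918 space, loopback, multicast (the chapter's PREROUTING list).
bogon_nets() {
    echo "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4"
}

ruleset() {
    # 1. Flush, then deny by default on the chains we filter.
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP

    # 2. FORWARD, busiest rules first: anything from the trusted net may
    #    leave; from outside only SSH/HTTP/HTTPS may reach the web server.
    rule -A FORWARD -i "$INT_IF" -p all -j ACCEPT
    for port in 22 80 443; do
        rule -A FORWARD -d "$WEB" -p tcp --dport "$port" -j ACCEPT
    done
    #    Stateful rule for desktop users: replies to connections our hosts
    #    initiated come back in; unsolicited inbound traffic does not.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. INPUT: SSH to the firewall from inside, loopback, pings from inside.
    rule -A INPUT -i "$INT_IF" -d "$FW_IP" -p tcp --dport 22 -j ACCEPT
    rule -A INPUT -i lo -d 127.0.0.1 -p all -j ACCEPT
    rule -A INPUT -i "$INT_IF" -d "$FW_IP" -p icmp --icmp-type 8 -j ACCEPT
    #    Assumption, not in the book's listing: replies to the firewall
    #    host's own outbound connections.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Minimal ICMP: echo reply, unreachable, redirect, time exceeded.
    for type in 0 3 5 11; do
        rule -A INPUT -p icmp --icmp-type "$type" -j ACCEPT
        rule -A FORWARD -d "$WEB" -p icmp --icmp-type "$type" -j ACCEPT
    done

    # 5. Anti-spoofing in nat/PREROUTING, seen once by every packet that
    #    enters on the Internet side.
    for net in $(bogon_nets); do
        rule -t nat -A PREROUTING -i "$EXT_IF" -s "$net" -j DROP
    done

    # 6. Log whatever fell through; the DROP policy then discards it.
    rule -A INPUT -i "$EXT_IF" -j LOG
    rule -A FORWARD -i "$EXT_IF" -j LOG
}

# Kernel prerequisites: IP forwarding and the FTP connection-tracking helper
# (module name is an assumption; see the lead-in).
prepare_kernel() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

case "$MODE" in
    apply) prepare_kernel && ruleset ;;
    print) ruleset ;;
    *) echo "usage: $0 [apply]" >&2; exit 2 ;;
esac
```

Reviewing the printed output before running "apply" is the cheap way to honor footnote 14: the order you see is the order the kernel will evaluate, so a broad ACCEPT placed above a narrower DROP silently disables the DROP.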
Perhaps the best way to debug your iptables rulesets is to use iptables -L -v. These options tell you how many times each rule in your chains has matched a packet. We often add temporary iptables rules with the LOG target when we want more information about the packets that get matched. You can often solve trickier problems by using a packet sniffer such as tcpdump.
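As an added example that is not part of the book, the shell functions below read the output of iptables -L -v -n (-n suppresses DNS lookups) and pull out two things worth checking after a ruleset has run for a while: rules whose packet counter is still zero, which are either unused or shadowed by an earlier, broader rule, and the per-chain counts of packets that fell through to the default policy. The counter listing they parse is a constructed sample in the layout iptables prints, not captured from a real firewall.

```shell
#!/bin/sh
# Added example: read "iptables -L -v -n" counters to find dead rules and
# policy drops.  Usage on a live host: iptables -L -v -n | unmatched_rules

# unmatched_rules: print "CHAIN: rule" for every rule that has never matched.
unmatched_rules() {
    awk '
        /^Chain / { chain = $2; next }      # remember which chain we are in
        /^ *pkts +bytes/ { next }           # column header line
        NF == 0 { next }                    # blank separator
        $1 == 0 {                           # packet counter is zero
            line = ""
            for (i = 3; i <= NF; i++) line = line (i > 3 ? " " : "") $i
            print chain ": " line
        }
    '
}

# policy_drops: print "CHAIN count" for packets handled by the chain policy.
policy_drops() {
    awk '
        /^Chain / {
            gsub(/[(),]/, "")
            if ($3 == "policy") print $2, $5
        }
    '
}

# Constructed sample of "iptables -L -v -n" output for the rules in this
# section.  The ICMP-from-inside rule and the external SSH-to-web-server rule
# have never fired; 812 inbound and 17 forwarded packets hit the DROP policy.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 812 packets, 48720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 20400 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.1.1.1             tcp dpt:22
 1200 96000 ACCEPT     all  --  lo     *       0.0.0.0/0            127.0.0.1
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            10.1.1.1             icmptype 8
  812 48720 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5500  410K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.2             tcp dpt:22
  980 58800 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.2             tcp dpt:80'

sample_unmatched()    { printf '%s\n' "$SAMPLE_COUNTERS" | unmatched_rules; }
sample_policy_drops() { printf '%s\n' "$SAMPLE_COUNTERS" | policy_drops; }

echo "never matched:"; sample_unmatched
echo "dropped by policy:"; sample_policy_drops
```

A zero counter is a prompt to ask why: the two dead rules in the sample are harmless (nobody has pinged the firewall from inside, nobody has reached SSH on the web server from outside), but the same symptom on a DROP rule usually means an earlier ACCEPT is swallowing its traffic. The policy count should track the LOG rule's count; if it runs ahead, packets are being dropped that never reached the LOG rule.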
20.14 VIRTUAL PRIVATE NETWORKS (VPNS)

One of the most interesting developments of the last few years has been the advent of the virtual private network or VPN. This technology has been made possible mostly by the increased processing power that is now available on a single chip (and on users' workstations). In its simplest form, a VPN is a connection that makes a remote network appear as if it is directly connected, even if it is physically thousands of miles and many router hops away. For increased security, the connection is not only authenticated in some way (usually with a "shared secret" such as a password), but the end-to-end traffic is also encrypted. Such an arrangement is usually referred to as a "secure tunnel."

Here's a good example of the kind of situation in which a VPN is handy: Suppose that a company has offices in Chicago, Boulder, and Miami. If each office has a connection to a local Internet service provider, the company can use VPNs to transparently (and, for the most part, securely) connect the offices across the untrusted Internet. The company could achieve a similar result by leasing dedicated lines to connect the three offices, but that option would be considerably more expensive.
Another good example is a company whose employees telecommute from their homes. VPNs would allow those users to reap the benefits of their high-speed and inexpensive cable modem service while still making it appear that they are directly connected to the corporate network.

Because of the convenience and popularity of this functionality, everyone and his brother is offering some type of VPN solution. You can buy it from your router vendor, as a plug-in for your operating system, or even as a dedicated VPN device for your network. Depending on your budget and scalability needs, you may want to consider one of the many commercial VPN solutions in the marketplace.

If you're without a budget and looking for a quick fix, SSH will do secure tunneling for you. SSH normally provides one-port-at-a-time connectivity, but it can also supply pseudo-VPN functionality as shown in the example on page ?28, which runs PPP through an SSH tunnel.
IPsec tunnels

If you're a fan of IETF standards (or of saving money) and need a real VPN solution, take a look at IPsec (Internet Protocol security). IPsec was originally developed for IPv6, but it has also been widely implemented for IPv4. IPsec is an IETF-approved, end-to-end authentication and encryption system. Almost all serious VPN vendors ship a product that has at least an IPsec compatibility mode.

IPsec uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit, and encryption prevents the unauthorized examination of packet contents.

In its current form, IPsec encrypts the transport layer header, which includes the source and destination port numbers. Unfortunately, this scheme conflicts directly with the way that most firewalls work. A proposal to undo this feature is making its way through the IETF.

Linux kernels 2.5.47 and newer include a native IPsec implementation that is entirely different from the FreeS/WAN implementation commonly used with the 2.4 kernel series. Since IPsec is part of the kernel, it's included with all our distributions.

Note that there's a gotcha around IPsec tunnels and MTU size. It's important to ensure that once a packet has been encrypted by IPsec, nothing fragments it along the path the tunnel traverses. To achieve this feat, you may have to lower the MTU on the devices in front of the tunnel (in the real world, 1,400 bytes usually works). See page 278 in the TCP chapter for more information about MTU size.
All I need is a VPN, right?

Sadly, there's a downside to VPNs. Although they do build a (mostly) secure tunnel across the untrusted network between the two endpoints, they don't usually address the security of the endpoints themselves. For example, if you set up a VPN between your corporate backbone and your CEO's home, you may be inadvertently creating a path for your CEO's 15-year-old daughter to have direct access to everything on your network. Hopefully, she only uses her newly acquired access to get a date with the shipping clerk.

Bottom line: you need to treat connections from VPN tunnels as external connections and grant them additional privileges only as absolutely necessary and after careful consideration. You may want to consider adding a special section to your site security policy that covers what rules apply to VPN connections.
20.15 HARDENED LINUX DISTRIBUTIONS

(Margin note: See page 93 for more information about SELinux.)

Fortunately (?), we've been blessed with a variety of initiatives to produce "hardened" versions of Linux that offer a broader range of security features than are found in the mainstream releases. The hardening usually takes the form of special access controls and auditing capabilities. These features are probably particularly useful if you're planning to use Linux in some type of custom network appliance product. However, it's not clear that they afford substantial advantages to mainstream users. They still require good hygiene, a good packet filter, and all the other things discussed in this chapter. Perhaps they're good for added peace of mind.
Table 20.3 lists some of the better known hardening projects so that you can check out what they have to offer.

Table 20.3 Hardened Linux distributions

    Project name          Web site
    Bastille Linux        www.bastille-linux.org
    EnGarde Linux         www.engardelinux.com
    Openwall GNU/*/Linux  www.openwall.com/Owl

20.16 WHAT TO DO WHEN YOUR SITE HAS BEEN ATTACKED

The key to handling an attack is simple: don't panic. It's very likely that by the time you discover the intrusion, most of the damage has already been done. In fact, it has probably been going on for weeks or months. The chance that you've discovered a break-in that just happened an hour ago is slim to none.

In that light, the wise owl says to take a deep breath and begin developing a carefully thought out strategy for dealing with the break-in. You need to avoid tipping off the intruder by announcing the break-in or performing any other activity that would seem abnormal to someone who may have been watching your site's operations for many weeks. Hint: performing a system backup is usually a good idea at this point and (hopefully!) will appear to be a normal activity to the intruder.[15]
This is also a good time to remind yourself that some studies have shown that 60% of security incidents involve an insider. Be very careful who you discuss the incident with until you're sure you have all the facts.

Here's a quick 9-step plan that may assist you in your time of crisis:
Step 1: Don't panic. In many cases, a problem isn't noticed until hours or days after it took place. Another few hours or days won't affect the outcome. The difference between a panicky response and a rational response will. Many recovery situations are exacerbated by the destruction of important log, state, and tracking information during an initial panic.

Step 2: Decide on an appropriate level of response. No one benefits from an over-hyped security incident. Proceed calmly. Identify the staff and resources that must participate and leave others to assist with the post-mortem after it's all over.

Step 3: Hoard all available tracking information. Check accounting files and logs. Try to determine where the original breach occurred. Back up all your systems. Make sure that you physically write-protect backup tapes if you put them in a drive to read them.

Step 4: Assess your degree of exposure. Determine what crucial information (if any) has "left" the company, and devise an appropriate mitigation strategy. Determine the level of future risk.

Step 5: Pull the plug. If necessary and appropriate, disconnect compromised machines from the network. Close known holes and stop the bleeding. CERT provides steps on analyzing an intrusion. The document can be found at www.cert.org/tech_tips/win-UNIX-system_compromise.html
Step 6: Devise a recovery plan. With a cieative colleague, diaw up a iecoveiy plan
on neaiby whiteboaid. This pioceduie is most effective when peifoimed away fiom
a keyboaid. Focus on putting out the fiie and minimizing the damage. Avoid assess-
ing blame oi cieating excitement. In youi plan, don't foiget to addiess the psycho-
logical fallout youi usei community may expeiience. Useis inheiently tiust otheis,
and blatant violations of tiust makes many folks uneasy.
Step 7: Communicate the recovery plan. Iducate useis and management about the
effects of the bieak-in, the potential foi futuie pioblems, and youi pieliminaiy iecov-
eiy stiategy. Be open and honest. Secuiity incidents aie pait of life in a modein net-
woiked enviionment. They aie not a ieflection on youi ability as a system adminis-
tiatoi oi on anything else woith being embaiiassed about. Openly admitting that
you have a pioblem is 90% of the battle, as long as you can demonstiate that you have
a plan to iemedy the situation.
15. If system backups are not a "normal" activity at your site, you have much bigger problems than the
security intrusion.
712 Chapter 20 - Security
Step 8: Implement the recovery plan. You know your systems and networks better
than anyone. Follow your plan and your instincts. Speak with a colleague at a similar
institution (preferably one who knows you well) to keep yourself on the right track.
Step 9: Report the incident to authorities. If the incident involved outside parties,
you should report the matter to CERT. They have a hotline at (412) 268-7090 and
can be reached by email at cert@cert.org. Provide as much information as you can.
A standard form is available from www.cert.org to help jog your memory. Here are
some of the more useful pieces of information you might provide:
• The names, hardware types, and OS versions of the compromised machines
• The list of patches that had been applied at the time of the incident
• A list of accounts that are known to have been compromised
• The names and IP addresses of any remote hosts that were involved
• Contact information (if you know it) for the administrators of remote sites
• Relevant log entries or audit information
If you believe that a previously undocumented software problem may have been
involved, you should report the incident to your Linux distributor as well.
20.17 SOURCES OF SECURITY INFORMATION
Half the battle of keeping your system secure consists of staying abreast of
security-related developments in the world at large. If your site is broken into, the
break-in probably won't be through the use of a novel technique. More likely, the
chink in your armor is a known vulnerability that has been widely discussed in
vendor knowledge bases, on security-related newsgroups, and on mailing lists.
CERT: a registered service mark of Carnegie Mellon University
In response to the uproar over the 1988 Internet worm, the Defense Advanced
Research Projects Agency (DARPA) formed an organization called CERT, the
Computer Emergency Response Team, to act as a clearing house for computer
security information. CERT is still the best-known point of contact for security
information, though it seems to have grown rather sluggish and bureaucratic of late.
CERT also now insists that the name CERT does not stand for anything and is merely
"a registered service mark of Carnegie Mellon University."
In mid-2003, CERT partnered with the Department of Homeland Security's National
Cyber Security Division, NCSD. The merger has, for better or for worse, altered the
previous mailing list structure. The combined organization, known as US-CERT,
offers four announcement lists, the most useful of which is the "Technical Cyber
Security Alerts." Subscribe to any of the four lists at forms.us-cert.gov/maillists.
SecurityFocus.com and the BugTraq mailing list
SecurityFocus.com is a site that specializes in security-related news and information.
The news includes current articles on general issues and on specific problems; there's
also an extensive technical library of useful papers, nicely sorted by topic.
SecurityFocus's archive of security tools includes software for a variety of operating
systems, along with blurbs and user ratings. It is the most comprehensive and
detailed source of tools that we are aware of.
The BugTraq list is a moderated forum for the discussion of security vulnerabilities
and their fixes. To subscribe, visit www.securityfocus.com/archive. Traffic on this
list can be fairly heavy, however, and the signal-to-noise ratio is fairly poor. A
database of BugTraq vulnerability reports is also available from the web site.
Crypto-Gram newsletter
The monthly Crypto-Gram newsletter is a valuable and sometimes entertaining
source of information regarding computer security and cryptography. It's produced
by Bruce Schneier, author of the well-respected books Applied Cryptography and
Secrets and Lies. Find current and back issues at this site:
www.schneier.com/crypto-gram.html
You can also read Schneier's security blog at
www.schneier.com/blog
SANS: the System Administration, Networking, and Security Institute
SANS is a professional organization that sponsors security-related conferences and
training programs, as well as publishing a variety of security information. Their web
site, www.sans.org, is a useful resource that occupies something of a middle ground
between SecurityFocus and CERT: neither as frenetic as the former nor as stodgy as
the latter.
SANS offers several weekly and monthly email bulletins that you can sign up for on
their web site. The weekly NewsBites are nourishing, but the monthly summaries
contain a lot of boilerplate. Neither is a great source of late-breaking security news.
Distribution-specific security resources
Because security problems have the potential to generate a lot of bad publicity,
vendors are often eager to help customers keep their systems secure. Most large
vendors have an official mailing list to which security-related bulletins are posted,
and many maintain a web site about security issues as well. It's common for
security-related software patches to be distributed for free, even by vendors that
normally charge for software support.
Security portals on the web, such as www.securityfocus.com, contain vendor-specific
information and links to the latest official vendor dogma.
A list of Red Hat security advisories can be found at www.redhat.com/security. As of
this writing, no official security mailing list is sponsored by Red Hat. However, there
are a variety of Linux security resources on the net; most of the information applies
directly to Red Hat.
You can find SUSE security advisories at
www.novell.com/linux/security/securitysupport.html
You can join the official SUSE security announcement mailing list by visiting
www.suse.com/en/private/support/online_help/mailinglists/index.html
Check out www.debian.org to view the latest in Debian security news, or join the
mailing list at
www.debian.org/MailingLists/subscribe#debian-security-announce
Ubuntu has a security mailing list at
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
Security information about Cisco products is distributed in the form of field notices,
a list of which can be found at
www.cisco.com/public/support/tac/fn_index.html
along with a news aggregation feed. To subscribe to Cisco's security mailing list, send
mail to majordomo@cisco.com with the line "subscribe cust-security-announce" in
the message body.
Other mailing lists and web sites
The contacts listed above are just a few of the many security resources available on
the net. Given the volume of info that's now available and the rapidity with which
resources come and go, we thought it would be most helpful to point you toward
some meta-resources.
One good starting point is the X-Force web site (xforce.iss.net) at Internet Security
Systems, which maintains a variety of useful FAQs. One of these is a current list of
security-related mailing lists. The vendor and security patch FAQs contain useful
contact information for a variety of vendors.
www.yahoo.com has an extensive list of security links; look for the "Security and
Encryption" section in the Yahoo! Directory. Another good source of links on the
subject of network security can be found at www.wikipedia.org under the heading
"computer security".
Linux Journal (www.linuxjournal.com) contains an excellent column called "Paranoid
Penguin" that covers all aspects of Linux security. The magazine also occasionally
includes various feature articles on security topics.
The Linux Weekly News is a tasty treat that includes regular updates on the kernel,
security, distributions, and other topics. LWN's security section can be found at
lwn.net/security.
20.18 RECOMMENDED READING
BRYANT, WILLIAM. "Designing an Authentication System: a Dialogue in Four
Scenes." 1988. web.mit.edu/kerberos/www/dialogue.html
CERT COORDINATION CENTER. "Intruder Detection Checklist." 1999.
www.cert.org/tech_tips/intruder_detection_checklist.html
CERT COORDINATION CENTER. "UNIX Configuration Guidelines." 1997.
www.cert.org/tech_tips/unix_configuration_guidelines.html
CHESWICK, WILLIAM R., STEVEN M. BELLOVIN, AND AVIEL D. RUBIN. Firewalls and
Internet Security: Repelling the Wily Hacker (2nd Edition). Reading, MA:
Addison-Wesley, 2003.
CURTIN, MATT, MARCUS RANUM, AND PAUL D. ROBINSON. "Internet Firewalls:
Frequently Asked Questions." 2004. www.interhack.net/pubs/fwfaq
FARMER, DAN, AND WIETSE VENEMA. "Improving the Security of Your Site by
Breaking Into It." 1993. www.deter.com/unix/papers/improve_by_breakin.html
FARROW, RIK, AND RICHARD POWER. Network Defense article series. 1998-2004.
www.spirit.com/Network
FRASER, B., EDITOR. RFC 2196: Site Security Handbook. 1997. www.rfc-editor.org.
BAUER, MICHAEL D. Linux Server Security (2nd Edition). Sebastopol, CA: O'Reilly
Media, 2005.
GARFINKEL, SIMSON, GENE SPAFFORD, AND ALAN SCHWARTZ. Practical UNIX and
Internet Security (3rd Edition). Sebastopol, CA: O'Reilly Media, 2003.
BARRETT, DANIEL J., RICHARD E. SILVERMAN, AND ROBERT G. BYRNES. Linux Security
Cookbook. Sebastopol, CA: O'Reilly Media, 2003.
KERBY, FRED, ET AL. "SANS Intrusion Detection and Response FAQ." SANS. 200?.
www.sans.org/resources/idfaq/
MANN, SCOTT, AND ELLEN L. MITCHELL. Linux System Security: The Administrator's
Guide to Open Source Security Tools (2nd Edition). Upper Saddle River, NJ:
Prentice Hall PTR, 2002.
MORRIS, ROBERT, AND KEN THOMPSON. "Password Security: A Case History."
Communications of the ACM, 22 (11): 594-597, November 1979. Reprinted in UNIX
System Manager's Manual, 4.3 Berkeley Software Distribution. University of
California, Berkeley, April 1986.
PICHNARCZYK, KARYN, STEVE WEEBER, AND RICHARD FEINGOLD. "UNIX Incident
Guide: How to Detect an Intrusion." Computer Incident Advisory Capability, U.S.
Department of Energy, 1994. www.ciac.org/cgi-bin/index/documents
RITCHIE, DENNIS M. "On the Security of UNIX." May 1975. Reprinted in UNIX
System Manager's Manual, 4.3 Berkeley Software Distribution. University of
California, Berkeley, April 1986.
SCHNEIER, BRUCE. Applied Cryptography: Protocols, Algorithms, and Source Code in
C. New York, NY: Wiley, 1995.
THOMPSON, KEN. "Reflections on Trusting Trust." In ACM Turing Award Lectures:
The First Twenty Years 1966-1985. Reading, MA: ACM Press (Addison-Wesley), 1987.
SONNENREICH, WES, AND TOM YATES. Building Linux and OpenBSD Firewalls. New
York, NY: J.W. Wiley, 2000.
This is an awesome little book: it's easy to read, has good examples, shows a good
sense of humor, and is just generally excellent. Our only gripe with this book is that
it argues against the use of sudo for root access, claiming that it's too hard to use and
not worth the trouble. We strongly disagree.
20.19 EXERCISES
E20.1 Discuss the strength of SSH authentication with Linux passwords vs.
SSH authentication with a passphrase and key pair. If one is clearly
more secure than the other, should you automatically require the more
secure authentication method?
E20.2 Samhain identifies files that have changed.
a) What is required to set up and use samhain on your machine?
b) What recent Internet diseases would samhain be effective against?
c) What recent Internet diseases would samhain be helpless against?
d) Given physical access to a system, how could samhain be circumvented?
e) What can you conclude if samhain says that /bin/login has changed,
but it seems to have the same size and modification date as before?
What if the sum program gives the same values for the old and new
versions? How about md5sum?
E20.3 SSH tunneling is often the only way to tunnel traffic to a remote
machine on which you don't have administrator access. Read the ssh man
page and provide a command line that tunnels traffic from localhost
port 113 to mail.remotenetwork.org port 11?. The forwarding point of
your tunnel should also be the host mail.remotenetwork.org.
E20.4 Pick a recent security incident and research it. Find the best sources of
information about the incident and find patches or workarounds that
are appropriate for the systems in your lab. List your sources and the
actions you propose for protecting your lab.
E20.5 With permission from your local sysadmin group, install John the
Ripper, the program that searches for logins with weak passwords.
a) Modify the source code so that it outputs only the login names with
which weak passwords are associated, not the passwords themselves.
b) Run John the Ripper on your local lab's password file (you need
access to /etc/shadow) and see how many breakable passwords you
can find.
c) Set your own password to a dictionary word and give john just your
own entry in /etc/shadow. How long does john take to find it?
d) Try other patterns (capital letter, number after dictionary word,
single-letter password, etc.) to see exactly how smart john is.
E20.6 In the computer lab, set up two machines: a target and a prober.
a) Install nmap and Nessus on the prober. Attack the target with these
tools. How could you detect the attack on the target?
b) Set up a firewall on the target using iptables to defend against the
probes. Can you detect the attack now? If so, how? If not, why not?
c) What other defenses can be set up against the attacks?
(Requires root access.)
E20.7 A security team recently found a large hole in many current and older
sendmail servers. Find a good source of information on the hole and
discuss the issues and the best way to address them.
E20.8 Setuid programs are sometimes a necessary evil. However, setuid shell
scripts should be avoided. Why?
E20.9 Use tcpdump to capture FTP traffic for both active and passive FTP
sessions. How does the need to support an anonymous FTP server affect
the site's firewall policy? What would the firewall rules need to allow?
(Requires root access.)
E20.10 What do the rules in the following iptables output allow and disallow?
What would be some very easy additions that would enhance security
and privacy? (Hint: the OUTPUT and FORWARD chains could use some
more rules.)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  128.138.0.0/16       anywhere            state NEW tcp dpt:kerberos
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
E20.11 Inspect a local firewall's rulesets. Discuss what you find in terms of
policies. Are there any glaring security holes? (This exercise is likely to
require the cooperation of the administrators responsible for your local
site's security.)
E20.12 Write a tool that determines whether any network interfaces at your site
are in promiscuous mode. Run it regularly on your networks to try to
quickly spot such an intrusion. How much load does the tool generate?
Do you have to run it on each machine, or can you run it from afar? Can
you design a sneaky packet that would tell you if an interface was in
promiscuous mode? (Requires root access.)
Web Hosting and Internet Servers
The complexity of web technology seems to be doubling every year. Fortunately,
the vast majority of this technology lies in the domain of the web designer and
programmer. Web hosting itself hasn't changed much over the past decade.
The kinks have been worked out of web server software, and as a result these
servers are now quite secure and reliable, at least if they're configured correctly and
your site has no rogue web programmers. Even with the advent of "Web 2.0," AJAX
(Asynchronous JavaScript And XML), and dynamic HTML, the core web server
software remains about the same.
These days we have a variety of web hosting platforms to choose from. Microsoft
Windows has been widely marketed as a web hosting platform. The industry press
has published countless articles that ask "Which web hosting platform is best?",
usually positioning Windows and Linux at opposite corners of the ring. Although
some of this brouhaha is akin to the "Less filling!" "Tastes great!" battle, Linux has
become the most popular hosting platform because of its low cost, speed, reliability,
and flexibility. The so-called LAMP platform (Linux, Apache, MySQL, and
PHP/Perl/Python) is the dominant paradigm for today's web servers.
There are many different Internet-centric services that you might want to "host,"
either at your site or at one of the many co-location outsourcing providers. In this
chapter, we address the two most common services: the web and FTP.
720 Chapter 21 - Web hosting and Internet servers
21.1 WEB HOSTING BASICS
Hosting a web site isn't substantially different from providing any other network
service. The foundation of the World Wide Web is the Hypertext Transfer Protocol
(HTTP), a simple TCP-based protocol for transmitting documents that contain a
variety of media types, including text, pictures, sound, animation, and video. HTTP
behaves much like other client/server protocols used on the Internet, for example,
SMTP (for email) and FTP (for file transfer).
A web server is simply a system that's configured to answer HTTP requests. To
convert your generic Linux system into a web hosting platform, you install a daemon
that listens for connections on TCP port 80 (the HTTP standard), accepts requests
for documents, and transmits them to the requesting user.
Web browsers such as Firefox, Opera, and Internet Explorer contact remote web
servers and make requests on behalf of users. The documents thus obtained can
contain hypertext pointers (links) to other documents, which may or may not live on
the server that the user originally contacted. Since the HTTP protocol standard is
well defined, clients running on any operating system or architecture can connect to
any HTTP server. This platform independence, along with HTTP's ability to
transparently pass a user from one server to another, has helped spark its amazing
success.
There is life beyond straight HTTP, however. Many enhanced protocols have been
defined for handling everything from encryption to streaming video. These
additional services are often managed by separate daemons, even if they are
provided by the same physical server.
Uniform resource locators
A uniform resource locator (URL) is a pointer to an object or service on the Internet.
It describes how to access an object by means of five basic components:
• Protocol or application
• Hostname
• TCP/IP port (optional)
• Directory (optional)
• Filename (optional)
Table 21.1 shows some of the protocols that may be used in URLs.
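The five components above map directly onto what a URL parser returns. The following is an added example, not code from the book: it uses Python's urllib.parse to split URLs into those components and, going beyond the text, shows why any hostname check must be made against the parsed hostname rather than the URL string (userinfo before an "@" and a port suffix both fool substring matching). The function names, the DEFAULT_PORTS table and the sample URLs are ours; the sample URLs are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# Port implied by each scheme when the URL omits one (scheme list is our choice).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ldap": 389}


def url_components(url):
    """Split url into the five parts described in the text.

    Returns a dict with keys protocol, hostname, port, directory, filename.
    Optional parts that are absent come back as None, except that port is
    filled from DEFAULT_PORTS when the scheme has a well-known one.
    """
    parts = urlsplit(url)
    protocol = parts.scheme.lower()
    # .hostname is already lower-cased and has userinfo ("user:pw@") and
    # IPv6 brackets stripped; .port is None when absent and raises
    # ValueError when the port is not a number in range.
    hostname = parts.hostname
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(protocol)
    directory = filename = None
    if parts.path:
        directory, filename = posixpath.split(parts.path)
        directory = directory or None    # "mailto:user@host" has no directory
        filename = filename or None      # path ended in "/": directory only
    return {"protocol": protocol, "hostname": hostname, "port": port,
            "directory": directory, "filename": filename}


def naive_host_allowed(url, allowed_hosts):
    """The check many scripts do: is an allowed name somewhere in the string?

    Vulnerable: "http://admin.com@evil.com/" passes for allowed "admin.com",
    because everything before the "@" is userinfo, not the host.
    """
    return any(host in url for host in allowed_hosts)


def host_allowed(url, allowed_hosts, allowed_schemes=("http", "https")):
    """Compare the parsed scheme and hostname against allow-lists."""
    c = url_components(url)
    return c["protocol"] in allowed_schemes and c["hostname"] in allowed_hosts


if __name__ == "__main__":
    for u in ("http://admin.com@evil.com:8080/docs/index.html",
              "https://admin.com/order.shtml", "file:///etc/syslog.conf"):
        print(u, url_components(u))
```

Note that for "file:///etc/syslog.conf" the hostname comes back as None: the three slashes mean "empty host, absolute path", which is why the table below writes file URLs that way.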
How HTTP works
HTTP is the protocol that makes the World Wide Web really work, and to the
amazement of many, it is an extremely basic, stateless, client/server protocol. In the
HTTP paradigm, the initiator of a connection is always the client (usually a browser).
The client asks the server for the "contents" of a specific URL. The server responds
with either a spurt of data or with some type of error message. The client can then
go on to request another object.
Because HTTP is so simple, you can easily make yourself into a crude web browser
by using telnet. Since the standard port for HTTP service is port 80, just telnet
directly to that port on your web server of choice. Once you're connected, you can
issue HTTP commands. The most common command is GET, which requests the
contents of a document. Usually, GET / is what you want, since it requests the root
document (usually, the home page) of whatever server you've connected to. HTTP
method names are case sensitive, so make sure you type commands in capital
letters.
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.atrust.com.
Escape character is '^]'.
GET /
<contents of your default page here>
Connection closed by foreign host.
A more "complete" HTTP request would include the HTTP protocol version, the host
that the request is for (required to retrieve a file from a name-based virtual host),
and other information. The response would then include informational headers as
well as response data. For example:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.atrust.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.atrust.com

HTTP/1.1 200 OK
Date: Sun, 06 Aug 2006 18:25:03 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
Last-Modified: Sun, 06 Aug 2006 18:24:47 GMT
Content-Length: 7044
Content-Type: text/html

<contents of your default page here>
Connection closed by foreign host.
In this case, we told the server we were going to speak HTTP protocol version 1.1
and named the virtual host from which we were requesting information. The server
returned a status code (HTTP/1.1 200 OK), its idea of the current date and time, the
name and version of the server software it was running, the date that the requested
file was last modified, the length of the requested file, and the requested file's
content type. The header information is separated from the content by a single blank
line, and the request ends the same way: the empty line after the Host header is what
tells the server that the request is complete. Note also that an HTTP/1.1 server keeps
the connection open for further requests; it closes only after its keep-alive timeout
or if the client sends a Connection: close header.
Table 21.1 URL protocols
Proto    What it does                              Example
file     Accesses a local file                     file:///etc/syslog.conf
ftp      Accesses a remote file via FTP            ftp://ftp.admin.com/adduser.tar.gz
http     Accesses a remote file via HTTP           http://admin.com/index.html
https    Accesses a remote file via HTTP/SSL       https://admin.com/order.shtml
ldap     Accesses LDAP directory services          ldap://ldap.bigfoot.com:389/cn=herb
mailto   Sends email to a designated address       mailto:linux@book.admin.com
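The same exchange in code, as an added example that is not from the book: build_request produces the request typed into telnet above, parse_response splits a raw reply at the blank line that separates headers from content, and fetch wires the two to a TCP socket. SAMPLE_RESPONSE is a constructed reply modelled on the transcript so the parser can be exercised offline; the function names are ours. The request adds a Connection: close header so that the server really does close the connection after one response, which is what lets fetch read until end-of-stream.

```python
import socket


def build_request(host, path="/", method="GET"):
    """Return the bytes of a minimal HTTP/1.1 request.

    Host is mandatory in HTTP/1.1 (name-based virtual hosts need it);
    Connection: close makes the server end the connection after one
    response instead of waiting for the next request on the same socket.
    """
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n"
            f"\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status, reason, headers, body).

    Headers end at the first empty line (CRLF CRLF). Header names are
    case-insensitive in HTTP, so they are lower-cased for lookup.
    Raises ValueError if the headers are incomplete or the body is shorter
    than Content-Length announces (a truncated transfer, not a short page).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(status_line[1])
    reason = status_line[2] if len(status_line) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length")
    if length is not None and len(body) < int(length):
        raise ValueError("body truncated: got %d of %s bytes" % (len(body), length))
    return status, reason, headers, body


def fetch(host, path="/", port=80, timeout=10):
    """Perform one request over a TCP socket and parse the reply (needs a network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:            # server honoured Connection: close
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample reply in the shape of the telnet transcript above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 06 Aug 2006 18:25:03 GMT\r\n"
    b"Server: Apache/1.3.33 (Unix) PHP/4.4.0\r\n"
    b"Content-Length: 28\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)

if __name__ == "__main__":
    status, reason, headers, body = parse_response(SAMPLE_RESPONSE)
    print(status, reason, headers["content-type"], len(body))
```

The Content-Length check is the detail worth copying into any tool that scrapes HTTP by hand: a connection that drops mid-body looks exactly like a shorter document unless you compare what arrived against what was announced.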
Content generation on the fly
In addition to serving up static documents, an HTTP server can provide the user
with content that has been created on the fly. For example, if you wanted to provide
the current time and temperature to users visiting your web site, you might have the
HTTP server execute a script to obtain this information. This amaze-the-natives
trick is often accomplished with the Common Gateway Interface, or CGI.
CGI is not a programming language, but rather a specification by which an HTTP
server exchanges information with other programs. CGI scripts are most often
written in Perl, Python, or PHP. But really, almost any programming language that
can perform real-time I/O is acceptable. Just think of all those out-of-work COBOL
programmers that can apply their skills to the Internet!
In addition to supporting external CGI scripts, many web servers define a plug-in
architecture that allows script interpreters such as Perl and PHP to be embedded
within the web server itself. This bundling significantly increases performance, since
the web server no longer has to fork a separate process to deal with each script
request. The architecture is largely invisible to script developers. Whenever the
server sees a file ending in a specified extension (such as .pl or .php), it sends the
content of the file to an embedded interpreter to be executed.
For the most part, CGI scripts and plug-ins are the concern of web developers and
programmers. Unfortunately, they collide with the job of the system administrator in
one important area: security. Because CGI scripts and plug-ins have access to files,
network connections, and other methods of moving data from one place to another,
their execution can potentially affect the security of the machine on which the HTTP
server is running. Ultimately, a CGI script or plug-in gives anyone in the world the
ability to run a program (the script) on your server, with input of their choosing.
Therefore, CGI scripts and files processed by plug-ins must be just as secure as any
other network-accessible program. The embedded-interpreter model raises the
stakes further: a script that runs inside the server process runs with the server's
privileges and shares its memory and open file descriptors. A good source of
information on the secure handling of CGI scripts is the page
www.w3.org/Security/Faq. Although this page hasn't been updated in some time,
all its information is still relevant.
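A concrete version of the risk just described, as an added example that is not from the book or from the W3C FAQ: a small CGI handler that looks up a hostname supplied by the visitor, first in the injectable form many early CGI scripts took, then hardened. The query parameter name host, the external command host(1), and the function names are our assumptions; the query strings used for testing are constructed.

```python
import html
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

# One DNS label per group: letters, digits and interior hyphens, 1-63 chars.
# Used with fullmatch so a trailing newline cannot sneak past a "$" anchor.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


def param(query_string, name):
    """First value of a query parameter, percent-decoded, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def unsafe_command(query_string):
    """VULNERABLE: the shell command line such a script would hand to
    subprocess.run(..., shell=True). parse_qs has already turned %3B into
    ';', so the visitor can append any command they like."""
    return "host " + param(query_string, "host")


def safe_argv(query_string):
    """Hardened: accept only what a hostname may look like, then pass it as
    a single argv element. With no shell in the path, metacharacters are data."""
    host = param(query_string, "host")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["host", host]


def is_rejected(query_string):
    """True if safe_argv refuses the query (convenience for testing)."""
    try:
        safe_argv(query_string)
    except ValueError:
        return True
    return False


def run_lookup(argv, timeout=5):
    """Run the validated argv with no shell and a time limit."""
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return done.stdout + done.stderr


def render(text):
    """Escape before embedding in HTML so record contents cannot become markup."""
    return "<pre>" + html.escape(text) + "</pre>"


if __name__ == "__main__":
    # Minimal CGI entry point: the web server passes the query in QUERY_STRING.
    try:
        argv = safe_argv(os.environ.get("QUERY_STRING", ""))
    except ValueError:
        sys.stdout.write("Status: 400 Bad Request\r\n"
                         "Content-Type: text/plain\r\n\r\nbad hostname\n")
        sys.exit(0)
    sys.stdout.write("Content-Type: text/html\r\n\r\n" + render(run_lookup(argv)))
```

Two points carry over to any CGI script regardless of language: validate against the grammar you expect rather than blacklisting characters, and never let user-controlled bytes reach a shell. The same applies to embedded interpreters; there the injected command runs inside httpd itself.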
Load balancing
It's difficult to predict how many hits (requests for objects, including images) or page
views (requests for HTML pages) a server can handle per unit of time. A server's
capacity depends on the system's hardware architecture (including subsystems), the
operating system it is running, the extent and emphasis of any system tuning that
has been performed, and perhaps most importantly, the construction of the sites
being served. (Do they contain only static HTML pages, or must they make database
calls and numeric calculations?)
Only direct benchmarking and measurement of your actual site running on your
actual hardware can answer the "how many hits?" question. Sometimes, people who
have built similar sites on similar hardware can give you information that is useful
for planning. In no case should you believe the numbers quoted by system suppliers.
Also remember that your bandwidth is a key consideration. A single machine
serving static HTML files and images can easily serve enough data to saturate a T3
(45 Mb/s) link.
That said, instead of single-server hit counts, a better parameter to focus on is
scalability; a web server typically becomes CPU- or I/O-bound before saturating its
Ethernet interface. Make sure that you and your web design team plan to spread the
load of a heavily trafficked site across multiple servers.
Load balancing adds both performance and redundancy. Several different load
balancing approaches are available: round robin DNS, load balancing hardware, and
software-based load balancers.
(See page 385 for more information about round robin DNS configuration.)
Round robin DNS is the simplest and most primitive form of load balancing. In this
system, multiple IP addresses are assigned to a single hostname. When a request for
the web site's IP address arrives at the name server, the client receives one of the IP
addresses in response. Addresses are handed out one after another, in a repeating
"round robin" sequence.
The problem with round robin DNS is that if a server goes down, DNS data must be
updated to remove the server from the response cycle. Remote caching of DNS data
can make this operation tricky and unreliable. If you have a backup server available,
it is often easier to reassign the disabled server's IP address to the backup server.
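The caching problem in the two paragraphs above, as an added example that is not from the book: a toy round robin zone and a client that caches each answer for its TTL, driven by a fake clock. The server addresses, the TTL and the timeline are constructed. It shows that removing a dead address from the zone does nothing for clients (or recursive resolvers) holding a cached answer until that answer expires, whereas moving the dead server's address to a backup restores service without waiting for DNS at all.

```python
class RoundRobinZone:
    """A zone with several A records for one name, answered in rotation."""

    def __init__(self, name, addresses, ttl):
        self.name = name
        self.addresses = list(addresses)
        self.ttl = ttl
        self._next = 0

    def answer(self):
        """One address per query, rotating through the list; returns (addr, ttl)."""
        addr = self.addresses[self._next % len(self.addresses)]
        self._next += 1
        return addr, self.ttl

    def remove(self, address):
        self.addresses.remove(address)


class CachingClient:
    """Resolves the name once and reuses the answer until its TTL expires,
    as a browser or a recursive resolver would."""

    def __init__(self, zone, clock):
        self.zone = zone
        self.clock = clock          # function returning the current time
        self._cached = None         # (address, expiry time)

    def resolve(self):
        now = self.clock()
        if self._cached and now < self._cached[1]:
            return self._cached[0]
        addr, ttl = self.zone.answer()
        self._cached = (addr, now + ttl)
        return addr


def simulate(fix):
    """Run a timeline and return [(time, address the client used, reachable)].

    fix="dns":      on failure the dead address is removed from the zone.
    fix="takeover": a backup server takes over the dead address instead.
    """
    clock = {"t": 0}
    zone = RoundRobinZone("www.example.com", ["10.0.0.1", "10.0.0.2"], ttl=300)
    reachable = {"10.0.0.1", "10.0.0.2"}
    client = CachingClient(zone, lambda: clock["t"])
    log = []

    def visit(t):
        clock["t"] = t
        addr = client.resolve()
        log.append((t, addr, addr in reachable))

    visit(0)                             # client caches 10.0.0.1 until t=300
    reachable.discard("10.0.0.1")        # that server crashes shortly after
    if fix == "dns":
        zone.remove("10.0.0.1")          # zone updated immediately...
    visit(60)                            # ...but the cached answer is still used
    if fix == "takeover":
        reachable.add("10.0.0.1")        # backup host brings up 10.0.0.1
    visit(120)
    visit(300)                           # cache expired; fresh answer from zone
    return log


if __name__ == "__main__":
    for fix in ("dns", "takeover"):
        print(fix, simulate(fix))
```

With a 300-second TTL the "dns" fix leaves the client failing for the whole remaining TTL; real-world TTLs on popular zones are often hours, and some resolvers ignore short TTLs entirely, which is why the text recommends IP takeover when a backup host is available.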
Load balancing hardware is a relatively easy alternative, but one that requires some
spare cash. Commercial third-party load balancing hardware includes the BIG-IP
Controller from F5 Networks, Nortel's web switching products, and Cisco's Content
Services Switches. These products distribute incoming work according to a variety
of configurable parameters and can take the current response times of individual
servers into account.
Software-based load balancers don't require specialized hardware; they can run on a
Linux server. Both open source and commercial solutions are available. The open
source category includes the Linux Virtual Server (www.linuxvirtualserver.org),
Ultra Monkey (www.ultramonkey.org), and the mod_backhand module for Apache
(www.backhand.org). An example of commercial offerings are those sold by Zeus,
www.zeus.com.
You may wonder how a large site such as Google handles load balancing. Their
system uses a combination of custom load-balancing DNS servers and load balancing
hardware. See the Wikipedia article for "Google platform" for more details.
Keep in mind that most sites these days are dynamically generated. This architecture
puts a heavy load on database servers. If necessary, consult your database
administrator to determine the best way to distribute load across multiple database
servers.
21.2 HTTP SERVER INSTALLATION
Installing and maintaining a web server is easy. Web services rank far below email
and DNS in complexity and difficulty of administration.
Choosing a server
Several HTTP servers are available, but you'll most likely want to start with the
Apache server, which is well known in the industry for its flexibility and
performance. As of September 2006, 63% of web servers on the Internet were
running Apache. Microsoft accounts for most of the remainder at 30% of servers.
This market share split between Apache and Microsoft has been relatively stable for
the last five years. More detailed market share statistics over time are available here:
news.netcraft.com/archives/web_server_survey.html
You can find a useful comparison of currently available HTTP servers at the site
www.serverwatch.com/stypes/index.php (select "Web Servers"). Here are some of
the factors you may want to consider in making your selection:
• Robustness
• Performance
• Timeliness of updates and bug fixes
• Availability of source code
• Level of commercial or community support
• Cost
• Access control and security
• Ability to act as a proxy
• Ability to handle encryption
The Apache HTTP server is "free to a good home," and full source code is available
from the Apache Group site at www.apache.org. The less adventurous may want to
install the binary-only Apache package that comes as part of your Linux
distribution. (But chances are that it's already installed; try looking in /etc/apache2.)
Insta|||ng Aache
If you do decide to download the Apache souice code and compile it youiself, stait
by executing the configure sciipt included with the distiibution. This sciipt auto-
matically detects the system type and sets up the appiopiiate makefiles. Use the
--prefix option to specify where in your directory tree the Apache server should live.
If you don't specify a piefix, the seivei is installed in /usr/local/apache2 by default.
Foi example:
$ ./confgure --prefx=/etc/httpd/
21.2 nJJP server installation 725
You can use configure --help to see the entire list of possible options, most of which consist of --enable-module and --disable-module options that include or exclude various functional components that live within the web server.

You can also compile modules into dynamically shared object files by specifying the option --enable-module=shared (or use --enable-mods-shared=all to make all modules shared). That way, you can decide later which modules to include or exclude; only modules specified in your httpd configuration are loaded at run time. This is actually the default configuration for the binary-only Apache package: all the modules are compiled into shared objects and are dynamically loaded when Apache starts. The only disadvantages to using shared libraries are a slightly longer startup time and a very slight degradation in performance (typically less than 5%). For most sites, the benefit of being able to add new modules on the fly and turn existing modules off without having to recompile outweighs the slight performance hit.

For a complete list of standard modules, see httpd.apache.org/docs-2.0/mod. Although the default set of modules is reasonable, you may also want to enable the modules shown in Table 21.2.

Likewise, you may want to disable the modules listed in Table 21.3. For security and performance, it's a good idea to disable modules that you know you will not be using: every loaded module is code that is reachable from the network.

When configure has finished executing, run make and then run make install to actually compile and install the appropriate files.
Table 21.2 Useful Apache modules that are not enabled by default

Module     Function
auth_dbm   Uses a DBM database to manage user/group access (recommended if you need per-user password-based access to areas of your web site)
rewrite    Rewrites URLs with regular expressions
expires    Lets you attach expiration dates to documents
proxy      Uses Apache as a proxy server (more on this later)
ssl        Enables support for the Secure Sockets Layer (SSL) (for HTTPS)

Table 21.3 Apache modules we suggest removing

Module     Function
asis       Allows designated file types to be sent without HTTP headers
autoindex  Displays the contents of directories that don't have a default HTML file
env        Lets you set special environment variables for CGI scripts
include    Allows server-side includes, an on-the-fly content generation scheme
userdir    Allows users to have their own HTML directories
726 Chapter 21 - Web Hosting and Internet Servers
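As an added example (not code from the book), the following script ties the two halves of the installation advice together: it builds the configure command line with every module shared and the Table 21.3 modules disabled, and it checks an installed server's module list for anything from that table that is still loaded. It assumes Apache 2.0-style configure flags; the module listing comes from httpd -M, which exists from Apache 2.2 on (Apache 2.0 only has httpd -l for statically compiled modules). The sample listing is constructed.

```shell
# Added example, not from the book: build-time module selection plus a
# post-install check that none of the Table 21.3 modules is loaded.
# Assumes Apache 2.0-style configure flags; "httpd -M" exists from 2.2 on.

# Modules that Table 21.3 suggests removing.
RISKY_MODULES="asis autoindex env include userdir"

# configure_cmdline PREFIX: everything built shared, risky modules excluded.
configure_cmdline() {
    cmd="./configure --prefix=$1 --enable-mods-shared=all"
    cmd="$cmd --enable-ssl --enable-rewrite --enable-proxy --enable-expires --enable-auth-dbm"
    for m in $RISKY_MODULES; do
        cmd="$cmd --disable-$m"
    done
    printf '%s\n' "$cmd"
}

# loaded_risky_modules: read "httpd -M" output on stdin and print every
# risky module that is actually loaded, one per line (nothing if clean).
loaded_risky_modules() {
    awk -v risky="$RISKY_MODULES" '
        BEGIN {
            n = split(risky, r, " ")
            for (i = 1; i <= n; i++) want[r[i] "_module"] = 1
        }
        $1 in want { print $1 }
    '
}

# Constructed sample of what "httpd -M" prints for a stock binary package.
SAMPLE_MODULE_LIST='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 autoindex_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 ssl_module (shared)
 userdir_module (shared)'

# Sample run; on a real server pipe "httpd -M" in instead.
printf '%s\n' "$SAMPLE_MODULE_LIST" | loaded_risky_modules
```

Against the sample listing the check reports autoindex_module, env_module and userdir_module; each of those is a LoadModule line to comment out in httpd.conf (or a --disable flag at the next build), after which httpd -t and a restart complete the job.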
Configuring Apache

Once you've installed the server, configure it for your environment. The config files are kept in the conf subdirectory (e.g., /usr/local/apache2/conf). Examine and customize the httpd.conf file, which is divided into three sections.

The first section deals with global settings such as the server pool, the TCP port on which the HTTP server listens for queries (usually port 80, although you can choose another, and yes, you can run multiple HTTP servers on different ports on a single machine), and the settings for dynamic module loading.

The second section configures the "default" server, the server that handles any requests that aren't answered by VirtualHost definitions (see page 729). Configuration parameters in this section include the user and group as whom the server will run (something other than root!) and the all-important DocumentRoot statement, which defines the root of the directory tree from which documents are served. This section also addresses issues such as the handling of "special" URLs like those that include the ~user syntax to access a user's home directory.

You manage global security concerns in the second section of the configuration file as well. Directives control access on a per-file basis (the <Files> directive) or on a per-directory basis (the <Directory> directive). These permission settings prevent access to sensitive files through httpd. You should specify at least two access controls: one that covers the entire filesystem (and denies everything) and one that applies to the main document folder (and opens only what is meant to be served). The defaults that come with Apache are sufficient, although we recommend that you remove the FollowSymLinks option to prevent httpd from following symbolic links in your document tree. (We wouldn't want someone to accidentally create a symbolic link to /etc, now would we?) If you must have symlinks, SymLinksIfOwnerMatch is the safer choice: it follows a link only when the link and its target have the same owner. For more Apache security tips, see httpd.apache.org/docs-2.0/misc/security_tips.html

The third and final section of the config file sets up virtual hosts. We discuss this topic in more detail on page 729.

Once you have made your configuration changes, check the syntax of the configuration file by running httpd -t. If Apache reports "Syntax OK," then you're good to go. If not, check the httpd.conf file for typos.
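As an added example (not configuration from the book), here is the pair of access controls just described written out in Apache 2.0 syntax, a weak variant beside it, and a small audit that flags the three mistakes the text warns about: FollowSymLinks on the document tree, no filesystem-wide deny, and AllowOverride All (which lets a .htaccess file in the tree undo the global settings). Paths and the apache user/group are assumptions. Note that Apache 2.4 replaced Order/Allow/Deny with Require all denied and Require all granted; the audit's pattern for the root block would need that change there.

```shell
# Added example, not from the book: the two access controls the text calls
# for, in Apache 2.0 syntax, next to a weak variant, with an audit that
# flags FollowSymLinks, a missing filesystem-wide deny and AllowOverride All.
# Paths and the apache user are assumptions.

# Hardened skeleton: deny the whole filesystem, then open only DocumentRoot.
hardened_access_conf() {
    cat <<'EOF'
User apache
Group apache
DocumentRoot "/var/www/htdocs"
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/htdocs">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Weak variant: no filesystem-wide deny, symlinks followed, .htaccess trusted.
weak_access_conf() {
    cat <<'EOF'
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# audit_access_conf FILE: print one finding per line; prints nothing if clean.
audit_access_conf() {
    # FollowSymLinks lets a link in the doc tree expose any readable file.
    grep -n 'FollowSymLinks' "$1" | grep -v 'SymLinksIfOwnerMatch' \
        | sed 's/^/FollowSymLinks at line /'
    # Without a denying <Directory /> block, anything aliased or linked is served.
    if ! awk '/^<Directory \/>/ { inroot = 1 }
              inroot && /Deny from all/ { found = 1 }
              /^<\/Directory>/ { inroot = 0 }
              END { exit !found }' "$1"; then
        echo "no <Directory /> block that denies access"
    fi
    # AllowOverride All lets a .htaccess file in the tree undo the above.
    grep -n 'AllowOverride All' "$1" | sed 's/^/AllowOverride All at line /'
    return 0
}
```

Usage: audit_access_conf /usr/local/apache2/conf/httpd.conf before running httpd -t; the syntax check only tells you that Apache can parse the file, not that it is safe.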
Running Apache

You can start httpd by hand or from your system's startup scripts. The latter is preferable, since this configuration ensures that the web server restarts whenever the machine reboots. To start the server by hand, type something like

$ /usr/local/apache2/bin/apachectl start

(See Chapter 2 for more information about startup scripts.)

If you want to start httpd automatically at boot time, make a link in your rc directory that points to the /etc/init.d/httpd file (which is installed as part of the httpd package). It's best to start httpd late in the booting sequence, after daemons that manage functions such as routing and time synchronization have started.
Analyzing log files

With your web site in production, you're likely to want to gather statistics about the use of the site, such as the number of requests per page, the average number of requests per day, the percentage of failed requests, and the amount of data transferred. Make sure that you're using the "combined" log format (your CustomLog directives have the word combined at the end instead of common). The combined log format includes each request's referrer (the page from which the URL was linked) and user agent (the client's browser and operating system).

Your access and error logs appear in Apache's logs directory. The files are human readable, but they contain so much information that you really need a separate analysis program to extract useful data from them. There are literally hundreds of different log analyzers, both free and commercial.

Two free analyzers worth taking a look at are Analog (www.analog.cx) and AWStats (awstats.sourceforge.net). These both provide fairly basic information. If you want reports with a bit more pizzazz, you may need a commercial package. A helpful list can be found at www.practicalapplications.net/kb/loganalysis.html.
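As an added example (not from the book), the following awk script produces the statistics listed above from a combined-format log before you reach for Analog or AWStats: requests per page, the percentage of failed requests (status 400 and up), bytes transferred and hits per user agent. Splitting each line on the double quote isolates the request, referrer and user-agent fields, which contain spaces. The log lines are constructed; the last one shows the kind of traversal attempt that the failed-request count makes visible.

```shell
# Added example, not from the book: a first-pass summary of a combined-format
# access log with awk. The log lines below are constructed.

SAMPLE_ACCESS_LOG='10.1.2.3 - - [10/Mar/2006:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
10.1.2.3 - - [10/Mar/2006:13:55:37 -0700] "GET /logo.png HTTP/1.1" 200 2048 "http://www.company.com/index.html" "Mozilla/5.0 (X11; Linux)"
10.1.2.9 - - [10/Mar/2006:13:56:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.1.2.9 - - [10/Mar/2006:13:56:02 -0700] "GET /missing.html HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.77 - - [10/Mar/2006:13:57:10 -0700] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 403 291 "-" "-"'

# summarize_access_log: read combined-format lines on stdin. With the double
# quote as separator, $2 is the request line, $4 the referrer, $6 the user
# agent, and $3 holds the status and byte count between them.
summarize_access_log() {
    awk -F'"' '
        {
            split($2, req, " ")                  # method, path, protocol
            split($3, rest, " ")                 # status, bytes
            total++
            page[req[2]]++
            if (rest[1] + 0 >= 400) failed++
            if (rest[2] != "-") bytes += rest[2]
            agent[$6]++
        }
        END {
            printf "requests=%d failed=%d failed_pct=%.1f bytes=%d\n",
                   total, failed, total ? 100 * failed / total : 0, bytes
            for (p in page) printf "page %s %d\n", p, page[p]
            for (a in agent) printf "agent %s %d\n", a, agent[a]
        }'
}

# Sample run; on a real server use: summarize_access_log < logs/access_log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | summarize_access_log
```

For the sample log the summary line reads requests=5 failed=2 failed_pct=40.0 bytes=12891. A user agent of "-" paired with 403 responses, as in the last line, is a typical scanner signature and is worth a second look in the error log.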
Optimizing for high-performance hosting of static content

The hosting community has learned over the last few years that one of the easiest ways to create a high-performance hosting platform is to optimize some servers for hosting static content. Linux offers unique functionality in this arena through the TUX web server.

TUX is a kernel-based web server that runs in conjunction with a traditional web server such as Apache. Whenever possible, TUX serves up static pages without ever leaving kernel space, in much the same way that rpc.nfsd serves files. This architecture eliminates the need to copy data between kernel and user space and minimizes the number of context switches. TUX is not recommended for beginners, but it's an excellent choice for sites that must serve up static content with lightning speed. Keep in mind that a server that runs in kernel space also fails in kernel space: a bug in TUX is a kernel bug, not a crashed daemon.

Although TUX was developed by Red Hat (and is available from www.redhat.com), it's been released under the GPL and can be used with other Linux distributions. However, configuring TUX can be somewhat of a challenge. For details, see www.redhat.com/docs/manuals/tux (TUX never entered the mainline kernel and is no longer shipped by current distributions.)
21.3 VIRTUAL INTERFACES

In the early days, a machine typically acted as the server for a single web site (e.g., www.acme.com). As the web's popularity grew, everybody wanted to have a web site, and overnight, thousands of companies became web hosting providers.

Providers quickly realized that they could achieve significant economies of scale if they were able to host more than one site on a single server. This trick would allow www.acme.com, www.ajax.com, www.toadranch.com, and many other sites to be transparently served by the same hardware. In response to this business need, virtual interfaces were born.

Virtual interfaces allow a daemon to identify connections based not only on the destination port number (e.g., port 80 for HTTP) but also on the connection's destination IP address. Today, virtual interfaces are in widespread use and have proved to be useful for applications other than web hosting.

The idea is simple: a single machine responds on the network to more IP addresses than it has physical network interfaces. Each of the resulting "virtual" network interfaces can be associated with a corresponding domain name that users on the Internet might want to connect to. Thus, a single machine can serve literally hundreds of web sites.

Using name-based virtual hosts

The HTTP 1.1 protocol also defines a form of virtual-interface-like functionality (officially called "name-based virtual hosts") that eliminates the need to assign unique IP addresses to web servers or to configure a special interface at the OS level. This approach conserves IP addresses and is useful for some sites, especially those at which a single server is home to hundreds or thousands of home pages (such as universities).

Unfortunately, the scheme isn't very practical for commercial sites. It reduces scalability (you must change the IP address of the site to move it to a different server) and may also have a negative impact on security (if you filter access to a site at your firewall according to IP addresses). Additionally, name-based virtual hosts cannot use SSL, because the server must present its certificate before it has seen the Host header. (The TLS Server Name Indication extension has since removed this restriction; current browsers and Apache releases from 2.2.12 on support it, but the Apache 2.0 configurations described here do not.) It appears that true virtual interfaces will be around for a while.
Configuring virtual interfaces

Setting up a virtual interface involves two steps. First, you must create the virtual interface at the TCP/IP level. Second, you must tell the Apache server about the virtual interfaces you have installed. We cover this second step starting on page 729.

Linux virtual interfaces are named with an interface:instance notation. For example, if your Ethernet interface is eth0, then the virtual interfaces associated with it could be eth0:0, eth0:1, and so on. All interfaces are configured with the ifconfig command. For example, the command

# ifconfig eth0:0 128.138.243.150 netmask 255.255.255.192 up

configures the interface eth0:0 and assigns it an address on the 128.138.243.128/26 network. (On current distributions, where ifconfig is deprecated, the equivalent is ip addr add 128.138.243.150/26 dev eth0 label eth0:0.)

To make virtual address assignments permanent on Red Hat and Fedora, you create a separate file for each virtual interface in /etc/sysconfig/network-scripts. For example, the file ifcfg-eth0:0 corresponding to the ifconfig command shown above contains the following lines.
DEVICE=eth0:0
IPADDR=128.138.243.150
NETMASK=255.255.255.192
NETWORK=128.138.243.128
BROADCAST=128.138.243.191
ONBOOT=yes

Debian's and Ubuntu's approaches are similar to Red Hat's, but the interface definitions must appear in the file /etc/network/interfaces. The entries corresponding to the eth0:0 interface in our example above are

iface eth0:0 inet static
    address 128.138.243.150
    netmask 255.255.255.192
    broadcast 128.138.243.191

On SUSE systems you can either create virtual interfaces with YaST or you can create interface files manually.

Under SUSE, an interface's IP addresses are all configured within a single file. To configure the files manually, look in the /etc/sysconfig/network directory for files whose names start with ifcfg-ifname. The filenames for real interfaces include a hairy-looking 6-byte MAC address; those are the ones you want.

For example, one of the config files might contain the following entries to define two virtual interfaces:

IPADDR_0=128.138.243.149
NETMASK_0=255.255.255.192
LABEL_0=0
IPADDR_1=128.138.243.150
NETMASK_1=255.255.255.192
LABEL_1=1
STARTMODE=onboot
NETWORK=128.138.243.128

The suffixes that follow IPADDR and NETMASK (here, _0 and _1) don't have to be numeric, but for consistency this is a reasonable convention.
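As an added example (not from the book), the script below derives the NETWORK and BROADCAST values from an address/netmask pair, the two fields most often wrong in hand-written interface files, and emits the Red Hat and Debian stanzas shown above. It is plain POSIX shell arithmetic; the device name and addresses are parameters.

```shell
# Added example, not from the book: compute NETWORK/BROADCAST from an
# address and netmask and print the ifcfg / interfaces stanzas.

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR MASK: address AND mask
network_of() { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }

# broadcast_of ADDR MASK: address OR the inverted mask (4294967295 - mask)
broadcast_of() { int_to_ip $(( $(ip_to_int "$1") | (4294967295 - $(ip_to_int "$2")) )); }

# redhat_ifcfg DEVICE ADDR MASK: contents of ifcfg-DEVICE for Red Hat/Fedora
redhat_ifcfg() {
    printf 'DEVICE=%s\nIPADDR=%s\nNETMASK=%s\nNETWORK=%s\nBROADCAST=%s\nONBOOT=yes\n' \
        "$1" "$2" "$3" "$(network_of "$2" "$3")" "$(broadcast_of "$2" "$3")"
}

# debian_stanza DEVICE ADDR MASK: the matching /etc/network/interfaces entry
debian_stanza() {
    printf 'iface %s inet static\n    address %s\n    netmask %s\n    broadcast %s\n' \
        "$1" "$2" "$3" "$(broadcast_of "$2" "$3")"
}

# Sample run with the address from the text (128.138.243.128/26).
redhat_ifcfg eth0:0 128.138.243.150 255.255.255.192
```

Running it with the address from the text prints NETWORK=128.138.243.128 and BROADCAST=128.138.243.191; a wrong broadcast address is one of the quieter causes of a virtual interface that answers pings but never sees directed broadcasts.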
Telling Apache about virtual interfaces

In addition to creating the virtual interfaces, you need to tell Apache what documents to serve when a client tries to connect to each interface (IP address). You do this with a VirtualHost clause in the httpd.conf file. There is one VirtualHost clause for each virtual interface that you've configured. Here's an example:

<VirtualHost 128.138.243.150>
    ServerName www.company.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/htdocs/company
    ErrorLog logs/www.company.com-error_log
    CustomLog logs/www.company.com-access_log combined
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/company
</VirtualHost>

In this example, any client that connects to the virtual host 128.138.243.150 is served documents from the directory /var/www/htdocs/company. Nearly any Apache directive can go into a VirtualHost clause to define settings specific to that virtual host. Relative directory paths, including those for the DocumentRoot, ErrorLog, and CustomLog directives, are interpreted in the context of the ServerRoot.

With name-based virtual hosts, multiple DNS names all point to the same IP address. The Apache configuration is similar, but you first name the IP address on which Apache should listen for name-based requests with a NameVirtualHost directive; the argument of each VirtualHost clause must then match that directive's argument exactly, and Apache tells the hosts apart by their ServerName rather than by address:

NameVirtualHost 128.138.243.150
<VirtualHost 128.138.243.150>
    ServerName www.company.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/htdocs/company
    ErrorLog logs/www.company.com-error_log
    CustomLog logs/www.company.com-access_log combined
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/company
</VirtualHost>

In this configuration, Apache looks in the HTTP headers to determine the requested site. The server listens for requests for www.company.com on its main IP address, 128.138.243.150. A request whose Host header matches none of the VirtualHost clauses is served by the first one listed, so make the first clause a deliberate default rather than whichever site happened to be configured first.
21.4 THE SECURE SOCKETS LAYER (SSL)

The SSL[1] protocol secures communications between a web site and a client browser. URLs that start with https:// use this technology. SSL uses cryptography to prevent eavesdropping, tampering, and message forgery.

The browser and server use a certificate-based authentication scheme to establish communications, after which they switch to a faster cipher-based encryption scheme to protect their actual conversation. (More precisely, public-key operations authenticate the server and establish a session key; the session itself is protected with a symmetric cipher.)

SSL runs as a separate layer underneath the HTTP application protocol. SSL simply supplies the security for the connection and does not involve itself in the HTTP transaction. Because of this hygienic architecture, SSL can secure not only HTTP but also protocols such as SMTP, NNTP, and FTP. For more details, see the Wikipedia entry for "Secure Sockets Layer."

In the "early days" of SSL use, most symmetric encryption keys were a relatively weak 40 bits because of U.S. government restrictions on the export of cryptographic technology. After years of controversy and lawsuits, the government relaxed some aspects of the export restrictions, allowing SSL implementations to use 128-bit keys for symmetric key ciphers. (See page 949 for more details on the legal issues surrounding cryptography.)

1. Transport Layer Security (TLS) is the successor to SSL and is implemented in all modern browsers. However, the web community still refers to the overall protocol/concept as SSL. SSL itself (versions 2.0 and 3.0) has since been deprecated as insecure; a current server should offer only TLS.
Generating a certificate signing request

The owner of a web site that is to use SSL must generate a Certificate Signing Request (CSR), a digital file that contains a public key and a company name. The "certificate" must then be "signed" by a trusted source known as a Certificate Authority (CA). The signed certificate returned by the CA contains the site's public key and company name along with the CA's endorsement.

Web browsers have built-in lists of CAs whose signed certificates they will accept. A browser that knows of your site's CA can verify the signature on your certificate and obtain your public key, thus enabling it to send messages that only your site can decrypt. Although you can actually sign your own certificate, a certificate that does not come from a recognized CA prompts most browsers to notify the user that the certificate is potentially suspect. In a commercial setting, such behavior is obviously a problem. But if you want to set up your own certificate authority for internal use and testing, see httpd.apache.org/docs/2.0/ssl/ssl_faq.html#aboutcerts.

You can obtain a certificate signature from any one of a number of certificate authorities. Enter "SSL certificate" into Google and take your pick. The only real differences among CAs are the amount of work they do to verify your identity, the warranties they offer, and the number of browsers that support them out of the box (most CAs are supported by the vast majority of browsers).

Creating a certificate to send to a CA is relatively straightforward. OpenSSL must be installed, which it is by default on most distributions. Here is the procedure.

First, create a 1024-bit RSA private key for your Apache server:

$ openssl genrsa -des3 -out server.key 1024

(1024 bits was the norm when this was written; public CAs now refuse to sign keys shorter than 2048 bits, so use 2048 or larger.) You are prompted to enter and confirm a passphrase to encrypt the server key. Back up the server.key file to a secure location (readable only by root), and be sure to remember the passphrase you entered. The curious can view the numeric details of the key with this command:

$ openssl rsa -noout -text -in server.key

Next, create a Certificate Signing Request (CSR) that incorporates the server key you just generated:

$ openssl req -new -key server.key -out server.csr

Enter the fully qualified domain name of the server when you are prompted to enter a "common name." For example, if your site's URL is https://www.company.com, enter "www.company.com" as your common name. Note that you need a separate certificate for each hostname, even to the point that "company.com" is different from "www.company.com." Companies typically register only one common name; they make sure any SSL-based links point to that hostname. (Current browsers match the hostname against the certificate's subjectAltName extension rather than the common name, so ask your CA to list every name you need there.)
You can view the details of a generated CSR with the following command:

$ openssl req -noout -text -in server.csr

You can now send the server.csr file to the CA of your choice to be signed. It is not necessary to preserve your local copy. The signed certificate returned by the CA should have the extension .crt. Put the signed certificate in the same secure place as your private key.
Configuring Apache to use SSL

HTTP requests come in on port 80, and HTTPS requests use port 443. Both HTTPS and HTTP traffic can be served by the same Apache process. However, SSL does not work with name-based virtual hosts; each virtual host must have a specific IP address. (This limitation is a consequence of SSL's design: the certificate is sent before the Host header arrives. The Server Name Indication extension to TLS removes it in Apache 2.2.12 and later.)

To set up Apache for use with SSL, first make sure that the SSL module is enabled within httpd.conf by locating or adding the line

LoadModule ssl_module libexec/mod_ssl.so

and that httpd is actually listening on the HTTPS port (add Listen 443 if it isn't). Then add a VirtualHost directive for the SSL port:

<VirtualHost 128.138.243.150:443>
    ServerName www.company.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/htdocs/company
    ErrorLog logs/www.company.com-ssl-error_log
    CustomLog logs/www.company.com-ssl-access_log combined
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/company
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>

Note the :443 after the IP address and the SSL directives that tell Apache where to find your private key and signed certificate.

When you restart Apache, you will be asked to enter the passphrase for your server.key file. Because of this interaction, httpd can no longer start up automatically when the machine is booted. If you want, you can remove the encryption from your private key to circumvent the need to enter a password:

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ chmod 400 server.key server.key.org

Of course, anyone who obtains a copy of your unencrypted key can then impersonate your site, so the key file must stay readable by root only and must never end up in a world-readable backup or a version control repository. (The SSLPassPhraseDialog directive offers a middle ground: it can run a program of your choosing that supplies the passphrase at startup.)
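As an added example (not from the book) serving both the CSR procedure in "Generating a certificate signing request" and the key handling just described, the script below generates the key and CSR non-interactively and then performs the checks worth running before the CSR goes to the CA and before an unencrypted key goes into conf/ssl.key: that the CSR was really built from this key (same RSA modulus), that the common name is the hostname clients will use, and that nobody but the owner can read the key file. It needs openssl and GNU stat; the hostname, subject fields and directory are parameters. It uses 2048-bit RSA because public CAs no longer sign 1024-bit keys.

```shell
# Added example, not from the book: key and CSR generation with the checks
# a practitioner runs before sending the CSR off or installing the key.
# Needs openssl and GNU stat; hostname and directory are parameters.

# make_key_and_csr DIR HOSTNAME: write DIR/server.key (unencrypted, mode 400)
# and DIR/server.csr. Runs in a subshell so the umask change does not leak.
make_key_and_csr() (
    umask 077                                  # files are created owner-only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 400 "$1/server.key"
    # -subj replaces the interactive prompts; CN must be the FQDN clients use.
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/O=Company/CN=$2" 2>/dev/null
)

# csr_matches_key KEY CSR: succeed only if the CSR was built from KEY
# (same RSA modulus). Catches a CSR generated against the wrong key.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl req -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# csr_common_name CSR: print the CN, to compare with the site's hostname.
# Handles both "subject=/C=.../CN=host" and "subject=C = ..., CN = host".
csr_common_name() {
    openssl req -noout -subject -in "$1" | sed 's|.*CN *= *||; s|[,/].*||'
}

# key_is_private KEY: fail if group or world can read the key file.
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Usage: make_key_and_csr /root/ssl www.company.com, then csr_matches_key /root/ssl/server.key /root/ssl/server.csr and key_is_private /root/ssl/server.key before anything is copied into the Apache tree. When the signed server.crt comes back, the same modulus comparison applies to it: openssl x509 -noout -modulus -in server.crt must print the same value as the key.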
For more information about SSL, see the following resources:

httpd.apache.org/docs-2.0/ssl/ssl_faq.html
httpd.apache.org/docs/2.0/mod/mod_ssl.html
21.5 CACHING AND PROXY SERVERS

The Internet and the information on it are growing rapidly. Ergo, the bandwidth and computing resources required to support it are growing rapidly as well. How can this state of affairs continue?

The only way to deal with this growth is to use replication. Whether it's on a national, regional, or site level, Internet content needs to be more readily available from a closer source as the Internet grows. It just doesn't make sense to transmit the same popular web page from Australia across a very expensive link to North America millions of times each day. There should be a way to store this information once it's been sent across the link once. Fortunately, there is.

The Squid cache and proxy server

One answer is the freely available Squid Internet Object Cache.[2] This package is both a caching and a proxy server that supports several protocols, including HTTP, FTP, and SSL.

Here's how it works. Client web browsers contact the Squid server to request an object from the Internet. The Squid server then makes a request on the client's behalf (or provides the object from its cache, as discussed in the following paragraph) and returns the result to the client. Proxy servers of this type are often used to enhance security or to filter content.

In a proxy-based system, only one machine needs direct access to the Internet through the organization's firewall. At organizations such as K-12 schools, a proxy server can also filter content so that inappropriate material doesn't fall into the wrong hands. Many commercial and freely available proxy servers (some based on Squid, some not) are available today. Some of these systems are purely software-based (like Squid), and others are embodied in a hardware appliance (e.g., BlueCoat; see www.cacheflow.com). An extensive list of proxy server technologies can be found at www.web-caching.com/proxy-caches.html

Proxy service is nice, but it's the caching features of Squid that are really worth getting excited about. Squid not only caches information from local user requests but also allows construction of a hierarchy of Squid servers.[3] Groups of Squid servers use the Internet Cache Protocol (ICP) to communicate information about what's in their caches.
With this feature, administrators can build a system in which local users contact an on-site caching server to obtain content from the Internet. If another user at that site has already requested the same content, a copy can be returned at LAN speed (usually 100 Mb/s or greater). If the local Squid server doesn't have the object, perhaps the server contacts the regional caching server. As in the local case, if anyone in the region has requested the object, it is served immediately. If not, perhaps the caching server for the country or continent can be contacted, and so on. Users perceive a performance improvement, so they are happy.

2. Why "Squid"? According to the FAQ, "all the good names were taken."
3. Unfortunately, some sites mark all their pages as being uncacheable, which prevents Squid from working its magic. In a similar vein, Squid isn't able to cache dynamically generated pages.
For many, Squid offers economic benefits. Because users tend to share web discoveries, significant duplication of external web requests can occur at a reasonably sized site. One study has shown that running a caching server can reduce external bandwidth requirements by up to 40%.

To make effective use of Squid, you'll likely want to force your users to use the cache. Either configure a default proxy through Active Directory (in a Windows-based environment) or configure your router to redirect all web-based traffic to the Squid cache by using the Web Cache Communication Protocol, WCCP.

Setting up Squid

Squid is easy to install and configure. Since Squid needs space to store its cache, you should run it on a dedicated machine that has a lot of free memory and disk space. A configuration for a relatively large cache would be a machine with 2GB of RAM and 200GB of disk.

You can grab the Squid package in RPM or apt-get format from your distribution vendor, or you can download a fresh copy of Squid from www.squid-cache.org. If you choose the compile-your-own path, run the configure script at the top of the source tree after you unpack the distribution. This script assumes that you want to install the package in /usr/local/squid. If you prefer some other location, use the --prefix=dir option to configure. After configure has completed, run make all and then make install.

Once you've installed Squid, you must localize the squid.conf configuration file. See the QUICKSTART file in the distribution directory for a list of the changes you need to make to the sample squid.conf file. The localization that matters most is the http_access rule set: a cache that accepts requests from any client is an open proxy, and outsiders will find and abuse it within days.

You must also run squid -z by hand to build and zero out the directory structure in which cached web pages will be stored. Finally, you can start the server by hand with the RunCache script; you will eventually want to call this script from your system's rc files so that they start the Squid server when the machine boots.

To test Squid, configure your desktop web browser to use the Squid server as a proxy. This option is usually found in the browser's preferences panel.
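As an added example (not from the book or the Squid distribution), here is the part of the squid.conf localization that keeps a new cache from becoming an open proxy, together with a check that the http_access rules actually close it. The port, cache size and local network range are assumptions. The check insists on the explicit "deny all" that the Squid documentation recommends as the last rule; Squid's own fallback for a request that matches no rule is the opposite of the last rule, which is easy to get wrong when rules are added later.

```shell
# Added example, not from the book: minimal squid.conf access rules plus a
# check that the proxy is closed to outsiders. Network range, port and
# cache size are assumptions.

squid_conf_skeleton() {
    cat <<'EOF'
http_port 3128
cache_dir ufs /usr/local/squid/var/cache 100000 16 256
acl localnet src 128.138.0.0/16
acl Safe_ports port 80 443 21
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
EOF
}

# squid_access_is_closed FILE: succeed if no "allow all" rule exists and the
# http_access list ends in "deny all", so anything the ACLs do not allow is
# refused. Fails on an empty rule set as well.
squid_access_is_closed() {
    awk '
        $1 == "http_access" { rules[++n] = $2 " " $3 }
        END {
            if (n == 0) exit 1
            for (i = 1; i <= n; i++)
                if (rules[i] == "allow all") exit 1   # nothing after this applies
            exit (rules[n] == "deny all") ? 0 : 1
        }' "$1"
}
```

Usage: squid_access_is_closed /usr/local/squid/etc/squid.conf before starting RunCache; a cheap follow-up from a host outside localnet is a browser pointed at port 3128, which should get Squid's access-denied page.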
21.6 ANONYMOUS FTP SERVER SETUP

FTP is one of the oldest and most basic services on the Internet, yet it continues to be used today. Although FTP has a variety of internal uses, the most common application on the Internet continues to be "anonymous FTP," by which users that do not have accounts at your site can download files you have made available.

FTP is useful for distributing bug fixes, software, document drafts, and the like, but these days HTTP servers have all but replaced FTP servers. The arguments in favor of FTP are relatively weak: FTP can be a bit more reliable, and users don't need a web browser to access an FTP site (although of course, they need an FTP client).

Use vanilla FTP only when anonymous access is required. For nonanonymous applications, use the secure variant SFTP. FTP transmits passwords in plaintext and has a history of security incidents.

ftpd is managed by inetd and therefore has an entry in the /etc/inetd.conf and /etc/services files. (If your distribution uses xinetd instead of inetd, a file should exist in /etc/xinetd.d for ftpd instead.) When an FTP user logs in anonymously, ftpd executes a chroot (short for "change root") system call to make files outside the ~ftp directory invisible and inaccessible. Because of the public nature of anonymous FTP, it is important that ftpd be configured correctly so that sensitive files are not accidentally made available to the whole world.
To allow anonymous ftp to your site, take the following steps in the sequence listed:

1. Add the user "ftp" to your regular password and shadow password files (the ftp user should already exist on all distributions except for Debian). No one needs to log in to the ftp account, so use an "x" as ftp's password. It's also a good idea to specify /sbin/nologin or /bin/false as ftp's login shell.

2. Create ftp's home directory if it doesn't already exist.

3. Create subdirectories bin, etc, lib, and pub beneath ~ftp. Since an anonymous ftp session runs chrooted to ~ftp, the subdirectories bin and etc must provide a copy of all the commands and configuration information needed by ftpd. After the chroot, ~ftp/bin and ~ftp/etc masquerade as /bin and /etc.

4. Copy the /bin/ls program to the ~ftp/bin directory. For added security, make ~ftp/bin/ls execute-only by setting its mode to 111. This tweak prevents clients from copying the binary and studying it for weaknesses.

5. Copy or hard-link the shared libraries needed by ls to ~ftp/lib. Check the documentation for your distribution to find out which files are necessary (ldd /bin/ls lists them). Note that hard linking works only if the files live in the same disk partition.

6. Copy /etc/passwd and /etc/group to ~ftp/etc.

7. Edit the passwd and group files. ftpd uses only the ls command and skeletal copies of /etc/passwd and /etc/group from ~ftp/etc. The passwd and group files under ~ftp should contain only root, daemon, and ftp; and the password fields should contain "x".

8. Set the proper permissions on files and directories under ~ftp. We recommend that permissions be set as shown in Table 21.4.

9. Edit /etc/ftpusers and remove the entries for "ftp" and "anonymous" to enable anonymous users to log in.

10. Put the files you want to make available in ~ftp/pub.
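As an added example (not from the book), the script below carries out steps 3 through 8 under a directory of your choosing and then audits the result against Table 21.4 and the rule that nothing under ~ftp may be writable. Building the real tree must be done as root so that the files end up owned by root; the audit needs GNU stat and works as any user. The library list for ls comes from ldd; the ftp uid/gid in the skeletal passwd file are assumptions.

```shell
# Added example, not from the book: build the chrooted ~ftp tree from the
# steps above and audit it against Table 21.4. Run the build as root on a
# real system; the audit needs GNU stat. uid/gid values are assumptions.

# build_ftp_tree FTP_HOME
build_ftp_tree() {
    home="$1"
    mkdir -p "$home/bin" "$home/etc" "$home/lib" "$home/pub"
    [ -x /bin/ls ] && cp /bin/ls "$home/bin/ls"
    # Copy the libraries ls needs. Note: the dynamic loader itself (e.g.
    # /lib64/ld-linux-x86-64.so.2) must also exist at its absolute path
    # inside the chroot; ldd lists it, but this loop copies it into lib only.
    for lib in $(ldd /bin/ls 2>/dev/null | awk '/=>/ { print $3 } /^[ \t]*\// { print $1 }' || true); do
        [ -f "$lib" ] && cp "$lib" "$home/lib/"
    done
    # Skeletal passwd and group: only root, daemon and ftp, passwords "x".
    printf 'root:x:0:0:root:/:/sbin/nologin\ndaemon:x:1:1:daemon:/:/sbin/nologin\nftp:x:14:50:FTP User:/:/sbin/nologin\n' \
        > "$home/etc/passwd"
    printf 'root:x:0:\ndaemon:x:1:\nftp:x:50:\n' > "$home/etc/group"
    chmod 444 "$home/etc/passwd" "$home/etc/group"
    [ -f "$home/bin/ls" ] && chmod 111 "$home/bin/ls"
    chmod 555 "$home/bin" "$home/etc" "$home/lib" "$home/pub" "$home"
    return 0
}

# audit_ftp_tree FTP_HOME: print one finding per line; nothing if all is well.
audit_ftp_tree() {
    home="$1"
    for spec in .:555 bin:555 bin/ls:111 etc:555 etc/passwd:444 etc/group:444 pub:555 lib:555; do
        path="$home/${spec%%:*}"
        want="${spec##*:}"
        if [ ! -e "$path" ]; then
            echo "missing $path"
            continue
        fi
        have=$(stat -c '%a' "$path")
        [ "$have" = "$want" ] || echo "$path is mode $have, want $want"
    done
    # Writable directories anywhere under ~ftp become drop boxes for warez.
    find "$home" -type d \( -perm -002 -o -perm -020 \) | sed 's/$/ is group- or world-writable/'
    return 0
}
```

Usage on the real server: build_ftp_tree ~ftp as root, then audit_ftp_tree ~ftp, and chown -R root everything it created; rerun the audit from cron, since a "temporary" incoming directory is how most warez nests start.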


One of the biggest security risks of anonymous FTP results from allowing users to deposit files in FTP directories. World-writable directories, no matter how obscure, quickly become "nests" where hackers and kids looking to trade warez can store files, sucking up all your bandwidth and putting you right in the middle of a chain of activities that's probably undesirable, if not downright illegal. Don't be part of the problem; never allow writable anonymous FTP directories on your system.
21.7 EXERCISES

E21.1 Configure a virtual interface on your workstation. Run ifconfig before and after to see what changed. Can you ping the virtual interface from another machine on the same subnet? From a different network? Why or why not? (Requires root access.)

E21.2 With a packet sniffer (tcpdump), capture a two-way HTTP conversation that uploads information (e.g., filling out a form or a search field). Annotate the session to show how your browser conveyed information to the web server. (Requires root access.)

E21.3 Use a packet sniffer to capture the traffic when you open a busy web page such as the home page for amazon.com or cnn.com. How many separate TCP connections are opened? Who initiates them? Could the system be made more efficient? (Requires root access.)

E21.4 Locate log files from an Internet-accessible web server, perhaps the main server for your site. Examine the log files. What can you say about the access patterns over a period of a few hours? What errors showed up during that period? What privacy concerns are illustrated by the contents of the log files? (May require root access.)
Table 21.4 Recommended permissions under ~ftp

File/Dir         Owner  Mode
~ftp             root   555
~ftp/bin         root   555
~ftp/bin/ls      root   111
~ftp/etc         root   555
~ftp/etc/passwd  root   444
~ftp/etc/group   root   444
~ftp/pub         root   555
~ftp/lib         root   555
E21.5 Install Apache on your system and create a couple of content pages. From other machines, verify that your web server is operating. Find the Apache log files that let you see what browsers are hitting your server. Configure Apache to serve some of its content pages to the virtual interface created in E21.1. (Requires root access.)
SECTION THREE
BUNCH O' STUFF

22 The X Window System

The X Window System, also called X11 or simply X, is the foundation for most graphical user environments for UNIX and Linux. X is the natural successor to a window system called (believe it or not) W, which was developed as part of MIT's Project Athena in the early 1980s. Version 10 of the X Window System, released in 1985, was the first to achieve widespread deployment, and version 11 (X11) followed shortly thereafter. Thanks to the system's relatively liberal licensing terms, X spread quickly to other platforms, and multiple implementations emerged.

In 1988, the MIT X Consortium was founded to set the overall direction for the X protocol. Over the next decade, this group and its successors issued a steady stream of protocol updates. X11R7.1 is today's latest and greatest, with the trend apparently heading toward adding new numbers to the version designation instead of incrementing the existing ones.

XFree86 became the de facto X server implementation for Linux (and many other platforms) until a licensing change in 2004 motivated many distributions to switch to a fork of XFree86 that was unencumbered by the new licensing clause. That fork is maintained by the nonprofit X.Org Foundation and is the predominant Linux implementation today. In addition, the X.Org server has been ported to Windows for use in the Cygwin Linux compatibility environment. (Several commercial X servers for Windows are also available; see page 823 for more information.)
This chapter describes the X.Org version of X, which is used by all our example distributions. The implementations of X.Org and XFree86 have diverged architecturally, but most of the administrative details remain the same. It is often possible to substitute "xf86" for "xorg" in commands and filenames to guess at the appropriate XFree86 version. XFree86 is becoming more obsolete by the day and will not be discussed further here.
The X Window System can be broken down into a few key components. First, it
provides a display manager whose main job is to authenticate users, log them in, and
start up an initial environment from startup scripts. The display manager also starts
the X server, which defines an abstract interface to the system's bitmapped displays
and input devices (e.g., keyboard and mouse). The startup scripts also run a window
manager, which allows the user to move, resize, minimize, and maximize windows,
as well as to manage separate virtual desktops. Finally, at the lowest level,
applications are linked to a widget library that implements high-level user interface
mechanisms such as buttons and menus. Exhibit A illustrates the relationship between
the display manager, the X server, and client applications.
Exhibit A  The X client/server model
The X server understands only a very basic set of drawing primitives over a network
API; it does not define a programming interface to high-level entities such as buttons,
text boxes, menus, and sliders. This design achieves two important goals. First, it
allows the X server to run on a completely separate computer from the client
application. Second, it allows the server to support a variety of different window
managers and widget sets.
Application developers have their choice of several common widget libraries and
user interface standards. Unfortunately, the choice often depends more on religious
affiliation than on any real design considerations. Although freedom of choice is
good, X's user interface agnosticism has arguably resulted in many years of poor
user interfaces.
In this chapter, we explain how to run programs on a remote display and how to
enable authentication. We then discuss how to configure the X.Org server and how
to troubleshoot configuration errors. Finally, we touch briefly on some of the
available window managers and desktop environments.
[Exhibit A, figure: the display manager (launches the X server, requests login and
password, runs startup scripts, handles the XDM control protocol) starts the X server
(manages the display, manages input devices). X clients, the window manager, and
the display environment (= widget library) talk to the X server over the X network
protocol.]
22.1 THE X DISPLAY MANAGER
The display manager is the first thing a user usually sees when sitting down at the
computer. It is not required; many users disable the display manager and start X
from the text console or from their .login script by running startx (which itself is a
wrapper for the xinit program, which starts the X server).

On the other hand, the display manager sports an attractive, user-friendly login
screen and adds some extra configurability. The display manager can allow remote
logins to other X servers through the XDMCP protocol. XDMCP runs over UDP port
177 and is not encrypted, so leave it disabled (the way most distributions ship it)
unless you need it, and never expose it beyond a trusted network. The display
manager can also handle display authentication (see Client authentication on page
745). The original display manager is called xdm (for X display manager), but
modern replacements such as gdm (the GNOME display manager) and kdm (the KDE
display manager) deliver more or less the same set of features and are much better
looking.
In the typical scenario, the display manager launches the X server, authenticates the
user, logs the user into the system, and executes the user's startup scripts. A set of
configuration files, most often located in the /etc/X11/xdm directory, specifies how
xdm will run. For example, you might want to edit the Xservers file to change the
display number used for this server if multiple servers will be running on other
virtual terminals. Or, you might alter the server layout with the -layout option if you
have defined layouts to suit multiple systems.
See page 81 for more information about PAM.
After launching the X server, xdm prompts for a username and password. The user's
password is authenticated according to the PAM modules (Pluggable Authentication
Modules) specified in /etc/pam.d/xdm (or /etc/pam.d/kdm and /etc/pam.d/gdm if
you are using the KDE or GNOME display managers). The login screen can also
present the option to log in to several alternative desktop environments, including
the important failsafe option discussed below.
The display manager's final duty is to execute the Xsession shell script, which sets
up the user's desktop environment. The Xsession script, also most often found in
/etc/X11/xdm, is a system-wide startup script. It sets application defaults, installs
standard key bindings, and selects language settings. The Xsession script then
executes the user's own personal startup script, usually called ~/.xsession, to start
up the window manager, task bar, helper applets, and possibly other programs.
GNOME and KDE have their own startup scripts that configure the user's desktop in
accordance with GNOME's and KDE's configuration tools; this scheme is less
error-prone than users' editing of their own startup scripts.
When the execution of ~/.xsession completes, the user is logged out of the system
and the display manager goes back to prompting for a username and password.
Therefore, ~/.xsession must start all programs in the background (by appending an
& to the end of each command) except for the last one, which is normally the window
manager. (If all commands in ~/.xsession are run in the background, the script
terminates right away and the user is logged out immediately after logging in.) With
the window manager as the final, foreground process, the user is logged out only
after the window manager exits. Starting that last command with exec (so that the
window manager replaces the script's shell rather than running as its child) makes
the intent explicit and saves a process.
The failsafe login option lets users log in to fix their broken startup scripts. This
option can usually be selected from the display manager's login screen. It opens only
a simple terminal window; once the window closes, the system logs the user out.
Every system should allow the failsafe login option; it helps users fix their own
messes rather than having to page you in the middle of the night.
Forgetting to leave a process in the foreground is the most common startup problem,
but it's hardly the only possibility. If the cause of problems is not obvious, you may
have to refer to the ~/.xsession-errors file, which contains the output of the
commands run from ~/.xsession. Look for errors or other unexpected behavior. In a
pinch, move the ~/.xsession script aside completely and make sure you can log in
without it. Then restore one or two lines at a time until you find the offending line.
22.2 RUNNING AN X APPLICATION
The process required to run an X application may at first seem overly complicated.
However, you will soon discover the flexibility provided by the client/server display
model. Because display updates are transmitted over the network, an application
(the client) can run on a completely separate computer from the one that displays its
graphical user interface (the server). An X server can have connections from many
different applications, all of which run on separate computers.
To make this model work, clients must be told what display to connect to and what
screen to inhabit on that display. Once connected, clients must authenticate
themselves to the X server to ensure that the person sitting in front of the display has
authorized the connection.
See page 97 for more information about SSH.
Even with authentication, X's intrinsic security is relatively weak. You can manage
connections more securely by routing them through SSH (see X connection
forwarding with SSH on page 747). We strongly recommend the use of SSH for X
connections over the Internet. It's not unreasonable for local traffic, either.
The DISPLAY environment variable
X applications consult the DISPLAY environment variable to find out where to
display themselves. The variable contains the hostname or IP address of the server,
the display number (identifying the particular instance of an X server to connect to),
and an optional screen number (for displays with multiple monitors). When
applications run on the same computer that displays their interfaces, you can omit
most of these parameters for simplicity.
The following example shows both the format of the display information and the
bash syntax used to set the environment variable:

client$ DISPLAY=servername.domain.com:10.2; export DISPLAY

This setting points X applications at the machine servername.domain.com, display
10, screen 2. Applications establish a TCP connection to the server on port number
6000 plus the display number (in this example, port 6010), where the X server
handling that display should be listening. Note that current X.Org servers are
normally started with the -nolisten tcp option, so this kind of direct remote display
works only if TCP listening has been deliberately enabled on the server, or, better,
if the connection is tunneled through SSH as described later in this section.
Keep in mind that every process has its own environment variables. When you set
the DISPLAY variable for a shell, its value is inherited only by programs that you run
from that shell. If you execute the commands above in one xterm and then try to
run your favorite X application from another, the application won't have access to
your carefully constructed DISPLAY variable.
Another point worth mentioning is that although X applications send their graphical
output to the designated X server, they still have local stdout and stderr channels.
Some error output may still come to the terminal window from which an X
application was run.
See page 418 for more information about DNS resolver configuration.
If the client and server are both part of your local organization, you can usually omit
the server's full domain name from the DISPLAY variable, depending on how your
name server's resolver has been configured. Also, since most systems run only a
single X server, the display is usually 0. The screen number can be omitted, in which
case screen 0 is assumed. Ergo, most of the time it's fine to set the value of DISPLAY
to servername:0.
If the client application happens to be running on the same machine as the X server,
you can simplify the DISPLAY variable even further by omitting the hostname. This
feature is more than just cosmetic: with a null hostname, the client libraries use a
UNIX domain socket (/tmp/.X11-unix/X0 for display 0) instead of a network socket
to contact the X server. In addition to being faster and more efficient, this connection
method bypasses any firewall restrictions on the local system that are trying to keep
out external X connections. The simplest possible value for the DISPLAY
environment variable, then, is simply ":0".
The same client libraries that read the DISPLAY environment variable usually accept
this information in the form of a command-line argument as well. For example, the
command

client$ xprogram -display servername:0

is equivalent to running the program with DISPLAY set to "servername:0". The
command-line options override the environment variable settings. This feature is
especially handy if you are running on the same machine several programs that are
handled by different displays.
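To make the DISPLAY rules above concrete, here is an added example (not code from the book) that parses a DISPLAY value the way the client libraries interpret it and reports where a client would connect: TCP port 6000 plus the display number when a host is present, or the UNIX-domain socket /tmp/.X11-unix/X<n> when the host is empty or the pseudo-host "unix". The socket directory and the regular expression are the example's own assumptions (hostnames and IPv4 only; bracketed IPv6 literals are not handled):

```python
"""Interpret an X DISPLAY value the way the client libraries do.

Added example, not code from the book: it parses host:display.screen and
reports where a client would try to connect, which is what you need to know
when a firewall or an SSH tunnel sits between client and server.
"""
import re
from dataclasses import dataclass
from typing import Optional

X_BASE_PORT = 6000                  # display :0 listens on 6000; display N on 6000 + N
UNIX_SOCKET_DIR = "/tmp/.X11-unix"  # assumption: X.Org's UNIX sockets live here as X<N>

# host may be empty (local socket) or the literal "unix"; bracketed IPv6
# literals are not handled (assumption: hostnames or IPv4 only).
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<number>\d+)(?:\.(?P<screen>\d+))?$")


@dataclass(frozen=True)
class Display:
    host: str      # "" when the client should use a local UNIX socket
    number: int    # display number, e.g. 10 for ":10.2"
    screen: int    # screen number, 0 if omitted

    @property
    def is_local(self) -> bool:
        # Xlib treats an empty host and the pseudo-host "unix" as local sockets
        return self.host in ("", "unix")

    @property
    def tcp_port(self) -> Optional[int]:
        """Port the X server for this display listens on, or None for local sockets."""
        return None if self.is_local else X_BASE_PORT + self.number

    @property
    def unix_socket(self) -> Optional[str]:
        return f"{UNIX_SOCKET_DIR}/X{self.number}" if self.is_local else None

    def endpoint(self) -> str:
        """Human-readable description of where a client would connect."""
        if self.is_local:
            return f"unix socket {self.unix_socket} (screen {self.screen})"
        return f"tcp {self.host}:{self.tcp_port} (screen {self.screen})"


def parse_display(value: str) -> Display:
    """Parse a DISPLAY string such as 'servername.domain.com:10.2' or ':0'."""
    m = _DISPLAY_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed DISPLAY value: {value!r}")
    return Display(
        host=m.group("host"),
        number=int(m.group("number")),
        screen=int(m.group("screen") or 0),
    )


if __name__ == "__main__":
    for value in ("servername.domain.com:10.2", "servername:0", ":0", "unix:1.1"):
        print(f"{value:30} -> {parse_display(value).endpoint()}")
```

Running the block prints one line per sample value; the first maps to tcp servername.domain.com:6010 and the third to the local socket /tmp/.X11-unix/X0, which is exactly why ":0" sidesteps a host firewall while "servername:0" does not.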
Client authentication
Although the X environment is generally thought to be relatively insecure, every
precaution helps prevent unauthorized access. In the days before security was such a
pressing concern, it was common for X servers to welcome connections from any
client running on a host that had been marked as safe with the xhost command. But
since any user on that host could then connect to your display and wreak havoc
(either intentionally or out of confusion), the xhost method of granting access to
clients was eventually deprecated. We do not discuss it further.
The most prevalent alternative to host-based security is called magic cookie
authentication. While the thought of magic cookies might induce flashbacks in some
of our readers, in this context they are used to authenticate X connections. The basic
idea is that the X display manager generates a large random number, called a cookie,
early in the login procedure. The cookie for the server is written to the ~/.Xauthority
file in the user's home directory. Any clients that know the cookie are allowed to
connect. Users can run the xauth command to view existing cookies and add new
ones to this file. Two properties of this scheme matter for security: the cookie is
presented in the clear in the client's connection setup message, so anyone who can
sniff the network between client and server can capture and replay it, and anyone
who can read ~/.Xauthority can connect to the display, so the file must stay readable
only by its owner (xauth creates it with mode 0600).
The simplest way to show how this works is with an example. Suppose you have set
your DISPLAY variable on the client system to display X applications on the
machine at which you are sitting. However, when you run a program, you get an
error that looks something like this:

client$ xprogram -display server:0
Xlib: connection to "server:0.0" refused by server
xprogram: unable to open display 'server:0'
This message tells you that the client does not have the right cookie, so the remote
server refused the connection. To get the right cookie, log in to the server (which
you have probably already done if you are trying to display on it) and list the server's
cookies by running xauth list:

server$ xauth list
server:0  MIT-MAGIC-COOKIE-1  9d888df6077819ef4d788fab778dc9f
server/unix:0  MIT-MAGIC-COOKIE-1  9d888df6077819ef4d788fab778dc9f
localhost:0  MIT-MAGIC-COOKIE-1  cb6cbe5c24f284eddd40e0
Each network interface on the server has an entry. In this example we have a cookie
for the Ethernet, a cookie for the UNIX domain socket used for local connections,
and a cookie for the localhost loopback network interface.
The easiest way to get the cookie onto the client (when not using SSH, which
negotiates the cookie for you) is with good old cut-and-paste. Most terminal
emulators (e.g., xterm) let you select text with the mouse and paste it into another
window, usually by pressing the middle mouse button. Conveniently, the xauth add
command accepts as input the same format that xauth list displays. You can add the
cookie to the client like this:

client$ xauth add server:0 MIT-MAGIC-COOKIE-1 9d888df6077819ef4d788fab778dc9f

Whatever channel carries the pasted cookie must itself be trustworthy, since the
cookie is the whole secret; if the client is reachable by ssh, "xauth extract - server:0 |
ssh client xauth merge -" moves it without ever showing it on a screen.
You should verify that the cookie was added properly by running xauth list on the
client. With the DISPLAY environment variable set and the correct magic cookie
added to the client, applications should now display correctly on the server.
If you are having trouble getting cookies to work, you can drop back temporarily to
xhost authentication just to verify that there are no other problems (for example,
firewalls or local network restrictions that are preventing the client from accessing
the server). Grant access to the one client host you are testing from (xhost
+clienthost) rather than to everyone (a bare xhost +), and always run xhost - (that
is, xhost with a dash as its only argument) to turn access control back on once your
test is complete.
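The following added example (not code from the book) shows what xauth is actually manipulating: it parses and writes ~/.Xauthority entries in the binary format xauth uses (big-endian 16-bit address family, then four length-prefixed fields: address, display number, authorization name, cookie), lists them in the same three columns as xauth list, and mints a fresh 128-bit cookie from the operating system's random source. The sample file, host names, addresses and cookie values are constructed for the demonstration, and unlike real xauth the code does not resolve IP addresses to host names:

```python
"""Read and write ~/.Xauthority entries and mint a fresh magic cookie.

Added example, not code from the book. Entry layout (the format xauth reads):
big-endian u16 family, then four u16-length-prefixed fields: address, display
number, authorization name, authorization data. The sample file below is
constructed here, not copied from a real system.
"""
import secrets
import struct
from typing import List, NamedTuple

FAMILY_INTERNET = 0     # address is a 4-byte IPv4 address
FAMILY_INTERNET6 = 6    # address is a 16-byte IPv6 address
FAMILY_LOCAL = 256      # address is the hostname; xauth shows it as host/unix:N
FAMILY_WILD = 65535     # matches any address
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16         # 128 random bits, the size xdm and xauth generate


class AuthEntry(NamedTuple):
    family: int
    address: bytes
    number: bytes       # display number as ASCII digits, e.g. b"0"
    name: bytes         # b"MIT-MAGIC-COOKIE-1"
    data: bytes         # the cookie itself

    def display_name(self) -> str:
        """Render address/display the way 'xauth list' prints it
        (real xauth also resolves IP addresses to hostnames; this does not)."""
        number = self.number.decode()
        if self.family == FAMILY_LOCAL:
            return f"{self.address.decode()}/unix:{number}"
        if self.family == FAMILY_INTERNET and len(self.address) == 4:
            return ".".join(str(b) for b in self.address) + f":{number}"
        if self.family == FAMILY_WILD:
            return f"*:{number}"
        return f"{self.address.hex()}:{number}"   # fallback for other families


def _field(buf: bytes, pos: int):
    """Read one u16-length-prefixed field; returns (bytes, new_pos)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[pos:pos + length], pos + length


def parse_xauthority(blob: bytes) -> List[AuthEntry]:
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        address, pos = _field(blob, pos)
        number, pos = _field(blob, pos)
        name, pos = _field(blob, pos)
        data, pos = _field(blob, pos)
        entries.append(AuthEntry(family, address, number, name, data))
    return entries


def pack_entry(entry: AuthEntry) -> bytes:
    out = struct.pack(">H", entry.family)
    for field in (entry.address, entry.number, entry.name, entry.data):
        out += struct.pack(">H", len(field)) + field
    return out


def new_cookie() -> bytes:
    """A cookie is only as good as its randomness: use the OS CSPRNG, never time()."""
    return secrets.token_bytes(COOKIE_LEN)


def list_entries(blob: bytes) -> List[str]:
    """Same three columns as 'xauth list'."""
    return [f"{e.display_name()}  {e.name.decode()}  {e.data.hex()}"
            for e in parse_xauthority(blob)]


# Constructed sample: the three entries an X server on host "server" typically
# has (TCP, local socket, loopback), with fixed cookies so the output is stable.
_COOKIE_A = bytes(range(16))
_COOKIE_B = bytes(range(16, 32))
SAMPLE_XAUTHORITY = b"".join(pack_entry(e) for e in (
    AuthEntry(FAMILY_INTERNET, bytes([192, 168, 1, 10]), b"0", COOKIE_NAME, _COOKIE_A),
    AuthEntry(FAMILY_LOCAL, b"server", b"0", COOKIE_NAME, _COOKIE_A),
    AuthEntry(FAMILY_INTERNET, bytes([127, 0, 0, 1]), b"0", COOKIE_NAME, _COOKIE_B),
))

if __name__ == "__main__":
    for line in list_entries(SAMPLE_XAUTHORITY):
        print(line)
```

Note that the Ethernet and UNIX-socket entries share one cookie while the loopback entry has its own, mirroring the xauth list output above; a client that has only the loopback cookie will be refused on the TCP interface.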
X connection forwarding with SSH
Magic cookies increase security, but they're hardly foolproof. Any user who can
obtain your display's cookie can connect to the display and run programs that
monitor your activities. Even without your cookie, the X protocol transfers data over
the network without encryption, allowing it to be sniffed by virtually anyone.
See page 97 for more information about SSH.
You can boost security with SSH, the secure shell protocol. SSH provides an
authenticated and encrypted terminal service. However, SSH can also forward
arbitrary network data, including X protocol data, over a secure channel. X
forwarding is similar to generic SSH port forwarding, but because SSH is X-aware,
you gain some additional features, including a pseudo-display on the remote
machine and the negotiated transfer of magic cookies.
You typically ssh from the machine running the X server to the machine on which
you want to run X programs. This arrangement can be confusing to read about
because the SSH client is run on the same machine as the X server, and it connects to
an SSH server that is the same machine as the X client applications. To make it worse,
the virtual display that SSH creates for your X server is local to the remote system.
Exhibit B shows how X traffic flows through the SSH connection.
Exhibit B  Using SSH with X
Your DISPLAY variable and authentication information are set up automatically by
ssh. The display number starts at :10.0 (the sshd X11DisplayOffset setting, whose
default is 10) and increments for each SSH connection that is forwarding X traffic.
[Exhibit B, figure: the X server machine (X server on DISPLAY :0.0, SSH client) is
linked by a secure SSH connection to the X client machine (SSH server, X client on
virtual DISPLAY :12.0).]

An example might help show the sequence:

x-server$ ssh -v -X x-client.mydomain.com
OpenSSH_3.1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /home/bos/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to x-client.mydomain.com [192.168.15.…] port 22.
debug1: Connection established.
Enter passphrase for key '/home/bos/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
x-client$
You can see from the last two lines that the client is requesting forwarding for X11
applications. X forwarding must be enabled on both the SSH server (X11Forwarding
yes in sshd_config) and the SSH client, and the client machine must still end up with
a valid cookie for the server; ssh installs one for you, which is what the
"authentication spoofing" message refers to. If things do not seem to be working
right, try the -X and -v flags as shown above (for OpenSSH) to explicitly enable X
forwarding and to request verbose output. Also check the global SSH configuration
files in /etc/ssh to make sure that X11 forwarding has not been administratively
disabled. Note that with OpenSSH, -X requests untrusted forwarding unless
ForwardX11Trusted is set: the forwarded clients are confined by the X SECURITY
extension and some applications misbehave under it. The -Y flag requests trusted
forwarding, which Debian-derived distributions make the default in
/etc/ssh/ssh_config; use it only toward hosts whose users you would trust with your
whole display. Once logged in, you can check your display and magic cookies:
x-client$ echo $DISPLAY
localhost:12.0
x-client$ xauth list
x-client/unix:12  MIT-MAGIC-COOKIE-1  a54b6f2f1eb4c8a803ab0a6a512
Notice that the DISPLAY points to a virtual display on the SSH server. Other SSH
connections (both from you and from other users) are assigned different virtual
display numbers. With the DISPLAY and cookie properly set, we can now run the
client application.
x-client$ xeyes
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 35411
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: FORCE input drain
With the debugging information enabled with ssh -v, you can see that ssh has
received the X connection request and dutifully forwarded it to the X server. The
forwarding can be a little slow on a distant link, but the application should eventually
appear on your screen.
22.3 X SERVER CONFIGURATION
The X.Org server, Xorg, has a reputation for being notoriously difficult to configure
for a given hardware environment. It is not undeserved. In part, the complexity of
Xorg's configuration is explained by the wide array of graphics hardware, input
devices, video modes, resolutions, and color depths that it supports. In the early days
of XFree86, a new user was often overwhelmed by a cryptic configuration file
containing what appeared to be random numbers derived from obscure information
in the back of the monitor's nonexistent manual. Xorg's configuration file affords
significantly more structure for some of these seemingly random numbers.
The Xorg configuration file is normally found in /etc/X11/xorg.conf, but the X
server will search a whole slew of directories looking for it. The man page presents a
complete list, but one point to note is that some of the paths Xorg searches contain
the hostname or the value of the XORGCONFIG environment variable, making it
easy for you to store configuration files for multiple systems in a central location.
Several programs can help you configure X (e.g., xorgconfig), but it's a good idea to
understand how the configuration file is structured in case you need to view or edit
the configuration directly. You can gather some useful starting information directly
from the X server by running Xorg -probeonly and looking through the output for
video chipset and other probed values. You can run Xorg -configure to have the X
server create an initial configuration file that is based on the probed values. It's a
good place to start if you have nothing else.
The xorg.conf file is organized into several sections, each starting with the Section
keyword and ending with EndSection. The most common section types are listed in
Table 22.1.
It is often simplest to build a configuration file from the bottom up by first defining
sections for the input and output devices and then combining them into various
layouts. With this hierarchical approach, a single configuration file can be used for
many X servers, each with different hardware. It's also a reasonable approach for a
single system that has multiple video cards and monitors.
Exhibit C on the next page shows how some of these sections fit together into the
X.Org configuration hierarchy. A physical display Monitor plus a video card Device
form a Screen. A set of Screens plus InputDevices form a ServerLayout. Multiple
server layouts can be defined in a configuration file, though only one is active for a
given instance of the Xorg process.
Table 22.1  Sections of the xorg.conf file

  Section       Description
  ServerFlags   Lists general X server configuration parameters
  Module        Specifies dynamically loadable extensions for accelerated
                graphics, font renderers, and the like
  Device        Configures the video card, driver, and hardware information
  Monitor       Describes physical monitor parameters including timing and
                display resolutions
  Screen        Associates a monitor with a video card (Device) and defines the
                resolutions and color depths available in that configuration
  InputDevice   Specifies input devices such as keyboards and mice
  ServerLayout  Bundles input devices with a set of screens and positions the
                screens relative to each other
Exhibit C  Relationship of xorg.conf configuration sections
Some of the sections that make up the xorg.conf file are relatively fixed. The defaults
can often be used straight from an existing or example configuration file. Others,
such as the Device, Monitor, Screen, InputDevice, and ServerLayout sections,
depend on the host's hardware setup. We discuss the most interesting of these
sections in more detail in the following subsections.
Device sections
A Device section describes a particular video card. You must provide a string to
identify the card and a driver appropriate for the device. The driver is loaded only if
the device is referenced by a corresponding Screen section. A typical Device section
might look like this:
Section "Device"
    Identifier  "STBVirge3D"
    Driver      "s3virge"
    ...
EndSection
The manual page for the driver, in this example s3virge, describes the hardware
that's driven as well as the options the driver supports. If you are experiencing
strange video artifacts, you might try setting options to turn off hardware
acceleration (if supported), slowing down video memory access, or modifying PCI
parameters. It is generally a good idea to check the web for others who might have
experienced similar problems before you start randomly changing values.
Monitor sections
The Monitor section describes the displays attached to your computer. It can specify
detailed timing values. The timing information is necessary for older hardware, but
most modern monitors can be probed for it. Display specifications can usually be
obtained from the manufacturer's web site, but nothing beats having the original
manual that came with the monitor. Either way, you will want to know at least the
horizontal sync and vertical refresh frequencies for your model.
[Exhibit C, figure: a ServerLayout contains Screens and InputDevices. Each Screen
(DISPLAY = :0.0, DISPLAY = :0.1) is a Monitor plus a Device; the InputDevices shown
are a mouse, a keyboard, and a graphics tablet.]
A typical Monitor section looks like this:
Section "Monitor"
    Identifier  "ViewSonic"
    Option      "DPMS"
    HorizSync   30-65
    VertRefresh 50-120
EndSection
As with all of the sections, the Identifier line assigns a name by which you later refer
to this monitor. Here we have turned on DPMS (Display Power Management
Signaling) so that the X server powers down the monitor when we sneak away for a
donut and some coffee.
The HorizSync and VertRefresh lines should be filled in with values appropriate for
your monitor. They may be specified as a frequency range (as above) or as discrete
values separated by commas. The driver can theoretically probe for supported
modes, but specifying the parameters keeps the driver from attempting to use
unsupported frequencies.
Horror stories abound of early CRTs being damaged by signals running at improper
frequencies, but these days CRTs seem to be a bit more resilient. At worst, they are
likely to emit a high-pitched squeal that is sure to get the dog's attention. Modern
LCD monitors are even more tolerant of signal variations, but it is probably still wise
to exercise caution when experimenting with monitor frequencies. Be prepared to
turn off the monitor if it does not like the signal it is receiving.
Screen sections
A Screen section ties a device (video card) to a monitor at a specific color depth and
set of display resolutions. Here's an example that uses the video card and monitor
specified above.
Section "Screen"
    Identifier   "Screen 2"
    Device       "STBVirge3D"
    Monitor      "ViewSonic"
    DefaultDepth 24
    SubSection "Display"
        Depth 8
        Modes "640x400"
    EndSubSection
    SubSection "Display"
        Depth 16
        Modes "640x400" "640x480" "800x600" "1024x768"
    EndSubSection
    SubSection "Display"
        Depth 24
        Modes "1280x1024" "1024x768" "800x600" "640x400" "640x480"
    EndSubSection
EndSection
As you might expect, the screen is named with an Identifier, and the identifiers for
the previously defined video device and monitor are mentioned. This is the first
section we have introduced that has subsections. One subsection is defined for each
color depth, with the default being specified by the DefaultDepth field.
A given instance of the X server can run at only one color depth. At startup, the
server determines what resolutions are supported for that color depth. The possible
resolutions generally depend on the amount of memory on the video card. On older
cards with less memory, it's common for resolution to be limited at high color depths.
Special keyboard combinations for X on page 754 describes how to cycle through the
resolutions that are defined here.
Any decent modern video card should be able to drive your monitor at its full
resolution in 24-bit or 32-bit color. If you want to run old programs that require a
server running in 8-bit color, run a second X server on a separate virtual console. Use
the -depth 8 flag on the Xorg command line to override the DefaultDepth option.
InputDevice sections
An InputDevice section describes a source of input events such as a keyboard or
mouse. Each device gets its own InputDevice section, and as with other sections,
each is named with an Identifier field. If you are sharing a single configuration file
among machines with different hardware, you can define all the input devices; only
those referenced in the ServerLayout section are used. Here is a typical keyboard
definition:
Section "InputDevice"
    Identifier  "Generic Keyboard"
    Driver      "Keyboard"
    Option      "AutoRepeat" "500 30"
    Option      "XkbModel"   "pc104"
    Option      "XkbLayout"  "us"
EndSection
You can set options in the keyboard definition to express your particular religion's
stance on the proper position of the Control and Caps Lock keys, among other
things. In this example, the AutoRepeat option specifies how long a key needs to be
held down before it starts repeating and how fast it repeats.
The mouse is configured in a separate InputDevice section:
Section "InputDevice"
    Identifier  "Generic Mouse"
    Driver      "mouse"
    Option      "CorePointer"
    Option      "Device"          "/dev/input/mice"
    Option      "Protocol"        "IMPS/2"
    Option      "Emulate3Buttons" "no"
    Option      "ZAxisMapping"    "4 5"
EndSection
The CorePointer option designates this mouse as the system's primary pointing
device. The device file associated with the mouse is specified as an Option; it is
typically set to /dev/input/mice, which is the mouse device multiplexer. The protocol
depends on the particular brand of mouse that is used; you can set it to auto so that
the server tries to figure it out for you. If your mouse wheel doesn't work, try setting
the protocol to IMPS/2. If you have more than a few buttons, you might need to use
the ExplorerPS/2 protocol.
If /dev/input/mice does not work for your mouse, then the configuration is slightly
more complex. The gpm program implements X-like, mouse-controlled cut-and-paste
facilities in text-mode virtual terminals. However, only one program can open a
traditional mouse device at a time. To solve this problem, gpm replicates the mouse
data to a FIFO file so that applications such as the X server can see it too (by using
the FIFO as the mouse device).[1] This arrangement adds gpm functionality to the
system while keeping it relatively transparent.
For example, the following command makes gpm get its input from /dev/mouse
with the IMPS/2 protocol and forward it to the FIFO /dev/gpmdata (the name is not
configurable) with no protocol translation.

$ gpm -m /dev/mouse -t imps2 -Rraw
You would then change the mouse device to /dev/gpmdata in the xorg.conf file.
Since gpm must be run before the X server is started, this command must go in a
system startup script such as /etc/init.d/gpm. See page ?2 for more information
about startup scripts.
The Emulate3Buttons option lets a two-button mouse emulate a three-button
mouse by defining a click on both buttons to stand in for a middle button click. The
ZAxisMapping option is sometimes needed to support a scroll wheel or joystick
device by mapping the buttons appropriately. Most mice these days have at least
three buttons, a scroll wheel, a built-in MP3 player, a foot massager, and a beer
chiller.[2]
ServerLayout sections
The ServerLayout section is the top-level node of the configuration hierarchy. Each
hardware configuration that the server will be run on should have its own instance
of the ServerLayout section. The layout used by a particular X server is usually
specified on the server's command line.
Here is an example of a complete ServerLayout section:

Section "ServerLayout"
    Identifier  "Simple Layout"
    Screen      "Screen 1" LeftOf  "Screen 2"
    Screen      "Screen 2" RightOf "Screen 1"
    InputDevice "Generic Mouse"    "CorePointer"
    InputDevice "Generic Keyboard" "CoreKeyboard"
    Option      "BlankTime"   "10"    # Blank the screen in 10 minutes
    Option      "StandbyTime" "20"    # Turn off screen in 20 minutes (DPMS)
    Option      "SuspendTime" "60"    # Full hibernation in 60 minutes (DPMS)
    Option      "OffTime"     "120"   # Turn off DPMS monitor in 2 hours
EndSection

1. FIFO files are created with the mknod command. For example, mknod p /dev/gpmdata.
2. Not all options are supported by Xorg. Some options sold separately.
This section ties together all the other sections to represent an X display. It starts
with the requisite Identifier, which names this particular layout. It then associates a
set of screens with the layout.[3] If multiple monitors are attached to separate video
cards, each screen is specified along with optional directions to indicate how they
are physically arranged. In this example, screen one is on the left and screen two is
on the right.
Some video cards can drive multiple monitors at once. In this case, only a single
Screen is specified in the ServerLayout section. For NVIDIA cards, currently the
most common for this application under Linux, you set an option in the Driver
section to signify support for TwinView. The details of this configuration are outside
the scope of this book but can easily be found on various web forums.
Following the screen list is the set of input devices to associate with this layout. The
CorePointer and CoreKeyboard options are passed to the InputDevice section to
indicate that the devices are to be active for the configuration. Those options can
also be set directly in the corresponding InputDevice sections, but it's cleaner to set
them in the ServerLayout section.
The last few lines configure several layout-specific options. In the example above,
these all relate to DPMS, which is the interface that tells Energy Star-compliant
monitors when to power themselves down. The monitors must also have their DPMS
options enabled in the corresponding Monitor sections.
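As an added example (not code from the book), the following parser reads an xorg.conf file into the Section/SubSection tree described above and walks a ServerLayout down to its Screens and from each Screen to its Device, which shows two things the prose states but a configuration file does not make obvious: which video drivers the server would actually load (only those reached through a Screen in the chosen layout) and which resolution it would start in (the first entry on the Modes line for the default depth). SAMPLE_XORG_CONF is assembled from this chapter's fragments; the second, unreferenced video card and the shortened sections are inventions for the demonstration:

```python
"""Parse xorg.conf and resolve a ServerLayout to the video drivers it would load.
Added example, not code from the book; SAMPLE_XORG_CONF is assembled from the
chapter's fragments, and the second card is an invention for the demonstration."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Section:
    kind: str                                   # Device, Monitor, Screen, Display, ...
    entries: List[Tuple[str, List[str]]] = field(default_factory=list)
    subsections: List["Section"] = field(default_factory=list)

    def get(self, keyword: str) -> Optional[List[str]]:
        """Arguments of the first entry with this (case-insensitive) keyword."""
        for key, args in self.entries:
            if key.lower() == keyword.lower():
                return args
        return None

    @property
    def identifier(self) -> Optional[str]:
        args = self.get("Identifier")
        return args[0] if args else None

def parse_xorg_conf(text: str) -> List[Section]:
    """Build the Section/SubSection tree; shlex handles quoting and # comments."""
    top, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key in ("section", "subsection"):
            stack.append(Section(args[0]))
        elif key in ("endsection", "endsubsection"):
            if not stack:
                raise ValueError(f"line {lineno}: {words[0]} without a matching start")
            done = stack.pop()
            (stack[-1].subsections if stack else top).append(done)
        elif stack:
            stack[-1].entries.append((words[0], args))
        else:
            raise ValueError(f"line {lineno}: {words[0]!r} outside any section")
    return top

def _by_id(sections: List[Section]) -> Dict[Tuple[str, str], Section]:
    return {(s.kind.lower(), s.identifier): s for s in sections if s.identifier}

def resolve_layout(sections: List[Section], layout_id: str) -> Dict[str, object]:
    """Screens and video drivers a given ServerLayout would activate."""
    index = _by_id(sections)
    screens, drivers = [], set()
    for key, args in index[("serverlayout", layout_id)].entries:
        if key.lower() == "screen":
            sid = args[1] if args[0].isdigit() else args[0]    # optional number first
            device = index[("device", index[("screen", sid)].get("Device")[0])]
            drivers.add(device.get("Driver")[0])  # a Device is loaded only via a Screen
            screens.append(sid)
    return {"screens": screens, "drivers": drivers}

def default_mode(sections: List[Section], screen_id: str, depth: Optional[int] = None) -> str:
    """First Modes entry for the depth in use: the resolution the server starts in."""
    screen = _by_id(sections)[("screen", screen_id)]
    depth = depth or int(screen.get("DefaultDepth")[0])
    for sub in screen.subsections:
        if sub.kind.lower() == "display" and int(sub.get("Depth")[0]) == depth:
            return sub.get("Modes")[0]
    raise ValueError(f"{screen_id!r} has no Display subsection for depth {depth}")

SAMPLE_XORG_CONF = """\
Section "Device"
    Identifier "STBVirge3D"
    Driver     "s3virge"
EndSection
Section "Device"
    Identifier "SpareCard"          # constructed: no Screen references it
    Driver     "vesa"
EndSection
Section "Monitor"
    Identifier "ViewSonic"
EndSection
Section "Screen"
    Identifier   "Screen 2"
    Device       "STBVirge3D"
    Monitor      "ViewSonic"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "1280x1024" "1024x768" "800x600" "640x400" "640x480"
    EndSubSection
EndSection
Section "ServerLayout"
    Identifier  "Simple Layout"
    Screen      "Screen 2"
EndSection
"""
```

With the sample, resolve_layout reports only the s3virge driver: the vesa card exists in the file but no Screen in "Simple Layout" uses it, so the server would never load that driver. Asking for depth 8 raises an error because the sample defines no Display subsection for it, which is the same situation the -depth 8 trick on page 752 runs into if the Screen section lacks a matching subsection.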
22.4 TROUBLESHOOTING AND DEBUGGING
X server configuration has come a long way over the last decade, but it can still be
difficult to get things working just the way you would like. You may need to
experiment with monitor frequencies, driver options, proprietary drivers, or
extensions for 3D rendering. Ironically, it is the times when the display is not
working correctly that you are most interested in seeing the debugging output on
your screen. Fortunately, the X.Org server gives you all the information you need
(and a lot that you don't) to track down the problem.
Sec|a| keyboard comb|nat|ons for X
Because the X server takes over your keyboard, display, mouse, and social life, you
can imagine that it might leave you with little recourse but to power the system down
if things are not working. However, there are a few things to try before it comes to
that. If you hold down the Control and Alt keys and press a function key (F1-F6), the
X server takes you to one of the text-based virtual terminals. From there you can log
in and debug the problem. To get back to the X server running on virtual terminal 7,
press <Alt-F7>.⁴ If you are on a network, you can also try logging in from another
computer to kill the X server before resorting to the reset button.

3. Recall that screens identify a monitor/video card combination at a particular color depth.
If the monitor is not in sync with the card's video signal, try changing the screen
resolution. The available resolutions are specified on a Modes line from the Screen
section of the configuration file. The exact Modes line that is active depends on the
color depth; see Screen sections on page 751 for details. The X server defaults to the
first resolution shown on the active Modes line, but you can cycle through the
different resolutions by holding down Control and Alt and pressing the plus (+) or
minus (-) key on the numeric keypad.

Pressing <Control-Alt-Backspace> kills the X server immediately. If you ran the
server from a console, you will find yourself back there when the server exits. If a
display manager started the server, it usually respawns a new server and prompts
again for a login and password. You have to kill the display manager (xdm, gdm,
etc.) from a text console to stop it from respawning new X servers.
when good X servers go bad
Once you have regained control of the machine, you can begin to track down the
problem. The simplest place to start is the output of the X server. This output is
occasionally visible on virtual terminal one (<Control-Alt-F1>), which is where all
the startup program output goes. Most often, the X server output goes to a log file
such as /var/log/Xorg.0.log.

As seen below, each line is preceded by a symbol that categorizes it. You can use these
symbols to spot errors (EE) and warnings (WW), as well as to determine how the
server found out each piece of information: through default settings (==), in a config
file (**), detected automatically (--), or specified on the X server command line (++).
Let's examine the following snippet:
X Window System Version 6.8.2
Release Date: February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: Linux 2.4.21-23.ELsmp i686 [ELF]
Current Operating System: Linux clirool 2.6.12-1.1372_FC3 #1 Fri Jul 15 00:5?:10 EDT 2005 i686
Markers: (--) probed, (**) from config file, (==) default setting,
         (++) from command line, (!!) notice, (II) informational,
         (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Mon May  1 08:41:02 2006
(==) Using config file: "/etc/X11/xorg.conf"
(==) ServerLayout "Default Layout"
(**) |-->Screen "Screen0" (0)
(**) |   |-->Monitor "Monitor0"
(**) |   |-->Device "Videocard1"
(**) |-->Input Device "Mouse0"
(**) |-->Input Device "Keyboard0"

4. The X server requires the <Control> key to be held down along with the <Alt-Fn> key combination to
switch virtual terminals, but the text console does not.
The first lines tell you the version number of the X server and the X11 protocol
version that it implements. Subsequent lines tell you that the server is using default
values for the log file location, the configuration file location, and the active server
layout. The display and input devices from the config file are echoed in schematic form.
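As an added example (not from the book), here is a small shell helper for triaging a log in this format: it counts lines per marker, so you can see how much of the configuration was probed versus read from xorg.conf, and pulls out the (EE) and (WW) lines. It runs against a constructed sample log built from the markers and messages quoted in this section, not against a real /var/log/Xorg.0.log; point the functions at the real file to use them.

```shell
#!/bin/sh
# Added example, not from the book: triage an Xorg log by its line markers.
# Works on any file in the Xorg.0.log format; the sample below is constructed.

# Count lines that begin with a given marker, e.g. "(EE)" or "(**)".
# Only the first four characters are compared, so a marker quoted in the
# middle of some other line is not counted.
xorg_marker_count() {   # $1: marker, $2: log file
    cut -c1-4 "$2" | grep -c -F -x -- "$1" || true
}

# Print every error line, then every warning line.
xorg_problems() {       # $1: log file
    grep '^(EE)' "$1" || true
    grep '^(WW)' "$1" || true
}

# Show where the server got its settings: probed, config file, defaults, command line.
xorg_provenance() {     # $1: log file
    for pair in '(--):probed' '(**):from config file' '(==):default setting' '(++):from command line'; do
        marker=${pair%%:*}
        printf '%s %-17s %s\n' "$marker" "${pair#*:}" "$(xorg_marker_count "$marker" "$1")"
    done
}

# Constructed sample log (not a real server log); real logs are much longer.
SAMPLE_XORG_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_XORG_LOG"' EXIT
cat > "$SAMPLE_XORG_LOG" <<'EOF'
(==) Log file: "/var/log/Xorg.0.log", Time: Mon May  1 08:41:02 2006
(==) Using config file: "/etc/X11/xorg.conf"
(**) |-->Screen "Screen0" (0)
(**) |   |-->Monitor "Monitor0"
(--) Monitor frequency ranges obtained from EDID probe
(II) Loading extension GLX
(WW) No valid modes for "1280x1024"; removing
(EE) Unable to validate any modes; falling back to the default mode
EOF

# Stand-alone use; replace the sample with /var/log/Xorg.0.log on a real system.
xorg_provenance "$SAMPLE_XORG_LOG"
xorg_problems "$SAMPLE_XORG_LOG"
```

A high (--) count with few (**) lines means the server is running mostly on probed values, which is exactly the situation in which a switched-off monitor or a bad EDID changes the result from one boot to the next.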
One common problem that shows up in the logs is difficulty with certain screen
resolutions, usually evidenced by those resolutions not working or the X server
bailing out with an error such as "Unable to validate any modes; falling back to the
default mode." If you have not specified a list of frequencies for your monitor, the X
server probes for them using Extended Display Identification Data (EDID). If your
monitor does not support EDID or if your monitor is turned off when X is started,
you need to put the frequency ranges for X to use in the Monitor section of the
configuration file.

Rounding error in the results obtained from an EDID probe can cause some
resolutions to be unavailable even though they should be supported by both your
video card and monitor. Log entries such as "No valid modes for 1280x1024;
removing" are evidence of this. The solution is to tell the X server to ignore EDID
information and use the frequencies you specify by adding the following lines to the
Device section (these two options belong to the NVIDIA driver; other drivers spell
the equivalent differently, so check the driver's man page):

    Option "IgnoreEDID" "true"
    Option "UseEdidFreqs" "false"
As another example, suppose you forgot to define the mouse section properly. The
error would show up like this in the output:

(==) Using config file: "/etc/X11/xorg.conf"
Data incomplete in file /etc/X11/xorg.conf
        Undefined InputDevice "Mouse0" referenced by ServerLayout "Default Layout".
(EE) Problem parsing the config file
(EE) Error parsing the config file

Fatal server error:
no screens found
Once X is up and running and you have logged in, you can run the xdpyinfo command
to get more information about the X server's configuration.⁵ xdpyinfo's output again
tells you the name of the display and the X server version information. It also tells
you the color depths that are available, the extensions that have been loaded, and the
screens that have been defined, along with their dimensions and color configurations.

xdpyinfo's output can be parsed by a script (such as your ~/.xsession file) to
determine the size of the active screen and to set up the desktop parameters
appropriately.

For debugging, xdpyinfo is most useful for determining that the X server is up and
listening to network queries, that it has configured the correct screen and resolution,
and that it is operating at the desired color bit depth. If this step works, you are ready
to start running X applications.

5. We don't recommend logging into X as root because this operation may create a bunch of default
startup files in root's home directory, which is usually /. It's also notably insecure. Instead, log in as a
regular user and use sudo. Debian and Ubuntu enforce this discipline by default.
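The kind of parsing just described, as an added example that is not from the book: two shell functions that read xdpyinfo output on standard input and report a screen's pixel geometry and root-window depth, so a ~/.xsession script can branch on them. The xdpyinfo output they consume below is a constructed sample with two screens, laid out like real xdpyinfo output (the font names chosen at the end are just illustrative).

```shell
#!/bin/sh
# Added example, not from the book: pull a screen's geometry and depth out of
# xdpyinfo output, e.g.   xdpyinfo | x_screen_geometry 0   ->   1024x768

# Print WIDTHxHEIGHT for screen N (default 0). xdpyinfo prints one block per
# screen headed by "screen #N:", so only lines inside that block are examined.
x_screen_geometry() {   # $1: screen number; xdpyinfo output on stdin
    awk -v want="screen #${1:-0}:" '
        $0 == want  { inblock = 1; next }
        /^screen #/ { inblock = 0 }
        inblock && $1 == "dimensions:" { print $2; exit }
    '
}

# Print the depth (bits per pixel) of screen N's root window.
x_screen_depth() {      # $1: screen number; xdpyinfo output on stdin
    awk -v want="screen #${1:-0}:" '
        $0 == want  { inblock = 1; next }
        /^screen #/ { inblock = 0 }
        inblock && /^ *depth of root window:/ { print $(NF-1); exit }
    '
}

# Constructed sample in the shape of real xdpyinfo output (not captured from a server).
SAMPLE_XDPYINFO='name of display:    :0
version number:    11.0
vendor string:    The X.Org Foundation
number of screens:    2

screen #0:
  dimensions:    1024x768 pixels (271x203 millimeters)
  resolution:    96x96 dots per inch
  depths (7):    24, 1, 4, 8, 15, 16, 32
  root window id:    0x1a3
  depth of root window:    24 planes

screen #1:
  dimensions:    1280x1024 pixels (338x270 millimeters)
  resolution:    96x96 dots per inch
  depth of root window:    16 planes
'

# Example use from a session script: pick a larger font on a wide screen.
geometry=$(printf '%s\n' "$SAMPLE_XDPYINFO" | x_screen_geometry 0)
width=${geometry%x*}
if [ "$width" -ge 1280 ]; then font=10x20; else font=8x13; fi
echo "screen 0 is $geometry at $(printf '%s\n' "$SAMPLE_XDPYINFO" | x_screen_depth 0) bpp; using font $font"
```

In a real session script, replace the sample with `xdpyinfo |` on the pipeline; if xdpyinfo cannot reach the display it prints nothing on stdout, and the empty result is your signal that the server is not up yet.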
22.5 A BRIEF NOTE ON DESKTOP ENVIRONMENTS

The flexibility and simplicity of the X client/server model has, over the years, led to
an explosion of widget sets, window managers, file browsers, tool bar utilities, and
utility programs. Out of Project Athena at MIT, where X has its roots, came the
Athena widgets and twm (Tom's Window Manager, named for its creator Tom
LaStrange; it's also called the Tab Window Manager). These rudimentary tools
formed the de facto standard for early X applications.

OpenLook, developed by Sun Microsystems and AT&T, was an alternative tool kit
that introduced oval buttons and pushpins to keep menus and dialog boxes visible.
Around the same time, the Open Software Foundation introduced the competing
Motif platform (later called CDE, or Common Desktop Environment), which was
eventually adopted by Sun as well. These tool kits' three-dimensional chiseled look
was elegant for the time, and the prevalence of advanced UI elements such as sliders
and menus made them a reasonable choice for new software. However, both tool kits
were highly proprietary, and licensing fees for the development libraries and window
manager made them inaccessible to the general public.

Along with open source operating systems such as Linux came open source desktop
environments. FVWM (the "F" Virtual Window Manager) was popular for Linux
because of its high degree of configurability and support for "virtual desktops" that
expanded the user's effective working area beyond the confines of the low-resolution
displays available on most PCs at the time.⁶ There was no associated widget set,
however, so users were still faced with a multitude of programs, each with a rather
different look and feel.

As applications became more advanced and required progressively more advanced
user interface functionality, it became clear that a broader approach must be taken
to unify the user experience and provide better support to application developers.
From this need were born the two big players in modern Linux desktop
environments: GNOME and KDE. Although some users have strong feelings
regarding which is the One True Way, both are relatively complete desktop
managers. In fact, just because you are running in one realm does not mean you
cannot use applications from the other; just expect a different look and feel and a
brief sense of discontinuity in the universe.

The freedesktop.org project is dedicated to creating an environment that will allow
applications to be compatible with any desktop environment.

6. In fact, FVWM was so flexible that it could be configured to look like either twm or mwm (the Motif
Window Manager).
KDE

KDE, which stands for the K Desktop Environment, is written in C++ and built on
the Qt tool kit library. It is often preferred by users who enjoy eye candy, such as
transparent windows, shadows, and animated cursors. It looks nice, but it can be
slow on anything but a high-end PC. For users who spend a lot of time clicking
around in the desktop rather than running applications, the tradeoff between look
and feel may ultimately decide whether KDE is the appropriate choice.

KDE is often preferred by people transitioning from a Windows or Mac environment
because of its pretty graphics. It's also a favorite of technophiles who love to be able
to fully customize their environment. For others, KDE is simply too much to deal
with and GNOME is the simpler choice.

Applications written for KDE almost always contain a K somewhere in the name,
such as Konqueror (the web/file browser), Konsole (the terminal emulator), or
KWord (a word processor). The default window manager, KWin, supports the
freedesktop.org Window Manager Specification standard, configurable skins for
changing the overall look and feel, and many other features. The KOffice application
suite contains word processing, spreadsheet, and presentation utilities. KDE sports a
comprehensive set of development tools, including an integrated development
environment (IDE). With these foundations, KDE provides a powerful and consistent
user interface experience.
GNOME

GNOME is another desktop environment, written in C and based on the GTK+ widget
set. Its underlying object communication model uses CORBA, the Common Object
Request Broker Architecture. The name GNOME was originally an acronym for GNU
Network Object Model Environment, but that derivation no longer really applies;
these days, GNOME is just a name.

GNOME is less glitzy than KDE, is not as configurable, and is slightly less consistent
overall. However, it is noticeably cleaner, faster, and simpler. Most Linux
distributions use GNOME as the default desktop environment.

Like KDE, GNOME has a rich application set. GNOME applications are usually
identifiable by the presence of a G in their names. One exception is the standard
GNOME window manager, called Metacity (pronounced like "opacity"), which
provides basic windowing functions and skins for a configurable look and feel.
Following the GNOME model, Metacity is designed to be lean and mean. If you want
some of the extra features you may be used to, like a virtual desktop or smart window
placement, you need the support of external applications such as brightside or
devilspie. (This is one area in which KDE has a leg up.)

Office applications include AbiWord for word processing, Gnumeric as a spreadsheet,
and one of the more impressive projects to come out of GNOME, The GIMP for image
processing. A file manager called Nautilus is also included, along with Epiphany for
web browsing. Like KDE, GNOME provides an extensive infrastructure for
application developers. Altogether, GNOME offers a powerful architecture for
application development in an easy-to-use desktop environment.
Which is better, GNOME or KDE?

Ask this question on any public forum and you will see the definition of "flame war."
Because of the tendency for people to turn desktop preference into a personal
crusade, the following paragraphs may be some of the least opinionated in this book.

The best answer is to try both desktops and decide for yourself which best meets your
needs. Keep in mind that your friends, your users, and your manager may all have
different preferences for a desktop environment, and that is OK.

Now that freedesktop.org is creating standards to unify the desktop, the animosity
that has developed between the KDE and GNOME camps is progressing into a healthy
competition to create great software. Remember that your choice of desktop
environment does not dictate which applications you can run. No matter which
desktop you choose, you can select applications from the full complement of excellent
software made available by both of these (and other) open source projects.
22.6 RECOMMENDED READING

The X.Org home page, x.org, includes information on upcoming releases as well as
links to the X.Org wiki, mailing lists, and downloads.

The man pages for Xserver and Xorg cover generic X server options and Xorg-specific
command-line options. They also include a general overview of X server operation.
The xorg.conf man page covers the config file and describes its various sections in
detail. This man page also lists video card drivers in its REFERENCES section. Look up
your video card here to learn the name of the driver, then read the driver's own man
page to learn about driver-specific options.
22.7 EXERCISES

E22.1 Use SSH to run an X program over the network. Use ssh -v to verify that
X forwarding is set up correctly. What is the DISPLAY variable set to
after you log in? List the cookies by running xauth and verify that magic
cookie authentication is active for that display.

E22.2 Write a shell command line or script to parse the output of xdpyinfo
and print the current screen resolution in the format XxY, e.g.,
1024x768.

E22.3 Examine the Xorg log file (/var/log/Xorg.0.log) and determine as
many of the following items as possible:
a) What type of video card is present and which driver does it use?
b) How much video memory does the card have?
c) Was EDID used to probe monitor settings? How do you know?
d) What modes (resolutions) are supported?
e) Is DPMS enabled?
f) What does the server think the physical screen dimensions are?
g) What device file is used for the mouse?

E22.4 What flag disables nonlocal TCP connections to the server? Explain why
this option is useful.
Printing

Printer configuration is annoying and difficult. Users take printing for granted, but
the administrative contortions required for delivery of perfectly rendered pages to a
printer a foot away from the user can be challenging.

Two decades ago, the most common printers were ASCII line printers. Laser printers
were expensive and rare. High-resolution output devices required custom driver
software and formatting programs.

Today, instead of connecting to a single computer through a serial or parallel port,
laser printers often connect to a TCP/IP network over an Ethernet or wireless link.
Laser printers have largely lost the low-end market to inkjet printers. Color printers
used to be a luxury, but like color photography and color monitors, they have become
common. Finding a black-and-white printer will soon be as hard as finding
black-and-white film.

On the desktop and in the small office market, special-purpose printers, scanners,
copiers, and fax machines are being pushed aside by multifunction devices that do
all these jobs. Sometimes, these devices can even read files from your digital camera's
memory card.

With so many changes in technology, you'd expect the Linux printing system to be
flexible, and indeed it is. However, this flexibility is a relatively recent achievement.
Until a few years ago, most Linux printing systems were based on software developed
for the line printers of yore. These systems, hacked and overloaded in an attempt to
keep up with evolving technologies, were never really up to the job of supporting
modern printers on modern networks. Fortunately, CUPS, the Common UNIX
Printing System, has arrived on the scene to address many of the older systems'
weaknesses.
You can find CUPS on most modern UNIX and Linux systems, including Mac OS X.
A few older printing systems remain in use (such as PDQ, pdq.sourceforge.net, and
LPRng, www.lprng.com), but early printing systems such as System V's printing
system, Palladium, rlpr, PLP, GNUlpr, and PPR are all pretty much dead.

In this chapter, we focus on CUPS as the current de facto standard. We start with a
general discussion of printers and printing terminology. We then describe Linux
printing systems in general and outline the architecture of CUPS. We move on to the
specifics of printer configuration and administration, then conclude with a brief
guide to print-system debugging, a tour of optional printing-related software, and
some general administration hints.
23.1 PRINTERS ARE COMPLICATED

Users lump printers in with other peripherals such as monitors and speakers, but
that viewpoint doesn't give printers credit for their complexity. Once upon a time,
the most powerful computer Apple made was the Apple LaserWriter. Today, your
desktop machine is probably more powerful than your printer, but the printer is still
a computer. It has a CPU, memory, an operating system, and perhaps even a disk. If
it's a network printer, it has its own IP address and TCP/IP implementation.

If you have a modern network printer around, enter its network address into your
web browser (e.g., 192.168.0.9). Chances are that the printer will return some web
pages that let you administer the printer hardware; the printer is running its own
web server.

Since system administrators are security minded, you may already be thinking,
"Does that mean a printer could be compromised or hit by a denial of service
attack?" You bet. See the section on security that starts on page 787.

What operating system is your printer running? What? You don't know? Not
surprising. You probably can't find out, either, without some digging, and perhaps
not even then. The operating system varies from vendor to vendor and sometimes
even from model to model. Mid-range and higher-end printers may even run some
derivative of UNIX or Linux.¹

The OS confusion is just the beginning. Printers also handle a variety of network
protocols and accept jobs in several different printer-specific page-description and
document-description languages.

If you're administering a larger facility, you may need to support several models of
printers from several different manufacturers. The printing software on your
computers must be prepared to communicate with varied (and sometimes unknown)
hardware and to use an array of protocols.

1. Hackers have ported Linux to iPods and Xboxes; we're waiting to see who's first to port it to an HP
LaserJet.
23.2 PRINTER LANGUAGES

A print job is really a computer program written in a specialized programming
language. These programming languages are known collectively as page description
languages, or PDLs.

Pages encoded in a PDL can be much smaller and faster to transmit than the
equivalent raw images. PDL descriptions can also be device- and
resolution-independent.

The best-known PDLs today are PostScript, PCL5, PCL6 (also called PCL/XL or
"pxl"), and PDF. Many printers can accept input in more than one language. We
discuss each of these languages briefly in the sections below.
Printers have to interpret jobs in these languages and transform them into some
form of bitmap representation that makes sense to the actual imaging hardware.
Therefore, printers contain language interpreters. Just as with C or Java, these
languages exist in multiple versions, and the versions make a difference. Most
PostScript printers understand PostScript Level 3, but if you send a Level 3 program
to a printer that only understands Level 2, the printer is likely to be confused. Would
you try to compile a FORTRAN 90 program with a FORTRAN 77 compiler? Certainly
not.

Rasterizing the PDL description (or anything else, such as image files) into bitmap
page images is called "raster image processing," and a program that rasterizes is
called a RIP. "To rip" is sometimes used informally as a verb.

It's possible to rip print jobs in your computer and view the images on your display.
We discuss host-based interpreters that do this, such as Ghostscript, on page 785.

You could in theory use your computer to rip jobs for printing and ship the completed
(and much larger) bitmaps off to be printed by a not-very-smart print device. In fact,
this is the way that many GDI (Windows) printers work, and it's somewhat supported
under Linux as well.
PostScript

PostScript is the most common PDL found on Linux systems. It was originally
developed by Adobe Systems, and many PostScript printers still use an interpreter
licensed from Adobe. Almost all page layout programs can generate PostScript, and
some work with PostScript exclusively.

PostScript is a full-fledged programming language. You can read most PostScript
programs with a text editor or with less. The programs contain a multitude of
parentheses, curly braces, and slashes and often start with the characters %!PS.
Although these starting characters are not required by the language itself, PostScript
interpreters and other printing software often look for them when trying to recognize
and classify print jobs. Because a job is a program, whatever interprets it (the
printer's own interpreter or a host-based one such as Ghostscript) is executing code
supplied by whoever submitted the job; treat jobs from untrusted sources accordingly.
PCL

One alternative to PostScript is Hewlett-Packard's Printer Control Language. It's
understood by HP printers as well as many others; some printers speak only PCL.
Unlike PostScript, which is a Turing-complete, generalized programming language,
PCL just tells printers how to print pages. PCL jobs are binary, not human readable,
and usually are much shorter than the equivalent PostScript. Linux applications
seldom generate PCL directly, but filters can convert PostScript to PCL.

Unlike PostScript, every version of PCL is a little different. The differences are minor
but significant enough to be annoying. Jobs that print correctly on a LaserJet 5si can
print slightly wrong on a LaserJet 5500, and vice versa. It's not just this pair of
models, either; every PCL printer has a PCL dialect with custom commands that take
advantage of that printer's features.

For example, if you tell your computer you have a LaserJet 4500 when you actually
have a LaserJet 4550, it may generate some PCL commands that the 4550 ignores or
misinterprets. Also, if you have a stored PCL print job, say, a blank purchase request
form, and you replace the printer for which it was generated with something newer,
you may have to regenerate the job.

Worse still, HP has defined two almost completely unrelated language families
called PCL: PCL5 (5C means color and 5E means black and white) and PCL6 (also
called PCL/XL). Nowadays, it's normal for new HP printers to have language
interpreters for both.

PCL4 is an archaic flavor of PCL5. Treat a PCL4 (or earlier) printer as you would a
Perl 4 interpreter: replace it with something newer.
PDF

Adobe's Portable Document Format is produced by Adobe Acrobat and many other
desktop publishing tools. OpenOffice, for example, can export documents as PDF.
PDF documents are platform independent, and PDF is routinely used to exchange
documents electronically for both on-line and off-line (printed) use. The final text
of this book was delivered to the book printer as a PDF file.

PDF is a document description language, not just a page description language. It
describes not only individual pages, but also the overall structure of a document:
which pages belong to which chapters, which text columns flow to other text
columns, etc. It also accommodates a variety of multimedia features for on-screen
use.

Some printers interpret PDF directly. If yours doesn't, a host of PDF viewers and
translators (including Ghostview, xpdf, kpdf, Evince, and Acrobat Reader) can
convert documents into something else (such as PostScript) that is more widely
understood. Your print system may even hide the conversion requirement from you
and automatically convert PDF documents before sending them to the printer.
XHTML

On the opposite end of the spectrum, looming just over the horizon, is XHTML-Print.
A printer that receives an XHTML-Print data stream (describing, for example, a web
page) produces a good-faith representation of the job, but different printers may
produce different representations, just as different browsers may represent the same
web page in different ways.

Why would users want that? Imagine that you're a VP of Marketing browsing the web
on your cell phone and that you see a web page relevant to a presentation you're
about to give. You walk over to a nearby Bluetooth-enabled printer and send it the
URL from your phone. The printer does the rest: it downloads the page from the web,
renders it, and prints copies. You take the copies from the output tray and head to
your presentation.
PJL

PJL, Hewlett-Packard's Printer Job Language, is not really a PDL. It's a metalanguage
that describes printer jobs. We describe it here because you'll see it mentioned in
printer descriptions.

PJL is a job control language that specifies things such as a job's PDL, whether the
job is duplex or simplex, what size paper to use, and so on. The PJL commands come
at the start of the job, and the PJL statements all start with @PJL:

@PJL SET COPIES=3
@PJL COMMENT FOO BAR MUMBLE
@PJL SET DUPLEX=ON
@PJL SET PAGEPROTECT=OFF
@PJL ENTER LANGUAGE=PCL

PJL is widely understood (or deliberately ignored) by non-HP printers, but if you're
having trouble printing something that contains PJL on a non-HP printer, try
removing the PJL with a text editor and resubmitting the job.
Printer drivers and their handling of PDLs

The software that converts a file into something a particular printer understands is
the "printer driver." To print PCL5 on a LaserJet 5500, you need a LaserJet 5500
PCL5 driver.

What if a printer supports only a subset of the languages you need to process? If you
download a PostScript file from the web and your printer only understands PCL5E,
what do you do? If your printer doesn't interpret PDF directly, how do you print a
PDF file?

One option is to convert the file by hand. Linux boxes come with plenty of conversion
utilities; there's almost always some way to turn what you have into something your
printers can print. Browsers can transform HTML (or XHTML) pages into
PostScript. OpenOffice can turn MS Word files into PDF. Ghostscript can turn PDF
into PostScript and PostScript into almost anything, including PCL.

An easier approach is to let your printing system do the work for you. Many systems
have some built-in knowledge about which conversions need to be done and can set
up the conversions for you automatically.

If you need to determine what PDL a file uses and you can't tell from the filename
(e.g., foo.pdf), the file command can tell you (unless the file starts with a chunk of
PJL instructions, in which case file just says "HP Printer Job Language data").

Save a few print jobs to files instead of shipping them to a printer, and you can see
what a program in one of these languages looks like. A minute or two perusing files
of each of these types in your text editor will give you a good feel for how different
they are. Don't cat them directly to your screen, since only PostScript is ASCII.
PostScript:

%!PS-Adobe-3.0
%%BoundingBox: 0 0 612 792
%%Pages: 1
...
% Draw a line around the polygons...
6 6 6 dup 0 setgray 0 0 moveto dup 0 lineto 0.016681 mul dup
lineto closepath stroke

PDF:

%PDF-1.3
%(four binary comment bytes)
81 0 obj
<<
/Linearized 1
/O 83
/H [ 15 44 ]
/T 12505
>>
endobj
xref
81 24
0000000016 00000 n
...
(binary stream data)
endstream
endobj

PCL5 (ESC shown as ^[; the job is binary and continues for many lines):

^[E^[&l1o0o10D^[&l1X^[*r0F^[*v0n1O^[*4300X^[*lBDT...

PCL/XL (binary; nonprinting bytes shown as ^X or <hex>):

^X^BX^B<8>^@<86>^C<8>A^@<88>^A<82>H^@(^@
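As an added example that is not from the book, the following shell functions do for a saved job what the PJL section and the paragraphs above describe by hand: strip a PJL preamble (the UEL sequence ESC %-12345X plus any @PJL lines) so the job can be resubmitted to a printer that chokes on it, report the language a PJL header announces, and classify the job by the bytes that follow the PJL, which is exactly the case in which file(1) only says "HP Printer Job Language data". The sample jobs are constructed in a temporary directory from the signatures shown above; that a PCL/XL stream begins with ") HP-PCL XL" is assumed from HP's PCL XL documentation rather than taken from this page.

```shell
#!/bin/sh
# Added example, not from the book: look past PJL to see what PDL a job is in.
# Assumes the UEL is ESC %-12345X and that a PCL/XL stream begins with
# ") HP-PCL XL" (both from HP's PJL and PCL XL documentation, not this page).
esc=$(printf '\033')

# Write the job with its PJL preamble removed (the UEL and every @PJL line).
# Use this to resubmit a job to a printer that mishandles PJL:
#     strip_pjl job.prn | lpr -P printer -o raw
strip_pjl() {          # $1: saved job file
    LC_ALL=C sed -e "s/${esc}%-12345X//g" -e '/^@PJL/d' "$1"
}

# Print the language named in "@PJL ENTER LANGUAGE=...", or nothing if absent.
pjl_language() {       # $1: saved job file
    LC_ALL=C grep -a -o '@PJL ENTER LANGUAGE *= *[A-Za-z0-9]*' "$1" | sed 's/.*= *//' | head -n 1
}

# Classify by the first bytes after any PJL: postscript, pdf, pclxl, pcl5
# (any escape-sequence PCL), pjl-only (nothing left) or unknown.
pdl_of_job() {         # $1: saved job file
    lead=$(strip_pjl "$1" | head -c 16)
    case $lead in
        '%!PS'*)         echo postscript ;;
        '%PDF-'*)        echo pdf ;;
        ') HP-PCL XL'*)  echo pclxl ;;
        "${esc}"*)       echo pcl5 ;;
        '')              echo pjl-only ;;
        *)               echo unknown ;;
    esac
}

# Constructed sample jobs (not real spool files).
SAMPLE_JOBS=$(mktemp -d)
trap 'rm -rf "$SAMPLE_JOBS"' EXIT
printf '%s%%-12345X@PJL SET COPIES=3\n@PJL ENTER LANGUAGE=POSTSCRIPT\n%%!PS-Adobe-3.0\n%%%%BoundingBox: 0 0 612 792\nshowpage\n%s%%-12345X' "$esc" "$esc" > "$SAMPLE_JOBS/pjl_ps.prn"
printf '%%PDF-1.3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n' > "$SAMPLE_JOBS/plain.pdf"
printf '%sE%s&l1o0o10D%s&l1X' "$esc" "$esc" "$esc" > "$SAMPLE_JOBS/pcl5.prn"
printf '%s%%-12345X@PJL ENTER LANGUAGE=PCLXL\n) HP-PCL XL;2;0\n' "$esc" > "$SAMPLE_JOBS/pclxl.prn"
printf '%s%%-12345X@PJL COMMENT nothing follows\n%s%%-12345X' "$esc" "$esc" > "$SAMPLE_JOBS/pjl_only.prn"

for job in pjl_ps.prn plain.pdf pcl5.prn pclxl.prn pjl_only.prn; do
    printf '%-13s pdl=%-10s pjl-says=%s\n' "$job" "$(pdl_of_job "$SAMPLE_JOBS/$job")" "$(pjl_language "$SAMPLE_JOBS/$job")"
done
```

When the two columns disagree (PJL announces one language and the bytes say another), the job was assembled by a driver that guessed wrong, and no amount of printer reconfiguration will fix it; regenerate the job.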
23.3 CUPS ARCHITECTURE

CUPS has a client/server architecture. A CUPS server is a spooler that maintains
print queues for clients.

CUPS clients can be applications with command line interfaces such as lpr and lpq,
or they can have graphical user interfaces such as kprinter. Other CUPS servers can
also act as clients from the perspective of a given server.

Consider the simplest possible configuration: a CUPS server on a single machine,
connected to a single printer, with a single print queue. The next few sections briefly
survey the commands and processes involved in a few common printing tasks.
Document printing

Here's how you might print the files foo.pdf and /tmp/testprint.ps:

$ lpr foo.pdf /tmp/testprint.ps

The client transmits copies of the files to the CUPS server, which stores them in the
print queue. CUPS processes each file in turn as the printer becomes ready.

CUPS examines both the document and the printer's PostScript Printer Description
(PPD) file to see what needs to be done to get the document to print properly. (As we
explain later, PPDs are used even for non-PostScript printers.)

To prepare a job for printing on a specific printer, CUPS passes it through a pipeline
of filters. These filters can perform a variety of functions. For example, a filter could
reformat the job so that two reduced-size page images print on each physical page
("2-up") or transform the job from one PDL to another. A filter can also perform
printer-specific processing such as printer initialization. A filter can even perform
rasterization on behalf of printers that do not include their own RIPs.

The final stage of the print pipeline is a back end that sends the job from the host to
the printer through an appropriate protocol such as USB. The back end also
communicates status information back to the CUPS server. To see the available back
ends, try the command

$ locate backend | grep -i cups

After transmitting the print job, the CUPS daemon goes back to processing its
queues and handling requests from clients. The printer goes to work trying to print
the job it was shipped.
Print queue viewing and manipulation

The lpq command requests job status information from the CUPS server and formats
it for display.

lpstat -t reports a good summary of the print server's overall status.

CUPS clients can ask the server to suspend, cancel, or reprioritize jobs. They can
also move jobs from one queue to another. Most changes require jobs to be identified
by their job number, which is reported by lpq.

For example, to remove a print job, just run lprm jobid.
Multiple printers

If more than one printer is connected to a machine, CUPS maintains a separate
queue for each printer.

Command-line clients accept an option (typically -P printer or -p printer) to specify
the printer queue. You can also set a default printer for yourself by setting the
PRINTER environment variable

$ export PRINTER=printer_name

or by telling CUPS to use a particular default for your account.

$ lpoptions -dprinter_name

lpoptions normally sets your personal defaults, which are stored in ~/.lpoptions.
When run as root, it sets system-wide defaults in /etc/cups/lpoptions. lpoptions -l
lists the current options.
Pr|nter |nstances
If you have only one piintei but want to use it in seveial ways-say, both foi quick
diafts and foi final pioduction woik-CUPS lets you set up diffeient "piintei in-
stances" foi these diffeient uses.
Foi example, if you alieady have a piintei named Phasei_6120, the command
$ Ipoptons -p Phaser_6120/2up -o number-up=2 -o job-sheets=standard
cieates an instance named Phasei_6120/2up that peifoims 2-up piinting and adds
bannei pages. The command
$ Ipr -P Phaser_6120/2up bgIstng.ps
then piints the PostSciipt file biglisting.ps as a 2-up job with banneis.
Network r|nt|ng
Fiom the CUPS peispective, a netwoik of many machines isn't veiy diffeient fiom
an isolated machine. Eveiy computei iuns a CUPS daemon (cupsd), and all the
CUPS daemons communicate with one anothei.
You configuie a CUPS daemon to accept piint jobs fiom iemote systems by editing
the /etc/cups/cupsd.conf file (see Netwcrk print server setup on page 77?). CUPS
seiveis that aie set up this way bioadcast infoimation about the piinteis they seive
eveiy ?0 seconds by default. As a iesult, computeis on the local netwoik automati-
cally leain about the piinteis available to them.
Making printers available to multiple networks or subnets is a little trickier since
broadcast packets do not cross subnet boundaries. The usual solution is to designate
a slave server on each subnet that polls the other subnets' servers for information
and then relays that information to machines on its local subnet.
For example, suppose the print servers allie (192.168.1.5) and jj (192.168.2.14) live
on different subnets and that we want both of them to be accessible to users on a
third subnet, 192.168.3. To make this work, we simply designate a slave server (say,
copeland, 192.168.3.10) and add these lines to its cupsd.conf file:
BrowsePoll allie
BrowsePoll jj
BrowseRelay 127.0.0.1 192.168.3.255
The first two lines tell the slave's cupsd to poll the cupsds on allie and jj for informa-
tion about the printers they serve. The third line tells copeland to relay all the infor-
mation it learns to its own subnet.
Need a more sophisticated setup? Multiple queues for one printer, each with differ-
ent defaults? A single server performing load balancing by parceling out jobs to sev-
eral printers? Multiple servers each handling interchangeable instances of the same
kind of printer? LPD or Windows clients? There's too much variation to go through
here, but CUPS handles all of these situations, and the CUPS documentation walks
you through the details.
The CUPS underlying protocol: HTTP
HTTP is the underlying protocol for all interactions among CUPS servers and their
clients. CUPS servers listen for connections on port 631. Clients submit jobs with
the HTTP POST operation. Status requests are implemented through HTTP GET.
The CUPS configuration files also look remarkably like Apache configuration files.
Some history may help you understand how this came about.
The earliest commercial UNIX application was document production. Key software
included text editors, markup languages (nroff/troff), and printing software.
Printers were primitive, and so were the spoolers. This was true for non-UNIX sys-
tems, too, though the non-UNIX systems were proprietary: IBM systems knew how
to drive IBM printers, Apple computers knew how to drive Apple printers, and so
on. The computer you were working on was often assumed (correctly) to be con-
nected directly to the printer. Printer configuration consisted of answering ques-
tions such as "Serial or parallel?"
When network printers became available, problems multiplied. Early network
printing systems were idiosyncratic and used an assortment of protocols for printer-
to-spooler communication, client-to-spooler communication, and network traffic
negotiation.
As the complexity of the world increased, several attempts were made to create uni-
fied standards, but none achieved universal acceptance. The protocols in use got
older and creakier. New printer features such as duplexing also spurred a lot of spe-
cial-case hacking.
Gritting its teeth, the IETF's Printer Working Group created the Internet Printing
Protocol (IPP), which is built on top of HTTP. Not only did this choice structure
interactions in terms of simple GET and POST requests, but it also allowed printing
to take advantage of standard, widely used technologies for authentication, access
control, and encryption.
Michael Sweet and Andrew Senft of Easy Software Products (ESP) brought IPP to
UNIX in the form of the CUPS implementation. Today, CUPS is the most complete
implementation of IPP on the planet.
Although ESP has its own market niche and products, CUPS is an open source
project and is freely redistributable. Most Linux and UNIX systems today use CUPS
as their default printing system.
A CUPS server is a web server, albeit one that communicates on port 631 instead of
port 80. You can verify this by contacting your local CUPS server through a web
browser (localhost:631). You'll see that the CUPS server serves up a GUI interface to
its full functionality. (You can also use SSL on port 443 for secure communication
with printers.) CUPS speaks IPP to web browsers, printers, GUI and CLI tools, and
other CUPS servers.
PPD files
When you invoke kprinter to print book.ps on the color printer Pollux, kprinter
may come back and ask you what size paper you want to print on. But wait: how
does CUPS know to tell its client, kprinter, that Pollux can print on A4 paper? How
does CUPS know Pollux can handle PostScript, and what should CUPS do if it can't?
Where does CUPS find the information that Pollux is a color printer?
All this information is kept in a PostScript Printer Description (PPD) file that de-
scribes the attributes and capabilities of a PostScript printer. The CUPS daemon
reads the PPDs for its printers and passes information about them to clients and
filters as needed.
PPDs were first developed for the Mac world, but they were quickly adopted by Win-
dows software. Each new printer comes with a PPD from the vendor. Mac and Win-
dows printer drivers use the PPD file to figure out how to send PostScript jobs to the
printer. For example, it makes no sense to ask a single-sided black-and-white printer
sold in America to print a duplex, color document on European B4-sized paper.
Older UNIX and Linux printing systems made no use of PPDs. Users either learned
how to massage their PostScript, or they lived with what they got as default output.
By contrast, CUPS was built from the ground up to take advantage of this rich source
of information. In fact, CUPS depends on PPDs.
Finding PPD files can take a bit of sleuthing. If a PPD is on your machine, it's proba-
bly in /etc/cups/ppd or /usr/share/cups/model. The command locate .ppd helps
track them down. For network printers, the PPDs are probably stored remotely;
CUPS clients get the PPD information from the relevant CUPS server.
PPD files are just text files. It's informative to take a look at one and see the type of
information that it contains.
PostScript printers all have vendor-supplied PPDs, which you can get from the in-
stallation disk or the vendor's web site. PPDs from the library distributed with CUPS
are kept in /usr/share/cups/model; CUPS copies PPDs that are currently in use into
/etc/cups/ppd.
CUPS also uses PPDs to describe printers that lack a PostScript interpreter. An extra
field does the trick. Look:
$ grep cupsFilter /usr/share/cups/model/pxlmono.ppd
*cupsFilter: "application/vnd.cups-postscript 0 pstopxl"
You can diff a couple of closely related PPDs (try pxlmono.ppd and pxlcolor.ppd)
to see exactly how two printer types differ.
If your printer vendor doesn't supply a PPD file (probably because the printer
doesn't have a PostScript interpreter and the vendor doesn't care about anything but
Windows), go to linuxprinting.org and hunt through the Foomatic database for
more information. Your printer may also be supported by the Gutenprint project
(gutenprint.sourceforge.net, formerly known as Gimp-Print). If you have a choice of
PPDs from these sources and your users want every last drop of quality, try each
option and see which output looks best.
If a PPD file is nowhere to be found, then
• You should have consulted linuxprinting.org before you got the printer.
• There may well be a generic PPD file that will let you print something, even
if it doesn't take advantage of all your printer's features.
• If you enhance a generic PPD file to make it work better with your printer,
you should contribute your new PPD to the Foomatic database.
Filters
Rather than using a specialized printing tool for every printer, CUPS uses a chain of
filters to convert a file you print into something your printer understands.
The CUPS filter scheme is elegant. When you give CUPS a file to print, it figures out
the file's MIME type, the MIME types understood by your printer, and the filters it
needs to convert the former to one of the latter.
CUPS uses rules in /etc/cups/mime.types to suss out the incoming data type. For
example, the rule
application/pdf pdf string(0,%PDF)
means "If the file has a .pdf extension or starts with the string %PDF, then its MIME
type is application/pdf."
CUPS figures out how to convert one data type to another by looking up rules in the
file /etc/cups/mime.convs. For example,
application/pdf application/postscript 33 pdftops
means "To convert an application/pdf file to an application/postscript file, run the
filter pdftops." The number 33 is the cost of the conversion.
If you need to write your own filters (improbable), do not modify the distributed
files. Create an additional set of files with its own basename and put it into /etc/cups
where CUPS can find the files. CUPS reads all files with the suffixes .types and
.convs, not just mime.types and mime.convs.
The last components in the CUPS pipeline are the filters that talk directly to the
printer. In the PPD of a non-PostScript printer you may see lines such as
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
or even
*cupsFilter: "application/vnd.cups-postscript foomatic-rip"
The quoted string has the same format as a line in mime.convs, but there's only one
MIME type instead of two. This line advertises that the foomatic-rip filter converts
data of type application/vnd.cups-postscript to the printer's native data format. The
cost is zero (or omitted) because there's only one way to do this step, so why pretend
there's a cost? (Gutenprint PPDs for non-PostScript printers are slightly different.)
Given a document and a target printer, CUPS uses the types files to figure out the
document type. It then consults the PPD to figure out what data type the printer
requires. It then uses the .convs files to deduce all the filter chains that could convert
one to the other, and what each chain would cost. Finally, it picks the lowest-cost
chain and passes the document through those filters.
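To make the type detection and the lowest-cost selection concrete, here is an added example in Python. It is not from the book and not CUPS's own code: it reads rules written in the .types and .convs formats quoted above and picks the cheapest filter chain with a shortest-path search, so it also handles the general case of several competing chains. Only the two quoted rules come from the text; the remaining rules, their costs, and the sample documents are constructed for the example, and CUPS's real tables are larger.

```python
"""Added example (not from the book, not CUPS code): a small model of how CUPS
picks a filter chain from .types and .convs rules.

The two rules quoted in the text are reproduced verbatim; every other rule,
cost and sample document below is constructed for this example.
"""
import heapq
import re

# Constructed mime.types-style rules: type, extension(s), optional string() magic.
TYPES_RULES = """
application/pdf         pdf string(0,%PDF)
application/postscript  ps  string(0,%!PS)
text/plain              txt
"""

# Constructed mime.convs-style rules: source dest cost filter.
CONVS_RULES = """
application/pdf                 application/postscript           33 pdftops
text/plain                      application/postscript           33 texttops
application/postscript          application/vnd.cups-postscript  66 pstops
application/vnd.cups-postscript application/vnd.cups-raster     100 pstoraster
application/pdf                 application/vnd.cups-raster      80 pdftoraster
"""

_STRING_RE = re.compile(r"string\((\d+),([^)]*)\)")


def parse_types(text):
    """Return a list of (mime, [extensions], (offset, magic bytes) or None)."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        mime, exts, magic = fields[0], [], None
        for f in fields[1:]:
            m = _STRING_RE.fullmatch(f)
            if m:
                magic = (int(m.group(1)), m.group(2).encode())
            else:
                exts.append(f)
        rules.append((mime, exts, magic))
    return rules


def detect_type(filename, data, rules):
    """First MIME type whose extension or magic string matches, as the rule text says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for mime, exts, magic in rules:
        if ext in exts:
            return mime
        if magic is not None:
            offset, needle = magic
            if data[offset:offset + len(needle)] == needle:
                return mime
    return "application/octet-stream"


def parse_convs(text):
    """Adjacency list: source type -> [(dest type, cost, filter)]."""
    graph = {}
    for line in text.strip().splitlines():
        src, dst, cost, filt = line.split()
        graph.setdefault(src, []).append((dst, int(cost), filt))
    return graph


def cheapest_chain(graph, src, dst):
    """Dijkstra over the conversion rules: (total cost, [filters]) or None."""
    heap = [(0, src, [])]
    best = {}
    while heap:
        cost, node, chain = heapq.heappop(heap)
        if node == dst:
            return cost, chain
        if node in best and best[node] <= cost:
            continue
        best[node] = cost
        for nxt, c, filt in graph.get(node, []):
            heapq.heappush(heap, (cost + c, nxt, chain + [filt]))
    return None  # no chain reaches the printer's type


def plan(filename, data, printer_type):
    """Detected MIME type and the cheapest chain to the printer's input type."""
    src = detect_type(filename, data, parse_types(TYPES_RULES))
    return src, cheapest_chain(parse_convs(CONVS_RULES), src, printer_type)


if __name__ == "__main__":
    print(plan("report.pdf", b"%PDF-1.4 ...", "application/vnd.cups-raster"))
```

With the constructed costs, a PDF headed for a raster printer takes the single pdftoraster step (cost 80) rather than pdftops, pstops and pstoraster (cost 199), which is exactly the choice the text describes CUPS making.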
The final filter in the chain passes the printable format to a back end, which commu-
nicates this data to the printer by using whatever protocol the printer understands.
To find the filters available on your system, try locate pstops. (pstops is a popular
filter that massages PostScript jobs in various ways, such as adding PostScript com-
mands to set the number of copies. The other filters won't be far away.)
You can ask CUPS for a list of the available back ends by running lpinfo -v. If your
system lacks a back end for the network protocol you need, it may be available from
the web or from the vendor.
23.4 CUPS SERVER ADMINISTRATION
cupsd starts at boot time and runs continuously. All our example Linux distribu-
tions are set up this way by default.
The CUPS configuration file is called cupsd.conf; it's usually found in /etc/cups.
The file format is similar to that of the Apache configuration file. If you're comfort-
able with one of these files, you'll be comfortable with the other.
After you make changes to the config file, run /etc/init.d/cups restart to restart the
daemon and make your changes take effect. (Debian and Ubuntu distributions use
/etc/init.d/cupsys restart instead.)
The default config file is well commented. The comments and the cupsd.conf man
page are good enough that we won't belabor the same information here.
You can edit the CUPS configuration file by hand, or if you have the KDE desktop
environment installed, you can configure the system through the KDE Print Manager,
which is accessible through the KDE control center. The KDEPrint Handbook docu-
ments the process in detail (see the Print Server Configuration chapter) and is a good
reference for CUPS variables, their meanings, and their default values.
You can directly run the CUPS-specific portion of the KDE print manager with the
cupsdconf command. This command is included in most systems' kdelibs pack-
ages; it is not necessary to install all of KDE to use it.
We don't have production experience with the KDE GUI, but in our testing it com-
plained about not understanding certain options found in the default cupsd.conf
files on all of our reference systems. On SUSE it refused to run at all, apparently
because the line
AuthType BasicDigest
in cupsd.conf caused it to look for the nonexistent file /etc/passwd.md5. (Other
systems use AuthType Basic as a default.) Your mileage may vary.
Network print server setup
To make CUPS accept print jobs from the network, make two modifications to the
cupsd.conf file. First, change
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
to
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From netaddress
</Location>
Replace netaddress with the IP address of the network from which to accept print
jobs (e.g., 192.168.0.0). Then look for the BrowseAddress keyword and set it to the
broadcast address on that network plus the CUPS port:
BrowseAddress 192.168.0.255:631
These two steps tell the server to accept requests from any machine on the network
and to broadcast what it knows about the printers it's serving to every CUPS dae-
mon on the network.
That's it! Once you restart the CUPS daemon, it comes back as a server.
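Since the two edits above are what turn a local spooler into a network-reachable service, here is an added example (not from the book and not part of CUPS) that reads the Location blocks and the BrowseAddress of a cupsd.conf written in the syntax shown and reports the things an administrator should look at before opening the daemon up: a location with no Order line or no Deny From All default, an Allow From All, or a very wide CIDR range. The sample configuration, its addresses, and its /admin location are constructed; the 16-bit width threshold is the example's own choice, and bare addresses like the book's 192.168.0.0 are reported without interpretation.

```python
"""Added example (not from the book, not CUPS code): a review of the access
directives in a cupsd.conf. The configuration below is constructed; the
addresses and the /admin block are made up for the example.
"""
import ipaddress
import re

SAMPLE_CUPSD_CONF = """
# constructed sample, not a real server's file
Listen 0.0.0.0:631
BrowseAddress 192.168.0.255:631
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.0/24
</Location>
<Location /admin>
Order Deny,Allow
Deny From All
Allow From All
</Location>
"""

_LOCATION_RE = re.compile(r"<Location\s+(\S+)>")


def parse_locations(text):
    """Return {path: {"order": str or None, "allow": [...], "deny": [...]}}."""
    locations, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LOCATION_RE.fullmatch(line)
        if m:
            current = locations.setdefault(
                m.group(1), {"order": None, "allow": [], "deny": []})
            continue
        if line == "</Location>":
            current = None
            continue
        if current is None:                   # directive outside any Location
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order" and len(words) >= 2:
            current["order"] = words[1]
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            current[key].append(words[2])
    return locations


def classify(source):
    """Rough width of an Allow/Deny source: all, local, net, or an address we leave alone."""
    s = source.lower()
    if s == "all":
        return "all"
    if s in ("localhost", "127.0.0.1", "@local"):
        return "local"
    if "/" in s or s.endswith("*"):
        return "net"
    return "addr"


def review(text):
    """Findings, in file order, that deserve a look before cupsd faces the network."""
    findings = []
    for path, loc in parse_locations(text).items():
        if loc["order"] is None:
            findings.append(f"{path}: no Order directive; relying on the default")
        elif loc["order"].lower() != "deny,allow":
            findings.append(f"{path}: Order is {loc['order']}, not Deny,Allow")
        if not any(classify(d) == "all" for d in loc["deny"]):
            findings.append(f"{path}: missing 'Deny From All' default")
        for a in loc["allow"]:
            kind = classify(a)
            if kind == "all":
                findings.append(f"{path}: 'Allow From All' opens this location to every host")
            elif kind == "net" and "/" in a:
                net = ipaddress.ip_network(a, strict=False)
                if net.prefixlen < 16:        # example's own threshold for "very wide"
                    findings.append(f"{path}: Allow From {a} is a very wide range")
    return findings


def browse_address(text):
    """The BrowseAddress value (host:port) or None if the file has none."""
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0].lower() == "browseaddress":
            return words[1]
    return None


if __name__ == "__main__":
    print(browse_address(SAMPLE_CUPSD_CONF))
    for finding in review(SAMPLE_CUPSD_CONF):
        print(finding)
```

On the constructed file the root location passes, and the only finding is the /admin block's Allow From All, which is the kind of line that is easy to leave behind after testing.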
Printer autoconfiguration
You can actually use CUPS without a printer (for example, to convert files to PDF or
fax format), but its typical role is to manage real printers. In this section we review
the ways in which you can deal with the printers themselves.
In some cases, adding a printer is trivial. CUPS tries to autodetect USB printers
when they're plugged in and to figure out what to do with them.
Printer manufacturers typically supply installation software that does most of the
setup work for you on Windows and even Mac OS X (which also uses CUPS). How-
ever, you can't assume that vendors will handle installation for you on Linux.
Even if you have to do the work yourself, adding a printer often consists of nothing
more than plugging in the hardware, connecting to the CUPS web interface at
localhost:631/admin
and answering a few questions. KDE and GNOME come with their own printer con-
figuration widgets, which you may prefer to the CUPS interface.
If someone else adds a printer and one or more CUPS servers running on the net-
work know about it, your CUPS server will be notified of its existence. You don't
need to explicitly add the printer to the local inventory or copy PPDs to your ma-
chine. It's all done with mirrors.
Network printer configuration
Network printers need some configuration of their own just to be citizens of the
TCP/IP network. In particular, they need to know their IP address and netmask.
That information is usually conveyed to them in one of two ways.
Most modern printers can get this information across the network from a BOOTP or
DHCP server. This method works well in environments that have many homoge-
neous printers. See page 311 for more information about DHCP.
Alternatively, you can set a static IP address from the printer's console, which usu-
ally consists of a set of buttons on the printer's front panel and a one-line display.
Fumble around with the menus until you discover where to set the IP address. (If
there is a menu option to print the menus, use it and save the printed version.)
A few printers give you access to a virtual console through a serial port. It's a nice
idea, but the total amount of work is probably similar to using the front-panel but-
tons. The principles are the same.
If all else fails, many printers come with manuals.
Once configured, network printers usually have a "web console" accessible from a
browser. However, printers need to have an IP address before you can get to them
this way, so there's a bootstrapping issue.
After your printer is on the network and you can ping it, make sure to secure it as
described in the section Secure your printers on page 787.
Printer configuration examples
As examples, let's add the parallel printer groucho and the network printer fezmo
from the command line.
# lpadmin -p groucho -E -v parallel:/dev/lp0 -m pxlcolor.ppd
# lpadmin -p fezmo -E -v socket://192.168.0.12 -m laserjet.ppd
As you can see, groucho is attached to port /dev/lp0, and fezmo is at IP address
192.168.0.12. We specify each device in the form of a universal resource indicator
(URI), and choose a PPD from the ones in /usr/share/cups/model.
As long as the local cupsd has been configured as a network server, it immediately
makes the new printers available to other clients on the network.
Instead of using the command-line interface, you can use the web-based configura-
tion tools presented by the CUPS server if you prefer. That's true of all the adminis-
trative tasks in this section.
CUPS accepts a wide variety of URIs for printers. Here are a few more examples:
ipp://zoe.canary.com/ipp
lpd://riley.canary.com/ps
serial:/dev/ttyS0?baud=9600+parity=even+bits=7
socket://gillian.canary.com:9100
usb://XEROX/Phaser%206120?serial=YGG21054
Some URIs take options (e.g., serial) and others don't. lpinfo -v lists the devices
your system can see and the types of URIs that CUPS understands.
Printer class setup
A "class" is a set of printers that share a queue. Jobs in the queue can print on which-
ever printer becomes available first. The command below creates the class haemer
and includes three printers in it: riley, gilly, and zoe.
# lpadmin -p riley -c haemer
# lpadmin -p gilly -c haemer
# lpadmin -p zoe -c haemer
Note that there is no explicit step to create the class; the class exists as long as print-
ers are assigned to it. In fact, CUPS is even smarter than that: if multiple printers on
a network are all given the same name, CUPS treats them as an implicit class and
load-shares jobs among them automatically.
Service shutoff
If you want to remove a printer or class, that's easily done with lpadmin -x.
# lpadmin -x fezmo
# lpadmin -x haemer
But what if you just want to disable a printer temporarily for service instead of
removing it? You can block the print queue at either end. If you disable the tail (the
exit or printer side) of the queue, users can still submit jobs, but the jobs will never
print. If you disable the head (entrance) of the queue, jobs that are already in the
queue will print, but the queue will reject attempts to submit additional jobs.
The disable and enable commands control the exit side of the queue, and the reject
and accept commands control the submission side. For example:
# disable groucho
# reject corbet
Which to use? It's a bad idea to accept print jobs that have no hope of being printed
in the foreseeable future, so use reject for extended downtime. For brief interrup-
tions that should be invisible to users (e.g., clearing a paper jam), use disable.
Administrators occasionally ask for a mnemonic to help them remember which
commands control which end of the queue. Consider: if CUPS "rejects" a job, that
means you can't "inject" it. Another way to keep the commands straight is to re-
member that accepting and rejecting are things you can do to print jobs, whereas
disabling and enabling are things you can do to printers. It doesn't make any sense
to "accept" a printer or a print queue.
A word of warning: in addition to being a CUPS command, enable is also a bash
built-in command. bash assumes you mean its own enable unless you specify the
full pathname of the command, /usr/bin/enable. As it happens, bash's version of
enable enables and disables bash built-ins, so you can use it to disable itself:²
$ enable -n enable
CUPS itself sometimes temporarily disables a printer that it's having trouble with
(e.g., if someone has dislodged a cable). Once you fix the problem, remember to
reenable the queue. If you forget, lpstat will tell you. (For a more complete discus-
sion of this issue and an alternative approach, see www.linuxprinting.org/beh.html).
2. For bonus points, figure out how to reenable bash's built-in enable command now that you have
blocked access to it. enable enable won't work!
Other configuration tasks
Today's printers are heavily configurable, and CUPS lets you tweak a wide variety of
features through its web interface and through the lpadmin and lpoptions com-
mands. As a rule of thumb, lpadmin is for system-wide tasks and lpoptions is for
per-user tasks.
lpadmin lets you restrict access in more fine-grained ways than disable and reject
do. For example, you can set up printing quotas and specify which users can print to
which printers.
Paper sizes
In the United States and Canada, the most common paper size is called letter and is
8.5 × 11 inches. Some Linux distributions (e.g., Knoppix and SUSE) are produced in
Europe, where they don't even know what inches are, or in England, where they do
know but don't use them to measure paper. In these places, and in Japan, the com-
mon paper type is called A4, and printers all come with A4 trays. Ergo, some distri-
butions' printing utilities produce A4 page images by default.
A4 paper makes sense because it's irrational (mathematically, that is). The ratio of
length to width of A4 paper is √2. If you slice a piece of A4 paper in half horizontally,
you get two half-size pieces of paper that have the same length-to-width ratio. This
paper size is called A5. Cut A5 in half and you get two sheets of A6. In the other
direction, A3 is twice the area of A4, but the same shape, and so on.
In other words, you can manufacture A0 paper, which has an area of 1 square meter,
and use a paper cutter to create the other sizes you need. The only common U.S.
paper size you can play this kind of game with is ledger (11 × 17 inches, also known
as tabloid), which you can slice in half to get two sheets of letter.
There are also an ISO B series and C series that preserve the 1:√2 aspect ratio but
have different base areas. B0 is 1 m in height and C0 paper has an area of ⁴√2 m².
Engineers will see immediately that the sides of Bn paper are the geometric means of
the A(n-1) and An sides, while Cn paper sides are the geometric means of An and Bn.
What does all this mean? Bn has the same look as An but is bigger, and Cn is inter-
mediate between the two. A report on A4 paper fits beautifully in a C4 manila folder.
Folding an A4 letter down the middle to make it A5 lets it slide into a C5 envelope.
Fold it again and it slides just as nicely into a C6 envelope.
To confuse things slightly, Japan has its own B series that's slightly different. Al-
though it has the same aspect ratio as the ISO papers, Japanese B4 paper size is the
arithmetic mean of A3 and A4, which makes it slightly larger than ISO B4 paper.
There is no Japanese C series.
Just as the ISO system makes it easy to copy two pages of a B5 textbook onto a single
B4 handout, it makes all types of n-up printing (printing several reduced-sized page
images on the same page) trivial. European copiers often have buttons that reduce
or expand by a factor of √2.
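The relationships above, carried through as an added Python example that is not from the book: A-series sides follow from the 1 m² area of A0 and the 1:√2 ratio, B-series sides are geometric means of the sides of adjacent A sizes, and C-series sides are geometric means of the A and B sides. Rounding to whole millimetres reproduces the familiar A4 (210 × 297 mm) and C4 (229 × 324 mm); the tabulated ISO B4 long side (353 mm) sits within a millimetre of the exact 353.55 mm because the standard tabulates rounded sizes. The example generalizes the text's A4 and C0 remarks to any n.

```python
"""Added example (not from the book): ISO 216 paper geometry in code.

Sizes are (short side, long side) in metres. A0 has area 1 m^2 and the
sides are in the ratio 1:sqrt(2); An has area 2**-n. Bn sides are the
geometric means of the A(n-1) and An sides; Cn sides are the geometric
means of the An and Bn sides.
"""
import math


def a_size(n):
    """An: area 2**-n m^2, long side = short side * sqrt(2)."""
    short = 2 ** (-0.25 - n / 2)
    return short, short * math.sqrt(2)


def b_size(n):
    """Bn: each side is the geometric mean of the A(n-1) and An sides."""
    prev, cur = a_size(n - 1), a_size(n)
    return tuple(math.sqrt(p * c) for p, c in zip(prev, cur))


def c_size(n):
    """Cn: each side is the geometric mean of the An and Bn sides."""
    a, b = a_size(n), b_size(n)
    return tuple(math.sqrt(x * y) for x, y in zip(a, b))


def area_m2(size):
    return size[0] * size[1]


def mm(size):
    """Round a size to whole millimetres, the way paper is tabulated."""
    return tuple(round(s * 1000) for s in size)


def halved(size):
    """Cut a sheet across its long side: the new long side is the old short side."""
    return size[1] / 2, size[0]


if __name__ == "__main__":
    for n in range(6):
        print(f"A{n} {mm(a_size(n))}  B{n} {mm(b_size(n))}  C{n} {mm(c_size(n))}")
    print("C0 area in m^2:", area_m2(c_size(0)))
```

halved(a_size(4)) comes out equal to a_size(5), which is the "slice it in half and the ratio survives" property that makes n-up printing painless.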
If your system has the paperconf command installed, you can use the command to
print the dimensions of various named papers in inches, centimeters, or printer's
points (72nds of an inch). For the Americans, Table 23.1 lists some typical uses for
common sizes to give a sense of their scale.
Unfortunately, A4 paper is slightly thinner and longer (8.3 × 11.7 inches) than
American letter paper. Printing an A4 document on letter paper typically cuts off
vital slivers such as headers, footers, and page numbers. Conversely, if you're in Eu-
rope or Japan and try to print American pages on A4 paper, you may have the sides
of your documents chopped off (though the problem is less severe).
Individual software packages may have their own defaults regarding paper size. For
example, GNU enscript is maintained in Finland by Markku Rossi and defaults to
A4 paper. If you're American and your distribution hasn't compiled enscript with a
different default, one option is to grab the source code and reconfigure it. Typically,
however, it's easier to set the paper type on the command line or in a GUI configura-
tion file. If your documents come out with the ends or sides cut off, paper size con-
flicts are a likely explanation.
You may also be able to adjust the default paper size for many printing tasks with the
paperconfig command, the PAPERSIZE environment variable, or the contents of
the /etc/papersize file. (Note: paperconfig != paperconf)
Table 23.1 Common uses for ISO paper sizes
Sizes     Common uses
A0, A1    Posters
A3, B4    Newspapers
A4        Generic "pieces of paper"
A5        Note pads (roughly 5 × 8 inches)
B5, B6    Books, postcards, German toilet paper
A7        3 × 5" index cards
B7        Passports (even U.S. passports are B7)
A8        Business cards
B8        Playing cards
Compatibility commands
In the old days, there were two competing printing systems: one found on BSD
UNIX systems, the other found on System V UNIX systems. The two systems each
maintained relatively simple print queues and provided commands to create, delete,
start, stop, and pause the queues and to queue or dequeue individual jobs.
You may ask, why were there two systems and was there any significant difference
between them? Stand up in the middle of a Linux users group meeting and yell
"Anyone who uses vi is an idiot!" Then come ask us again.
Wisely, CUPS provides compatibility commands that replace both systems. Part of
the motivation is to grease the path for old-timers who are used to previous systems,
but compatibility with existing software is also an important goal.
To be sure, these commands don't always do everything the originals did, and some
less-used and vendor-specific commands aren't yet implemented. Still, many scripts
that use these commands work just fine with CUPS. Think of what's missing as an
opportunity: if you want to contribute to world peace and Pareto optimality, there's
still code left for you to write.
Table 23.2 lists the CLI commands that come with CUPS and classifies them accord-
ing to their origin.
Table 23.2 CUPS command-line utilities and their origins
Origin    Command          Function
CUPS      lpinfo           Shows available devices or drivers
          lpoptions        Displays or sets printer options and defaults
          lppasswd         Adds, changes, or deletes digest passwords
          cupsdconf (a)    Is a CUPS configuration tool
          cups-config (a)  Prints CUPS API, compiler, directory, and link information
System V  lp               Prints files
          cancel           Cancels jobs
          accept, reject   Accepts or rejects queue submissions
          disable, enable  Stops or starts printers and classes
          lpstat           Prints CUPS status information
          lpadmin          Configures CUPS printers and classes
          lpmove           Moves a job to a new destination
BSD       lpr              Prints files
          lprm             Cancels print jobs
          lpq              Displays printer queue status
          lpc              Is a general printer control program
a. Don't confuse these similar names. cupsdconf is a GUI tool in KDEPrint, and cups-config is a CLI
tool included with CUPS.
Common printing software
There's more to printing than just spooling and printing jobs. Even on a stock
Ubuntu system, the command
$ man -k . | egrep -i 'ghostscript|cups|print(er|ing| (job|queue|filter))'
lists more than 88 printing-related man pages, and that's just a quick and dirty
search. (Speaking of printing-related commands, ponder the fact that the print
command has nothing to do with printing.) Several of these commands and tools
are worth knowing about.
pr is one of the oldest printing tools. It reformats text files for the printed page. It
breaks its input into pagefuls of 66 lines, adds headers and footers, and can double-
space text. It's perfect for minor massaging of text files on their way to the printer.
Adobe's enscript command performs similar conversions with quite a few more bells
and whistles; its output is also PostScript. GNU enscript is an open source version
of this command that is backward compatible with Adobe's; however, GNU enscript
offers a wealth of new features, including language-sensitive highlighting, support
for various paper sizes, font downloading, and user-defined headers.
One of enscript's main claims to fame was its implementation of 2-up printing. If
you're still using enscript because of this feature, try CUPS's -o number-up=2 op-
tion to lpr.
At the high end of the complexity spectrum is Ghostscript, originally written by L.
Peter Deutsch so he could print PostScript documents on inexpensive PCL printers.
Today, Ghostscript interprets both PostScript and PDF. CUPS uses it as a filter, but
Ghostscript can also create page images for the screen, either on its own or with help
from front ends such as gv, GNOME Ghostview (ggv), or KDE's KGhostView.
Linux distributions all come with a free version of Ghostscript; for more informa-
tion, see www.ghostscript.com. A commercial version of Ghostscript with support is
available from Artifex Software.
CUPS documentation
There's no shortage of CUPS documentation, but sometimes you have to hunt for it.
Man pages, such as those for lpr, can be sketchy. If you don't find something in a
man page, don't assume you can't do it; google it.
The CUPS installation comes with many manuals in PDF and HTML format. One
place to see these is to connect to a CUPS server and click the link for on-line help.
Unfortunately, this isn't any help if your problem is connecting to the CUPS server.
The same documentation can be found at www.cups.org. It should also be located
under /usr/share/doc/cups. If your distribution doesn't have it installed there, try
$ locate doc | grep cups
Another option is to ask your distribution's package manager.
23.5 TROUBLESHOOTING TIPS
Always remember to restart cupsd after changing its configuration file. Your best
bet for restarting is to run /etc/init.d/cups restart (/etc/init.d/cupsys restart on
Debian and Ubuntu). You can also restart the daemon through the KDE Print Man-
ager application. In theory you can also send cupsd a HUP signal, but this seems to
just kill the daemon on SUSE systems.
CUPS logging
CUPS maintains three logs: a page log, an access log, and an error log. The page log
is a list of pages printed. The other two are just like the access log and error log for
Apache. Not surprising, since the CUPS server is a web server.
The cupsd.conf file specifies the logging level and the locations of the log files.
They're all typically kept underneath /var/log.
Here's an excerpt from a log file that corresponds to a single print job:
I [26/Jul/2006:18:59:08 -0600] Adding start banner page "none" to job 24.
I [26/Jul/2006:18:59:08 -0600] Adding end banner page "none" to job 24.
I [26/Jul/2006:18:59:08 -0600] Job 24 queued on 'Phaser_6120' by 'jsh'.
I [26/Jul/2006:18:59:08 -0600] Started filter /usr/libexec/cups/filter/pstops (PID
185) for job 24.
I [26/Jul/2006:18:59:08 -0600] Started backend /usr/libexec/cups/backend/usb
(PID 186) for job 24.
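When a job misbehaves, the useful unit is the job, not the line, and the error log mixes lines that name the job with lines that name only a filter or back-end PID. Here is an added example (not from the book) that parses lines of the shape shown above, a level letter, a bracketed timestamp, and a message, groups them by job, and attaches PID-only lines to the job that started that PID. The sample log is constructed to match that shape; its printer, user, PIDs, second job and failure lines are made up.

```python
"""Added example (not from the book): group cupsd error_log lines by job.

Line shape, as in the excerpt above:  <level> [<dd/Mon/yyyy:HH:MM:SS zone>] <message>
The lines below are constructed for the example; printer, user, PIDs, the
second job and the failure lines are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_ERROR_LOG = """\
I [26/Jul/2006:18:59:08 -0600] Adding start banner page "none" to job 24.
I [26/Jul/2006:18:59:08 -0600] Job 24 queued on 'Phaser_6120' by 'jsh'.
I [26/Jul/2006:18:59:08 -0600] Started filter /usr/libexec/cups/filter/pstops (PID 185) for job 24.
I [26/Jul/2006:18:59:08 -0600] Started backend /usr/libexec/cups/backend/usb (PID 186) for job 24.
E [26/Jul/2006:19:02:41 -0600] PID 186 stopped with status 1!
I [26/Jul/2006:19:02:41 -0600] Job 24 completed with status 1.
W [26/Jul/2006:19:05:00 -0600] Job 25 queued on 'groucho' by 'nobody'.
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z])\s+\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
JOB_RE = re.compile(r"\b[Jj]ob (?P<job>\d+)\b")
PID_RE = re.compile(r"\bPID (?P<pid>\d+)\b")


def parse_line(line):
    """Split one log line into level, aware timestamp, message, job id, PID; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    msg = m.group("msg")
    j, p = JOB_RE.search(msg), PID_RE.search(msg)
    return {"level": m.group("level"), "time": ts, "msg": msg,
            "job": int(j.group("job")) if j else None,
            "pid": int(p.group("pid")) if p else None}


def group_by_job(text):
    """Map job id -> entries. A line that names only a PID is credited to the
    job whose 'Started filter/backend ... (PID n) for job m' line introduced it."""
    pid_to_job, jobs = {}, defaultdict(list)
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue                              # skip lines that don't fit the shape
        if e["job"] is not None and e["pid"] is not None:
            pid_to_job[e["pid"]] = e["job"]
        job = e["job"] if e["job"] is not None else pid_to_job.get(e["pid"])
        jobs[job].append(e)
    return dict(jobs)


def failed_jobs(text):
    """Jobs with at least one E-level line attributed to them, sorted."""
    return sorted(job for job, entries in group_by_job(text).items()
                  if job is not None and any(e["level"] == "E" for e in entries))


if __name__ == "__main__":
    for job, entries in group_by_job(SAMPLE_ERROR_LOG).items():
        print(job, [e["level"] for e in entries])
    print("failed:", failed_jobs(SAMPLE_ERROR_LOG))
```

In the constructed log the E line names only PID 186, so it would be invisible to a grep for "job 24"; the PID-to-job map is what ties the back-end failure to the job that lpstat will later show as disabled.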
Problems with direct printing
To verify the physical connection to a local printer, you can directly run the printer's back end. For example, here's what we get when we execute the back end for a USB-connected printer:
$ /usr/lib/cups/backend/usb
direct usb "Unknown" "USB Printer (usb)"
direct usb://XEROX/Phaser%206120?serial=YGG21054 "XEROX Phaser 6120" "Phaser 6120"
When the USB cable accidentally pulls out (or breaks), the line for that printer drops out of the back end's output:
$ /usr/lib/cups/backend/usb
direct usb "Unknown" "USB Printer (usb)"
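The "line drops out" check above is easy to automate once the backend's output is parsed. This Python script is an added example, not code from the book or from CUPS; it assumes the discovery line format shown above (device class, device URI, quoted make-and-model, quoted info, and an optional quoted device id) and treats the bare "usb" line as the placeholder the backend prints whether or not a printer is attached. The two snapshots are constructed from the output above.

```python
"""Parse the discovery output of a CUPS backend and spot printers that vanished."""
import shlex

# Constructed samples in the format a backend prints when run by hand with no
# arguments: device-class, device-uri, quoted make-and-model, quoted info, and
# optionally a quoted device id. Modelled on the usb backend output above.
BEFORE = """\
direct usb "Unknown" "USB Printer (usb)"
direct usb://XEROX/Phaser%206120?serial=YGG21054 "XEROX Phaser 6120" "Phaser 6120"
"""
# The same backend run again after the cable came loose: the Phaser line is gone.
AFTER = """\
direct usb "Unknown" "USB Printer (usb)"
"""


def parse_backend_output(text):
    """Map each device URI to its class, make/model, info string and device id."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)      # honours the double-quoted fields
        if len(fields) < 4:
            raise ValueError(f"unexpected backend line: {line!r}")
        dev_class, uri, make_model, info = fields[:4]
        devices[uri] = {
            'class': dev_class,
            'make_model': make_model,
            'info': info,
            'device_id': fields[4] if len(fields) > 4 else None,
        }
    return devices


def real_devices(devices):
    """URIs that name an actual printer. The bare 'usb' entry is the placeholder
    line the backend prints regardless, so it is not counted (assumption)."""
    return sorted(uri for uri in devices if '://' in uri)


def missing_devices(before_text, after_text):
    """Printers present in an earlier run but absent now: the symptom of a
    pulled cable or a powered-off printer described in the text."""
    before = set(real_devices(parse_backend_output(before_text)))
    after = set(real_devices(parse_backend_output(after_text)))
    return sorted(before - after)


if __name__ == '__main__':
    print("detected now:", real_devices(parse_backend_output(AFTER)))
    print("gone since last run:", missing_devices(BEFORE, AFTER))
```

In practice you would save the backend's output when the printer is known to be working and feed a fresh run to missing_devices; an empty real_devices list on the fresh run means the backend sees no printer at all, which points at the cable, the printer's power, or USB permissions rather than at cupsd.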
Network printing problems
Before you start tracking down a network printing problem, make sure you can print from the machine that actually hosts the printer. Your "network printing problem" may just be a "printing problem." Also make sure that the network is up. Next, try connecting to the hosting cupsd with a web browser (hostname:631) or the telnet command (telnet hostname 631).
If you have problems debugging a network printer connection, keep in mind that there must be a queue for the job on some machine, a way to decide where to send the job, and a method of sending the job to the machine that hosts the print queue. On the print server, there must be a place to queue the job, sufficient permissions to allow the job to be printed, and a way to output to the device.
To track down these problems, you may have to look in several places:
• System log files on the sending machine, for name resolution and permission problems
• System log files on the print server, for permission problems
• CUPS log files on the sending machine, for missing filters, unknown printers, missing directories, etc.
• CUPS log files on the print server machine, for messages about bad device names, incorrect formats, etc.
The system log files' locations are specified in /etc/syslog.conf. The locations of CUPS log files are specified in /etc/cups/cupsd.conf.
Distribution-specific problems
CUPS is still evolving and bug fixes are released frequently. Some problems are worse than others, and some have security implications. On some older versions of Red Hat, CUPS is badly broken. The right solution for those systems is an OS upgrade. But if you can't install a newer release of Red Hat or Fedora, try getting the current release for CUPS.
Easy Software Products sells a commercial version of CUPS called ESP PrintPro that supports a much wider range of printers than the free version. If you have to support an unusual printer and you can't find the necessary drivers on the web, ESP may already have it running. They also sell support. Check them out at www.easysw.com.
23.6 PRINTER PRACTICALITIES
Dealing with printers can bring troubles and frustrations. Here are some general guidelines to help limit those. When all else fails, just be glad you're not still using a dot-matrix printer connected via an RS-232 serial port. Unless, of course, you are.
Printer selection
Before you buy a printer or accept a "free" printer that someone else is throwing away, go to the Foomatic database at linuxprinting.org and check to see how well the printer is supported under Linux. The database classifies printers into four categories ranging from Paperweight to Perfectly; you want Perfectly.
CUPS likes PostScript printers. Configuration of these printers is typically easy. Non-PostScript printers are also supported, but not as well. To print to these, you need software that converts print jobs into the printer's preferred PDL or data format. Chances are, this software is available either from the CUPS distribution or from one of the other locations mentioned in this chapter.
GDI printers
Windows still holds an advantage in a couple of areas, one of which is its support for very low-end printers. The el cheapo printers used on Windows systems are known collectively as GDI printers or WinPrinters. These printers have very little built-in intelligence and lack interpreters for any real PDL. They expect rasterization to be performed by the host computer.
Some of the information needed to communicate with GDI printers is hidden in proprietary, Windows-specific code. Such secrecy hinders efforts to develop Linux support for these devices, but the open-source community has demonstrated a remarkable aptitude for reverse engineering. CUPS supports many WinPrinters.
A second area of strength for Windows is its support for brand-new printers. Just as with new video and audio cards, new printers are first released with Windows drivers, which fully support all the model's documented and undocumented features. Linux support generally lags. If you buy a fancy, just-released printer because you need its advanced features, you may have to resign yourself to driving it from Windows for a while.
Double-sided printing
A duplexer is a hardware component that lets a printer print on both sides of the page. Some printers include them by default, and others support them as an optional add-on.
If you don't have access to (or can't afford) a printer that duplexes, you can run paper through the printer once to print the odd pages, then flip the paper over and run it a second time for the even pages. Experiment with a two-page document to find out which way to flip the paper, then tape instructions to the printer.
A variety of printing software can help with this; for example, Ghostview (gv) has icons to let you mark either set and an option to print only marked pages. The CUPS versions of lp and lpr handle this task with the options -o page-set=odd and -o page-set=even. You can enshrine these options in a "printer instance" if you use them frequently; see page 768.
Some printers, particularly inexpensive laser printers, are not designed with double-sided printing in mind. Their manufacturers often warn of the irreparable damage that is sure to attend printing on both sides of the page. We have never actually seen a case of such damage, but surely the printer manufacturers wouldn't steer you wrong. Would they?
Other printer accessories
In addition to duplexers, many printers let you add memory, extra paper trays, hard disks, and other accessories. These upgrades can permit jobs to print that would be otherwise indigestible, or they can let jobs print more efficiently. If you have problems getting jobs to print, review the error logs to see if more printer memory might help resolve the problem. See CUPS logging on page 781.
Serial and parallel printers
If your printer is directly attached to your computer with a cable, it's using some form of serial or parallel connection.
Although the parallel standard has not aged gracefully, it does provide us with ports that require relatively little tinkering. If you have a parallel printer, it will probably be easy to set up, as long as your computer has a parallel port, too.
A serial connection on Mac hardware could be FireWire, but serial connections in the Linux world typically use USB. Check the database of supported USB devices at www.qbik.ch/usb/devices or www.linux-usb.org to see the status of your hardware.
You almost certainly do not have an old-fashioned RS-232 serial printer. If you do, it can require a mess of extra configuration. The spooler software has to know the appropriate values for the baud rate and other serial options so that it can communicate properly with the printer. You specify all these options in the URI for the device. See the on-line CUPS Software Administrators Manual for details. It may be faster to buy a different kind of printer than to figure out the exact combination of serial magic needed to get things working.
Network printers
Many printers contain full-fledged network interfaces that allow them to sit directly on a network and accept jobs through one or more network or printing protocols. Data can be sent to network-attached printers much faster than to printers connected to serial or parallel ports.
23.7 OTHER PRINTER ADVICE
Some administrative issues related to printing transcend the details of Linux and CUPS. For the most part, these issues arise because printers are temperamental mechanical devices that cost money every time they are used.
Use banner pages only if you have to
CUPS can print header and trailer pages for each job that show the title of the job and the user who submitted it. These banner pages are sometimes useful for separating jobs on printers used by many different people, but in most cases they're a waste of time, toner, and paper.
We suggest that you turn off banner pages globally in the CUPS GUI (or by running lpadmin), then turn them on for any individual jobs that might benefit from them:
$ lpr -o job-sheets=confidential gilly.ps
You can also turn on banners for individual users by using lpoptions. Another alternative to consider is a printer instance that adds banner pages to jobs (see Printer instances on page 768).
If needed, you can create custom banner pages by copying one of the existing ones from /usr/share/cups/banners and modifying it. Put the new page in with the others under a new name.
Provide recycling bins
All kinds of computer paper are recyclable. You can use the boxes that paper comes in as recycling bins; the paper fits in them perfectly. Post a sign asking that no foreign material (such as staples, paper clips, or newspaper) be discarded there.
Use previewers
Users often print a document, find a small error in the formatting, fix it, and then reprint the job. This waste of paper and time can easily be avoided with software that lets users see, on-screen, what the printed output will look like.
Having previewers isn't enough; your users have to know how to use them. They're usually happy to learn. One use of accounting records is to check for cases in which the same document has been printed repeatedly. That's sometimes a pointer to a user who doesn't know about previewers.
Previewing is built into many modern WYSIWYG editors, browsers, and print-job aggregators. For other types of documents, your options vary. Tools such as Ghostview (gv) preview random PostScript and PDF documents. For roff, pipe the output of groff into Ghostview; for TeX output, try xdvi, kdvi, or Evince.
Buy cheap printers
Printer hardware technology is mature. You don't need to spend a lot of money for good output and reliable mechanics.
Don't splurge on an expensive "workgroup" printer unless you need it. If you're only printing text, an inexpensive "personal" printer can produce good-quality output, be nearly as fast and reliable, and weigh tens of pounds less. A 10-page-a-minute printer can serve about five full-time writers. You may be better off buying five $250 printers for a group of 25 writers than one $1,250 printer.
In general, don't buy a printer (or a hard disk, or memory) from a computer manufacturer. Their printers are usually just rebranded commodity printers at twice the price. PostScript printers manufactured for the PC and Macintosh markets and sold independently are usually better deals. (Some companies, like HP, manufacture both computers and printers. They're fine.)
Even if you stick to mainstream brands, no individual manufacturer is a universally safe bet. We have had excellent experiences with HP laser printers. They are solid products, and HP has been very aggressive in supporting both Linux and CUPS. Even so, some of HP's printers have been complete disasters. Look for reviews on the Internet before buying.
Here, too, cheap is an advantage: a $250 mistake is easier to recover from than a $1,250 mistake.
Keep extra toner cartridges on hand
Laser printers occasionally need their toner cartridges replaced. Faded or blank areas on the page are hints that the printer is running out of toner. Buy replacement cartridges before you need them. In a pinch, remove the cartridge from the printer and gently rock it to redistribute the remaining toner particles. You can often get another hundred pages out of a cartridge this way.
Streaks and spots probably mean you should clean your printer. Look on the printer to see if there is a "clean" cycle. If not or if the cleaning cycle doesn't help, read the manufacturer's cleaning instructions carefully, or pay to have the printer serviced.
Printer manufacturers hate the use of recycled and aftermarket cartridges, and they go to great lengths to try to prevent it. Many devices use "keyed" consumables whose identities are detected (electronically or physically) by the printer. Even if two printers look identical (such as the Xerox Phaser 6120 and the Konica-Minolta Magicolor 2450), it doesn't necessarily mean you can use the same cartridges in both.
Sometimes you can do surgery to convert one vendor's cartridges for another's printer, but it helps to know what you're doing. Usually, you just make a mess. If you spill toner, vacuum up as much of the material as possible and wipe up the remainder with cold water. Contrary to common belief, laser printer toner is not a health or environmental hazard, although as with all fine powders, it's best to avoid breathing the toner dust.
When you replace a cartridge, save the box and baggie the new cartridge came in to use when recycling the spent one. Then look at the phone book or the web to find a company to take the old cartridge off your hands.
Keyed consumables have spurred the growth of companies ("punch and pours") that refill old cartridges for a fraction of the new-cartridge price. Cartridge recyclers are usually also punch-and-pours, so you can recycle your old cartridges and get replacements at the same time.
Opinions on the quality and lifespan of recycled cartridges vary. One punch-and-pour we know won't refill color toner cartridges or sell remanufactured ones because they believe the savings are less than the increased maintenance costs for the printers that use them.
Pay attention to the cost per page
Printer manufacturers use what MBAs call "metering" to make the total cost of the product scale as linearly as possible with the amount of use the customer gets out of it. That's why toner and ink are extortionately expensive and fancy printer hardware is sometimes sold below its manufacturing cost.
As of this writing, one manufacturer is selling a color laser printer for $299. A full set of replacement cartridges for it costs $278. You can buy an inkjet printer for less than $50 at Wal-Mart, but it won't be long before you need to buy a set of replacement ink cartridges that cost more than the printer.
You can feign outrage over this, but printer companies have to make their money on something. Cheaper cartridges would just mean pricier printers. A good rule of thumb is that inkjet printers are cheap as long as you don't print with them; laser printers have a higher initial cost, but the consumables are cheaper and last longer.
A full-color page from an inkjet printer can cost 20-50 times as much as an analogous print from a laser printer. It also requires special paper and prints more slowly. Inkjet cartridges empty quickly and frequently plug up or go bad. The ink runs when wet, so don't use an inkjet to print out a recipe book for use in the kitchen. On the other hand, you can now get photo prints from an inkjet that look just as good as prints from a photo lab. Color laser photos? Not so nice.
All printers have failure-prone mechanical parts. Cheap printers break faster.
In other words, it's all tradeoffs. For low-volume, personal use (printing a web page or two a day or printing a couple of rolls of film a month), a low-cost, general-purpose inkjet is an excellent choice.
Next time you go printer shopping, estimate how long you want to keep your printer, how much printing you do, and what kind of printing you need before you buy. Assess quantitatively the long-term cost per page for each candidate printer. And ask your local punch-and-pour whether they remanufacture cartridges for the printer, and at what price.
Consider printer accounting
At medium-to-large installations, consider using printer accounting even if you don't plan to charge for printer use. The per-job overhead is unimportant, and you get to see who is using the printer. Demographic information about the sources of print jobs is valuable when you are planning deployment of new printers.
Several printer accounting packages (such as accsnmp and PyKota) have been developed for CUPS. ESP provides a central, searchable list of links to these and other CUPS-related products at www.easysw.com/~mike/cups/links.php
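Even without an accounting package, the page log already answers the two questions raised here and under "Use previewers": who is printing how much, and who keeps printing the same document. The following Python script is an added example, not code from the book or from CUPS. It assumes the page_log field order that newer cupsd versions write by default (printer, user, job id, bracketed timestamp, page number, copies, billing, originating host, quoted job name, media, sides); older servers write fewer fields, so check the PageLogFormat setting in your own cupsd.conf before pointing it at a real log. The sample lines are constructed.

```python
"""Mine a CUPS page_log for per-user page counts and repeatedly printed documents."""
import re
from collections import Counter, defaultdict

# Constructed sample lines, not a real capture. Field order assumed here:
# printer user job-id [timestamp] page copies billing host "job-name" media sides
SAMPLE_PAGE_LOG = """\
Phaser_6120 jsh 24 [26/Jul/2006:18:59:08 -0600] 1 1 - localhost "resume.pdf" Letter one-sided
Phaser_6120 jsh 24 [26/Jul/2006:18:59:08 -0600] 2 1 - localhost "resume.pdf" Letter one-sided
Phaser_6120 jsh 26 [26/Jul/2006:19:03:41 -0600] 1 1 - localhost "resume.pdf" Letter one-sided
Phaser_6120 jsh 26 [26/Jul/2006:19:03:41 -0600] 2 1 - localhost "resume.pdf" Letter one-sided
Phaser_6120 jsh 27 [26/Jul/2006:19:10:02 -0600] 1 1 - localhost "resume.pdf" Letter one-sided
Phaser_6120 jsh 27 [26/Jul/2006:19:10:02 -0600] 2 1 - localhost "resume.pdf" Letter one-sided
lj4600 evi 25 [26/Jul/2006:18:59:09 -0600] 1 3 acct42 deer "report.ps" A4 two-sided-long-edge
"""

PAGE_RE = re.compile(
    r'^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+) '
    r'"(?P<name>[^"]*)" (?P<media>\S+) (?P<sides>\S+)$')


def parse_page_log(text):
    """One record per page_log line; numeric fields converted to int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PAGE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected page_log line: {line!r}")
        rec = m.groupdict()
        for key in ('job', 'page', 'copies'):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def pages_by_user(records):
    """Sheets actually produced per user: each line is one page times its copies."""
    totals = Counter()
    for rec in records:
        totals[rec['user']] += rec['copies']
    return dict(totals)


def repeated_documents(records, min_jobs=3):
    """(user, job name, distinct job count) for documents one user submitted at
    least min_jobs separate times; a pointer to someone not using a previewer."""
    jobs = defaultdict(set)
    for rec in records:
        jobs[(rec['user'], rec['name'])].add(rec['job'])
    return sorted((user, name, len(ids))
                  for (user, name), ids in jobs.items() if len(ids) >= min_jobs)


if __name__ == '__main__':
    recs = parse_page_log(SAMPLE_PAGE_LOG)
    print("pages per user:", pages_by_user(recs))
    print("reprinted documents:", repeated_documents(recs))
```

Counting distinct job ids rather than lines is what makes repeated_documents useful: a ten-page document printed once produces ten lines but only one job, whereas the same two-page resume submitted three times is the pattern the text is talking about.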
Secure your printers
Network printers typically support remote management. You can configure and monitor them over the net through IPP or SNMP, or from a web browser using HTTP. Through the remote interface, you can set parameters such as the printer's IP address, default gateway, syslog server, SNMP community name, protocol options, and administrative password.
By default, most remotely administrable printers are unprotected and must have a password (or perhaps an SNMP "community name") assigned as part of the installation process. The installation manuals from your printer manufacturer should explain how to do this on any particular printer, but GUI administration tools in CUPS and KDE Print Manager are increasingly able to hide vendor variations from you. Expect this trend to continue.
23.8 PRINTING UNDER KDE
We've mentioned KDE in passing several times in this chapter.³ The KDE printing facilities are really pretty nice, however, and they deserve a bit more exposition.
KDE has put a lot of effort into making its printing tools and interfaces independent of the underlying printing system. It was built after CUPS became popular, so it can handle all of CUPS's features. It works, however, with everything from LPRng to a generic external program.
GNOME's printing facilities have lagged KDE's, but the GNOME developers want users to have a good printing experience, too. Development is proceeding rapidly; by the time you read this, GNOME's printing features may rival KDE's. One reader of an early draft of this chapter noted the irony that CUPS replaced "warring print standards that had no reason to live but refused to die," only to pave the way for competition between suites of desktop printing utilities.
KDEPrint is the overarching framework for printing under KDE. KDEPrint provides tools for adding printers, administering print jobs, restarting print servers, and so on. Yes, CUPS lets you do all this too; the KDEPrint tools are there for two reasons. First, they have a KDE look and feel, which offers consistency for KDE users. For example, the kghostview tool wraps Ghostview in a more KDE-appropriate skin. (You've probably noticed that even KDE utility names have a distinctive look and feel. Someone recently asked us if ksh was a KDE application.)
Second, KDEPrint is spooler-independent. If for some reason you don't run CUPS (or worse, you have to switch back and forth between print systems), you can still use KDEPrint to manage your printing. Be forewarned that CUPS is more capable than other printing systems, so if you have to downshift to an alternative printing system, some of KDEPrint's functionality may disappear.
Why should you worry about all these GUI interfaces if you do your printing work in the shell? Well, your users probably won't be using the shell interface, so you may end up having to know something about the KDE interface just to support them.
Here are the major components of KDEPrint that you should know about:
• kprinter, a GUI tool that submits print jobs
• The Add Printer wizard, which autodetects network printers (JetDirect, IPP, and SMB) and some locally connected printers. The Add Printer wizard also lets you add and configure printers that it doesn't autodetect.
• The Print Job Viewer, which moves and cancels print jobs and shows print job status information
• The KDEPrint Handbook, which documents the system. It's available through the KDE Help Center but can be annoyingly hard to find. An easier route is to invoke something like kprinter and click on Help. Another alternative is to run konqueror help:/kdeprint. Another source of KDEPrint documentation is printing.kde.org.
• The Print Manager, which is the main GUI management tool for the printing system. It, too, can be a bit hard to find. You can poke around in your main desktop menu, although the location in the menu tree varies from distribution to distribution. Another option is to run kcmshell printmgr or konqueror print:/manager.
3. KDE is a set of libraries and user interface standards for graphical interfaces running under the X Window System, the technology on which all Linux GUIs are based. It's an alternative to the GNOME system, which is most distributions' default. Despite appearances, it is not really necessary to choose between KDE and GNOME. For a more general description of GNOME and KDE, see page 757.
The Add Printer wizard and the Print Job Manager are accessible through either kprinter or the KDE Print Manager. (Not to mention the URIs print:/manager and print:/printers in Konqueror.)
Per-user information for KDEPrint is stored under ~/.kde. The files are human-readable but designed to be changed through the Print Manager. Tinker with them at your peril.
kprinter: printing documents
kprinter is a GUI replacement for lpr. It can be used from the command line in similar ways. You can even suppress the GUI:
$ kprinter --nodialog -#5 -P lj4600 riley.ps gillian.pdf zoe.prn
is equivalent to
$ lpr -#5 -P lj4600 riley.ps gillian.pdf zoe.prn
Your users probably want a GUI. Show them how to drag files from a file manager or desktop into the kprinter dialog, then print the entire batch. Replace lpr with kprinter in their browser's print dialog, and they'll have a GUI print dialog. Teach them to click on their "Keep this dialog open after printing" check box, and they won't even have the delay of restarting the program every time they want to print.
Note the "Print system currently in use" menu, evidence of KDEPrint's system neutrality. Note also that kprinter offers print-to-PDF and print-to-fax functions even without an actual printer. The advanced options are also worth a look; you can queue your resume for printing and specify that it be printed after your boss goes home.
Konqueror and printing
Many web browsers recognize a set of special-purpose URIs that act as gateways to idiosyncratic functionality. You've probably at least tried about:config and about:mozilla in Firefox. Similarly, the print: family of URIs is Konqueror's gateway to KDEPrint.
The print:/ URI shows you all the possibilities. print:/jobs monitors print jobs, and print:/manager starts the Print Manager inside of Konqueror.
Note that you're not dealing with CUPS here, at least not directly. This is all part of the KDEPrint layer.
23.9 RECOMMENDED READING
Sweet, Michael. CUPS: Common UNIX Printing System. Indianapolis, Indiana: Sams Publishing, 2001. This is the CUPS bible, right from the horse's mouth.
We've mentioned linuxprinting.org several times in this chapter. It's a vast collection of Linux printing resources and a good place to start when answering questions. This site also has a nice CUPS tutorial that includes a troubleshooting section.
Wikipedia and SUSE both supply good CUPS overviews:
en.opensuse.org/SDB:CUPS_in_a_Nutshell
en.wikipedia.org/wiki/Common_Unix_Printing_System
You can find a collection of CUPS-related newsgroups at cups.org/newsgroups.php. This is a good place to ask questions, but do your homework first and ask politely.
KDE includes man pages for the KDEPrint commands and the KDEPrint Handbook. You can find additional information at printing.kde.org. All of these sources contain useful references to other documentation. (Even if you don't have KDE, the KDE documentation contains good, general information about CUPS.)
23.10 EXERCISES
E23.1 Using a web browser, visit a CUPS server on your network. What prevents you from making administrative changes to that server's printers?
E23.2 Find someone who isn't computer literate (an art student, your mother, or perhaps a Microsoft Certified Professional) and teach that person how to print a PDF document on a Linux system. Did your subject find any of the steps confusing? How could you make the process easier for other users?
E23.3 Visit a real or virtual big-box store such as Sam's Club or Amazon.com and list the printers you can buy for under $200. If you had to purchase one of these printers for your organization tomorrow, which one would it be and why? Justify your analysis with data from the linuxprinting.org database.
E23.4 You have been asked to design the system software for a Linux-based laser printer aimed at the corporate workgroup market. What Linux distribution will you start with? What additional software will you include, and what software will you have to write? How will you accommodate Windows and Mac OS clients? (Hint: check out Linux distributions designed for "embedded systems.")
24 Maintenance and Environment
With the influx of desktop workstations and the move away from big-iron computing, it once appeared that the days of the central machine room (aka "data center") might be numbered. Never fear! Over the last decade, those desktop systems have become increasingly dependent on a nucleus of central servers running operating systems such as Linux. As a result, herds of servers can now be found roaming those once-abandoned machine rooms.
It's as important as ever to ensure a healthy, well-maintained environment for these servers. In fact, the power and air conditioning requirements of a rack of the latest 1U servers¹ often meet or exceed the demands of the mainframes they replace.
This chapter offers some hints on handling and maintaining hardware, as well as on giving it a good home.
24.1 HARDWARE MAINTENANCE BASICS
Hardware maintenance was traditionally covered by an expensive annual maintenance contract. Although such contracts are still readily available, today it is more common and cost effective to use the "fly by the seat of your pants" approach.
See page 92 for more information about retiring hardware.
If you keep a log book, a quick glance at the records for the last six to twelve months will give you an idea of your failure rates. It's a good idea to keep a careful record of failures and replacements so that you can accurately evaluate the different maintenance options available to you. Some parts fail more often than anticipated by the manufacturer, so contracts are sometimes not only convenient but also financially advantageous. But remember, there comes a time when all hardware should be replaced, not maintained. Know your hardware and let it go gracefully when its time has finally come. You might even consider donating outdated equipment to your local university or school. For them, equipment is rarely too old to be useful.
1. One "U" is 1.75 vertical inches and is the standard unit of measurement for rack space.
When planning your maintenance strategy, consider which components are most likely to suffer from premature aging. Devices that include moving parts tend to be far less reliable than solid-state devices such as CPUs and memory. Here are some common candidates for the old folks farm:
• Tape drives
• Tape autoloaders and changers
• Hard disk drives
• Fans
• Keyboards
• Mice
• CRT monitors
24.2 MAINTENANCE CONTRACTS
Several major companies offer hardware maintenance on computer equipment that they do not sell. These vendors are often anxious to displace the original manufacturer and get their foot in the door, so to speak. You can sometimes negotiate attractive maintenance contracts by playing a manufacturer against a third-party provider. If possible, get references on all potential maintenance vendors, preferably from people you know and trust.
On-site maintenance
If you have an on-site maintenance contract, a service technician will bring spare parts directly to your machine. Guaranteed response time varies between 4 and 24 hours; it's usually spelled out in the contract. Response times during business hours may be shorter than at other times of the week.
If you are considering a quick-response maintenance contract, it's usually worth calculating the cost of keeping a couple of complete backup systems around that you can swap in to replace malfunctioning computers. A whole-system swap usually achieves faster repair than even the most deluxe maintenance contract can, and with today's low hardware prices, the investment is often minimal.
Board swap maintenance
A board swap program requires you and your staff to diagnose problems, perhaps with the help of hotline personnel at the manufacturer's site. After diagnosis, you call a maintenance number, describe the problem, and order the necessary replacement board. It is usually shipped immediately and arrives the next day. You then install the board, get the hardware back up and happy, and return the old board in the same box in which the new board arrived.
The manufacturer will usually want to assign a "return merchandise authorization" (RMA) number to the transaction. Be sure to write that number on the shipping documents when you return the bad board.
Warranties
The length of the manufacturer's warranty should play a significant role in your computation of a machine's lifetime cost of ownership. In most cases, the best maintenance scheme is probably the "selective warranty" strategy. Disk drive manufacturers offer warranties up to five years long, and some memory modules even come with a lifetime guarantee. A year's warranty is standard for computers, but warranties of several years or more are not uncommon. When purchasing new equipment, shop around for the best warranty; it will save you money in the long run.
In many organizations, it seems to be easier to get funding for capital equipment than for support personnel or maintenance. We have occasionally paid for an "extended warranty" option on new hardware (which could also be described as prepaid maintenance) to convert equipment dollars to maintenance dollars.
With many pieces of hardware, the biggest maintenance and reliability problems occur soon after installation. Hardware failures that occur within a day or two of deployment are referred to as "infant mortality."
24.3 LC1kUNICS-hAN0LIN6 LUk
Ciicuit boaids and othei electionic devices should be handled gently, not diopped,
not have coffee spilled on them, not have books piled on them, etc. Most customei
engineeis (those fiiendly iepaii people that come with youi maintenance contiact)
aie ten times ioughei on equipment than seems ieasonable.
Stat|c e|ectr|c|ty
Electionic paits aie sensitive to static electiicity. To handle components safely, you
must giound youiself befoie and duiing installation. A giound stiap woin on the
wiist and attached to "eaith giound" (usually available as the thiid piong of youi
powei outlet) piotects you appiopiiately.
Remembei that you need to woiiy about static when you fiist open the package con-
taining an electionic component and any time the component is handled-not just
when you finally install it. Be especially caieful if the office wheie you ieceive youi
mail (and wheie you might be tempted to open youi packages) is caipeted; caipet
geneiates moie static electiicity than does a haid flooi.
One way to reduce static on carpeted floors is to purchase a spray bottle at your local Wal-Mart and fill it with one part Downy fabric softener to 30 parts water. Spray this on the carpet (but not on computing equipment) once every month to keep static levels low. This procedure also leaves your office area with that all-important April-fresh scent.
794 Chapter 24 - Maintenance and Environment
Reseating boards
You can occasionally fix a hardware problem by simply powering down the equipment, cleaning the contacts on the edge connectors of the interface cards (SCSI, Ethernet, etc.), reseating the cards, and powering the system back up. If this works temporarily but the same problem comes back a week or a month later, the electrical contact between the card and the motherboard is probably poor.
You can clean contacts with a special cleaning solution and cleaning kit or with an ordinary pencil eraser. Don't use an eraser that is old and hard. If your eraser doesn't work well erasing pencil marks from paper, it won't work well on electrical contacts either. Try to keep your fingers off the contacts. Just "erase" them with the pencil eraser (a mild abrasive), brush off the eraser droppings, and reinstall the card.
24.4 MONITORS
Over the last few years, we've been fortunate to see the prices of LCD monitors decline to a level at which they can be widely deployed. Although the initial cost of LCDs is slightly higher than that of CRTs, these devices require less power, less maintenance, and typically cause less eye strain than their CRT-based predecessors. If you still have CRT monitors in your organization, a good maintenance plan is to simply replace them with LCD monitors.
If you are still forced to maintain CRT monitors, be aware that many of them have brightness and convergence adjustments that are accessible only from the circuit board. Unfortunately, CRT monitors often use internal charges of tens of thousands of volts that can persist long after the power has been disconnected. Because of the risk of electric shock, we recommend that you always have your monitors adjusted by a qualified technician. Do not attempt the job yourself.
24.5 MEMORY MODULES
Today's hardware accepts memory in the form of SIMMs (Single Inline Memory Modules), DIMMs (Dual Inline Memory Modules), or RIMMs (Rambus Inline Memory Modules) rather than individual chips. These modules range in size from 32MB to 4GB, all on one little stick.
If you need to add memory to a workstation or server, you can usually order it from a third-party vendor and install it yourself. Be cautious of buying memory from computer vendors; their prices are often quite imaginative.[2] When adding memory, think big. The price of memory is continually decreasing, but so is the standard allotment of expansion slots on a typical motherboard.
[2] It's a different story if the memory is part of a package deal; some of these deals are pretty good.
It's worth double-checking your system documentation before ordering memory to make sure you have a clear idea of the types of memory modules that your systems will accept. You can often increase performance by installing memory that supports a higher bus rate or special features such as DDR (Double Data Rate). Make sure that you know how many memory slots each system has available and whether there are any restrictions on the addition of new modules. Some systems require modules to be added in pairs; others do not strictly require this but can yield higher performance when modules are paired.
Make sure that you understand how old and new memory modules will interact with each other. In most cases, only the features or speeds common to all modules can actually be used. It may sometimes be worthwhile to remove a system's original memory when upgrading.
If you install your own memory, keep in mind that memory is more sensitive than anything else to static electricity. Make sure you're well grounded before opening a baggie full of memory.
Memory modules are frequently a candidate for the pencil eraser cleaning technology described earlier in this chapter.
24.6 PREVENTIVE MAINTENANCE
It may sound primitive (and some of us thought we'd outgrow this affliction), but many pieces of hardware have air filters that must be regularly cleaned or changed. Clogged filters impede the flow of air and may result in overheating, a major cause of equipment failure. It's important to keep the air vents on all equipment open and unobstructed, but pay special attention to those servers that have been densely packed into small 1U or 2U enclosures. These systems depend on their ventilation to cool themselves. Without it, a core meltdown is assured.
Anything with moving parts may need regular lubrication, cleaning, and belt maintenance. Listen for squeaks from your older equipment and pamper it accordingly.
On server systems, the part that most frequently fails is the fan and power supply module-especially on PCs, where it is often a single field-replaceable unit (FRU). Periodically check your servers to make sure their main fans are spinning fast and strong. If not, you must usually replace the entire power supply assembly. Otherwise, you run the risk of overheating your equipment. Do not try to lubricate the fan itself; this procedure might postpone the inevitable breakdown, but it could also accelerate the problem or cause damage to other components.
Many PC cases provide a convenient mounting location for a second fan (and electrical connections to power it). If noise is not a consideration, it's always advisable to install the second fan.[3] In addition to lowering the operating temperature of the components, the extra fan acts as a backup if the primary fan fails. Extra fans are cheap; keep a couple around as spares.
[3] Or learn about the latest in superquiet fans at www.silentpcreview.com.
A computer in a dusty environment will burn out components much more frequently than one whose environment is relatively clean. Dust clogs filters, dries out lubrication, jams moving parts (fans), and coats components with a layer of dusty "insulation" that reduces their ability to dissipate heat. All of these effects tend to increase operating temperatures. You may need to give your systems' innards an occasional housecleaning in bad environments. (Any environment that features carpeting is likely to be bad.)
Vacuuming is the best way to remove dust, but be sure to keep the motor at least five feet from system components and disks to minimize magnetic field interference. Your machine room should be vacuumed regularly, but make sure this task is performed by people who have been trained to respect proper distances and not harm equipment (office janitorial staff are usually not acceptable candidates for this task).
Tape drives usually require regular cleaning as well. You clean most drives by inserting a special cleaning cassette.
24.7 ENVIRONMENT
Just like humans, computers work better and longer if they're happy in their environment. Although they don't care much about having a window with a view, they do want you to pay attention to other aspects of their home.
Temperature
The ideal operating temperature for computer equipment is 64 to 68°F (17 to 20°C), with about 45% humidity. Unfortunately, this temperature does not coincide with the ideal operating temperature of a computer user. Ambient temperatures above 80°F (27°C) in the computer room imply about 120°F (49°C) inside machines. Commercial-grade chips have an operational range up to about 120°F, at which point they stop working; beyond about 160°F (71°C), they break. Inlet temperatures are critical; one machine's hot exhaust should never flow toward another machine's air intake.
Humidity
The ideal humidity for most computer hardware is in the range of 40% to 55%. If the humidity is too low, static electricity becomes a problem. If it is too high, condensation can form on the boards, causing shorting and oxidation.
Office cooling
These days, many computers live in people's offices and must survive on building air conditioning (often turned off at night and on weekends) and must overcome a healthy dose of papers and books resting on cooling vents. When you put a computer in an office, keep in mind that it will steal air conditioning that is intended for humans. If you are in a role in which you can influence cooling capacity, a good rule of thumb is that each human in the room produces 300 BTUH worth of heat, whereas your average office PC produces about 1,100 BTUH. Don't let the engineers forget to add in solar load for any windows that receive direct sunlight.
Machine room cooling
If you are "lucky" enough to be moving your servers into one of those fancy raised-floor machine rooms built in the 1980s that has enough capacity to cool all of your equipment and the state of Oklahoma, your biggest concern will likely be to find some remedial education in primitive cooling system maintenance. For the rest of us, correctly sizing the cooling system is what makes the difference in the long term. A well-cooled machine room is a happy machine room.
We have found that it's a good idea to double-check the cooling load estimated by the HVAC folks, especially when you're installing a system for a machine room. You'll definitely need an HVAC engineer to help you with calculations for the cooling load that your roof, walls, and windows (don't forget solar load) contribute to your environment. HVAC engineers usually have a lot of experience with those components and should be able to give you an accurate estimate. The part you need to check up on is the internal heat load for your machine room.
You will need to determine the heat load contributed by the following components:
- Roof, walls, and windows (see your HVAC engineer for this estimate)
- Electronic gear
- Light fixtures
- Operators (people)
Electronic gear
You can estimate the heat load produced by your servers (and other electronic gear) by determining their power consumption. Direct measurement of power consumption is by far the best method to obtain this information. Your friendly neighborhood electrician can often help, or you can purchase an inexpensive meter to do it yourself.[4] Most equipment is labeled with its maximum power consumption in watts, but typical consumption tends to be significantly less than the maximum. You can convert power consumption to the standard heat unit, BTUH, by multiplying by 3.412 BTUH/watt. For example, if you wanted to build a machine room that would house 25 servers rated at 450 watts each, the calculation would be
25 servers × 450 watts/server × 3.412 BTUH/watt = 38,385 BTUH
[4] The KILL A WATT meter made by P3 is a popular choice at around $30.
Light fixtures
As with electronic gear, you can estimate light fixture heat load based on power consumption. Typical office light fixtures contain four 40-watt fluorescent tubes. If your new machine room had six of these fixtures, the calculation would be
6 fixtures × 160 watts/fixture × 3.412 BTUH/watt = 3,276 BTUH
Operators
At one time or another, humans will need to enter the machine room to service something. Allow 300 BTUH for each occupant. To allow for four humans in the machine room at the same time:
Total heat load
Once you have calculated the heat load for each component, add them up to determine your total heat load. For our example, we assume that our HVAC engineer estimated the load from the roof, walls, and windows to be 20,000 BTUH.
Cooling system capacity is typically expressed in tons. You can convert BTUH to tons by dividing by 12,000 BTUH/ton. You should also allow at least a 50% slop factor to account for errors and future growth.
See how your estimate matches up with the one from your HVAC folks.
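The cooling-load procedure above, carried through as an added Python example (not code from the book); the component counts and wattages are the chapter's own worked example, and the 3.412 BTUH/watt, 300 BTUH/person, 12,000 BTUH/ton and 1.5 slop figures are the ones the text gives.

```python
# Added example: machine-room cooling load estimate following the BTUH
# method described in the text. Not code from the book; the values used
# in main() are the chapter's worked example (25 servers at 450 W, six
# fixtures at 160 W, four operators, 20,000 BTUH external load).

BTUH_PER_WATT = 3.412     # conversion factor given in the text
BTUH_PER_HUMAN = 300      # heat allowance per occupant
BTUH_PER_TON = 12_000     # one ton of cooling capacity
SLOP_FACTOR = 1.5         # at least 50% margin for errors and future growth


def electrical_load_btuh(count: int, watts_each: float) -> int:
    """Heat load of `count` devices drawing `watts_each` watts, in BTUH.

    Rounded to the nearest BTUH, as the worked example does.
    """
    return round(count * watts_each * BTUH_PER_WATT)


def operator_load_btuh(people: int) -> int:
    """Heat load of `people` occupants in the room, in BTUH."""
    return people * BTUH_PER_HUMAN


def total_load_btuh(external_btuh: int, servers: int, watts_per_server: float,
                    fixtures: int, watts_per_fixture: float, people: int) -> dict:
    """Sum the four components: external (from HVAC), gear, lights, operators."""
    gear = electrical_load_btuh(servers, watts_per_server)
    lights = electrical_load_btuh(fixtures, watts_per_fixture)
    operators = operator_load_btuh(people)
    return {
        "external": external_btuh,
        "gear": gear,
        "lights": lights,
        "operators": operators,
        "total": external_btuh + gear + lights + operators,
    }


def tons_required(total_btuh: int, slop: float = SLOP_FACTOR) -> float:
    """Convert BTUH to tons of cooling, with the slop factor applied."""
    return round(total_btuh * slop / BTUH_PER_TON, 2)


if __name__ == "__main__":
    load = total_load_btuh(20_000, 25, 450, 6, 160, 4)
    for name, value in load.items():
        print(f"{name:>9}: {value:>7,} BTUH")
    print(f"cooling required: {tons_required(load['total'])} tons")
```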
Operators: 4 humans × 300 BTUH/human = 1,200 BTUH
Total heat load for the example:
  20,000 BTUH for roof, walls, and windows
  38,385 BTUH for servers and other electronic gear
   3,276 BTUH for light fixtures
   1,200 BTUH for operators
  62,861 BTUH total
62,861 BTUH × 1.5 × 1 ton/12,000 BTUH = 7.86 tons of cooling required
Temperature monitoring
If you are supporting a mission-critical computing environment, it's a good idea to monitor the temperature (and other environmental factors, such as noise and power) in the machine room even when you are not there. It can be very disappointing to arrive on Monday morning and find a pool of melted plastic on your machine room floor. Fortunately, automated machine room monitors can watch the goods while you are away. We use and recommend the Phonetics Sensaphone product family. These inexpensive boxes monitor environmental variables such as temperature, noise, and power, and they telephone you (or your pager) when a problem is detected. You can reach Phonetics in Aston, PA at (610) 558-2700 or visit them on the web at www.sensaphone.com.
24.8 POWER
Computer hardware would like to see nice, stable, clean power. In a machine room, this means a power conditioner, an expensive box that filters out spikes and can be adjusted to produce the correct voltage levels and phases. In offices, surge protectors placed between machines and the wall help insulate hardware from power spikes.
Servers and network infrastructure equipment should be placed on an Uninterruptible Power Supply (UPS). Good UPSes have an RS-232, Ethernet, or USB interface that can be attached to the machine to which they supply power. This connection enables the UPS to warn the computer that the power has failed and that it should shut itself down cleanly before the batteries run out. (See page 40 for more information about shutdown procedures.)
One study has estimated that 13% of the electrical power consumed in the United States is used to run computers. Traditionally, UNIX boxes were based on hardware and software that expected the power to be on 24 hours a day. These days, only servers and network devices really need to be up all the time. Desktop machines can be powered down at night if there is an easy way for users to turn them off (and if you trust your users to do it correctly).
You may occasionally find yourself in a situation in which you have to regularly power-cycle a server because of a kernel or hardware glitch. Or, perhaps you have non-Linux servers in your machine room that are more prone to this type of problem. In either case, you may want to consider installing a system that will allow you to power-cycle problem servers by remote control.
A reasonable solution is manufactured by American Power Conversion (APC). Their MasterSwitch product is similar to a power strip, except that it can be controlled by a web browser through its built-in Ethernet port. You can reach APC at (401) 789-0204 or on the web at www.apcc.com.
24.9 RACKS
The days of the raised-floor machine room-in which power, cooling, network connections, and phone lines are all hidden underneath the floor-are over. Have you ever tried to trace a cable that runs under the floor of one of these labyrinths? Our experience is that while it looks nice through glass, a "classic" raised-floor room is a hidden rat's nest. Today, you should use a raised floor to hide electrical power feeds, distribute cooled air, and nothing else.
If your goal is to operate your computing equipment in a professional manner, a dedicated machine room for server-class machines is essential. A server room not only provides a cozy, temperature-controlled environment for your machines but also addresses their physical security needs.
In a dedicated machine room, storing equipment in racks (as opposed to, say, setting it on tables or on the floor) is the only maintainable, professional choice. The best storage schemes use racks that are interconnected with an overhead track system for routing cables. This approach confers that irresistible high-tech feel without sacrificing organization or maintainability.
The best overhead track system is manufactured by Chatsworth Products (Chatsworth, CA, (818) 882-8595). Using standard 19" single-rail telco racks, you can construct homes for both shelf-mounted and rack-mounted servers. Two back-to-back 19" telco racks make a high-tech-looking "traditional" rack (for cases in which you need to attach rack hardware both in front of and in back of equipment). Chatsworth provides the racks, cable races, and cable management doodads, as well as all the hardware necessary to mount them in your building. Since the cables lie in visible tracks, they are easy to trace, and you will naturally be motivated to keep them tidy.
24.10 DATA CENTER STANDARDS
Server rooms have become so pervasive that a number of groups have produced standards for setting them up. These standards typically specify attributes such as the diversity of external network connectivity, the available cooling and power (along with backup plans for these resources), and the annual facility maintenance downtime. The Uptime Institute publishes one set of these standards; their categories are summarized in Table 24.1.
In addition to providing an in-depth description of each of these tiers and describing how to achieve them, the Uptime Institute provides statistical and best-practice information on a variety of topics relevant to the infrastructure of fault-tolerant data centers. You can visit them on the web at www.upsite.com.
24.11 TOOLS
A well-outfitted system administrator is an effective system administrator. Having a dedicated tool box is an important key to minimizing downtime in an emergency. Table 24.2 lists some items to keep in your tool box, or at least within easy reach.
24.12 RECOMMENDED READING
The following sources present additional information about data center standards.
Telecommunications Infrastructure Standard for Data Centers. ANSI/TIA/EIA 942.
ASHRAE INC. ASHRAE Thermal Guidelines for Data Processing Environments. Atlanta, GA: ASHRAE, Inc., 2004.
EUBANK, HUSTON, JOEL SWISHER, CAMERON BURNS, JEN SEAL, AND BEN EMERSON. Design Recommendations for High Performance Data Centers. Snowmass, CO: Rocky Mountain Institute, 2003.
Table 24.1 Uptime Institute server standards
Tier  Uptime   Power/cooling         Redundancy
I     99.671%  Single path           No redundant components
II    99.741%  Single path           Some component redundancy
III   99.982%  Multipath, 1 active   Redundant components, concurrent maintenance
IV    99.995%  Multipath, >1 active  Redundant components, fully fault tolerant
