SUSE LINUX ® ®

Advanced Administration

Novell Training Services w w w. n o v e l l . c o m

COURSE 303 8
A U T HORIZE D C OU RS E WARE

100-004991-001
Version 1
Proprietary Statement
Copyright © 2004 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored
on a retrieval system, or transmitted without the express prior
consent of the publisher. This manual, and any portion thereof, may
not be copied without the express written permission of Novell, Inc.
Novell, Inc.
1800 South Novell Place
Provo, UT 84606-2399
Disclaimer
Novell, Inc. makes no representations or warranties with respect to
the contents or use of this manual, and specifically disclaims any
express or implied warranties of merchantability or fitness for any
particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and
to make changes in its content at any time, without obligation to
notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with
respect to any NetWare software, and specifically disclaims any
express or implied warranties of merchantability or fitness for any
particular purpose.
Further, Novell, Inc. reserves the right to make changes to any and
all parts of NetWare software at any time, without obligation to
notify any person or entity of such changes.
This Novell Training Manual is published solely to instruct students
in the use of Novell networking software. Although third-party
application software packages are used in Novell training courses,
this is for demonstration purposes only and shall not constitute an
endorsement of any of these software applications.
Further, Novell, Inc. does not represent itself as having any
particular expertise in these application software packages and any
use by students of the same shall be done at the students’ own risk.
Software Piracy
Throughout the world, unauthorized duplication of software is
subject to both criminal and civil penalties.
If you know of illegal copying of software, contact your local
Software Antipiracy Hotline.
For the Hotline number for your area, access Novell’s World Wide
Web page at http://www.novell.com and look for the piracy page
under “Programs.”
Or, contact Novell’s anti-piracy headquarters in the U.S. at 800-
PIRATES (747-2837) or 801-861-7101.
Trademarks
Novell, Inc. has attempted to supply trademark information about
company names, products, and services mentioned in this manual.
The following list of trademarks was derived from various sources.
Novell, Inc. Trademarks
Novell, the Novell logo, NetWare, BorderManager, ConsoleOne,
DirXML, GroupWise, iChain, ManageWise, NDPS, NDS, NetMail,
Novell Directory Services, Novell iFolder, Novell SecretStore,
Ximian, Ximian Evolution and ZENworks are registered
trademarks; CDE, Certified Directory Engineer and CNE are
registered service marks; eDirectory, Evolution, exteNd, exteNd
Composer, exteNd Directory, exteNd Workbench, Mono, NIMS,
NLM, NMAS, Novell Certificate Server, Novell Client, Novell
Cluster Services, Novell Distributed Print Services, Novell Internet
Messaging System, Novell Storage Services, Nsure, Nsure
Resources, Nterprise, Nterprise Branch Office, Red Carpet and Red
Carpet Enterprise are trademarks; and Certified Novell
Administrator, CNA, Certified Novell Engineer, Certified Novell
Instructor, CNI, Master CNE, Master CNI, MCNE, MCNI, Novell
Education Academic Partner, NEAP, Ngage, Novell Online
Training Provider, NOTP and Novell Technical Services are service
marks of Novell, Inc. in the United States and other countries. SUSE
is a registered trademark of SUSE LINUX AG, a Novell company.
For more information on Novell trademarks, please visit
http://www.novell.com/company/legal/trademarks/tmlist.html.
Other Trademarks
Adaptec is a registered trademark of Adaptec, Inc. AMD is a
trademark of Advanced Micro Devices. AppleShare and AppleTalk
are registered trademarks of Apple Computer, Inc. ARCserv is a
registered trademark of Cheyenne Software, Inc. Btrieve is a
registered trademark of Pervasive Software, Inc. EtherTalk is a
registered trademark of Apple Computer, Inc. Java is a trademark or
registered trademark of Sun Microsystems, Inc. in the United States
and other countries. Linux is a registered trademark of Linus
Torvalds. LocalTalk is a registered trademark of Apple Computer,
Inc. Lotus Notes is a registered trademark of Lotus Development
Corporation. Macintosh is a registered trademark of Apple
Computer, Inc. Netscape Communicator is a trademark of Netscape
Communications Corporation. Netscape Navigator is a registered
trademark of Netscape Communications Corporation. Pentium is a
registered trademark of Intel Corporation. Solaris is a registered
trademark of Sun Microsystems, Inc. The Norton AntiVirus is a
trademark of Symantec Corporation. TokenTalk is a registered
trademark of Apple Computer, Inc. Tru64 is a trademark of Digital
Equipment Corp. UnitedLinux is a registered trademark of
UnitedLinux. UNIX is a registered trademark of the Open Group.
WebSphere is a trademark of International Business Machines
Corporation. Windows and Windows NT are registered trademarks
of Microsoft Corporation. All other third-party trademarks are the
property of their respective owners.
 Contents

Introduction
Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
Certification and Prerequisites . . . . . . . . . . . . . . . . . . . . . . Intro-2
SLES 9 Support and Maintenance . . . . . . . . . . . . . . . . . . . Intro-4
SLES 9 Online Resources . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6
Exercise Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6

SECTION 1 Install SLES

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Objective 1 Perform the SLES 9 Base Installation . . . . . . . . . . . . . . . . . . . 1-3
Boot From the Installation Media . . . . . . . . . . . . . . . . . . . . . . 1-3
Select the System Language . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Select the Installation Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Understand and Change the Installation Proposal . . . . . . . . . . 1-9

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-1
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

Partition the Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

The Basics of Hard Drive Partitioning . . . . . . . . . . . . . . 1-11
The Basic Linux Partition Scheme . . . . . . . . . . . . . . . . . 1-12
Partitioning Schemes for Different Server Types . . . . . . 1-13
How to Change YaST’s Partitioning Proposal . . . . . . . . 1-14
How to Use the YaST Expert Partitioner . . . . . . . . . . . . 1-16
Create New Partitions . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Edit Existing Partitions . . . . . . . . . . . . . . . . . . . . . . . 1-22
Delete Existing Partitions . . . . . . . . . . . . . . . . . . . . . 1-22
Resize Existing Partitions . . . . . . . . . . . . . . . . . . . . . 1-22
Manage LVM Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Manage EVMS Volumes. . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Manage Soft RAID Setups . . . . . . . . . . . . . . . . . . . . . . . 1-33
Create Crypt File Partitions . . . . . . . . . . . . . . . . . . . . . . . 1-35
Perform Expert Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Select the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Configure the Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Start the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Objective 2 Configure the SLES 9 Installation . . . . . . . . . . . . . . . . . . . . . 1-43
Set the root Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Configure the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
Configure Network Interfaces . . . . . . . . . . . . . . . . . . . . . 1-46
Configure a Network Card Manually . . . . . . . . . . . . 1-47
Change an Existing Configuration . . . . . . . . . . . . . . 1-48
Test the Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Perform an Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Configure Network Services . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Manage Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Select the Authentication Method . . . . . . . . . . . . . . . . . . 1-51
Add Users to the Systems . . . . . . . . . . . . . . . . . . . . . . . . 1-52
Configure the Host as a NIS Client. . . . . . . . . . . . . . 1-53

TOC-2 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

Configure the System as LDAP Client . . . . . . . . . . . 1-54

Add Local Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
Configure Hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-58
Configure the Graphics Card. . . . . . . . . . . . . . . . . . . . . . 1-59
Change the Monitor Settings . . . . . . . . . . . . . . . . . . 1-60
Change the Color Depth and Resolution Settings. . . 1-62
Finalize the Installation Process. . . . . . . . . . . . . . . . . . . . . . . 1-64
Objective 3 Troubleshoot the Installation Process . . . . . . . . . . . . . . . . . . 1-65
Exercise 1-1: Install SLES 9 . . . . . . . . . . . . . . . . . . . . . 1-67
Part I: Boot From the Installation Media. . . . . . . . . . . . . 1-67
Part II: Start the Installation Proposal . . . . . . . . . . . . . . . 1-68
Part III: Configure the Partitions for Your Hard Drive . . 1-68
Part IV: Add Compiler and Development
Tools to the Software Selection. . . . . . . . . . . . . . . . . . . . 1-70
Part V: Start the Installation Process . . . . . . . . . . . . . . . . 1-70
Part VI: Set the root Password . . . . . . . . . . . . . . . . . . . . 1-71
Part VII: Set Up the Network . . . . . . . . . . . . . . . . . . . . . 1-71
Part VIII: Set Up Services and Users . . . . . . . . . . . . . . . 1-73
Part IX: Configure Hardware Devices . . . . . . . . . . . . . . 1-73
Part X: Configure NTP . . . . . . . . . . . . . . . . . . . . . . . . . . 1-75
Part XI: Update Your SLES 9 Server With YOU . . . . . . 1-75
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-77

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-3
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

SECTION 2 Configure the Network Manually

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Objective 1 Understand Linux Network Terms . . . . . . . . . . . . . . . . . . . . . 2-3
Objective 2 Set Up Network Devices With the ip Tool . . . . . . . . . . . . . . . 2-4
Display the Current Network Configuration . . . . . . . . . . . . . . 2-4
IP Address Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Display Device Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Display Device Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Change the Current Network Configuration . . . . . . . . . . . . . . 2-9
Assign an IP Address to a Device . . . . . . . . . . . . . . . . . . 2-10
Delete the IP Address from a Device . . . . . . . . . . . . . . . 2-10
Change Device Attributes . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Objective 3 Save Device Settings to a Configuration File . . . . . . . . . . . . 2-12
Configure a Device Statically . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Configure a Device Dynamically With DHCP . . . . . . . . . . . 2-14
Start and Stop Configured Devices . . . . . . . . . . . . . . . . . . . . 2-15
Objective 4 Set Up Routing With the ip Tool . . . . . . . . . . . . . . . . . . . . . . 2-16
View the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Add Routes to the Routing Table. . . . . . . . . . . . . . . . . . . . . . 2-17
Set a Route to the Locally Connected Network . . . . . . . 2-18
Set a Route to a Different Network . . . . . . . . . . . . . . . . . 2-18
Set a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Delete Routes from the Routing Table . . . . . . . . . . . . . . . . . 2-18
Objective 5 Save Routing Settings to a Configuration File . . . . . . . . . . . 2-19
Objective 6 Configure Host Name and Name Resolution. . . . . . . . . . . . . 2-20
Set the Host and Domain Name. . . . . . . . . . . . . . . . . . . . . . . 2-20
Configure Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . 2-20

TOC-4 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

Objective 7 Test the Network Connection With Command Line Tools . . 2-21
Use ping to Test Network Connections . . . . . . . . . . . . . . . . . 2-21
Use traceroute to Trace Network Packets . . . . . . . . . . . . . . . 2-23
Exercise 2-1: Configure the Network Manually . . . . . . . 2-25
Part I: Note the Current Network Configuration. . . . . . . 2-25
Part II: Delete the Current Network Setup with YaST . . 2-26
Part III: Configure the Network Manually . . . . . . . . . . . 2-27
Part IV: Save the Network Connection to
Interface and Hardware Configuration Files . . . . . . . . . . 2-27
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29

SECTION 3 Configure Network Services

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Objective 1 Configure a DNS Server Using BIND . . . . . . . . . . . . . . . . . . 3-3
Understand the Domain Name System . . . . . . . . . . . . . . . . . . 3-4
How Name Resolution Worked in the Early
Days of the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
The Internet Domain Concept . . . . . . . . . . . . . . . . . . . . . . 3-5
Understand How Name Servers Work . . . . . . . . . . . . . . . 3-6
Understand How to Query DNS . . . . . . . . . . . . . . . . . . . . 3-8
Install and Configure the BIND Server Software . . . . . . . . . 3-10
Configure a Caching-Only DNS server . . . . . . . . . . . . . . . . . 3-10
Configure a Master Server for Your Domain . . . . . . . . . . . . 3-13
Adapt the Main Server Configuration File . . . . . . . . . . . 3-13
Create the Zone Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Structure of the Files. . . . . . . . . . . . . . . . . . . . . . . . . 3-15
The File
/var/lib/named/master/digitalairlines.com.zone . . . . 3-17
The File /var/lib/named/master/10.0.0.zone . . . . . . . 3-19
The File /var/lib/named/master/localhost.zone. . . . . 3-21

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-5
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

The File /var/lib/named/master/127.0.0.zone . . . . . . 3-22

Create Additional Resource Records. . . . . . . . . . . . . . . . 3-22
Define Mail Servers for the Domain. . . . . . . . . . . . . 3-22
Assign Aliases for Computers . . . . . . . . . . . . . . . . . 3-23
Configure One or More Slave Servers. . . . . . . . . . . . . . . . . . 3-24
Configure the Client Computers to Use the DNS Server . . . 3-26
Use Command Line Tools to Query DNS Servers . . . . . . . . 3-28
host Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
dig Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Find More Information About DNS . . . . . . . . . . . . . . . . . . . 3-31
Exercise 3-1: Configure a DNS server . . . . . . . . . . . . . . 3-33
Part I: Install BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
Part II: Configure a DNS Master Server . . . . . . . . . . . . . 3-34
Part III: Configure the DNS Slave Server . . . . . . . . . . . . 3-39
Objective 2 Deploy OpenLDAP on a SLES 9 Server . . . . . . . . . . . . . . . . 3-41
The Concept of a Directory Service. . . . . . . . . . . . . . . . . . . . 3-41
The Basics of LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
How to Install and Set Up an OpenLDAP Server . . . . . . . . . 3-44
Install the Required Software and Start the Server . . . . . 3-45
Edit the OpenLDAP Configuration Files . . . . . . . . . . . . 3-45
How to Add Entries to the LDAP Server. . . . . . . . . . . . . . . . 3-47
How to Query Information from the LDAP Server . . . . . . . . 3-51
How to Delete and Modify Entries of the LDAP Server . . . . 3-52

TOC-6 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

How to Use Graphical LDAP Applications. . . . . . . . . . . . . . 3-54

Search the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Browse the Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Explore the Schema Definitions . . . . . . . . . . . . . . . . . . . 3-57
Exercise 3-2: Use the SLES 9 OpenLDAP server. . . . . . 3-58
Part I: Install GQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-58
Part II: Search the SLES 9 OpenLDAP server . . . . . . . . 3-58
Part III: Browse the SLES 9 OpenLDAP Server. . . . . . . 3-60
Part IV: Use an LDIF File to Add a User . . . . . . . . . . . . 3-61
Objective 3 Configure an Apache Web Server . . . . . . . . . . . . . . . . . . . . . 3-63
The Basic Functionality of a Web Server . . . . . . . . . . . . . . . 3-64
How to Install and Set Up a Basic Apache Web Server . . . . 3-64
Install the Required Software Packages . . . . . . . . . . . . . 3-65
Start and Test the Web Server . . . . . . . . . . . . . . . . . . . . . 3-65
Locate the DocumentRoot of the Web Server. . . . . . . . . 3-66
The Structure and the Basic Elements of the Apache
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67
Locate the Apache Configuration Files. . . . . . . . . . . . . . 3-67
Understand the Basic Rules of the Configuration Files . 3-68
The Basic Apache Configuration. . . . . . . . . . . . . . . . . . . . . . 3-69
How to Configure Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . 3-70
The Concept of Virtual Hosts . . . . . . . . . . . . . . . . . . . . . 3-71
How to Configure a Virtual Host . . . . . . . . . . . . . . . . . . 3-72
How to Limit Access to the Web Server . . . . . . . . . . . . . . . . 3-74
Limit Access on an IP Address Basis . . . . . . . . . . . . . . . 3-74
Limit Access with User Authentication . . . . . . . . . . . . . 3-76
How to Configure OpenSSL for Connection Encryption . . . 3-78
The Basics of SSL Encryption . . . . . . . . . . . . . . . . . . . . 3-79
How to Create a Test Certificate . . . . . . . . . . . . . . . . . . . 3-81
Create an RSA Key Pair . . . . . . . . . . . . . . . . . . . . . . 3-81
Sign the Public Key to Create a Certificate . . . . . . . 3-82

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-7
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

How to Configure Apache to Use SSL . . . . . . . . . . . . . . 3-83

Configure the Main Server to Use
SSL Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-84
Configure a Virtual Host to Use SSL Encryption. . . 3-85
The Limitations of the SSL Configuration . . . . . . . . . . . 3-85
Exercise 3-3: Configure an Apache Web Server . . . . . . 3-87
Part I: Install Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-87
Part II: Test the Installation . . . . . . . . . . . . . . . . . . . . . . . 3-88
Part III: Configure a Virtual Host for the
Accounting Department. . . . . . . . . . . . . . . . . . . . . . . . . . 3-88
Part IV: Configure User Authentication . . . . . . . . . . . . . 3-91
Part V: Configure SSL . . . . . . . . . . . . . . . . . . . . . . . . . . 3-92
Objective 4 Configure a Samba Server as a File Server . . . . . . . . . . . . . . 3-96
The Purpose and the Possibilities of Samba . . . . . . . . . . . . . 3-96
How to Install and Set Up a Basic Samba Server . . . . . . . . . 3-97
The Structure and Elements of the Samba
Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
Create a Section for the General
Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
Create a Section for the Files to be Shared . . . . . . . . . . 3-100
How to Use the Samba Tools to Access SMB Shares
from a Linux Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-101
Use nmblookup for Name Resolution in a
NetBIOS Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-102
Use smbclient to Access SMB Shares. . . . . . . . . . . . . . 3-102
Browse the Shares Provided by a Server . . . . . . . . 3-103
Access Files Provided by an SMB Server . . . . . . . 3-104
Print on Printers Provided by an SMB Server . . . . 3-105
Mount SMB Shares into the Linux File System . . . . . . 3-105

TOC-8 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

How to Configure a File Server with

User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106
Prepare the Server for User Authentication. . . . . . . . . . 3-106
Configure a Share That Is Accessible to
Only One User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-107
Configure Shared Access for a Group of Users . . . . . . 3-108
Configure the Export of Home Directories . . . . . . . . . . 3-109
Additional Possibilities with Samba . . . . . . . . . . . . . . . . . . 3-110
Exercise 3-4: Configure a File Server With Samba. . . 3-111
Part I: Install Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-111
Part II: Configure a Share for the User Geeko . . . . . . . 3-112
Part III: Access the Share of the User Geeko
With smbclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-113
Part IV: Mount Geeko's Share. . . . . . . . . . . . . . . . . . . . 3-114
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-115

SECTION 4 Secure a SLES 9 Server

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Objective 1 Create a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Understand the Basics of a Security Concept . . . . . . . . . . . . . 4-4
Perform a Communication Analysis . . . . . . . . . . . . . . . . . . . . 4-4
Analyze the Protection Requirements . . . . . . . . . . . . . . . . . . . 4-6
Analyze the Current Situation and
Necessary Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Objective 2 Limit Physical Access to Server Systems . . . . . . . . . . . . . . . 4-16
Place the Server in a Separate, Locked Room . . . . . . . . . . . . 4-16
Secure the BIOS with a Password . . . . . . . . . . . . . . . . . . . . . 4-17
Secure the GRUB Boot Loader with a Password . . . . . . . . . 4-17

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-9
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

Objective 3 Limit the Installed Software Packages. . . . . . . . . . . . . . . . . . 4-19

Objective 4 Understand the Linux User Authentication . . . . . . . . . . . . . . 4-21
Understand How PAM Works . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Understand PAM Configuration . . . . . . . . . . . . . . . . . . . . . . 4-23
Understand the Requirements for a Secure Password . . . . . . 4-27
Exercise 4-1: Change the PAM Configuration to
Disable the Graphical Root Login. . . . . . . . . . . . . . . . . 4-29
Objective 5 Ensure File System Security . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Understand the Basic Rule for User Write Access . . . . . . . . 4-31
Understand the Basic Rule for User Read Access . . . . . . . . . 4-32
Understand How Special File Permissions Affect the
Security of the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Objective 6 Use ACLs for Advanced Access Control . . . . . . . . . . . . . . . 4-35
Understand the Basics of ACLs . . . . . . . . . . . . . . . . . . . . . . . 4-35
Understand Important ACL Terms . . . . . . . . . . . . . . . . . . . . 4-36
Understand ACL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
Understand How ACLs and Permission Bits
Map to Each Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
Use the ACL Command Line Tools . . . . . . . . . . . . . . . . . . . 4-40
Configure a Directory with an Access ACL . . . . . . . . . . . . . 4-42
Configure a Directory with a Default ACL . . . . . . . . . . . . . . 4-45
Understand the ACL Check Algorithm . . . . . . . . . . . . . . . . . 4-49
Understand How Applications Handle ACLs . . . . . . . . . . . . 4-49
Exercise 4-2: Use ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 4-51
Part I: Configure the ACL of a Directory . . . . . . . . . 4-51
Part II: Configure a Default ACL for a Directory. . . 4-52
Part III: Delete an ACL. . . . . . . . . . . . . . . . . . . . . . . 4-53

TOC-10 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

Objective 7 Configure Security Settings with YaST. . . . . . . . . . . . . . . . . 4-55

Objective 8 Stay Informed About Security Issues . . . . . . . . . . . . . . . . . . 4-70
Exercise 4-3: Subscribe to the SUSE Security
Announcements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-71
Objective 9 Apply Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72
Register Your Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72
Use the YaST Online Update. . . . . . . . . . . . . . . . . . . . . . . . . 4-72
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76

SECTION 5 Manage Backup and Recovery

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Objective 1 Develop a Backup Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Choose a Backup Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Perform an Incremental Backup . . . . . . . . . . . . . . . . . . . . 5-4
Perform a Differential Backup . . . . . . . . . . . . . . . . . . . . . 5-5
Choose the Right Backup Media . . . . . . . . . . . . . . . . . . . . . . . 5-6
Objective 2 Create Backup Files With tar . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Create tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Unpack tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Exclude Files from Backup . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Perform Incremental and Differential Backups. . . . . . . . . 5-9
Use a Snapshot File for Incremental Backups . . . . . . 5-9
Use the find Command to Search for
Files to Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Use tar Command Line Options . . . . . . . . . . . . . . . . . . . 5-11
Exercise 5-1: Create Backup Files With tar . . . . . . . . . . 5-12
Part I: Create a Full Backup . . . . . . . . . . . . . . . . . . . . . . 5-12
Part II: Create an Incremental Backup . . . . . . . . . . . . . . 5-13

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-11
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

Objective 3 Work With Magnetic Tapes. . . . . . . . . . . . . . . . . . . . . . . . . . 5-15

Objective 4 Copy Data With the dd Command . . . . . . . . . . . . . . . . . . . . 5-18
Exercise 5-2: Create Drive Images with dd . . . . . . . . . . 5-20
Objective 5 Mirror Directories With the rsync Command . . . . . . . . . . . . 5-21
Perform Local Copying With rsync . . . . . . . . . . . . . . . . . . . . 5-21
Perform Remote Copying with rsync . . . . . . . . . . . . . . . . . . 5-23
Exercise 5-3: Create a Backup of a Home
Directory With rsync . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Part I: Perform a Local Backup With rsync . . . . . . . . . . 5-24
Part II: Perform a Remote Backup with rsync. . . . . . . . . 5-25
Objective 6 Automate Data Backups With the cron Service. . . . . . . . . . . 5-26
Exercise 5-4: Configure a cron Job for Data Backups . . 5-27
Objective 7 Troubleshoot the Boot Process of a SLES 9
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Understand Issues During the System Boot Process . . . . . . . 5-28
Boot a Corrupted System Directly into a Shell . . . . . . . . . . . 5-29
Boot a Corrupted System With the Installation Media . . . . . 5-30
Start and Use the SLES 9 Rescue System . . . . . . . . . . . . . . . 5-30
Objective 8 Configure and Install the GRUB Boot
Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32
The Basic Functionality of a Boot Loader . . . . . . . . . . . . . . . 5-32
The Basics of GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
Configure the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . 5-33
Exercise 5-5: Boot to a Shell and Configure the
GRUB Boot Loader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36
Part I: Boot the Rescue System . . . . . . . . . . . . . . . . . . . . 5-36
Part II: Edit and Test the GRUB Configuration File. . . . 5-37
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38

TOC-12 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

SECTION 6 Create Shell Scripts

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Objective 1 Use Basic Script Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Create Flow Charts for Scripts. . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Understand the Basic Rules of Shell Scripting . . . . . . . . . . . . 6-5
Exercise 6-1: Produce Output from a Script . . . . . . . . . . . 6-9
Develop Scripts That Read User Input . . . . . . . . . . . . . . . . . 6-10
Exercise 6-2: Read User Input . . . . . . . . . . . . . . . . . . . . 6-11
Perform Basic Script Operations with Variables . . . . . . . . . . 6-12
Exercise 6-3: Simple Operations with Variables . . . . . . 6-14
Use Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Exercise 6-4: Use Command Substitution . . . . . . . . . . . 6-16
Use Arithmetic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
Exercise 6-5: Use Arithmetic Operations. . . . . . . . . . . . 6-19
Objective 2 Use Variable Substitution Operators . . . . . . . . . . . . . . . . . . . 6-20
Exercise 6-6: Use Variable Substitution. . . . . . . . . . . . . 6-22
Objective 3 Use Control Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Creat Basic Branches With the if Command . . . . . . . . . . . . . 6-23
Exercise 6-7: Use the if Command. . . . . . . . . . . . . . . . . 6-30
Build Multiple Branches With a case Statement . . . . . . . . . . 6-31
Exercise 6-8: Use the case Command . . . . . . . . . . . . . . 6-34
Create Loops Using the while and until Commands . . . . . . . 6-35
Exercise 6-9: Use the while and until Commands . . . . . 6-37
Process Lists with the for Loop . . . . . . . . . . . . . . . . . . . . . . . 6-38
Exercise 6-10: Use the for Loop. . . . . . . . . . . . . . . . . . . 6-40
Hints:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Interrupt Loop Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Exercise 6-11: Interrupt Loop Processing . . . . . . . . . . . 6-42

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-13
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

Objective 4 Use Advanced Scripting Techniques . . . . . . . . . . . . . . . . . . . 6-43

Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43
Exercise 6-12: Use Shell Functions . . . . . . . . . . . . . . . . 6-45
Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-47
Exercise 6-13: Use the getopts Command . . . . . . . . . . . 6-49
Objective 5 Learn About Useful Commands in Shell Scripts . . . . . . . . . 6-50
Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51
Use the echo Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-52
Use the Commands grep and egrep . . . . . . . . . . . . . . . . . . . . 6-53
Use the sed Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-54
Use the test Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-57
Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-60
Exercise Answers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-61
Solution for Exercise 6-1: . . . . . . . . . . . . . . . . . . . . . 6-61
Solution for Exercise 6-2: . . . . . . . . . . . . . . . . . . . . . 6-61
Solution for Exercise 6-3: . . . . . . . . . . . . . . . . . . . . . 6-62
Solution for Exercise 6-4: . . . . . . . . . . . . . . . . . . . . . 6-62
Solution for Exercise 6-5: . . . . . . . . . . . . . . . . . . . . . 6-63
Solution for Exercise 6-6: . . . . . . . . . . . . . . . . . . . . . 6-64
Solution for Exercise 6-7: . . . . . . . . . . . . . . . . . . . . . 6-64
Solution for Exercise 6-8: . . . . . . . . . . . . . . . . . . . . . 6-65
Solutions for Exercise 6-9: . . . . . . . . . . . . . . . . . . . . 6-65
Solution for Exercise 6-10: . . . . . . . . . . . . . . . . . . . . 6-66
Solution for Exercise 6-12: . . . . . . . . . . . . . . . . . . . . 6-67
Solution for Exercise 6-13: . . . . . . . . . . . . . . . . . . . . 6-68
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69

TOC-14 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

SECTION 7 Compile Software from Source

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Objective 1 Understand the Basics of C Programming. . . . . . . . . . . . . . . . 7-3
The Difference Between Source Code and an Executable . . . 7-3
The Structure of a Simple C Program . . . . . . . . . . . . . . . . . . . 7-5
How to Compile a Simple C Program . . . . . . . . . . . . . . . . . . . 7-8
Exercise 7-1: Compile a Simple C Program. . . . . . . . . . . 7-9
Objective 2 Understand the GNU Build Tool Chain. . . . . . . . . . . . . . . . . 7-10
Use configure to Prepare the Build Process. . . . . . . . . . . . . . 7-10
Use make to Compile the Source Code . . . . . . . . . . . . . . . . . 7-11
Use make install to Install the Compiled Program . . . . . . . . 7-13
Install the Required Packages for a Build Environment . . . . 7-13
Objective 3 Understand the Concept of Shared Libraries . . . . . . . . . . . . . 7-15
Objective 4 Perform a Standard Build Process . . . . . . . . . . . . . . . . . . . . 7-17
Exercise 7-2: Compile Software
from a Source Package . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
Part I: Compile a Source Package. . . . . . . . . . . . . . . 7-21
Part II: Run the Application . . . . . . . . . . . . . . . . . . . 7-22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

SECTION 8 Perform a Health Check and Performance Tuning

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Objective 1 Find Performance Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Analyze Processes and Processor Utilization . . . . . . . . . . . . . 8-4
Analyze Memory Utilization and Performance . . . . . . . . . . . . 8-6

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-15
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

Analyze Storage Performance . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

Analyze Network Utilization and Performance . . . . . . . . . . . 8-14
Exercise 8-1: Analyze System Performance . . . . . . . . . 8-17
Part I: Analyze Processor Utilization . . . . . . . . . . . . . . . 8-17
Part II: Analyze Memory Utilization. . . . . . . . . . . . . . . . 8-18
Part III: Analyze Hard Disk Utilization. . . . . . . . . . . . . . 8-19
Part IV: Analyze Network Utilization. . . . . . . . . . . . . . . 8-20
Objective 2 Reduce System and Memory Load . . . . . . . . . . . . . . . . . . . . 8-22
Analyze CPU Intensive Applications . . . . . . . . . . . . . . . . . . 8-22
Run Only Required Software. . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Run a Server System without X . . . . . . . . . . . . . . . . . . . 8-23
Reduce the Number of Daemon Processes . . . . . . . . . . . 8-24
Keep Your Software Up to Date . . . . . . . . . . . . . . . . . . . . . . 8-25
Optimize Swap Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . 8-26
Upgrade the CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Upgrade the Memory . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Exercise 8-2: Reduce Resource Utilization . . . . . . . . . . 8-28
Objective 3 Optimize the Storage System. . . . . . . . . . . . . . . . . . . . . . . . . 8-30
Configure IDE Drives with hdparm. . . . . . . . . . . . . . . . . . . . 8-30
Tune Kernel Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Tune the IO Scheduler. . . . . . . . . . . . . . . . . . . . . . . . . . . 8-33
Change the Read Ahead Parameter . . . . . . . . . . . . . . . . . 8-34
Change the Swappiness Parameter . . . . . . . . . . . . . . . . . 8-34
Tune File System Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
Disable atime Update . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
Implement File System Dependent Tuning Options . . . . 8-35
Mount a Reiser File System
With the notail Option . . . . . . . . . . . . . . . . . . . . . . . 8-36
Configure the Journaling Mode of Ext3 . . . . . . . . . . 8-36

TOC-16 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Contents

Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . 8-37

Exercise 8-3: Tune an IDE Hard Drive With hdparm . . 8-38
Objective 4 Tune the Network Performance . . . . . . . . . . . . . . . . . . . . . . . 8-39
Change Kernel Network Parameters . . . . . . . . . . . . . . . . . . . 8-39
Change Your Network Environment . . . . . . . . . . . . . . . . . . . 8-41
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43

SECTION 9 Manage Hardware and Component Changes

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Objective 1 Understand the Differences Between
Devices and Interfaces9-3
Objective 2 Understand How Device Drivers Work . . . . . . . . . . . . . . . . . 9-4
Objective 3 Understand How Device Drivers Are Loaded . . . . . . . . . . . . . 9-6
Objective 4 Understand the sysfs File System . . . . . . . . . . . . . . . . . . . . . . 9-7
Objective 5 Understand How the SLES 9 Hotplug System Works. . . . . . . 9-9
Objective 6 Understand the hwup Command . . . . . . . . . . . . . . . . . . . . . . 9-13
Exercise 9-1: Trace How a Network Adapter Is
Set Up With hwup and ifup . . . . . . . . . . . . . . . . . . . . . . 9-16
Part I: Boot the System with Hot- and
Coldplug Disabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Part II: Use hwup to Load a Driver Module . . . . . . . . . . 9-17
Part III: Use ifup to Set Up the Network Interface . . . . . 9-18
Objective 7 Add New Hardware to a SLES 9 System . . . . . . . . . . . . . . . 9-20
Add a New Drive to the System . . . . . . . . . . . . . . . . . . . . . . 9-20
Replace a Graphics Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Add a New Network Adapter . . . . . . . . . . . . . . . . . . . . . 9-22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-17
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

SECTION 10 Prepare for the Novell CLP Practicum

Scenario 1: Install and Configure SLES 9 . . . . . . . . . . . . . . 10-2

Scenario 2: Configure a DNS Server . . . . . . . . . . . . . . . . . . 10-3
Scenario 3: Configure a Web Server. . . . . . . . . . . . . . . . . . . 10-4
Scenario 4: Configure a Samba file server . . . . . . . . . . . . . . 10-5

Appendix A Novell CLP and LPI Requirements

TOC-18 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Introduction

Introduction

In this course you learn advanced SUSE LINUX Enterprise Server

9 (SLES 9) administration skills. These, along with the skills taught
in the SUSE LINUX Fundamentals (3036) and SUSE LINUX
Administration (3037) courses, prepare you to take the Novell®
Certified Linux® Professional (Novell CLP) certification practicum
test.

Course Objectives
This course teaches you how to perform the following SUSE
LINUX advanced administration tasks for SLES 9:
1. Install SLES 9 with a custom partitioning
2. Configure the network manually
3. Configure network services
4. Secure a SLES 9 server
5. Manage backup and recovery
6. Create shell scripts
7. Compile software from source
8. Perform a health check and performance tuning
9. Manage hardware and component changes

These are advanced administrative skills common to an experienced

administrator in an enterprise environment.

The final day of class is reserved for a “Live Fire” exercise that tests
your advanced SLES 9 administration skills and prepares you to
take the Novell CLP Practicum.

Version 1 Copying all or part of this manual, Intro-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Audience
While the primary audience for this course is the current Novell
CNESM who has completed courses 3036 and 3038 in the CLP
curriculum, Linux professionals and administrators with experience
in other operating systems can also use this course to help prepare
for the Novell CLP Practicum.

Certification and Prerequisites

This course helps you prepare for the Novell Certified Linux
Professional (Novell CLP) Practical Test, called a practicum. The
Novell CLP is an entry-level certification for people interested in
becoming SUSE LINUX administrators.

As with all Novell certifications, course work is never required. You

only need only pass a Novell CLP Practicum (050-689) in order to
achieve the certification.

The Novell CLP Practicum is a hands-on, scenario-based exam

where you apply the knowledge you have learned to solve real-life
problems—demonstrating that you know what to do and how to do
it.

The practicum tests you on objectives in this course (SUSE LINUX

Advanced Administration - Course 3038) and the skills outlined in
the following Novell CLP courses:
■ SUSE LINUX Fundamentals - Course 3036
■ SUSE LINUX Administration - Course 3037

Intro-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Introduction

The following illustrates the training/testing path for Novell CLP:

Before attending this course, you should complete the prerequisites

which included in SUSE LINUX Administration (Course 3037) or
have experience managing SLES 9 servers in a networked
environment.

Version 1 Copying all or part of this manual, Intro-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

For more information about Novell certification programs and taking the
Novell CLP Practicum, see http://www.novell.com/education/certinfo.

SLES 9 Support and Maintenance

The copy of SUSE LINUX Enterprise Server 9 (SLES 9) you
receive in your student kit is a fully functioning copy of the SLES 9
product.

However, to receive official support and maintenance updates, you

need to do one of the following:
■ Register for a free registration/serial code that provides you
with 30 days of support and maintenance.
■ Purchase a copy of SLES 9 from Novell (or an authorized
dealer).

You can obtain your free 30-day support and maintenance code at
http://www.novell.com/products/linuxenterpriseserver/eval.html.

You will need to have or create a Novell login account to access the 30-day
evaluation.

SLES 9 Online Resources

Novell provides a variety of online resources to help you configure
and implement SLES 9.

These include the following:

■ http://www.novell.com/products/linuxenterpriseserver/
This is the Novell home page for SLES 9.
■ http://www.novell.com/documentation/sles9/index.html
This is the Novell Documentation web site for SLES 9.

Intro-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Introduction

■ http://support.novell.com/linux/
This is the home page for all Novell Linux support, and
includes links to support options such as the Knowledgebase,
downloads, and FAQs.
■ http://www.novell.com/coolsolutions
This Novell web site provides the latest implementation
guidelines and suggestions from Novell on a variety of
products, including SUSE LINUX.

Agenda
The following is the agenda for this 3-day course:

Section Duration
Day 1 Introduction 00:30
Section 1: Install SLES 9 03:30
Section 2: Configure the Network 02:00
Manually
Day 2 Section 3: Configure Network Services 04:00
Section 4: Secure a SLES 9 Server 02:00
Day 3 Section 4: Secure a SLES 9 Server 01:00
(cont.)
Section 5: Managing Backup and 01:00
Recovery
Section 6: Create Shell Scripts 02:30
Section 7: Compile Software from 01:30
Source
Day 4 Section 8: Perform a Health Check 03:00
and Performance Tuning

Version 1 Copying all or part of this manual, Intro-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Section Duration
Section 9: Manage Hardware and 02:00
Component Changes
Day 5 Live Fire Exercise 06:00

Scenario
The Digital Airlines management has made the decision to migrate
several back-end services to Linux servers running SLES 9. You
have already installed SLES 9 before and are familiar with
administering SLES 9 from YaST and from the command line.

To be able to implement the migration plan, you need additional

experience in the following areas:
■ System settings on the configuration file level
■ Network services configuration from the command line
■ Applying security solutions and deploying backup and recovery
■ Creating basic shell scripts and compiling software from source
packages

You decide to set up a test server in the lab to enhance your skills in
these areas.

Exercise Conventions
When working through an exercise, you will see conventions that
indicate information you need to enter that is specific to your server.

The following describes the most common conventions:

■ italicized/bolded text. This is a reference to your unique
situation, such as the host name of your server.

Intro-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Introduction

For example, if the host name of your server is DA50, and you
see the following,
hostname.digitalairlines.com
you would enter
DA50.digitalairlines.com
■ 10.0.0.xx. This is the IP address that is assigned to your SLES 9
server.
For example, if your IP address is 10.0.0.50, and you see the
following
10.0.0.xx
you would enter
10.0.0.50
■ Select. The word select is used in exercise steps to indicate a
variety of actions including clicking a button on the interface
and selecting a menu item.
■ Enter and Type. The words enter and type have distinct
meanings.
The word enter means to type text in a field or at a command
line and press the Enter key when necessary. The word type
means to type text without pressing the Enter key.
If you are directed to type a value, make sure you do not press
the Enter key or you might activate a process that you are not
ready to start.

Version 1 Copying all or part of this manual, Intro-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Intro-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

SECTION 1 Install SLES 9

In this section, you install SUSE Linux Enterprise Server 9

(SLES 9). You also learn how to use advanced installation options
and to troubleshoot the installation process.

Objectives
1. Perform the SLES 9 Base Installation
2. Configure the SLES 9 Installation
3. Troubleshoot the Installation Process

Version 1 Copying all or part of this manual, 1-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
YaST presents an installation proposal (automatically generate)
during installation that you can accept to make installation simple
and quick.

However, you also need to understand the more advanced

installation options available. By changing the following installation
proposal options, you can install servers that meet a variety of
needs:
■ Installation mode
■ Partitioning scheme
■ Software selection
■ Authentication method
■ Hardware setup

This section describes these and other SLES 9 installation options.

1-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Objective 1 Perform the SLES 9 Base Installation

Installing SLES 9 consists of a base installation phase and a
configuration phase.

To perform the base installation do the following:

■ Boot From the Installation Media
■ Select the System Language
■ Select the Installation Mode
■ Understand and Change the Installation Proposal
■ Partition the Hard Disk
■ Select the Software
■ Configure the Boot Loader
■ Start the Installation Process

Boot From the Installation Media

To start the installation process, insert the SLES 9 CD 1 into the CD

drive and then reboot the computer to start the installation program.

To start the installation program, your computer needs to be configured to

start from a CD or DVD drive. You might need to change the boot drive
order in the BIOS setup of your system to boot from the drive.

Consult the manual shipped with your hardware for further information.

Version 1 Copying all or part of this manual, 1-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

When your system has started from the installation CD, the
following appears:

You can use the arrow keys to select one of the following options:
■ Boot from Hard Disk. Boots the system installed on the hard
disk (the system normally booted when the machine is started).
This is the default option.
■ Installation. Starts the normal installation process. All modern
hardware functions are enabled.
■ Installation - ACPI Disabled. Starts the installation process
with ACPI (Advanced Configuration and Power Interface)
disabled. If the normal installation fails, the system hardware
might not support ACPI. In this case, you can use this option to
install without ACPI support.

1-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Installation - Safe Settings. Starts the installation process with

the DMA mode and any interfering power management
functions disabled. Use this option if the installation fails with
the other options.
■ Manual Installation. When you select this installation mode,
you can load driver modules manually and change the advanced
installation settings.
■ Rescue System. Starts the SLES 9 rescue system. If you cannot
boot your installed Linux system, you can boot the computer
from the CD and select this option. This starts a minimal Linux
system without a graphical user interface to allow experts to
access disk partitions for troubleshooting and repairing an
installed system.
■ Memory Test. Starts a memory testing program, which tests
system RAM by using repeated read and write cycles. This is
done in an endless loop, because memory corruption often
shows up sporadically and many read and write cycles might be
necessary to detect it.
If you suspect that your RAM might be defective, start this test
and let it run for several hours. If no errors are detected, you
can assume that the memory is intact. Terminate the test by
rebooting the system.

Use the function keys, as indicated in the bar at the bottom of the
screen, to change a number of installation settings:
■ F1. Opens context-sensitive help for the currently selected
option of the boot screen.
■ F2. Select a graphical display modes (such as 640x480 or
1024X768) for the installation. You can select one of these or
select the text mode, which is useful if the graphical mode
causes display problems.
■ F3. Select an installation media type. Normally, you install from
the inserted installation disk, but in some cases you might want
to select another source, such as FTP or NFS.
■ F4. Select a installation language.

Version 1 Copying all or part of this manual, 1-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ F5. Select the debugging output level. By default, diagnostic

messages of the Linux kernel are not displayed during system
start up. To display these messages, select Native. For
maximum information, select Verbose.
■ F6. Add a driver update CD to the installation process. You are
asked to insert the update disk at the appropriate point in the
installation process.

Select the Installation option to start the installation process. If the

installation fails for some reason, try to install with the Installation
- ACPI Disabled option or the Installation - Safe Settings option.

After you select an installation option, a minimal Linux system

loads to run the YaST installation program.

Select the System Language

After YaST starts, the following appears:

1-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Almost all YaST installation dialogs use the same format:

■ The left side displays an overview of the installation status.
■ From the lower left side, you can select a help button to get
information about the current installation step.
■ The right side displays the current installation step.
■ The lower right side provides buttons for navigating to the
previous or next installation steps, or to abort the installation.
If the installation program does not detect your mouse, you can use the Tab
key to navigate through the dialog elements, the arrow keys to scroll in lists
and Enter to select buttons. You can change the mouse settings later in the
installation process.

From the language dialog, select the language of your choice, and
then select Accept to continue to the next step.

Select the Installation Mode

After you have selected the installation language, the following

appears:

Version 1 Copying all or part of this manual, 1-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In this dialog, YaST asks you for the installation mode. Select one
of the following options:
■ New installation. Performs a normal new installation of SLES
9. This is the default option.
■ Update an existing system. Updates a previously installed
SLES 8 installation.
■ Repair Installed System. Repairs a previously installed SLES
9 installation.
■ Boot installed system. Boots a previously installed Linux
installation.
■ Abort Installation. Terminates the installation process.

For a normal installation, select New Installation and then select

OK to proceed to the next step.

1-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Understand and Change the Installation Proposal

After you select New Installation, YaST analyzes the system and
creates an installation proposal. The proposal is displayed as shown
in the following:

The proposal displays all installation settings that are necessary for
a base installation. You can change these settings by selecting the
following headlines (headings):
■ System. Restarts the hardware detection process and displays a
list of all available hardware components. You can select single
components, view details, or save the list to a file.
■ Mode. Changes the installation mode.
■ Keyboard layout. Changes the keyboard layout. YaST selects
the keyboard layout according to your language settings.
Change the keyboard settings if you prefer a different layout.

Version 1 Copying all or part of this manual, 1-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Mouse. Changes the mouse settings. If your mouse does not

work correctly, you can select a different mouse type in this
block.
■ Partitioning. Changes the hard drive partitioning. If the
automatically generated partitioning scheme does not fit your
needs, you can change it by selecting this headline.
■ Software. Changes the software selection. You can select or
deselect software.
■ Booting. Changes the boot loader setting.
■ Time zone. Changes the time zone. YaST selects the time zone
of the installed system according to your language selection.
Change the time zone if you prefer a different one.

Of the settings described above, partitioning, software, and booting

are discussed next in more detail.

Partition the Hard Disk

In most cases, YaST proposes a reasonable partitioning scheme that

you can accept without change. However, you might need to change
the partitioning manually if
■ You want to optimize the partitioning scheme for a special
purpose server (such as a file server).
■ You have more than one hard drive and want to configure
RAID or LVM devices.
■ You want to delete existing operating systems so you have more
space available for your SLES 9 installation.

To partition the hard drive manually, you need to know the

following:
■ The Basics of Hard Drive Partitioning
■ The Basic Linux Partition Scheme
■ Partitioning Schemes for Different Server Types

1-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ How to Change YaST´s Partitioning Proposal

■ How to Use the YaST Expert Partitioner

The Basics of Hard Drive Partitioning

Partitions divide the available space of a hard drive into smaller

portions. This lets you install more than one operating system on a
hard drive or to use different areas for programs and data.

Every hard disk has a partition table with space for four entries. An
entry in the partition table can correspond to a primary partition or
an extended partition. Only one extended partition entry is allowed.

A primary partition consists of a continuous range of cylinders

(physical disk areas) assigned to a particular operating system. If
you use only primary partitions, you are limited to 4 partitions per
hard disk (because the partition table can only hold 4 primary
partitions).

This is why extended partitions are used. Extended partitions are

also continuous ranges of disk cylinders, but can be subdivided into
logical partitions. Logical partitions do not require entries in the
main partition table. In other words, an extended partition is a
container for logical partitions.

If you need more than 4 partitions, create an extended partition

before you create the fourth partition. This extended partition
should include the entire remaining free cylinder range. Then create
multiple logical partitions within the extended partition. The
maximum number of logical partitions is fifteen on SCSI disks and
63 on (E)IDE disks.

It does not matter which type of partitions you use on Linux

systems; primary and logical partitions both work well.

Version 1 Copying all or part of this manual, 1-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The Basic Linux Partition Scheme

The optimal partition scheme for a server depends on the purpose of

the server.

A SLES 9 installation needs at least two partitions:

■ Swap partition. This partition is used by Linux to move
unused data from the main memory to the hard dive. Moving
unused data from the main memory to the hard drive helps
improve the performance of the system.
■ Root partition. This is the partition for the operating system
itself, and is mounted under / in the installed system.

No matter what partition scheme you choose, you always need a

swap partition and a root partition.

The following guidelines help you determine the size of your root
partition:
■ 500 MB. This allows for a minimal installation with no
graphical interface. With this configuration, you can only use
console applications.
■ 700 MB. This allows for an installation with a minimum
graphical interface. This includes the X window system and a
few graphical applications.
■ 1.5 GB. This is the default installation recommended proposed
by YaST. This configuration includes a modern desktop
environment (such as KDE or GNOME), and provides enough
space for large applications suites (such as Netscape or
Mozilla).
■ 2.5 GB. This allows for a full installation, including all
software packages shipped with SLES 9.

If your server hosts data (such as a web server or a file server) you
will probably need more space on the root partition.

1-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Partitioning Schemes for Different Server Types

It often makes sense to create more than the default Linux

partitions. The following list provides examples of partitions for
different server types:
■ File server. Hard disk performance is crucial for a file server.
Create an extra partition with enough space for the data that is
hosted by the server.
■ Web server. You should create an extra partition for the web
space hosted by the server. Make the partition large enough to
hold the expected amount of hosted data.
■ Compute server. A compute server carries out extensive
calculations in the network. Fast disk throughput is only needed
for the swap partitions. If possible, use more than one swap
partition and distribute swap partitions to multiple hard disks.
■ Desktop workstation. Create a separate partition for users'
home directories. This lets you reinstall the operating system
without losing user data.

Version 1 Copying all or part of this manual, 1-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

How to Change YaST´s Partitioning Proposal

To use YaST to change the partition scheme, select the Partitioning

headline in the installation proposal. The following appears:

In the top part of the dialog, YaST displays the automatically

generated partitioning proposal. The lower part of the dialog
provides the following options:
■ Accept proposal as is. Accepts the partitioning scheme and
returns to the main installation proposal.
■ Base partition setup on this proposal. Starts the YaST Expert
Partitioner with the partition proposal as base setup.

1-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Create custom partition setup. Displays the following:

In this dialog, you can select

■ Select a hard disk completely or in parts
■ Create a custom partitioning by using the YaST Expert
Partitioner

Version 1 Copying all or part of this manual, 1-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

How to Use the YaST Expert Partitioner

When you start the YaST Expert Partitioner, the following appears:

In the top part of the dialog, YaST lists details of the current
partition setup. Depending on your previous choice, the list contains
the current physical disk setup or the partitioning proposal created
by YaST.

Most of the changes made with the YaST Expert Partitioner are not written
to disk until the installation process is started. You can always discard your
changes by selecting Back or you can restart the Expert Partitioner to make
more changes.

1-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

The following entries are displayed for every hard disk in your
system:
■ One entry for the hard disk itself, which has the corresponding
device name in the Device column (such as /dev/sda).
■ One entry for every partition on the hard disk with the
corresponding device name and the partition number in the
Device column (such as /dev/sda1).

If a hard disk is not partitioned yet, you see only the entry for the
hard disk itself.

Each entry in the list includes information in the following columns:

■ Device. Displays the device name for the hard disk or the
partition.
■ Size. Displays the size for the hard disk or partition.
■ F. When the character “F” is displayed in this column, the
partition will be formatted during the installation process.
■ Type. Displays the partition or hard disk type.
■ Mount. Displays the mount point of a partition. For swap
partitions, only the keyword swap is used.
■ Start. Displays the start cylinder of a hard disk or partition.
Hard disk entries starts always with 0.
■ End. Displays the end cylinder of a hard disk or partition.

The buttons in the lower part of the dialog let you

■ Create New Partitions
■ Edit Existing Partitions
■ Delete Existing Partitions
■ Resize Existing Partitions
■ These administrative tasks are covered in more detail below.

Version 1 Copying all or part of this manual, 1-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In addition, you can do the following:

■ Manage LVM volumes
■ Manage EVMS volumes
■ Manage soft RAID setups
■ Create crypt file partitions
■ Perform expert tasks

Create New Partitions

Create a new partition by selecting Create. A dialog with one of the

following options appears (the options you see depend on your hard
disk setup):
■ If you have more than one disk in your system, you are asked to
select a disk for the new partition first.
■ If you do not have an extended partition, you are asked if you
want to create a primary or an extended partition.
■ If you have an extended partition, you are asked if you want to
create a primary or a logical partition.
■ If you have 3 primary partitions and an extended partition, you
can only create logical partitions.

You need enough space on your hard disk to create a new partition. You
learn later in this section how to delete existing partitions to free used disk
space.

1-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

If you choose to create a primary or a logical partition, the

following appears:

This dialog provides the following options:

■ Format. This lets you choose one of the following options:
■ Do not format. Do not format the newly created partition.
Select this only if you need to change an existing partition
instead of creating a new one.
■ Format. Formats the new partition with the file system you
select from the File System drop-down list.
You can choose from the following file systems:
■ Ext2. Formats the partition with the Ext2 file system.
Ext2 is an old and proven file system, but it does not
include journaling.
■ Ext3. Formats the partition with the Ext3 file system.
Ext3 is the successor of Ext2 and offers a journaling
feature.
■ FAT. Formats the partition with the FAT file system.

Version 1 Copying all or part of this manual, 1-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

FAT is an older file system used in DOS and Windows.

You can use this option to create a data partition, which
is accessible from Windows and Linux. You must not
create a root partition with this file system.
■ JFS. Formats the partition with JFS, a journaling file
system developed by IBM.
■ Reiser. Formats the partition with ReiserFS, a modern
journaling file system. (This is the default option.)
■ XFS. Formats the partition with XFS, a journaling file
system originally developed by SGI.
■ Swap. Formats the partition as a swap partition.
If you are not sure which file system to choose, select
Reiser for root and data partitions and Swap for swap
partitions.
■ Options. By selecting Options, you can change parameters
for the file system you selected. You can use the default
parameters in most cases.
■ Encrypt file system. If you select this option, the partition
file system is encrypted. You should only use this option for
non-system partitions such as user home directories.
■ Size. Lets you configure the size of the new partition with the
following:
■ Start Cylinder. The start cylinder determines the first
cylinder of the new partition. YaST normally preselects the
first available free cylinder of the hard disk.
■ End. The end cylinder determines the size of the new
partition. To configure the end cylinder, do one of the
following:
■ Enter the cylinder number.
■ Enter a plus sign (+) followed by the amount of disk
space for the new partition. Use M for MB and GB for
GB. YaST calculates the last cylinder number.
For example, enter +5G for a partition size of 5 GB.

1-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Fstab Options. Select this option to edit the fstab entry for this
partition. The default setting should work in most cases.
■ Mount Point. Select the mount point of the new partition from
this drop-down list. You can also enter a mount point manually,
if it's not available in the list.

After changing the parameters, select OK to add the new partition

to the partition list.

If you chose to create an extended partition, the following appears:

You can enter the following:

■ Start cylinder. The start cylinder determines the first
cylinder of the new partition. YaST normally preselects the
first available free cylinder of the hard disk.
■ End. The end cylinder determines the size of the new
partition. To configure the end cylinder, do one of the
following:
■ Enter the cylinder number.

Version 1 Copying all or part of this manual, 1-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Enter a plus sign (+) followed by the amount of disk

space for the new partition. Use M for MB and GB for
GB. YaST calculates the last cylinder number.
For example, enter +5G for a partition size of 5 GB.

After entering the size, select OK to add the new extended partition
to the partition list.

Edit Existing Partitions

Select a partition from the list and select Edit. You can edit only
primary and logical partitions with the Expert Partitioner. You
cannot edit extended partitions or the entry for the full hard disk.

If you edit a primary or logical partition, a dialog appears which is

very similar to the Create Partition dialog described above. You can
change all options except for the partition size.

After changing the partition parameters, select OK to save your

changes to the partition list.

Delete Existing Partitions

To delete a partition, select a partition from the list, select Delete,

and then select Yes in the confirmation dialog. The partition is
deleted from the partition list.

Remember that you also delete all logical partitions when you delete
an extended partition.

Resize Existing Partitions

Select a partition from the list and select Resize.

Although you can resize a partition without deleting it to increase free

space on the hard disk, you should always back up the data on the partition
before resizing it.

1-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

If the selected partitions are formated with the FAT or NTFS file
system, do the following before resizing the partition:
■ FAT file system. To save time, first run Scan Disk and Defrag
to make sure the FAT partition is free of lost file fragments and
cross links and to move files to the beginning of the partition.
If you have optimized virtual memory settings for Windows so
that a contiguous swap file is used with the same initial
(minimum) and maximum size limit, disable them before
resizing and re-enable them after the resizing has been
completed.
If these virtual memory settings are enabled, the resizing might split
the swap file into many small parts scattered all over the FAT partition.
Also, the entire swap file would need to be moved during the resizing,
which makes the process rather slow.

■ NTFS file system. You must run Scan Disk and Defrag to
move the files to the beginning of the partition or the NTFS
partition cannot be resized.

Version 1 Copying all or part of this manual, 1-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

After you select Resize, the following appears:

This dialog includes the following:

■ Two bars representing the partition before and after the resizing
process
■ Now. In the Now bar, the used space is designated by dark
blue and the available space is designated by light blue.
■ After installation. In the After Installation bar the used
space is designated by dark blue and the free space is
designated by light blue. The space that is available for a
new partition is designated by white.
■ A slider to change the size of the partition
■ Two text fields that display the amount of free space on the
partition being resized and the space available for a new
partition after the resizing process

1-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ A Do Not Resize button used to reset the partition to the

original size

To resize the partition, move the slider until enough unused disk
space is available for a new partition. When you select OK, the
partition size changes in the partition list.

Manage LVM Volumes

To manage LVM (Logical Volume Manager) volumes, select the

LVM button in the YaST Expert Partitioner.

SLES 9 supports only LVM version 2. Therefore, references to LVM in

this section always refer to LVM version 2.

Using LVM you can create logical volumes, which spread over
several physical disks and partitions. Do not confuse logical
volumes with physical, logical partitions in the extended partition of
a hard disk.

You can use a logical volume like a physical partition. You can
create a file system on the volume and mount it at a mount point of
your choice.

You can also use the YaST Expert Partitioner to create logical volumes
after installation. There are also command line tools for managing logical
volumes. We do not recommend that you use LVM for the root partition of
a system.

You need to understand the following terms connected with logical

volumes:
■ Logical volume group. A logical volume group is a group of
physical partitions. The physical partitions can be spread over
different hard disks.
■ Logical volume. A logical volume is a part of a logical volume
group. A logical volume can be formatted and mounted like a
physical partition.

Version 1 Copying all or part of this manual, 1-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

You can think of logical volume groups as logical hard disks and
logical volumes as partitions on those logical hard disks.

Before you can create a logical volume, you always need a logical
volume group.

The following shows the relationship of physical partitions, logical

volume groups, and logical volumes:

Logical volumes have the following advantages:

■ They can be resized more easily than a physical partition.
■ They can spread over multiple disks.
■ You can easily add new hard disks to logical volume groups.
■ You can create extremely large logical volumes.
■ They provide a snapshot functionality for consistent backups.

1-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

If you select LVM in the YaST Expert Partitioner, the following

appears:

You use this dialog to create a new logical volume group by

entering the following:
■ Volume Group Name. Enter the name of your volume group.
■ Physical Extent Size. The physical extent size defines the
smallest unit of a logical volume group, and the maximum size
of a logical volume group. Entering a value 4 MB allows a
logical volume group of 256 GB.

If you are not sure which values to enter, use the default settings.

Version 1 Copying all or part of this manual, 1-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

After you select OK, the following appears:

You can use the following options this dialog to add physical
partitions to your logical volume group:
■ Volume Group. Select the volume group from the drop-down
list that you want to add partitions to.
■ Size. Displays the current size of the selected logical volume
group.
■ Remove Group. Deletes the currently selected volume group.
You can delete empty groups only.
■ Add Group. Add a logical volume group.
■ Partition List. Select the partition you want to add to the
volume group.
■ Add Volume. Add the selected partition to the volume group.

1-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Remove Volume. Remove the selected partition from the

volume group.

Add partitions to your logical volume group, and then select Next to
continue. The following appears:

You can use the following options in this dialog to create logical
volumes in your logical volume group:
■ Volume Group. Select the volume group from this drop-down
list that you want to create partitions in.
■ Space bar. Displays the available space of the selected volume
group.
■ Volume list. Displays physical partitions and logical volumes in
the system.

Version 1 Copying all or part of this manual, 1-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ View all mount points. When you select this option, all
partitions and volumes that have entries in /etc/fstab are
displayed. Otherwise, only the volumes in the selected volume
group are displayed.
■ Add. Adds a new logical volume to the volume group. When
you select Add, the following appears:

This dialog is similar to the Create Partition dialog in the Expert

Partitioner and includes the following options:
■ Format. Lets you choose one of the following options:
■ Do Not Format. Do not format the newly created
volume. Select this option only if you want to change
an existing volume instead of creating a new one.
■ Format. Formats the new volume with the file system
that you select from the drop-down list.

1-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

You can choose one of the following file systems:

■ Ext2. Formats the volume with the Ext2 file system.
Ext2 is a dependable file system, but it doesn't include
journaling.
■ Ext3. Formats the volume with the Ext3 file system.
Ext3 is the successor of Ext2 and offers a journaling
feature.
■ FAT. Formats the volume with the FAT file system.
FAT is used by older versions of DOS and Windows.
You can use this option to create a data volume that is
accessible from both Windows and Linux.
■ JFS. Formats the volume with JFS, a journaling file
system developed by IBM.
■ Reiser. Formats the volume with ReiserFS, a modern
journaling file system. (This is the default option.)
■ XFS. Formats the volume with XFS, a journaling file
system originally developed by SGI.
■ Swap. Formats the volume as a swap volume.
If you are not sure which file system to choose, select
Reiser for root and data volumes and Swap for swap
volumes.
■ Options. Select this button to change parameters for
the selected file system. You can use the default
parameters in most cases.
■ Encrypt file system. Select this check box to encrypt
the file system of the volume. You should only use this
option for non-system volumes like user home
directories.
■ Logical volume name. Enter the name of the new logical
volume.
■ Size. Enter the size of the logical volume in this field. Use
M for MB and GB for GB. For example, enter 5G for a
volume size of 5 GB.

Version 1 Copying all or part of this manual, 1-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Max. Set the size of the maximum available space of the

volume group.
■ Stripes. If you choose a value larger than 1 from this drop-
down list, every file written to the volume will be spread in
small pieces (stripes) over all physical devices in the
volume group.
This enhances disk performance by using all available
disks at the same time.
The number of stripes you select must not exceed the
number of physical disks in the system.
If you need more performance than a single disk can
deliver, this might be a good option for you. However, a
real hardware RAID system is normally a much better
choice.
■ Stripe Size. Select the size of a single stripe.
■ Fstab Options. Select this option to edit the fstab entry for
this volume. The default setting should work in most cases.
■ Mount Point. Select the mount point of the new volume
from this drop-down list. You can also enter a mount point
manually if the mount point you want is not available in the
list.
After selecting all options for the new volume, select OK to
add the volume.
■ Edit. Change the parameters of a selected volume.
The dialog to edit a volume has the same options as the dialog
to create volumes (already described). You can also edit logical
volumes directly from the Partition list in the Expert Partitioner.
■ Remove. Remove a selected volume. You can also remove
logical volumes directly from the Partition list in the Expert
Partitioner.

When you are finished with the logical volume setup, select Next to
save the settings and return to the Expert Partitioner.

1-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Manage EVMS Volumes

To manage EVMS (Enterprise Volume Management System)

volumes, select EVMS in the YaST Expert Partitioner.

EVMS is a similar approach to LVM. In the latest versions of

EVMS and LVM both use the device mapper of the kernel to
manage logical volumes. However, YaST´s configuration tools are
not as developed for EVMS as they are for LVM, so EVMS is not
covered in as much detail in this section.

The EVMS setup is very similar to the LVM setup with the
exception that logical volume groups are called containers in
EVMS.

After selecting EVMS in the YaST Expert Partitioner, you create a

container and add physical partitions to it. Then you can create
logical volumes in the container, format them with a file system, and
choose a mount point for them.

You can also use striping to enhance the performance of your

EVMS volumes.

Manage Soft RAID Setups

To manage soft RAID (Redundant Array of Inexpensive Disks)

setups, select RAID in the YaST Expert Partitioner.

The purpose of RAID is to combine several hard disk partitions into

one large virtual hard disk for optimizing performance and
improving data security.

There are 2 types of RAID configurations:

■ Hardware RAID. Hard disks are combined by the hard disk
controller. The operating system sees the combined hard disks
as one device. No additional RAID configuration is necessary
at the operating system level.

Version 1 Copying all or part of this manual, 1-33

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Software RAID. Hard disks are combined by the operating

system. The operating system sees every single disk and needs
to be configured to use them as a RAID system.

Hardware RAID provides better performance and data security than

software RAID, but it is also much more expensive. Use software
RAID to enhance disk performance and security if you cannot
afford a hardware RAID solution.

In this section, you learn how to set up software RAID.

You combine hard disks according to RAID levels. Using YaST you
can set up RAID levels 0, 1, and 5 (RAID levels 2, 3, and 4 are not
available with software RAID):
■ RAID 0. This level improves the performance of your data
access. With RAID 0, 2 hard disks are pooled together. Disk
performance is very good, but the RAID system is vulnerable to
a single point of failure. If one of the 2 disks fails, the system is
destroyed and the data is lost.
■ RAID 1. This level provides enhanced security for your data
because the data is copied to both hard disks. This is also
known as hard disk mirroring. If one disk is destroyed, a copy
of its contents is available on the other disk.
■ RAID 5. RAID 5 is an optimized compromise between RAID 0
and RAID 1 in terms of performance and redundancy. The data
is distributed over the hard disks as with RAID 0, while one
partition saves a checksum of the written data.
If one hard disk fails, it must be replaced as soon as possible to
avoid the risk of losing data. If more than one hard disk fails at
the same time, the data on the disks is lost.

To create software RAID with YaST, do the following:

■ Partition your hard disks. For RAID 0 and RAID 1, at least 2
partitions on different disks are needed (RAID 1 requires 2
partitions; no more) RAID 5 requires at least 3 partitions. We
recommend that you use only partitions of the same size.

1-34 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Set up RAID. Select RAID in the YaST Expert Partitioner to

open a dialog to choose between the RAID levels 0, 1, and 5,
and then add partitions to the new RAID.
Choose a file system and a mount point for your RAID. By
changing the chunk size, you can fine tune the RAID
performance.
Select Persistent Superblock to ensure that the partitions are
recognized as RAID when booting.
After finishing the configuration, the RAID partitions appear in
the partition list of the Expert Partitioner.

Create Crypt File Partitions

By selecting Crypt File, you can create an encrypted file system

within a file. This file can be mounted and used like a normal
partition.

You can use a crypt file to securely store confidential data on your
computer.

We do not recommend that you create crypt files during the

installation process, as the file systems to create the crypt file on are
not yet available.

To create a crypt file, start the YaST Partitioning Module after the
installation process has finished.

Perform Expert Tasks

When you select Expert, the following options are available:

■ Reread the partition table. Resets the partition list to the
actual physical disk setup. All changes will be lost.
■ Import mount points from existing /etc/fstab. Scans the hard
disks for an /etc/fstab file. You can load this file and set the
mount points accordingly.

Version 1 Copying all or part of this manual, 1-35

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Delete partition table and disk label. Deletes the partition

table and the disk label of the selected hard disk. All data on
that disk will be lost.

When you finish configuring settings in the Expert Partitioner,

return to the installation proposal by selecting Next.

Select the Software

SLES 9 contains a number of software packages for various

application purposes. Instead of selecting needed packages one by
one, you can select from four system types with various installation
scopes.

Depending on the available disk space, YaST selects one of the

following predefined systems and displays it in the installation
proposal:
■ Minimal System. (only recommended for special purposes).
This includes the core operating system with various services,
but without any graphical user interface. Select this system type
for servers that require little direct user interaction.
■ Minimal Graphical System. (without KDE) If you do not want
the KDE desktop or if there is insufficient disk space, install
this system type. The installed system includes the X windows
system and a basic window manager. You can use all programs
that have a graphical user interface.
■ Default System (with KDE). This system type includes the
KDE desktop, most of the KDE programs, and the CUPS print
server. If possible, YaST selects this system type by default.
■ Full Installation This system type is includes all packages that
ship SLES 9, except those that create dependency conflicts.

1-36 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

You need to understand the following term to understand YaST

software management:
■ Package. An RPM file, which is available on the SLES 9
installation media. A package typically contains an application
and all additional files required to use the software.
Sometimes larger applications can be split into multiple
packages and several small applications can be bundled into a
single package.
■ Dependencies. Sometimes one software package needs another
one to run. These dependencies are stored in the RPM
packages. YaST can automatically select software packages
when another package requires them.

When you select Software in the installation proposal, a dialog

appears that lets you change the preselected system type to a
different one.

Select Detailed selection to start the YaST Package Manager:

Version 1 Copying all or part of this manual, 1-37

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

You can select the following options in this dialog to configure

software selections:
■ Filter. The Package Manager can display different views of the
available software packages. These views are displayed in the
area below the drop-down list and include the following:
■ Selection. Displays the packages in logical selections. All
packages in the selection can be installed by selecting the
check box.
■ Package Groups. Displays the packages in a hierarchical
tree view.
■ Search. Displays a search dialog to search for packages.
■ Installation Summary. Displays a summary of the
packages selected for installation.
■ Individual package list. Individual packages are listed on the
right side of the Package Manger window. The content of this
list depends on the filter selection.
You can install a package by selecting the check box for that
package.
Details for the currently selected package are displayed below
the package list.
■ Disk usage. The disk usage of the currently selected software
package is displayed in the lower left corner of the Package
Manager window.
■ Check Dependencies. Select this option to check the
dependencies of the selected packages. This check is also done
when you confirm the package selection dialog.
■ Autocheck. If this check box is selected, dependencies are
checked every time you select or deselect a package.

Confirm your package selection and return to the installation

proposal by selecting Accept.

1-38 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Configure the Boot Loader

During installation, YaST proposes a boot configuration for your

system. Normally, you should leave these settings unchanged.
However, if you need a custom setup, you can modify the proposal.

To change the configuration of the boot loader, select Booting in

the installation proposal to display the following:

This dialog lists the current boot loader configuration settings with
3 columns for each setting:
■ Ch. Indicates whether an entry has been changed.
■ Option. Displays the boot loader option.
■ Value. Displays the value of the option.

Version 1 Copying all or part of this manual, 1-39

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Below the list, there are several buttons:

■ Add. Adds an additional option.
■ Edit. Edits the selected option.
■ Delete. Deletes an option.
■ Reset. Provides the following options:
■ Propose New Configuration. Generates a new
configuration suggestion. Older Linux versions or other
installed operating systems are added to the boot menu.
■ Start from Scratch. Enables you to create the entire
configuration from scratch. No suggestions are generated.
■ Propose and Merge with Existing GRUB Menus. If
another Linux version is installed on the system, the boot
menu can be transfered from that installation. You cannot
do this if LILO is used as boot loader.

You can use Edit Configuration Files to edit the configuration files
in a text editor. When you finish, save your changes by selecting
OK.

For less experienced users, the configuration with YaST is easier

than editing the files directly. Select a boot loader option in the list
and select Edit to open a dialog to change the settings. Confirm the
changes and return to the Boot Loader Setup menu by selecting
OK.

The available options in the Boot Loader Setup dialog depend on

the boot loader used. The following introduces some options of the
default boot loader GRUB:
■ Boot Loader Type. Use this option to switch between GRUB
and LILO. You can also create a new configuration from
scratch or generate and edit a suggestion for a configuration.

1-40 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Boot Loader Location. Use this dialog to define where to

install the boot loader:
■ In the master boot record (MBR)
■ In the boot sector of the boot partition (if available)
■ In the the boot sector of the root partition
■ On a floppy disk
■ Use Others to manually specify a different location
■ Disk Order. If your computer has more than one hard disk,
specify the boot sequence of the disks as defined in the BIOS
setup of the machine.
■ Default Section. Sets the kernel or operating system that
should be booted by default. The selected system is booted after
a timeout. Select Edit to display a list of all boot menu entries.
Select an entry from the list and select Set as Default.
■ Available Sections. Lists all existing entries of the boot menu.
■ Activate Boot Loader Partition. Activates the partition whose
boot sector holds the boot loader.
■ Replace Code in MBR. Specifies whether to overwrite the
MBR. This might be necessary if you have changed the location
of the boot loader.
■ Back up Affected Disk Areas. Backs up the changed hard disk
areas.
■ Add Saved MBR to Boot Loader Menu. Adds the backed up
MBR to the Boot Loader menu.

Use Time-out to define how many seconds the boot loader should
wait for keyboard input before the default system is booted. You can
specify a number of other options with Add. However, these options
requires a thorough understanding of the boot loader and are not
covered here.

After finishing the boot loader configuration, return to the

installation proposal by selecting Finish.

Version 1 Copying all or part of this manual, 1-41

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Start the Installation Process

After customizing the installation proposal, select Accept. A dialog

appears asking you to confirm the proposal. Start the installation
process by selecting Yes, install; Return to the installation proposal
by selecting No.

Before installing software packages, YaST changes the hard disk

partitioning.

Depending on your software selection and the performance of your

system, the installation process takes 15–45 minutes.

During the installation, YaST asks you to change the installation

CDs. Insert the requested CD and continue the installation by
selecting OK.

After all software packages are installed, YaST reboots the

computer and lets you make configuration changes.

1-42 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Objective 2 Configure the SLES 9 Installation

In this part of the installation process, you use YaST perform the
following configuration tasks:
■ Set the root Password
■ Configure the Network
■ Test the Internet Connection
■ Perform an Online Update
■ Configure Network Services
■ Manage Users
■ Configure Hardware
■ Finalize the Installation Process

Set the root Password

root is the name of the superuser, the administrator of the system.

Unlike regular users, who might not have permission to do certain
things on the system, root has unlimited power to do anything,
including the following:
■ Access every file and device in the system
■ Change the system configuration
■ Install programs
■ Set up hardware

The root account should only be used for system administration,

maintenance, and repair. Logging in as root for daily work is risky:
a single mistake can lead to irretrievable loss of many system files.

Version 1 Copying all or part of this manual, 1-43

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

To let you set the root password during the installation process,
YaST displays the following dialog:

Enter the same password in both text fields of the dialog.

You should choose a password that cannot be guessed easily. Use

numbers, lowercase and uppercase characters to avoid wordbooks
(dictionary) attacks.

By selecting Expert Options, you can choose the password

encryption algorithm. In most cases, you use with the default
settings.

After entering the root password, continue to the next configuration

step by selecting Next.

1-44 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Configure the Network

To let you configure the network connection of your system, YaST

displays the following:

In the top part of the dialog, you can choose one of the following
options:
■ Skip Configuration. Skip the network configuration for now.
You can configure the network connection later in the installed
system.
■ Use Following Configuration. Use the network configuration
proposal displayed in the area below.

Version 1 Copying all or part of this manual, 1-45

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The network configuration proposal is similar to the installation

proposal at the beginning of the base installation, and includes the
following entries:
■ Network Interfaces. Displays the configuration of the network
interfaces (such as Ethernet or a Wireless-LAN adapter).
■ DSL Connections. Displays the the configuration of DSL
devices. These can be DSL modems connected with an Ethernet
adapter or internal DSL modems.
■ ISDN Adapters. Displays the configuration of ISDN devices.
■ Modems. Displays the configuration of analog modems.
■ Proxy. Displays the HTTP and FTP proxy settings.
■ VNC Remote Administration. Displays the configuration of
remote administration using VNC.

You can change a configuration by selecting the headline of the

entry or by selecting the entry from the Change drop-down list. This
menu lets you reset all settings to the defaults generated by YaST.

If you are not sure which settings to use, stay with the defaults
generated by YaST.

Configure Network Interfaces

After starting the network interface configuration, YaST displays a

general network configuration dialog. The top lists all network
cards which are detected but configured yet. Devices that could not
be detected are listed as Other (not detected).

The bottom part the dialog lists configured devices.

At this point, you can do one of the following:

■ Configure a Network Card Manually
■ Change an Existing Configuration

1-46 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Configure a Network Card Manually

If you want to configure a network card that was not automatically

detected, select Other (not detected) to display the following:

From this dialog, you can configure the following:

■ Device Type. Specifies the network device type and the device
number.
■ Kernel Module. If your network card is a PCMCIA or USB
device, select the corresponding check boxes and confirm
selecting Next.
Otherwise, select Select from List and select your network
card from the list. YaST automatically loads the appropriate
driver for the selected card. Confirm by selecting Next

Version 1 Copying all or part of this manual, 1-47

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Wireless Settings. If you are within the reach of a wireless

network and your network card is designed for this wireless
network type, select Wireless Settings to set the operating
mode, the network name (ESSID), the network identifier
(NWID), the encryption key, and a nickname.
After setting these options, confirm by selecting OK.

When you are finished with this dialog, select Next.

Change an Existing Configuration

After configuring a network card manually, or selecting an

automatically detected card, the Network Setup dialog appears with
the following options:
■ Automatic Address Setup (via DHCP). If your network has a
DHCP server, you can set up your network address
automatically. You should also use this option if you are using a
DSL line with no static IP address assigned by the ISP.
If you decide to use DHCP, you can configure the details after
selecting DHCP Client Options from the Advanced drop-down
list. Specify whether the DHCP server should always broadcast
its responses and any identifier to use.
By default, DHCP servers use the network card's hardware
address to identify an interface. If you have a virtual host setup
where different hosts communicate through the same interface,
an identifier is necessary to distinguish them.
■ Static Address Setup. If your have a static address, select the
corresponding check box. Then enter the address and subnet
mask for your network. The preset subnet mask should match
the requirements of a typical home network.
■ Host name and name server. Select this option to set the host
name and the name server manually.
■ Routing. Select this option to configure routing manually.

1-48 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Confirm the network device setup and return to the network device
overview by selecting Next. Then save the network device setup
and return to the network configuration proposal by selecting
Finish.

After finishing the the Network Configuration, select Next.

Test the Internet Connection

YaST then asks you to test your connection to the Internet. Select
one of the following options:
■ Yes, Test Connection to the Internet. YaST tries to test the
Internet connection by downloading the latest release notes and
checking for available updates.
If you select this option, the results are displayed on the next
dialog.
■ No, Skip This Test. Skip the connection test. If you skip the
test, you can't update the system during installation.

Select one of the options and select Next.

Perform an Online Update

If the Internet connection test was successful, you can select

whether to perform a YaST online update. If there are any update
packages available on the SUSE update servers, you can download
and install them now to fix known bugs or security issues.

To perform the software update, select Perform Update Now, and

then and select OK. YaST's online update dialog opens up with a
list of available patches (if any). Select the patches you want to
install, and then start the update process by selecting Accept.

You can also select Skip Update to perform the update later in the
installed system.

Version 1 Copying all or part of this manual, 1-49

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Configure Network Services

In the next installation step, YaST displays the Service

Configuration dialog.

In the top part of the dialog, you can choose one of the following
options:
■ Skip Configuration. Skip this configuration step. You can
enable the services later in the installed system.
■ Use Following Configuration. Use the automatically
generated configuration displayed below this option or select
one of the following headlines to change the configuration:
■ CA Management. The purpose of a CA (certificate
authority) is to guarantee a trust relationship among all
network services that communicate with each other.
If you decide that you do not want to establish a CA, you
must secure server communications using SSL and TLS
separately for each individual service.
By default, a CA is created and enabled during the
installation.
■ LDAP Server. You can run an LDAP service on your host
to have a central facility managing a range of configuration
settings. Typically, an LDAP server handles user account
data, but with SLES 9, you can also use LDAP for mail,
DHCP, and DNS related data.
By default, an LDAP server is set up during installation. If
you decide not to use an LDAP server, the YaST mail
server module does not work because it depends on LDAP.
However, you can still set up a mail server on your system
using the Mail Transfer Agent module.

If you are not sure about the correct settings, keep the defaults
generated by YaST. You can change the configuration later in the
installed system.

When you are finished, select Next.

1-50 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Manage Users

To manage users during this configuration step, do the following:

■ Select the Authentication Method
■ Add Users to the Systems

Select the Authentication Method

YaST displays the following dialog to configure the authentication

method:

You can selecting one of the following options:

■ NIS. If you have a NIS server in your network, you can
configure your system as a NIS client.

Version 1 Copying all or part of this manual, 1-51

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ LDAP. If you have an LDAP server in your network, you can

configure your system as an LDAP client. You can also use the
previously started LDAP server on the local host.
■ Local (/etc/passwd). Select this option to configure the system
to use the traditional file-based authentication method.

If you are not sure which method to select, stay with LDAP, which
is the default for SLES 9.

After selecting an authentication method, select Next.

Add Users to the Systems

Depending on which authentication method you select, you use one

of the following to add users to the system:
■ Configure the Host as a NIS Client
■ Configure the System as LDAP Client
■ Add Local Users

1-52 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Configure the Host as a NIS Client

If you chose NIS as the authentication method, the following

appears:

From this dialog ,you can setup your system as NIS client with the
following options:
■ NIS client. Select whether the host has a fixed IP address or is
assigned an IP address DHCP. If you select DHCP, you cannot
specify an NIS domain or an NIS server address manually,
because these are provided by the DHCP server.
If a static IP address is used, specify the NIS domain and the
NIS server manually.
To search for NIS servers broadcasting in the network, select
Find.
For each domain, select Edit to specify several server addresses
or enable the broadcast function on a per-domain basis.

Version 1 Copying all or part of this manual, 1-53

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Expert. Select this option to display the Expert Setting dialog.

Select Answer to the Local Host Only to prevent other
network hosts from being able to query which server your client
is using.
Select Broken Server to accept responses from servers on
unprivileged ports.
■ Start Automounter. If your NIS server provides information
about the automatic mounting of file systems (such as home
directories), you can start the automounter and use this
information for it.

After configuring the NIS client settings, select Finish.

Configure the System as LDAP Client

If you select LDAP as authentication method, the following

appears:

1-54 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

From this dialog, you can configure your system as an LDAP client.
The default configuration uses the locally installed LDAP server.

You can change the configuration with the following options:

■ LDAP client. You can configure the following:
■ LDAP base DN. Enter the search base on the server.
■ Addresses of LDAP Servers. Enter the address of the
LDAP server.
■ LDAP TSL/SSL . Select this option to encrypt the
communication with the LDAP server.
■ LDAP Version2. Select this option if your LDAP server
only support LDAP version 2. By default, LDAP version 3
is used.
■ Start Automounter. If your LDAP server provides information
about the automatic mounting of file systems (such as home
directories), you can start the automounter and use the
automount information for the LDAP server.
■ Advanced Configuration. Selecting this option to change
advanced LDAP settings.

If you are not sure how to configure the LDAP setting and you want
to use the locally installed LDAP server, keep the default settings.

When finished the LDAP configuration, select Next.

A dialog appears to add a user to the local LDAP server, which

includes the same fields at the Add local users dialog.

Version 1 Copying all or part of this manual, 1-55

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Add Local Users

If you select Local as the authentication method, the following

appears:

You can use the following in this dialog to add local users to the
system (account information is stored in the files /etc/passwd and /
etc/shadow):
■ User Data. Enter the full user name, the login name, and the
password.
To provide effective security, a password should be 5-8
characters long. The maximum length for a password is 128
characters. However, if no special security modules are loaded,
only the first eight characters are used to discern the password.
Passwords are case-sensitive. Special characters are allowed,
but they might be hard to enter depending on the keyboard
layout. Other special characters (such as 7-bit ASCII) and
numbers 0-9 are allowed.

1-56 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

■ Password Settings. Select this option to change advanced

password settings (such as password expiration). The default
settings are suitable in most cases.
■ Details. Select this option to edit details of the user account.
The default settings are suitable in most cases.
■ Receive System Mail. Select this option to forward all emails
to this user. Usually system notifications are only sent to the
root user.
■ Automatic Login. Select this option to enable automatic login
for this user. This option logs in the user automatically (without
requesting a password) when the system starts.
You should not enable this feature on a production system.
■ User Management. Select this option add more users (with the
YaST User Management module).

You can add other users later(after installation), but you should create at
least 1 user during installation so you don´t have to work as the user root
after the system has been set up.

After you enter all required information, select Next.

Version 1 Copying all or part of this manual, 1-57

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Configure Hardware

Next you configure the system hardware of the system from the
following:

The configuration proposal contains the following items:

■ Graphics Cards. Displays the graphic card and monitor setup.
■ Printers. Displays the printer and printer server settings.
■ Sound. Displays the configuration of the sound card.

To change the automatically generated configuration, select the

headline of the item you want to change, or select the corresponding
entry in the Change drop-down list.

You can also use the Change drop-down list to reset all settings to
the automatically generated configuration proposal.

1-58 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

You can skip the hardware configuration at this time and configure
your devices later in the installed system. However, if the settings of
the graphics card in the configuration proposal are not correct, you
should change them now to avoid problems during the first system
start.

Configure the Graphics Card

If you select the headline Graphics Cards, YaST starts the SaX2
configuration tool to configure the graphics card settings. The
following appears:

Version 1 Copying all or part of this manual, 1-59

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In the left navigation bar, the following main items are displayed:
■ Display. Configure your monitor, graphics card, color depth,
resolution, and the position and size of the screen.
■ Input Devices. Configure the keyboard, mouse, touchscreen
monitor, and graphics tablet.
■ Multihead. Configure multiple screens.
■ AccessX. Configure AccessX to control the mouse pointer with
the keyboard.

The first 3 items have subitems that are displayed on the right side
of the dialog, or you can access them by selecting the + character in
front of every item.

In most cases, you can use the automatically generated

configuration should be correct, although you might need to do the
following:
■ Change the Monitor Settings
■ Change the Color Depth and Resolution Settings

Change the Monitor Settings

If the installation does not detect your monitor, you can change the
monitor model.

Select Display on the left side of the dialog; then select Monitor on
the right side of the dialog. At the bottom of the dialog, change the
monitor settings by selecting Change Configuration.

1-60 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

On the next dialog, select Properties. The following appears:

The dialog has three pages:

■ Monitor-Model. Select your monitor model on this page. If
your model is not listed, you can also select one of the VESA or
LCD standard settings.
■ Frequencies. The frequency settings are usually determined by
the chosen monitor model. If those settings are not correct, you
can change them manually.
Make sure that the frequency settings are within the limits of your
monitor. Your monitor could be ruined if you use inappropriate
settings.

■ Expert. You can change some expert settings like the Modeline
Algorithm or the Display size.

Version 1 Copying all or part of this manual, 1-61

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

After selecting the correct monitor model, return to the overview by

selecting OK and Finish.

Change the Color Depth and Resolution Settings

You can change the color or resolution settings by selecting

Desktop and Color and Resolution.

From the next dialog, select Properties. The following appears:

The dialog provides the following pages:

■ Colors. Select the color resolution from the drop-down list.
■ Resolution(s). Select one or more resolutions from the list. The
graphic engine always starts with the highest selected
resolution. You can change to lower selected resolutions during
runtime.
■ Expert. You can add user defined resolutions to the Resolutions
list. This can be useful for nonstandard sized displays or
monitors.
Make sure that your monitor can handle all of the selected resolutions.
Otherwise your monitor could be ruined when the graphic engine starts up.

1-62 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Change the color and resolution settings; then return to the

configuration overview by selecting OK and Finish.

Select Finalize after making all changes. Confirm the next dialog
by selecting Test.

The X Server starts up and the following appears:

You can use this dialog to fine tune the X Server settings such as
changing the position and the size of the displayed area.

When you are done, select Save.

Version 1 Copying all or part of this manual, 1-63

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Finalize the Installation Process

Confirm your hardware settings by selecting Next, and then select

Finish. The system starts the graphical login screen, where you can
log in with your previously created user.

SLES 9 is installed on your system.

1-64 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Objective 3 Troubleshoot the Installation Process

SLES 9 has been installed and tested on many different machines
and hardware platforms. However, sometimes problems can occur.

The following table contains an overview of the most common

installation problems, possible causes, and solutions:

Problem Cause Solution

The system The system is Enter the BIOS setup of the
does not start not configured system and choose the CD or
from the to boot from the DVD drive as the first boot drive.
installation CD or DVD Read the system manual for
media. drive. details about the BIOS setup

The CD or DVD Try to boot a different system with

drive is SLES 9 CD 1. If it works, the CD
defective. or DVD drive of the actual system
might be defective.

The installation If the installation CD does not

CD or DVD is boot on a different system, the
defective. CD or DVD itself could be
defective. Contact your reseller to
exchange the SLES 9 CD or DVD
set.
The installation Your system Select Installation – ACPI
program does does not Disabled. If that doesn't fix the
not start. support newer problem, select Installation –
hardware Save Settings from the Boot
features menu of the CD or DVD.
correctly.
Your system Install at least 256 MB of main
has less than memory and start the installation
256 MB of main again.
memory.

Version 1 Copying all or part of this manual, 1-65

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Problem Cause Solution

The installation Your system Select Installation – ACPI
process stops. does not Disabled. If that doesn't fix the
support newer problem, select Installation –
hardware Save Settings from the Boot
features menu of the CD or DVD.
correctly.
The installation If the installation process also
CD or DVD is stops on a different system, the
defective. CD or DVD could be defective.
Contact your reseller to exchange
the SLES 9 CD or DVD set.
The network There is no If you configured your network
connection test DHCP server in card to use DHCP, assign a static
or Online the network. IP address and configure routing
Update fails. and DNS settings manually.
There is no Set the default gateway correctly.
route to the
Internet.
The system is Set the right proxy configuration
using the in the network configuration
wrong Proxy dialog.
settings.
You can also skip the connection
test and the Online Update and
perform an Online Update in the
installed system.
The graphical You are using Change to a text terminal and
login does not the wrong X11 change to run level 3. Start SaX2
appear after configuration. from the command line and
the installation correct the X11 configuration.
is completed. Change back to run level 5 to get
a graphical login screen.

1-66 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Exercise 1-1: Install SLES 9

In this exercise, you install SLES 9 by doing the following:

■ Part I: Boot From the Installation Media
■ Part II: Start the Installation Proposal
■ Part III: Create an Extra Partition for the /srv Directory
■ Part IV: Add Compiler and Development Tools to the Software
Selection
■ Part V: Start the Installation Process
■ Part VI: Set the root Password
■ Part VII: Set Up the Network
■ Part VIII: Set Up Services and Users
■ Part IX: Configure Hardware Devices
■ Part X: Configure NTP
■ Part XI: Update Your SLES 9 Server With YOU

Part I: Boot From the Installation Media

Do the following:
1. Turn on the computer.
2. Insert the SLES 9 CD 1 into the CD-ROM drive.
3. Reboot the computer by selecting the Reset button or
by pressing Ctrl+Alt+Del.
4. (Conditional) If your computer does not boot from the
CD-ROM drive, adjust the BIOS settings and reboot the
computer.
5. When the GRUB installation screen appears, select Installation
with the arrow keys and press Enter.

Version 1 Copying all or part of this manual, 1-67

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Part II: Start the Installation Proposal

Do the following
1. When YaST displays the Novell Software License
Agreement, select I Agree.
2. From the language selection dialog, select your language; then
select Accept.
Although you can select any available language, the exercises in this
manual are written for English US.

3. (Conditional) If an installation mode dialog appears, select New

installation; then select OK.
An Installation Proposal dialog appears.
4. Scroll down to and select Keyboard layout.
5. Select your keyboard layout; then select Accept.
You are returned to the Installation Proposal dialog.
6. Scroll down to and select Time zone.
7. Select your region; then select your time zone.
8. Make sure that the hardware clock is set to UTC; then select
Accept.

Part III: Configure the Partitions for Your Hard Drive

Do the following:
1. Change the partitioning settings by scrolling to and selecting
Partitioning.
2. Select Create custom partition setup; then select Next.
3. Select Custom partitioning -- for experts; then select Next.

1-68 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

4. Delete existing partitions:

a. From the Expert Partitioner dialog, check for any existing
partitions in the partition list.
b. If there are partitions, select the hard disk entry of the
corresponding partitions (such as hda or hdc).
c. Delete all existing partitions on the selected hard disk by
selecting Delete.
d. When you are asked to confirm the deletion, select Yes.
e. (Conditional) If there is more than one hard disk containing
partitions in the system, repeat Steps b, c, and d until only
the hard disk entries are left in the list.
5. Create a swap partition:
a. From the partition list, select the hard drive entry; then
select Create.
If you have more than one hard disk, select the larger disk.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +512M.
d. From the File system drop-down list, select Swap.
e. Add the swap partition by selecting OK.
6. Create the root partition:
a. Select the same hard disk you used for the swap partition;
then select Create.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +6GB.
d. Make sure that the following options are set:
• Reiser should be selected from the File system drop-
down list.
• / should be selected from the Mount Point
drop-down list.
e. Add the root partition by selecting OK.

Version 1 Copying all or part of this manual, 1-69

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

7. Create a partition for the directory /srv (used in the Apache and
Samba server exercises):
a. Select the same hard disk you used for the swap and root
partitions; then select Create.
b. Select Primary partition; then select OK.
Leave the size settings as suggested by YaST. The last
partition will use the rest of the available hard disk space.
c. Make sure that the File system drop-down list is set to
Reiser.
d. From the Mount Point drop-down list, select /srv.
e. Add the /srv partition by selecting OK.
8. Confirm the partitioning setup and return to the installation
proposal by selecting Next.

Part IV: Add Compiler and Development Tools to the

Software Selection

Do the following:
1. From the installation proposal dialog, scroll to and select
Software.
2. Select Detailed selection.
3. In the list on the left side of the package selection dialog, select
C/C++ Compiler and Tools.
4. Return to the installation proposal by selecting Accept.

Part V: Start the Installation Process

Do the following:
1. From the installation proposal, select Accept.
2. From the confirmation dialog, select Yes, install.
YaST asks you to change CDs during the installation process.

1-70 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

3. Insert the requested CD and select OK.

Part VI: Set the root Password

Do the following:
1. In the first field, enter novell.
2. In the second field, enter novell.
You are warned that the password is too simple.
3. Continue by selecting Yes.
You are warned that you are using only lowercase letters.
4. Continue by selecting Yes.
5. Continue by selecting Next.

Part VII: Set Up the Network

Do the following:
1. Request the following information for your computer from your
instructor:
• IP address:
• Network mask:
• Host name:
• Domain name:
• Name server:
• Default gateway:
2. From the Network Configuration proposal, select Network
Interfaces.

Version 1 Copying all or part of this manual, 1-71

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

3. Do one of the following:

■ If your network card appears in the Network cards to
configure list, select Configure; then select the first
detected network card and select Configure.
or
■ If your network card appears in the Already configured
devices list, select Change; then select your network card
and select Edit.
4. Select Static address setup.
5. In the IP Address field, enter your IP address.
6. In the Subnet mask field, enter your subnet mask.
7. Configure the host name and name server:
a. Select Host name and name server.
b. Enter your host name.
c. Enter your domain name.
d. In the Name Server 1 field, enter the IP address of the
name server.
e. Return to the Network setup dialog by selecting OK.
8. Configure routing:
a. Select Routing.
b. In the Default Gateway field, enter the IP address of the
default gateway.
c. Return to the Network setup dialog by selecting OK.
9. Return to the Network Configuration dialog by selecting Next.
10. Continue with the installation by selecting Finish; then select
Next.
11. From the Test Internet Connection dialog, select No, Skip This
Test; then select Next.

1-72 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Part VIII: Set Up Services and Users

Do the following:
1. From the Service Configuration dialog, accept the default
settings by selecting Next.
2. For the authentication method, select LDAP; then select Next.
3. Accept the defaults in the LDAP Client Configuration dialog
by selecting Next.
4. Add a user:
a. First Name: Geeko
b. Last Name: Novell
c. User Login: geeko
d. Password: N0v3ll (a zero, not an uppercase O)
e. Verify password: N0v3ll
5. Create the user by selecting Next.

Part IX: Configure Hardware Devices

Do the following:
1. From the Release Notes dialog, select Next.
2. Adjust the monitor settings:
a. Review the information displayed below the Graphics
Cards entry of the Hardware Configuration proposal.
Make sure that the monitor model, the resolution, and the
refresh rate are appropriate for your hardware.
b. (Conditional) If the settings are correct, select Next and
skip the following steps for monitor configuration and go to
Step 3.
c. If the automatically generated settings are not appropriate,
select Graphics Cards.

Version 1 Copying all or part of this manual, 1-73

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

d. From the left side of the dialog, change the monitor model
by expanding Desktop; then select Monitor.
e. Select Change configuration.
f. From the next dialog, select Properties.
g. From the left side, select your vendor; from the right side,
select your model.
h. (Conditional) If your model is not in the list, select one of
the generic LDC or VESA entries. (You can also enter the
frequencies manually on the Frequencies page of the
dialog).
i. Continue by selecting OK.
j. Select Finish.
k. Change the color and resolution settings by selecting
Color and Resolution on the left; then select Change
configuration.
l. From the next dialog, select Properties.
m. From the drop-down list, select your desired color
resolution.
n. From the Resolutions page, select your desired display
resolution (deselect all other resolutions).
o. Continue by selecting OK.
p. Select Finish.
q. Finish the monitor setup by selecting Finalize.
r. Test the new settings by selecting Test.
If the screen does not display properly, press
Ctrl+Alt+Backspace, then repeat the above steps to adjust
the selected settings.
s. Adjust Size and Position.
t. When you are finished, select Save; then select OK.
3. From the Hardware Configuration dialog, select Next.
4. Complete the installation process by selecting Finish.

1-74 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Part X: Configure NTP

Do the following:

1. When the GUI login screen appears, log in as geeko with a

password of N0v3ll.

2. From the KDE desktop, select the YaST icon; then enter a
password of novell and select OK.

3. From the YaST Control Center, select Network Services > NTP
Client.

4. Select When Booting System.

5. In the NTP Server field, enter 10.0.0.254.

6. Select Finish.

Part XI: Update Your SLES 9 Server With YOU

As a post-installation procedure, you want to make sure you have

updated your installation with the latest patches available from
Novell SUSE LINUX.

In this part of the exercise, you update your SLES 9 installation

using a YOU server available on DA1.

Do the following:
1. From the YaST Control Center, select Software > Online
Update.
The Welcome to YaST Online Update dialog appears.
2. From the Installation source drop-down list, select User-Defined
Location.
3. In the Location field, enter http://DA1/YOU.
4. Continue by selecting Next.

Version 1 Copying all or part of this manual, 1-75

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The YOU update dialog appears with all the patches available.
From this dialog you can filter the patch list view and select or
deselect the patches you want to install.
5. From YaST Online Update Patch list, make sure the Optional
patches (black) are deselected.
6. Make sure all the Security (red) and Recommended (blue)
patches are selected.
7. Continue by selecting Accept.
One or more warning messages appear.
8. For each warning message, select Install Patch.
YaST downloads and installs the patches.
9. When process is complete (or during the process), select
Remove Source Packages after Update.
10. When the patches have been installed, update the system
configuration by selecting Finish.
11. Reboot the X windows server by pressing Ctrl+Alt+Del; then
select Logout.
After rebooting, you are returned to the GUI login interface.
12. Select Menu > Shutdown.
13. Select Restart computer and enter a password of novell; then
select OK.
14. After the system reboots, log back in to the KDE desktop as
geeko with a password of N0v3ll.

(End of Exercise)

1-76 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Summary
The following is the summary of the objectives.

Objective Summary
1) Perform the SLES 9 Base In the base installation, the hard
Installation disks are prepared and the
software packages are installed.
The following tasks belong to the
base installation step:
■ Boot from the installation
media
■ Select the language
■ Select the installation mode
■ Understand and change the
installation proposal
■ Perform hard disk partitioning
■ Configure LVM devices
■ Change the software selection
■ Configure the boot loader
■ Launch the installation process

Version 1 Copying all or part of this manual, 1-77

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
2) Configure the SLES 9 Installation In the configuration step, you
customize and configure the
installed system.
The following tasks belong to the
configuration step:
■ Sett the root password
■ Configure the network
■ Test the Internet connection
■ Perform the Online Update
■ Configure Network Services
■ Manage Users
■ Configure Hardware
■ Finalize the Installation
Process

1-78 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Install SLES 9

Objective Summary
3) Troubleshoot the Installation SLES 9 has been installed and
Process tested on many different
machines and hardware
platforms. However, sometimes
installation problems can occur.
The problems can be caused by
the following reasons:
■ The system is not configured
to boot from the CD or DVD
drive.
■ The CD or DVD drive is
defective.
■ The installation CD or DVD is
defective.
■ The system does not support
newer hardware features
(ACPI) correctly.
■ There is no DHCP server in
the network.
■ There is no route to the
Internet.
■ You are using the wrong Proxy
settings.
■ You are using the wrong X11
configuration.

Version 1 Copying all or part of this manual, 1-79

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

1-80 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

SECTION 2 Configure the Network Manually

In this section, you learn how to configure network devices

manually. You also learn how to configure routing with command
line tools and how to save the network setup to configuration files.

Objectives
1. Understand Linux Network Terms
2. Set Up Network Devices with the ip Tool
3. Save Device Settings to a Configuration File
4. Set Up Routing with the ip Tool
5. Save Routing Settings to a Configuration File
6. Configure Host Name and Name Resolution
7. Test the Network Connection with Command Line Tools

Version 1 Copying all or part of this manual, 2-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
Although almost every step of a network configuration can be done
with YaST, it´s sometimes useful to configure the network settings
manually. For testing and troubleshooting, it´s much faster to
change the network setup from the command line.

2-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Objective 1 Understand Linux Network Terms

Before you can configure the network manually with ip, you need to
understand the following Linux networking terms:
■ Device. The network adapter built into the system. To use a
physical device, a software component creates an interface to
the device. This interface can be used by other software
applications.
■ The software component which creates the interface is also
called a driver.
In Linux, network interfaces use a standard naming scheme.
Interfaces to Ethernet adapters follow the naming scheme eth0,
eth1, eth2, and so on. For every adapter installed in the system,
an interface is created when the appropriate driver is loaded.
The command line tools for the network configuration use the
term device when they actually mean an interface. The term
device is used in this section for both physical devices and
software interfaces.
■ Link. The command line tool ip uses the term link to refer to
the connection of a device to the network.
■ Address. The IP address assigned to a device. The address can
be either an IPv4 or an IPv6 address. To use a device in a
network, you have to assign at least one address to it. However,
you can assign more than one address to a device.
■ Broadcast. The term broadcast refers the broadcast address of
a network. By sending a network packet to the broadcast
address, you can reach all hosts in the locally connected
network at the same time. When you assign an IP address to a
device, you can also set this broadcast address.
■ Route. The path an IP packet takes from the source to the
destination host. The term route also refers to an entry in the
routing table of the Linux kernel.

Version 1 Copying all or part of this manual, 2-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 2 Set Up Network Devices With the ip Tool

You normally configure a network card with YaST during or after
installation. You can use the tool ip to change the network card
configuration quickly from the command line.

Changing the network card configuration at the command line is

especially useful for test purposes; but if you want a configuration
to be permanent, you must save it in a configuration file. These
configuration files are generated automatically when you set up a
network card with YaST.

You can use ip to perform the following tasks:

■ Display the Current Network Configuration
■ Change the Current Network Configuration

You can enter /sbin/ip as a normal user to display the current network
setup only. To change the network setup, you have to be logged in as root.

Display the Current Network Configuration

With the ip tool, you can display the following information:

■ IP Address Setup
■ Device Attributes
■ Device Statistics

IP Address Setup

To display the IP address setup of all devices, use the following

command:
ip address show

2-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Depending on your network setup, you see information similar to

the following:
DA1:~ # ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host
lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu
1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:05:4b:98:85 brd
ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
inet6 fe80::230:5ff:fe4b:9885/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noqueue
link/sit 0.0.0.0 brd 0.0.0.0

The information is grouped by network devices. Every device entry

starts with a digit, called the interface index, with the device name
displayed below the interface index.

In the above example, there are 3 devices:

■ lo. The loopback device, which is available on every Linux
system, even when no network adapter is installed. Using this
virtual device, applications on the same machine can use the
network to communicate with each other.
For example, you can use the IP address of the loopback device
to access a locally installed web server by typing
http://127.0.0.1 in the address bar of your web browser.
■ eth0. The first Ethernet adapter of the computer in this
example. This is a physical device which is connected to the
local network. Ethernet devices are normally called eth0, eth1,
eth2, and so on.
■ sit0. This a special virtual device which can be used to
encapsulate IPv4 into IPv6 packets. It´s not used in a normal

Version 1 Copying all or part of this manual, 2-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

IPv4 network.

You always have the entries for the loopback and sit devices.
Depending on your hardware setup, you might have more Ethernet
devices in the ip output.

Several lines of information are displayed for every network device,

such as eth0 for the example above:
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu
1500 qdisc pfifo_fast qlen 1000

The most important information of the line in this example is the

device index (2) and the device name (eth0).

The other information shows additional attributes set for this device,
such as the hardware address of the Ethernet adapter
(00:30:05:4b:98:85):
link/ether 00:30:05:4b:98:85 brd
ff:ff:ff:ff:ff:ff

In the following line, the IPv4 setup of the device is displayed:

inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0

The IP address (10.0.0.2) follows inet, and the broadcast address

(10.0.0.255) after brd. The length of the network mask is displayed
after the IP address, separated by a /. The length is displayed in bits
(24).

The following lines show the IPv6 configuration of the device:

inet6 fe80::230:5ff:fe4b:9885/64 scope link
valid_lft forever preferred_lft forever

The address shown here is automatically assigned, even though

IPv6 is not used in the network that is connected with the device.
The address is generated from the hardware address of the device.

Depending on the device type, the information can differ. However,

the most important information (such as assigned IP addresses) is
always shown.

2-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Display Device Attributes

If you are only interested in the device attributes and not in the IP
address setup, you can use the following command:
ip link show

The command produces an output similar to the following:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500
qdisc pfifo_fast qlen 1000
link/ether 00:30:05:4b:98:85 brd
ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noqueue
link/sit 0.0.0.0 brd 0.0.0.0

The information is similar to the what you seen when entering

ip address show, but the information about the address setup is
missing. The device attributes are displayed in brackets right after
the device name.

The following is a list of possible attributes and their meanings:

■ UP. The device is turned on. It is ready to accept packets for
transmission and it´s ready to receive packets from the network.
■ LOOPBACK. The device is a loopback device.
■ BROADCAST. The device can send packets to all hosts
sharing the same network.
■ POINTOPOINT. The device is only connected to one other
device. All packets are sent to and received from the other
device.
■ MULTICAST. The device can send packets to a group of other
systems at the same time.

Version 1 Copying all or part of this manual, 2-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ PROMISC. The device listens to all packets on the network,

not only to those sent to the device's hardware address. This is
usually used for network monitoring.

Display Device Statistics

You can use the option -s with the command ip to display additional
statistics information about the devices. The command looks like
the following:
ip -s link show eth0

By giving the device name at the end of the command line, the
output is limited to one specific device. This can also be used to
display the address setup or the device attributes.

The following is an example of the information displayed for the

device eth0:
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500
qdisc pfifo_fast qlen 1000
link/ether 00:30:05:4b:98:85 brd
ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
849172787 9304150 0 0 0 0
TX: bytes packets errors dropped carrier
collsns
875278145 1125639 0 0 0 0

Two additional sections with information are displayed for every

device. Each of the sections has a headline with a description of the
displayed information.

The section starting with RX displays information about received

packets, and the section starting with TX displays information about
sent packets.

The sections display the following information:

■ Bytes. The total number of bytes received or transmitted by the
device.

2-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

■ Packets. The total number of packets received or transmitted by

the device.
■ Errors. The total number of receiver or transmitter errors.
■ Dropped. The total number of packets dropped due to a lack of
resources.
■ Overrun. The total number of receiver overruns resulting in
dropped packets.
■ As a rule, if a device is overrun, it means that there are serious
problems in the Linux kernel or that your computer is too slow
for the device.
■ Mcast. The total number of received multicast packets. This
option is supported by only a few devices.
■ Carrier. The total number of link media failures, because of a
lost carrier.
■ Collsns. The total number of collision events on Ethernet-like
media.
■ Compressed. The total number of compressed packets.

Change the Current Network Configuration

You can also use the ip tool to change the network configuration by
performing the following tasks:
■ Assign an IP Address to a Device
■ Delete the IP Address from a Device
■ Change Device Attributes

Version 1 Copying all or part of this manual, 2-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Assign an IP Address to a Device

To assign an address to a device, use a command similar to the

following:
ip address add 10.0.0.2/24 brd + dev eth0

In this example, the command assigns the IP address 10.0.0.2 to the

device eth0. The network mask is 24 bits long, as determined by the
/24 after the IP address. The brd + option sets the broadcast address
automatically as determined by the network mask.

You can enter the following command to verify the assigned IP

address:
ip address show dev eth0

The assigned IP address is displayed in the output of the command

line.

You can assign more than one IP address to a device.

Delete the IP Address from a Device

To delete the IP address from a device, use a command similar to

the following:
ip address del 10.0.0.2 dev eth0

In this example, the command deletes the IP address 10.0.0.2 from

the device eth0.

Use the following command to verify that the address was deleted:
ip address show eth0

2-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Change Device Attributes

You can also change device attributes with the ip tool. The
following is the basic command to set device attributes:
ip link set <device> <attribute>

The possible attributes are described in “Display Device Attributes.”

The most important attributes up and down. By setting these
attributes, you can enable or disable a network device.

To enable a network device (such as eth0), enter the following

command:
ip link set eth0 up

To disable a network device (such as eth0), enter the following

command:
ip link set eth0 down

Version 1 Copying all or part of this manual, 2-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 3 Save Device Settings to a Configuration File

All device configuration changes you make with ip are lost when
the system is rebooted. To restore the device configuration
automatically when the system is started, the settings need to be
saved in configuration files.

The configuration files for network devices are located in the

directory /etc/sysconfig/network.

If the network devices are set up with YaST, one configuration file
is created for every device.

For Ethernet devices, the filenames consist of ifcfg-eth-id- and the

hardware address of the device. For a device with the hardware
address 00:30:05:4b:98:85, the filename would be ifcfg-eth-id-
00:30:05:4b:98:85.

We recommended that you set up a device with YaST first and make
changes in the configuration file. Setting up a device from scratch is
a very complex task, because the hardware driver also needs to be
configured manually.

If you have more than one network adapter in your system, it might
be difficult to find the corresponding configuration file for a device.

You can use the command ip link show to display the hardware
address for each Ethernet device. Because the hardware address is
part of the file name, you can identify the right configuration file.

The content of the configuration files depends on the configuration

of the device. To change the configuration file, you need to know
how to do the following:
■ Configure a Device Statically
■ Configure a Device Dynamically With DHCP
■ Start and Stop Configured Devices

2-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Configure a Device Statically

The content of a configuration file of a statically configured device

is similar to the following:
BOOTPROTO='static'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'
BROADCAST='149.44.171.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'

The configuration file includes several lines. Each line has an

option and a value assigned to that option, and is shown and then
explained below.
BOOTPROTO='static'

The option BOOTPROTO determines the way the device is

configured. There are 2 possible values:
■ Static. The device is configured with a static IP address.
■ DHCP. The device is configured automatically with an DHCP
server.
MTU=''

You can use the MTU option to specify a value for the MTU
(Maximum Transmission Unit). If you don´t specify a value, the
default value is used. For an Ethernet device, the default value is
1500 bytes.
REMOTE_IPADDR=''

You need to set the value for the REMOTE_IPADDR option only
if you are setting up a point-to-point connection.

Version 1 Copying all or part of this manual, 2-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

STARTMODE='onboot'

The STARTMODE option determines how the device is started.

The option can include following values:
■ onboot. The device is started at boot time.
■ manual. The device must be started manually.
■ hotplug. The device is started when it´s plugged in if your
system offers PCI hotplugging.
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'

These 2 lines contain options added by YaST when the device is

configured. They don´t affect the network configuration itself.
BROADCAST='149.44.171.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'

These 4 lines contain the options for the network address

configuration. The options have the following meaning:
■ BROADCAST. The broadcast address of the network.
■ IPADDR. The IP address of the device.
■ NETMASK. The network mask.
■ NETWORK. The address of the network itself.

The file /etc/sysconfig/network/ifcfg.template contains a template

that you can use as a base for device configuration files.

Configure a Device Dynamically With DHCP

If you want to configure a device by using a DHCP server, you set

the BOOTPROTO option to dhcp as shown in the following:
BOOTPROTO='dhcp'

2-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

When the device is configured by using DHCP, you don´t need to

set any options for the network address configuration in the file. If
there are any settings, they are overwritten by the settings of the
DHCP server.

Start and Stop Configured Devices

To apply changes to a configuration file, you need to stop and

restart the corresponding device. You can do this with the
commands ifdown and ifup.

For example, the following ifdown command disables the device

eth0:
ifdown eth0

The following ifup command enables eth0 again:

ifup eth0

When the device is restarted, the new configuration is read from the
configuration file.

Version 1 Copying all or part of this manual, 2-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 4 Set Up Routing With the ip Tool

You can use the ip tool to configure the routing table of the Linux
kernel. The routing table determines the path IP packets use to reach
the destination system.

Because routing is a very complex topic, this objective only covers the
most common routing scenarios.

You can use the ip tool to perform the following tasks:

■ View the Routing Table
■ Add Routes to the Routing Table
■ Delete Routes From the Routing Table

View the Routing Table

To view the current routing table, use the following command:

ip route show

For most systems, the output looks similar to the following:

10.0.0.0/24 dev eth0 proto kernel scope link src \
10.0.0.2
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 10.0.0.1 dev eth0

Every line represents an entry in the routing table. Each line in the
example is shown and explained below:
10.0.0.0/24 dev eth0 proto kernel scope link src \
10.0.0.2

This line represents an the route for the local network. All network
packets to a system in the same network are sent directly through
the device eth0.

2-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

169.254.0.0/16 dev eth0 scope link

This line shows a network route for the 169.254.0.0 network. Hosts
can use this network for address auto configuration.

SLES 9 automatically assigns a free IP address from this network

when no other device configuration is present. The route to this
network is always set, especially when the system itself has no
assigned IP address from that network.
127.0.0.0/8 dev lo scope link

This is the route for the loopback device.

default via 10.0.0.1 dev eth0

This line is the entry for the default route. All network packets that
cannot be sent according to the previous entries of the routing table
are sent through the gateway defined in this entry.

Depending on the setup of your machine, the content of the routing

table varies. In most cases, you have at least 2 entries in the routing
table:
■ One route to the local network the system is connected to.
■ One route to the default gateway for all other packets.

Add Routes to the Routing Table

The following are the most common tasks you do when adding a
route:
■ Set a Route to the Locally Connected Network
■ Set a Route to a Different Network
■ Set a Default Route

Remember to substitute your own network and gateway addresses when

using the following examples in a production environment.

Version 1 Copying all or part of this manual, 2-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Set a Route to the Locally Connected Network

The following command sets a route to the locally connected

network:
ip route add 10.0.0.0/24 dev eth0

This system in this example is in the 10.0.0.0 network. The network

mask is 24 bits long (255.255.255.0). All packets to the local
network are sent directly through the device eth0.

Set a Route to a Different Network

The following command sets a route to different network:

ip route add 149.44.171.0/24 via 10.0.0.100

All packets for the network 149.44.171.0 are sent through the
gateway 10.0.0.100.

Set a Default Route

The following command sets a default route:

ip route add default via 10.0.0.1

Packets that cannot be sent according to previous entries in the

routing table are sent through the gateway 10.0.0.1

Delete Routes from the Routing Table

To delete an entry from the routing table, use a command similar to

the following:
ip route delete 149.44.171.0/24 dev eth0

This command deletes the route to the network 149.44.171.0

assigned to the device eth0.

2-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Objective 5 Save Routing Settings to a Configuration File

Routing settings made with the ip tool are lost when you reboot
your system. Settings have to be written to configuration files to be
restored at boot time.

Routes to the directly connected network are automatically set up

when a device is started. All other routes are saved in the
configuration file /etc/sysconfig/network/routes.

The following shows the content of of a typical configuration file:

149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85
default 10.0.0.8 - -

Each line of the configuration file represents an entry in the routing

table. Each line is shown and explained below.
149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85

All packets sent to the network 149.44.171.0 with the network mask
255.255.255.0 are sent through the gateway 10.0.0.100 through the
device with the id eth-id-00:30:05:4b:98:85. The id is the same as
used for the device configuration file.
Default 10.0.0.8 - -

This entry represents a default route. All packets that are not
affected by the previous entries of the routing table are sent through
the gateway 10.0.0.8. It´s not necessary to fill out the last 2 columns
of the line for a default route.

To apply changes to the routing configuration file, you need to

restart the affected network device with the ifdown and ifup
commands.

Version 1 Copying all or part of this manual, 2-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 6 Configure Host Name and Name Resolution

The host name and the name resolution can also be set up manually.
In this objective, you learn how to do the following:
■ Set the Host and Domain Name
■ Configure Name Resolution

Set the Host and Domain Name

The host name is configured in the file /etc/HOSTNAME.

The content of the file is similar to the following:

da2.digitalairlines.com

The file contains the fully qualified domain name of the system, in
this case, da2.digitalairlines.com

Configure Name Resolution

The name resolution is configured in the file /etc/resolv.conf.

The content of the file is similar to the following:

search digitalairlines.com
nameserver 10.0.0.1
nameserver 10.10.0.1
nameserver 10.0.10.1

The file contains 2 types of entries:

■ search. The domain name in this option is used to complete
incomplete host names. For example, if you look up the host
name da3, the name is automatically completed to the fully
qualified domain name da3.digitalairlines.com.
■ nameserver. Every entry starting with nameserver is followed
by an IP address of a name server. You can configure up to 3
name servers. If the first name server fails, the next one is used.

2-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Objective 7 Test the Network Connection With Command

Line Tools
After the network is configured, you might want to test the network
connection by doing the following:
■ Use ping to Test Network Connections
■ Use traceroute to Trace Network Packets

Use ping to Test Network Connections

The tool ping lets you check network connections in a simple way
between two hosts. If the ping command works, then both the
physical and logical connections are correctly set up between the 2
hosts.

The ping command sends special network packets to the target

system and waits for a reply. In the simplest scenario, you enter ping
with an IP address:
ping 10.0.0.1

You can also use the host name of the target system instead of an IP
address. The output of ping looks similar to the following:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=60 time=2.95
ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=60 time=2.16
ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=60 time=2.18
ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=60 time=2.08
ms

Each line of the output represents a packet sent by ping. Ping keeps
sending packets until it´s terminated by pressing Ctrl+C.

Version 1 Copying all or part of this manual, 2-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The output displays the following information:

■ The size of an ICMP datagram (64 bytes).
■ The IP address of the target system (from 10.0.0.1).
■ The sequence number of each datagram (seq=1).
■ The TTL (TTL, time to live) of the datagram (ttl=60).
■ The amount of time that passes between the transmission of a
packet and the time a corresponding answer is received
(time=2.95 ms). This time is also called the Round Trip Time.

If you get an answer from the target system, you can be sure that the
basic network device setup and routing to the target host works.

The following table provides some options for ping you can use for
advanced troubleshooting:

Option Descriptions
-c count The number of packets to be sent. After this
number has been reached, ping is terminated.
-I device_addr Specifies the network device to be used on a
computer with several network devices.
-i seconds Specifies the number of seconds to wait between
individual packet shipments. The default setting is
1 second.
-f (Flood ping) Packets are sent one after another at
the same rate as the respective replies arrive.
Only root can use this option. For normal users
the minimum time is 200 milliseconds.
-l preload Sends packets without waiting for a reply.
-n The numerical output of the IP address. Address
resolutions to host names are not carried out.
-t ttl Sets the Time To Live for packets to be sent.

2-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Option Descriptions
-w maxwait Specifies a timeout in seconds, before ping exits
regardless of how many packets have been sent
or received.
-b Sends packets to the broadcast address of the
network.

Use traceroute to Trace Network Packets

The diagnosis tool traceroute is primarily used to check the routing

between different networks. To achieve this task, traceroute sends
packets with an increasing TTL value to the destination host,
whereby three packets of each value are sent.

Traceroute also uses UDP packets, which are called datagrams.

First, three datagrams with a TTL=1 are sent to the host, then three
packets with a TTL=2, and so on. The TTL of a datagram is reduced
by one, every time it passes through a router.

When the TTL reaches zero, the datagram is discarded and a

message is sent to the sender. Because the TTL is increased by one
every three packets, traceroute can collect information about every
router on the way to the destination host.

You normally include a host name with the traceroute command:

traceroute pluto.example.com

It´s also possible to use an IP address instead of the host name. The
output of traceroute looks similar to the following:
traceroute to pluto.example.com (192.168.2.1), 30
hops max, 40 byte packets
1 sun.example.com (192.168.0.254) 0 ms 0 ms 0 ms
2 antares.example.com (192.168.1.254) 14 ms 18 ms 14
ms
3 pluto.example.com (192.168.2.1) 19 ms * 26 ms

Version 1 Copying all or part of this manual, 2-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The first line of the output displays general information about the
traceroute call. Each of the lines that follow represents a router on
the way to the destination host. Every router is displayed with the
host name and IP address.

Traceroute also displays information about the round trip times of

the 3 datagrams returned by every router. The last line of the output
represents the destination host itself.

2-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Exercise 2-1: Configure the Network Manually

In this exercise, you configure the network manually by doing the

following:
■ Part I: Note the Current Network Configuration
■ Part II: Delete the Current Network Setup with YaST
■ Part III: Configure the Network Manually
■ Part IV: Save the Network Connection to a File

Part I: Note the Current Network Configuration

Do the following:
1. Make sure you are logged in to the KDE Desktop as geeko with
a password of N0v3ll.
2. Open a terminal window and su (switch user) to root.
3. Enter ip address show eth0.
4. Find the line starting with inet, and record the IP address with
the subnet mask displayed in that line:

5. Enter ip route show.

6. Find the line starting with default and record the gateway IP
address of the gateway:

7. Enter ip link show eth0.

8. Find the line starting with link/ether and record the hardware
address of the device:

9. Change to the /etc/sysconfig/hardware directory by entering the

following:
cd /etc/sysconfig/hardware

Version 1 Copying all or part of this manual, 2-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

10. Enter ls -al; then look for one of the following files (depending
on your hardware configuration):
■ hwcfg-id-ethernet_controller_address
■ or
■ hwcfg-bus-pci-ethernet_controller_address
11. Record the name of the file:

12. Display the contents of the file by entering one of the

following:
■ cat hwcfg-id-ethernet_controller_address
■ or
■ cat hwcfg-bus-pci-ethernet_controller_address
13. Record the following parameters:
■ MODULE=
■ MODULE_OPTIONS=
■ STARTMODE=
You use these parameters and the hwcfg filename in Part IV to
manually create the file.

Part II: Delete the Current Network Setup with YaST

Do the following:
1. Start YaST and select Network Devices > Network Card.
2. In the lower part of the dialog, select Change.
3. Select the network device; then select Delete.
4. Select Finish.

2-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

5. From the terminal window (as root), enter

rm /etc/sysconfig/network/routes.
6. Verify that the network connection is not working any more by
entering ping www.novell.com.

Part III: Configure the Network Manually

Do the following:
1. In the terminal window enter the following command:
ip address add your_ip_address/24 brd + dev eth0
2. To activate the network device, enter ip link set eth0 up.
3. To set a route to the local network enter the following:
ip route add 10.0.0.0/24 dev eth0
4. To set the default route enter the following:
ip route add default via gateway_ip_address
5. Verify that the network connection is working again by entering
ping www.novell.com.

If you are having problems with the network interface, you might need
to delete the network card configuration with YaST, save the change,
and then re-configure the network card with YaST.

This can happen if you have 2 network cards installed in your

computer.

Part IV: Save the Network Connection to Interface and

Hardware Configuration Files

Do the following:
1. From the terminal window, change to the directory
/etc/sysconfig/network.

Version 1 Copying all or part of this manual, 2-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

2. Make a copy of the network configuration template by entering

the following:
cp ifcfg.template ifcfg-eth-id-device_hardware_address
3. Open the copied file (ifcfg-eth-id-device_hardware_address)
with the vi editor.
4. Find the following options and enter the indicated values:
■ STARTMODE='onboot'
■ BOOTPROTO='static'
■ IPADDR='your_ip_address/24'
5. Save the file and exit vi (:wq).
6. Change to the directory /etc/sysconfig/hardware.
7. Create one of the following files with vi and enter the
parameters you recorded in Part I of this exercise:
■ hwcfg-id-ethernet_controller_address
■ or
■ hwcfg-bus-pci-ethernet_controller_address
8. When you finish, save the file and exit the editor.
9. Change to the /etc/sysconfig/network directory.
10. Create a new file with vi called routes.
11. Add the the following line to the file:
default default_gateway_ip_address - -
12. Save the file and exit vi.
13. Reboot your system (init 6) and log in as geeko with a
password of N0v3ll.
14. From a terminal window, verify that the network configuration
is loaded correctly by entering ping www.novell.com.

(End of Exercise)

2-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Summary
The following is the summary of the objectives.

Objective Summary
1. Understand Linux Network The following terms are used for
Terms the Linux network configuration:
■ Device
■ Interface
■ Link
■ Address
■ Broadcast
■ Route

2. Set Up Network Devices with You can perform the following

the ip Tool tasks with the ip tool:
■ Display the IP address setup
ip address show
■ Display device attributes
ip link show
■ Display device statistics
ip -s link show
■ Assign an IP address to a
device
ip address add <IP
address>/<netmask> brd + dev
<device name>
■ Delete an IP address of a
device
ip address del <IP address> dev
<device name>
■ Change device attributes
ip link set <device name>
<attribute>

Version 1 Copying all or part of this manual, 2-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
3. Save Device Settings to a ■ The configuration files for
Configuration File network devices are located
in /etc/sysconfig/network.
■ For Ethernet devices, the file
names consist of ifcfg-eth-id-
and the hardware address of
the device.
■ For a statically configured
device ,at least the following
options need to be set:
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2/24'
■ For devices configured with
DHCP, the BOOTPROTO
option needs to be changed as
follows:
BOOTPROTO='dhcp'
■ Configured devices can be
enabled with ifup device name
and disabled with ifdown
device name.

4. Set Up Routing with the ip You can perform the following

Tool tasks with the ip tool:
■ View the routing table
ip route show
■ Add routes to the routing table
ip route add
<network>/<netmask> dev
<device name>
■ Delete routes from the routing
table
ip route del
<network>/<netmask> dev
<device name>

2-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure the Network Manually

Objective Summary
5. Save Routing Settings to a The configuration for routing table
Configuration File is located in the file
/etc/sysconfig/network/routes.
Each line represents an entry of
the routing table and has the
following columns:
■ Destination network address
■ Gateway address
■ Netmask
■ Device id
Default routes use default instead
of the network address and does
not require a netmask or device
id.
6. Configure Host Name and The host name is configured in
Name Resolution the file /etc/HOSTNAME.
The name resolution is
configured in the file
/etc/resolv.conf.
One line specifies the search
domain; the others list up to three
available name servers.

Version 1 Copying all or part of this manual, 2-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
7. Test the Network Connection Two command line tools are
with Command Line Tools available to test the network
connection:
■ ping
ping hostname
With ping you can test
whether another host is
reachable in the network.
■ traceroute
traceroute hostname
With traceroute you can test
the routing in the network.

2-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

SECTION 3 Configure Network Services

In this section, you learn how to configure four of the most

important network services shipped with SLES 9 (BIND,
OpenLDAP, Apache, Samba).

Objectives
1. Configure a DNS Server Using BIND
2. Deploy OpenLDAP on a SLES 9 Server
3. Configure an Apache Web Server
4. Configure a Samba Server as a File Server

Version 1 Copying all or part of this manual, 3-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
In this section you learn how to install and configure four of the
most popular Linux network services at the command line:
■ BIND
■ OpenLDAP
■ Apache
■ Samba

Because configuring the services can be very complex, this section

covers only the basic functionality of the services.

The configuration is covered at the command-line level to show you

a more direct way to manipulate the behavior of the services.

The services as described in this section should be used within an

internal network. You should make the services accessible from the
Internet only if you have sufficient knowledge about network
security.

3-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Objective 1 Configure a DNS Server Using BIND

The Domain Name System (DNS) is one of the most important
network services. Without DNS, it would be difficult, if not
impossible, to work with networked computers.

To configure a DNS server (also called a name server) using the

most popular software BIND (Berkeley Internet Name Domain) you
need to do the following:
 Understand the Domain Name System
 Install and Configure the BIND Server Software
 Configure a Caching-Only Name Server
 Configure a Master Server for Your Domain
 Configure One or More Slave Servers
 Configure the Client Computers to Use the DNS Server
 Understand How to Query DNS Servers Using Command Line
Tools
 Find More Information About DNS

Version 1 Copying all or part of this manual, 3-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Understand the Domain Name System

To understand the basics of name resolution with DNS, you need to

know the following:
■ How Name Resolution Worked in the Early Days of the Internet
■ The Internet Domain Concept
■ How Name Servers Work
■ How to Query DNS

How Name Resolution Worked in the Early Days of the

Internet

Computers communicate with each other by using IP addresses, but

for humans it is more simple to address a computer by using its
name. This requires some kind of conversion that provides
computers with IP addresses when a user enters a computer name.

In the early days of the Internet, when there were relatively few
computers connected to each other, a file was maintained at the
Network Information Centre (NIC) of the Stanford Research
Institute in California that provided exactly this conversion.

Whenever system administrators added a new computer to the

Internet or changed the name of an already connected computer,
these changes were sent by email to the SRI-NIC where they were
written to a file called hosts.txt.

Every system administrator worldwide had to copy this file by FTP

and distribute it to all computers for which he was responsible.

In 1984, Paul Mockapetris created a powerful solution: the

Domain Name System (or DNS). DNS is a distributed database
system that allows local administration of areas and guarantees
unique computer names worldwide. Its hierarchical structure is very
similar to the tree structure of the Linux file system.

3-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The Internet Domain Concept

DNS consists of several domains that can be divided into

subdomains. The top level of this structure is the root domain. It is
represented simply by a dot (“.”).

There are over 13 computers worldwide that act as root name

servers. In the first layer beneath the root domain contains the top
level domains (TLDs).

In the early days of DNS there were 7 TLDs:

■ .com for commercial institutions (such as novell.com and
suse.com)
■ .edu for educational institutions and research institutes (such as
harvard.edu and stsci.edu)
■ .gov for institutions of the U.S. government (such as nasa.gov
and whitehouse.gov)
■ .int for international institutions (such as un.int and ecb.int)
■ .mil for military institutions (such as army.mil and navy.mil)
■ .net for institutions that provide and manage network
infrastructure (such as internic.net and att.net)
■ .org for noncommercial institutions (such as eso.org andeff.org)

.arpa was used as a TLD, while the ARPAnet transferred from host
files to DNS. All computers from the ARPAnet were later put into
the other TLDs. The .arpa TLD still has a special meaning which
will be explained later in this section.

These TLDs are also known as generic TLDs. Other TLDs for
individual countries were defined, such as .de for Germany, .uk for
the United Kingdom, and .ch for Switzerland.

Recently, TLDs such as .info or .biz have become operational. Each

of these TLDs is administered by its own institution (the Network
Information Center or NIC).

Version 1 Copying all or part of this manual, 3-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Part of the Internet namespace is shown in the following:

The complete computer name or fully qualified domain name

(FQDN) is made from the actual computer name, the domain name,
and the name of the TLD (one or more subdomains might be
included).

Examples of FQDNs are ns.suse.de, www.astro.physik.uni-

goettingen.de and mail.novell.com. To be precise, all these names
end with a dot (such as ns.suse.de) indicating the root domain. But
as a rule the dot normally is not used.

Understand How Name Servers Work

Domains are administered locally instead of using a global

authority. Each domain has its own administration point (in practice,
many domains are administered from one location).

For each domain there is one DNS server (or name server) defined
as being “in charge” of its domain. This server is known as the
master server, and it is the authority for this domain (providing
authoritative answers).

3-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

This authoritative information is important because DNS servers

also temporarily store information on other domains in a cache and
can pass this information on, with the note that it is a non-
authoritative answer.

There are other DNS servers called slave servers for the domain
that distribute the load and serve as backups. Slave servers keep a
copy of the information on the master server and update this
information at regular intervals. This update is called zone transfer.

The following describe the DNS server types available:

Server Type Responsibility

Master server Has the main responsibility for a
domain. Gets its data from local
files.
Slave server Gets its data from the master server
using zone transfer.
Caching-only server Queries data from other DNS
servers and stores the information in
the cache until its expiration date. All
replies are nonauthoritative.
Forwarding server All queries the server cannot answer
authoritatively are forwarded to other
DNS servers.

Version 1 Copying all or part of this manual, 3-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Understand How to Query DNS

Various programs are involved in processing a request to the DNS

database. The first is the resolver. This is a set of library routines
used by various programs.

The resolver makes a request to a DNS server, interprets the answer

(real information or error message), and sends back this information
to the program that called it up.

If the DNS server receives a request from a resolver, one of 2 things

happens:
■ If the DNS server is the authority for the requested domain, the
DNS server provides the required information to the resolver
(the authoritative answer).
or
■ If the DNS server is not the authority for the required domain,
the DNS server queries the responsible authority for the request
domain and gives the result to the resolver.
The data is stored in the cache of the DNS server. If there is
another request for this data later, the DNS server can provide it
immediately (a non-authoritative answer). All data has a
timestamp, and information is deleted from the cache after a
certain time.

Assume that your DNS server wants to find the IP address of the
computer www.suse.de. To do this, the DNS server first makes a
request to one of the DNS servers of the root domain.

Each DNS server knows the authorities responsible for the TLDs.
The address for each authority required is passed onto the
requesting DNS server. For www.suse.de, this is a DNS server for
the TLD .de, that is, the computer dns2.denic.de.

Our DNS server then asks this for the authority for the domain
suse.de and as an answer is given the computer ns.suse.de.

3-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

In a third step this DNS server is queried, and as an answer gives

the IP address of the SUSE web server. This answer is returned by
our DNS server to the requesting resolver.

This procedure is illustrated in the following figure:

The DNS servers for the root domain play a very important role in
name resolution. In order to alleviate the server load due to queries,
every DNS server stores the information received from other names
servers in its cache.

When queries are made, this information is sent without querying

the root DNS server anew. However, root DNS servers are very
busy despite this caching mechanism. Several thousand queries per
second are nothing unusual.

Version 1 Copying all or part of this manual, 3-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Install and Configure the BIND Server Software

To run a DNS server, you need to install the following packages:

■ bind. The BIND server software (version 9 in SLES 9)
■ bind-utils. Utilities to query and test BIND (included in
standard installation)

Before starting the DNS server, you have to make some basic
configuration changes. After finishing your configuration, you can
start the server using the following command:
rcnamed start

To stop a running server, use the following command:

rcnamed stop

To have the DNS server start automatically at boot time, use the
following command:
insserv named

This creates the necessary links in the runlevel directories.

Configure a Caching-Only DNS server

A caching-only DNS server does not manage its own databases but
merely accepts queries and forwards them to other DNS servers.
The supplied replies are saved in the cache.

A caching-only DNS server can be used on a workstation or a

gateway that has access to an external DNS server.

The DNS server configuration is defined in the file

/etc/named.conf. You can use the example file that is installed with
the DNS package as a configuration file for a caching-only server.

3-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The following example shows a simple configuration:

#
# /etc/named.conf: Configuration of the name server
(BIND9)
#
# Global options
#
options
{
#
# In which directory are the database files?
#
directory "/var/lib/named";
};

The global options are defined in the options block at the beginning
of the file. The directory containing the database files (or zone files)
is listed. Normally, this is /var/lib/named/.

All filenames that follow the /var/lib/named directory refer to the

directory. The directory is created when installing the server
package. It contains several preconfigured files. Other options can
also be defined in this file.

The Global options are followed by the definition of the database

files for the domains managed by the DNS server. Several entries
are needed for basic DNS server functions such as those provided
by a caching-only server.

Three entries are needed for every DNS server:

■ The entry for root DNS servers (not needed for BIND 9
because it has the list of root DNS servers compiled into the
software).
■ The forward resolution for localhost
■ The reverse resolution for the network 127.0.0.0 (localhost)

Version 1 Copying all or part of this manual, 3-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following are examples of these entries:

## entry for root nameservers#
zone "." in { type hint;
file "root.hint";
};

#
# forward resolution for localhost
#
zone "localhost" in {
type master;
file "localhost.zone";
};

#
# reverse resolution for localhost
#
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

The zone entry for the root DNS servers contains a reference to a
file containing the addresses of the root DNS servers. This file
(root.hint) is generated in the directory /var/lib/named/ during the
installation of the package bind.

The 2 files for the resolution of localhost are also generated during
the installation. The structure of these files is explained later.

These entries are used to forward queries to the DNS server directly
to the responsible DNS servers. However, this resolution method
can be very slow. This problem can be solved by using forwarders.

The DNS server has the addresses of other DNS servers in case it
cannot resolve a host name itself. You might be able to use the DNS
servers of an Internet provider for this purpose, as they usually have
a lot of information in their cache.

You can define these DNS servers in the options block in the file
/etc/named.conf, as in the following:

3-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

options
{
directory "/var/lib/named";

forwarders
{
10.0.0.254;
};
};

You can enter up to 3 DNS server addresses. Queries that cannot be

resolved by the local DNS server are forwarded to one of the
specified DNS servers.

If these DNS servers cannot be reached, the queries are sent directly
to the root DNS servers.

Configure a Master Server for Your Domain

The following are the tasks you need to do to configure a master

DNS server for your domain:
■ Adapt the Main Server Configuration File
■ Create the Zone Files
■ Create Additional Resource Records

Adapt the Main Server Configuration File

You can adapt the configuration for the caching-only DNS server
for configuring a DNS server containing its own information files.

This configuration already contains the global entries for the

directory and the forwarders (which can be omitted) entries in the
options block. The file also contains the mandatory entries for the
root servers and the resolution of localhost.

Version 1 Copying all or part of this manual, 3-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The global options are followed by definitions for the database files
(or zone files) for the domains this DNS server serves. At least 2
files are necessary for each domain:
■ A file for forward resolution (allocating an IP address to a
computer name)
■ A file for reverse resolution (allocating a computer name to an
IP address)

If several subnets belong to a domain, then one file for each of these
networks must be created for reverse resolution.

Each definition begins with the instruction zone (this is why the
database files are also known as zone files), followed by the name
of this zone.

For forward resolution, this is always the domain name. For reverse
resolution, the network prefix of the IP address must be given in
reverse order (10.0.0.0 becomes 0.0.10.) to which the suffix in-
addr.arpa is added (0.0.10.in-addr.arpa).

The zone name is always followed by an “in” for Internet. (DNS

servers can administer information on different name spaces, not
only that of the Internet. Other name spaces are practically never
used).

The text in curly brackets defines the type of DNS server this is for
the corresponding zone (here it is always the type master; other
types are introduced later).

Finally, there is the name of the file in which the entries for this
zone are located.

3-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The entries for the Digital Airlines configuration look like the
following:
#
# forward resolution for the domain
digitalairlines.com
#
zone "digitalairlines.com" in
{
type master;
file "master/digitalairlines.com.zone";
};
#
# reverse resolution for the network 10.0.0.0
#
zone "0.0.10.in-addr.arpa" in
{
type master;
file "master/10.0.0.zone";
};

Create the Zone Files

The 2 files for the domain localhost and the file for the root DNS
servers are always included in the installation. You do not need to
change these files; however, you must create the files required for
the actual domain.

The subdirectory /var/lib/named/master/ is used for the database

files of a master server.

In these files, the semicolon is used as a comment sign.

Structure of the Files

Each of the database files consists of a series of entries, or resource

records. The syntax of these records is always as follows:

reference [TTL] class type value

Version 1 Copying all or part of this manual, 3-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following describes each part of a record:

■ reference
■ The reference to which the record refers. This can be a domain
(or subdomain) or a standalone computer (name or IP address).
■ TTL
■ The Time To Live value for the record. If this expires, a default
TTL value is used.
■ class
■ The class of the record. For TCP/IP networks, this is always IN
(internet).
■ type
■ The type of the record. The most important types are listed in
the table below.
■ value
■ The value of the record. The value depends on the type of
record as listed in the following:

Record Type Meaning Value

SOA Start of Authority Parameter for the domain
(term for the
authority)
NS DNS server Name of one of the DNS
servers for this domain
MX Mail exchanger Name and priority of a
mail server for this
domain
A Address IP address of a computer
PTR Pointer Name of a computer
CNAME Canonical name Alias name for a
computer

3-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Individual entries must always start in the first column with the reference.
If an entry does not start in the first column, the reference is taken from the
previous entry.

The File /var/lib/named/master/digitalairlines.com.zone

Unlike earlier versions of BIND, BIND 9 requires you to specify a

default TTL for all information at the beginning. This value is used
whenever the TTL has not been explicitly given for an entry.

You define the TTL with the following instruction:

;
; definition of a standard time to live, here: two
days
;
$TTL 172800

In this example, the TTL is given in seconds. But it can be given in

other units, such as 2D for two days. Other units are M (minutes), H
(hours), and W (weeks).

This is followed by the definition of the SOA (Source of Authority)

entry, which specifies which DNS server has the authority for this
domain:
;
; SOA Entry
;
digitalairlines.com. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
2004092601 ; serial number
1D ; refresh (one day)
2H ; retry (two hours)
1W ; expiry time (one week)
3H ; "negative" validity (three hours)
)

The domain to which this entry refers (here, digitalairlines.com) is

listed first. The domain name must end with a dot. If a name does
not have a dot at the end, the name of the domain is added on,
which could lead to an error here.

Version 1 Copying all or part of this manual, 3-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

After the SOA entry the name of the DNS server is listed (in this
example, da1.digitalairlines.com with a dot at the end).
Alternatively, you could write da1, and the domain name
digitalairlines.com would be added after the name.

Next comes the email address of the person who is responsible for
the administration of the DNS server. The “@” usually used in
email addresses must be replaced by a dot (so the email address in
this example is hostmaster.example.com). This is necessary
because @ has a special meaning as an abbreviation.

After this information, there is a serial number. Any number can be

used, but normally the date and a version number are used here.
After any change to the data in this file, the serial number has to be
increased.

Slave servers use this number to detect if they need to copy this
zone file or not. If the serial number on the master server is greater
than that on the slave server, the file is copied.

This is followed by the following time information (the first three

entries listed here are only important for slave servers):
■ The first entry causes a slave server to query a master server
after this length of time, to see if there is a new version of the
files (in the example, this is 1D or one day).
■ If the slave server cannot reach the master server, the next time
entry specifies at what intervals new attempts should be made
(in the example, this is 2H or two hours).
■ If the master server is not reached for a longer period of time,
the first time entry specifies when the slave server should
discard its information on this zone (in the example, this is 1W
or a week).
■ The basic idea here is that it is better not to pass on any
information than to pass on outdated information.

3-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

■ The fourth entry defines for how long negative responses from
the DNS server are valid. Each requesting server stores
responses in its cache, even if a computer name could not be
resolved (in the example, this is 3H or 3 hours).

These time definitions are followed by the name of the computer

that is responsible for this domain as the DNS server. In all cases,
the master server must be entered here. If slave servers are used,
they should also be entered, as in the following:
;
; entry for the name server
;
digitalairlines.com. IN NS
da1.digitalairlines.com.

The name of the domain can be omitted at this point. Then the name
from the previous entry is taken (the SOA entry).

At the end of this file are the IP addresses that are allocated to
computer names. This is done with A (address) entries, as in the
following:
;
; Allocation of IP addresses to host names
;
da10 IN A 10.0.0.10
da12 IN A 10.0.0.12
da13 IN A 10.0.0.13

The File /var/lib/named/master/10.0.0.zone

The file for reverse resolution contains similar entries as the file for
forward resolution. At the beginning of the file there is the
definition of a default TTL and an SOA entry.

Version 1 Copying all or part of this manual, 3-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In the SOA and NS entries, the IP address of the network is written

in reverse order:
; Database file for the domain digitalairlines.com:
; reverse resolution for the network
; 10.0.0.0
;
; Definition of a default TTL,here: two days
;

$TTL 172800
;
; SOA entry
;
0.0.10.in-addr.arpa. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
2004092601 ; serial number
1D ; refresh (one day)
2H ; retry (two hours)
1W ; expiry time (one week)
3H ; "negative" validity(three hours)
)
;; Entry for the name server
;
IN NS da1.digitalairlines.com.

At the end of this file are the IP addresses that are allocated to
computer names, this time with the PTR (Pointer) entry, as in the
following:
;
; Allocation of host names to IP addresses
;
10 IN PTR da10.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
13 IN PTR da13.digitalairlines.com.
14 IN PTR da14.digitalairlines.com.

The following 2 files must exist for the local computer. These are
created automatically during installation and should not be
modified.

3-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The File /var/lib/named/master/localhost.zone

The following is an example of the file

/var/lib/named/master/localhost.zone:
$TTL 1W
@ IN SOA @ root (
42 ; serial (d.
adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS @
IN A 127.0.0.1

In this example, the “@” character is used as an abbreviation (for

this reason, it must be replaced by a dot in the email address in the
database files).

Using “@” instead of the domain name causes the file

/etc/named.conf to be read to see for which domain this file is
responsible.

In this case, it is localhost, which is also used for the name of the
DNS server (this is why “@” appears many times in the file).

Version 1 Copying all or part of this manual, 3-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The File /var/lib/named/master/127.0.0.zone

In this file, the abbreviation “@” is also used. But here the
computer name must be given explicitly with localhost (remember
the dot at the end):
$TTL 1W
@ IN SOA localhost. root.localhost.
(
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS localhost.
1 IN PTR localhost.

Create Additional Resource Records

Apart from the resource records already discussed (SOA, NS, A,

PTR), there are MX and CNAME resource records, which are used
to do the following:
■ Define Mail Servers for the Domain
■ Assign Aliases for Computers

Define Mail Servers for the Domain

To be able to use email addresses in the form

[email protected], the email server responsible for the
domain must be defined (the email cannot be sent directly to the
domain, but must be sent to a mail server).

To achieve this, an MX (Mail Exchange) entry must be made in the

database file for forward resolution, after the DNS server entry:
digitalairlines.com. IN MX 0 mail
IN MX 10 da1
IN MX 10 da5

3-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

If an email is now sent to the address [email protected],

the computer sending the mail asks the DNS server which computer
is the mail server, and is sent the list of the MX entries in return.

Several mail servers can be given. On the basis of their priorities, it

is then decided to which computer the email is sent. The priority of
mail servers is defined by the number in front of the computer
name; the lower this number, the higher the priority.

In this example the computer mail.digitalairlines.com has the

highest priority (is therefore the primary mail server).
da1.digitalairlines.com and da5.digitalairlines.com both have the
same priority.

If the mail server with the highest priority cannot be reached, the
mail server with the second highest priority is used. If several mail
servers have the same priority, then one of them is chosen at
random. An address entry must be made for each mail server.

Assign Aliases for Computers

If you want a computer to be reached by more than one name (such

as addressing a computer as da30.digitalairlines.com and
www.digitalairlines.com), then corresponding aliases must be given.
These are the CNAME (canonical name) entries in the database file
for forward resolution:
da30 IN A 10.0.0.30
www IN CNAME da30

The names of the mail servers for the domain (MX entry) cannot be alias
names, since some mail servers cannot handle this correctly.

Version 1 Copying all or part of this manual, 3-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Configure One or More Slave Servers

To guarantee reliable operation, at least one more DNS server

besides the master server is required. This can take over part of the
load from the DNS master server. But it is especially important in
case the DNS master server is not available. This new DNS server is
set up as a DNS slave server.

The essential difference between the two types is that a slave server
receives copies of the zone files from the master server.
Modifications to the zone files are only made on the master server.

As soon as a slave server is started, it connects to the master server

and receives a copy of the zone files from it. This is called a zone
transfer.

Comparison of data between the servers takes place automatically.

On the one hand, the slave server queries the master server at
regular intervals and detects, using the serial number of the zone
files, whether anything has changed.

By default, the master server sends a message to all listed slave

servers (called notify) as soon as it has been restarted in order to
read in modified zone files.

In the configuration file /etc/named.conf for a slave server, there are

at least 2 entries that define it as the master server: the 2 zone
definitions for the loopback network (localhost).

There might also be a zone definition for the root DNS server. But a
zone definition is only necessary if the slave server will forward
requests to other DNS servers.

3-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The definitions for zones for which it should copy data from the
master server look like the following:
zone "digitalairlines.com" in
{
type slave;
file "slave/digitalairlines.com.zone";
masters
{
10.0.0.254;
};
};

The slave server gets data from the master server with the IP
address 10.0.0.254 and stores it in the directory
/var/lib/named/slave/. This directory is created when you install the
BIND package.

A similar configuration must be made for reverse resolution, as in

the following:
zone "0.0.10.in-addr.arpa" in
{
type slave;
file "slave/10.0.0.zone";
masters
{
10.0.0.254;
};
};

In the simplest configuration, the slave server gets information from

the master server at regular intervals. This can cause the slave server
to provide outdated information for a certain length of time.

This is why it is reasonable to instruct the master server to inform

the slave servers about modifications in the database files. The slave
servers then immediately carry out a zone transfer, which always
brings them up to date.

Version 1 Copying all or part of this manual, 3-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In order for the master server to be able to communicate with the

slave servers, it must know about them. By default, the master
server automatically informs its slave servers. But this can also be
done in the options section of the file /etc/named.conf, as in the
following:
options
{
...
notify yes;
};

Subsequently, the slave servers must be entered as DNS servers in

the database files (of the forward and reverse resolution):
digitalairlines.com. IN NS
da8.digitalairlines.com.

IN NS
da8.digitalairlines.com.

This informs the slave server, da8.digitalairlines.com, about all

modifications.

Configure the Client Computers to Use the DNS Server

You can use YaST to configure a client computer during installation

to use the DNS server (configuration of the network) or later. You
simply have to enter the IP address of the DNS server and possibly
add some information about your domain.

This information is written to the file /etc/resolv.conf, as in the

following:
search digitalairlines.com
nameserver 10.0.0.254

3-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Normally, this file has the following 2 types of entries:

■ search
■ A list of the names of domains (or subdomains) is provided
after this keyword. Several domain names are entered on one
line. This allows only the host name to be used to resolve to the
correct IP address.
■ The host name is expanded by the domain names specified here
until a matching IP address is found.
■ For example, if you provide digitalairlines.com and
atl.digitalairlines.com as domain names, the host DNS server is
expanded to server.digitalairlines.com and
server.atl.digitalairlines.com to look for a corresponding IP
address. The first matching IP address is returned.
■ If both of these host names exist, you have to specify the FQDN
to resolve the IP address.
■ nameserver
■ The keyword nameserver specifies the IP address of a DNS
server to use. You can have up to 3 entries, but each of them
must only contain 1 server address. If several entries of this
type exist, the DNS servers are queried in this order.

There is another important file for the clients:

/etc/nsswitch.conf. This file applies to all programs that use the
resolver functions of the current GNU C Library (libc6). (The
predecessor of this file is /etc/host.conf, which applies to older
versions of the GNU C Library.)

This file configures the name service switch, which is responsible

for resolving host names, network names, users, and groups.

Version 1 Copying all or part of this manual, 3-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The relevant part for resolving host names looks like the following:
#
# /etc/nsswitch.conf
#
...
hosts: files dns
networks: files dns
...

Both entries shown here define that in the first attempt to resolve a
host name is done using the file /etc/hosts. If this fails, a DNS server
resolved the name. The same applies to the resolution of network
names, done using /etc/networks first.

Use Command Line Tools to Query DNS Servers

Several command line tools are available to query DNS server.

These include the following:
■ host Command
■ dig Command

host Command

The most important command line tool for querying a DNS server is
called host. The general syntax is as follows:

host computer nameserver

The following example shows how it is used:

da2:~ # host da50
da50.digitalairlines.com has address 10.0.0.50
da2:~ # host 10.0.0.49
49.0.0.10.in-addr.arpa domain name pointer da49.digitalairlines.com.

If a DNS server address is not provided, host contacts the servers

listed in /etc/resolv.conf. If you want to use another DNS server, you
have to provide its IP address with the command.

3-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

By default, host returns the IP address or the host name, depending

on which information is given. If you want to query domain
information, you need to use the option -t with the type of
information required, as in the following:
da2:~ # host -t ns novell.com
novell.com name server ns.novell.com.
novell.com name server ns1.westnet.net.
novell.com name server ns.utah.edu.

In this example, the host names of the DNS servers for the domain
novell.com are requested.

dig Command

A more verbose command is dig, which is normally used to

troubleshoot DNS problems. The general syntax is as follows:

dig @nameserver computer type query_options

The options are listed in the following table:

Option Meaning
nameserver The IP address or name of the DNS
server that should be queried. If not
specified, dig checks all DNS
servers listed in /etc/resolv.conf.
computer The resource record to query about
(such as a host name, an IP
address, or a domain name).
type The type of resource record to be
returned, such as A (IP address), NS
(DNS server), MX (mail exchanger),
-x (pointer), or ANY (all information).

Version 1 Copying all or part of this manual, 3-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Option Meaning
query_options Defines how the query is done and
how the results are displayed. Each
query option starts with a plus sign
(+).

The most important difference between host and dig is that dig does
not use the domain list from /etc/resolv.conf by default to expand
the host name. This means that the FQDN or IP address of the host
must be specified. If the domain list should be used, you need to use
the query option +search.

The following example demonstrates the application:

da2:~ # dig ripe.net ns

; <<>> DiG 9.2.3 <<>> ripe.net ns

;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
1315
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY:
0,
ADDITIONAL: 9

;; QUESTION SECTION:
;ripe.net. IN NS

;; ANSWER SECTION:
ripe.net. 158814 IN NS ns2.nic.fr.
ripe.net. 158814 IN NS
sunic.sunet.se.
ripe.net. 158814 IN NS
auth03.ns.uu.net.
ripe.net. 158814 IN NS
munnari.oz.au.
ripe.net. 158814 IN NS ns.ripe.net.

;; ADDITIONAL SECTION:
ns.ripe.net. 171939 IN A 193.0.0.193
ns.ripe.net. 171939 IN AAAA

3-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

2001:610:240:0:53::193
ns2.nic.fr. 344302 IN A 192.93.0.4
ns2.nic.fr. 344302 IN AAAA
2001:660:3005:1::1:2
sunic.sunet.se. 172586 IN A 192.36.125.2
auth03.ns.uu.net.170436 IN A 198.6.1.83
munnari.oz.au. 170107 IN A 128.250.22.2
munnari.oz.au. 170107 IN A 128.250.1.21
munnari.oz.au. 21410 IN AAAA
2001:388:c02:4000::1:21

;; Query time: 51 msec

;; SERVER: 10.0.0.254#53(10.0.0.254)
;; WHEN: Mon Sep 27 15:27:01 2004
;; MSG SIZE rcvd: 329

The QUESTION SECTION shows what was queried and the

ANSWER SECTION shows the response: a list of DNS servers of
the domain ripe.net.

The IP addresses of certain DNS servers are listed under

ADDITIONAL SECTION. The address in the last line is an IPv6
address (2001:388:c02:4000::1:21).

Data about the query, such as the duration of the query (Query
time), the server that answered the query (SERVER), and the date
of the query (WHEN) are listed at the end of the output.

Find More Information About DNS

If there are syntax errors in one of the configuration or zone files,

BIND writes verbose messages to the file /var/log/messages. These
messages also contain information on the filename and the line in
which this error occurs.

If there is an error, the processing of the file is interrupted at this

point (that is,errors later in the file are not detected now).

Version 1 Copying all or part of this manual, 3-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

For more information about BIND and DNS, see DNS and BIND by Paul
Albitz and Cricket Liu and the BIND homepage at
http://www.isc.org/sw/bind/.

3-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Exercise 3-1: Configure a DNS server

In this exercise, you work with a partner to configure a DNS master

server and a DNS slave server for the domain digitalairlines.com.
You need to work as a team on all parts of the exercise.

Do the following:
■ Part I: Install BIND
■ Part II: Configure a DNS Master Server
■ Part III: Configure the DNS Slave Server on the Second
Machine

This exercise requires extensive typing to create your DNS files. To save
you some time, the files digitalairlines.com.zone and 10.0.0.zone are
included on your 3038 Course CD in the directory /exercises/section_3.

Part I: Install BIND

Do the following on both SLES 9 servers:

1. From the KDE menu, select System > YaST.

2. Enter the root password and select OK.

3. From the YaST Control Center, select Software > Install and
Remove Software.

4. From the filter drop-down menu, select Search.

5. In the Search field, enter bind; then select Search.

6. On the right, select the bind package.

7. Select Accept; then insert the requested SLES 9 CD.

8. When installation is complete, close the YaST Control Center.

Version 1 Copying all or part of this manual, 3-33

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Part II: Configure a DNS Master Server

Decide which SLES 9 server will be the DNS master server, then do
the following only on the master server:

1. Open a terminal window and su to root.

2. Open the file /etc/named.conf in a text editor.

3. Configure the forwarders line to match the following:

forwarders { 10.0.0.254; };
Make sure that you delete the comment character from the
beginning of the forwarders line.

4. Add the following 2 zone statements after the existing zone

statements:
zone "digitalairlines.com" in {
type master;
file "master/digitalairlines.com.zone";
};

zone "0.0.10.in-addr.arpa" in {
type master;
file "master/10.0.0.zone";
};

5. Save and close the file.

6. Create a new file digitalairlines.com.zone in the directory

/var/lib/named/master/.

3-34 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

7. Enter the following zone configuration in the file:

$TTL 172800

digitalairlines.com. IN SOA your_FQHN.

root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

digitalairlines.com. IN NS your_FQHN.

da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12

The SOA record (including root.digitalairlines.com) should be

on a single line. Make sure you enter your FQHN (such as
da50.digitalairlines.com) in the SOA and NS records. Use the
current date and “01” as the serial number (such as
2005071501).

8. Save and close the file.

9. Create a new file 10.0.0.zone in the directory

/var/lib/named/master/.

Version 1 Copying all or part of this manual, 3-35

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

10. Enter the following zone configuration in the file:

$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN.
root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

IN NS your_FQHN.

10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digtialairlines.com.

The SOA record (including root.digitalairlines.com) should be

on a single line. Make sure you enter your FQHN (such as
da50.digitairlines.com) in the SOA and NS records. Use the
current date and “01” as the serial number (such as
2005071501).

11. Save and close the file.

12. Open a second terminal window and su to root.

13. Enter the following command:

tail -f /var/log/messages

14. Switch to the first terminal window and start bind with the
following command:
rcnamed start

15. From the second terminal window, watch the log output of bind
for any messages such as Unknown RR type or file not found.

16. If any errors occur, try to fix them and restart bind.

3-36 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

One solution is to edit the digitalairlines.com.zone file by replacing

“digitalairlines.com. IN SOA...” with “@ IN SOA...” and to edit the
10.0.0.zone file by replacing “0.0.10.in-addr.arpa. IN SOA...” with “@
IN SOA...”.

17. From the first terminal window, start bind automatically when
the system is booted by entering the following:
insserv named

18. Open the file /etc/resolv.conf in a text editor.

19. Delete all existing nameserver entries.

20. Add the following entry:

nameserver your_ip_address

21. Save and close the file.

22. Verify that your DNS server works by entering the following
command:
host da10.digitalairlines.com

Version 1 Copying all or part of this manual, 3-37

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

23. Add a new DNS record for the slave server in the file
/var/lib/named/master/digitalairlines.com.zone:
$TTL 172800

digitalairlines.com. IN SOA your_FQHN.

root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

digitalairlines.com. IN NS your_FQHN.
digitalairlines.com. IN NS slave_FQHN.

da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12

24. Add a new DNS record for the slave server in the file
/var/lib/named/10.0.0.zone:
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN.
root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

IN NS your_FQHN.
IN NS slave_FQHN.

10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digtialairlines.com.

3-38 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Part III: Configure the DNS Slave Server

From the DNS slave server, do the following:

1. Open a terminal window and su to root.

2. Open the file /etc/named.conf in a text editor.

3. Configure the forwarder by entering the following:

forwarders { 10.0.0.254; };
4. Enter the following two zone statements after the existing
statements:
zone "digitalairlines.com" in
{
type slave;
file "slave/digitalairlines.com.zone";
masters
{
master_server_ip_address;
};

};

zone "0.0.10.in-addr.arpa" in
{
type slave;
file "slave/10.0.0.zone";
masters
{
master_server_ip_address;
};

};

5. Save the changes and close the editor.

6. Open a second terminal window su to root.

Version 1 Copying all or part of this manual, 3-39

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

7. Enter the following command:

tail -f /var/log/messages
8. Switch to the first terminal window and start bind by entering
the following:
rcnamed start
9. From the second terminal window, watch the log output of bind
for any messages such as Unknown RR type or file not found.

10. If any errors occur, try to fix them and restart bind.

11. Start bind automatically when the system boots by entering the
following:
insserv named

12. Open the file /etc/resolv.conf in a text editor.

13. Delete all existing nameserver entries.

14. Add the following entry:

nameserver your_ip_address

15. Save and close the file.

16. Verify whether or not your DNS server works by entering the
following:
host da10.digitalairlines.com

(End of Exercise)

3-40 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Objective 2 Deploy OpenLDAP on a SLES 9 Server

OpenLDAP is the most popular open source LDAP suite. It
provides not only the LDAP server itself, but also applications and
tools to control and query the server and to develop LDAP-based
software.

To deploy an OpenLDAP server with SLES 9, you need to know the

following:
■ The Concept of a Directory Service
■ The Basics of LDAP
■ How to Install and Set Up an OpenLDAP Server
■ How to Add Entries to the LDAP Server
■ How to Query Information from the LDAP Server
■ How to Delete and Modify Entries of the LDAP Server
■ How to Use Graphical LDAP Applications

The Concept of a Directory Service

A directory is a specialized database that is optimized for reading,

browsing and searching. Directories contain descriptive, attribute-
based information and support sophisticated filtering.

Directories are tuned to give quick response to high-volume lookup

or search operations. They can replicate information widely in order
to increase availability and reliability, while reducing response time.

There are many different ways to provide a directory service.

Different methods allow different kinds of information to be stored
in the directory, place different requirements on how that
information can be referenced, queried and updated, and determine
how it is protected from unauthorized access.

Version 1 Copying all or part of this manual, 3-41

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Some directory services are local, providing service to a restricted

context (such as the finger service on a single machine). Other
services are global, providing service to a much broader context
(such as the entire Internet).

Directory services can be used for man different purposes. Very

often they are used as databases for user authentication. By default,
SLES 9 uses OpenLDAP for user management and some
configuration purposes.

The Basics of LDAP

LDAP stands for Lightweight Directory Access Protocol. As the

name suggests, it is a lightweight protocol for accessing directory
services. LDAP runs over TCP/IP or other connection-oriented
transfer services.

The LDAP information model is based on entries. An entry is a

collection of attributes that has a globally-unique distinguished
name (DN). The DN is used to refer to the entry. Each of the entry's
attributes has a type and one or more values.

The types are typically mnemonic strings, like "cn" for common
name, or "mail" for email addresses. The syntax of values depend
on the attribute type.

For example, a cn attribute might contain the value “Tux Penguin.”

A mail attribute might contain the value "[email protected]." A
jpegPhoto attribute might contain a photograph in the JPEG
(binary) format.

In LDAP, directory entries are arranged in a hierarchical tree

structure. If you use LDAP for user management, the structure
normally reflects the organizational structure of the company or
organization.

Under the root of the tree are the country, organization,

organizational unit and leaf objects (such as users).

3-42 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The following illustrates a LDAP tree:

An entry of the tree is referenced by its DN, which is constructed by

taking the name of the entry itself (called the relative distinguished
name or RDN) and concatenating the names of its ancestor entries.

For example, the entry for Tux Penguin in the example above has a
DN of uid=tux,ou=Management,dc=example,dc=com.

In addition, LDAP allows you to control which attributes are

required and allowed through the use of objectClasses. The
following objectClasses are used when LDAP is used for Linux user
authentication.
■ posixAccount
■ shadowAccount
■ posixGroup

Version 1 Copying all or part of this manual, 3-43

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following is an overview of some of the attributes used in these

object classes:

Attribute Abbreviation Description

uid Login of the user
uidNumber Numerical user ID
gid Group name
gidNumber Numerical group ID
homeDirectory Home directory
loginShell Login shell
shadowLastChange Date of the last password change

Object classes are defined in schema files. OpenLDAP ships with

some basic schema files located in the directory
/etc/openldap/schema.

To create the tree structure, you use container objects, which can
contain other objects. The following is a list of these objects:
■ Root. The root of the directory tree
■ c. Countries
■ o. Organizations
■ ou. Organizational units
■ dc. Domain components

How to Install and Set Up an OpenLDAP Server

To install and set up an OpenLDAP server, you need to do the

following:
■ Install the Required Software and Start the Server
■ Edit the OpenLDAP Configuration Files

3-44 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Install the Required Software and Start the Server

Normally, YaST sets up an OpenLDAP server during the installation

process of SLES 9.

However, if you chose not to install the server during installation,

you can set up an LDAP server by installing the following software
packages with YaST:
■ openldap2
■ openldap2-client

Edit the OpenLDAP Configuration Files

The configuration files for OpenLDAP are located in the directory /

etc/openldap/. The directory contains 2 configuration files:
■ slapd.conf. This file is the main configuration file for the
OpenLDAP server.
■ ldap.conf. This file contains the default configuration for
LDAP clients.

If you installed the LDAP server during SLES 9 installation, the

configuration file slapd.conf has already been set up. Otherwise,
you need to set the following options of the configuration file to
reflect your environment:
suffix "dc=your-domain,dc=com"

In this line you set the domain components “dc” according to your
domain name.
rootdn "cn=Manager,dc=example,dc=com"

This line sets the administrator of the the LDAP server. You can
also configure the domain components in this line.

Version 1 Copying all or part of this manual, 3-45

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

rootpw secret

This line specifies the password for the administrator. The default
password secret must be changed. For security reasons, the
password should be stored in an encrypted form. To create an
encrypted password, use the following command:
slappasswd -s <your_password>

The command outputs a string that has to be copied into the

configuration file. The entry for the command rootpw looks like the
following:
rootpw {SSHA}rawtcakVvoBls6J6wz2+yPa8H02Dprax

After finishing the configuration, you can start the server with the
following command:
rcldap start

If you want to start the LDAP server automatically when the server
boots, use the following command:
insserv ldap

After you change the server configuration file, you change the client
configuration file ldap.conf. You have to set add at least 2 lines:
host localhost

This line sets the default server that LDAP clients should connect
to.
base dc=suse,dc=de

This is the default directory search base that should be used by

LDAP clients.

The configuration shown above is for a SLES 9 authentication server.

Depending on your environment, you might need a different setup and tree
structure.

3-46 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

How to Add Entries to the LDAP Server

OpenLDAP provides the command ldapadd to insert data that is in

LDIF format into the directory. You can use files in the LDIF format
to avoid specifying all values on the command line.

LDIF files contain the information that should be included into the
directory service in a plain text format.

You can create a different file for each user you would like to add,
but you can also multiple user records in one file. An LDIF file
contains the following entries:
■ dn. The distinguished name of the object you want to add.
■ objectclass. The object classes of the new entry.
■ attribute. An attribute of the entry. You normally add more
than one attribute at the same time.

If you installed an LDAP server during installation, the basic tree

structure for user authentication has already been created. If you set
up the server later, you need to create the structure manually with an
LDIF file like the following:
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

Version 1 Copying all or part of this manual, 3-47

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The file creates 2 entries in the directory tree:

■ The base entry with the DN dc=example,dc=com.
■ An entry below the base entry for the ou people. The dn for this
entry is ou=people,dc=example,dc=com.

Every entry in an LDIF file does the following:

■ Sets the distinguished name of the entry.
■ Lists the object classes used for the entry.
■ Lists the attributes and their corresponding values.

Make sure that there are no empty spaces or tabs at the beginning or end of
a line.

Because LDAP uses Unicode (UTF-8), special characters in LDIF

files have to be coded into UTF-8, or they might not be evaluated.
This means you need to edit the LDIF file with a Unicode editor, or
convert the file later. You can convert the file by entering the
following command:
recode lat1.utf8 <ldif_file>

The command to insert a data set that exists as an LDIF file looks
like the following:
ldapadd -x -D dn_of_the_administrator -W -f
file.ldif

You need to use the -x option because you haven't configured SASL
authentication yet.

Use the option -D to specify who can access the directory. This
should be rootdn, specified in the server configuration file.

Use the option -W to display a password prompt. Otherwise, you

must enter the password directly at the command line, where it will
be visible as plain text.

Finally, specify the LDIF file with the option -f.

3-48 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

If the LDIF file is called example.ldif, ldapadd should be run as

follows:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f
example.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=people,dc=example,dc=com"

After you have set up the basic tree structure (during or after
installation), you can add a user to the directory with an LDIF file
similar to the following:
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
givenName: Geeko
sn: Chameleon
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609

This example LDIF file creates a user based on the default LDAP
setup of SLES 9. The attributes are shown below with an
explanation of each:
uid: geeko

This attribute sets the login name of the user.

uidNumber: 1010

This attribute sets the numerical ID of the user.

Version 1 Copying all or part of this manual, 3-49

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

gidNumber: 100

This attribute sets the default group ID of the user. The value 100
belongs to the group users in a SLES 9 installation.
cn: Geeko Chameleon

This attribute sets the full name of the user.

givenName: Geeko

This attribute sets the given name of the user.

sn: Chameleon

This attribute sets the surname of the user.

homeDirectory: /home/geeko

This attribute sets the path to the home directory of the user.
loginShell: /bin/bash

This attribute sets the login shell of the user. The default for SLES
9 is /bin/bash.
ShadowMax: 99999

This attribute sets the number of days before the password expires.
ShadowWarning: 7

Users can be warned before their passwords expire. This attribute

sets the number of days before the warning is issued. Set to -1 to
disable the warning.
ShadowInactive: -1

This attribute sets the number of days that a user can still log in
after the password expires. Set to -1 to set an unlimited number of
days.
ShadowMin: 0

This attribute sets the minimum number of days that need to pass
before a password can be changed.

3-50 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

ShadowLastChange: 12609

This attribute sets the date of the last password change.

How to Query Information from the LDAP Server

You can use the command ldapsearch to read data from the LDAP
directory. The following command reads the entire tree:
ldapsearch -x

The -x option forces ldapsearch to use the simple authentication

method. This is necessary if the LDAP server is not yet configured
to use the SASL authentication method.

ldapsearch reads the search base for the query out of the
configuration file /etc/openldap/ldap.conf. The search base is the
entry in the directory where ldapsearch starts the the recursive
search process.

If the file ldap.conf file does not exist, or if you want to use a
different search base, you can specify it with the -b option, as in the
following:
ldapsearch -x -b "dc=example,dc=com"

If you have a lot of data in your LDAP tree, you might want to limit
the output of ldapsearch to specific entries. You can do that by
adding a filter expression to the ldapsearch command, as in the
following:
ldapsearch -x "(uid=g*)"

In this example, ldapsearch displays all entries that have a uid

attribute starting with g. You can use any attributes or objectClasses
as a search filter.

Version 1 Copying all or part of this manual, 3-51

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The output of ldapsearch looks like the following:

# geeko, people, suse.de
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1010
shadowLastChange: 12623

ldapsearch displays the result in LDIF format. That means you can
transfer the data to another LDAP server by redirecting the data into
a file and loading it with ldapadd on a different machine.

How to Delete and Modify Entries of the LDAP Server

The easiest way to modify data in the LDAP directory in SLES 9 is

to modify an LDIF file and apply the changes with the ldapmodify
tool.

3-52 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

In the following example, the uidNumber of the user tux has been
changed to 1011:
# geeko, people, suse.de
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1011
shadowLastChange: 12623

To apply the changes, use the following command:

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f
geeko.ldif

Using the ldapmodify command is similar to using ldapadd.

ldapmodify compares the data in the directory with the data from
the LDIF file and applies the changes to the directory entries.

To delete an entry from the LDAP directory, use the following

command:
ldapdelete -D cn=Administrator,dc=example,dc=com -x
-W "cn=geeko, dc=example, dc=com"

In this example, the entry with the distinguished name "cn=geeko,

dc=example, dc=com" is deleted.

Version 1 Copying all or part of this manual, 3-53

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

How to Use Graphical LDAP Applications

Graphical applications are also available to access the LDAP server.

SLES 9 comes with the graphical LDAP browser GQ. Before you
can use GQ, you need to install the package gq because it is not part
of the default software selection.

After installation, you can access GQ from the KDE menu by

selecting System >GQ LDAP Client.

After starting GQ, the following appears:

GQ reads the file /etc/openldap/ldap.conf to get information about

the default LDAP server.

You can do the following with the LDAP directory:

■ Search the Directory
■ Browse the Directory
■ Explore the Schema Definitions

3-54 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Search the Directory

This is the default page that opens after you start GQ. At the top of
the page are the following text field:
■ Search filter. In this field you enter the search filter for your
query. The syntax is the same as that used for ldapsearch.
■ LDAP server. Choose an LDAP server from the drop-down
list.
■ If you want to add an additional server, you need to open the
Preferences dialog by selecting File > Preferences. On the
Servers page, specify a new LDAP server by selecting New.
■ Search base. In this field you specify the search base for your
query. The syntax for the search base is the same as that used
for ldapsearch.

After you have entered all necessary data, start the query by
selecting Find.

The result of the query is displayed in a list below the input fields.
Double-click an entry to display detailed information.

Version 1 Copying all or part of this manual, 3-55

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Browse the Directory

The following is the Browse page of GQ:

On the left side of the page is a tree menu you can use to browse the
directory. By selecting the arrow symbol before an entry, you can
expand the tree structure.

You can display the details of an entry on the right side of the page
by selecting the entry in the tree menu.

3-56 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Explore the Schema Definitions

The following is the Schema page of GQ:

On this page you can browse the schema definition available on the
LDAP server.

Version 1 Copying all or part of this manual, 3-57

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 3-2: Use the SLES 9 OpenLDAP server

In this exercise, you use the OpenLDAP server by doing the

following:
■ Part I: Install GQ
■ Part II: Search the SLES 9 OpenLDAP server
■ Part III: Browse the SLES 9 OpenLDAP server
■ Part IV: Add a User With an LDIF File

Part I: Install GQ

Do the following:

1. From the KDE menu, select System > YaST

2. Enter the root password and select OK.

3. From the YaST Control Center, select Software > Install and
Remove Software.

4. From the filter drop down menu, select Search.

5. In the Search field, enter gq; then select Search.

6. On the right, select the gq package.

7. Install the GQ application by selecting Accept.

8. When the installation is complete, close the YaST Control

Center.

Part II: Search the SLES 9 OpenLDAP server

Do the following:

1. From the KDE menu, select System > GQ LDAP Client.

3-58 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

2. Make sure that the Search tab is selected.

3. In the left search field, enter uid=geeko.

4. In the right search field, enter dc=digitalairlines,dc=com.

5. Select Find.

A result line appears.

6. Double-click the result line.

The LDAP entry for the user geeko is displayed.

7. Scroll down and verify that you cannot see the password entry
for geeko.

8. Select Close.

9. From the menu bar, select File > Preferences.

10. From the configuration dialog, select the Servers tab.

11. Select the entry localhost; then select Edit.

12. From the server dialog, select Details.

13. In the Bind DN field enter the following:

cn=Administrator,dc=digitalairlines,dc=com

14. Close the server dialog by selecting OK.

15. Close the configuration dialog by selecting OK.

16. Make sure that the search fields still contain the previously
entered query.

17. Select Find.

18. When prompted for a password, enter novell.

Version 1 Copying all or part of this manual, 3-59

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

19. Double-click the result line.

20. Make sure that you can see the password entry for the user
geeko.
Notice that access to the password is not granted to anonymous
users, but to the authenticated administrator.

21. When you finish, select Close.

Part III: Browse the SLES 9 OpenLDAP Server

Do the following:

1. From the GQ application, select Browse.

2. On the left, expand localhost.

3. Expand dc=digitalairlines,dc=com.

4. Expand people.

All users of the system are displayed. At the moment, this only
includes geeko.

5. Select geeko.

The user information for geeko appears on the right.

6. Close the GQ window.

3-60 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Part IV: Use an LDIF File to Add a User

Do the following:

1. With a text editor, create a file with the following content.

dn:uid=tux,ou=people,dc=digitalairlines,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Tux Penguin
gidNumber: 100
givenName: Tux
homeDirectory: /home/tux
loginShell: /bin/bash
shadowInactive: -1
shadowLastChange: 12609
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Penguin
uid: tux
userPassword: {crypt}GpyJ3/OQgLxZE
uidNumber: 1010
You can also copy the LDIF file tux.ldif from the directory
/exercises/section_3 from your 3038 Course CD.

2. Save the file with the name tux.ldif in the directory /tmp.

3. From a terminal window (as root), add the user tux by entering
the following (all on one line):
ldapadd -x -D
"cn=Administrator,dc=digitalairlines,dc=com" -W -f
/tmp/tux.ldif

4. When prompted for a password, enter novell.

Version 1 Copying all or part of this manual, 3-61

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

If you are unsuccessful at authenticating as Administrator, try closing

the terminal window and opening a new terminal window. Repeat
steps 3 and 4.

You do not have to be root to enter the ldapadd command; however,

you need to be root for the commands that follow.

5. Create the home directory for the user tux by entering the
following :
cp -a /etc/skel/ /home/tux

6. Adjust the file system permissions by entering the following

commands:
chown -R tux:users /home/tux/

7. Log out as root by entering exit.

8. Switch to the user tux by entering the following:

su - tux
You can now log in to the tux user account by entering a
password of Novell.

9. Log out as tux by pressing Ctrl+D.

(End of Exercise)

3-62 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Objective 3 Configure an Apache Web Server

The Apache web server is the leading web server software. Apache
was developed as open source software and is shipped with SLES 9.

To set up an internal Apache web server, you need to know the

following:
■ The Basic Functionality of a Web Server
■ How to Install and Set Up a Basic Apache Web Server
■ The Structure and the Basic Elements of the Apache
Configuration Files
■ The Basic Apache Configuration
■ How to Configure Virtual Hosts
■ How to Limit Access to the Web Server
■ How to Configure OpenSSL for Connection Encryption

Version 1 Copying all or part of this manual, 3-63

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The Basic Functionality of a Web Server

A web server delivers data that is requested by a web browser. The

data can have different formats such as HTML files, image files,
Flash animations, or sound files.

Web browsers and web servers communicate using HTTP (Hyper

Text Transfer Protocol). The following diagram shows the
relationship between the browser, server, and HTTP:

Web Browser Web Server

HTTP

In addition to delivering data to the web browser, a web server can

perform tasks such as limiting access to specific web sites, logging
access to a file, and encrypting the connection between a server and
browser.

How to Install and Set Up a Basic Apache Web Server

To set up a basic Apache web server, you need to do the following:

■ Install the Required Software Packages
■ Start and Test the Web Server
■ Locate the DocumentRoot of the Web Server

3-64 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Install the Required Software Packages

To run a basic Apache web server, you need to install the following
packages with YaST:
■ apache2. The basic web server software.
■ apache2-prefork. An additional Apache package that
influences the multiprocessing behavior of the web server.
■ apache2-example-pages. Sample HTML pages.

SLES 9 ships with 2 Apache versions: Apache series 1 and Apache

series 2. This section covers Apache series 2 because this version
will continue to be developed.

When you install the packages listed above, YaST prompts you to
install also one or more additional packages required by Apache.
Confirm the additional package installation by selecting OK to
resolve all dependencies of the Apache packages.

Start and Test the Web Server

After installing the required software, you need to start the web
server. Do this as the root user by entering the following:
rcapache2 start

As with all services, enter the following to stop the web server:
rcapache2 stop

If you want the web server to start up at boot time, you need to enter
the following:
insserv apache2

To test whether the web server is properly installed, open a web

browser and enter the following address:
http://localhost

Version 1 Copying all or part of this manual, 3-65

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The browser displays the following page:

If your SLES 9 server is connected to a network, you (and other

hosts on the network) can remotely access the web server by
entering the following:
http://<ip_address_of_your_system

If your network provides a DNS server, you can use the hostname
instead of the IP address.

Locate the DocumentRoot of the Web Server

The default directory of the data provided by Apache is

/srv/www/htdocs.

This directory is also called the DocumentRoot of the web server.

After the installation, it contains the Apache example pages, which
are displayed above.

3-66 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

You can replace the data in the DocumentRoot directory to display

your own web server content. Because the web server runs with the
user id wwwrun, you have to make sure that this user has read
access to files in the DocumentRoot directory.

If you create subdirectories in DocumentRoot, you can access those

subdirectories with the following web address scheme:
http://<your_server>/<name_of_subdirectory>

If no specific file is requested in the address, Apache looks for a file

with the name index.html. You can change the name of this default
file in the Apache configuration files.

The Structure and the Basic Elements of the Apache

Configuration Files

To configure the Apache web server with the configuration files,

you need to do the following:
■ Locate the Apache Configuration Files
■ Understand the Basic Rules of the Configuration Files

Locate the Apache Configuration Files

The configuration of the Apache web server is spread over several

configuration files located in the directory /etc/apache2.

The following is a list of the most important Apache configuration

files:
■ httpd.conf. This is the main Apache configuration file. All
other configuration files are included by this files.
■ default-server.conf. This file contains the basic web server
setup. However, all options set in this file can be overwritten by
other configuration files.
■ vhost.d/. This is a directory containing configuration files for

Version 1 Copying all or part of this manual, 3-67

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

virtual host setups. Learn more about virtual hosts later in this
section.
■ uid.conf. This configuration file sets the user and group id for
Apache. By default, Apache uses the user id wwwrun and the
group id www.
■ listen.conf. In this configuration file, you can specify the IP
addresses and TCP/IP ports Apache is listening to. By default,
Apache listens to all assigned interfaces on port 80.
■ server-tuning.conf. You can use this configuration file to fine
tune the performance of Apache. The default values should be
fine unless you are going to run a web server that has to handle
a lot of requests at the same time.
■ error.conf. In this file you configure the behavior of Apache
when a request cannot be performed correctly.
■ ssl-global.conf. Configure the connection encryption with SSL
in this configuration file.

Understand the Basic Rules of the Configuration Files

The options of the Apache configuration files are called directives.

Directives are case sensitive, which means that a word such as
“include” is not the same as “Include.”

Directives can be grouped so that they do not apply to the global

server configuration. In the following, the directives only apply to
the directory /srv/www/htdocs:
<Directory "/srv/www/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

The directives are grouped by <Directory "/srv/www/htdocs"> and

</Directory> which limits their validity to the directory
/srv/www/htdocs only.

3-68 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

You can use the # character to indicate comments in the

configuration file. All lines starting with a # are ignored by the
Apache server.

Whenever you edit the Apache configuration files, you need to

reload the web server by entering the following:
rcapache2 reload

In some cases it´s not enough to reload Apache. You need to stop
and restart the web server by entering the following:
rcapache2 restart

If you are not sure that your changes use the correct syntax, you can
verify the syntax of the configuration files by entering the
following:
apache2ctl configtest

If the syntax is correct, the command displays the following

message:
Syntax OK

The Basic Apache Configuration

You do the main Apache web server configuration in the file

/etc/apache2/default-server.conf by using directives such as the
following:

Directive Meaning
DocumentRoot Specifies the DocumentRoot of the
web server.
Directory “dir_name” All directives used within this block,
/Directory apply only to the specified directory.

Version 1 Copying all or part of this manual, 3-69

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Directive Meaning
Options With this directive additional options
can applied to logical blocks like
directories.
AllowOverride Determines whether other directives
are allowed to be overwritten by a
configuration found in a .htaccess
file of a directory.
Alias “fakename” “realname” Allows you to create an alias to a
directory.
ScriptAlias Allows you to create an alias to a
directory containing scripts for
dynamic content generation.

In most cases the default settings are suitable and don't need to be
changed.

An overview of all Apache directives can be found at

http://httpd.apache.org/docs-2.0/mod/directives.html.

How to Configure Virtual Hosts

To use the virtual host feature of Apache, you need to know the
following:
■ The Concept of Virtual Hosts
■ How to Configure a Virtual Host

3-70 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The Concept of Virtual Hosts

With the default setup, the Apache server can be reached with a
browser using the following web addresses:
■ http://localhost (from the computer where the web server is
running)
■ http://IP_address_of_web_server
■ http://hostname_of_the_web_server

For all of these addresses, Apache serves the same files located in
the DocumentRoot directory.

To use this setup, you would need a dedicated computer for every
domain of the Internet. To avoid this, Apache lets you set up
multiple virtual web servers on one physical system. These virtual
web servers are called virtual hosts.

The physical system needs to have an entry in the DNS for every
virtual host of the Apache web server.

The following outlines the steps in the process of sending a request

to the virtual host www.example.com:

1. The web browser requests the IP address of the host

www.example.com.

2. The browser uses the IP address to request a file from the

Apache web server listening on the IP address of
www.example.com.

3. In the HTTP request, the browser includes the hostname of the

server it wants to reach.

4. Apaches uses the hostname to determine the right virtual host

and delivers the requested data from that host.

Version 1 Copying all or part of this manual, 3-71

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following illustrates this process:

DNS Server

Requests IP for the same IP address for:

www.example.com www.example.com
www2.example.com
www3.example.com
www4.example.com

Web Browser Web Server

Uses the IP address to requests
data from the virtual Host
www.example.com
Virtual Hosts for:
www.example.com
www2.example.com
www3.example.com
www4.example.com

How to Configure a Virtual Host

For every virtual host you need to create a configuration file in the
directory /etc/apache2/vhosts.d/. The name of the configuration file
must end with .conf.

You can find a template file vhost.template in the directory

/etc/apache2/vhosts.d/ to use as a base for your configuration file.

You need to edit the following directives in the template:

Directive Meaning
ServerAdmin Enter the email address of the
Virtual Host administrator here.
ServerName Enter the hostname of the virtual
host as it´s configured in the DNS.

3-72 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Directive Meaning
DocumentRoot Set the DocumentRoot of the virtual
host. The directory and the files in
the directory must be readable by
the user wwwrun.
ErrorLog Enter a filename for the error log.
The file must be writable for the user
wwwrun.
CustomLog Enter a filename for the general log
file. The file must be writable for the
user wwwrun.
ScriptAlias Set the ScriptAlias to a directory of
your choice. The directory must not
be under the DocumentRoot of the
virtual host. If you don´t need scripts
for dynamic content creation, delete
this directive.
<Directory “script_dir”> If you set a ScriptAlias before, you
have adjust the settings for script
directory accordingly. If you are not
using a script directory, delete this
directory block.
<Directory “document_root”> You need to adjust the path name of
this directory directive to the path of
your DocumentRoot.

After customizing the template file, you need to reload the Apache
web server. You also need to make sure that the settings in DNS are
updated so that the hostname of your virtual host is resolved
correctly.

Version 1 Copying all or part of this manual, 3-73

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

How to Limit Access to the Web Server

Normally Apache delivers data to all hosts in the network that can
reach the web server. Sometimes it can be useful to restrict access to
the content delivered by Apache.

The following are the most common methods used:

■ Limit Access on an IP Address Basis
■ Limit Access With User Authentication

Limit Access on an IP Address Basis

Apache offers the following directives to limit access to the web

server on an IP address basis:

Directive Meaning
allow IP addresses or networks listed after
this directive are allowed to access
the web server.
deny IP addresses or networks listed after
this directive are not allowed to
access the web server.
order This directive sets the order in which
the allow and deny directives are
evaluated.

These directives must be used within a <Directory> block and

control the access to all data below that directory.

3-74 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The following example allows only hosts from the network

10.0.0.0/24 to access the data in the directory /srv/www/htdocs:
<Directory "/srv/www/htdocs">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Directory>

The following lists and describes the lines in the example:

<Directory "/srv/www/htdocs">

This directive starts the directory block. The directives that follow
apply to the directory /srv/www/htdocs only.
Order deny,allow

The Order directive determines in which order the allow and deny
directives are evaluated. You have the following options:
■ Deny,Allow. The deny directives are evaluated before the allow
directives. Access is allowed by default. Any client who does
not match a deny directive or does match an allow directive is
allowed access to the server.
■ Allow,Deny. The allow directives are evaluated before the deny
directives. Access is denied by default. Any client who does not
match an allow directive or does match a deny directive is
denied access to the server.
■ Mutual-failure. Only those hosts that appear in the Allow list
and do not appear on the Deny list are granted access. This has
the same effect as Order Allow,Deny and is deprecated in favor
of that configuration.
Deny from all

The Deny directive is evaluated first, and in this case access is

denied for all clients. You can use the following options with the
deny and the allow directives:
■ all. This option applies to all hosts.
■ A full IP address. This option applies to a specific IP address

Version 1 Copying all or part of this manual, 3-75

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

(such as 10.0.0.23).
■ A partial IP address. This option applies to IP addresses
starting with the given IP address fragment (such as 10.0.0).
■ A network/netmask pair. This option applies to IP addresses
matching to the given network/netmask pair (such as
10.0.0.0/255.255.255.0)
■ A network/nnn CIDR specification. This option applies to IP
addresses matching to the given CIDR expression (such as
10.0.0.0/24).
Allow from 10.0.0.0/24

This allow directive is evaluated after the deny directive. In this

case, the access is allowed for hosts in the network 10.0.0.0/24
</Directory>

This directive ends the directory block.

Limit Access with User Authentication

By limiting access to certain IP addresses, you can control the hosts

that access the web server, but you have no control of the over the
user that sits in front of the computer.

Apache offers another possibility of access control called basic

authentication. If you protect content on your web server with this
method, users are required to log in before they can access the data.

Before you can configure Apache to use basic authentication, you

first have to create user accounts for the web server. You can do this
by using the tool htpasswd2.

The following command creates a password file and an account for

the user tux.
htpasswd2 -c /etc/apache2/htpasswd tux

3-76 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

After entering this command, htpasswd2 prompts you for a

password for the user you want to create. The passwords are stored
in the file /etc/apache2/htpasswd.

You can specify a different location for the password file, but you
have to make sure that it is readable for the user wwwrun and that it
is not located within the DocumentRoot of your server.

When you use a password file for the first time, you have to call
htpasswd2 with the -c option to create the file. If you want to add
more users later, use the following command:
htpasswd2 /etc/apache2/htpasswd <username>

To delete a user from the password file, use the following

command:
htpasswd2 -D /etc/apache2/htpasswd <username>

After you have created the user accounts, you need to configure
Apache to prompt for a password when accessing restricted data.
You need to add the following lines to the directory block of the
directory that should be restricted:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require user tux

The following describes each line:

AuthType Basic

This directive sets the authentication method. For the type described
in this section, the value is Basic.
AuthName "Restricted Files"

With this directive, you have to choose a name for the restricted
directory of your web server. This name is used for the
authentication process between the browser and the web server.

Version 1 Copying all or part of this manual, 3-77

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

AuthUserFile /etc/apache2/htpasswd

This directive sets the password file used for the restricted directory.
Require user tux

This directive lists the user of the password file who is allowed to
access the directory. You can add more than one user by separating
the user names with spaces, or you can use the following directive:
Require user valid-user

In this case, access is granted to all users of the password file.

How to Configure OpenSSL for Connection Encryption

By default, the connection between the web browser and the web
server are not encrypted. Anyone who can listen to the network
packets exchanged between browser and server can access the
transfered information.

Apache can use the SSL (Secure Socket Layer) protocol to encrypt
the connection. To configure an SSL encryption with an Apache
web server, you need know the following:
■ The Basics of SSL Encryption
■ How to Create a Test Certificate
■ How to Configure Apache to Use SSL
■ The Limitations of the SSL Configuration

3-78 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

The Basics of SSL Encryption

Most of the time data is transmitted across a network in encrypted

form by using RSA keys. This method is used by the encryption
software PGP (Pretty Good Privacy) to encrypt emails, by ssh
(Secure Shell) for encrypted data transfers between two computers,
and by Apache for secure data transmission between the web server
and the web browser.

This encryption is based on 2 different keys: a private key and a

public key. While the private key is known only to the owner, the
public key should be accessible to the public. The following shows
the encryption process:

Public and private keys can also be used to sign data. In principle,
when data is signed, an encrypted checksum is generated from the
data. The sender signs the data with his private key.

Version 1 Copying all or part of this manual, 3-79

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The signature can be checked by the recipient by using the public

key of the sender to determine whether the data is really from her or
whether the text has been modified by a third party.

The following illustrates the signing process:

A problem with the encryption procedure described above is that

you cannot determine who the owner of a public key is. The
solution to this problem is a Certificate Authority (CA) which signs
the public keys with its own private keys.

A public key that is signed by a CA is also called a Certificate.

CAs are well-known companies or organizations like VeriSign or

VISA. The public keys of these organizations are built into the web
browsers. By verifying the signature with the public key of the CA,
the browser can make sure that a public key of a web server is valid.

The following explains the process of using a CA with SSL

encryption for a web server:

1. The browser recognizes a web address starting with https://.

3-80 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

This means that the connection to this server should be

encrypted. The default port for SSL connections is 443 instead
of port 80 (used for normal unencrypted HTTP connections).

2. The web browser asks the server for its public RSA key.

3. The web server sends the public key to the web browser.

4. The web browser verifies the key of the server with the public
key of the CA that signed the key.

5. If the key is valid, the web browser and web server establish a
secure connection.

You need an officially signed key to set up a secure web server. You
can sign a key by yourself, but this should only be done for test
purposes.

How to Create a Test Certificate

To set up a secure web server for test purposes, you can create a
certificate by yourself. You should never use such a certificate for a
production system.

To create a test certificate, you do the following:

■ Create a RSA Key Pair
■ Sign the Public Key to Create a Certificate

Create an RSA Key Pair

To create a key pair, you need a file with as many random numbers
as possible. You can generate this file with the following command:
cat /dev/random > /tmp/random

Stop this procedure after a few seconds by pressing Ctrl+C. The

file generated be at least a thousand bytes in size. You can now
generate the key pair with the following command:

Version 1 Copying all or part of this manual, 3-81

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

openssl genrsa -des3 -out server.key -rand

/tmp/random 1024

During the process, you are prompted to enter a password. This

password is used to secure the private key of the key pair.

The generated keys are saved together in the file server.key.

Sign the Public Key to Create a Certificate

Next you need to sign your public key to create a certificate by

using the following command:
openssl req -new -x509 -key server.key -out
server.crt

During the process, you are prompted for the following information:
Enter pass phrase for /tmp/server.key:

Enter the passphrase you chose for the server key.

Country Name (2 letter code) [AU]

Enter the country code of your country (such as DE for Germany).

State or Province Name (full name) [Some-State]:

Enter your state or province name. You can enter a period (.) to
leave this field blank.
Locality Name (eg, city) []:

Enter the name of your city.

Organization Name (eg, company) [Internet Widgits Pty
Ltd]:

Enter the name of your company.

Organizational Unit Name (eg, section) []:

Enter the name of your unit, or you can enter a period (.) to leave it
blank.

3-82 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Common Name (eg, YOUR name) []:

Enter the full hostname of your system (such as

www.example.com). The certificate will be valid for this hostname
only.
Email Address []:

Enter the email address of the administrator who is responsible for

the server.

After you have answered all questions, the server certificate is saved
into the file server.crt.

Now the files server.key and server.crt have to be copied to right

location:
■ Copy the file server.key to the directory /etc/apache2/ssl.key.
■ Copy the file server.crt to the directory /etc/apache2/ssl.crt.

How to Configure Apache to Use SSL

After you have generated the RSA key pair and the server
certificate, you have to configure Apache to use SSL. First, you
need to change two settings in the file /etc/sysconfig/apache2.

The settings in this file apply to the Apache startup script and do not
belong to the server configuration.

Set the following variables to the appropriate values:

APACHE_START_TIMEOUT="10"

This setting extends the start timeout of Apache so that you have
more time to enter the passphrase of the private RSA key.

Version 1 Copying all or part of this manual, 3-83

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

APACHE_SERVER_FLAGS="SSL"

The additional server flag SSL defines the SSL variable when
evaluating the Apache configuration files. This enables some
directives that are necessary for SSL encryption.

For example, it lets Apache listen on port 443 instead of only to port
80.

You also need to change the server configuration files to enable SSL
by doing one of the following:
■ Configure the Main Server to Use SSL Encryption
■ Configure a Virtual Host to Use SSL Encryption

Configure the Main Server to Use SSL Encryption

To configure the main server, you need to add the following

directives to the file /etc/apache2/default-server.conf:
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Each line is listed and described below:

SSLEngine on

This directive enables the Apache SSL engine.

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
+EXP:+eNULL

This directive sets the details of the encryption method. The line
displayed above is the default configuration that comes with
Apache.

3-84 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

For more information about this directive, go to

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite.

SSLCertificateFile /etc/apache2/ssl.crt/server.crt

This directive points to the server certificate file.

SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

This directive points to the server key file.

After you make the described changes, you have to restart Apache.
Apache prompts you for the passphrase of the server key file.

The server might not start up correctly at boot time, because it

requires the passphrase for the server key. You should remove
Apache from the init process and start it manually after the system
starts up.

You can access the SSL host by using the address

https://name_of_your_host.

Configure a Virtual Host to Use SSL Encryption

You can also configure a virtual host instead of the main server to
use SSL. Place the directives described above in your virtual host
configuration and define you virtual host with a directive such as
the following:
<VirtualHost your_hostname:443>

The Limitations of the SSL Configuration

The SSL setup as described in this section is a very basic

configuration. To run Apache with SSL on a server that can be
reached from the Internet, you need a more thorough understanding
of SSL and the available configuration directives.

Version 1 Copying all or part of this manual, 3-85

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

For more information about this topic, go to

http://httpd.apache.org/docs-2.0/.

3-86 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Exercise 3-3: Configure an Apache Web Server

In this exercise, you configure an Apache web server by doing the

following:
■ Part I: Install Apache
■ Part II: Test the Installation
■ Part III: Configure a Virtual Host for the Accounting
Department
■ Part IV: Configure User Authentication
■ Part V: Configure SSL

The file accounting.conf you create in this exercise can be difficult to

modify properly. To help you understand what needs to be changed and
where parameters are placed, the file is available on your 3038 Course CD
in the directory /exercises/section_3.

Part I: Install Apache

Do the following:

1. From the KDE start menu, select System > YaST; then enter a
password of novell and select OK.

2. From the YaST Control Center, select Software > Install and
Remove Software.

3. From the search drop-down menu, select Search.

4. In the Search field, enter apache; then select Search.

5. On the right side, select the following packages.

■ apache2
■ apache2-example-pages
■ apache2-prefork

Version 1 Copying all or part of this manual, 3-87

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

6. Select Accept.

7. (Conditional) If YaST displays packet dependencies, confirm by

selecting Continue.

8. When prompted, insert the requested SLES 9 CDs in the drive.

9. Open a terminal window and su to root.

10. To start Apache at boot time, enter the following:

insserv apache2
11. To start the Apache daemon, enter the following:
rcapache2 start

Part II: Test the Installation

Do the following:

1. From the KDE menu, select Internet > Web Browser.

2. In the address bar of the web browser, enter the following:

http://localhost
If the Apache example page appears, the web server has been
installed and started correctly.
If you are having problems displaying the page, you need to
rename the file /srv/www/htdocs/index.html.en to
/srv/www/htdocs/index.html.

Part III: Configure a Virtual Host for the Accounting

Department

Do the following:

1. From a terminal window, su to root.

3-88 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

2. Create a directory for the virtual host by entering the following:

mkdir /srv/www/accounting

3. Adjust the file system permissions by entering the following:

chown wwwrun /srv/www/accounting/

4. In the new directory, create a file index.html with the following

content:
<html>
<head>
<title>Accounting Intranet Server</title>
</head>
<body>
<h1>Accounting Intranet</h1>
No content yet ...
</body>
</html>
This file is also available on your 3038 Course CD in the directory
/exercises/section_3.

5. Adjust the file system permissions of the file by entering the

following:
chown wwwrun index.html

6. Change to the directory /etc/apache2/vhosts.d/ by entering the

following:
cd /etc/apache2/vhosts.d/

7. Copy the virtual host template file by entering the following:

cp vhost.template accounting.conf

Version 1 Copying all or part of this manual, 3-89

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

8. Open the file accounting.conf in a text editor and make the

following changes:
<VirtualHost accounting.da.com:80>
ServerName accounting.da.com
DocumentRoot /srv/www/accounting
ErrorLog /var/log/apache2/accounting.da.com-error_log
CustomLog /var/log/apache2/accounting.da.com-access_log
combined
UseCanonicalName On
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin"
<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/srv/www/accounting/">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

9. For testing purposes, append “accounting.da.com” to the line

“127.0.0.1” in the file /etc/hosts:
127.0.0.1 localhost accounting.da.com

10. Test the syntax of your configuration file by entering the

following:
apache2ctl configtest

11. Reload Apache by entering the following:

rcapache2 reload

3-90 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

12. Open a web browser and access the virtual host by entering the
following:
http://accounting.da.com
The accounting intranet page is displayed.

Part IV: Configure User Authentication

Do the following:

1. Open a terminal window and su to root.

2. Create the file htpasswd and add the user geeko to it by

entering the following:
htpasswd2 -c /etc/apache2/htpasswd geeko

3. When prompted for a password, enter novell (twice).

4. Open the virtual host configuration file

/etc/apache2/vhosts.d/accounting.conf in a text editor.

5. Find the following directory directive:

<Directory "/srv/www/accounting/">

6. Within this directory block, add the following lines:

AuthType Basic
AuthName "Accounting Intranet"
AuthUserFile /etc/apache2/htpasswd
Require user geeko

7. Check the syntax of the configuration file by entering the

following command:
apache2ctl configtest

8. Reload the Apache server by entering the following:

rcapache2 reload

Version 1 Copying all or part of this manual, 3-91

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

9. Open a web bowser and enter the following:

http://accounting.da.com

A password dialog appears.

10. Enter a user name of geeko and a password of novell.

11. Access the protected web site by selecting OK.

Part V: Configure SSL

Do the following:

1. From the terminal window (as root), create the file random by
entering the following:
cat /dev/random > /tmp/random

2. Press some keys on the keyboard to generate random events

which help to create the file.

3. Stop the process after about 15 seconds by pressing Ctrl+C.

4. Generate a server key by entering the following.

openssl genrsa -des3 -out /tmp/accounting.key -rand
/tmp/random 1024

5. When prompted for a password, enter novell (twice).

6. Sign the key by entering the following:

openssl req -new -x509 -key /tmp/accounting.key
-out /tmp/accounting.crt

3-92 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

7. When prompted for a password, enter novell; then enter the

following information:

Option Value
Country Name US
State or Province Name Utah
Locality Name Provo
Organization Name Digital Airlines
Organizational Unit Name Accounting
Common Name accounting.da.com
Email Address [email protected]

8. Copy the files by entering the following commands:

cp /tmp/accounting.key /etc/apache2/ssl.key/
cp /tmp/accounting.crt /etc/apache2/ssl.crt/

9. Delete the temporary files by entering the following:

rm /tmp/accounting*

10. Adjust the file system permissions by entering the following

commands:
chmod 400 /etc/apache2/ssl.key/accounting.key
chmod 400 /etc/apache2/ssl.crt/accounting.crt

11. Open the file /etc/apache2/vhosts.d/accounting.conf in a text

editor.

Version 1 Copying all or part of this manual, 3-93

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

12. Change the following lines:

<VirtualHost accounting.da.com:80>
to
<VirtualHost accounting.da.com:443>
and
ServerName accounting.da.com
to
ServerName accounting.da.com:443

13. Add the following lines after the ServerName directive:

SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+
LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/accounting.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/accounting.key
The lines starting with SSLCipherSuite, ALL:, and LOW:
should be on one line.
These lines are available in the file servername in the directory /
exercises/section_3/servername on your 3038 Course CD.

14. Save and close the file.

15. Open the file /etc/sysconfig/apache2 in a text editor.

16. Change the following lines:

APACHE_SERVER_FLAGS="SSL"
APACHE_START_TIMEOUT="10"

17. Save and close the file.

3-94 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

18. Check the syntax of the configuration file by entering the

following:
apache2ctl configtest

19. Restart Apache by entering the following:

rcapache2 restart

20. When prompted for the pass phrase, enter novell.

As the pass phrase has to be entered every time the server starts,
you can prevent the server from being started automatically at
boot by entering the following:
insserv -r apache2

21. Open a web browser and enter the following:

https://accounting.da.com/
As the certificate used in this exercises is self-signed, the
browser displays a warning.

22. In the warning dialogs, select Continue and Forever to view the
web site.

23. In the login dialog, enter a username of geeko with a password

of novell.

24. After the page displays, close the web browser.

(End of Exercise)

Version 1 Copying all or part of this manual, 3-95

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 4 Configure a Samba Server as a File Server

Samba is a suite of applications used to integrate a Linux system
into a Windows network. Samba is most commonly used as a file
server for Windows hosts.

To configure a Samba file server, you need to know the following:

■ The Purpose and the Possibilities of Samba
■ How to Install and Set Up a Basic Samba Server
■ The Structure and Elements of the Samba Configuration File
■ How to Use the Samba Tools to Access SMB Shares from a
Linux Computer
■ How to Configure a File Server with User Authentication
■ Additional Possibilities with Samba

The Purpose and the Possibilities of Samba

The Server Message Block (SMB) protocol is a network protocol

that provides file and print services in a Windows network. Samba
enables Linux to use SMB so Linux can work in a Windows
environment.

You can use Samba for the following purposes:

■ Use the Samba server to provide file and print services for
Windows clients.
■ Use the Samba tools to access SMB file and print services on a
Linux system.
■ Use Samba as a domain controller for Windows clients.

SMB services are provided by the NetBIOS protocol. NetBIOS

makes its own name space available, which is completely different
from the domain name system.

3-96 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

This name space can be accessed with the Unique Naming

Convention (UNC) notation: all services provided by a server are
addressed as \\Server\Servicename.

File or print services offered by a server are also called shares.

The server side of Samba consists of 2 parts:

■ nmbd. This daemon handles all NetBIOS-related tasks.
■ smbd. This daemon provides file and print services for clients
in the network.

To integrate Linux as client in a Windows environment, Samba

provides 2 tools:
■ nmblookup. This tool can be used for NetBIOS name
resolution and testing.
■ smbclient. This tool provides access to SMB file and print
services.

How to Install and Set Up a Basic Samba Server

To set up a basic Samba server, you need to install the following

packages with YaST:
■ samba. This is the main Samba package. It contains the Samba
server software.
■ samba-client. This package contains the Samba client tools.
■ samba-doc. This package provides additional documentation
about Samba.

After the packages have been installed, you can start the 2 Samba
daemons with the following commands:
rcnmb start
rcsmb start

Version 1 Copying all or part of this manual, 3-97

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

To start the Samba services automatically when the system is

booting, enter the following commands:
insserv nmb
insserv smb

The Structure and Elements of the Samba

Configuration File

The Samba services are configured in the file /etc/samba/smb.conf.

The options in the this file are grouped into different sections. Each
section starts with a keyword in square brackets.

To set up a simple file server with Samba, do the following:

■ Create a Section for the General Server Configuration
■ Create a Section for the Files to be Shared

Create a Section for the General Server Configuration

The section for the general server configuration starts with the
keyword [global]. The following is an example of a basic global
section.
[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share

The entries of the global section in this example are shown and
described below:
workgroup = DigitalAirlines

This line sets the Windows workgroup of the Samba server (in this
case, DigitalAirlines).

3-98 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

netbios name = Fileserver

This line sets the name of the system in the NetBIOS name space
(in this case, Fileserver).
security = share

This line determines how a client has to authenticate itself when

accessing a share. This option can have the following values:
■ share. The client does not need to provide a password when
initially connecting to the server. However, a password might
be necessary when the client tries to access a share.
■ user. The client needs to provide a user name and password
when connecting to the server. Samba validates the password
against the users available on the Linux system and its own
password file.
■ server. The client needs to provide a user name and password
when it connects to the server. Samba contacts another SMB
server in the network to validate the password.
■ domain. The client needs to provided a user name and
password when connecting to the server. Samba connects to the
domain controller and validates the password. This works only
if Samba joins a Windows domain.
■ ads. Samba acts as domain member of an ADS realm to
validate the user name and password.

You might need to configure additional settings for these options to work
correctly. For more information, see the man page of smb.conf.

Version 1 Copying all or part of this manual, 3-99

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Create a Section for the Files to be Shared

After the global section, you need to add a section for the share of
your file server. The following example is the simplest way to set up
for a share:
[data]
comment = Data
path = /export
read only = Yes
guest ok = Yes

The entries of the section in this example are shown and described
below:
[data]

This is the identifier for the share. The share can later be accessed
with the address \\Fileserver\data.
comment = Data

This option is a comment with additional information about the

share. The comment is displayed when you browse the network
with Windows Explorer.
path = /srv/data

This option sets the path to the exported data on the local file
system. You have to make sure that the local user who needs to
access the files of this share has sufficient file system rights.
read only = Yes

If this option is set to yes, the client accessing the share is not
allowed to modify, delete or create any files.
guest ok = Yes

If this option is set to Yes, a password is not required to access the

share.

There many more configuration options available than those discussed in

this section. For an overview of all options, see the man page of smb.conf.

3-100 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

After you have created a smb.conf file, you should restart the
Samba server daemons.

Before you restart the daemons, you can test the syntax of the
Samba configuration file with the following command:
testparm

The output of the command looks like the following:

Load smb config files from /etc/samba/smb.conf
processing section "[data]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

In this case, no errors are found. If there were any errors in the file,
the command would display the errors grouped by configuration
sections.

How to Use the Samba Tools to Access SMB Shares

from a Linux Computer

Although the main purpose of Samba is to provide services for

Windows clients, it also provides tools to access SMB shares from
Linux. It doesn't matter if these shares are provided by Samba or a
native Windows server.

You can perform 3 basic tasks with the Samba tools:

■ Use nmblookup for Name Resolution in a NetBIOS Network
■ Use smbclient to Access SMB Shares
■ Mount SMB Shares into the Linux File System

Version 1 Copying all or part of this manual, 3-101

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Use nmblookup for Name Resolution in a NetBIOS Network

With the tool nmblookup, you can resolve NetBIOS names into IP
addresses. In the following example, the IP address for the Samba
server with the NetBIOS name Fileserver is looked up:
nmblookup Fileserver

The output of the command looks like the following:

querying Fileserver on 10.0.0.255
10.0.0.1 Fileserver<00>

In the first line, nmblookup states that it queries the IP address with
a broadcast to the address 10.0.0.255. In the second line, it displays
the result of the query, in this case, address 10.0.0.1 for the system
with the NetBIOS name Fileserver.

If the system you are querying is not in the same subnet as yours, the name
cannot be resolved with a broadcast query. Instead nmblookup, uses a
WINS server to resolve the name.

For more information, see the man page for nmblookup.

Use smbclient to Access SMB Shares

With the smbclient tool, you can access SMB shares on the
network. It's also a very useful tool to test a Samba server
configuration.

You can perform 3 basic tasks with smbclient.

■ Browse the Shares Provided by a Server
■ Access Files Provided by a SMB Server
■ Print on Printers Provides by a SMB Server

3-102 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Browse the Shares Provided by a Server

To display the shares offered by an SMB server, enter a command

such as the following.
smbclient -L //Fileserver

When smbclient asks for a password, press Enter to proceed.

The output of smbclient looks like the following:

Domain=[DigitalAirlines] OS=[Unix] Server=[Samba
3.0.4-SUSE]
Sharename Type Comment
--------- ---- -------
data Disk Data
IPC$ IPC IPC Service
ADMIN$ IPC IPC Service
Domain=[DigitalAirlines] OS=[Unix] Server=[Samba
3.0.4-SUSE]
Server Comment
--------- -------
Workgroup Master
--------- -------
DigitalAirlines Fileserver

smbclient first displays all available shares of the SMB server.

Beside the shares you have configured in the smb.conf file, an SMB
server always offers at least 2 other shares:
■ IPC$. This share provides information about the other shares
available on the SMB server.
■ ADMIN$. On a Windows computer this share points to the
directory where Windows itself is installed. This can be useful
for administrative tasks. When Samba tries to emulate a
Windows server, it also offers this share. However, it is not
needed to administer a Linux server.

The lower part of the smbclient output gives some information

about the workgroup of the system.

Version 1 Copying all or part of this manual, 3-103

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

This command can also very be valuable for testing purposes. After
you have set up a share, you can check the availability of the share
with smbclient.

Some shares are not browsable without authentication. In this case,

you can pass a user name to smbclient, as in the following:
smbclient -L //Fileserver -U tux

In the example, smbclient connects to the server with the user name
tux and prompt for the corresponding password.

Access Files Provided by an SMB Server

The command to access a share on a server is similar to the

command used to browse for available shares, but instead of
supplying just the server name, the full path to the share needs to be
supplied without the -L option.

In the following example, smbclient connects to the share data on

the server Fileserver:
smbclient //Fileserver/data

In this case, it is not necessary to supply a user name because the

share data is configured with the guest ok = yes option. A user name
can be supplied with the -U option.

After smbclient has connected to a share, it displays the following

prompt:
Smb: \>

Smbclient can be used like a command-line FTP client. The most

important commands are the following:
■ ls. Displays the content of the current directory.
■ cd. Changes to a directory.
■ get. Copies a file from the share to the current working
directory.

3-104 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

■ put. Copies a file to the share. The share must be writable to

use this command.

Print on Printers Provided by an SMB Server

You can use smbclient to print on shared network printers. The

basic syntax of a print command is shown in the following:
smbclient //Printserver/laser -c 'print letter.ps'

In this example, the file letter.ps is printed on a network printer

accessed through the share laser of the SMB server Printserver.

You can also use the command print on the smbclient command line
after you have connected to the server. The -c option performs the
given command automatically after the connection to the server has
been established.

Mount SMB Shares into the Linux File System

Instead of accessing shared files with smbclient, you can mount a

share into the file system like a hard disk partition or a CD-ROM
drive.

The basic mount command is shown in the following:

mount -t smbfs //Fileserver/data /mnt

In this example, the share data of the SMB server Fileserver is

mounted into the directory /mnt. The option -t smbfs is necessary to
specify that the resource to be mounted is an SMB share.

If the share requires authentication, you can supply a username and

password, as in the following:
mount -t smbfs -o username=tux,password=novell
//Fileserver/data /mnt

Version 1 Copying all or part of this manual, 3-105

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

How to Configure a File Server with User

Authentication

In the previous example, the Samba share is accessible with

supplying a user name and password. In most cases, this type of
accessibility in not recommended.

The following shows you how to configure Samba to require

authentication with a user name and password:
■ Prepare the Server for User Authentication
■ Configure a Share That is Accessible for Only One User
■ Configure Shared Access for a Group of Users
■ Configure the Export of Home Directories

Prepare the Server for User Authentication

The first task is to change the security option in the smb.conf file to
the following:
security = user

The value user for the option security forces user authentication
when the client attempts to connect to the server.

In the following examples, the configuration is based on User Level

Security. In this security level, the Windows-compatible encrypted
password file is stored in the file /etc/samba/smbpasswd (by
default).

Users who want to access SMB shares must first be created as

Linux users. Then an SMB password needs to be set using the
smbpasswd tool.

The following example sets a SMB password for the user tux:
smbpasswd -a tux

3-106 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Smbpasswd prompts you to enter the password twice and confirms

the setting of the password by displaying the following message:
New SMB password: novell
Reenter smb password: novell
Added user tux

If smbpasswd is called without any parameters, the current user can

change his SMB password. If smbpasswd is called with the -x
option followed by a user name, that user is deleted from the
smbpasswd file.

Configure a Share That Is Accessible to Only One User

The following example configures a share that is accessible only for

the user tux.
[tux-dir]
comment = Tux Directory
path = /srv/share
valid users = tux
read only = no

Each line of this share is listed and described below:

comment = Tux Directory

This option sets the comment for the share.

path = /srv/share

This option sets the path to the share.

valid users = tux

This option lists all user who are allowed to connect to this share.
User names have to be separated by commas. You can add an entire
UNIX group with the syntax @group_name. However, all the users
of the UNIX group need accounts in the smbpasswd file.

Version 1 Copying all or part of this manual, 3-107

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

read only = no

This option makes the share writable by setting the read only option
to no.

Configure Shared Access for a Group of Users

The following example creates a share that is readable and writable

for all users of the UNIX group accounting:
[accounting]
comment = Accounting department
path = /srv/share
valid users = @accounting
force user = tux
....force group = accounting
read only = no

Compared to the previous example, the following lines are new or

have changed:
valid users = @accounting

This line allows all users who are in the UNIX group accounting to
access the shared folder.
force user = tux

This line forces the Samba server to perform all file operations in
the shared folder as user tux. This ensures that all files in the shared
folder are readable and writable for every user who is allowed to
access the share.
....force group

This line forces the Samba server to perform all file operations with
the group accounting.

3-108 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Configure the Export of Home Directories

The following example exports the home directory of all UNIX

users of the Samba server. You need to add the users to the
smbpasswd file before the setup works:
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

In this example, you must name the share homes. If Samba finds a
share with this name in the configuration file, it is treated in a
special way.

When a share is requested, Samba first scans the existing sections of

the configuration file. If no section is found, Samba uses the
requested share name as a user name and looks up the user in the
local password file.

If the user is found and the the correct password is supplied, Samba
automatically creates a share for the home directory of the user.

The following shows and describes the lines in the example:

valid users = %S

The %S macro sets the value of the valid users option to the name
of the requested share.
read only = No

The exported home directory should be readable and writable for

the authenticated user.
browseable = No

For security reasons, the share is not browsable.

To access an exported home directory, use the address

//server_name/user_name.

Version 1 Copying all or part of this manual, 3-109

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Additional Possibilities with Samba

This section explained only the basic usage of Samba. Many more
features and configuration options are available to help you
customize Samba for your environment.

For example, you could

■ Use Samba as member server of a Windows domain.
■ Use Samba as domain controller.

You can find more information about Samba and the possible
configurations from the following:
■ The samba-doc package in the directory
/usr/share/doc/packages/samba/
■ The man page of smb.conf
■ The Samba project site at http://www.samba.org/

3-110 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Exercise 3-4: Configure a File Server With Samba.

In this exercise, you configure a file server with Samba by doing the
following:
■ Part I: Install Samba
■ Part II: Configure a Share for the User Geeko
■ Part III: Access the Share of the User Geeko With smbclient
■ Part IV: Mount Geeko' Share

Part I: Install Samba

Do the following:

1. From the KDE start menu, select System > YaST.

2. When prompted for the root password, enter novell.

3. From the YaST Control Center, select

Software > Install and Remove Software.

4. From the filter drop-down menu, select Search.

5. In the search field, enter samba; then select Search.

6. On the right, select the following packages:

■ samba
■ samba-client (if not already selected)

7. Install the selected packages by selecting Accept.

Version 1 Copying all or part of this manual, 3-111

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Part II: Configure a Share for the User Geeko

Do the following:

1. From a terminal window, su to root.

2. Change to the directory /etc/samba.

3. Save the default Samba configuration file by entering the

following:
mv smb.conf smb.save

4. Create the file smb.conf with a text editor.

5. Add the following lines to the configuration file:

[global]
workgroup = Accounting
netbios name = Fileserver_your_host_name
security = user

[geeko-dir]
comment = Geeko Directory
path = /srv/samba/geeko
valid users = geeko
read only = no
This file is available on your 3038 Course CD in the directory
/exercises/section_3.

6. Save and close the file.

7. Create the directory to export by entering the following

commands:
mkdir /srv/samba/
mkdir /srv/samba/geeko

8. Create a test file in the directory by entering the following:

touch /srv/samba/geeko/my_file

3-112 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

9. Adjust the directory permissions by entering the following

commands:
chown geeko /srv/samba/geeko
chown geeko /srv/samba/geeko/my_file

10. Add geeko to the file smbpasswd file by entering the following:
smbpasswd -a geeko

11. When prompted for a password, enter novell (twice).

12. Check the syntax of the configuration file by entering the

following:
testparm

13. Start the Samba servers by entering the following commands:

rcsmb start
rcnmb start

Part III: Access the Share of the User Geeko With smbclient

Do the following:

1. Open a terminal window as a normal user.

2. Access Geeko's share by entering the following:

smbclient -U geeko //localhost/geeko-dir

3. When prompted for a password, enter novell.

4. Display all available commands of smbclient by entering the

following:
help

5. List the content of the share by entering the following:

ls

Version 1 Copying all or part of this manual, 3-113

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

6. Copy the file my_file to the current directory by entering the

following:
get my_file

7. Exit smbclient by pressing Ctrl+D.

8. Verify that the file my_file has been copied.

Part IV: Mount Geeko's Share

Do the following:

1. From the terminal window, su to root.

2. Mount geeko's share in the directory /mnt by entering the

following:
mount -t smbfs -o username=geeko,password=novell
//localhost/geeko-dir /mnt

3. Display the content of the mounted share by entering the

following:
ls /mnt/
You should see the file my_file.

4. Umount the share by entering the following:

umount /mnt

(End of Exercise)

3-114 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Summary
The following is the summary of the objectives.

Objective Summary
1. Configure a DNS Server Using ■ DNS translates host names
BIND into IP addresses.
■ DNS is a distributed database.
■ Under SLES 9 you can use the
BIND software to set up your
own DNS server.
■ A caching-only DNS server is
not responsible for its own
domain, it just forwards
requests to other name
servers and caches the result
for later requests.
■ A master server is responsible
for its domain. It also provides
resource information to host
entries like the IP address of
the mail server.
■ DNS server information is
stored in zone files.
■ A slave DNS server receives
copies of the domain zone files
from the master server. Using
slave servers enhances the
reliability of the DNS.
■ On a client, the name
resolution is configured in the
files /etc/resolve.conf and /
etc/nsswitch.conf.
■ To query DNS from the
command line, you can use the
host and the dig commands.

Version 1 Copying all or part of this manual, 3-115

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
2. Deploy OpenLDAP on a SLES 9 ■ Directory services are tree-like
Server structured databases that
contain entry-based
information.
■ OpenLDAP is the most popular
open source LDAP directory
and is used for user
authentication in SLES 9.
■ If you did not configure an
OpenLDAP server during the
installation, you need to install
the following software
packages.
■ openldap2
■ openldap2-client
■ The configuration of the
OpenLDAP server is located in
the file
/etc/openldap/slapd.conf.
■ You can create passwords for
the administrator entry of the
configuration file with the
command slappasswd.
■ The default configuration file
for LDAP clients is
/etc/openldap/ldap.conf.
■ Use ldapadd to insert data
from LDIF files into the
directory.

3-116 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Objective Summary
■ Make sure that LDIF files
conform to Unicode.
■ Use ldapsearch to query
information from the directory.
■ Use ldapmodify to change
entries in the directory.
■ Use ldapdelete to delete
directory entries.
■ You can use the graphical
program GQ to browse and
query the directory.
3. Configure an Apache Web Server ■ Apache is the leading web
server software.
■ Apache delivers data to a web
browser using the HTTP
protocol.
■ For a basic web server, you
need to install the following
packages:
■ apache2
■ apache2-prefork
■ apache2-example-pages
■ The locally running web server
can be accessed using the
address http://localhost.
■ The default document root of
the web server is
/etc/www/htdocs.
■ The Apache configuration files
are located in the directory
/etc/apache2.
■ The options of the Apache
configuration files are called
directives.

Version 1 Copying all or part of this manual, 3-117

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
■ You can check the syntax of
the configuration file with the
command apache2ctl
configtest.
■ By configuring virtual hosts you
can host multiple domains on
one physical machine.
■ You need to create a
configuration file in the
directory
/etc/apache2/vhosts.d/ for
every virtual host.
■ You can limit the access to the
Apache web server
■ On an IP address basis
■ Based on user
authentication
■ To encrypt the connection
between the browser and
server, you can configure
Apache to use SSL.
■ To run a production system
under SSL, you need a
certificate signed by a CA.
■ To access an SSL-enabled
system, use an address
starting with https://.

3-118 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Configure Network Services

Objective Summary
4. Configure a Samba Server as a ■ Samba can be used to
File Server integrate a Linux system into a
Windows environment.
■ Windows services are
delivered using the SMB
protocol.
■ The network protocol NetBIOS
is used in a Windows
environment.
■ NetBIOS creates its own name
space independently from
DNS.
■ An SMB share can be
accessed with the address
schema
\\server_name\service_name.
■ Samba can be used for the
following purposes:
■ As a file and print server
■ To access SMB shares
■ As a domain controller
■ The Samba server is
configured in the file
/etc/samba/smb.conf.
■ The Samba configuration file is
structured in sections.
■ You can check the syntax of
the configuration file with the
command testparm.

Version 1 Copying all or part of this manual, 3-119

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
■ Use nmblookup to resolve
NetBIOS names to IP
addresses.
■ Use smbclient to access
shares from the command line.
■ Use mount -t smbfs to mount
SMB shares into the Linux file
system.
■ You can limit access to a
Samba server with user
authentication.

3-120 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

SECTION 4 Secure a SLES 9 Server

In this section, you learn how to create a general security policy and
how to secure a SLES 9 server against local attacks.

Objectives
1. Create a Security Concept
2. Limit Physical Access to Server Systems
3. Limit the Installed Software Packages
4. Understand the Linux User Authentication
5. Ensure File System Security
6. Use ACLs for Advanced Access Control
7. Configure Security Settings with YaST
8. Stay Informed About Security Issues
9. Apply Security Updates

Version 1 Copying all or part of this manual, 4-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
Given the number of press reports about attacks on computers, it is
not surprising that computer security is being taken more seriously.

Despite the increased interest in security not all administrators and

decision makers understand what security IT means and why this is
important to them.

An entire branch of the IT industry is concerned with security.

Many security products have been created in recent years. Firewall
solutions and antivirus software have become bestsellers, and yet an
important component of every security concept–perhaps even the
most important component–is being neglected. This is know-how.

Without the appropriate knowledge you cannot recognize and

understand security-critical issues in complex IT infrastructures.

This section begins with a general overview of security concepts.

This is because every aspect of security needs to be seen in the
context of the environment. It does not make sense to secure one
server when the same data can be stolen or manipulated on other
systems.

After the introduction, you will learn details about local security.
Local security covers every threat that can be caused by users of the
local system.

This section does not cover topics that belong to the area of network
security. Topics such as firewalls and packet filtering are beyond the
scope of this course.

4-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective 1 Create a Security Concept

“It is easy to run a secure computer system. You merely have to
disconnect all dial-up connections and permit only direct wired
terminals, put the machine and its terminals in a shielded room and
post a guard at the door.”

F.T. Grampp and R.H. Morris

It might be possible to operate a computer system in this secure

manner, but it's not practical. To deal with network problems in the
real world, a different security concept is required.

This objective does not provide sample solutions that can be

adapted to your own problem solving. Instead, you learn how to
create your own security concepts.

The process of creating a security concept consists of the following

parts:
■ Understand the Basics of a Security Concept
■ Perform a Communication Analysis
■ Analyze the Protection Requirements
■ Analyze the Current Situation and Necessary Enhancements

Version 1 Copying all or part of this manual, 4-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Understand the Basics of a Security Concept

First, you must know what you are protecting your system from. A
security concept for a computer used by multiple users at different
times is different from a security concept for an environment in
which many different users use multiple computers at the same
time.

If users work on different computers and use common resources,

such as disk space or printers, then a security concept pertaining to
a network must be considered.

The formal method of creating a security concept presented in this

section has been tried and proven in practice. It helps to detect
errors and sources of danger that are not obvious and provides good
documentation of the concept.

Perform a Communication Analysis

Creating a security concept begins with a communication analysis.

This includes analyzing the security situation and evaluating the
dangers.

Resources are differentiated according to what a user needs and

how the access to these resources are controlled.

If users should not have access to certain resources, you can assign
different access rights. For example, you can determine which user
groups can use a resource or if the user groups can only access the
resource during a certain time period.

4-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

By answering the following questions, you can learn valuable

information to use in developing a structured overall picture of your
security needs.
■ What information will be exchanged across which barriers
and in which direction?
A barrier can be the virtual barrier between the home
directories of two users in a UNIX system or a firewall between
two networks.
■ Which data packets will be transported with which
protocols to which hosts in the network?
The fewer protocols you use, the better security you will have,
simply because there are fewer sources of error.
■ What resources are available to individual users and with
which access rights?
Consider the resources users will need: printers, files on storage
media, the storage media themselves (such as CD-ROM
drives), sound cards, modems, fax cards, ISDN cards, network
services (such as FTP or HTTP), and the computing capacity of
CPUs.
■ Which resources must be available in each work area?
Even in small companies, different departments require
different resources.
■ Which data must users have access to and in which way?
It does not make sense to organize access to data for each
specific user individually. It is better to structure access rights
for user groups.
■ Which external users have external access to company
resources, what resources do they use, and how is access
controlled?
Pay special attention to the authenticating external users.
■

Version 1 Copying all or part of this manual, 4-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Which external resources does the company provide?

Usually this means web and mail servers and other Internet
services.
■ Should users be charged for resources?
Many organizations charge users or departments for expensive
resources (such as Internet bandwidth).
■ Which tasks must external service providers be involved in?
Determine if it is necessary to exchange any security-relevant
data with the external service provider?
■ How do security restrictions affect users, and how open are
users to these restrictions?
Users are more willing to live with restrictions if they
understand why the restrictions are needed.
■ Will you filter transmitted or stored information on
gateways between networks or on computers?
This applies to virus control, which should take place where the
viruses can be reliably detected, on workstations and file
servers.
■ How available do individual resources need to be?
Not every file server in the company needs to have a high
availability setup. This is why it is important to calculate
exactly what costs are incurred if a resource fails.

Analyze the Protection Requirements

After you have determined the communication demands, you need

to analyze the protection requirements for the data.

The expense of securing individual resources is determined by the

amount of potential damage that could be caused by an attack, a
faulty operation, or a natural catastrophe.

4-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

You should estimate the frequency of the occurrence of possible

damage to use in your calculations.

To determine your protection needs, ask yourself the following

questions:
■ Which groups of people can access which information?
Is there information reserved for management, while other
information is available to all employees?
■ Where is protected data located?
The degree of data protection needed determines the degree of
protection for each individual computer in the corresponding
network.
■ Which zones exist and what security needs do they have?
You should create corresponding security zones for computers
belonging to the same protection class.
■ What might happen to security zones if security barriers
are breached?
This question is not difficult to answer if the security zones
have previously been clearly defined.
■ Who are potential attackers?
You also need to estimate the financial and technical means of
the potential attackers.
■ What information is of special interest to others?
This question helps you group zones with different security
needs.
■ What are the remaining risks when the security concept is
implemented?
This question can only be asked at the end of the analysis.
Consider all questions asked, the relevant answers, and the
technical and organizational implementation of the security
concept.

Version 1 Copying all or part of this manual, 4-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Important parts of the communication analysis can be represented in

tables, also known as access matrices.

The following table shows a simple access matrix:

Proxy Server Web Server Mail Server

Workstation Office 8080

WorkstationWeb ssh
Designer 8080

Workstation Sysad 8080 ssh ssh

Mail Server Intranet smtp

It is often useful to have 2 columns for individual protocols,

matching the two transport directions (IN or OUT).

Besides application level gateways, routers with activated packet

filtering also count as firewalls.

Analyze the Current Situation and Necessary

Enhancements

A company-wide security policy should guarantee the

confidentiality, data integrity, availability, and transparency of a
company's business processes and prevent damage.

The security policy determines what security demands are required

for specific data and resources. The security policy should include
the analysis of the remaining risk. Risks that cannot be removed or
can only partially be removed by taking appropriate protective
measures should be highlighted.

The security policy always also describes the current actual state of
security. For this, information is needed on who is required to do
what to achieve the desired security level.

4-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The following table shows what topics need to be covered in the

security policy. The table also includes the physical access to the IT
infrastructure.

Security of How the components and their physical storage

network areas are secured against unauthorized
components access?
Actual state The network cabinets are freely accessible so
that each member of staff can patch his own
network connections.
Target state Technical rooms are locked, so only system
administrators have access.
Task The locks must be checked and keys assigned
to system administrators.
Date 2005-02-02
Responsible Jenny Doe, head of System Administration
Person department.
Estimated expense Approximately 5 days and $1200.
Done/checked 2005-03-01 Henry Boardman, Assistant to the
Board.

The reasons given in the description of the actual state show that:
■ Members of the staff need to be told why they can no longer
patch their network connections themselves.
■ Administrators must be made available to patch the network
connections in the future.

Version 1 Copying all or part of this manual, 4-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following table covers dial-up to and from the internal network:

Security of Do connections to other networks or dial-up

network possibilities to the internal network exist? How
components are these accesses protected?
Actual state In the departments of the U.S. branches, there
is an undefined number of Internet accesses
through a local provider. It is not known if the
computers used for the dial-up are connected to
the internal network. A number of administrators
are using Windows NT RAS access to
administer from home. The NT RAS is operated
using Chap and Callback. The situation at the
other locations is not known.
Target state There is no local Internet access. Members of
staff who require Internet access can obtain this
using the central firewall.
Task All worldwide locations are connected by VPN
to the headquarters in the U.S. in accordance
with a board decision. A 2 MB Internet access is
used in the headquarters, secured by a three-
level firewall with an application level gateway.
Local Internet access is removed.
Date 2005-03-30
Responsible Jenny Doe, head of System Administration
Person department. Management provides Ms. Doe
with appropriate powers.
Estimated expense Approximately 15 days and approximately
$200,000.
Done/checked 2005-03-30 Henry Boardman, Assistant to the
Board.

4-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The following tables cover other data security measures you should
consider:

Further security How are the servers protected against power

measures failure?
Actual state In all technical rooms, a UPS is installed so
servers automatically shut down in case of
power failure. The UPS and server connecting
cables are checked regularly.
Target state All servers are connected to a functioning UPS.
Actual state reflects target state.
Task
Date
Responsible
Person
Estimated expense
Done/checked 2005-01-12 Henry Boardman, Assistant to the
Board.

Further security What firefighting means are available?

measures
Actual state Suitable fire extinguishers are installed in front
of all technical rooms. Suitable fire detectors are
installed in all technical rooms. The large
technical rooms at the U.S. headquarters are
equipped with automatic fire extinguishing
equipment.
Target state Technical rooms are equipped with fire
detectors and extinguishers outside the doors to
the rooms. U.S. headquarters technical rooms
have automatic sprinklers installed. Actual state
reflects target state.
Task

Version 1 Copying all or part of this manual, 4-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Further security What firefighting means are available?

measures
Date
Responsible
Person
Estimated expense
Done/checked 2005-01-14 Henry Boardman, Assistant to the
Board.

Further security How is data security controlled? How are checks

measures made to determine whether the data stored is
usable?
Actual state Important servers and workplace machines are
equipped with tape drives. Backups take place
daily. Responsibility for data backups lies with
those members of staff in the technical
departments who have been briefed for this.
Target state At each location, backups are made on tape
libraries by means of network backup software.
The tapes are cloned, regularly recycled, and
stored in fireproof safes.
Task A data backup concept must be drawn up and
implemented. An external consultant should be
hired.
Date 2005-04-22
Responsible Jenny Doe, head of System Administration
Person department. Management provides Ms. Doe with
appropriate powers.
Estimated A cost estimate will be made by an external
expense consultant.
Done/checked 2005-01-14 Florian Sailer, Co-Assistant to the
Board.

4-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Further security How can we guarantee that available software

measures updates to close known security loopholes are
tested and installed?
Actual state Installing software updates is left to the
judgment of the appropriate administrator, but
this is discussed in detail with colleagues and
suppliers or vendors.
Target state Software updates will be recorded, tested, and
released company-wide by two accountable
members of staff. Security-relevant software
updates will be installed especially on systems
in the demilitarized zone. Only in exceptional
cases, justified in writing, will software updates
in the DMZ be delayed. In such cases, the head
of System Administration must determine if
other kinds of protective measures can be used.
Task The head of the System Administration
department will name two system administrators
who will design a software update concept and
who will then be responsible for software
updates.
Date 2005-03-30
Responsible Jenny Doe, head of System Administration
Person department
Estimated expense Approximately 4 days for designing the concept.
The running costs will be included in the
concept.
Done/Checked 2005-03-30 Henry Boardman, Assistant to the
Board.

Version 1 Copying all or part of this manual, 4-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The next table covers the virus protection of the IT systems:

Further security How are the systems protected from malicious

measures software viruses?
Actual state Virus scanners are only installed on certain
workplace computers.
Target state Virus scanners with a frequent update service
are installed on all file servers and workstations.
Current virus signatures can be downloaded at
any time from the Internet from the server of the
virus scanner vendor. The virus scanners on
workstations obtain the virus signatures from a
central server, so new virus signatures only
need to be installed once. To monitor the file
servers, the product of a different vendor than
the product monitoring the workstations is used.
Overall, an efficient, two-level virus defense
concept is implemented.
Task The head of the System Administration
department names two accountable persons
who will design a virus defense concept and
who will later on be responsible for the
operation of the virus defense.
Date 2005-03-30
Responsible Jenny Doe, head of System Administration
Person department.
Estimated expense Approximately 10 days for the product
evaluation and concept design. Operating costs
will be included in the concept.
Done/checked 2005-03-30 Florian Sailer, Co-Assistant to the
Board.

4-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The following table covers the documentation of the IT

infrastructure:

Further security How is the system configuration documented?

measures
Actual state Everyone who has configured a machine on the
network writes down or remembers the
configuration data.
Target state All system configurations (hardware and
software) are documented centrally in electronic
form at the corresponding location. System
administrators at the U.S. headquarters can
access the documentation from all locations.
Task The head of the System Administration
department shall name two system
administrators who will draw up documentation
guidelines.
Date 2005-03-30
Responsible Jenny Doe, head of System Administration
Person department.
Estimated expense Approximately 20 days to design a concept. The
estimated cost of implementing this will be
included in the concept.
Done/checked 2005-03-30 Henry Boardman, Assistant to the
Board.

The examples shown above should not be considered as a template for

your own security policy. Every company has its own demands and issues
to be solved. The tables should give you an idea of ways to enhance the IT
security in your company.

Version 1 Copying all or part of this manual, 4-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 2 Limit Physical Access to Server Systems

If a server is not protected from unauthorized physical access, even
the best software configuration cannot prevent someone from
misusing it. By rebooting a system from a floppy or CD, or by
passing boot parameters to the Linux kernel, someone can access
the server without knowing the password.

To prevent unauthorized users from physically accessing the server,

do the following:
■ Place the Server in a Separate, Locked Room
■ Secure the BIOS with a Password
■ Secure the GRUB Boot Loader with a Password

Place the Server in a Separate, Locked Room

The best way to prevent physical access to a server is to lock the

server in a dedicated server room. We highly recommended that you
do this for every production system.

The server room should be locked with a solid door, and only
system administrators should have access. The room should be
protected against fire and be equipped with an automatic fire
extinguishing system.

What can be done depends on the size of the company and on the
available financial resources. At the least, a separated locked room
for all servers is recommended.

4-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Secure the BIOS with a Password

For test systems or workstations that are not placed in a secure

room, there are some things you can do to make it more difficult to
access a system without an account.

One of these is to set a password for the BIOS setup.

The BIOS represents the lowest level of software and lies

underneath the operating system. Modern BIOS versions give you
the option of protecting the boot process with a password. You can
also protect the BIOS settings and prevent the system from booting
from media like floppies or CDs.

The exact procedure for protecting the BIOS depends on the BIOS vendor
and version. For more details on this, please consult your vendor
documentation.

By preventing the system from booting from a different media, only

the installed system can be started. This system is password
protected and cannot be accessed without any further effort.
However, a BIOS password is never a replacement for a dedicated
server room.

Secure the GRUB Boot Loader with a Password

Another way to misuse physical access to a Linux system is to

reboot and pass additional parameters to the kernel. This makes it
possible to start and access the system without entering a password.

The boot loader GRUB can be configured to prompt for a password

before any parameters can be entered. To do this, you need to create
an encrypted password with the following parameter.
grub-md5-crypt

GRUB asks for a password that needs to be confirmed once and

outputs an encrypted string. This string looks like the following:
$1$SEVCU0$S.7WQL05kHiK4VKDsKtfI0

Version 1 Copying all or part of this manual, 4-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Then the password needs to be added to the GRUB configuration

file as follows:
/boot/grub/menu.lst

You can find the global section at the beginning of the configuration
file. The password needs to be placed into that section as shown in
the following example:
color white/blue black/light-gray
default 0
timeout 8
gfxmenu (hd0,5)/boot/message
password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1

4-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective 3 Limit the Installed Software Packages

Every software package that is installed on a system, but is not
needed by that system, should be removed from a production sever.

The more software is installed, the more possible security problems

can occur. For example, it does not make sense to install an X
Server and graphical applications on a system that is exclusively
used as web server.

To set up a production system, you can use the minimal system as a

base for the software selection during the installation. Then you can
manually add just those software packages that are needed.

This rule is especially true for network daemons. A server should

never offer any network services that are not needed. For example,
if a server is used as a dedicated file server, it is not necessary to run
a postfix mail server on the same system.

You can use the the following command to check which services are
configured to start and their run levels:
chkconfig -l

The command displays a line for every service installed on the

system. The following line shows the configuration of the Samba
server:
smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off

After the service name, the configuration for all six default run
levels is displayed. On means the service is configured to be started
in the corresponding run level; off means the service will not be
started.

You can use the following command to remove a service from its
default run levels:
insserv -r <service_name>

Version 1 Copying all or part of this manual, 4-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Removing a service from the run level configuration does not stop an
already running daemon. A daemon that is already running needs to be
stopped manually or the system needs to be rebooted to start with the new
run-level configuration.

4-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective 4 Understand the Linux User Authentication

User authentication plays a central role in IT security. Users are
almost always granted access to programs and data based on
password authentication.

Even the best mechanisms for administering and setting user

permissions would be useless if a normal user could log in to a
system as the system administrator.

Authentication on a Linux system is based on Pluggable

Authentication Modules (PAM). To understand and use PAM
properly, you need to do the following:
■ Understand How PAM Works
■ Understand PAM Configuration
■ Understand the Requirements for a Secure Password

Understand How PAM Works

The Pluggable Authentication Modules (PAM) for Linux is a

collection of software modules that handle the authentication
process. A Linux system administrator can use these modules to
configure the way programs should authenticate users.

For example, if a user logs into a Linux system on a virtual terminal,

a program called login is usually involved in this process.

Login requires a user's login name and the password. The password
is encrypted and then compared with the encrypted password stored
in an authentication database. If the encrypted passwords are
identical, login grants the user access to the system by starting the
user´s login shell.

This is sufficient if authentication is done using Linux or UNX

passwords. If other authentication procedures are used, such as chip
cards instead of passwords, all programs that perform user
authentication must be able to work together with these chip cards.

Version 1 Copying all or part of this manual, 4-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Before PAM was introduced, login and all other applications that
handle authentication like FTP, SSH, or the KDM Display Manager
had to be extended to support a chip card reader.

PAM makes things easier. PAM creates a software level with clearly
defined interfaces between applications (such as login) and the
current authentication mechanism. Instead of modifying every
program, a new PAM module just needs to be added to enable
authentication with a chip card reader.

The following graphic illustrates the role of PAM:

Applications that handle authentication

login SSH FTP ...

PAM

passwd LDAP SmartCard ...

Authentication mechanisms

4-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Understand PAM Configuration

The PAM modules are located in the directory:

/lib/security

Every filename of a module starts with the prefix pam_.

PAM configuration is done in the following directory:

/etc/pam.d/

This directory contains a configuration file for every application

that uses PAM. The name of the configuration file usually
corresponds to the name of the application. For example, the name
of the configuration file for the application login is also login.

There is one special configuration file with the name other. This file
contains the default configuration if no application-specific file is
found.

Every line in a configuration file enables a PAM module. Each line

consists from the left to the right of the following entries:
■ module-type. One of four PAM module types. The four types
are as follows:
■ auth. These modules provide two ways of authenticating
the user. First, it establishes that the user is who he claims
to be by instructing the application to prompt the user for a
password or other means of identification. Second, the
module can grant group membership or other privileges
through its credential granting properties.
■ account. These modules perform nonauthentication based
account management. It is typically used to restrict or
permit access to a service based on the time of day,
currently available system resources (maximum number of
users) or perhaps the location of the applicant user (for
example, to limit `root' login to the console).

Version 1 Copying all or part of this manual, 4-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ session. These modules are associated with performing

tasks that need to be done for the user before she can be
given access to a service or after a service is provided to
her. Such things include logging information concerning
mounting directories and the opening and closing of some
data exchange with another user.
■ password. This last module type is required for updating
the authentication token associated with the user. Typically,
there is one module for each challenge/response-based
authentication (auth) module type.
Some PAM modules (such as pam_unix2.so) can be used for
different module type settings listed below:
■ control-flag. The control-flag indicates how PAM will react to
the success or failure of the module it is associated with. Since
modules can be stacked (modules of the same type execute in a
series, one after another), the control-flags determine the
relative importance of each module.
The Linux-PAM library interprets these keywords in the
following manner:
■ required. This indicates that the success of the module is
required for the module-type facility to succeed. Failure of
this module is not apparent to the user until all of the
remaining modules (of the same module-type) have been
executed.
■ requisite. Like required, however, in the case that such a
module returns a failure, control is directly returned to the
application. The return value is associated with the first
required or requisite module to fail.
■ sufficient. The success of this module is deemed
“sufficient” to satisfy the Linux-PAM library that this
module-type has succeeded in its purpose. If no previous
required module has failed, no more “stacked” modules of
this type are invoked. Even if this module type fails, the
application can be satisfied that the module type has
succeeded.

4-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

■ optional. As its name suggests, this control-flag marks the

module as not being critical to the success or failure of the
user's application for service.
■ module-path. The pathname to the module itself. If the first
character of the module path is /, it is assumed to be a complete
path. If this is not the case, the given module path is appended
to the default module path /lib/security.
■ args. The args are a list of tokens that are passed to the module
when it is invoked, much like arguments to a typical Linux shell
command. Valid arguments are usually optional and are specific
to any given module.

The following is the default configuration file for the login program
on SLES 9:
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok
use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so

The configured modules perform the following tasks:

auth requisite pam_unix2.so nullok

The module pam_unix2.so is used during the authentication process

to validate the login and password provided by the user. The control
flag is set to requisite; that means that a failure of this module (such
as a wrong password) stops the whole authentication process.

Version 1 Copying all or part of this manual, 4-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

auth required pam_securetty.so

This module checks the file /etc/securetty for a list of valid login
terminals. If a terminal is not listed in that file, the login is denied
from that terminal. This concerns only the root user.
auth required pam_nologin.so

This module checks whether a file /etc/nologin exists. If such a file

is found, login is denied for all but the root user.
auth required pam_env.so

This module can be used to set additional environment variables.

The variables can be configured in the file
/etc/security/pam_env.conf
auth required pam_mail.so

This module displays a message if any new mail is in the user's mail
box. It also sets an environment variable pointing to the
user´s mail directory.
account required pam_unix2.so

In this entry the pam_unix2.so module is used again, but in this case
it checks whether the password of the user is still valid or if the user
needs to create a new one.
password required pam_pwcheck.so nullok

This is an entry for a module of the type password. It is used when a

user attempts to change the password. In this case, the module
pam_pwcheck.so is used to check if a new password is secure
enough.
password required pam_unix2.so nullok
use_first_pass use_authtok

The pam_unix2.so module is also necessary when changing a

password. It takes the new password, encrypts it, and writes it to the
authentication database.

4-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

session required pam_unix2.so none

Here the session component of the pam_unix2.so module is used. It

uses the syslog daemon to log the user's login.
session required pam_limits.so

The pam_limits.so sets resource limits for the users that can be
configured in the file /etc/security/limits.conf.

For an overview of the default PAM modules and their configuration

options consult the PAM documentation under
/usr/share/doc/packages/pam.

Third party vendors can supply other PAM modules to enable specific
authentication features for their products, such as the PAM modules that
enable Novell´s Linux User Management (LUM) authentication with
eDirectory.

Understand the Requirements for a Secure Password

Even the best security setup for a system can be defeated if users
choose easy to guess passwords. With today's computing power, a
simple computer can be used to crack an easy password within
seconds. These attacks are also called dictionary attacks, as the
password cracking program just tries one word after another from a
dictionary file.

Therefore, a password should never be a word which could be

found in a dictionary. A good, secure password should always
contain some numbers and uppercase characters.

To check whether user passwords fulfill this requirement, you can

enable a special PAM module cto test a password first before a user
can set it. The PAM module is called pam_pwcheck.so and uses the
cracklib library to test the security of passwords.

By default, this PAM module is enabled on SLES 9.

Version 1 Copying all or part of this manual, 4-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

If a user enters a password that is not secure enough, the following

message is displayed:
Bad password: too simple

and the user is prompted enter a different one.

There are also dedicated password check programs available like

John the Ripper (http://www.openwall.com/john/).

You can also force users to change their passwords after a specific
period of time.

4-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Exercise 4-1: Change the PAM Configuration to Disable the

Graphical Root Login

In this exercise, you change the PAM configuration by doing the

following:

1. Log out from the KDE desktop environment.

2. When the KDM login screen appears, log in with the following:
■ Username: root
■ Password: novell

Notice that you can log in as root without a root entry in the
login screen.

3. Log out again from the KDE desktop environment.

4. Log in as geeko with a password of N0v3ll.

5. Open a terminal window and su to root.

6. Open the file /etc/pam.d/xdm in a text editor.

7. Add the following as the second line of the file:

auth required pam_securetty.so

8. Save and close the file.

9. Log out and try to log in as root user at the KDM login screen
again.

The root login is denied.

10. Log in as geeko again.

If you cannot log in as geeko, restart the X server using

Ctrl+Alt+Backspace and try again. You might also need to reboot
your server.

11. Open a terminal window and su to root.

Version 1 Copying all or part of this manual, 4-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

12. Open the file /etc/pam.d/xdm in a text editor and remove or

comment out the following line (the line you added):
auth required pam_securetty.so

13. Save and close the file.

14. Log out and try to log in as root at the KDM login screen again.

You can now log in as root.

If you cannot log in as root, restart the X-server using

Ctrl+Alt+Backspace and try again.

(End of Exercise)

4-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective 5 Ensure File System Security

After a user has logged in to the system, what he can and can't do is
mainly determined by the security settings of the file system.

In UNIX systems like Linux, file system security is especially

important as every resource available on the system is represented
as a file. For example, when a user tries to access the sound card to
play back audio data, the access rights of the sound card are
determined by the permission settings of the corresponding device
file in the /dev directory.

To ensure a basic file system security, do the following:

■ Understand the Basic Rule for User Write Access
■ Understand the Basic Rule for User Read Access
■ Understand How Special File Permissions Affect the Security
of the System

Understand the Basic Rule for User Write Access

The file systems used in Linux are structurally UNIX file systems.
They support the typical file access permissions (read, write,
execute, sticky bit, SUID, SGID, etc.). Apart from additional
standard functionalities, such as various time stamps, the access
permissions can be administered separately for file owners, user
groups, and the rest of the world (user, group, other).

As a general rule, a normal user should only have write access in

the following directories:
■ The home directory of the user
■ The /tmp directory to store temporary files

Depending on the purpose of a computer other directories can be

writable by users. For example, if you install a Samba file server, a
writable share needs a directory that is also writable for the UNIX
user the connection is mapped to.

Version 1 Copying all or part of this manual, 4-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Some device files (like those for sound cards) might also be
writable for users since applications need to send data to the
corresponding devices.

Understand the Basic Rule for User Read Access

Some files in the system should be protected from user read access.
This is important for files that store passwords.

No normal user account should be able to read the content of such

files. Even when the passwords in a file are encrypted, the files
must be protected from any unauthorized access.

The following lists some files containing passwords on a Linux

system.
■ /etc/shadow. This file contains user passwords in an encrypted
form. Even when LDAP is used for user authentication, this file
contains at least the root password.
■ /etc/samba/smbpasswd. This file contains the passwords for
Samba users.
■ Files with Apache passwords. The location of these files
depend on your configuration. They contain passwords for the
authorized access to the web server.
■ /etc/openldap/slapd.conf. This file contains the root password
for the openLDAP server.
■ /boot/grub/menu.lst. This file can contain the password for the
GRUB boot loader.

This list is not complete. There can be more password files on your system,
depending on your system configuration and your software selection.

Some password files can be readable for a nonroot account. This is

normally the account under which user ID a service daemon is
running. For example, the Apache web server runs under the user id
of the user wwwrun. Therefore the password files must be readable
for the user wwwrun.

4-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

In this case you have to make sure that only this daemon account
can read the file and not any other user.

Understand How Special File Permissions Affect the

Security of the System

There are three file system rights that influence the security in a
special way:
■ The SUID bit. If the SUID bit is set for an executable, the
program is started under the user ID of the owner of the file. In
most cases, this is used to allow normal users to run application
with the rights of the root users.
This bit should only be set for applications that are well tested
and in cases where no other way can be used to grant access to
a specific task.
An attacker could get access to the root account by exploiting
an application that runs under the UID of root.
■ The SGID bit. If this bit is set, it lets a program run under the
GID of the group the executable file belongs to. It should be
used as carefully as the SUID bit.
■ The sticky bit. The sticky bit can influence the security of a
system in a positive way. In a globally writable directory, it
prevents users from deleting each others files that are stored in
these directories.
Typical application areas for the sticky bit include directories
for temporary storage (such as /tmp and /var/tmp). Such a
directory must be writable by all users of a system. However,
the write permissions for a directory do not only include the
permission to create files and subdirectories, but also the
permission to delete these, regardless of whether the user has
access to these files and subdirectories.
If the sticky bit is set for such a writable directory, deleting or
renaming files in this directory is only possible if one of the
following conditions is fulfilled:

Version 1 Copying all or part of this manual, 4-33

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ The effective UID of the deleting or renaming process is

that of the file owner.
■ The effective UID of the deleting or renaming process is
that of the owner of the writable directory marked with the
sticky bit.
■ The superuser root is allowed to do anything.

4-34 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective 6 Use ACLs for Advanced Access Control

To use ACLs for advanced file system access control you do the
following:
■ Understand the Basics of ACLs
■ Understand Important ACL Terms
■ Understand ACL Types
■ Understand How ACLs and Permission Bits Map to Each Other
■ Use the ACL Command Line Tools
■ Configure a Directory with an Access ACL
■ Configure a Directory with a Default ACL
■ Understand the ACL Check Algorithm
■ Understand How Applications Handle ACLs

Understand the Basics of ACLs

Traditionally, three sets of permissions are defined for each file

object on a Linux system. These sets include the read (r), write (w),
and execute (x) permissions for each of three types of users the file
owner, the group, and other users.

This concept is adequate for most practical cases. In the past

however, for more complex scenarios or advanced applications,
system administrators had to use a number of tricks to circumvent
the limitations of the traditional permission concept.

ACLs (Access Control Lists) provide an extension of the traditional

file permission concept. They allow you to assign permissions to
individual users or groups even if these do not correspond to the
original owner or the owning group.

Version 1 Copying all or part of this manual, 4-35

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

ACLs are a feature of the Linux kernel and are supported by the
ReiserFS, Ext2, Ext3, JFS, and XFS file systems. Using ACLs, you
can create complex scenarios without implementing complex
permission models on the application level.

The advantages of ACLs are clearly evident in situations like

replacing a Windows server with a Linux server providing file and
print services with Samba.

Since Samba supports ACLs, user permissions can be configured

both on the Linux server and in Windows with a graphical user
interface (only on Windows NT and later).

With winbindd, it is even possible to assign permissions to users

that only exist in the Windows domain without any account on the
Linux server.

Understand Important ACL Terms

The following list defines terms concerning ACLs:

■ user class. The conventional POSIX permission concept uses
three classes of users for assigning permissions in the file
system: the owner, the owning group, and other users.
Three permission bits can be set for each user class, giving
permission to read (r), write (w), and execute (x).
■ access ACL. The user and group access permissions for all
kinds of file system objects (files and directories) are
determined by access ACLs.
■ default ACL. Default ACLs can only be applied to directories.
They determine the permissions a file system object inherits
from its parent directory when it is created.
■ ACL entry. Each ACL consists of a set of ACL entries. An
ACL entry contains a type, a qualifier for the user or group to
which the entry refers, and a set of permissions. For some entry
types, the qualifier for the group or users is undefined.

4-36 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Understand ACL Types

There are two basic classes of ACLs:

■ A minimum ACL comprises the entries for the types owner,
owning group, and other, which correspond to the conventional
permission bits for files and directories.
■ An extended ACL goes beyond this. It contains a mask entry
and can contain several entries of the named user and named
group types.

ACLs extend the classic Linux file permission by the following

permission types:
■ named user. With this type, you can assign permissions to one
or more users.
■ named group. With this type, you can assign permissions to
one or more groups.
■ mask. With this type, you can limit the permissions of named
users or groups.
The following is an overview of all possible ACL types:

Type Text Form

owner user::rwx
named user user:name:rwx
owning group group::rwx
named group group:name:rwx
mask mask::rwx
other other::rwx

The permissions defined in the entries owner and other are always
effective. Except for the mask entry, all other entries (named user,
owning group, and named group) can be either effective or masked.

Version 1 Copying all or part of this manual, 4-37

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

If permissions exist in the named user, owning group, or named

group entries as well as in the mask, they are effective. Permissions
contained only in the mask or only in the actual entry are not
effective.

This means that the entries for named user, owning group, and
named group are combined by a logical AND with the mask entry.

The following example determines the effective permissions for the

user jane.

Entry Type Text Form Permissions

named user user:jane:r-x r-x
mask mask::rw- rw
Effective permissions: r--

The ACL contains two entries, one for the named user jane and one
mask entry. Jane has permissions to read and execute the
corresponding file, but the mask only contains permissions for
reading and writing. Because of the AND combination, the effective
rights allow jane to read the file only.

4-38 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Understand How ACLs and Permission Bits Map to

Each Other

When you assign an ACL to a file or directory, the permissions set

in the ACL are mapped to the standard UNIX permissions.

The following figure illustrates the mapping of a minimum ACL:

The figure is structured in three blocks:

■ The left block shows the type specifications of the ACL entries.
■ The center block displays an example ACL.
■ The right block shows the respective permission bits according
to the conventional permission concept as displayed by ls -l, for
example.

The following is an example of an extended ACL:

Version 1 Copying all or part of this manual, 4-39

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In both cases, the owner class permissions are mapped to the ACL
entry owner. Other class permissions are mapped to their respective
ACL entries. However, the mapping of the group class permissions
is different in the second case.

In the case of a minimum ACL without a mask, the group class

permissions are mapped to the ACL entry owning group. In the case
of an extended ACL with a mask, the group class permissions are
mapped to the mask entry.

This mapping approach ensures the smooth interaction of

applications, regardless of whether they have ACL support.

The access permissions that were assigned by permission bits

represent the upper limit for all other adjustments made by ACLs.

Any permissions not reflected here are either not in the ACL or are
not effective. Changes made to the permission bits are reflected by
the ACL and vice versa.

Use the ACL Command Line Tools

To manage the ACL settings, you can use the following command
line tools:
■ getfacl. The command getfacl can be used to display the ACL
of a file.
■ setfacl. The command setfacl can be used to change the ACL of
a file.

4-40 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The following are the most important options for the setfacl
command:

Option Meaning
-m Adds or modifies an ACL entry.
-x Removes an ACL entry.
-d Sets a default ACL.
-b Removes all extended ACL entries.

The options -m and -x expect an ACL definition on the command

line. The following are the definitions for the extended ACL types:
■ named user. The following is an example entry for the user
tux:
setfacl -m u:tux:rx my_file
The user tux gets read and execute permissions for the file
my_file.
■ named groups. The following is an example entry for the
group accounting:
setfacl -m g:accounting:rw my_file
The group accounting gets read and write permissions for the
file my_file.
■ mask. Sets the ACL mask:
setfacl -m m:rx
Sets the mask for the read and execute permissions.

Version 1 Copying all or part of this manual, 4-41

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Configure a Directory with an Access ACL

To configure a directory with ACL access, do the following:

1. Before you create the directory, use the umask command to

define which access permissions should be masked each time a
file object is created.
The command umask 027 sets the default permissions by giving
the owner the full range of permissions (0), denying the group
write access (2), and giving other users no permissions at all
(7).
umask actually masks the corresponding permission bits or
turns them off.

For more information about umask, see the corresponding man page
man umask.

The command mkdir mydir should create the mydir directory

with the default permissions as set by umask. Enter the
following command to check if all permissions were assigned
correctly:
ls -dl mydir
drwxr-x--- ... tux project3 ... mydir

2. Check the initial state of the ACL by entering the following

command:
getfacl mydir.
The output of the command looks like the following:
# file: mydir
# owner: tux
# group: project3
user::rwx
group::r-x
other::---

4-42 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The output of getfacl precisely reflects the mapping of

permission bits and ACL entries as described before. The first
three output lines display the name, owner, and owning group
of the directory.
The next three lines contain the three ACL. In fact, in the case
of this minimum ACL, the getfacl command does not produce
any information you could not have obtained with ls.
Your first modification of the ACL is the assignment of read,
write, and execute permissions to an additional user jane and an
additional group jungle:
setfacl -m user:jane:rwx,group:jungle:rwx mydir
The option -m prompts setfacl to modify the existing ACL. The
following argument indicates the ACL entries to modify
(several entries are separated by commas). The final part
specifies the name of the directory to which these modifications
should be applied.
Use the getfacl command to take a look at the resulting ACL:
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
In addition to the entries initiated for the user jane and the
group jungle, a mask entry has been generated.
This mask entry is set automatically to reduce all entries in the
group class to a common denominator. Furthermore, setfacl
automatically adapts existing mask entries to the settings you
modified, provided you do not deactivate this feature with -n.

Version 1 Copying all or part of this manual, 4-43

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The mask type defines the maximum effective access

permissions for all entries in the group class. This includes
named user, named group, and owning group.
The group class permission bits that would be displayed by
ls -dl mydir now correspond to the mask entry:
drwxrwx---+ ... tux project3 ... mydir
The first column of the output now contains an additional + to
indicate that there is an extended ACL for this item.

3. According to the output of the ls command, the permissions for

the mask entry include write access. Traditionally, such
permission bits would mean that the owning group (in this
example project3) also has write access to the directory mydir.
However, the effective access permissions for the owning group
correspond to the overlapping portion of the permissions
defined for the owning group and for the mask, which is r-x in
the example.
As far as the effective permissions of the owning group are
concerned, nothing has changed even after adding the ACL
entries.
In the following example, the write permission for the owning
group is removed with the chmod command.
chmod g-w mydir
ls -dl mydir
drwxr-x---+ ... tux project3 ... mydir
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx # effective: r-x
group::r-x
group:jungle:rwx # effective: r-x
mask::r-x
other::---

4-44 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

After executing the chmod command to remove the write

permission from the group class bits, the output of the ls
command is sufficient to see that the mask bits have changed
accordingly: write permission is again limited to the owner of
mydir.
The output of the getfacl confirms this. This output includes a
comment for all those entries in which the effective permission
bits do not correspond to the original permissions because they
are filtered according to the mask entry.
The original permissions can be restored at any time with
chmod:
chmod g+w mydir
ls -dl mydir
drwxrwx---+ ... tux project3 ... mydir
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x g
group:jungle:rwx
mask::rwx
other::---

Configure a Directory with a Default ACL

Directories can have a default ACL, which is a special kind of ACL

that defines the access permissions that objects under the directory
inherit when they are created. A default ACL affects subdirectories
as well as files.

Version 1 Copying all or part of this manual, 4-45

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

There are two different ways in which the permissions of a

directory's default ACL are passed to the files and subdirectories in
it:
■ A subdirectory inherits the default ACL of the parent directory
both as its own default ACL and as an access ACL.
■ A file inherits the default ACL as its own access ACL.

All system functions that create file system objects use a mode
parameter that defines the access permissions for the newly created
file system object.

If the parent directory does not have a default ACL, the permission
bits as defined by the umask are subtracted from the permissions as
passed by the mode parameter, with the result being assigned to the
new object.

If a default ACL exists for the parent directory, the permission bits
assigned to the new object correspond to the overlapping portion of
the permissions of the mode parameter and those that are defined in
the default ACL. The umask command is disregarded in this case.

The following three examples show the main operations for

directories and default ACLs:
■ Add a default ACL to the existing directory mydir with the
following command:
setfacl -d -m group:jungle:r-x mydir
The option -d of the setfacl command prompts setfacl to
perform the following modifications (option -m) in the default
ACL.
Take a closer look at the result of this command:
getfacl mydir

# file: mydir
# owner: tux
# group: project3
user::rwx

4-46 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
getfacl returns both the access ACL and the default ACL. The
default ACL is formed by all lines that start with default.
Although you merely executed the setfacl command with an
entry for the jungle group for the default ACL, setfacl
automatically copied all other entries from the access ACL to
create a valid default ACL.
Default ACLs do not have an immediate effect on access
permissions. They only come into play when file system objects
are created. These new objects inherit permissions only from
the default ACL of their parent directory.

 In the next example, use mkdir to create a subdirectory in mydir,

which inherits the default ACL.
mkdir mydir/mysubdir
getfacl mydir/mysubdir
# file: mydir/mysubdir
# owner: tux
# group: project3
user::rwx
group::r-x
group:jungle:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---

Version 1 Copying all or part of this manual, 4-47

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

As expected, the newly-created subdirectory mysubdir has

permissions from the default ACL of the parent directory.
The access ACL of mysubdir is an exact reflection of the
default ACL of mydir, as is the default ACL that this directory
hands down to its subordinate objects.

 Use touch to create a file in the mydir directory:

touch mydir/myfile
ls -l mydir/myfile
-rw-r-----+ ... tux project3 ... mydir/myfile
getfacl mydir/myfile
# file: mydir/myfile
# owner: tux
# group: project3
user::rwgroup:: r-x # effective:r--
group:jungle:r-x # effective:r--
mask::r--
other::---
touch passes a mode with the value 0666, which means that
new files are created with read and write permissions for all
user classes, provided no other restrictions exist in umask or in
the default ACL.
In effect, this means that all access permissions not contained in
the mode value are removed from the respective ACL entries.
Although no permissions were removed from the ACL entry of
the group class, the mask entry was modified to mask
permissions not set using mode.
This approach ensures the smooth interaction of applications,
such as compilers, with ACLs. You can create files with
restricted access permissions and subsequently assign them as
executable. The mask mechanism guarantees that the right users
and groups can execute them as desired.

4-48 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Understand the ACL Check Algorithm

A check algorithm is applied before any process or application is

granted access to an ACL-protected file system object.

As a basic rule, the ACL entries are examined in the following

sequence: owner, named user, owning group or named group, and
other. The access is handled in accordance with the entry that best
suits the process. Permissions do not accumulate.

Things are more complicated if a process belongs to more than one

group and belongs to several group entries. An entry is randomly
selected from the suitable entries with the required permissions.

It is irrelevant which of the entries triggers the final result, which is

access granted . Likewise, if none of the suitable group entries
contains the correct permissions, a randomly selected entry triggers
the final result, which is access denied .

Understand How Applications Handle ACLs

As described in the preceding sections, you can use ACLs to

implement very complex permission scenarios that meet the
requirements of applications.

The traditional permission concept and ACLs can be combined in a

smart manner. However, some important applications still lack ACL
support. Except for the star archiver, there are currently no backup
applications that guarantee the full preservation of ACLs.

The basic file commands (cp, mv, ls, and so on) support ACLs, but
many editors and file managers (such as Konqueror) do not.

For example, when you copy files with Konqueror, the ACLs of
these files are lost. When you modify files with an editor, the ACLs
of files are sometimes preserved, sometimes not, depending on the
backup mode of the editor used.

Version 1 Copying all or part of this manual, 4-49

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

If the editor writes the changes to the original file, the access ACL is
preserved. If the editor saves the updated contents to a new file that
is subsequently renamed to the old filename, the ACLs might be
lost, unless the editor supports ACLs.

For more information about ACLs go to http: //

sdb.suse.de/en/sdb/html/81_acl.html and http://acl.bestbits.at/. Also see the
man pages for getfacl, acl(5), and setfacl(1).

4-50 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Exercise 4-2: Use ACLs

In this exercise, you practice using ACLs by doing the following:

■ Part I: Configure the ACL of a Directory
■ Part II: Configure a Default ACL for a Directory
■ Part III: Delete an ACL

Part I: Configure the ACL of a Directory

Do the following:

1. Open a terminal window and su to root.

2. Change to the directory /tmp by entering the following:

cd /tmp

3. Create a test directory by entering the following:

mkdir acl_test

4. Limit the file system permissions for the directory by entering

the following:
chmod 700 acl_test

5. Open a second terminal window as the user geeko.

6. Try changing to the test directory by entering the following:

cd /tmp/acl_test/
The command fails because geeko (who is not the owner of the
directory) has no permission to read the directory.

7. Switch to the root terminal.

8. Display the minimum ACL of the directory by entering the

following:
getfacl acl_test

Version 1 Copying all or part of this manual, 4-51

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

9. Add an extended ACL by entering the following:

setfacl -m u:geeko:rwx acl_test/

10. Switch to the geeko terminal and try to access the directory
again by entering the following:
cd /tmp/acl_test
Because of the extended ACL, you can view the directory.

11. Switch to the root terminal and display the extended ACL of the
directory by entering the following:
getfacl /tmp/acl_test/

Part II: Configure a Default ACL for a Directory

Do the following:

1. Open a terminal window and su to root.

2. Change to the directory acl_test by entering the following:

cd /tmp/acl_test

3. Create a file by entering the following:

touch without_default_acl

4. Display the ACL of the new file by entering the following:

getfacl without_default_acl
As there is no default ACL for the parent directory, the new file
does not have an extended ACL either.

5. Set a default ACL for the directory acl_test by entering the

following:
setfacl -d -m u:geeko:rw /tmp/acl_test/

6. Create another test file by entering the following:

touch with_default_acl

4-52 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

7. Display the ACL of the new file by entering the following:

getfacl with_default_acl
As this file was created after the default ACL of the parent
directory was set, the new file inherited the ACL.

Part III: Delete an ACL

Do the following:

1. From a root terminal window, change to the directory acl_test

by entering the following:
cd /tmp/acl_test

2. Display the ACL of the file with_default_acl by entering the

following:
getfacl with_default_acl

3. Remove the ACL by entering the following:

setfacl -x u:geeko with_default_acl

4. Display the ACL again by entering the following:

getfacl with_default_acl
As you can see, the ACL for the user geeko has been removed.
If there were ACLs for other users, they would remain
unaffected.

5. View the file attributes of with_default_acl by entering the

following:
ls -l with_default_acl
There are still extended attributes (such as the mask “+”) in the
output.

Version 1 Copying all or part of this manual, 4-53

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

6. Remove all ACLs by entering the following:

setfacl -b with_default_acl

7. Display the ACL again by entering the following commands:

getfacl with_default_acl
ls -l with_default_acl
Notice that the ACL has been removed.

(End of Exercise)

4-54 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective 7 Configure Security Settings with YaST

YaST offers a module to configure certain system settings that affect
the local security. The module can be found under
Security and Users > Security settings.

With the module you can easily change the following settings of the
system configuration:
■ The password settings
■ The boot behavior of the system
■ The login behavior
■ The user ID limitations
■ General file system security

When you start the module, the following appears:

Version 1 Copying all or part of this manual, 4-55

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In the dialog you can choose between four different levels of local
security:

Level
Level 1 (Home Workstation)
Level 2 (Networked Workstation)
Level 3 (Network Server)
Custom Settings
Meaning
This option represents the lowest
level of local security. It should
only be used on a home
workstation that is not connected
to any kind of network.
This option provides an
intermediate level of local
security. It is suitable for
workstations that are connected
to a network.
This option enables a high level
of local security. Systems that are
used as a network server should
be run with this setting.
This option lets you create your
own level of local security.

By selecting one of the three predefined security levels and

selecting Next, the chosen security level is applied. By selecting
Details, you can change the the settings for the security level you
have selected.

If you choose the Customs Settings and then select Next, you can
directly change the details of the security configuration.

The dialogs for the detail settings look the same for every security
level, but the preselected options are different. In the following you
can see the settings for Level 3 (Network Server).

4-56 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

In this dialog you can change the default password requirements

that are accepted by the systems.

Version 1 Copying all or part of this manual, 4-57

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

You have the following options:

Option Meaning
Checks This option enables the checking of
newly created passwords. The
following two methods can be
enabled:
■ Checking New Passwords: New
passwords will be checked to see
if they can be found in a dictionary.
■ Plausibility Test For Passwords:
Passwords will be checked to see
if they contain a mixture of different
kind of characters (such as
lowercase and uppercase
characters).
For a server system, you should at
least enable Checking New
Passwords.
Password Encryption Method You can choose between different
kinds of password encryption
methods. This option sets the
maximum length of the password.
The default option DES supports only
passwords with a length up to 8
characters.
MD5 and blowfish support longer
passwords but are not well supported
by older systems and applications.
Unless your system does not need to
meet very high security demands,
you can stay with the default DES.

4-58 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Option Meaning
Number Of Significant This option corresponds to the
Characters In The Password previous one. You can only choose a
value higher than 8 if you have
chosen a different encryption method
than DES.
For normal security demands, a
value of 8 is sufficient.
Minimum Acceptable This value determines the minimum
Password Length length of a password. The shorter a
password is, the easier it is to crack
it.
A password should never be shorter
than 6 characters.
Days To Password Change The name of this option is a little bit
Warnings misleading. There are two values to
be set:
■ Minimum: The number of days
after a user can change the
password.
■ Maximum: The number of days
after a user must change the
password.

Days Before Password This option determines how many

Expires Warning days before a password has to be
changed, a warning should be given
to the user.

After adapting the options to your needs, select Next to proceed to

the next dialog.

Version 1 Copying all or part of this manual, 4-59

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following dialog appears:

In this dialog you can configure how the system can be rebooted.

4-60 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

You have the following options:

Option Meaning
Interpretation Of Crtl+Alt+Del This option determines how the Key
Combination Crtl+Alt+Del is
evaluated. You can choose between
the following possibilities:
■ Ignore: The key combination is
ignored; nothing happens.
■ Reboot: When the combination is
pressed, the system reboots.
■ Halt: The can be halted by
pressing the key combination.
On a server you should always
choose Ignore because otherwise
someone could halt or reboot the
system even without being logged in.

Version 1 Copying all or part of this manual, 4-61

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Option Meaning
Shutdown Behavior Of KDM This option determines how the
system can be halted with the
graphical login manager KDM. You
have the following choices:
■ Only Root: To halt the system, the
root password has to be entered.
■ All users: Everyone, even
remotely connected users, can halt
the system using KDM.
■ Nobody: Nobody can halt the
system with KDM.
■ Local Users: Only locally
connected users can halt the
system with KDM.
■ Automatic: The system is halted
automatically after log out.
For a server system you should use
Only Root or Nobody to prevent
normal or even remote users from
halting the system.

4-62 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

After selecting Next, the following appears:

In this dialog you can configure the login behavior of the system.

Version 1 Copying all or part of this manual, 4-63

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

You have the following options:

Option Meaning
Delay After Incorrect Login The value of this option determines
Attempts the number of seconds the next login
try will be delayed after a failed login
attempt.
This is useful to prevent attackers
from trying various passwords very
quickly.
The default value 3 is sufficient in
most cases.
Record Failed Login Attempts If this option is checked, failed login
attempts are logged.
This option should be enabled.
Record Successful Login If this option is checked, successful
Attempts login attempts are logged.
This option should also be enabled.
Allow Remote Graphical The display manager KDM lets you
Login. log in remotely to the X-Window
system.
If this option is selected, remote login
is allowed.
For a server system, you should not
enable this option unless it is needed
for purpose of the server (for
example, the system is a terminal
server.)

After adjusting the settings in this dialog, select Next to proceed to

the next dialog.

4-64 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The next dialog looks as follows:

In this dialog you can adjust the Minimum and the Maximum value
for User and Group IDs. The default values should be acceptable
for most purposes.

Select Next to proceed to the next dialog.

Version 1 Copying all or part of this manual, 4-65

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following appears:

This the last page of the security configuration.

4-66 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

You have the following options:

Option Meaning
Setting Of File Permissions From this menu, you can choose
between three different presets for
file system permissions.
You have the following options:
■ Easy: Most configuration files are
readable for normal users.
■ Secure: Certain system files (like
/var/log/messages) can only be
viewed by root. Some programs
can only launched by root or by
daemons.
■ Paranoid: This is the preset with
the highest level of file system
security. Access rights are even
more restricted than with the
Secure setting.
The security settings for every preset
are read from configuration files
following the naming scheme
/etc/permissions.<level>.
For example, the configuration for the
Secure level is read from the file
/etc/permissions.secure
Each file contains a description of the
file syntax and purpose of the
preset.
You can also add your own rules to
the file /etc/permissions.local.

Version 1 Copying all or part of this manual, 4-67

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Option Meaning
User Launching Updatedb This option determines under which
user ID the command updatedb is
executed by cron.
The updatedb program indexes all
files in the file system. The generated
database can be queried with the
locate command.
The choices of this option are:
■ nobody: The command is
launched under the user ID of the
system user nobody.
This way only files that are
accessible for the user nobody
are indexed.
■ root: The command is executed
under the user ID of the root user.
This way all files in the file system
can be indexed.
For security reasons you should use
the user nobody. This way no files
are indexed that should not be
accessible for normal users.
Current Directory In Root If this option is selected, the current
Path directory is added to the search path
of root.
This could lead to security problems
if an attacker places an executable
with a common name like ls into a
directory.
If root enters ls in that directory, the
executable of the attacker could be
launched instead of the normal ls
command.
Never select this option.

4-68 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Option Meaning
Current Directory In Path Of If this option is selected, the current
Regular Users directory is added to the search path
of normal users.
In a security sensitive environment,
this option should not be enabled.
Enable Magic SysRq Keys This option enables special key
combinations that give you some
control over the system even in the
case of a system crash.
This is useful for debugging purposes
but should be disabled on production
systems.

After confirming this dialog with Finish, the changes are saved and
applied to the system.

In most cases it should be sufficient to choose one of the

preconfigured security levels.

Version 1 Copying all or part of this manual, 4-69

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 8 Stay Informed About Security Issues

One of the most important security tasks for an administrator is to
stay informed about current security issues.

Damage can be prevented only when security patches are installed

as quickly as possible.

You can use the following resources to gather information about

Linux-related security issues:
■ http://www.suse.de/en/business/security.html: This web site
is the central security information site of SUSE. All security
issues affecting the SUSE products are announced here.
You will also find information about security and OpenSource
software and the SUSE security team.
■ http://www.suse.de/en/business/mailinglists.html: This web
site offers an overview of all SUSE related mailing lists.
There are two security related mailing lists that you can
subscribe to for further security information.
■ suse-security: This mailing list is intended for security-
relevant discussions.
■ suse-security-announce: This mailing list announces
security issues and fixes. This mailing list is read only. For
discussions please use suse-security.
To subscribe to a mailing list, select the check boxes by the
name of the list, enter your mail address at the bottom of the
page, and then click OK.
■ http://www.securityfocus.com/: This web site is about general
IT security. It also offers various security-relevant mailing lists.

4-70 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Exercise 4-3: Subscribe to the SUSE Security Announcements

In this exercise, you subscribe to the SUSE security mailing list.

This means that Novell/SUSE will inform you by email about
current security issues of SUSE Linux Products.

If you don't want to receive these messages, skip this exercise.

Do the following:

1. From the KDE start menu, select Internet > Web Browser.

2. In the address bar of the browser, enter the following:

http://www.suse.com/us/business/mailinglists.html

3. Scroll down to the entry suse-security-announce; then select

the check box for that entry .

4. Scroll down to the bottom of that page and in the email address
field enter your email address.

5. Subscribe to the list by selecting OK.

(End of Exercise)

Version 1 Copying all or part of this manual, 4-71

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 9 Apply Security Updates

SLES 9 is usually delivered with system maintenance. This system
maintenance includes updates and security patches.

Software updates can be managed with YaST Online Update

(YOU). This YaST module downloads and installs software updates
and security patches.

To apply security updates, you need to do the following:

■ Register your Product
■ Use the YaST Online Update

Register Your Product

To access the update packages you need to enter a user name and a
password. To get these credentials, you need to create an account
for the SUSE support portal.

The SUSE support portal can be accessed at http://portal.suse.com.

After you have created an account, you need to register your

product in the portal with the registration code delivered with the
SLES 9 CDs.

Only registered products can be updated with the YOU module.

Use the YaST Online Update

The following is a quick guide to applying software updates with

YOU.

First you need to start the YOU module from the YaST Control
Center under Software > Online Update.

4-72 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

The following appears:

Select Next to start the update process. There are some additional
configuration options but the defaults are sufficient unless you want
to run your own YOU server.

Version 1 Copying all or part of this manual, 4-73

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In the next step, YOU asks you for your account at the SUSE
support portal. Enter your login name and password in the
following dialog:

Select Login to proceed to the next step. YOU retrieves information

about the available patches and displays the following dialog:

4-74 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

On the top left side of the dialog all available patches are displayed.
Security relevant patches are indicated by red characters.

By selecting the check box by an entry, the corresponding update is

installed in the next step. Normally YOU autoselects the updates
that are relevant for your system.

By selecting an entry itself, details for the corresponding update are

displayed on the right side of the dialog.

By selecting Accept, the selected updates are downloaded and

installed.

During the process YOU displays the following dialog:

You can display additional information for some updates. These

dialogs need to be confirmed to install the corresponding software
package.

Version 1 Copying all or part of this manual, 4-75

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Summary
The following is the summary of the objectives.

Objective Summary
1. Create a Security Concept The security of a system must
always be seen in the context of
the whole IT environment.
We highly recommended that you
create a security concept for the
company.
The process of creating a
security concept includes the
following steps.
■ Understand the basics of a
security concept.
■ Perform a communication
analysis.
■ Analyze the protection
requirements.
■ Analyze the current situation
and necessary enhancements.

4-76 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective Summary
2. Limit Physical Access to Server If a server is not protected from
Systems unauthorized physical access,
even the best software
configuration cannot prevent
someone from misusing a
system.
To make the server as secure as
possible, do the following:
■ Place the server in a separated
and locked server room.
■ Secure the BIOS with a
password.
■ Secure the GRUB boot loader
with a password.
3. Limit the Installed Software You should install only those
Packages software packages that are
needed to fulfill the purpose of a
server.
To set up a production system,
minimize the software selections
you install and add only
packages which are definitely
needed.
It is important that no network
services are installed that are not
needed on a server.

Version 1 Copying all or part of this manual, 4-77

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
4. Understand the Linux User User authentication is the base
Authentication for every kind of access control.
The user authentication of a
modern Linux system is based on
PAM, the Pluggable
Authentication Modules.
PAM creates a software layer
between the applications,
handling user authentication, and
the currently used authentication
mechanism.
PAM is configured in the directory
/etc/pam.d/
This directory contains a
configuration file for every
application that uses PAM.
Every line of a configuration file
enables a PAM module for the
corresponding application.
Another important aspect of user
authentication is the
requirements for a secure
password.
A password should never be a
word from a dictionary and
should always contain some
uppercase characters and
numbers.

4-78 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective Summary
5. Ensure File System Security The permission settings in the
files system have an important
meaning to the overall system
security.
You should always follow some
basic rules about file system
security.
■ A user should only have write
access in the home and the
/tmp directory.
■ Users should never have read
access to configuration files
that contain passwords.
■ The following special file
permissions affect the security
of a system:
■ The SUID bit
■ The SGID bit
■ The sticky bit
6. Use ACLs for Advanced Access ACLs extend the classic Linux file
Control system permissions.
They let you assign permissions
to named users and named
groups.
ACLs also provide a mask entry,
which basically limits the
permissions of named users and
names groups.
The ACL entries are managed
with getfacl and setfacl.
Directories can have a default
ACL that is inherited by newly
created files or subdirectories.

Version 1 Copying all or part of this manual, 4-79

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
7. Configure Security Settings with YaST offers a module that can be
YaST used to configure various security
relevant system settings.
The module can be found in the
YaST Control Center under
Security and Users > Security
Settings.
You can change the following
settings:
■ The password settings
■ The boot behavior
■ The login behavior
■ The user and group ID
imitations
■ The file system security
8. Stay Informed About Security It is very important to be informed
Issues about the current security issues.
The following resources can be
used to gather security relevant
information:
■ http://www.suse.de/en/
business/security.html
■ http://www.suse.de/en/
business/mailinglists.html
■ http://www.securityfocus.
com/

4-80 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Secure a SLES 9 Server

Objective Summary
9. Apply Security Updates To get and apply security updates
for SLES 9, you need to do the
following:
■ Register SLES 9 at the SUSE
support portal at
http://portal.suse.com.
■ Download and apply updates
with YOU, the YaST Online
Update.
The YOU module can be
found in the YaST Control
Center under Software >
Online Update.

Version 1 Copying all or part of this manual, 4-81

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

4-82 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

SECTION 5 Manage Backup and Recovery

In this section, you learn how to develop a backup strategy and how
to use the backup tools shipped with SLES 9. You also learn about
possible problems you might encounter during the boot process and
how to configure the GRUB boot loader.

Objectives
1. Develop a Backup Strategy
2. Creat3 Backup Files With tar
3. Work With Magnetic Tapes
4. Copy Data With the dd Command
5. Mirror Directories With the rsync Command
6. Automate Data Backups With the cron Service
7. Troubleshoot the Boot Process of a SLES 9 System
8. Configure and Install the GRUB Boot Loader

Version 1 Copying all or part of this manual, 5-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
Even the best security measures cannot guarantee that data will
never be lost. There is always the possibility that
■ A hard disk failure will fail, destroying data on the affected
disk.
■ Users will delete files by accident.
■ A virus will delete important files on a desktop computer.
■ A notebook will be lost or destroyed.
■ An attacker will delete data on a server.
■ Natural influences like thunderstorms will destroy storage
systems.

It is very important to ensure that you have a reliable backup of

important data.

In this section you learn how to develop a backup strategy and how
to use the standard UNIX backup tools tar, rsync, and dd.

You will learn about possible issues during the boot process and
how to configure the GRUB boot loader.

5-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Objective 1 Develop a Backup Strategy

Backing up data is one of the most important tasks of a system
administrator. But before you can actually back up data, you need to
develop a backup strategy by doing the following:
■ Choose a Backup Method
■ Choose the Right Backup Media

Choose a Backup Method

The best possible method of data backup is the full backup.

In a full backup, all system data is copied to a backup media once a

day. To restore the data, the most current backup media is copied
back to the system´s hard disk.

The disadvantage of this method is the backup window. The backup

window is the time frame available to perform backups.

Backups should be performed when the system is not used, to avoid

data changes on the disk during the backup. These data changes
would lead to inconsistent data on the backup media.

Therefore, a backup is normally performed at night when systems

are not needed.

In some cases, especially in larger companies, because the backup

window might be too small to perform a full backup every day.

This can happen for the following reasons:

■ The amount of data to be backed up is so large, it takes too long
to copy all data to a backup media during the backup window.
■ The affected systems have to be available around the clock, so
the backup window is very small.

In most cases, a combination of both reasons prevents you from

using a full backup.

Version 1 Copying all or part of this manual, 5-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

To circumvent this problem, you can use a backup method other

than full backup. The following are 2 basic backup alternatives:
■ Perform an Incremental Backup
■ Perform a Differential Backup

Perform an Incremental Backup

In an incremental backup, you normally perform a full backup once

a week (such as on the weekend). Then you perform a backup every
day that copies only files that have changed since the backup the
day before.

For example, if you might perform a full backup on Sunday, while

on Monday you just backup the files which have changed since
Sunday. On Tuesday you back up the files which have changed
since Monday, and so on.

Before performing an incremental backup, you need to understand

the following advantage and disadvantage of this method:
■ Advantage. Because you only back up files that have changed
since the last backup, the backup window can be much smaller
than the one you need for a daily full backup.
■ Disadvantage. The recovery time is longer. For example, you
have perform a full backup on Sunday and incremental backups
on Monday, Tuesday and Wednesday. On Thursday the server
crashes and all data is lost.
To restore the server you now need all incremental backups and
the full backup since last Sunday. All these backups need to be
copied to the server in the correct order.

5-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Perform a Differential Backup

In an incremental backup, you perform a full backup once a week,

then you perform backups every day to record the files that have
changed since the last full backup.

For example, suppose you perform a full backup on Sunday. On

Monday you back up the files that have changed since Sunday, on
Tuesday you also back up the files that have changed since Sunday,
and so on.

Before performing a differential backup, you need to understand the

following advantage and disadvantage of the method:
■ Advantage. To restore data from a differential backup, you
need just 2 backup media:, the last full backup and the last
differential backup. This makes the average time needed to
restore a system shorter.
■ Disadvantage. The amount of data to be backed up grows
every day. At the end of the backup cycle, the amount of data
might be too large for the available backup window.

The following illustrates the difference between incremental and

differential backups:

Version 1 Copying all or part of this manual, 5-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Choose the Right Backup Media

You must choose the right backup media for the amount of data to
be backed up and the backup method.

Tape drives are used most often because they still have the best
price-to-capacity ratio. Normally these are SCSI drives, so that all
kinds of tape drives can be accessed in the same way (such as DAT,
EXABYTE, and DLT). In addition, tapes can be reused.

Other media for data backup include writable CDs or DVDs,

removable hard drives, and magnetic-optical (MO) drives.

More and more frequently, Storage Area Networks (SANs) are

used. With a SAN, a storage network is set up to exclusively back
up data from different computers on a central backup server. But
even a SAN often uses magnetic tapes to store the data.

Backup media should always be stored separately from the backed

up systems. This prevents the backups from being lost in case of a
fire in the server room. Sensitive backup media should be stored
safely offsite.

5-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Objective 2 Create Backup Files With tar

The tar (tape archiver) tool is the most commonly used application
for data backup on Linux systems. It archives files in a special
format, either directly on a backup medium (such as magnetic tape
or floppy disk), or to an archive file.

The following are tasks you perform when backing up files with tar:
■ Create tar Archives
■ Unpack tar Archives
■ Exclude Files from Backup
■ Perform Incremental and Differential Backups
■ Use tar Command Line Options

Create tar Archives

The tar format is a container format for files and directory

structures. By convention, the extension of the archive files end in
.tar.

tar archives can be saved to a file to store them on a file system, or

they can be written directly to a backup tape.

Normally the data in the archive files is not compressed, but you
can enable compression with additional compression commands. If
archive files are compressed (usually with the command gzip), then
the extension of the filename is either .tar.gz or .tgz.

The tar command first expects an option, then the name of the
archive to be written (or the device file of a tape recorder), and the
name of the directory to be backed up. All directories and files
under this directory are also saved.

Directories are typically backed up with a command such as

tar -cvf /backup/etc.tar /etc

Version 1 Copying all or part of this manual, 5-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In this example, the tar command backs up the complete contents of

the directory /etc to the file /backup/etc.tar.

The option -c (create) creates the archive. The option -v (verbose)

displays a more detailed output of the backup process. The name of
the archive to be created entered after the option -f (file).

This can either be a normal file or a device file (such as a tape

drive), as in the following:
tar -cvf /dev/st0 /home

In this example, the /home directory is backed up to the tape

recorder /dev/st0.

When an archive is created, absolute paths are made relative by

default. This means that the leading / is removed, as in the
following:
tar: Removing leading / from member names

You can view the contents of an archive by entering the following:

tar -tvf /backup/etc.tar

Unpack tar Archives

To unpack files from an archive, use the following command:

tar -xvf /dev/st0

This writes all files in the archive to the current directory. Due to the
relative path specifications in the tar archive, the directory structure
of the archive is created here.

If you want to extract to another directory, this can be done with the
option -C, followed by the directory name.

If you want to extract just one file, you can specify the name of the
file with the -C option, as in the following:
tar -xvf /test1/backup.tar -C /home/user1/.bashrc

5-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Exclude Files from Backup

If you want to exclude specific files from the backup, a list of these
files must be written in an exclude file, line by line, as in the
following:
/home/user1/.bashrc
/home/user2/Text*

In this example, the file /home/user1/.bashrc from user1 and all files
that begin with Text in the home directory of user2 will be excluded
from the backup.

This list is then passed to tar with the option -X, as in the following:
tar -cvf /dev/st0 /home -X exclude.files

Perform Incremental and Differential Backups

In an incremental or differential backup, only files that have been

changed or newly created since a specific date must be backed up.

The following are 2 methods you can use to accomplish the same
thing with tar:
■ Use a Snapshot File for Incremental Backups
■ Use the find Command to Search for Files to Back Up

Use a Snapshot File for Incremental Backups

Tar lets you use a snapshot file that contains information about the
last backup process. This file needs to be specified with the -g
option.

First, you need to make a full backup with a tar command, as in the
following:
tar -cz -g /backup/snapshot_file
-f /backup/backup_full.tar.gz /home

Version 1 Copying all or part of this manual, 5-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In this example, the directory /home is backed up to the file

/backup/backup_full.tar.gz. The snapshot file
/backup/snapshot_file does not exist and is created.

The next time, you can perform an incremental backup with the
following command:
tar -cz -g /backup/snapshot_file
-f /backup/backup_mon.tar.gz /home

In this example, tar uses the snapshot file to determine which files
or directories have changed since the last backup. Only changed
files are included in the new backup /backup/backup_mon.tar.gz.

Use the find Command to Search for Files to Back Up

You can also use the find command to find files that need to be
backed up as a differential backup.

First, you use the following command to make a full backup:

tar -czf /backup/backup_full.tar.gz /home

In this example, the /home directory is backed up into the file

/backup/backup_full.tar.gz. Then you can use the following
command to back up all files that are newer than the full backup:
find /home -type f -newer /backup/backup_full.tar.gz
\ -print0 | tar --null -cvf /backup/backup_mon.tar.gz
-T -

In this example, all files (-type f) in the directory /home that are
newer than the file /backup/backup_mon.tar.gz are archived.

The options -print0 and --null ensure that files with spaces in their
names are also archived. The option -T determines that files piped
to stdin are included in the archive.

5-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Use tar Command Line Options

The following are some useful tar options:

Option Meaning
-c Creates an archive.
-C Changes to the specified directory.
-d Compares files in the archive with those in the file system.
-f Uses the specified archive file or device.
-j Directly compresses or decompresses the tar archive
using bzip2, a modern efficient compression program.
-r Appends files to an archive.
-u Only includes files in an archive that are newer than the
version in the archive (update).
-v Displays the files, which are being processed (verbose
mode).
-x Extracts files from an archive.
-X Excludes files listed in a file.
-z Directly compresses or decompresses the tar archive
using gzip.

For more information about tar, consult the man page for tar.

Version 1 Copying all or part of this manual, 5-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 5-1: Create Backup Files With tar

In this exercise, you use tar to do the following:

■ Part I: Create a Full Backup
■ Part II: Create an Incremental Backup

In this exercise, you copy backup files to the directory /tmp. This is only
done to demonstrate using backup methods. You should never make an
actual backup to the directory /tmp.

Part I: Create a Full Backup

Do the following:

1. Open a terminal window and su to root.

2. Change to the directory /srv/www by entering the following:

cd /srv/www/

3. Create a tar archive of the directory htdocs by entering the

following:
tar czf /tmp/htdocs.tar.gz htdocs

4. Delete the directory htdocs by entering the following:

rm -r htdocs

5. Copy the backup archive to the directory /srv/www by entering

the following:
cp /tmp/htdocs.tar.gz /srv/www

6. Restore the directory htdocs by entering the following:

tar xzf htdocs.tar.gz

7. View the content of the restored directory by entering ls.

5-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Part II: Create an Incremental Backup

Do the following:

1. From the root terminal window, change to the directory

/srv/www by entering the following:
cd /srv/www

2. Create a full backup by entering the following command:

tar czv -g /tmp/snapshot_file -f /tmp/htdocs_full.tar.gz
htdocs

3. Create a new file in the directory htdocs by entering the

following:
touch htdocs/incremental.html

4. Perform an incremental backup by entering the following

command:
tar czv -g /tmp/snapshot_file -f
/tmp/htdocs_incremental.tar.gz htdocs
Note that tar backs up the file incrementally.

5. View the content of the incremented backup file by entering the

following:
tar -tzf /tmp/htdocs_incremental.tar.gz

6. Remove the directory htdocs by entering the following:

rm -r htdocs

7. To restore the directory, begin by unpacking the backup by

entering the following:
tar xzf /tmp/htdocs_full.tar.gz

Version 1 Copying all or part of this manual, 5-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

8. Unpack the incremental backup by entering the following

command:
tar xzf /tmp/htdocs_incremental.tar.gz

(End of Exercise)

5-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Objective 3 Work With Magnetic Tapes

To work with magnetic tapes in SLES 9, use the command mt. With
this command, you can position tapes, switch compression on or off
(with some SCSI-2 tape drives), and query the tape status.

Magnetic tape drives used under Linux are always SCSI devices
and can be accessed with the following device names:
■ /dev/st0. Refers to the first tape drive.
■ /dev/nst0. Addresses the same tape drive in the no rewind
mode. This means that after writing or reading, the tape remains
at that position and is not rewound back to the beginning.

For reasons of compatibility with other UNIX versions, 2 symbolic

links exist: /dev/rmt0 and /dev/nrmt0.

You can query the status of the tape by entering the following
command:
mt -f /dev/st0 status

In this example, the -f option is used to indicate the device name of

the tape drive. The command status displays the status of the tape
drive.

The output of the command looks like the following:

drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 0
block number = 0
Tape block size 0 bytes. Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (41010000):
BOT ONLINE IM_REP_EN

The most important information in this example is the file number

(file number, starting at 0) and the block numbers (block number,
starting at 0).

Version 1 Copying all or part of this manual, 5-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

These parameters determine the position of the tape. In this

example, the tape is positioned at the beginning of the first file.

The file count starts with 0.

To position the tape at the beginning of the next file, use the
following command:
mt -f /dev/nst0 fsf 1

In this example, the command fsf forwards the tape by the given
number of files, and the tape will start before the first block of the
second file.

This can be verified with the status command, as in the following:

mt -f /dev/nst0 status
drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 1
block number = 0
Tape block size 0 bytes.
Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (81010000):
EOF ONLINE IM_REP_EN

Now the file number is set to 1, and the final line of the output
contains EOF (end of file) instead of BOT (beginning of tape).

With the option bsf, the tape can be repositioned back by a

corresponding number of files.

In general, when positioning the tape, you should use a

nonrewinding device file like /dev/nst0.

If you want the tape to be spooled back to the beginning after the
reading or writing process, enter the following command:
mt -f /dev/nst0 rewind

5-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

If you want to eject the tape from the drive, then enter the following
command:
mt -f /dev/nst0 offline

Normally, tapes should always be written without compression,

because otherwise you cannot recover the subsequent data in case of
a write or read error.

To check whether data compression is switched on or off, enter the

following command:
mt -f /dev/st0 datcompression

The command shows whether data compression is switched on or

off.

If the parameter on or off is specified at the end of the command,

then data compression will be switched on or off. By default,
compression is switched on.

Version 1 Copying all or part of this manual, 5-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 4 Copy Data With the dd Command

You can use the command dd to convert and copy files byte-wise.
Normally dd reads from the standard input and writes the result to
the standard output. But with the corresponding parameters, files
can also be addressed directly.

You can copy all kinds of data with this command, including entire
hard disk partitions. Exact copies of an installed system (or just
parts of it) can be created very simply.

In the simplest case, a file can be copied with the following

command:
dd if=/etc/protocols of=protocols.org

The output of dd during the copying process looks like following:

12+1 records in
12+1 records out

Use the option if= (input file) to specify the file to be copied, and
the option of= (output file) to specify the name of the copy.

Copying files in this way is done using records. The standard size
for a record is 512 bytes. The output shown above indicates that 12
complete records of the standard size and an incomplete record (that
is, less than 512 bytes) were copied.

If the record size is now modified by the option bs=block size, then
the output will also be modified:
dd if=/etc/protocols of=protocols.old bs=1
6561+0 records in
6561+0 records out

A file listing shows that their sizes are identical:

ls -l protocols*
-rw-r--r-- 1 root root 6561 Apr 30 11:28 protocols
-rw-r--r-- 1 root root 6561 Apr 30 11:30
protocols.old

5-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

If you want to copy a complete partition, then the corresponding

device file of the partition should be given as the input, as in the
following:
dd if=/dev/sda1 of=boot.partition

In this example, the whole partition /dev/sda1 is written to the file

boot.partition.

You can also use dd to create a backup copy of the MBR (master
boot record), as in the following:
dd if=/dev/sda of=/tmp/mbr_copy bs=512 count=1

In this example, a copy of the MBR is created from the hard disk
/dev/sda and is written to the file /tmp/mbr_copy.

Version 1 Copying all or part of this manual, 5-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 5-2: Create Drive Images with dd

In this exercise, you use dd to create a drive image by doing the

following:

1. From a root terminal window, display the content of the file

/etc/fstab by entering the following:
cat /etc/fstab

2. Find an entry /media/dvd or /media/cdrom and note the

corresponding device name (listed in the first column of the
output).

3. Insert the the 3038 Course CD in the CD or DVD drive.

4. Copy an image of the CD to the hard disk by entering the

following command:
dd if=/dev/CD/DVD_device of=/tmp/course_cd.iso

5. When the copy process is complete, mount the image file by

entering the following command:
mount -o loop /tmp/course_cd.iso /mnt/

6. Change to the directory /mnt/ by entering cd /mnt.

7. Display the content of the image file by entering ls.

Note that the content of the image file is identical to the original
media.

8. Change to your home directory and unmount the image file by

entering the following commands:
cd
umount /mnt

9. Delete the image file by entering the following:

rm /tmp/course_cd.iso

(End of Exercise)

5-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Objective 5 Mirror Directories With the rsync Command

The command rsync (remote synchronization) is actually intended
to create copies of complete directories across a network to a
different computer.

When coping data, rsync compares the source and the target
directory and transfers only data that has changed or been created.

rsync is the ideal tool to mirror the content of directories or to back

up data across a network.

You can use rsync in 2 different ways:

■ Perform Local Copying With rsync
■ Perform Remote Copying With rsync

Perform Local Copying With rsync

You can mirror all home directories by entering the following:

rsync -a /home /shadow

In this example, the mirroring is made to the directory /shadow.

The directory /home is first created in the directory /shadow, and

then the actual home directories of the users are created under
/home.

If you want to mirror the content of a directory and not the directory
itself, you can use a command such as the following:
rsync -a /home/. /shadow

By adding a /. to the end of the source directory, only the data under
/home is copied.

If you run the same command again, only files that have changed or
that are new will be transfered.

Version 1 Copying all or part of this manual, 5-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The option -a used in the examples puts rsync into archive mode.
Archive mode is a combination of various other options (namely
rlptgoD) and ensures that the characteristics of the copied files are
identical to the originals.

The following describes these options:

■ Symbolic links (option l)
■ Access permissions (option p)
■ Owners (option o)
■ Group membership (option g)
■ Time stamp (option t)

The option -r ensures that directories are copied recursively.

The following are some useful rsync options:

Option Description
-a Puts rsync into the archive mode.
-x Saves files on one file system only, which means
that rsync does not follow symbolic links to other file
systems.
-v Enables the verbose mode. Use verbose mode to
outputs information about the transfered files and
the progress of the copying process.
-z Compresses the data during the transfer. This is
especially useful for remote synchronization.
--delete Deletes files that no longer exist in the original
directory from the mirrored directory.
--exclude-from Does not back up files listed in an exclude file.

The last option can be used as follows:

rsync -a --exclude-from=/home/exclude /home/. /
shadow/home

5-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

In this example, all files listed in the file /home/exclude are not
backed up. Empty lines or lines beginning with ; or # are ignored.

Perform Remote Copying with rsync

With rsync and SSH, you can log in to other systems and perform
data synchronization remotely over the network.

The following command copies the home directory of the user tux
to a backup server:
rsync -ave ssh root@DA1:/home/tux /backup/home/

In this example, the option -e specifies the remote shell (ssh) that
should be used for the transmission. The source directory is
specified by the expression root@DA1:/home/tux. This means that
rsync should log in to DA1 as root and transfer the directory
/home/tux.

Of course, this also works in the other direction. In the following

example, the backup of the home directory is copied back to the
DA1 system:
rsync -ave ssh /backup/home/tux root@DA1:/home/

rsync must be installed on both the source and the target computer.

There is also another way to perform remote synchronization with

rsync by running an rsync server. This way you can enable remote
synchronization without allowing an SSH login.

For more information, consult the rsync documentation at

http://samba.anu.edu.au/rsync/.

Version 1 Copying all or part of this manual, 5-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 5-3: Create a Backup of a Home Directory With rsync

In this exercise, you do the following:

■ Part I: Perform a Local Backup With rsync
■ Part II: Perform a Remote Backup With rsync

Part I: Perform a Local Backup With rsync

Do the following:

1. Open a terminal window and su to root.

2. Create a test backup directory by entering the following:

mkdir /tmp/rsync_test

3. Copy geeko's home directory to the backup directory by

entering the following:
rsync -av /home/geeko /tmp/rsync_test

4. Open another terminal window as user geeko.

5. Create a new file by entering the following:

touch new_file

6. Switch to the root terminal window and enter the same rsync
command again:
rsync -av /home/geeko /tmp/rsync_test
Notice that rsync transfers only the new file and the
corresponding directory.

5-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Part II: Perform a Remote Backup with rsync

Wait until a partner has completed the previous steps in the

exercise, and then do the following:

1. From the root terminal window, perform a remote backup of

your partner's geeko home directory by entering the following
command:
rsync -ave ssh root@partner_ip_address:/home/geeko
/tmp/rsync_test/remote

2. Ask your partner to create a new file in the geeko home

directory by entering the following:
touch new_file2

3. Enter the rsync command again:

rsync -ave ssh root@partner_ip_address:/home/geeko
/tmp/rsync_test/remote

Notice that only the new file is copied by rsync.

4. Clean up the backup directory by entering the following:

rm -r /tmp/rsync_test/*

(End of Exercise)

Version 1 Copying all or part of this manual, 5-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 6 Automate Data Backups With the cron Service

Backing up data is a task that you should perform on a regular basis.
You can automate backups in Linux with the cron service.

System jobs are controlled with the file /etc/crontab and the files in
the directory /etc/cron.d. They are defined with the scripts in the
directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and
/etc/cron.monthly.

Specifying which users can create cron jobs is done through the
files /var/spool/cron/allow and /var/spool/cron/deny, which are
evaluated in this order. If both files do not exist, then only root can
define jobs.

The jobs of individual users are stored in files in the directory

/var/spool/cron/tabs with names matching the user names. These
files are processed with the command crontab.

The following is an example of a cron job:

0 22 * * 5 /root/bin/backup

In this example, the script /root/bin/backup is started every Friday at

10 P.M. The format for the line is described in man crontab.

5-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Exercise 5-4: Configure a cron Job for Data Backups

In this exercise, you use cron for data backup by doing the
following:

1. Open a terminal window and su to root.

2. Change to the directory /usr/local/bin/ by entering the

following:
cd /usr/local/bin

3. Create the file home_backup.sh in the directory by entering the

following commands in the file:
#!/bin/bash
rsync -av /home/geeko /tmp/rsync_test

4. Save the file and close the editor.

5. Make the file executable by entering the following:

chmod 744 home_backup.sh

6. Open the file /etc/crontab in the crontab editor by entering

crontab -e.

7. Add the following at the end of the file:

30 15 * * * root /usr/local/bin/home_backup.sh

8. Check after 3:30 pm (or tomorrow) to see if the backup has

been completed by entering the following:
ls /tmp/rsync_test

9. (Optional) Try changing the time of the backup job.

(End of Exercise)

Version 1 Copying all or part of this manual, 5-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 7 Troubleshoot the Boot Process of a SLES 9

System
Sometimes a Linux system cannot start up correctly. Another task of
system recovery is to access a corrupted system and to fix the
problem that prevents the normal boot process.

To perform basic troubleshooting of the boot process, you need to

know the following:
■ Understand Issues During the System Boot Process
■ How to Boot a Corrupted System Directly into a Shell
■ How to Boot a Corrupted System With the Installation Media
■ How to Start and Use the SLES 9 Rescue System

Understand Issues During the System Boot Process

The boot process of a modern Linux system can be very complex,

and its possible to encounter problems during the boot process.

The following are some of the most common problems:

■ The system cannot boot due to a misconfigured boot loader.
■ The system cannot boot because of file system corruption.
■ An init script has malfunctioned and is blocking the boot
process.
■ The system does not start correctly because of hardware
changes.

In all of these cases you must access the file system of the corrupted
system to detect and fix the problem.

In this objective, you learn how to access a system which is not

booting any longer.

5-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Boot a Corrupted System Directly into a Shell

The boot screen of the GRUB boot loader lets you pass parameters
that modify the Linux kernel before the kernel is actually loaded.

At the bottom of the GRUB boot screen is a Boot Options field.

When you select an operating system in the boot screen, the boot
options for that operating system are displayed in the field.

To add a boot option, select an operating system and type the

additional boot option in the Boot Options field.

One way to access a system that is not booting anymore is to set a

different program for the init process. Normally, the Linux kernel
tries to find a program with the name init and starts this program as
the first process. All other processes are then started by init.

With the boot parameter init=new_init_program, you can change

the first program loaded by the kernel. For example, by entering the
the boot parameter init=/bin/bash, the system is started directly into
a bash shell.

You can use this bash file to access the file system and to fix a
misconfiguration.

The file systems are mounted read-only after booting into a shell. To
change configuration files, you need to remount the file system with the
following command:

mount -o remount,rw,sync -t filesystem_type device_name mount_point

Version 1 Copying all or part of this manual, 5-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Boot a Corrupted System With the Installation Media

You can use the SUSE LINUX installation media to boot a system
with a misconfigured boot loader. To boot the system, you need to
do the following:
1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the
system.
Make sure that the system boots from the drive.
2. Select Installation; then press Enter.
Wait until the installation program starts.
3. When YaST displays the language selection dialog, select
Accept.
4. In the next dialog, select Boot installed system; then select OK.
YaST analyzes the the hard disk and displays all Linux root
partitions.
5. Select the root partition of the system you would like to boot;
then select Boot.
The selected system is now booted.

After the system has started, you can log in as root user and fix the
boot loader problem.

Start and Use the SLES 9 Rescue System

Another way to access a corrupted system is to use the SLES 9

Rescue System. The Rescue System is a Linux system that can be
booted directly from the installation media.

When this system is running, you can mount partitions from the
corrupted system and fix problems.

To start the Rescue System, do the following:

1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the
system.

5-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Make sure that the system boots from the drive.

2. From the boot menu, select Rescue System; then press Enter.
3. From the language selection dialog, select your language; then
press Enter.
4. At the prompt Rescue login, enter root.
5. Press the Enter key.
You are now logged into the Rescue System as root.

To access the file system of the corrupted system, you need to

mount the corresponding partition, as in the following:
mount -t reiserfs /dev/hda6 /mnt

In this example, the partition /dev/hda6 is mounted into the

directory /mnt.

Now you can access the file system, fix any errors, or copy data to
another media.

Version 1 Copying all or part of this manual, 5-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 8 Configure and Install the GRUB Boot

Loader
To boot the system, you need a program, called the boot loader,
which loads the operating system kernel and starts the system.

In SLES 9 (by default) this task is handled by the boot manager

GRUB (GRand Unified Boot Loader).

To configure the GRUB boot loader, you need to know the

following:
■ The Basic Functionality of a Boot Loader
■ The Basics of GRUB
■ How to Configure the GRUB Boot Loader

The Basic Functionality of a Boot Loader

The following are the 2 basic tasks of a boot loader:

■ Boot various operating systems
■ Pass boot parameters to the Linux kernel

The boot loader performs these tasks in the following 2 stages:

■ Stage 1. The program code for the first stage of a boot loader is
usually installed in the master boot record (MBR) of the hard
disk.
■ Because the space in the MBR is limited to 446 bytes, this
program code merely contains the information for loading the
next stage. Stage 1 can be installed in the boot sector of a
partition or on a floppy disk.
■ Stage 2. This stage usually contains the actual boot loader. The
files of the boot loader are located in the directory /boot.

5-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

The Basics of GRUB

GRUB is the standard boot loader of SLES 9 and includes the

following features:
■ Stage 2 File System Drivers. Stage 2 of GRUB includes file
system drivers for ReiserFS, ext2, ext3, Minix, JFS, XFS, FAT,
and FFS (BSD).
This means that GRUB can be used to access files by means of
filenames even before the operating system is loaded. This
feature is used to search for kernel and initrd images.
■ GRUB Shell. GRUB has its own shell that enables interactive
control of the boot manager.

Configure the GRUB Boot Loader

You configure GRUB by editing the file /boot/grub/menu.lst. The

following is the general structure of the file:
■ First, the general options such as the background color of the
boot manager menu are listed:
color white/blue black/light-gray
■ This is followed by options for the various operating systems
that can be booted with the boot manager. Each entry for an
operating system begins with a command title, as in the
following:
title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd

Version 1 Copying all or part of this manual, 5-33

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following is an example of a simple GRUB configuration file:

default 0
timeout 8

title linux
kernel (hd0,0)/boot/vmlinuz
root=/dev/hda1
initrd (hd0,0)/boot/initrd

Each line in this example is shown and described below:

default 0

The first entry (numbering from 0) is the default boot entry that
starts automatically if no other entry is selected with the keyboard.
timeout 8

The default boot entry is started automatically after 8 seconds.

title linux

This is the first entry in the boot menu. By default, this entry is
started.
kernel (hd0,0)/boot/vmlinuz

This entry describes the kernel location (in this example, the first
partition of the first hard disk).

Note the following regarding the designations for hard disks and
partitions:
■ GRUB does not distinguish between IDE and SCSI hard disks.
The hard disk that is recognized by the BIOS as the first hard
disk is designated as hd0, the second hard disk as hd1, and so
on.
■ The first partition on the first hard disk is called hd0,0, the
second partition hd0,1, and so on.

5-34 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

root=/dev/hda1

The root= option specifies the root partition of the system. This can
be followed by other kernel parameters.
initrd (hd0,0)/boot/initrd

This entry sets the location of the initial ramdisk (initrd). The initrd
contains hardware drivers that are needed before the kernel can
access the hard disk (such as a driver for the IDE or SCSI
controller).

Another GRUB configuration file is /etc/grub.conf. It contains

information on how and where the components of the GRUB boot
manager are supposed to be installed (for example, whether GRUB
should reside in the MBR or in the boot record of a partition).

This file is read only once when the boot loader is first installed.

Version 1 Copying all or part of this manual, 5-35

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 5-5: Boot to a Shell and Configure the GRUB Boot Loader

Your SLES 9 system is corrupted and no longer booting. To access

the file system and configure the GRUB boot loader with an option
to boot to runlevel 3, you do the following:
■ Part I: Boot the Rescue System
■ Part II: Edit and Test the GRUB Configuration File

This exercise demonstrates booting from the Rescue System and editing
the GRUB configuration file for learning purposes, and does not
necessarily reflect what you might do in an emergency situation.

For example, you can boot the Rescue System and enter a 3 in the boot
options field to boot into runlevel 3 without editing the GRUB
configuration file.

Part I: Boot the Rescue System

Do the following:

1. Open a terminal window and su to root.

2. Enter mount; then look for a file system which is mounted on

root (/) and note the corresponding device name.

3. Insert the SLES 9 CD 1 in the CD-ROM drive; then reboot the

system.
Make sure that your system boots from the CD-ROM drive. If not, you
might need to adjust the BIOS settings.

4. At the boot screen, highlight Rescue System; then press Enter.

5. From the language selection dialog, highlight your language;
then press Enter.

6. When the rescue system starts, log in by entering root.

5-36 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Part II: Edit and Test the GRUB Configuration File

Do the following:

1. After logging in to the rescue system, mount the root partition

of the system by entering the following:
mount root_partition /mnt

2. Open the GRUB configuration file of the installed system with

vi by entering the following:
vi /mnt/boot/grub/menu.lst

3. Duplicate all 3 lines which belong to the first entry (title

Linux) in the configuration file.

4. When you have duplicated the entry, change the title of the
copy to the following:
title Linux-Runlevel 3

5. Add a 3 (preceded by a space) at the end of the line with the

kernel parameters.

6. Save and close the GRUB configuration file.

7. Unmount the root partition by entering umount /mnt.

8. Remove the SLES 9 CD 1 from the drive.

9. Restart the computer by entering reboot.

10. At the boot prompt, highlight the entry Linux-Runlevel 3 and

press Enter.
You can also boot to runlevel 3 by entering 3 in the Boot Options
field.

11. When the the system boots to runlevel 3, log in as root; then
access the graphical login by entering init 5.

Version 1 Copying all or part of this manual, 5-37

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Summary
The following is the summary of the objectives.

Objective Summary
1. Develop a Backup Strategy To develop a backup strategy,
you need to complete the
following steps:
■ Choose a backup method
■ Choose a backup media
There are 3 basic backup
strategies:
■ Full backup. All data is
backed up every day.
■ Incremental backup. Only the
data that has been changed
since the last Incremental or
full backup is saved every day.
■ Differential backup. Only the
data that has been changed
since the last full backup is
saved every day.
Which method you use depends
on the backup window.
The backup window is the time
period in which a system is not
used and is available for a
backup.

5-38 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Objective Summary
2. Create Backup Files With the tar tar is a commonly-used tool for
Command performing data backups under
Linux.
tar can write data directly to a
backup media or to an archive
file.
Archive files normally end in .tar,
if they are compressed in .tar.gz
or .tgz.
The following is the basic syntax
to create a tar archive:
tar -cvf home.tar /home
To unpack a tar archive, use the
following command:
tar -xvf /home.tar
If you want to use tar with gzip for
compression, you need to add
the option z to the tar command.
Archives can also be written
directly to tape drives.
In this case, the device name of
the tape drive must be used
instead of a filename.
tar can also be used for
incremental or differential
backups.

Version 1 Copying all or part of this manual, 5-39

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration
Objective
3. Work with Magnetic Tapes
4. Copy Data With the dd Command
5-40 Copying all or part of this manual,
or distributing such copies, is strictly prohibited.
Summary
mt is the Linux standard tool to
work with magnetic tapes.
Use the following command to
query the status of the drive:
mt -f /dev/st0 status
The following command moves
the tape to the beginning of the
next file:
mt -f /dev/nst0 fsf 1
To rewind the tape by a certain
amount of files, use the bsf
command.
To rewind the tape to the
beginning, use the following:
mt -f /dev/nst0 rewind
The following command ejects
the tape from the drive:
mt -f /dev/nst0 offline
With the command dd files can
be converted and copied byte-
wise.
To copy a file, use the following
command:
dd if=/etc/protocols
of=protocols.org
To copy an entire partition into a
file, use the following command:
dd if=/dev/sda1
of=boot.partition
Version 1
 Manage Backup and Recovery

Objective Summary
5. Mirror Directories With the rsync The command rsync is used to
service synchronize the content of
directories, locally or remotely,
over the network.
rsync uses special algorithms to
ensure that only those files are
transferred that are new or have
been changed since the last
synchronization.
The basic command to
synchronize the content of two
local directories is the following:
rsync -a /home /shadow
To perform a remote
synchronization, use a command
like the following:
rsync -ave ssh
root@DA1:/home/tux /
backup/home/
6. Automate Data Backups with cron Because backups are recurring
tasks, they can be automated
with the cron daemon.
System jobs are controlled using
the file /etc/crontab and the files
in the directory /etc/cron.d.
The jobs are defined by the
scripts in the directories
/etc/cron.hourly, /etc/cron.daily,
/etc/cron.weekly and
/etc/cron.monthly.
The following is an example of a
job entry:
0 22 * * 5 /bin/backup

Version 1 Copying all or part of this manual, 5-41

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
7. Troubleshoot the Boot Process of A SLES 9 installation can be
a SLES 9 System prevented from booting normally
if
■ The system cannot boot due to
a misconfigured boot loader.
■ The system cannot boot
because of a file system
corruption.
■ An init script malfunctioned
and is blocking the boot
process.
■ The system does not start
correctly because of hardware
changes.
When a system is not booting
any more, you can do the
following to access the file
system of the corrupted system:
■ Boot a corrupted system
directly into a shell.
■ Boot a corrupted system with
the installation media.
■ Start and use the SLES 9
Rescue System.

5-42 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Backup and Recovery

Objective Summary
8. Configure and Install the GRUB The most important configuration
Boot Loader file for GRUB is
/boot/grub/menu.lst.
The file contains a general
section at the beginning and a
section for every operating
system.
A section for a Linux operating
system contains at least the
following options:
title
This is the title of the system that
is displayed in the boot menu.
Kernel
This option specifies the location
of the Linux kernel.
Root
This option sets the root partition
of the system.
Initrd
This option points to the initrd file
of the system.

Version 1 Copying all or part of this manual, 5-43

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

5-44 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

SECTION 6 Create Shell Scripts

In this section, you learn about the basic scripting elements and
structures of the shell programing language.

Objectives
1. Use Basic Script Elements
2. Use Variable Substitution Operators
3. Use Control Structures
4. Use Advanced Scripting Techniques
5. Learn About Useful Commands in Shell Scripts

Version 1 Copying all or part of this manual, 6-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
The Linux shell can control the system with commands and perform
file operations or start applications. You can also create a file that
includes several shell commands and start this file like a
application.

This type of file is called a shell script. The following are several
reasons why you need to understand and create shell scripts:
■ You can automate many daily tasks with shell scripts. In many
cases this increases speed and convenience in everyday work.
■ The boot procedure and many other system functions are
controlled by shell scripts. To understand and manipulate the
system behavior, you need a basic understanding of shell
programming.
■ Shell programming is relatively easy to learn compared to other
programming languages.
■ A shell script runs on almost every UNIX-like operating system
and does not need to be adapted to other platforms.

There are also some disadvantages to using shell scripts:

■ Shell scripts are rather slow compared with other scripting
languages.
■ Shell scripts can use a lot of CPU power.

However, in most cases these disadvantages are not significant.

As you might have noticed, a Linux system offers different shell

types. Shell scripts that are developed for one shell can sometimes
be executed with a different shell, but this cannot be guaranteed.

For this reason, this section focuses on the Bash shell, which is the
default shell in SLES 9.

As with all programing languages, shell scripting is learned best by

actually writing code.

6-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

The exercises in this section include a description of a script that

needs to be written. At the end of the section are the solutions to the
exercises. We recommend attempting to create the script, and then
comparing your script to the solution to understand the scripting
concepts covered.

You can find all these scripts on the 3038 Course CD in the
directory /exercises/section_6. By using these scripts as a template,
you can customize them to meet the needs of your production
environment.

Although shell programing can be difficult at first, it becomes easier

as you using the shell scripting language to automate tasks on your
own system.

Normally, there is not enough time during instructor-led training for

students to complete all scripting exercises.

For classroom instruction, we recommend that students perform selected

exercises that are the most beneficial, then let the students complete the
remainder on their own outside of class.

Version 1 Copying all or part of this manual, 6-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 1 Use Basic Script Elements

The shell programming language is a powerful and complete
programing language. Before you can start to create scripts, you
need to become familiar with basic scripting techniques and
elements.

In this objective, you learn the following about the basics of the
shell programming language and how to create simple shell scripts.

This includes the following:

■ Create Flow Charts for Scripts
■ Understand the Basic Rules of Shell Scripting
■ Create Scripts That Read User Input
■ Perform Basic Script Operations with Variables
■ Use Command Substitution
■ Use Arithmetic Operations

Create Flow Charts for Scripts

Programming elements of a script are often visualized by using

program flow charts. Illustrating a program through a flow chart
provides the following benefits:
■ They force the author to lay down the steps the script should
perform to achieve the desired goal, making it clearer which
constructs need to be used.
■ They provide a clear symbolic outline of the algorithm, which
can be used as a guide during the programming process.

6-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

The following are typical symbols used to create flow charts:

Understand the Basic Rules of Shell Scripting

Before writing your first shell script, you should consider a few
points about scripting in general.

A shell script is basically an ASCII text file containing commands to

be executed in sequence. To allow this, it is important that
permissions for the script file are set to “r” (readable) and “x”
(executable) for the user that run its.

However, the execute permission is not granted by default to newly

created file. To assign this permission, you need to use a command
such as the following:
chmod +x script.sh

Version 1 Copying all or part of this manual, 6-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

You can also run the script from another shell with a command such
as the following:
sh script.sh

In this example, it is not necessary to make the script executable.

On SLES 9, /bin/sh is a link to /bin/bash. It doesn't really matter
whether you call the script with sh script.sh or bash script.sh.

Another important point is that the directory where the script is

located must actually be in the user´s search path for executables.

A good way to deal with this is to create a /bin directory for scripts
under each user´s home directory. Then you can add this directory
to the user's search path by adding a line such as the following to
your ~.bashrc:
export PATH=$PATH:~/bin

Otherwise, shell scripts must be started with the full pathname.

When naming script files, it is a good idea to add an .sh extension to

the filename. This ensures that the file can easily be recognized as a
shell script.

If you do not add the suffix, you need to make sure the filename is
not identical to existing commands. For example, a common
mistake is to name a script test.

The basic structure of a shell script can be illustrated with a simple

program that does nothing more than print the message “Hello
world.”

6-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

The following is the flow chart for the script:

The script consists of three elements:

■ The program start
■ The action to print out “Hello world”
■ The program stop

The following illustrates the 3 elements with the corresponding

script code on the right:

Before looking closer at each of the 3 elements, you need to

understand that the general rules for creating shell scripts, as
explained in this section, can be applied to any conceivable script.

Version 1 Copying all or part of this manual, 6-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following describes the 3 elements of the script:

■ Start. The first line of any shell script must be the shebang
(such as #!/bin/bash). This line specifies the shell program to
be called to execute the script. As with any other program, a
subshell is started to run the script.
The script´s start section should also include a comment
describing what the script does. A comment is introduced with a
# character in shell scripts.
It is also a good idea to include the name of the author, the date,
and the version number of the script. Also, any variables and
functions used in the script should be defined at the top of the
script.
■ Commands. The sample script above includes the echo
command as the only one executed (to print the “Hello world”
greeting). Shell scripts in general rely on the echo command as
the most common solution to display information on the screen.
■ Stop. Before the script ends, it might be necessary to do some
cleanup. For example, you might want to remove any temporary
files created by the script.
As the very last step, you should define the script´s exit status
with an exit value. This informs the parent process how the
script was terminated. The exit status as returned by the script
can be queried afterward with echo $?.

Every script that you write should use this basic structure.

6-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise 6-1: Produce Output from a Script

Do the following:

1. Write a script that outputs “Hello world.” Use the following

command in the script:
echo -e "\aHello\nworld"

2. Find out the purpose of the \a, the \n and the -e options (try
accessing the man pages).

3. Compare your solution with the script at the end of the section.

This script is also available as hello.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

Version 1 Copying all or part of this manual, 6-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Develop Scripts That Read User Input

One way create scripts that read user input is to use the read
command. The read command takes a variable as an argument and
stores the read input in the variable. The variable can then be used
to process the user input.

The following example reads user input into the variable with the
name VARIABLE:
read VARIABLE

The script pauses at this point, waiting for user input until the Enter
key is pressed. To tell the user to enter something, you need to print
(echo) a line with some information, such as the following:
echo "Please enter a value for the variable:"
read VARIABLE

The following flow chart illustrates the structure of a script that

reads user input:

First, the script produces some output with echo to ask the user to
enter something. Then the read command waits until the input is
provided to store it in the variable VARIABLE. At the end the
content, the variable is printed out with echo.

6-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise 6-2: Read User Input

Do the following:

1. Create a simple shell script that prompts the user to enter her
first and last name, and then greets the user with her full name.

2. Compare your solution with the script at the end of the section.

This script is also available as name1.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

Version 1 Copying all or part of this manual, 6-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Perform Basic Script Operations with Variables

In this part of the section, you learn how to uses variables in shell
scripts.

The following flowchart and script show how a string value can be
assigned to a variable:

You want to read the user´s first and last name and then print both
names to the screen. However, this time you create a variable called
NAME, which holds both the first and the last name.

6-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

The following is an interesting line in the script:

NAME=”$FIRSTNAME $LASTNAME”

This line shows how you can combine two variables, in this case,
FIRSTNAME and LASTNAME, and assign the combined value to
another variable, in this case, NAME.

In this example, you can also see another rule of the variable
handling in shell scripts. If you assign a value to a variable, you use
just the name of the variable, in this case, NAME=.

If you want to use the value of a variable, put a $ before the name,
in this case, $FIRSTNAME.

It is often useful to assign a default value to a variable. This might

prevent errors, if the user has entered a value that cannot be
interpreted in a meaningful way.

If the variable FIRSTNAME is empty, the default value FLORIAN

is used instead, as in the following:
NAME=${FIRSTNAME:=”FLORIAN”}

Version 1 Copying all or part of this manual, 6-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-3: Simple Operations with Variables

Do the following:

1. Modify your script from Exercise 6-2 so that it reads the user's
first and last name, combines both in one variable, and outputs
the variable.

2. Compare your solution with the script at the end of the section.

This script is also available as name2.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Use Command Substitution

The term command substitution basically means that the output of a

command is used in a shell command line or a shell script.

In the following example, the output of the command date is used to

generate the output of the current date.
#!/bin/bash

echo "Today is `date +%m/%d/%Y`"

An important thing to remember is that the command date +%m/%

d/%Y is included in backticks (` ... `).

Instead of printing the output of a command to the screen with echo,

it can also be assigned to a variable, as in the following:
#!/bin/bash

TODAY=`date +%m/%d/%Y`
echo "Today is $TODAY"

In this case, the output of date is assigned to the variable TODAY,

and then TODAY is printed to the screen with echo. Make sure that
there are no spaces before or after the equal sign.

Version 1 Copying all or part of this manual, 6-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-4: Use Command Substitution

Do the following:

1. Create a shell script that outputs the current login name and the
current working directory.
The output of the commands whoami and pwd should be read
into variables with the variables printed to the screen.

2. Compare your solution with the script at the end of the section.

This script is also available as info.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Use Arithmetic Operations

Shell scripts often use values assigned to variables for calculation.

There are several ways to implement this.

The Bourne shell is limited in this regard, but it can perform such
operations by relying on external commands (such as expr).

The Bash shell comes with built-in support for arithmetic

operations, but there are some limitations to this as well.
Specifically, the arithmetic capabilities of Bash are limited in the
following ways:
■ Only operations with whole numbers (integers) can be
performed.
■ All values are signed 64-bit values. Thus, possible values range
from -263 to +263 -1.

So even when using Bash, you might need to use external

commands, such as bc for floating-point calculations.

The following paragraphs list all the possible methods and formats
for arithmetic operations. All of them use this sample operation:
A=B+10

■ Use the external command expr (Bourne shell compatible)

A=`expr $B + 10`

Since an external command is used, this method will also work

with the Bourne shell. Scripts using external commands will
always perform slower than those relying on built-in
commands.
■ Use the Bash built-in command let
let A="$B + 10"

In Bash, you can use the let command to perform an arithmetic

expression.

Version 1 Copying all or part of this manual, 6-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Use arithmetic expressions inside parentheses or brackets

(two different formats)
A=$((B + 10))

A=$[B + 10]

Arithmetic expressions can be enclosed in double parentheses

or in brackets for expansion by Bash. Both $((. . .)) and $[. . .]
are possible, but the latter is considered deprecated and should
be avoided.
■ Use the built-in command declare
declare -i A
declare -i B
A=B+10

This declares a variable as an integer.

If all the variables involved in a calculation have previously
been declared as integers through declare -i, arithmetic
evaluation of these variables happens automatically when a
value is assigned to them.
This means that the variable B, for instance, does not have to be
prefixed with the $ to be evaluated.

With the expr command, only the following five operators are
available: + , - , * , / , and %. Additional operators (which are
identical to those of the C programming language) can be used with
all of the above Bash formats.

For a complete list, consult the man page for bash.

It makes sense to limit yourself to using one of the described

possibilities. As far as Bash is concerned, a good choice might be to
only use the declare command, since it makes the best use of the
available features.

6-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise 6-5: Use Arithmetic Operations

Do the following:

1. Review the following flowchart:

2. Write a shell script that reflects the above flowchart.

3. Modify the script to use the other fundamental arithmetic

operations (subtraction, multiplication, division).

4. Find out what happens if

■ The user enters a word for each number.
■ The user enters nothing (presses Enter) at each prompt.

5. Compare your solution with the script at the end of the section.

This script is also available as sum.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

Version 1 Copying all or part of this manual, 6-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 2 Use Variable Substitution Operators

In Bash, you can use special variable substitution operators to
assign different values to variables without having to rely on
external commands.

For example, these special substitution operators allow changing

variables by deleting certain patterns in their values and returning
the rest.

They also allow you to set a default for a variable for situations
where no value can be assigned to it.

The following variable substitutions are possible:

Substitution Operator Description

${variable-value} Returns value if the variable
does not exist.
${variable=value} Assigns value to the variable
and returns value if the variable
does not exist.
${variable+value} Returns value if the variable
exists.
${#variable} Returns the number of
characters in the value of
variable.
${variable#pattern} Deletes the shortest part
matched by pattern from the
beginning of the variable's value
and returns the rest.
${variable##pattern} Deletes the longest part
matched by pattern from the
beginning of the variable's value
and returns the rest.

6-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Substitution Operator Description

${variable%pattern} Deletes the shortest part
matched by pattern from the end
of the variable's value and
returns the rest.
${variable%%pattern} Deletes the longest part
matched by pattern from the end
of the variable's value and
returns the rest.

The substitution operators returning or setting a default value (- , = ,

and +) can also be prefixed with a colon so that substitution
happens if the variable does not exist of if it exists but has a null
value (is empty).

The following are some examples of how to use the substitution

operators:
tux@DA1:~> echo $VAR

tux@DA1:~> echo ${VAR-value}

value

tux@DA1:~> echo $VAR

tux@DA1:~> echo ${VAR=value}

value

tux@DA1:~> echo $VAR

value

tux@DA1:~> VAR=
tux@DA1:~> echo ${VAR=value}

tux@DA1:~> echo ${VAR:=value}

value

tux@DA1:~> echo $VAR

value

tux@DA1:~> echo ${VAR+VaLue}

VaLue

Version 1 Copying all or part of this manual, 6-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-6: Use Variable Substitution

Do the following:

1. Write a script that asks the user for a filename, and then
performs a search for that filename using the command find.

Use a variable substitution to assign a default value for the

filename (such as *.bak) in case the user enters nothing.

2. Compare your solution with the script at the end of the section.

This script is also available as find.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Objective 3 Use Control Structures

Using the scripting techniques you have learned so far, you can only
develop scripts that run sequentially from the beginning to the end.

In this objective, you learn how to use control structures to make the
execution of parts of your script dependent on certain conditions or
to repeat script parts.

To use control structures, you need to know how to do the

following:
■ Create Basic Branches With the if Command
■ Build Multiple Branches With the case Command
■ Create Loops Using the while and until Commands
■ Process Lists With the for Command
■ Interrupt Loop Processing

Creat Basic Branches With the if Command

You can use the if command to perform certain actions in your

script that depend on a condition.

The following is the basic usage of the if command:

if condition
then
commands
fi

The if statement can be extended with an optional else statement, as

in the following:
if condition
then
command1
else
command2
fi

Version 1 Copying all or part of this manual, 6-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

In a program flow chart, a branch created with an if statement can

be represented like the following:

A branch of this type must begin with if and end with fi. Command1
is only executed if the condition is true.

If the return code of a command is used as condition, the exit code

zero (success) represents true. If the exit status is not zero or the
condition is not true, the shell goes to the end of the branch or, if an
else statement is present, to the else statement.

When you use these control structures in a shell script, individual

commands (such as if, then, and fi) must follow immediately after a
command separator.

In the above case, the separator is a new line. The separator could
also be a semicolon, which would allow you to enter the same if
statement as one command, as in the following:
if condition; then commands; fi

6-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

The following example uses a sample script to explain how an if

branch works:

This script asks the user to enter his date of birth; if that happens to
be today, the script congratulates him on his birthday. It does
nothing if his birthday is another day.

There are a number of items to consider when writing this script.

From the flow chart, it should be obvious that the script consists of
2 basic steps:
■ Prompt the user to enter the date of birth.
■ Compare the date as entered by the user with the current date. If
the dates are the same, the user sees “congratulations.” If they
are not equal, nothing appears.

The branch is the actual mechanism that compares the current date
and the date of birth.

Version 1 Copying all or part of this manual, 6-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Before the comparison can be performed, both dates must be

available in the same format. The user should be asked to specify
the date of birth in a suitable format.

You need to know the format in which the system obtains the
current date. The obvious choice to get a date string is with the
command date.

The command date + %m-%d returns the current date in the form
month-day, as in the following:
date + %m-%d
06-21

This format should also be used for the birth date the user is
requested to enter:
echo "Please enter your date of birth (YYYY-MM-DD, for
instance 1978-06-21): "
read BIRTHDAY

The second part of the listing consists of several items. To check if

the user´s birthday is today, 2 dates must be compared: the birthday
and the current date.

The user´s birthday is stored in the variable BIRTHDAY. The

current date must also be stored in a variable for the comparison.
This can be done using command substitution, as in the following:
TODAY=`date + %m-%d`

A closer examination of the comparison reveals that the values in

the variables cannot be compared with each other (BIRTHDAY:
1973-12-21, TODAY: 09-24). Therefore, the dates must be
compared without the year.

To do this, the variable substitutions of the Bash shell can be used to

truncate the year from the date. The first part of the script should
look like the following:
#!/bin/bash
echo "Please enter your date of birth (YYYY-MM-DD, for
instance 1978-06-21): "
read BIRTHDAY
BIRTHDAY=${BIRTHDAY#*-}
TODAY= date + %m-%d

6-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Now you can compare the two values with the help of an if branch.
Most variables are compared using the test command. The test
command is followed by a string condition such as
test $VARIABLE1 = $VARIABLE2.

If the condition is met (if the value of VARIABLE1 is identical to

the value of VARIABLE2), test returns a zero to indicate success.

So the second part of the shell script could look like this:
if test "$BIRTHDAY" = "$TODAY"
then
echo "Tada! Happy birthday to you! Nice presents
awaiting you ..."
else
echo "Sorry to disappoint you, no presents today ..."

fi

Finally, you want the script to use the exit command to finish with a
certain exit status, which depends on whether today is the user´s
birthday. This is implemented by defining yet another variable, as in
the following:
if test "$BIRTHDAY" = "$TODAY"
then
echo "Tada! Happy birthday to you! Nice presents
awaiting you ..."
STATUS=0
else
echo "Sorry to disappoint you, no presents today ..."

STATUS=1
fi
exit $STATUS

Several if branches are often nested in each other. The command

elif, which represents a more compact way of writing the command
sequence else if, is useful for the following kind of structures:
if condition1
then
command1
elif condition2
command2
else
command3
fi

Version 1 Copying all or part of this manual, 6-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The elif command is illustrated in the following:

There are several ways to use the Bash shell to successively execute
several commands. This includes using the separators && and ||,
which make it possible to execute a second command depending on
the success or failure of the first, as in the following:
command1 && command2
command1 || command2

■ The && separator executes command2 if the command1 exits

with success.
■ The || separator executes command2 if the command1 exits with
a failure.

These separators can also be understood as short forms of an if

branch.

This means that the following structure:

if test -e file
then
. file
fi

6-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

can be condensed into the following command line:

test -e file && . file

Whenever the comparison is a simple one as in the example above,

you can replace the relatively complex if. . .then. . .fi structure with
a command line that uses && or || to chain the commands.

Version 1 Copying all or part of this manual, 6-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-7: Use the if Command

Do the following:

1. Write a shell script that checks for the existence of a given file,
and if the file is executable.

A message should be displayed for each of the following

scenarios:
■ The file does not exist.
■ The file exists.
■ The file exists and is executable.
You can use the command test -x to check whether a file is
executable.

2. Compare your solution with the script at the end of the section.

This script is also available as file_check.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Build Multiple Branches With a case Statement

You can create multiple branches with case. In a case statement, the
expression contained in a variable is compared with a number of
expressions, and a command is executed for each expression
matched.

A case statement has the following structure:

case $variable in
expression1) command1;;
expression2) command2;;
esac

In a flow chart, multiple branching with case looks similar to a

simple branch created with if:

Version 1 Copying all or part of this manual, 6-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following is an example of how a multiple branch works:

#!/bin/bash
cat << EOF
Name me an animal and I will tell you how many legs
it has!
EOF

read CREATURE
case "$CREATURE" in
dog | cat | mouse ) echo "A $CREATURE has 4 legs."
;;
bird | human | monkey ) echo "A $CREATURE has 2
legs."
;;
spider ) echo "A $CREATURE has 8 legs."
;;
fly ) echo "A $CREATURE has 6 legs."
;;
* ) echo "I haven t the faintest idea how many
legs a(n) $CREATURE has."
;;

esac
exit 0

This script prompts the user to enter the name of an animal. The
name is then stored in a variable and compared with a number of
possible matches. For the matches found, the script tells the user
how many legs the animal has.

To allow for several expressions to be matched within one and the

same branch, several expressions can be listed on one line with a |
symbol as a separator.

The user input is read and assigned to the CREATURE variable.

The case statement then compares this value against each of the
expressions provided as alternatives. For instance, if the user enters
cat, the script prints the matching sentence that says that this animal
has four legs.

The asterisk (*) is often used as the last expression to be evaluated

to cover all cases not matched by the other alternatives. The
corresponding message states that the number of legs is not known.

6-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

It is important that the expressions provide for an exact match of

any allowable expression. For instance, if someone entered Dog
instead of dog, the script will not know the number of legs for this
strange kind of animal.

For this reason, it is useful to supply the possible alternatives

beforehand, as in the following:
...

case "$CREATURE" in
[dD]og | [cC]at | [mM]ouse )

...

You can provide such alternatives in brackets, in the same way as

the shell´s filename expansion mechanism.

Version 1 Copying all or part of this manual, 6-33

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-8: Use the case Command

Do the following:

1. Create an example (not a complete script) to show how a script

can use a case statement to process a user's answer to a Yes/No
question. Include the responses as “yeah” and “nope.”

2. Compare your solution with the example at the end of the

section.

This example t is also available as yes_no.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-34 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Create Loops Using the while and until Commands

The purpose of a loop is to test a certain condition and to execute a

given command while the condition is true (while loop) or until the
condition becomes true (until loop).

The following is the structure of a while loop:

while condition
do
commands
done

The following is a structure of until loop:

until condition
do
commands
done

The following illustrates the loop constructs:

These loops actually rely on the exit status of a terminating

condition: a while loop remains operative as long as the condition's
exit status is zero (path B in the flow chart), but an until loop is
terminated if the status is zero (path A in the flow chart).

Version 1 Copying all or part of this manual, 6-35

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

A while loop is terminated when the exit status becomes nonzero

(when the condition is not true), but an until loop is operative as
long as the status is nonzero.

6-36 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise 6-9: Use the while and until Commands

Do the following:

1. Create a script that performs a simple while loop 100 times. In

every iteration, the number of the current iteration should be
printed to screen.

2. Write a second script which uses until instead of while.

3. Compare your solution with the script at the end of the section.

These scripts are also available as counter1.sh and counter2.sh in the

directory /exercises/section_6 on your 3038 Course CD.

(End of Exercise)

Version 1 Copying all or part of this manual, 6-37

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Process Lists with the for Loop

The purpose of a for loop is to process a list of elements. It has the

following syntax:
for variable in element1 element2 element3
do
commands
done

A for loop executes the given commands once for every element on
the list, and the value of the variable matches one list element with
each loop iteration. The list itself is often created through command
substitution.

If the for command is not accompanied by a list of elements, the

loop will be executed with the contents of the variables $1, $2, $3,
and so on. These elements represent the command line parameters
that are passed to the script.

As with similar constructs, a command separator must immediately

precede the do and done parts of the for loop. This means that a for
loop can be entered in 2 different ways:
for i in 1 2 3 4 5 6 7 8
do
ping -c1 DA$i
done

In the example above, the command separator is a line break and the
loop is started only after entering the final done.

You could use a semicolon as a separator instead, In this case, the

same loop looks like the following:
for i in 1 2 3 4 5 6 7 8; do ping -c1 DA$i; done

If you want to use a range of numbers in your for loop, you can use
the following C-Style syntax:
LIMIT=10

for ((a=1; a <= LIMIT ; a++))

do
echo -n "$a "
done

6-38 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

In this example, the variable a is a count from 1 to 10. The for

expression contains the following 3 elements:
■ a=1. This determines the start value for a.
■ a <= LIMIT. This is the condition when the for loop should be
terminated; in this case, when the a variable reaches the value
determined by the LIMIT variable (in this example, the value
10).
■ a++. This command adds 1 to the a variable for every pass of
the for loop.

Version 1 Copying all or part of this manual, 6-39

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-10: Use the for Loop

Do the following:

1. Create a shell script that renames all files in the current

directory with uppercase letters transformed to lowercase.

Hints:

■ Use the command find . -type f -maxdepth 1 to find all

files in the current directory.
■ You can use the command tr [A-Z] [a-z] to convert
uppercase letters to lowercase.
■ If you don´t know how to start, have a brief look at the
solution at the end of the section.
■ Test your script in a directory that does not contain
important files.

2. Compare your solution with the script at the end of the section.

This script is also available as lowercase1.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-40 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Interrupt Loop Processing

Use the continue command to exit from the current iteration of a

loop (while, until, for, and select) and resume with the next iteration
of the loop.

This allows a script to test for an additional condition with each

iteration without stopping completely (as a result of the terminating
condition becoming true, for instance).

The following is an example of using the continue command:

for FILE in ls *.mp3
do
if test -e /MP3/$FILE
then
echo "The file $FILE exists."
continue
fi
cp $FILE /MP3
done

This script writes a backup copy of all files ending with .mp3 to the
directory /MP3/ unless there is already a file with the same name in
that directory. If there is, the script prints a message stating that the
file already exists and exits from the current loop iteration.

The break command is another way to introduce a new condition

within a loop. Unlike continue, it causes the loop (not the current
loop iteration) to be terminated completely if the condition is met.

Version 1 Copying all or part of this manual, 6-41

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 6-11: Interrupt Loop Processing

Do the following:

1. Modify the script from Exercise 6-10 so that existing files in the
current directory are not overwritten.
Use continue to interrupt the iteration over the files in the
directory if a file with the target name already exists.

2. Compare your solution with the script at the end of the section.

This script is also available as lowercase2.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-42 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Objective 4 Use Advanced Scripting Techniques

In this objective, you learn the following advanced scripting
techniques that can help you solve common problems of script
development:
■ Use Shell Functions
■ Read Options with getopts

Use Shell Functions

Sometime you need to perform a task multiple times in a shell

script. Instead of writing the same code again and again, you can
use functions.

Shell functions act like script modules because they make an entire
script section available with a single name. Shell functions are
normally defined at the beginning of a script. You can store several
functions in a file and include this file whenever the functions are
needed.

The following is the basic syntax of a function:

functionname () {
commands
commands
}

The following generates a function with the function command:

function functionname {
commands
commands
}

The function name can be composed of any regular character string

that then can be used to call the function.

Version 1 Copying all or part of this manual, 6-43

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following is a simple function that creates a directory and then

changes to that directory:
# mcd: mkdir + cd; creates a new directory and
# changes into that new directory right away

mcd (){
mkdir $1
cd $1
}

After having been created, this function can be called in a shell

scripts, as in the following:
...
mcd directory
...

The parameter directory is called an argument. Within a function,

arguments can be accessed with the variables $1, $2, $3, and so on,
depending on the number of arguments passed to the function.

The following function can be used to create a pause in a script. The

script resumes only after the Enter key is pressed:
# pause: causes a script to take a break

pause (){
echo "To continue, hit RETURN."
read q
}

You can also create functions that stop their processing from within,
similar to exiting a loop (iteration) with the commands break and
continue.

To exit a function, use the command return. If return is called

without an argument, the return value of the function is identical to
the exit status of the last command executed in that function.
Otherwise, the return value is identical to the one supplied as an
argument to return.

6-44 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise 6-12: Use Shell Functions

Do the following:

1. Review the following shell function:

# Prompt the user to answer with "yes" or "no.”
# The question itself is supplied as an argument
# when calling the function, for example:
# "yesno Do you want to continue?"

yesno (){
while true
do
echo "$*"
echo "Please answer by entering (y)es or (n)o:"
read ANSWER
case "$ANSWER" in
[yY] | [yY][eE][sS] )
return 0
;;
[nN] | [nN][oO] )
return 1
;;
* )
echo "I cannot understand you over here."
;;
esac
done }

This function asks the user to enter y or n. Depending on the

answer, the function returns 0 or 1. If the answer is wrong, an
error message is displayed.
The command echo "$*" is used to print a question, which is
passed as a parameter to the function.

2. Use the above yesno function to write a script that lets the
system administrator delete user accounts. The script should
prompt for the account to delete, and then asks whether the
user's home directory should also be deleted.
If the question is answered with no, the script should change
the user and group ownership of the corresponding home
directory to root.
After doing so, the script should use the yesno function again to
ask whether the administrator really wants to delete the account.

Version 1 Copying all or part of this manual, 6-45

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Use the commands userdel and chown in the script to perform

the necessary tasks.
You can assume that the home directory of the user is always
located in /home and that the name of the directory is the same
as the login name of the user.

3. Test your solution by adding a user account (enter useradd -m

tux2) and deleting it.

4. Compare your solution with the script at the end of the section.

This script is also available as userdel1.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

6-46 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Read Options with getopts

With the shell built-in command getopts, you can extract the options
supplied to a script on the command line. The shell interprets
command-line arguments as command options only if they are
prefixed with a - (the default when using the shell interactively).

This makes it possible to place options in different positions on the

command line and to supply them in an arbitrary order.

This means that the following command:

cp -dpR *.txt texts/

achieves the same thing as the command

cp -R *.txt -d texts/ -p

getopts recognizes options in the same way. The following is the

getopts syntax:
getopts optionstring variable

The optionstring describes all options to be recognized. For

instance, getopts abc declares a, b, and c as the options to be
processed.

If a parameter is expected for the option (such as -m maxvalue), the

corresponding option must be followed by a : in the string (as in
getopts m:).

The option string is followed by a variable to which all the

command-line options specified are assigned as a list.

Version 1 Copying all or part of this manual, 6-47

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The getopts command is mostly frequently used in a while loop

together with case to define which command to execute for a given
option, as in the following:
while getopts abc: variable
do
case $variable in
a ) echo "The option -a was used." ;;
b ) echo "The option -b was used." ;;
c ) option_c="$OPTARG"
echo "Option c has been set." ;;
esac
done

echo $option_c

If the option -a or -b is used, the script prints out a message that the
corresponding option was used. If the option -c value is used, the
value is assigned to the variable option_c, which is printed to the
screen at the end of the script.

The parameter of an option can be accessed with the variable

OPTARG.

6-48 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise 6-13: Use the getopts Command

Do the following:

1. Modify the script from Exercise 6-12 so that it does not prompt
the user for input. Instead, the script should use the following
options:
■ -u username. This option determines the user which shall
be deleted.
■ -r. If this option is set, the home directory should be
removed. If this option is not set, the owner of the home
directory should be set to root.

2. Test you solution by adding a user account (enter useradd -m

tux2) and deleting it.

3. Compare your solution with the script at the end of the section.

This script is also available as userdel2.sh in the directory

/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

Version 1 Copying all or part of this manual, 6-49

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 5 Learn About Useful Commands in Shell

Scripts
You can use external commands in shell scripts to perform certain
tasks. In this objective, you learn how to
■ Use the cat Command
■ Use the cut Command
■ Use the date Command
■ Use the echo Command
■ Use the Commands grep and egrep
■ Use the sed Command
■ Use the test Command
■ Use the tr Command

Use the cat Command

When combined with the here operator ( << ), the cat command is a
good choice to output several lines of text from a script. In
interactive use, the command is mostly run with a filename as an
argument, in which case cat prints the file contents on standard
output.

Use the cut Command

You can use the cut command to cut out sections of lines from a
file, so only the specified section is printed on standard output.

The command is applied to each line of text as available in a file or

on standard input. You can use cut -f to cut out text fields. cut -c
works with the specified characters.

6-50 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

You can specify single sections (characters or fields) or several

sections. The default delimiter to separate fields from each other is a
tab, but you can specify a different field separator with the -d
option.

The following are some examples of using cut:

cut -d : -f1 /etc/passwd
root
bin
daemon
lp
mail
news

The above command specifies that the field separator should be a

colon. In every line of /etc/passwd, the field that comes before the
first colon is taken and printed to stdout.
ls -l somedir/ | cut -c 35- | sort -n
687 Sep 20 17:06 file2
2199 Sep 20 17:05 file1
6593 Sep 20 17:06 file3

The above command takes the output of the ls command and cuts
out everything from the thirty-fifth character. This is piped to sort,
so the final output is sorted according to file size.

Use the date Command

You can use the date command whenever there is a need to obtain a
date or time string for further processing by a script. Without any
options specified, the command´s output looks like the following:
date
Fre Sep 03 14:18:12 CEST 2004

Version 1 Copying all or part of this manual, 6-51

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The date command lets you change the output format in almost
every detail. With the -I option (as in the following), date prints the
date and time in ISO format (which is the same as if the options had
been +%Y-%m-%d):
date -I
2004-09-03

date +%m-%d %H:%M

09-03 14:19

date +%D, %r
09/03/02, 02:19:58 PM

date +%d.%m.%y
03.09.02

date +%d.%m.%Y
03.09.2004

date +%e.%-m.%y, %l.%M %p

3.9.02, 2.20 PM

date +%A, %e. %B %Y

Friday, 3. September 2004

To view a list with all the possible format options for date, see man
date. In any case, you should be able to customize the output to
exactly match the requirements of your script.

Use the echo Command

The echo command, which exists both as a shell built-in command

and as an external command, prints text lines on standard output. A
line break is inserted automatically after each line. When called
with the -e option, echo accepts a number of additional options.

The following are some of the special sequences recognized by

echo when run with the -e option:
■ \a. Outputs an alert (sounding the bell). This does not work in
the KDE Konsole.
■ \c. Do not add a new line at the end of the output.
■ \n. Add a new line (line break).

6-52 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

The cat command is preferred over echo to output a text file or

several lines of text.

Use the Commands grep and egrep

The command grep and its variant egrep are used to search files for
certain patterns, and use the following syntax:
grep searchpattern filename ...

The command prints lines that contain the given search pattern. You
can specify several files, in which case the output will print the
matching line and the corresponding filenames.

Several options are available to specify that only the line number
should be printed, for instance, or that the matching line should be
printed together with leading and trailing context lines.

Search patterns can be supplied in the form of regular expressions,

although the bare grep command is limited in this regard.

To search for more complex patterns, use the egrep command,

which accepts extended regular expressions. As a simple way to
deal with the difference between the two variants, make sure you
use egrep in all of your shell scripts.

The regular expressions used with egrep need to be in accordance

with the standard regex syntax.

To avoid having special characters in search patterns interpreted by

the shell, enclose the pattern in quotation marks, as in the following:
tux@DA1:~> egrep (b|B)lurb file*
bash: syntax error near unexpected token |

tux@DA1:~> egrep "(b|B)lurb" file*

file1:blurb
file2:Blurb

Version 1 Copying all or part of this manual, 6-53

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Use the sed Command

The sed program is a stream editor, an editor used from the

command line rather than interactively. sed performs text
transformations on a line-by-line basis.

You can specify sed commands either directly on the command line
or in a special command script loaded by the program on execution.

The following is the syntax for the sed command:

sed editing-command filename

The available editing commands are single-character arguments

such as the following:
■ d. Delete
■ s. Substitute (replace)
■ p. Output line
■ a. Append after

As with other commands, the output of sed normally goes to

standard output, but it can also be redirected to a file.

Each sed command must be preceded by an exact address or

address range specifying the lines to which the editing command
applies.

Apart from the single-character commands for text transformations,

you can also specify options to influence the overall behavior of the
sed program.

The following are some important command-line options for sed:

■ -n, --quiet, --silent. By default, sed will print all lines on
standard output after they have been processed. This option
suppresses the output so sed only prints those lines for which
the p editing command has been given to explicitly re-enable
printing.

6-54 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

■ -e command1 -e command2 .... This option is necessary when

specifying two or more editing commands. It must be inserted
before each additional editing command.
■ -f filename. With this option, a script file can be specified from
which sed should read its editing commands.

For many editing commands, it is important to specify the exact line

or lines that should be processed by the command. One of the more
frequently used address labels is $, which stands for the last line.

The following are 2 examples of the sed command:

sed -n ´1,9p´ somefile

This command prints only lines 1 through 9 on stdout.

sed ´10,$d´ somefile

This command deletes everything from line 10 to the end of the file
and also prints the first 9 lines of somefile.

You can use a regular expression to define the address or address

range for an editing command. Regular expressions must be
enclosed in forward slashes. If an address is defined with such an
expression, sed processes every line that includes the given pattern.

The following is an example of using regular expressions:

sed -n ´/Murphy.*/p´ somefile

This example prints all lines that have the pattern Murphy.* in them.

If you want sed to perform several editing commands for the same
address, you need to enclose the commands in braces, as in the
following:
sed ´1,10{command1 ; command2}´

Version 1 Copying all or part of this manual, 6-55

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following lists the most important editing commands available

for sed:

Command Example Editing Action

d sed 10,$d file
a sed ´a\
text\
text´ file
i sed ´i\
text\
text` file
c sed `2000,$c\
text ´ file
s sed s/x/y/option
y sed y/abc/xyz/
Delete line.
Insert text before the specified
line.
Replace specified lines with the
text.
Replace specified lines with the
text.
Search and replace. The search
pattern x is replaced with pattern
y. The search and the
replacement pattern are regular
expressions in most cases and
the search and replace behavior
can be influenced through
various options.
(yank) Replace every character
from the set of source characters
with the character that has the
same position in the set of
destination characters.

You can use the following options with the s command (search and
replace):
■ I. Do not distinguish between uppercase and lowercase letters.
■ g. Replace globally wherever the search pattern is found in the
line (instead of replacing only the first instance).
■ n. Replace the nth matching pattern only.

6-56 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

■ p. Print the line after replacing.

■ w. Write the resulting text to the specified file rather than
printing it on stdout.

The following are some examples of usingthe s command:

sed ´s/:/ /´ /etc/passwd

This command replaces the first colon in each line with a space.
sed ´s/:/ /g´ /etc/passwd

This command replaces all colons in all lines with a space.

sed ´s/:/ /2´ /etc/passwd

This command replaces only the second colon in each line with a
space.
sed -n ´s/\([aeiou]\)/\1\1/Igp´

This command replaces all single vowels with double vowels. The
example shows how matched patterns can be referenced with “\1” if
the search pattern is given in parentheses (which have to be
escaped). The I option ensures that sed ignores the case.

The g option causes characters to be replaced globally. The p option

tells sed to print all lines processed in this way.

Use the test Command

The test command exists both, as a built-in command and as an

external command. It is used to compare values and to check for
files and their properties (whether a file exists, whether it is
executable, and so on).

If a tested condition is true, test returns an exit status of 0; if the

condition is not true, the exit status is 1. In shell scripts, ttest is used
mainly to declare conditions to influence the operation of loops,
branches, and other statements.

Version 1 Copying all or part of this manual, 6-57

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following is the test syntax:

test condition

You can use the test command to do the following:

■ Testing whether a file exists. Some of the available options are:

Option Description
-e File exists
-f File exists and is a regular file
-d File exists and is a directory
-x File exists and is an executable file

■ Comparing 2 files. Some of the available operators are:

Option Description
-nt Newer than
-ot Older than
-ef Refers to the same inode (such as in the case of a
hard link)

■ Comparing two integers. The available operators are:

Option Description
-eq Equal
-ne Not equal
-gt Greater than
-lt Less than
-ge Greater than or equal
-le Less than or equal

6-58 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

■ Testing strings. The available operators are:

Option Description
test -z string Exit status is 0 (true) if the string has
zero length (is empty).
test string Exit status is 0 (true) if the string has
nonzero length (consists of at least one
character).
test string1 = string2 Exit status is 0 (true) if the strings are
equal.
test string1 != string2 Exit status is 0 (true) if the strings are not
equal.

■ Combined tests. The available operators are:

Option
test ! condition
test condition1 -a condition2
test condition1 -o condition2
Description
Exit status is 0 (true) if the
condition is not true
Exit status is 0 (true) if both
conditions are true
Exit status is 0 (true) if either
condition is true

For more detailed information about test, enter help test and man test (the
built-in test command and the external one have identical features).

Version 1 Copying all or part of this manual, 6-59

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Use the tr Command

The tr command translates (replaces) or deletes characters. It reads

from standard input and prints the result on standard output. With tr,
you can replace regular characters or sequences of such characters
and special characters like \t (horizontal tab) or \r (return).

A complete list of all special characters handled by tr is included in

the man page of the program.

The following is the standard syntax of tr:

tr set1 set2

The characters included in set1 are replaced with the characters

included in set2.

The following is an example of using the tr command:

cat text-file | tr a-z A-Z

This a command causes all lowercase characters in a file to be

changed to uppercase, and the result is printed to stdout.

You can use tr to delete characters from the first set by entering the
following:
tr -d set1

This will not translate anything; it only deletes the ones included in
set1, printing the rest to standard output.

The following is another example of using the tr command:

VAR=`echo $VAR | tr -d %`

In this example, tr deletes the percent sign from the original value of
VAR and the result is assigned as a new value to the same variable.

By entering a command like

tr -s set1 char

you can also use tr to replace a set of characters with a single

character.

6-60 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Exercise Answers

The following are answers to the exercises in this section.

Solution for Exercise 6-1:

Script: /exercise/section_6/hello.sh on your 3038 Course CD

#!/bin/bash
# This script prints a "Hello world" greeting
# Author: Tux Penguin
# Created: 8/22/2004

echo -e "\aHello\nworld"
exit 0

Solution for Exercise 6-2:

Script: /exercise/section_6/name1.sh on your 3038 Course CD

#!/bin/bash
# This script reads the users first and last name
# and then prints a greeting with the full name.
# Author: Tux Penguin
# Created: 8/22/2004

echo "Please enter your first name:"

# first name gets assigned to variable FIRSTNAME

read FIRSTNAME

echo "Please enter your last name:"

# last name gets assigned to variable LASTNAME

read LASTNAME

#Now print the greeting:

echo "Welcome to the club, $FIRSTNAME $LASTNAME"
exit 0

Version 1 Copying all or part of this manual, 6-61

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Solution for Exercise 6-3:

Script: /exercise/section_6/name2.sh on your 3038 Course CD

#!/bin/bash
# This scripts reads the users first and last name
# and then prints a greeting with this full name.
# Author: Tux Penguin
# Created: 8/22/2004

echo "Please enter your first name:"

# first name gets assigned to variable FIRSTNAME

read FIRSTNAME

echo "Please enter your last name:"

# last name gets assigned to variable LASTNAME

read LASTNAME

# create a new NAME variable

NAME="$FIRSTNAME $LASTNAME"

# Now print the greeting:

echo "Welcome back home, $NAME"

exit 0

Solution for Exercise 6-4:

Script: /exercise/section_6/info.sh on your 3038 Course CD

#!/bin/bash
# This script prints information about
# the current login
# and the current working directory.
# Author: Tux Penguin
# Created: 8/22/2004

login=`whoami`
path=`pwd`

echo "The current login is: $login"

echo "The current path is: $path"
exit 0

6-62 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Solution for Exercise 6-5:

This script uses all available methods for arithmetic operations.

Script: /exercise/section_6/sum.sh on your 3038 Course CD

#!/bin/bash
# This script lets the user specify two whole
# numbers and then adds them together. All kinds of
# arithmetic formats that are possible
# under Bash are used, one after another.
# Author: Tux Penguin
# Created: 8/22/2004

declare -i INTEGER1
declare -i INTEGER2
declare -i SUM

# read first integer

echo "Please enter first integer: "
read INTEGER1

# read second integer

echo "Please enter second integer: "
read INTEGER2

# this uses expr for Bourne shell compatibility:

RESULT=`expr $INTEGER1 + $INTEGER2`
echo "The expr command returns the result: $RESULT."

# this uses the Bash built-in let :

let RESULT="$INTEGER1 + $INTEGER2"
echo "The let built-in returns the result: $RESULT."

# this uses a Bash-specific arithmetic expression:

RESULT=$[$INTEGER1 + $INTEGER2]
#or:
#RESULT=$(($INTEGER1 + $INTEGER2))

echo "Using an arithmetic expression in Bash, the

result is: $RESULT."

# this one uses the variables declared as integers

#above:
SUM=INTEGER1+INTEGER2
echo "Using the variables declared as integers, the sum
is: $SUM."

exit 0

Version 1 Copying all or part of this manual, 6-63

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Solution for Exercise 6-6:

Script: /exercise/section_6/find.sh on your 3038 Course CD

#!/bin/bash
# This script searches for files in the current
# directory.
# The user is prompted to enter a filename;
# if no name is entered, we search for the default
# value anyway, which is set to "*.bak"
# Author: Tux Penguin
# Created: 8/22/2004

echo "Please enter the file to be searched for (default

is: *.bak):"
read FILE
find . -name "${FILE:="*.bak"}"
exit 0

Solution for Exercise 6-7:

Script: /exercise/section_6/file_check.sh on your 3038 Course CD

#!/bin/bash
# This script checks whether a file exists and if
# its executable
# Author: Tux Penguin
# Created: 8/22/2004

echo "Please enter a filename: "

read FILENAME

if test -e $FILENAME
then
if test -x $FILENAME
then
echo "The file exists and is executable."
else
echo "The file exists but is not executable."
fi
else
echo "The file does not exist."
fi

exit 0

6-64 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Solution for Exercise 6-8:

File: /exercise/section_6/yes_no.sh on your 3038 Course CD

case "$VARIABLE" in
[yY] | [yY][eE][sS] | [yY] [eE] [aA] [hH] )
... ;;
[nN] | [nN][oO] | [nN][oO][pP][eE] )
... ;;
* )
echo error message ;;
esac

Solutions for Exercise 6-9:

Script: /exercise/section_6/counter1.sh on your 3038 Course CD

#!/bin/bash
# A script to iterate over a simple "while" loop 100
# times.
# Author: Tux Penguin
# Created: 8/22/2004

declare -i COUNTER=1

while test $COUNTER -le 100

do
echo "The counter stands at $COUNTER."
COUNTER=COUNTER+1
sleep 1
done

exit 0

Script: /exercise/section_6/counter2.sh on your 3038 Course CD

#!/bin/bash
# A script to iterate over a simple “until” loop 100
times.
# Author: Tux Penguin
# Created: 8/22/2004

declare -i COUNTER=1

until test $COUNTER -gt 100

do
echo "The counter stands at $COUNTER."
COUNTER=COUNTER+1
sleep 1
done

exit 0

Version 1 Copying all or part of this manual, 6-65

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Solution for Exercise 6-10:

Script: /exercise/section_6/lowercase1.sh on the 3038 Course CD

#!/bin/bash
# This script renames all files in the current
# directory so that they have all lowercase file
# names.
# Author: Tux Penguin
# Created: 8/22/2004

for FILE in `find . -type f -maxdepth 1`

do
NEWFILE=`echo $FILE | tr [A-Z] [a-z]`
if test $FILE != $NEWFILE
then
echo mv $FILE $NEWFILE
fi
done

exit 0

Solution for Exercise 6-11:

Script: /exercise/section_6/lowercase2.sh on the 3038 Course CD

#!/bin/bash
# This script renames all files in the current
# directory so that they have all-lowercase file
# names.
# 2nd version: Now we also check whether the file
# already exists with lowercase lettering.
# Author: Tux Penguin
# Created: 8/22/2004

for FILE in `find . -type f -maxdepth 1`

do
NEWFILE=`echo $FILE | tr [A-Z] [a-z]`
if test $FILE != $NEWFILE
then
if test -e $NEWFILE
then
echo "There is already a file
with the name $NEWFILE."
echo "$FILE will not be renamed."

# Skip the rest and begin next loop iteration:

continue
fi
echo mv $FILE $NEWFILE
fi
done
exit 0

6-66 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Solution for Exercise 6-12:

For testing purposes, an echo is put before all important commands,

such as chown and userdel. There should be no spaces between
[yY][eE][sS]. The same is true of [nN][oO].

Script: /exercise/section_6/userdel1.sh on your 3038 Course CD

#!/bin/bash
# This script prompts for a user name and
# then deletes the corresponding account.
# Author: Tux Penguin
# Created: 8/22/2004
yesno (){
while true
do
echo "$*"
echo "Please answer by entering (y)es or (n)o:"
read ANSWER
case "$ANSWER" in
[yY] | [yY][eE][sS] )
return 0
;;
[nN] | [nN][oO] )
return 1
;;
* )
echo "I can't understand you over here."
;;
esac
done
}

read -p "Delete which user? " user

if yesno "Also delete home directory of $user?"

then
home=yes
fi

if yesno "Really delete user $user?"

then
if test "$home" = yes
then
userdel -r $user
else
home="/home/$user"
chown -R root.root $home
userdel $user
fi
fi

exit 0

Version 1 Copying all or part of this manual, 6-67

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Solution for Exercise 6-13:

Script: /exercise/section_6/userdel2.sh on your 3038 Course CD

#!/bin/bash
# This script prompts for a user name and then deletes
# the corresponding account. Optionally, the user's
# home directory is deleted as well.
# Author: Tux Penguin
# Created: 8/22/2004

while getopts u:r variable

do
case $variable in
u ) user="$OPTARG" ;;
r ) home=yes ;;
esac
done

if test "$home" = yes

then
userdel -r $user
else
home="/home/$user"
chown -R root.root $home
userdel $user
fi

exit 0

6-68 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Summary
The following is the summary of the objectives.

Objective Summary
1. Use Basic Script Elements ■ Before writing a shell script, it
is useful to draw a program
flow chart.
■ Before a file can be run as a
shell script, it must have both
read and execute permissions.
■ To produce some simple
output from a script, you can
use the echo command.
■ To read user input for
processing by a script, you can
use the read command.
■ There are several ways to
perform arithmetic operations
in a script:
■ Use the external command
expr.
■ Use the Bash built-in
command let.
■ Enclose arithmetic
expressions in double
parentheses for expansion
by the shell.
■ In Bash, arithmetic
operations can also be
performed with plain
variables, provided that
these have been declared
as integers before.

Version 1 Copying all or part of this manual, 6-69

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
2. Use Variable Substitution ■ In Bash, you can use special
Operators variable substitution operators
to assign different values to
variables without having to rely
on external commands.
■ These special substitution
operators allow changing
variables by deleting certain
patterns in their values and
returning the rest, for instance.
■ They also allow you to set a
default for a variable for
situations where no value can
be assigned to it.

6-70 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Objective Summary
3. Use Control Structures ■ Conditional statements in shell
scripts can be implemented
with an if branch.
■ For relatively simple
structures, you can also use
the command separators &&
and || to express the same
statement as a command line.
■ To take decisions with a
number of possible choices in
a script, create a multiple
branch with a case statement.
■ With the commands while and
until, create loops that depend
on certain terminating
conditions.
■ The for command allows you
to create loops to process a list
of elements.
■ There are 2 ways to influence
the operation of a loop:
■ With the break command,
a loop can be terminated
completely according to a
given condition.
■ The continue command
allows exiting from the
current iteration of a loop if
the condition is true.

Version 1 Copying all or part of this manual, 6-71

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
4. Use Advanced Scripting ■ If you anticipate that certain
Techniques command sequences will be
used more than once in a
script or if you want to make a
complex script easier to read
and understand, consider
defining shell functions for
certain routines.
■ A function normally comprises
a part of a script and makes it
available under a user-
definable name, such that the
script part can be executed
simply by stating this name
further below in the script.
■ Use the Bash built-in
command getopts to easily
extract command-line options
for shell scripts.
■ With the getopts command,
you can tell the script which
options it should recognize and
which action should be
triggered by a given option.

6-72 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Create Shell Scripts

Objective Summary
5. Learn About Useful You can use external commands
Commands in Shell Scripts in Shell scripts to perform certain
tasks.
The following is a list of
commonly-used commands:
■ cat
■ cut
■ date
■ echo
■ grep and egrep
■ sed
■ test
■ tr

Version 1 Copying all or part of this manual, 6-73

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

6-74 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

SECTION 7 Compile Software from Source

In this section, you learn how to compile and install software that is
available as source code.

Objectives
1. Understand the Basics of C Programing
2. Understand the GNU Build Tool Chain
3. Understand the Concept of Shared Libraries
4. Perform a Standard Build Process

Version 1 Copying all or part of this manual, 7-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
Although SLES 9 is shipped with software packages for almost all
purposes, you might want to install software from other sources.

Sometimes OpenSource projects or third-party vendors provide

RPM packages that are made for SLES 9 and can be installed with
the RPM command line tool or with YaST.

In many cases, however, open source projects provide only tar

archives with the source code of an application. In this section you
learn how to compile and install software from these source
archives.

7-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Objective 1 Understand the Basics of C Programming

Most applications (and the Linux kernel) are written in the C or
C++ programming language. To compile and install software from
source achieves, it is useful to have a basic understanding of C and
the steps which are necessary to turn program code into an
executable file.

The C++ language is considered the successor of C. The syntax of C++ is

very similar to C, but C++ lets you create object-oriented code. However,
many applications and the Linux kernel are still written in C.

In this objective, you learn the following C programming basics:

■ The Difference Between Source Code and an Executable
■ The Structure of a Simple C Program
■ How to Compile a Simple C Program

The Difference Between Source Code and an

Executable

There are basically 2 different types of programing languages:

■ Script languages. Applications written in a script language can
be easily developed with just a text editor. The script files can
be directly executed with the help of an interpreter program.
Examples of script languages are Perl, PHP, Python, and the
Shell scripting language.
■ Compiler languages. Applications written with this kind of
programing languages can also be created with a text editor, but
normally there is no interpreter software available.
Before the code can be executed, it needs to be converted into a
binary format that can be directly executed by the CPU. This
conversion is done by a special program called the compiler.
Examples of compiler languages include C, C++, and Fortran.

Version 1 Copying all or part of this manual, 7-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following are advantages and disadvantages of each

programing language type:

Language Type Advantage Disadvantage

Script language ■ Most script ■ The execution of
languages are scripts application is
relatively easy to rather slow.
learn.
■ It´s not possible to
■ The development do system
process in a script programing with
language is rather scripting languages.
fast. (such as operating
systems or device
■ Script programs can
drivers).
basically run on all
platforms where the
interpreter is
available, without
changing the
program code.

Compiler ■ The execution is ■ Compiler languages

language very fast compared can be pretty difficult
with scripting to learn.
languages.
■ The development
■ It is possible to do process takes
system programming usually longer.
(such as operating
■ The source code
systems or device
needs at least to be
drivers).
recompiled before it
can be executed on a
different platform.

The summary in this table is not complete. There are programming

languages like Java that are classified between the described programing
language types.

7-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

The Structure of a Simple C Program

The following is the source code of a simple C program:

#include <stdio.h>

int main(void)
{
char name[80];

printf("Please enter your name: ");

scanf("%s", name);

printf("Your name is: %s\n", name);

return(0);
}

This program prompts the user to enter his name, and then it prints
out Your name is: and the name the user has entered.

The following shows each line with a description:

#include <stdio.h>

This line is a preprocessor directive. Before the actual source code

is compiled into a binary file, the file is processed by the
preprocessor. In this example, the directive instructs the
preprocessor to include the file stdio.h.

A file such as stdio.h contains information about functions that are

used later in the program. This is a typical characteristic of C.
Every variable or function needs to be declared before it can be
used.

Files that contain function declarations are called header files and
their filenames typically end in .h.

Version 1 Copying all or part of this manual, 7-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

int main(void)

This line starts the main function of the program. This is the
function that is initially called when the program is started. A
program can consist of more functions, but is must have at least a
main function.

The function head normally has 3 parts:

■ First, the type of the return value is determined; in this case, int,
an integer.
■ This is followed by the function name. The main function
always has the name main.
■ Finally, the arguments of the function are listed in parentheses.
The keyword void means the function does not expect an
argument.
{

Every thing that belongs to a function is included in curly brackets.

This line starts the block of the main function.
char name[80];

This line declares a variable name. The type of the variable is char,
a variable type for a single character. In this example, since you
need to store more that just one character in the variable, declare 80
char variables [80].

This shows another characteristic of C. It is not enough to declare a

variable before you can use it, you need to specify the type of
variable. In the example above, it would not be possible to store
other data like integers in the variable.

Another important element is the semicolon at the end of the line.

Every declaration and every function call in C must end with a
semicolon.

7-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

printf("Please enter your name: ");

This line prints out the message Please enter your name:. It uses the
function printf for this purpose. This line also shows a typical
function call in C. The arguments are given in parentheses after the
function name.
scanf("%s", name);

In this line the function scanf is used to read the input of the user.
The function takes two arguments: a format string %s, which
determines the way the input should be handled by the function, and
the variable name, in which the input should be stored.
printf("Your name is: %s\n", name);

This line uses the function printf again, this time to print out the
entered name of the user. The function takes 2 arguments in this
case, the string Your name is: and the variable name, which holds
the name of the user.

The content of name is output at the position of the %s format

string, which acts like a placeholder in this case.
return(0);

This line uses the return function to return 0 as the value of the
function. Because this is the main function, it also determines the
return value of whole program.
}

This curly bracket closes the main function and the whole program.

The code of C programs should be saved in a file ending in .c. In

this example, the filename my_name.c is used.

Version 1 Copying all or part of this manual, 7-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

How to Compile a Simple C Program

To execute the previously described program, it needs to be

compiled into a binary file. For this you need a C compiler. The
standard C compiler in Linux is the gcc, the Gnu C Compiler.

To compile the simple example program, the compiler is invoked

with the following command:
gcc my_name.c -o my_name

First, the name of the file that contains the source code is passed to
gcc, followed by the -o option and the name of the output binary
file.

After the compilation has finished, the binary can be started like any
other command line program, as in the following:
./my_name
Please enter your name: Florian
Your name is: Florian

7-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Exercise 7-1: Compile a Simple C Program

In this exercise, you compile a simple C program by doing the

following:

As part of the SLES 9 installation exercise in Section 1, you already

installed the necessary packages for compiling C source (C/C++ Compiler
and Tool).

If you did not complete this successfully, use the YaST Install and Remove
Software module to install this software before starting the exercise.

Do the following:

1. Open a terminal window.

2. Insert the 3038 Course CD in the CD-ROM drive.

3. Copy the source code package of the example application to the

/tmp directory by entering the following:
cp /media/drive/exercises/section_7/my_name.c /tmp
(where drive is cdrom or dvd, depending on your installed
hardware)

4. Change to the directory /tmp/ by entering cd /tmp.

5. Compile the C source file by entering the following:

gcc my_name.c -o my_name

6. After the program compiles, start the program by entering the

following:
./my_name

7. Verify that the program works properly by entering a name.

8. Close the terminal window.

(End of Exercise)

Version 1 Copying all or part of this manual, 7-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 2 Understand the GNU Build Tool Chain

In most cases programs use more than one source code file. In order
to structure the source, developers tend to spread the code over
multiple files.

It would be very difficult to compile a program with multiple source

code files manually on the command line. Fortunately some tools
are available to manage the compilation process.

In this objective, you learn how to do the following to perform a

standard build process:
■ Use configure to Prepare the Build Process
■ Use make to Compile the Source Code
■ Use make install to Install the Compiled Program
■ Install the Required Packages for a Build Environment

Use configure to Prepare the Build Process

Before the actual compilation process can be started, you must

prepare the source code with a configure script. This needs to be
done for the following reasons:
■ Many applications can be compiled on different UNIX systems,
Linux distributions, and hardware platforms. To make this
possible, the build process needs to be prepared for the actual
environment.
■ The build process itself is controlled by a program called make.
The instructions for how to compile the different source files
are read from Makefiles. The configure script generates these
Makefiles depending on the system environment.
■ You can use configure to enable or disable certain features of an
application.

7-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

To run the configure script, you need to use the following command
at the top of the source directory:
./configure

To enable or disable certain features of an application, configure

takes additional arguments. The available arguments depend on the
application that will be compiled.

You can use the following command to list all available configure
options:
./configure --help

Use make to Compile the Source Code

You use the tool make to compile multiple source files in the correct
order. Make is controlled by Makefiles. Normally, these Makefiles
are generated by the configure script, but you can also create them
manually.

You can also use make to install and uninstall the program to or
from the right location on the hard disk.

The following is a simple Makefile that shows how make works:

# Makefile for my_name

all: my_name

my_name: my_name.c
gcc my_name.c -o my_name

install: my_name
install -m 755 my_name /usr/local/bin/my_name

uninstall: /usr/local/bin/my_name
rm -f /usr/local/bin/my_name

clean:
rm -f my_name

Version 1 Copying all or part of this manual, 7-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

This Makefile can perform the following tasks:

■ Compile the program from source
■ Install the program
■ Uninstall the program
■ Clean up the directory where the compilation is performed

Every Makefile consists of targets, dependencies, and commands

for the targets. Targets and dependencies are separated by a colon.
The commands must be placed under the target, indented with one
tab space. A # introduces comments.

If you execute the command make while you are in the respective
directory, the program make will search this directory for the files
GNUMakefile, Makefile, or makefile.

If make is executed without any parameters, the first target of a

Makefile is used. In the example above, this is all. This target is
associated with the target my_name, which specifies the step to
take: compile the file my_name.c with gcc.

The command make can also be used with individual targets. For
example, the command make install (as root) installs the binary file
at the specified location and make uninstall removes the binary file.

Even large software projects are created in the same way, but the
Makefiles are much more extensive and complex. If the software
will be compiled to a functional program on multiple architectures,
things are much more complicated.

For this reason, the Makefile is usually generated by the configure

script.

7-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Use make install to Install the Compiled Program

The last step when installing a program from source is to install the
binary file and additional files belonging to the application.

This step is usually done with make and an install target in the
corresponding Makefile.

You can perform the installation with the following command:

make install

This command must be entered b root at the top level of the source
directory.

Install the Required Packages for a Build Environment

A lot of different software packages are required to perform the

described build process. The easiest way to install all required
packages is to select the selection C/C++ Compiler and Tools in the
YaST package manager.

Version 1 Copying all or part of this manual, 7-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

To access the predefined selections, select Selections from the filter

drop-down list as shown in the following:

7-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Objective 3 Understand the Concept of Shared Libraries

Many tasks on a system are performed by more than one
application. For example, the opening and displaying of PNG image
files is performed by the web browser, the graphic program, and
other applications.

It would not make sense to implement the functionality of opening

PNG files again and again in every application. Therefore, program
functionality can be stored in shared libraries.

In the case of opening and displaying PNG files, the functionality is

provided by the shared library libpng.

Physically, a shared library is a file on the hard disk that is loaded

into the main memory when an application is started that requires
the functionality of the library.

The task of finding and loading the required libraries is performed

by the program ld.

The following illustrates how shared libraries work:

libpng

Both application use functions from libjpeg

Graphic-
Webbrowser
Program

Version 1 Copying all or part of this manual, 7-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Normally, a shared library has 2 basic parts:

■ The shared library file itself, which is loaded when a program
requires a function of the corresponding library. The filenames
for these files end in .so (shared object).
■ The header files of the library, which contain the functions
declaration of the library. The filenames of these files end in .h
(header file).

As described at the beginning of this section, the C programing

language requires that every function used in a program has to be
declared.

This means that the header files of a library need to be installed on a

system to compile software that uses functions of that library. To run
already compiled software, only the shared library files are
necessary.

Because the software that ships with SLES 9 is already compiled,

the header files of some libraries are not installed by default. These
libraries are split into two packages: the software packages that
contain the header files have the extension -devel attached to the
package name.

For example, the package libpng contains the shared library, and the
package libpng-devel contains the corresponding header files.

When you run the configure script, it sometimes prompts you about
missing libraries that should be installed on the system. If you install
the required packages with YaST, you have to make sure that you
select both the shared library and the corresponding devel package.

7-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Objective 4 Perform a Standard Build Process

In this objective, the program xpenguins is compiled and installed
from a source archive as an example of a standard build process.

The xpenguins program can be downloaded in a tar archive with the

name xpenguins-2.2.tar.gz.

Before you start the build process, you need to extract the tar
archive with the following command:
tar xzf xpenguins-2.2.tar.gz

Some tar archives end in .bz. In this case, the archive is compressed with
bzip and needs to be extracted with the options xjf.

After the archive is extracted, you need to change to the source

directory which has been created by entering the following:
cd xpenguins-2.2/

In the source directory, you need to run the configure script with the
following command:
./configure

The output looks like the following:

creating cache ./config.cache
checking for a BSD compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... yes
checking for working aclocal... found
checking for working autoconf... found
checking for working automake... found
checking for working autoheader... found
checking for working makeinfo... missing
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking for a BSD compatible install... /usr/bin/install -c

Version 1 Copying all or part of this manual, 7-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

checking how to run the C preprocessor... gcc -E

checking for X... libraries /usr/X11R6/lib, headers
/usr/X11R6/include
checking for dnet_ntoa in -ldnet... no
checking for dnet_ntoa in -ldnet_stub... no
checking for gethostbyname... yes
checking for connect... yes
checking for remove... yes
checking for shmat... yes
checking for IceConnectionNumber in -lICE... yes
checking for XpmReadFileToData in -lXpm... yes
checking for XpmFree in -lXpm... yes
checking for ANSI C header files... yes
checking for unistd.h... yes
checking whether time.h and sys/time.h may both be included... yes
checking return type of signal handlers... void
checking for select... yes
checking for strdup... yes
updating cache ./config.cache
creating ./config.status
creating Makefile
creating src/Makefile
creating themes/Makefile
creating themes/Penguins/Makefile
creating themes/Big_Penguins/Makefile
creating themes/Classic_Penguins/Makefile
creating themes/Turtles/Makefile
creating themes/Bill/Makefile
creating xpenguins.spec
creating config.h

In the last line of the output you can see that the Makefiles are
created.

If the configure script does not report any errors, you can start the
compilation process by entering the following:
make

7-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

The output of make for xpenguins looks like the following:

make all-recursive
make[1]: Entering directory `/tmp/xpenguins-2.2'
Making all in src
make[2]: Entering directory `/tmp/xpenguins-2.2/src'
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c main.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
xpenguins_config.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
xpenguins_core.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
xpenguins_theme.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
toon_associate.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_draw.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
toon_globals.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_query.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_set.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_core.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_end.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_init.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_root.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_signal.c
gcc -I/usr/X11R6/include -g -O2 -DPKGDATADIR=
""/usr/local/share/xpenguins"\" -o xpenguins main.o
xpenguins_config.o xpenguins_core.o xpenguins_theme.o
toon_associate.o toon_draw.o toon_globals.o toon_query.o
toon_set.o toon_core.o toon_end.o toon_init.o toon_root.o

Version 1 Copying all or part of this manual, 7-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

toon_signal.o -lXpm -lXpm -L/usr/X11R6/lib -lX11 -lXext

make[2]: Leaving directory `/tmp/xpenguins-2.2/src'
Making all in themes
[...]

The most important part in the output of make are the compiler calls
starting with:
gcc -DHAVE_CONFIG_H -I ...

When the compilation process has finished without any errors, you
can install the software by entering the following (as root):
make install

7-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Exercise 7-2: Compile Software from a Source Package

In this exercise, you do the following:

■ Part I: Compile a Source Package
■ Part II: Run the Application

Part I: Compile a Source Package

Do the following:

1. Insert the 3038 Course CD in your CD-ROM drive.

2. Copy the source code package of the example application to the

directory /tmp/ by entering the following (on one line):
cp /media/drive/exercises/section_7/xpenguins-2.2.tar.gz
/tmp

3. Change to the directory /tmp by entering cd /tmp.

4. Unpack the source archive by entering the following:

tar xzf xpenguins-2.2.tar.gz

5. Change to the source directory by entering cd xpenguins-2.2/.

6. Start the configure script by entering ./configure.

7. (Conditional) If the configure script displays an error message

indicating that the header files of the X Window system are not
installed, install the package XFree86-devel and with YaST and
run the configure script again before continuing.

8. When the configure script finishes, enter make.

9. When the make command finishes, su to root.

Version 1 Copying all or part of this manual, 7-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

10. Change to the source directory by entering the following:

cd /tmp/xpenguins-2.2/

11. Install the compiled application by entering make install.

12. Close the terminal window.

Part II: Run the Application

To run the application xpenguins, you need to make an adjustment

from the KDE Control Center that is not part of the standard build
process.

To make this adjustment and start the application, do the following:

1. From the KDE start menu, select Control Center.

2. From the left side of the Control Center, select

Desktop > Behavior.

3. Select the check box for Allow programs in desktop window;

then select Apply and close the Control Center.

4. Open a terminal window.

5. Start the application by entering the following:

/usr/local/bin/xpenguins
6. Stop the program by pressing Ctrl+C.

Have a lot of fun :-).

(End of Exercise)

7-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Summary
The following is the summary of the objectives.

Objective Summary
1. Understand the Basics of C There are basically 2 different
Programming programing language types:
■ Script languages. The source
code is executed by an
interpreter software.
■ Compiler languages. The
source code needs to be
converted into a binary file,
which can be directly executed
by the CPU.
The C and C++ programming
languages are the most important
compiler languages.
C has the following basic
characteristics:
■ A preprocessor processes the
source code before compiling.
■ Every program has at least a
main function.
■ Functions and variables need
to be declared before they can
be used in the code.
■ The declaration must include
the definition of variable types.
The name of C source files end
normally in .c.
The basic command to compile a
source file looks like the
following:
gcc <sfile.c> -o <bfile>

Version 1 Copying all or part of this manual, 7-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
2. Understand the GNU Build Tool The standard build process
Chain consists of the following steps:
■ The build process must be
prepared with the configure
script.
■ The make command is used to
compile the source code.
■ The make program is used
again to install the application.
The easiest way to install all
necessary software packages for
a build environment is to select
the C/C++ Compiler and Tools
selection in the YaST package
manager.
3. Understand the Concept of Shared libraries contain certain
Shared Libraries functions that are needed by
many programs.
These files are loaded when an
application needs a function from
the corresponding library.
A shared library consists of 2
basic parts:
■ The shared object
■ The header file
Some libraries are split into 2
software packages on SLES 9.
To run applications, you just need
the base library package. To
compile software, you also need
the header files in the package
with the extension -devel.

7-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Compile Software from Source

Objective Summary
4. Perform a Standard Build Process The following are the command
lines that are needed to build a
software from source, shown by
example of the xpenguins game:
tar xzf xpenguins-
2.2.tar.gz
This extracts the source archive.
cd xpenguins-2.2/
This changes to the source
directory.
./configure
This runs the configure script.
make
This starts the compilation
process.
make install
This installs the program.

Version 1 Copying all or part of this manual, 7-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

7-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

SECTION 8 Perform a Health Check and

Performance Tuning

In this section, you learn how to analyze performance on a SLES 9

system and what you can do to prevent these bottlenecks.

Objectives
1. Find Performance Bottlenecks
2. Reduce System and Memory Load
3. Optimize the Storage System
4. Tune the Network Performance

Version 1 Copying all or part of this manual, 8-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction

As with any system, sometimes the performance of a SLES 9

system is not sufficient.

Because of the complexity of today's IT systems and infrastructure,

performance bottlenecks are sometimes not easy to find. All
components interact with each other, and different kinds of server
types require different measures to improve system performance.

In this section, you learn about monitoring utilities that help you
find the component having performance problems.

You also learn some hints for solving performance problems.

Remember that the solutions for your problems need to be based on
the result of your performance analysis and depend on your system
type.

No matter what measures you choose, make sure that all changes
are well tested before you enable them on the actual production
system. Changes to the kernel parameters need to be tested very
carefully.

For more information about Linux performance tuning, go to

http://www.redbooks.ibm.com/abstracts/redp3862.html?Open.

8-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Objective 1 Find Performance Bottlenecks

If you need to tune system performance, it is usually because the
system is too slow. Before you make any changes, you need to
identify the bottleneck that is causing the performance problem.

Complaints from users or customers about a slow system are

normally of a general character and do not provide detailed
information about the cause of a problem.

Before you start to troubleshoot a system, you should ask for more
information to gain a better overview about the whole situation. The
following is a list of questions that can help you to find the
performance bottleneck:
■ What kind of server is affected? This includes information
about the hardware and the purpose of the server.
■ What are the exact symptoms of a problem? The more
information you have, the more likely you are to determine the
cause of a problem.
■ Does the problem occur at specific times of the day or the
week? For example, performance problems might occur in the
morning when people start to work or after lunch break when
people return to work.
■ When and how did the problem start? Did the problem occur
quickly or slowly over several days or months?
■ Who is experiencing the problems? Does just one person
have the problem, or is it a group of people who are using the
same file server?
■ Can the problem be reproduced? This can be very helpful
when you are analyzing the system.

Version 1 Copying all or part of this manual, 8-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

When you have gathered enough information, you can start to

analyze the system by doing the following;
■ Analyze Processes and Processor Utilization
■ Analyze Memory Utilization and Performance
■ Analyze Storage Performance
■ Analyze Network Utilization and Performance

Analyze Processes and Processor Utilization

When you have a performance problem, you should look at the

processor utilization first. If the processor is not fast enough to run
all of your applications at a reasonable speed, this is the bottleneck
you have to work on.

One way to measure processor utilization is the system load. The

load value can be displayed with various monitoring tools such as
top or uptime.

On a multiprocessing operating system like Linux, multiple

processes can run virtually simultaneously. Since one processor can
run only one process at a time, the Linux kernel splits the available
processing time of a CPU into short slices that are assigned to the
running processes.

To assign the CPU time, the kernel puts the running processes into a
queue. Depending on the priority of a process and the time since it
was executed last, the kernel decides which process should be
executed next.

The load value is basically the average number of waiting processes

in the process queue in a specific amount of time. Therefore
programs like top or uptime display load values for the last 1,5 and
15 minutes.

On a system with a single processor, an average load value of 1

means that the full processing capacity is used by applications and
the operating system.

8-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

If the value is lower than 1, some capacity is not used. If the average
value is higher than 1, the processor is not fast enough to handle all
currently running processes.

On a multiprocessor system, the load value can be higher. As a rule of

thumb, the load value should not be higher than the number of processors
installed in the system.

A process that is started on a system does not always require CPU

time. Depending on the kind of the process it is running, the CPU
spends quite a lot of time to waiting for I/O processes to be finished.
For example, an I/O process can be user input or data that is read
from or written to the hard disk.

During these times the processes are not waiting in the kernel's
process queue and do not influence the load value of a system. This
means that an application can be slow, but CPU time is not the
reason for it.

The following is a list of monitoring utilities that can be used to

display the current CPU utilization and the average load values:

Program Description
top Displays a sorted list of applications and the three
values for the average load values in the last 1, 5
and 15 minutes.
When you find that your system has a high load
value, top can also be very helpful to find out
which application is actually producing it.

uptime uptime can also be used to display the system

load in the last 1, 5, and 15 minutes.

mpstat On multiprocessor systems, mpstat can be used

to display the utilization of each installed
processor.

KDE System Guard KDE System Guard displays a graphical

representation of the system load.

Version 1 Copying all or part of this manual, 8-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Analyze Memory Utilization and Performance

Another bottleneck for system performance can be caused by

system memory. Applications have to be loaded into memory before
they can be executed by the CPU. The memory is also used by the
Linux kernel itself and for caching I/O operations like network or
storage access.

The memory is controlled by the Memory Management system of

the Linux kernel. Every application has to ask the kernel to allocate
memory, and every application is only allowed to write into its own
memory space.

There are 2 different kinds of memory available on a Linux system:

■ Physical memory. This is memory that is actually installed in
the system in the form of memory bars or chips. Access to this
kind of memory is usually very fast.
■ Swap memory. A Linux system should have access to at least
one swap partition. The space on this partition is used to free
parts of the physical memory by copying temporarily unused
memory pages. Access to swap memory is very slow compared
to physical memory.

You can view the utilization of the physical and the swap memory
with the free program, as in the following:
free

The output looks like the following:

total used free shared buffers cached
Mem: 516204 502080 14124 0 29356 154920
-/+ buffers/cache: 317804 198400
Swap: 1036152 143320 892832

The output contains a headline with 3 lines of information:

■ Mem. This line contains information about the physical
memory. It contains the following details:

8-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

■ total. This entry displays the total amount of available

physical memory in KBs. The number is lower than the
installed physical memory, since the kernel itself uses a
small part of the memory.
■ used. This entry displays the the amount of memory that is
used for applications cached data.
■ free. This entry displays the memory that is not used and
available at the moment.
■ Shared/buffers/cached. These columns display more
detailed information about how the memory is used.
■ -/+ buffers/cache. Some of the memory on a Linux system is
used to cache data for applications or devices. Parts of this
memory can be freed when it is needed for other purposes.
The free column displays the buffer adjusted line, which shows
the memory that would be used and available if the buffer and
the cache were freed.
■ Swap. This line shows informations about the utilization of the
swap memory. The information includes the amount of total,
used and free available memory.

As accessing the hard disk is much slower than accessing physical

memory, the performance of the whole system is affected when a lot
of swap space has to be used.

Usually this happens when there is not enough physical memory to

perform the desired functionality of a system. It can also happen if
an application requests much more memory than it actually needs.

This can happen when the application crashes. It can also happen
during normal operation, when the implementation of the program
is faulty. In this case, the application has a memory leak.

Version 1 Copying all or part of this manual, 8-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

You can use the top command to find programs that use a lot of
memory. By default, top sorts the process list by CPU utilization.
By pressing F, then n and then the Enter key, you can change the
sorting column memory utilization. This way the top memory
consumers can be found at the top of the list.

If a lot of used swap memory is displayed in free, this can indicate

a performance bottleneck caused by a lack of physical memory but
is not always the case. Sometimes a lot of memory is copied to the
swap partition but is never touched again. The performance of the
system is only affected when the swap memory is actually accessed.

You can use the command vmstat to display the activity of swap
memory, as in the following:
vmstat 1

The option 1 lets vmstat repeat its output every second. This way
the usage of swap memory can be displayed over a period of time.
You can terminate the program pressing Ctrl+C.

The output of vmstat looks like the following:

procs --------memory---------- -swap- --io-- -system- ----cpu----
r b swpd free buff cache si so bi bo in cs us sy id wa
0 0 4 6728 34464 244744 0 0 447 42 1216 384 15 3 74 7
0 0 4 6728 34464 244744 0 0 0 0 1186 222 1 1 98 0
0 0 4 6760 34464 244744 0 0 0 0 1282 299 3 0 97 0
0 0 4 6696 34532 244744 0 0 0 68 1139 147 1 1 97 1
0 0 4 6696 34532 244744 0 0 0 0 1105 123 0 0 98 0
0 0 4 6696 34532 244744 0 0 0 0 1117 131 0 0 98 0

The output the columns si and so are of interest in this case. si

stands for swap in, which means that data is copied to the swap
memory. so for swap out, which means that data is copied back into
the physical memory. In the example above, there is no activity for
the swap memory.

The first line of the output displays the average values since the
system was started. The lines that follow show the average values
since the last output.

8-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

The following output of vmstat is captured on a different system

which ran out of memory and shows a lot of activity in swap
memory:
procs --------memory-------- -- -swap- --io-- -system- ---------cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa
0 3 167880 608 4592 93400 340 188 2588 196 1223 1315 7 3 0 90
1 3 169316 1072 4044 90352 300 1768 5968 1868 1233 1222 36 5 0 59
1 2 170268 2520 4088 89416 288 1104 1388 1224 1260 442 23 2 0 75
0 3 170652 1484 4020 90136 364 668 1844 808 1260 1142 12 3 0 85
0 4 171380 1848 3544 92424 100 868 4400 940 2491 2458 11 8 0 81
0 5 171576 1352 3504 91984 552 388 1592 388 1248 1195 15 3 0 82

In this example, there is much more activity in the si and so

columns than before. The number displayed represents the amount
of memory that is copied to or from swap memory.

A system that shows a constant vmstat output like this has a

performance bottleneck caused by a lack of physical memory.

The following are commands you can use to display memory

utilization:

Program Description
free Displays the current utilization of the physical and
swap memory.

vmstat Monitors the activity of swap memory and can

also be used to display other system parameters.

KDE System Guard Offers the capability to display memory usage.

Choose the signal plotter visualization to follow
the memory usage over a period of time.

Analyze Storage Performance

The performance of the storage system can be an issue, especially

on systems that face heavy hard disk utilization like ftp, web, or
other kinds of file servers.

Version 1 Copying all or part of this manual, 8-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Before you analyze the hard disk performance and utilization, you
should make sure that you don´t have any problems with a too-high
system load or a lack of physical memory.

A system where the performance problems are caused by the disk

subsystem usually shows a relatively low network and CPU
utilization but a high activity of the installed disks that is not caused
by memory paging or swapping.

In this case, you can use the command vmstat to display the activity
of the disk subsystem. You start vmstat by entering the following:
vmstat 1

The program should be started on the system when the performance

problem occurs. The following is the output of a system with almost
no disk operations:
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
r b swpd free buff cache si so bi bo in cs us sy id wa
0 0 4 6728 34464 244744 0 0 447 42 1216 384 15 3 74 7
0 0 4 6728 34464 244744 0 0 0 0 1186 222 1 1 98 0
0 0 4 6760 34464 244744 0 0 0 0 1282 299 3 0 97 0
0 0 4 6696 34532 244744 0 0 0 68 1139 147 1 1 97 1
0 0 4 6696 34532 244744 0 0 0 0 1105 123 0 0 100 0
0 0 4 6696 34532 244744 0 0 0 0 1117 131 0 0 100 0

In this example, the columns of interest are bi and bo. They display
the number of blocks that are read from (bi) or written to (bo) the
disk subsystem.

The following shows a system with a high utilization of the disk

subsystem:
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
r b swpd free buff cache si so bi bo in cs us sy id wa
1 2 52 5680 6100 221688 0 0 0 36160 1273 1655 42 58 0 0
0 3 304 6896 1232 225672 0 256 4 22160 1586 1127 31 40 0 28
1 2 304 5936 1252 226540 0 0 0 28400 1487 460 15 23 0 62
1 0 304 7792 1276 224404 0 0 0 43328 1342 408 20 29 0 51
1 2 304 6256 1624 224648 0 0 0 88260 1205 439 24 42 0 35
0 2 476 6648 1672 224112 0 172 4 45452 1149 8015 29 54 0 17
0 2 476 7672 1720 223184 0 0 8 36940 1168 8310 23 44 0 33

8-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

As you can see in this column, the system has to deal with a lot of
writing activity to the disk subsystem.

However, a lot of data read from or written to the disk does not
necessarily mean that the disk subsystem is too slow. Depending on
the available disk types and the disk configuration, a disk load that
totally blocks one system can be easily handled by another system.

A performance problem that is caused by the disk subsystem

usually occurs when a process has to wait for data being delivered
from or written to the disk.

You can use the command iostat to determine the average time a
program has to wait for data from the disk.

The iostat command is not part of the SLES 9 default installation. You
need to install the package sysstat to use it.

The following command displays information about the disk device

/dev/hda:
iostat -x 1 /dev/hda

The option -x enables the output of some additional information. 1

sets the interval in which iostat repeats its output to 1 second. The
device name specifies the disk that should be monitored. If no disk
is specified on the command line, all disks that are used by the
system are monitored.

The output of iostat looks like the following:

avg-cpu: %user %nice %sys %iowait %idle

8.08 0.04 1.73 1.70 88.45

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 3.18 17.90 3.37 1.32 146.73 153.78 73.36 76.89 64.11 0.25 53.50 4.57 2.14

avg-cpu: %user %nice %sys %iowait %idle

4.90 0.00 0.98 0.00 94.12

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Version 1 Copying all or part of this manual, 8-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

avg-cpu: %user %nice %sys %iowait %idle

5.05 0.00 0.00 0.00 94.95

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Every output contains two blocks of information. The first block

displays information of the CPU utilization, like top or uptime. The
second block shows the information about the requested disk
device.

The first output represents the average values since the system was
started. All following lines show the average values since the last
update period.

The block that displays the device information shows first some
details about the amount of data that is read from or written to the
device. To find out if the disk subsystem has a performance
bottleneck, focus on the following 2 columns:
■ await. This column displays the average time in milliseconds
an application has to wait till its I/O request is performed.
■ svctm. This column displays the average time in milliseconds
that an I/O request needs to be performed.

As you can see in the output above, the concerned system is not
really busy. The average await time since the system was booted is
53.50 milliseconds and the average svctm time is 2.14 milliseconds.

As you can see in the following lines, the current disk utilization is
even far below the average with await and svctm times of 0
milliseconds.

8-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Compare this with the following output of a system with a higher

I/O load:
avg-cpu: %user %nice %sys %iowait %idle

26,00 0,00 45,00 29,00 0,00

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 0,00 9198,00 4,00 39,00 32,00 73872,00 16,00 36936,00 1718,70 103,83 1430,33 23,28 100,10

avg-cpu: %user %nice %sys %iowait %idle

20,79 0,00 39,60 39,60 0,00

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 0,00 9105,94 0,00 44,55 0,00 73140,59 0,00 36570,30 1641,60 99,97 2441,89 22,24 99,11

avg-cpu: %user %nice %sys %iowait %idle

26,26 0,00 45,45 28,28 0,00

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 0,00 10313,13 0,00 41,41 0,00 82828,28 0,00 41414,14 2000,00 93,90 2529,10 24,41 101,11

avg-cpu: %user %nice %sys %iowait %idle

24,00 0,00 48,00 28,00 0,00

Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util

hda 0,00 9293,00 0,00 41,00 0,00 74640,00 0,00 37320,00 1820,49 92,70 2447,00 24,41 100,10

As you can see, the average await time on this system far beyond
2000 milliseconds, and the svctm time is much higher than before.
Such a system cannot fulfill the requested I/O operation at an
adequate speed.

The following is an overview of commands that you can use to

analyze disk utilization:

Program Description
vmstat Monitors the amount of data that is read from or
written to disk.

iostat Displays how long I/O requests from applications

take.

Version 1 Copying all or part of this manual, 8-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Analyze Network Utilization and Performance

On server systems, the network connection can be a performance

bottleneck. There are many different parameters that can interfere
with the network connection.

You can monitor these parameters with KDE System Guard. To start
KDE System guard from the KDE start menu, select
System > Monitor > KDE System Guard.

On the left side of the window, you can browse the available
monitoring sensors. Browse to Network > Interfaces >
Interface_you_want_to_monitor.

Two different blocks of sensors available:

■ Receiver. These sensors display information about the received
network data.
■ Transmitter. These sensors display information about the sent
network data.

The following describes some of the available sensors you can use
to analyze network problems:

Sensor Description
Data/Packets The amount of data or packets sent or received by
the interface. If performance problems occur
during a high network load, the network
connection or type might be too slow for the
purpose of the server.

Collisions This sensor is only available for the transmitter.

Collisions usually occur more frequently when too
many hosts share the same Ethernet domain
(such as hosts that are connected with a hub and
instead of a switch). Too many collisions can have
a negative impact on the overall network
performance.

8-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Sensor Description
Dropped Packets This sensor displays the number of packets that
are either dropped when they are received by the
host or by other network components like routers
on their way to the destination.
Too many dropped packets can have a bad
influence on the network performance. The
following are some reasons for dropped packets:
■ Network components are running at a
different speed. For example, the server runs
at 100 Mbps, but the router at only 10 Mbps.
■ The network or system load of a server is too
high to handle all received network packets
properly.
■ A network component runs with a
misconfigured packet filter that drops network
packets.

Errors An error occurs when a packet is transmitted but

the content of the packet is corrupted. This can be
caused by a bad physical connection or faulty
network adapters.

There is also protocol specific information under Network >

Sockets.

Besides problems that are caused by the network or network setup

itself, some network services can interfere the overall system
performance. These network services might not even be running on
the same host that actually experiences performance problems.

The following are 3 examples of this:

■ DNS. Many applications or services rely on the name resolution
of the DNS system. If a DNS server is not working properly, the
application is waiting for the response, which slows down its
operation.

Version 1 Copying all or part of this manual, 8-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Proxy. Applications that connect to a service using a proxy

server suffer from bad performance of this system.
■ NFS. Applications or services that access data that is mounted
using NFS can be blocked completely if the NFS service is not
available.

The following are tools that you can use to monitor the network:

Program Description
KDE System Guard Displays network utilization and different kinds
of transmission errors.
Traffic-vis Analyzes network connections to specific
hosts. You need to install the package traffic-
vis in order to use this tool.
ip Displays the status of an interface as well as
transmission errors.

8-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Exercise 8-1: Analyze System Performance

In this exercise, you analyze system performance by doing the

following:
■ Part I: Analyze Processor Utilization
■ Part II: Analyze Memory Utilization
■ Part III: Analyze Hard Disk Utilization
■ Part IV: Analyze Network Utilization

Part I: Analyze Processor Utilization

Do the following:

1. Make sure, that you have installed the software selection

C/C++ Compiler and Tools as well as the package
kernel-source.
If these packages are not installed, install them with the YaST
software installer.

2. Open a terminal window.

3. Enter top.

Watch the information about the system load and the process
list for a few moments.

4. Open a second terminal window and su to root.

5. Enter the following commands:

cd /usr/src/linux
make cloneconfig

If the directory /usr/src/linux does not exist, you need to install the
package kernel-source.

Version 1 Copying all or part of this manual, 8-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

6. When the second command finishes, start a Linux kernel

compilation by entering make bzImage.

The compilation generates a high load on the system:

7. From the first terminal window, watch the load numbers.

Notice that the load values are constantly rising. The 3 values
differ as they display the average of three different periods of
time.

8. Wait until the load average value has reached 1; then quit the
compilation process in the second terminal window by pressing
Ctrl+C.

9. In the second terminal window, restore the initial state by

entering make clean.

10. From the first terminal window, watch the load values for a few
moments.

Notice that the values decrease.

11. End the top program by typing q.

Part II: Analyze Memory Utilization

Do the following:

1. In the first terminal window, enter vmstat 1.

2. Watch the vmstat output for a few moments, especially the

columns si (swap in) and so (swap out).

3. In the second terminal window, enter make -j bzImage.

4. In the first terminal window, watch the so and si columns.

Notice that the command make utilizes a lot of memory. As a

result, after a few minutes the system starts using swap memory.

8-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

5. In the second terminal window, stop the make process by

pressing Ctrl+C.

6. In the first terminal window, watch as the swap activity

declines.

7. Terminate the command vmstat by pressing Ctrl+C.

8. In the second terminal window, enter make clean.

Part III: Analyze Hard Disk Utilization

Do the following:

1. Using the YaST package manager, install the package sysstat.

2. In the first terminal window, enter the following:

iostat -x 2 /dev/hda
If your root partition is on a different device than hda (such as
hdc), adjust the command accordingly.

3. Watch the output of iostat for a while, particularly the columns

await and svctm.

4. In the second terminal window, enter make -j bzImage.

5. Watch the iostat values in the columns await and svctm.

Notice that both values are rising due to high disk utilization
caused by the command make.

6. In the second terminal window, stop the command make by

pressing Ctrl+C.

7. Watch how the await and svctm times decrease again.

8. End iostat by pressing Ctrl+C.

9. In the second terminal window, enter make clean.

Version 1 Copying all or part of this manual, 8-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

10. Close both terminal windows.

Part IV: Analyze Network Utilization

Do the following:

1. From the KDE start menu, select System > Monitor > KDE
System Guard.

2. From the menu bar, select File > New.

3. Enter a title of Network.

4. Select 2 rows and 1 columns.

5. Select OK.

6. On the left side of the KDE System Guard window, browse to

Network > Interfaces > eth0.

7. Open Receiver and Transmitter.

8. Drag the Packets sensor from the Receiver and drop it in the
upper part of the Network worksheet.

9. For the display mode, select Signal Plotter.

10. Drag the Packets sensor from the Transmitter and drop it in the
lower part of the Network worksheet.

11. For the display mode, select Signal Plotter.

12. Watch the network activity for a few moments.

13. Open a terminal window and su to root.

14. Wait until a partner has reached this step of the exercise.

15. Produce some network load with the system of your partner by
entering the following:

8-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

ping -f partner_ip_address

16. Watch the network load rise in the receiver and the transmitter.

17. Terminate the ping command by pressing Ctrl+C.

18. Close the terminal window.

19. Watch how the network goes down again.

20. Close the KDE System Guard window.

(End of Exercise)

Version 1 Copying all or part of this manual, 8-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 2 Reduce System and Memory Load

If you have determined that your performance problem is caused by
a high system load, you do the following to reduce the load:
■ Analyze CPU Intensive Applications
■ Run Only Required Software
■ Keep Your Software Up to Date
■ Optimize Swap Partitions
■ Change Hardware Components

Analyze CPU Intensive Applications

A high system and memory load is often caused by single

application. You can use the top utility to find out which process
uses the most resources on your system.

Sometimes a process uses a lot of system resources because of a

faulty implementation. Usually you can determine this by restarting
the process. If the process does not use the same amount of
resources after it has been restarted, a likely cause is a faulty
implementation.

In this case, you should try to get more information about the issue
by searching the Internet and the web site of the vendor or the
OpenSource project.

If the process starts to utilize the same amount of system resources

after it has been restarted, the system is probably not fast enough to
run the process. Refer to “Run Only Required Software” below for
details on how to solve this issue.

8-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Run Only Required Software

The easiest but most effective way to reduce the system load is to
run only the software that is required to fulfill the purpose of a
system. This includes the following methods:
■ Run a Server System Without X
■ Reduce the Number of Daemon Processes

Run a Server System without X

Usually, it's not necessary to run an X-Server on a server system.

Most administrative tasks including those done in YaST can be done
on the text console or remotely with SSH or SUSE LINUX Remote
Administration.

Preventing the X-Server from being started saves memory and CPU
utilization. To do so, you can switch to runlevel 3 manually by
entering the following:
init 3

You can also set the default runlevel to 3 to boot the system to
runlevel 3 automatically.

To change the default runlevel, you need to open the following file
with a text editor:
/etc/inittab

In the file, look for a line like the following:

id:5:initdefault:

By changing 5 to 3, you can change the default runlevel from 5

(multiuser, network, graphical login) to 3 (multiuser, network).

After the change, the line looks like the following:

id:3:initdefault:

Version 1 Copying all or part of this manual, 8-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Reduce the Number of Daemon Processes

In most cases, a server offers only a few services but a lot more
daemons are actually running. By reducing the number of running
daemon processes, you can reduce the processor and the memory
load.

To get an overview of the current service configuration, you can use

the chkconfig command, as in the following:
chkconfig -l

The -l option lists all services and their configuration in each

runlevel. For example, the following is the output of the Apache
web server:
apache2 0:off 1:off 2:off 3:on 4:off 5:on 6:off

As you can see, apache2 is enabled for runlevels 3 and 5.

Review the list and make sure that the only services that are running
are those needed in the default runlevel of your server. If you find a
service that is not necessary, you can prevent it from starting up at
boot time by removing its startscript from the init process.

Use a command like the following to remove a service from the init
process:
chkconfig apache2 off

In this example, apache2 is disabled in all runlevels. To re-enable a

service, use a command like the following:
chkconfig apache2 3

In this example, apache2 is enabled in runlevel 3.

Changing the runlevel configuration does not affect the currently

running instance of a service. If you don´t want to reboot your
system with the new configuration, you need to stop a running
service by calling its rc script manually.

8-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

The command in the following example stops a running instance of

apache2:
rcapache2 stop

Keep Your Software Up to Date

There are many reasons to keep your software up to date. Beside

possible security issues caused by outdated software, up to date
software can improve performance.

Implementation errors that lead to a high utilization of system

resources might be fixed in a newer release. And newer, faster
algorithms might be used.

However, there might be exceptions to the rule. For this reason, you
should test new releases carefully before using them in a production
environment.

Optimize Swap Partitions

On a system with a lot of swapping, you should usually add more

main memory to enhance the performance. However, you can't do
so, optimizing the swap partitions can help.

First, you should make sure that you have enough available swap
space. The old rule–that you should have double the size of the
physical memory as swap space–is a bit outdated but still a
reasonable starting point.

The key to speeding up the swap space is to spread it over several

disks. This works only on systems that have more than one installed
disk.

Version 1 Copying all or part of this manual, 8-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Every swap partition has an entry in the file /etc/fstab that looks like
the following:
/dev/hda1 swap swap 0 0

You can use more than one swap partition by creating partitions and
adding these to /etc/fstab, as in the following:
/dev/hda1 swap swap pri=1 0 0
/dev/hdb1 swap swap pri=1 0 0
/dev/hdc1 swap swap pri=1 0 0

In this example, 3 partitions are used on 3 different disks. The

additional parameter pri=1 assigns the same priority to all swap
partitions. With a priority 1 assigned to all swap partitions, the
kernel can use the partitions in parallel. This leads to a higher
overall performance of swapping operations.

The drives that hold swap partitions should run at the same speed.

Change Hardware Components

If the above methods to reduce the system load do not lead to a

lower resource utilization, you should consider upgrading the
following hardware:
■ Upgrade the CPU
■ Upgrade the Memory

Upgrade the CPU

If your system shows a high system load but all other parameters
like memory, network and storage load or utilization are not
significantly high, you should consider upgrading the CPU.

8-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

However, you need to consider the following before upgrading the

CPU:
■ Are there significantly faster CPUs available for the type of
system you are using (socket type, BIOS support)?
■ Are the rest of the system components fast enough for the new
CPU? Otherwise, you could work on one bottleneck and create
a new one.
■ Is the system going to be replaced in the near future?
■ Are other, faster systems available in your organization that
could be used instead of the current system?

Depending on the answers to these questions, you might decide to

replace the whole system instead of just the CPU. In some cases,
this might be even more economical in the long run than just a CPU
upgrade.

Upgrade the Memory

Upgrading the memory usually means installing more physical

memory. The first question you might ask is how much additional
memory you should install.

A way to answer this question is to look at the amount of swap

space that is used by the system when the performance problems
occur. Adding double the amount of used swap space might be a
good starting point.

However, you should also compare the cost of a memory upgrade

with the cost of installing a new system.

Remember that if you add additional physical memory, you should

also add additional swap space. However, in most cases, more than
1 GB of swap space does not increase performance significantly.

Version 1 Copying all or part of this manual, 8-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 8-2: Reduce Resource Utilization

Do the following:

1. Log out of the KDE desktop environment and reboot your

system.

2. When the KDM login appears, change to a text console by

pressing Ctrl+Alt+F2.

3. Login as root.

4. Enter free.

Notice the amount of free physical memory.

5. Open the file /etc/inittab with the vi editor:

6. Look for the line id:5:initdefault: and change it to the

following:
id:3:initdefault:

7. Save and close the file.

8. Reboot your system by entering reboot.

The system boots to runlevel 3.

9. Log in as root; then enter free.

10. Compare the amount of free physical memory with the number
you noted earlier.

Notice that runlevel 3 uses less memory than runlevel 5.

The success of this depends on the amount of free memory you have
available on your hardware.

11. Switch to runlevel 5 by entering init 5.

8-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

12. Edit the line id:3:initdefault: in /etc/inittab to change the default

runlevel back to 5.

13. Save the file and close the editor.

(End of Exercise)

Version 1 Copying all or part of this manual, 8-29

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 3 Optimize the Storage System

There are many different ways to optimize the performance of your
storage systems, including the following:
■ Configure IDE Drives with hdparm
■ Tune Kernel Parameters
■ Tune File System Access
■ Change Hardware Components

Configure IDE Drives with hdparm

You can use the tool hdparm to tune some settings of IDE hard
drives. Entering the following command displays the current
settings of a drive:
hdparm -i /dev/hda

In this example, the settings of the device hda are listed.

The most important setting you can change with hdparm is DMA
(direct memory access). With DMA, data from a disk can be written
directly to the main memory of a system without CPU utilization.
This enhances performance in 2 ways:
■ The transfer itself is much faster than with disabled DMA.
■ The CPU is not utilized and can be used for other tasks.

By default, DMA should be enabled for IDE hard disks. However, if

you experience a weak disk performance, you should check the
settings. DMA can also be enabled for CD/DVD drives, which
increases performance, especially for large data transfers.

You can use following command to check the current status of the
DMA configuration:
hdparm -d /dev/hda

8-30 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

In this example, the DMA settings for the device hda are checked,
with an output similar to the following:
/dev/hda:
using_dma = 1 (on)

In this example, DMA is enabled for the device hda; otherwise, the
variable using_dma would have the value 0.

You can enable DMA with a command such as the following:

hdparm -d 1 /dev/hda

In this example, DMA is enabled for the device hda.

With hdparm, you can also use command line options that affect a
drive's performance. The following lists the most important options:

Parameter Description
-c 1 Enables 32-bit transfers of disk data over the
PCI bus.
-u1 A setting of 1 permits the driver to unmask
other interrupts during processing of a disk
interrupt, which greatly improves Linux's
responsiveness and eliminates serial port
overrun errors.
-X <value> Configures the drive to use a specific transfer
mode.
-A 1 Enables read-ahead, which increases
performance when dealing with large,
sequential file operations.

Before you change any settings with hdparm, you should make sure that
important files on your system are saved and backed up. Improper settings
can lead to system crashes or data loss. For more information, see man
hdparm.

Version 1 Copying all or part of this manual, 8-31

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

hdparm also provides an option to measure the transfer performance

of a hard disk, as in the following command for the device hda:.
hdparm -t /dev/hda

The output for this command might look like the following:
/dev/hda:
Timing buffered disk reads: 156 MB in 3.01 seconds
= 51.75 MB/sec

In this example, the disk offers a sequential transfer rate of 51.75

Mbps. To achieve valid results, you should repeat the test several
time and compare the results. In general, the test should be run at a
low system and storage load.

All changes that are made with hdparm are active only until the next
reboot. To make sure hdparm commands are executed every time
the system boots, you can add them to the file /etc/init.d/boot.local.

Tune Kernel Parameters

The components of the Linux kernel that are responsible for hard
disk access offer some parameters that can be changed at runtime.

None of these parameters are saved permanently. If you want to set

them every time the system starts up, you can enter a command to
set a parameter in the file /etc/init.d/boot.local.

Tunable parameters let you do the following:

■ Tune the IO Scheduler
■ Change the Read Ahead Parameter
■ Change the Swappiness Parameter

8-32 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Tune the IO Scheduler

Because Linux is a multitasking operating system, more than one

process at a time might need to access the hard disk.

For this reason, the Linux kernel contains a component called the
I/O Scheduler. This scheduler collects requests from the processes
and hands them over to the hardware driver that is responsible for
the drive.

The SLES 9 I/O Scheduler has one parameter that you can used to
tune the I/O performance. The parameter is stored in the file /
sys/block/device/queue/iosched/quantum

The parameter determines how many I/O requests are stored in a

queue before they are handed over to the driver. By queuing the
requests, the scheduler can optimize the order of the requests.

When you use this parameter, there is a tradeoff between data

throughput and latency. Use the following rule:
■ Lower value = Shorter latency but lower data throughput
■ Higher value = Longer latency but higher data throughput

The default value for SLES 9 is 4 requests.

You can set the value of the parameter with a command similar to
the following:
echo 6 > /sys/block/hda/queue/iosched/quantum

When you change the value, you should always benchmark your
application to measure the success of the change.

Changes to the I/O Scheduler parameters might not lead to

performance enhancements on general purpose servers. However,
on systems with a high disk utilization like database servers, it can
be useful to experiment with theses settings.

Version 1 Copying all or part of this manual, 8-33

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Change the Read Ahead Parameter

Another kernel parameter lets you determine how much data should
be used for the read-ahead. Read-ahead basically means that more
data from a file is read than requested by an application.

This is done because an application usually wants to read all data

from a file, not just the data at the beginning. You can set the read-
ahead parameter in the file /sys/block/device/queue/read_ahead_kb.

The value determines how much data (in KB) is read ahead from
file. The default value on SLES 9 is 128 KB. Larger values can lead
to a better overall throughput with the drawback of a higher latency.

You can set the value with the following command:

echo 256 > /sys/block/device/queue/read_ahead_kb

Change the Swappiness Parameter

The swappiness parameter affects both the memory and the I/O
performance. It basically determines when a system starts to swap
out data to the disk, and can be set in the file
/proc/sys/vm/swappiness.

You can set the parameter value from 0 and 100. The higher the
value, the more the system will swap. The default value for SLES 9
is 60.

You can set the parameter with a command like the following:
echo 40 > /proc/sys/vm/swappiness

The parameter determines how much you value the page cache over
program memory.

8-34 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Tune File System Access

To achieve a performance advantage for an application, you can

control the way the kernel accesses the file system by doing the
following:
■ Disable atime Update
■ Implement File System Dependent Tuning Options

Disable atime Update

For every file Linux stores the following information:

■ When was the file created. (ctime)
■ When was the file modified the last time. (mtime)
■ When was the file accessed the last time. (atime)

To keep the atime information up to date, the kernel needs to update

the atime attribute every time a file is accessed. Updating the atime
means that the kernel needs to perform a write process, which
causes additional load for the hard disk.

If the atime attribute is not important to you, you can mount a data
partition with the noatime option. The following shows an fstab
entry for the partition /dev/hda2 that uses the noatime option:
/dev/hda2 /data reiserfs noatime 0 0

Implement File System Dependent Tuning Options

Beside the general disk tuning options, you can also configure the
file system to
■ Mount a Reiser File System With the notail Option
■ Configure the Journaling Mode of Ext3

Version 1 Copying all or part of this manual, 8-35

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Mount a Reiser File System With the notail Option

On traditional UNIX files systems, small files or the rest of a big

file (the tail) are use a full block of the file system although they are
don´t really fill the block.

Reiserfs can store this data much more efficiently in the file system
internal structure. However, this costs some performance. You can
use the mount option notail to disable this feature. The drawback is
a less space-efficient data storage.

You can use the notail option either with the -o option of mount or
in the /etc/fstab file, as in the following:
/dev/hda2 /data reiserfs notail 0 0

Configure the Journaling Mode of Ext3

The ext3 file system offers journaling functionality. In journaling,

every file system transaction is logged in a special area of a
partition, called the journal. The data in the journal helps to restore
a consistent file system in case of a system crash or a power failure.

The ext3 file system offers 3 journaling modes that also affect the
disk performance:
■ data=journal. If you use this mode, the data of a transaction
and the file metadata are logged in the journal. This is the most
secure option for data security.
■ data=ordered. When an ext3 file system is mounted with this
option, only the file metadata is stored in the journal. However,
it forces the file data to be written to disk before the metadata.
This option is a good compromise between speed and
reliability, and is the default for SLES 9.
■ data=writeback. This is the fastest journaling option. Metadata
is logged to the journal, but file data is not treated in a special
way. However, you still have the advantages of a journaling file
system when a crash or a power failure occurs.

8-36 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

You can use these options with the -o option of the mount
command, or them to the /etc/fstab, as in the following:
/dev/hda2 /data ext3 data=writeback 0 0

Change Hardware Components

If all of the above mentioned options do not improve disk

performance, you might need to consider upgrading your hardware.

From a performance perspective, a true SCSI hardware RAID

system might be the best choice. But upgrading to a newer IDE or
SCSI disk can produce some of the same results.

However, you have to compare the costs and the estimated

advantages of an upgrade with the purchase of a new system. A
hardware upgrade has always the risk of creating a new
performance bottleneck somewhere else in the system.

Version 1 Copying all or part of this manual, 8-37

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 8-3: Tune an IDE Hard Drive With hdparm

In this exercise, you tune your IDE hard drive. It is assumed that the
IDE hard disk is /dev/hda. If your IDE hard disk is connected
differently (such as hdc), use the correct device name in the
following steps.

Do the following:

1. Open a terminal window and su to root.

2. Make sure that the DMA mode is activated by entering the

following command:
hdparm -d 1 /dev/hda

3. Run a performance test by entering the following:

hdparm -t /dev/hda

Notice the data throughput in MB/sec.

4. Disable the DMA mode by entering the following:

hdparm -d 0 /dev/hda

5. Run the performance test again by entering the following:

hdparm -t /dev/hda

Compare the result with the DMA enabled throughput.

6. Re-enable DMA by entering the following:

hdparm -d 1 /dev/hda

(End of Exercise)

8-38 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Objective 4 Tune the Network Performance

There are several different approaches to tuning the network
performance of your Linux system. Because of the nature of
networks, this sometimes includes not only your system but the
whole network infrastructure.

The following are 2 ways you can tune network performance:

■ Change Kernel Network Parameters
■ Change Your Network Environment

Change Kernel Network Parameters

The Linux kernel lets you change some network parameters during
runtime. This makes sense on systems that have to deal with a lot of
parallel connections (such as web servers).

The parameters can be set with the sysctl command. To use this
command, you have to be the root user, because changing kernel
parameters is not permitted for normal users.

The most important command line parameter of sysctl is -w. With

this option, you can write a value into a kernel configuration
parameter.

You can also access the kernel parameters from the proc file system,
which is mounted under /proc. You change the parameters by
writing them into the corresponding files in the /proc directory.

Version 1 Copying all or part of this manual, 8-39

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following lists several sysctl commands and their effect on

network performance:

sysctl command Effect

sysctl -w net.ipv4.tcp_tw_reuse=1 When a TCP connection
sysctl -w net.ipv4.tcp_tw_recycle=1 has been closed, the
corresponding socket stays
in the TIME-WAIT status for
a while.
Setting these 2 parameters,
enables the reuse of these
sockets for new connections.
On a system with many TCP
connections, this can reduce
the number of open
connections and the
utilization of system
resources.
sysctl -w net.ipv4.tcp_keepalive_time=900 TCP connections are usually
kept alive for a specific
amount of time. After this
time period, a system probes
to see if the connection
partner is still reachable. If
not, the connection is closed
and the used resources are
freed.
The default time for SLES 9
is 1800 seconds. By
reducing this time, you can
reduce the number of
opened but unused
connections.

8-40 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Change Your Network Environment

Because networking involves more than one system, you should

consider which changes to other hosts or your network
infrastructure can improve the network performance.

The following are some suggestions for improving network

performance:
■ Monitor all other system components. Before you change
your network infrastructure, you should make sure that your
problem is really caused by the network connection.
Monitor all other components carefully over a longer period of
time, especially the CPU and memory utilization.
■ Limit the collision domain. If you see a lot of collisions when
you monitor your system's network interface, there are probably
too many systems that share the same Ethernet collision
domain.
In this case, you should restructure your network or use
switches instead of hubs.
■ Check cable quality. If you see a lot of transmission errors
when you monitor a network interface, you might have a
problem with your network cable. Replace the network cable
and monitor the interface again.
■ Check both sides of a connection. If your server has
connectivity problems with a specific client and all other
clients are working correctly, you should check the connection
from the client side.
■ Change network adapters. In some cases, a driver for a
network adapter can be faulty and cause a performance
bottleneck. Try switching to an adapter from a different vendor
and monitor the system to see if performance improves.

Version 1 Copying all or part of this manual, 8-41

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ Upgrade to a faster network type. If other measures do not

lead to improved performance, upgrading to a faster network
technology (such as Gigabit Ethernet) might help.
However, you must make sure that the other components of
your system (such as the chipset) can handle this speed.

8-42 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Summary
The following is the summary of the objectives:

Objective Summary
1. Find Performance To find performance bottlenecks,
Bottlenecks you should monitor the following
components of your system:
■ CPU. The value of the CPU load
is measured by the average
number of process that are
waiting to be executed.

The load can be displayed with

uptime or top. top can also be
used to display the processes
that cause the highest CPU
utilization.
■ Memory. A lack of physical
memory is a very common
performance bottleneck.

When the system needs to page

out memory pages to swap
memory, the overall system
performance is affected.

You can display the paging and

swapping activities with the tool
vmstat.

Version 1 Copying all or part of this manual, 8-43

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
1. Find Performance ■ Storage System. A good
Bottlenecks (continued) indicator for the storage load of a
system is the time that an
application needs to wait for an
I/O request and the amount of
time an average I/O request
takes.

Both values can be displayed

with the tool iostat.
■ Network components. KDE
System Guard displays various
parameters of network utilization
such as packets, errors, or
collisions.

2. Reduce System and To reduce the system and memory

Memory Load load, you can do the following:
■ Determine which processes
utilize most of the processing
power. Determine whether this is
a failure or part of normal
operation.
■ Run only software that is required
to fulfill the purpose of the
system.
■ Keep your software up to date.
■ Optimize swap memory by
spreading it over multiple disks.
■ Upgrade the CPU and the
physical memory.

8-44 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Perform a Health Check and Performance Tuning

Objective Summary
3. Optimize the Storage To enhance the performance of the
System storage system, you can do the
following:
■ Use hdparm to ensure an optimal
configuration of your hard disks.
■ Set kernel parameters to optimize
disk access.
■ Tune access to the file systems
on your disks.
■ Exchange slow components of
your storage system.

4. Tune the Network To tune the performance of your

Performance network connections, you can do
the following:
■ Adapt the network parameters of
the Linux kernel for your needs.
■ Reconfigure your network
environment. This includes the
following:
■ Reduce the collision domain
of Ethernet networks.
■ Check the physical quality of
the connection (such as
cables and plugs)
■ Check both sides of a faulty
network connection.
■ Replace or upgrade your
network equipment.

Version 1 Copying all or part of this manual, 8-45

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

8-46 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

SECTION 9 Manage Hardware and Component

Changes

In this section, you learn how SLES 9 handles hardware and device
drivers. You also learn how to add and replace certain types of
hardware.

Objectives
1. Understand the Differences Between Devices and Interfaces
2. Understand How Device Drivers Work
3. Understand How Device Drivers Are Loaded
4. Understand the sysfs Files System
5. Understand How the SLES 9 hotplug System Works
6. Understand the hwup Command
7. Add New Hardware to a SLES 9 System

Version 1 Copying all or part of this manual, 9-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Introduction
Although most hardware devices can be configured with YaST or
are even automatically detected when plugged into the system, it is
sometimes helpful to understand how things work in the
background.

In the this section, you are introduced to SLES 9 hardware

management and how device drivers are loaded.

9-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Objective 1 Understand the Differences Between

Devices and Interfaces
This objective uses the terms “device” and “interface.” These terms
are often confused, not only by users and administrators but also by
developers of operating systems and related tools.

This course uses the following definitions for device and interface:
■ Device. A device is a real, physical piece of hardware. This can
be a PCI network card, an AGP graphic adapter, a USB printer,
or any kind of hardware that you can hold, feel, or break if you
want to.
■ Interface. An interface is a software component associated
with a device. To use a physical piece of hardware, it needs to
be accessed by a software interface.
A device can have more than one interface.

Interfaces are usually created by a driver. In Linux, a driver is

usually a software module that can be loaded into the Linux kernel.
Therefore, a driver can be seen as the glue between a device and its
interfaces.

Version 1 Copying all or part of this manual, 9-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 2 Understand How Device Drivers Work

As described before, device drivers access and use a device. There
are 2 basic kinds of device drivers:
■ Kernel modules. The functionality of the Linux kernel can be
extended by kernel modules. These modules can be loaded and
removed during runtime. They allow the kernel to provide
access to hardware.
■ User space drivers. Some hardware needs additional drivers
that work in user space. Examples of this kind of hardware are
printers or scanners.

The following illustrates the roles of kernel and user space drivers:

9-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

While the handling of user space drivers depends on the framework

they are used in, you can mange kernel modules with the following
commands:
■ lsmod. This command lists all loaded kernel modules. For
example:
lsmod
■ modprobe. This command loads kernel modules. Because
kernel modules can depend on each other, modprobe
automatically resolves these dependencies and loads all
required modules. For example:
modprobe usb-storage
In this example, modprobe loads the usb-storage, module which
is needed to access storage devices connected with the USB
bus.
Because this module requires other USB modules, modprobe
also loads these modules.
■ rmmod. This command removes loaded kernel modules. For
example:
rmmod usb-storage
Only modules that are not needed can be removed. In this
example, the USB device first has to be disconnected before the
usb-storage module can be removed.

Kernel modules are files that are stored in the directory

/lib/modules/kernel-version/.

Because modules normally work only with the kernel version they
are built for, a new directory is created for every kernel update you
install.

Modules are stored in several subdirectories with a filename

extension of .ko for kernel object. When loading a module with
modprobe, you can mot the extension and use just the module name.

Version 1 Copying all or part of this manual, 9-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 3 Understand How Device Drivers Are Loaded

Because it would be very inconvenient to load all kernel modules
manually after every system start, there are several methods to
perform this task automatically.

The following is an overview of how device drivers are loaded in

SLES 9:
■ initrd. Important device drivers that are necessary to access the
root partition are loaded from initrd. initrd is a special file that
is loaded into memory by the boot loader. Examples of such
modules are the scsi host controller and file system drivers.
■ initscripts. Some initscripts are dedicated to loading and setting
up hardware devices, such as the alsasound script for sound
cards.
■ hotplug. hotplug also loads kernel modules.
■ X Server. Although the graphics card drivers are not kernel
modules, X Server loads special drivers to enable hardware 3D
support.
■ manually. You can always load kernel modules on the
command line or in scripts with the modprobe command or
with the hwup or hwdown commands.

9-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Objective 4 Understand the sysfs File System

In the past it was difficult to determine which interface belonged to
which device. This changed with kernel version 2.6 when the sysfs
filesystem was introduced.

sysfs is a virtual file system that is mounted under /sys. In a virtual

file system, there is no physical device that holds the information.
Instead, the file system is generated virtually by the kernel.

sysfs represents all devices and interfaces of a Linux system. In

sysfs, there are 4 main directories:
■ /sys/bus and /sys/devices. These directories contain different
representations of system hardware. Devices are represented
here.
For example, the following represents a digital camera
connected to the USB bus:
/sys/bus/usb/devices/1-1/
This directory contains several files that provide information
about the device. The following is a listing of the files in this
directory:
1-1:1.0 bMaxPower manufacturer
bcdDevice bNumConfigurations maxchild
bConfigurationValue bNumInterfaces power
bDeviceClass detach_state product
bDeviceProtocol devnum serial
bDeviceSubClass idProduct speed
bmAttributes idVendor version
For example, by reading the content from the manufacturer file,
you can determine the manufacturer of the device:
cat manufacturer
OLYMPUS
In this case, an Olympus digital camera is connected with the
system.

Version 1 Copying all or part of this manual, 9-7

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

■ /sys/class and /sys/block. The interfaces of the devices are

represented under these 2 directories,.
For example, the interface belonging to the Olympus digital
camera is represented by the following directory:
/sys/block/sda/
The directory named /sda is the digital camera accessed like a
SCSI hard disk.
The following is the content of the /sda directory:
dev queue removable size
device range sda1 stat
The subdirectory /sda1 represents the interface to the first
partition on the cameras memory card. For example, by reading
the content of /sda1/size, you can determine the size of the
partition:
cat sda1/size
31959
The partition has a size of 31959 512-byte blocks, which is
about 16 MB.

To connect an interface with a device, file system links are used. In

the Olympus digital camera example, a link exists from the file
/sys/block/sda/device to the corresponding device:
ll device
lrwxrwxrwx 1 root root 0 Aug 17 14:03 device
-> ../../devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-
1:1.0/host0/0:0:0:0

In this way, all interfaces of the system are linked with their
corresponding devices.

Beside the representation in sysfs, there are also the device files in
the /dev directory.

These files are needed for applications to access the interfaces of a

device. The name “device file” is a bit misleading, as in our
terminology the name “interface file” would be more suitable.

9-8 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Objective 5 Understand How the SLES 9 Hotplug

System Works
Before you can use a hardware device, you need to load the
appropriate driver module and set up the corresponding interface.
For some devices in SLES 9, this is done by the hotplug system.

The name “hotplug” is a bit misleading, because the hotplug system

sets up different kinds of devices, not only those that are really hot
pluggable, like USB or Firewire devices.

Every action hotplug performs must be triggered by a hotplug event.

Hotplug events can be created in the following ways:
■ By the Linux kernel. The Linux kernel triggers a hotplug event
when a connection to a device is established, or when a driver
is already loaded for a connected device.
For example, when you plug in a USB device or insert a
hotplug PCI adapter a hotplug event is triggered.
■ By Coldplug. Coldplug is a script that starts at boot time. It
scans the system and creates a hotplug event for every device it
finds.
This way, the hotplug system is used for devices other than hot
pluggable devices.

A hotplug event is basically a call of the script /sbin/hotplug. The

kernel is configured to call this script by an entry in
/proc/sys/kernel/hotplug.

Every hotplug event has an event type. The event type is determined
by a single parameter that is passed to the hotplug script and some
additional environment variables that can be read by the hotplug
script.

The command line parameters determines the subsystem that has

issued the event in the kernel.

Version 1 Copying all or part of this manual, 9-9

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following is a list of some possible parameters and the

corresponding subsystems:
■ ieee1394. This is used by the Firewire subsystem of the kernel.
■ usb. This is used by the USB subsystem.
■ net. This is used by the networking subsystem for any kind of
networking interfaces.
■ pci. This is used for PCI devices.

The environment variables provided for a hotplug event depending

on the event type.

Basically, the environment variables provide the action of the event

(such as add when a device has been added or remove when a
device has been removed) and additional information about the
affected device.

Depending on the event type, the hotplug script starts the hotplug
agents.

There are 2 basic types of hotplug agents:

■ Device agents. These agents are responsible for loading kernel
modules and calling additional commands to set up a device. To
find the correct kernel module, they first call the hwup script,
which looks for a configuration file of the corresponding
device.
■ Interface agents. When the kernel module loads, it usually
register an interface for the device. The registration of the
interface also triggers a hotplug event, which might be handled
by an interface agent.
In SLES 9, an interface agent is used to set up network
interfaces. Instead of calling hwup, the interface agent uses the
ifup command, which reads the corresponding interface
configuration file.

The hotplug agents are located in the directory /etc/hotplug/.

9-10 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

It might not be possible to start some devices with the hwup script,
because no configuration file can be found.

In this case, the agents have routines to find and load the correct
driver module automatically by searching module map files in the
directories /etc/hotplug/ and /lib/modules/kernelversion/.

The file /etc/hotplug/blacklist contains a list of driver modules that

should never be loaded by hotplug.

Sometimes coldplug and hotplug can cause errors during system

startup; for example, when a broken kernel module is loaded. In this
case, you can switch off both coldplug and hotplug with the
following boot parameters:
NOCOLDPLUG=1

This switches coldplug off.

NOHOTPLUG=1

This switches hotplug off.

The following is the hotplug process for attaching a USB camera to

the system:

1. The camera is plugged into the system.

2. The USB subsystem recognizes the camera and triggers a

hotplug event by calling the hotplug script.

3. The subsystem passes usb as the parameter to the script and

provides additional information about the new device in
environment variables.

4. Because of the usb parameter, the hotplug script calls the USB
hotplug agent.

5. The USB agent tries to configure the device by calling hwup.

Version 1 Copying all or part of this manual, 9-11

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

6. If hwup fails, the agent tries to find the correct usb module by
searching module mapfiles in /etc/hotplug and
/lib/modules/kernelversion.

7. If a driver is found, the corresponding module is loaded.

The following illustrates the Linux hotplug process for a USB

camera:

Linux System
Linux Kernel

Hotplug Script

USB Agent

1. hwup

2. Automatic module
loading
● /etc/hotplug/usb.usermap
● /etc/hotplug/usb.handmap
● /lib/modules/<version>

/ modules.usbmap

9-12 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Objective 6 Understand the hwup Command

The command hwup is used by the hotplug agent to start
preconfigured devices. In this objective, you learn how to use this
command and how to interpret the corresponding configuration
files.

hwup reads the device configurations from files in the directory

/etc/sysconfig/hardware/.

In order to determine the correct configuration file, the

configuration filenames follow a specific naming scheme.

The following is the filename for a PCI network adapter:

hwcfg-bus-pci-0000:02:08.0

The filename consists of the following 4 elements separated by

hyphens:
■ hwcfg. This is the beginning of every device configuration file.
■ bus. This determines that the device is identified by the bus it is
connected to.
■ pci. This indicates that the device is connected to the PCI bus.
■ 0000:02:08.0. This is the address of the device in the PCI bus.
You can display the PCI address of a device with the lspci
command, as in the following:
...

0000:02:08.0 Ethernet controller: Intel Corp. 82801BD PRO/100 VE (LOM)

Ethernet Controller (rev 81)

...

Other devices types might use different elements in their

configuration filename. For more information about the naming
scheme, see the manpage of getcfg (man getcfg).

Version 1 Copying all or part of this manual, 9-13

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

The following lists the possible variables in a device configuration

file:

Variable Meaning
STARTMODE This determines when and how a
device will be started:
■ auto. The device is
automatically started at boot
time or by hotplug when the
device is connected to the
system.
■ manual. The device should
not be started automatically,
but it can be started manually.
■ off. The device should never
be started.

MODULE The value of this variable

determines the name of the
kernel module that should be
loaded for the device.
If multiple modules have to be
loaded, you can use this variable
multiple times with any suffix
appended.
You must then use the same
suffixes for multiple
MODULE_OPTIONS variables.
Example:
MODULE_A="foo"
MODULE_B="bar"
MODULE_OPTIONS_A="foo-
opt"
MODULE_OPTIONS_B="bar-
opt1=xyz"
MODULE_OPTIONS With this variable, options can be
passed to the kernel module.

9-14 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Variable Meaning
SCRIPT{UP,DOWN}_[type] This specifies the script to be
called for initialization and
deconfiguration of a specific
device type.
This script is called if the type of
the device to be initialized
matches the type given in this
parameter.
SCRIPT{UP,DOWN} This specifies the script to be
called for initialization and
deconfiguration of the device.
It will be called only if no
matching type-specific scripts are
configured.

The following is an example of a configuration file for a network

adapter:
MODULE='e100'
MODULE_OPTIONS=''
STARTMODE='auto'

The module e100 is loaded, there are no options for this module and
the device is started automatically at boot time.

The hwup command is usually called by hotplug agents, but you

can also use it manually. For example, the following command
starts the network card shown in the previous:
hwup bus-pci-0000:02:08.0

The last 3 elements of the configuration filename specify the device.

You can use the command hwdown to deconfigure devices, as in the

following:
hwdown bus-pci-0000:02:08.0

Version 1 Copying all or part of this manual, 9-15

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Exercise 9-1: Trace How a Network Adapter Is Set Up With hwup

and ifup

In this exercise, you do the following:

■ Part I: Boot the System with Hot and Coldplug Disabled
■ Part II: Use hwup to Load a Driver Module
■ Part III: Use ifup to Set Up the Network Interface

Part I: Boot the System with Hot- and Coldplug Disabled

Do the following:

1. Log out of the KDE desktop environment and reboot your

system.

2. When the SLES 9 boot screen appears, add the following to the
Boot Options field:
NOCOLDPLUG=1 NOHOTPLUG=1
These parameters are case-sensitive.

3. Boot the system by pressing Enter.

4. At the KDM login screen, log in as geeko.

5. Open a terminal window.

6. Try to ping the system of a partner by entering the following:

ping partner_ip_address
Notice that the network is not working.

9-16 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Part II: Use hwup to Load a Driver Module

Do the following:

1. From the terminal window, su to root.

2. Enter lspci.

3. Look for a line with the description Ethernet controller in the

second column.

Note the PCI address (in the first column), such as the
following:
0000:02:00.0

4. Look for one of the following files:

■ In /etc/sysconfig/hardware:
hwcfg-bus-pci-address_ethernet_controller
■ In /etc/sysconfig/hardware:
hwcfg-id-address_ethernet_controller

5. Open the file with a text editor.

6. Look for a line starting with MODULE=.

Notice the name of the module after this option. This is the
hardware driver for your network adapter.

7. Close the file.

8. Verify whether the driver has been already loaded by entering

the following:
lsmod | grep module_name
Notice that the driver has not been loaded because you have
disabled Cold- and Hotplug.

9. Load the driver module by entering one of the following:

Version 1 Copying all or part of this manual, 9-17

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

hwup bus-pci-address_ethernet_controller
or
hwup id-address_ethernet_controller

10. Verify that the diver is loaded by entering the following:

lsmod | grep module_name
Notice that the driver has been loaded.

Part III: Use ifup to Set Up the Network Interface

1. Display the current configuration of the network interfaces by

entering the following:
ip address show

2. Look for a line starting with eth0.

Notice that no IP address has been assigned to the interface.

Also notice the hardware address of eth0 (displayed after the
words link/ether).

3. Enter cd /etc/sysconfig/network.

4. In the directory /etc/sysconfig/network, look for a file with the

following name:
ifcfg-eth-id-hardware_address

5. Open this file with a text editor.

6. Look for the option IPADDR.

This is the IP address you will assign to the device.

7. Close the file.

8. Configure the interface by entering the following:

ifup eth-id-hardware_address

9-18 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

9. Verify that the interface has been configured by entering the

following:
ip address show
Notice that the interface has been configured and is ready to
use.

(End of Exercise)

Version 1 Copying all or part of this manual, 9-19

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective 7 Add New Hardware to a SLES 9 System

In general, new hardware is either detected with hotplug or can be
easily configured with YaST. In some cases, however, some manual
work is necessary to integrate new devices properly into the system.

In this objective, you learn how to perform the following tasks:

■ Add a New Drive to the System
■ Replace a Graphics Card
■ Add a New Network Adapter

Add a New Drive to the System

The following explains how to add a new drive to a SLES 9

installation. For this example, assume the following:
■ The system is equipped with a single hard disk and is used as a
web server.
■ The system is running out of disk space, so you need to add a
new hard disk for the /srv directory.

Do the following:

1. Shut down the system and install the new drive.

2. Boot the system into runlevel 1 by passing the boot parameter 1

to the Linux kernel.

3. Use YaST or command line tools to create a partition and a file

system on the new drive.

4. Mount the drive temporarily in the /mnt directory.

5. Copy the existing data from /srv to /mnt. Make sure that the file
permissions copy properly. (Use the -a option for the cp
command.)

9-20 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

6. Verify the copied data and delete the content of the /srv
directory.

7. Umount the new hard disk.

8. Edit the file /etc/fstab to mount the new hard drive automatically
at boot time.

9. Reboot the system to the default runlevel.

Replace a Graphics Card

When you add a new graphics card to the system, the X Server
starts up with the wrong driver configuration when booting into
runlevel 5.

A similar problem occurs when you replace the monitor of your system.
You can also use the following instructions in this situation.

Do the following steps:

1. Shut down the system and replace the graphics card.

2. Boot the system into runlevel 3 by passing the boot parameter 3

to the Linux kernel.

3. Log in as root and start sax2 to configure the new graphics

card.

4. When finished, change to runlevel 5.

Version 1 Copying all or part of this manual, 9-21

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Add a New Network Adapter

When adding a second network adapter, you have to make sure that
the interface names of the devices are not confused.

The interface names are determined by the order of the network

adapters in the PCI bus. So and adapter might get a different
interface name after another one has been plugged in.

In this example, assume the following:

■ The system has a single network adapter.
■ The system should be used as a router and and so you need to
install a second adapter.

Do the following:

1. Before you install the new adapter, open the interface

configuration file of the existing adapter in
/etc/sysconfig/network/.

2. Add the following line to the configuration file:

PERSISTENT_NAME='external'
This ensures that the device always gets the interface name
external.

3. Shut down the system and install the new network adapter.

4. Start the system and boot into runlevel 1.

5. Configure the new network adapter with YaST.

6. Open the interface configuration file of the new network

adapter and add the following line:
PERSISTENT_NAME='internal'

7. Reboot the system into the default runlevel.

With this method, the old adapter always gets the interface external
while the new adapter gets internal.

9-22 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Summary
The following is the summary of the objectives.

Objective Summary
1) Understand the Differences ■ The terms device and interface
Between Devices and are often confused. This
Interfaces section uses the following
definitions:
■ Device. A device is a
physical piece of
hardware.
■ Interface. An interface is
a software component
that is used to access a
device.
■ One device can have more
than one interface.
■ An interface is created by a
device driver.

Version 1 Copying all or part of this manual, 9-23

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
2) Understand How Device Drivers ■ There are 2 basic kinds of
Work device drivers:
■ Kernel modules. Kernel
modules are loaded into
the Linux kernel and
extend its functionality.
■ User space drivers.
These drivers run within
user space applications.
Some devices require both,
kernel modules and user
space drivers.
■ You can use the following
commands to manage kernel
modules:
■ lsmod. Use lsmod to list
loaded drivers.
■ modprobe. Use
modprobe load kernel
modules.
■ rmmod. Use rmmod to
remove loaded kernel
modules.
■ The kernel modules are files
that are stored in the
directory /lib/modules/kernel-
version/.
3) Understand How Device Drivers In a SLES 9 system, kernel
Are Loaded modules are loaded in the
following ways:
■ From initrd
■ By initscripts
■ By hotplug
■ By the X Server
■ Manually by the user root

9-24 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Objective Summary
4) Understand the sysfs File ■ The sysfs file system provides
System a representation of all devices
and interfaces of a system.
■ Devices are represented in the
directories: /sys/bus and
/sys/devices.
■ Interfaces are represented by
the directories /sys/class and
/sys/block.
■ A device and its interfaces are
connected with file system
links.

Version 1 Copying all or part of this manual, 9-25

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Objective Summary
5) Understand How the SLES 9 ■ The hotplug system is used to
hotplug System Works configure some devices of a
SLES 9 system.
■ The following is the standard
hotplug process when a new
device is plugged into the
system:
1) The device is plugged into
the system.
2) The USB subsystem
recognizes the device and
triggers a hotplug event by
calling the hotplug script.
3) The subsystem passes
usb as the parameter to
script and provides
additional information
about the new device in
environment variables.
4) Because of the usb
parameter, the hotplug
script calls the usb hotplug
agent.
5) The USB agent tries to
configure the device by
calling hwup.
6) If hwup fails, the agent
tries to find the correct usb
module by searching
module mapfiles in
/etc/hotplug and
/lib/modules/kernelversion.
7) If a driver is found, the
corresponding module is
loaded.

9-26 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Manage Hardware and Component Changes

Objective Summary
6) Understand the hwup ■ The hwup command is used to
Command start preconfigured devices.
■ The device configuration files
are stored in the directory
/etc/sysconfig/hardware/.
■ The filename of the
configuration file contains a
unique identifier for the
corresponding device.
In the configuration file, the
following variables can be
used:
■ STARTMODE
■ MODULE
■ MODULE_OPTIONS
■ SCRIPT{UP,DOWN}_
[type]
■ SCRIPT{UP,DOWN}
7) Add New Hardware to a SLES 9 In general, new hardware is
System either detected with hotplug or
can be easily configured with
YaST.
It some cases, however, some
manual work is necessary to
integrate new devices properly
into the system.
The following are 3 examples of
situations that require manual
configuration:
■ Adding a hard drive
■ Replacing a graphic adapter
■ Adding a new network adapter

Version 1 Copying all or part of this manual, 9-27

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

9-28 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Prepare for the Novell CLP Practicum

SECTION 10 Prepare for the Novell CLP Practicum

In this section, you work through the following scenarios to help

you to prepare for the Novell CLP (Certified Linux Professional)
practicum exam:
■ Scenario 1: Install and Configure SLES 9
■ Scenario 2: Configure a DNS Server
■ Scenario 3: Configure a Web Server
■ Scenario 4: Configure a Samba File Server

You must complete Scenario 1. You can then select any of the
remaining scenarios to complete, depending on available time.

Remember that skills from all 3 Novell CLP courses might be

necessary to fulfill the required tasks.

Version 1 Copying all or part of this manual, 10-1

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Scenario 1: Install and Configure SLES 9

Digital Airlines is planning on deploying SUSE LINUX in its IT
infrastructure. During the first phase, SUSE LINUX will be used on
the back-end systems like file, web, and network-infrastructure
servers.

As the network administrator for your Digital Airlines office, you ,

you (along with management) have designed a migration plan
which includes the following services to be migrated to SUSE
LINUX:
■ DNS services on the internal network
■ Intranet Web server.
■ File and Print services for Windows clients.

You decide to start by installing and testing these services on a

computer in a computer in the test lab.

The following are tasks and requirements that need to be performed

on the test server. Read through them carefully, then install and
configure the server:
■ Install SLES 9 from the SLES 9 installation CDs.
■ Make sure that you use a partition setup that fits your needs.
■ Chose a root password under security aspects.
■ Create one additional normal user account.
■ Update the system with YOU (from server DA1) after the
installation.
■ Secure the GRUB boot loader with a password.
■ Configure the network connection manually (with or without
YaST).
■ Configure only necessary applications and daemons.
■ Configure runlevel 3 as the system default.
■ Synchronize the system clock with DA1 using NTP.

10-2 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Prepare for the Novell CLP Practicum

Scenario 2: Configure a DNS Server

One milestone of Digital Airlines move to SUSE LINUX is the
implementation of Linux-based DNS servers. As a first step you
decide to setup a test DNS Server in your lab.

On the SUSE LINUX test server in your lab, do the following:

■ Configure a master DNS server for 5 test systems
(DA10-DA14).
■ Test your setup (you can use the command dig).
■ The server configuration files under /etc as well as the zone
files should be backed up. Write a shell script which performs a
full backup every Sunday and an incremental backup on the
other days using the tar tool.
For test purposes, you can copy the backup files to the directory
/tmp.
■ Configure your backup script as a cron job which runs every
day at10 pm.
■ With another student who is working on the same scenario,
configure your servers to be slave DNS servers for each other.

Version 1 Copying all or part of this manual, 10-3

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

Scenario 3: Configure a Web Server

Your Digital Airlines office runs an internal web server which
provides vital information for employees. The server hosts a general
portal site and a virtual host for every department.

Because the web server needs to be migrated to SLES 9, you decide

to create a prototype system for the general portal site and 2
departments (accounting and marketing) on the test server.

Set up the prototype system using the following guidelines:

■ Install and configure an Apache web server that hosts the
general portal site and 2 virtual hosts for the departments
accounting and marketing.
■ Use the Apache example pages as demo content.
■ The virtual host from accounting should run under SSL, and
should only be accessible for the users in the group accounting.
■ Make additional entries in the file /etc/hosts to test the virtual
host setup.
■ From each department one user should be allowed to login
using SSH on the server to change the content of the virtual
host.
Create two normal users JNelson and SRife on your system.
JNelson should be responsible for the marketing department
and SRife for the accounting department.
Use ACLs to make sure that JNelson and SRife can only read
and access the content in the corresponding virtual host
directory.
■ All pages which you have to migrate end in .htm. Create a shell
script which replaces the .htm with .html.

10-4 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Prepare for the Novell CLP Practicum

Scenario 4: Configure a Samba file server

As part of the SUSE LINUX migration plan for your Digital
Airlines office, you need to move file and print services to a Samba
server running on SLES 9.

You decide to test this migration for the marketing department on

the test server in your lab.

Set up the Samba server using the following guidelines:

■ Install the Samba server and client software.
■ Configure a marketing workgroup.
■ Create a UNIX group named marketing.
■ Create 2 normal users (PSmith and JWattson) who are members
of the accounting group and are included in the file smbpasswd.
■ Create one shared folder for the group accounting.
■ Export the home directories of PSmith and JWattson as
personal shared folders.
■ Test your shares (you can use the smbclient).
■ Create a bash script that searches for Windows executables on
the shares. If an executable is found, the file should be moved
to a directory outside of the share and a mail should be send to
the root user of the Samba server.
Depending on your programing skills, you can choose one of
the following methods to determine if a file is a Windows
executable:
■ Search for file extensions such as .exe or .com (not a secure
solution)
■ Identify the file type using the command file.

Version 1 Copying all or part of this manual, 10-5

or distributing such copies, is strictly prohibited.
SUSE LINUX Advanced Administration

10-6 Copying all or part of this manual, Version 1

or distributing such copies, is strictly prohibited.
 Novell CLP and LPI Requirements

APPENDIX A Novell CLP and LPI Requirements

This appendix provides information about the LPI Level I objectives

covered in this and the other Novell CLP certification courses.

LPI objectives named 1.xxx.y are part of exams 101 and 102 (LPI
Certification Level 1). LPI objectives named 2.xxx.y are part of
exams 201 and 202 (LPI Certification Level 2). CLP courses
include the section (such as 3037/3 for Course 3037 Section 3).

Because the Novell CLP courses use SUSE LINUX exclusively,

there are some differences in the software used in those courses and
those covered by the LPI objectives (such as CUPS for printing in
SLES 9 and lpr in the LPI objectives).

Table A-1 LPI Objective CLP Courses

Topic 101: Hardware & Architecture

1.101.1 Configure fundamental BIOS not applicable

settings

1.101.3 Configure modem and sound cards not applicable

1.101.4 Setup SCSI devices not applicable

1.101.5 Setup different PC expansion not applicable

cards

1.101.6 Configure communication devices not applicable

1.101.7 Configure USB devices not applicable

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. A-1
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

(continued) Table A-1 LPI Objective CLP Courses

Topic 102: Linux Installation and

Package Management

1.102.1 Design hard disk layout 3037/3, 3038/1

1.102.2 Install a boot manager 3037/5, 3038/5

1.102.3 Make and install programs from 3038/7

source

1.102.4 Manage shared libraries 3037/4

1.102.5 Use Debian package management not applicable

1.102.6 Use Red Hat Package Manager 3036/5, 3037/4

(RPM)

Topic 103: GNU and Unix Commands

1.103.1 Work on the command line 3036/3, 3036/5

1.103.2 Process text streams using filters 3036/6

1.103.3 Perform basic file management 3036/6

1.103.4 Use streams, pipes, and redirects 3036/5, 3036/6

1.103.5 Create, monitor, and kill processes 3036/8, 3037/6, 3038/8

1.103.6 Modify process execution priorities 3036/8, 3037/6, 3038/8

1.103.7 Search text files using regular 3036/6

expressions

1.103.8 Perform basic file editing 3036/7

operations using vi

A-2 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Novell CLP and LPI Requirements

(continued) Table A-1 LPI Objective CLP Courses

Topic 104: Devices, Linux Filesystems,

Filesystem Hierarchy Standard

1.104.1 Create partitions and filesystems 3037/3, 3038/1

1.104.2 Maintain the integrity of filesystems 3037/3

1.104.3 Control mounting and unmounting 3036/6, 3037/3

filesystems

1.104.4 Managing disk quota 3037/3

1.104.5 Use file permissions to control 3036/6, 3037/2

access to files

1.104.6 Manage file ownership 3036/6, 3037/2

1.104.7 Create and change hard and 3036

symbolic links

1.104.8 Find system files and place files in 3036/6

the correct location

Topic 105: Kernel

1.105.1 Manage/query kernel and kernel 3037/5

modules at runtime

1.105.2 Reconfigure, build, and install a not applicable

custom kernel and kernel modules

Topic 106: Boot, Installation, Shutdown

and Runlevels

1.106.1 Boot the system 3037/5, 3038/5

1.106.2 Change runlevels and shutdown or 3036/8, 3037/5, 3037/6

reboot system

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. A-3
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

(continued) Table A-1 LPI Objective CLP Courses

Topic 107: Printing

1.107.2 Manage printers and print queues 3037/8

1.107.3 Print files 3037/8

1.107.4 Install and configure local and 3037/8

remote printers

Topic 108: Documentation

1.108.1 Use and manage local system 3036/3

documentation

1.108.2 Find Linux documentation on the 3036/3

Internet

1.108.5 Notify users on system-related 3036/2

issues

Topic 109: Shells, Scripting,

Programming and Compiling

1.109.1 Customize and use the shell 3036/5, 3038/6

environment

1.109.2 Customize or write simple scripts 3038/6

Topic 110: X

1.110.1 Install and configure XFree86 not applicable

1.110.2 Setup a display manager not applicable

1.110.4 Install and customize a window not applicable

manager environment

A-4 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Novell CLP and LPI Requirements

(continued) Table A-1 LPI Objective CLP Courses

Topic 111: Administrative Tasks

1.111.1 Manage users and group accounts 3036/5, 3037/2

and related system files

1.111.2 Tune the user environment and 3036/5, 3037/2

system environment variables

1.111.3 Configure and use system log files 3037/6, 3038/8

to meet administrative and security needs

1.111.4 Automate system administration 3036/8, 3037/6

tasks by scheduling jobs to run in the future

1.111.5 Maintain an effective data backup 3036/6, 3037/3, 3038/5

strategy

1.111.6 Maintain system time 3037/8

Topic 112: Networking Fundamentals

1.112.1 Fundamentals of TCP/IP 3036/9, 3037/7

1.112.3 TCP/IP configuration and 3036/9, 3037/7, 3038/1

troubleshooting

1.112.4 Configure Linux as a PPP client not applicable

Topic 113: Networking Services

1.113.1 Configure and manage inetd, 3037/9

xinetd, and related services

1.113.2 Operate and perform basic not applicable

configuration of sendmail

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. A-5
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

(continued) Table A-1 LPI Objective CLP Courses

1.113.3 Operate and perform basic 3037/8, 3038/3

configuration of Apache

1.113.4 Properly manage the NFS, smb, 3037/9, 3038/3

and nmb daemons

1.113.5 Setup and configure basic DNS 3038/1

services

1.113.7 Setup secure shell (OpenSSH) 3037/10

Topic 114: Security

1.114.1 Perform security administration 3038/4

tasks

1.114.2 Setup host security 3038/4

1.114.3 Setup user level security 3037/2, 3038/4

Topic 201: Linux Kernel

2.201.1 Kernel components not applicable

2.201.2 Compiling a kernel not applicable

2.201.3 Patching a kernel not applicable

2.201.4 Customizing a kernel not applicable

Topic 202: System Startup

2.202.1 Customizing system startup and 3037/5, 3037/6

boot process

2.202.2 System recovery 3038/5

A-6 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Novell CLP and LPI Requirements

(continued) Table A-1 LPI Objective CLP Courses

Topic 203: Filesystem

2.203.1 Operate the Linux filesystem 3037/3

2.203.2 Maintaining a Linux filesystem 3037/3

2.203.3 Creating and configuring 3037/3

filesystem options

Topic 204: Hardware

2.204.1 Configuring RAID 3038/1

2.204.2 Adding new hardware 3038/9

2.204.3 Software and kernel configuration 3038/1

2.204.4 Configuring PCMCIA devices not applicable

Topic 205: Networking

2.205.1 Basic network configuration 3036/9, 3037/7, 3038/1

2.205.2 Advanced network configuration 3036/9, 3037/7, 3038/1

and troubleshooting

Topic 206: Mail and News

2.206.1 Configuring mailing lists not applicable

2.206.2 Using sendmail not applicable

2.206.3 Managing mail traffic not applicable

2.206.4 Serving news not applicable

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. A-7
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

(continued) Table A-1 LPI Objective CLP Courses

Topic 207: DNS

2.207.1 Basic BIND 8 configuration not applicable

2.207.2 Create and maintain DNS zones 3038/1

2.207.3 Securing a DNS server 3038/1

Topic 208: Web Services

2.208.1 Implementing a web server 3037/9, 3038/3

2.208.2 Maintaining a web server 3037/9, 3038/3

2.208.3 Implementing a proxy server not applicable

Topic 209: File and Service Sharing

2.209.1 Configuring a samba server 3037/8, 3038/3

2.209.2 Configuring an NFS server 3037/8

Topic 210: Network Client Management

2.210.1 DHCP configuration not applicable

2.210.2 NIS configuration 3037/8

2.210.3 LDAP configuration 3037/8, 3038/2

2.210.4 PAM authentication 3037/2

Topic 211: System Maintenance

2.211.1 System logging 3037/6, 3038/8

2.211.2 Packaging software not applicable

A-8 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.
 Novell CLP and LPI Requirements

(continued) Table A-1 LPI Objective CLP Courses

2.211.3 Backup operations 3038/5

Topic 212: System Security

2.212.2 Configuring a router not applicable

2.212.3 Securing FTP servers not applicable

2.212.4 Secure Shell (OpenSSH) 3037/10

2.212.5 TCP wrappers 3037/9

2.212.6 Security tasks 3038/4

Topic 213: System Customization and

Automation

2.213.1 Automating tasks using scripts 3037/6, 3038/6

Topic 214: Troubleshooting

2.214.2 Creating recovery disks 3037/3, 3038/5

2.214.3 Identifying boot stages 3037/5, 3038/5

2.214.4 Troubleshooting LILO not applicable

2.214.5 General troubleshooting 3038/5

2.214.6 Troubleshooting system resources 3037/5

2.214.7 Troubleshooting network issues 3037/7, 3038/1

2.214.8 Troubleshooting environment 3038/5

configurations

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. A-9
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

A-10 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1
To report suspected copying, please call 1-800-PIRATES.