Suse Linux
Advanced Administration
100-004991-001
Version 1
Proprietary Statement
Copyright © 2004 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express prior consent of the publisher. This manual, and any portion thereof, may not be copied without the express written permission of Novell, Inc.
Novell, Inc.
1800 South Novell Place
Provo, UT 84606-2399
Disclaimer
Novell, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any NetWare software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity of such changes.
This Novell Training Manual is published solely to instruct students in the use of Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and shall not constitute an endorsement of any of these software applications.
Further, Novell, Inc. does not represent itself as having any particular expertise in these application software packages and any use by students of the same shall be done at the students’ own risk.
Software Piracy
Throughout the world, unauthorized duplication of software is subject to both criminal and civil penalties.
If you know of illegal copying of software, contact your local Software Antipiracy Hotline.
For the Hotline number for your area, access Novell’s World Wide Web page at http://www.novell.com and look for the piracy page under “Programs.”
Or, contact Novell’s anti-piracy headquarters in the U.S. at 800-PIRATES (747-2837) or 801-861-7101.
Trademarks
Novell, Inc. has attempted to supply trademark information about company names, products, and services mentioned in this manual. The following list of trademarks was derived from various sources.
Novell, Inc. Trademarks
Novell, the Novell logo, NetWare, BorderManager, ConsoleOne, DirXML, GroupWise, iChain, ManageWise, NDPS, NDS, NetMail, Novell Directory Services, Novell iFolder, Novell SecretStore, Ximian, Ximian Evolution and ZENworks are registered trademarks; CDE, Certified Directory Engineer and CNE are registered service marks; eDirectory, Evolution, exteNd, exteNd Composer, exteNd Directory, exteNd Workbench, Mono, NIMS, NLM, NMAS, Novell Certificate Server, Novell Client, Novell Cluster Services, Novell Distributed Print Services, Novell Internet Messaging System, Novell Storage Services, Nsure, Nsure Resources, Nterprise, Nterprise Branch Office, Red Carpet and Red Carpet Enterprise are trademarks; and Certified Novell Administrator, CNA, Certified Novell Engineer, Certified Novell Instructor, CNI, Master CNE, Master CNI, MCNE, MCNI, Novell Education Academic Partner, NEAP, Ngage, Novell Online Training Provider, NOTP and Novell Technical Services are service marks of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE LINUX AG, a Novell company.
For more information on Novell trademarks, please visit http://www.novell.com/company/legal/trademarks/tmlist.html.
Other Trademarks
Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc. EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a registered trademark of Apple Computer, Inc. Lotus Notes is a registered trademark of Lotus Development Corporation. Macintosh is a registered trademark of Apple Computer, Inc. Netscape Communicator is a trademark of Netscape Communications Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. Pentium is a registered trademark of Intel Corporation. Solaris is a registered trademark of Sun Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64 is a trademark of Digital Equipment Corp. UnitedLinux is a registered trademark of UnitedLinux. UNIX is a registered trademark of the Open Group. WebSphere is a trademark of International Business Machines Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation. All other third-party trademarks are the property of their respective owners.
Contents
Introduction
Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
Certification and Prerequisites . . . . . . . . . . . . . . . . . . . . . . Intro-2
SLES 9 Support and Maintenance . . . . . . . . . . . . . . . . . . . Intro-4
SLES 9 Online Resources . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6
Exercise Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Objective 1 Perform the SLES 9 Base Installation . . . . . . . . . . . . . . . . . . . 1-3
Boot From the Installation Media . . . . . . . . . . . . . . . . . . . . . . 1-3
Select the System Language . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Select the Installation Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Understand and Change the Installation Proposal . . . . . . . . . . 1-9
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-1
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Objective 1 Understand Linux Network Terms . . . . . . . . . . . . . . . . . . . . . 2-3
Objective 2 Set Up Network Devices With the ip Tool . . . . . . . . . . . . . . . 2-4
Display the Current Network Configuration . . . . . . . . . . . . . . 2-4
IP Address Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Display Device Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Display Device Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Change the Current Network Configuration . . . . . . . . . . . . . . 2-9
Assign an IP Address to a Device . . . . . . . . . . . . . . . . . . 2-10
Delete the IP Address from a Device . . . . . . . . . . . . . . . 2-10
Change Device Attributes . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Objective 3 Save Device Settings to a Configuration File . . . . . . . . . . . . 2-12
Configure a Device Statically . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Configure a Device Dynamically With DHCP . . . . . . . . . . . 2-14
Start and Stop Configured Devices . . . . . . . . . . . . . . . . . . . . 2-15
Objective 4 Set Up Routing With the ip Tool . . . . . . . . . . . . . . . . . . . . . . 2-16
View the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Add Routes to the Routing Table. . . . . . . . . . . . . . . . . . . . . . 2-17
Set a Route to the Locally Connected Network . . . . . . . 2-18
Set a Route to a Different Network . . . . . . . . . . . . . . . . . 2-18
Set a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Delete Routes from the Routing Table . . . . . . . . . . . . . . . . . 2-18
Objective 5 Save Routing Settings to a Configuration File . . . . . . . . . . . 2-19
Objective 6 Configure Host Name and Name Resolution. . . . . . . . . . . . . 2-20
Set the Host and Domain Name. . . . . . . . . . . . . . . . . . . . . . . 2-20
Configure Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Objective 7 Test the Network Connection With Command Line Tools . . 2-21
Use ping to Test Network Connections . . . . . . . . . . . . . . . . . 2-21
Use traceroute to Trace Network Packets . . . . . . . . . . . . . . . 2-23
Exercise 2-1: Configure the Network Manually . . . . . . . 2-25
Part I: Note the Current Network Configuration. . . . . . . 2-25
Part II: Delete the Current Network Setup with YaST . . 2-26
Part III: Configure the Network Manually . . . . . . . . . . . 2-27
Part IV: Save the Network Connection to
Interface and Hardware Configuration Files . . . . . . . . . . 2-27
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Objective 1 Configure a DNS Server Using BIND . . . . . . . . . . . . . . . . . . 3-3
Understand the Domain Name System . . . . . . . . . . . . . . . . . . 3-4
How Name Resolution Worked in the Early
Days of the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
The Internet Domain Concept . . . . . . . . . . . . . . . . . . . . . . 3-5
Understand How Name Servers Work . . . . . . . . . . . . . . . 3-6
Understand How to Query DNS . . . . . . . . . . . . . . . . . . . . 3-8
Install and Configure the BIND Server Software . . . . . . . . . 3-10
Configure a Caching-Only DNS server . . . . . . . . . . . . . . . . . 3-10
Configure a Master Server for Your Domain . . . . . . . . . . . . 3-13
Adapt the Main Server Configuration File . . . . . . . . . . . 3-13
Create the Zone Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Structure of the Files. . . . . . . . . . . . . . . . . . . . . . . . . 3-15
The File
/var/lib/named/master/digitalairlines.com.zone . . . . 3-17
The File /var/lib/named/master/10.0.0.zone . . . . . . . 3-19
The File /var/lib/named/master/localhost.zone. . . . . 3-21
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Objective 1 Create a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Understand the Basics of a Security Concept . . . . . . . . . . . . . 4-4
Perform a Communication Analysis . . . . . . . . . . . . . . . . . . . . 4-4
Analyze the Protection Requirements . . . . . . . . . . . . . . . . . . . 4-6
Analyze the Current Situation and
Necessary Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Objective 2 Limit Physical Access to Server Systems . . . . . . . . . . . . . . . 4-16
Place the Server in a Separate, Locked Room . . . . . . . . . . . . 4-16
Secure the BIOS with a Password . . . . . . . . . . . . . . . . . . . . . 4-17
Secure the GRUB Boot Loader with a Password . . . . . . . . . 4-17
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Objective 1 Develop a Backup Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Choose a Backup Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Perform an Incremental Backup . . . . . . . . . . . . . . . . . . . . 5-4
Perform a Differential Backup . . . . . . . . . . . . . . . . . . . . . 5-5
Choose the Right Backup Media . . . . . . . . . . . . . . . . . . . . . . . 5-6
Objective 2 Create Backup Files With tar . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Create tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Unpack tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Exclude Files from Backup . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Perform Incremental and Differential Backups. . . . . . . . . 5-9
Use a Snapshot File for Incremental Backups . . . . . . 5-9
Use the find Command to Search for
Files to Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Use tar Command Line Options . . . . . . . . . . . . . . . . . . . 5-11
Exercise 5-1: Create Backup Files With tar . . . . . . . . . . 5-12
Part I: Create a Full Backup . . . . . . . . . . . . . . . . . . . . . . 5-12
Part II: Create an Incremental Backup . . . . . . . . . . . . . . 5-13
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Objective 1 Use Basic Script Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Create Flow Charts for Scripts. . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Understand the Basic Rules of Shell Scripting . . . . . . . . . . . . 6-5
Exercise 6-1: Produce Output from a Script . . . . . . . . . . . 6-9
Develop Scripts That Read User Input . . . . . . . . . . . . . . . . . 6-10
Exercise 6-2: Read User Input . . . . . . . . . . . . . . . . . . . . 6-11
Perform Basic Script Operations with Variables . . . . . . . . . . 6-12
Exercise 6-3: Simple Operations with Variables . . . . . . 6-14
Use Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Exercise 6-4: Use Command Substitution . . . . . . . . . . . 6-16
Use Arithmetic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
Exercise 6-5: Use Arithmetic Operations. . . . . . . . . . . . 6-19
Objective 2 Use Variable Substitution Operators . . . . . . . . . . . . . . . . . . . 6-20
Exercise 6-6: Use Variable Substitution. . . . . . . . . . . . . 6-22
Objective 3 Use Control Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Create Basic Branches With the if Command . . . . . . . . . . . . . 6-23
Exercise 6-7: Use the if Command. . . . . . . . . . . . . . . . . 6-30
Build Multiple Branches With a case Statement . . . . . . . . . . 6-31
Exercise 6-8: Use the case Command . . . . . . . . . . . . . . 6-34
Create Loops Using the while and until Commands . . . . . . . 6-35
Exercise 6-9: Use the while and until Commands . . . . . 6-37
Process Lists with the for Loop . . . . . . . . . . . . . . . . . . . . . . . 6-38
Exercise 6-10: Use the for Loop. . . . . . . . . . . . . . . . . . . 6-40
Hints:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Interrupt Loop Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Exercise 6-11: Interrupt Loop Processing . . . . . . . . . . . 6-42
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Objective 1 Understand the Basics of C Programming. . . . . . . . . . . . . . . . 7-3
The Difference Between Source Code and an Executable . . . 7-3
The Structure of a Simple C Program . . . . . . . . . . . . . . . . . . . 7-5
How to Compile a Simple C Program . . . . . . . . . . . . . . . . . . . 7-8
Exercise 7-1: Compile a Simple C Program. . . . . . . . . . . 7-9
Objective 2 Understand the GNU Build Tool Chain. . . . . . . . . . . . . . . . . 7-10
Use configure to Prepare the Build Process. . . . . . . . . . . . . . 7-10
Use make to Compile the Source Code . . . . . . . . . . . . . . . . . 7-11
Use make install to Install the Compiled Program . . . . . . . . 7-13
Install the Required Packages for a Build Environment . . . . 7-13
Objective 3 Understand the Concept of Shared Libraries . . . . . . . . . . . . . 7-15
Objective 4 Perform a Standard Build Process . . . . . . . . . . . . . . . . . . . . 7-17
Exercise 7-2: Compile Software
from a Source Package . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
Part I: Compile a Source Package. . . . . . . . . . . . . . . 7-21
Part II: Run the Application . . . . . . . . . . . . . . . . . . . 7-22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Objective 1 Find Performance Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Analyze Processes and Processor Utilization . . . . . . . . . . . . . 8-4
Analyze Memory Utilization and Performance . . . . . . . . . . . . 8-6
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Objective 1 Understand the Differences Between
Devices and Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Objective 2 Understand How Device Drivers Work . . . . . . . . . . . . . . . . . 9-4
Objective 3 Understand How Device Drivers Are Loaded . . . . . . . . . . . . . 9-6
Objective 4 Understand the sysfs File System . . . . . . . . . . . . . . . . . . . . . . 9-7
Objective 5 Understand How the SLES 9 Hotplug System Works. . . . . . . 9-9
Objective 6 Understand the hwup Command . . . . . . . . . . . . . . . . . . . . . . 9-13
Exercise 9-1: Trace How a Network Adapter Is
Set Up With hwup and ifup . . . . . . . . . . . . . . . . . . . . . . 9-16
Part I: Boot the System with Hot- and
Coldplug Disabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Part II: Use hwup to Load a Driver Module . . . . . . . . . . 9-17
Part III: Use ifup to Set Up the Network Interface . . . . . 9-18
Objective 7 Add New Hardware to a SLES 9 System . . . . . . . . . . . . . . . 9-20
Add a New Drive to the System . . . . . . . . . . . . . . . . . . . . . . 9-20
Replace a Graphics Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Add a New Network Adapter . . . . . . . . . . . . . . . . . . . . . 9-22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
Introduction
Course Objectives
This course teaches you how to perform the following SUSE
LINUX advanced administration tasks for SLES 9:
1. Install SLES 9 with a custom partitioning
2. Configure the network manually
3. Configure network services
4. Secure a SLES 9 server
5. Manage backup and recovery
6. Create shell scripts
7. Compile software from source
8. Perform a health check and performance tuning
9. Manage hardware and component changes
The final day of class is reserved for a “Live Fire” exercise that tests
your advanced SLES 9 administration skills and prepares you to
take the Novell CLP Practicum.
Audience
While the primary audience for this course is the current Novell
CNESM who has completed courses 3036 and 3038 in the CLP
curriculum, Linux professionals and administrators with experience
in other operating systems can also use this course to help prepare
for the Novell CLP Practicum.
For more information about Novell certification programs and taking the
Novell CLP Practicum, see http://www.novell.com/education/certinfo.
You can obtain your free 30-day support and maintenance code at
http://www.novell.com/products/linuxenterpriseserver/eval.html.
You will need to have or create a Novell login account to access the 30-day
evaluation.
■ http://support.novell.com/linux/
This is the home page for all Novell Linux support, and
includes links to support options such as the Knowledgebase,
downloads, and FAQs.
■ http://www.novell.com/coolsolutions
This Novell web site provides the latest implementation
guidelines and suggestions from Novell on a variety of
products, including SUSE LINUX.
Agenda
The following is the agenda for this 3-day course:
Day    Section                                                   Duration
Day 1  Introduction                                              00:30
       Section 1: Install SLES 9                                 03:30
       Section 2: Configure the Network Manually                 02:00
Day 2  Section 3: Configure Network Services                     04:00
       Section 4: Secure a SLES 9 Server                         02:00
Day 3  Section 4: Secure a SLES 9 Server (cont.)                 01:00
       Section 5: Managing Backup and Recovery                   01:00
       Section 6: Create Shell Scripts                           02:30
       Section 7: Compile Software from Source                   01:30
Day 4  Section 8: Perform a Health Check and Performance Tuning  03:00
       Section 9: Manage Hardware and Component Changes          02:00
Day 5  Live Fire Exercise                                        06:00
Scenario
The Digital Airlines management has made the decision to migrate
several back-end services to Linux servers running SLES 9. You
have already installed SLES 9 before and are familiar with
administering SLES 9 from YaST and from the command line.
You decide to set up a test server in the lab to enhance your skills in
these areas.
Exercise Conventions
When working through an exercise, you will see conventions that
indicate information you need to enter that is specific to your server.
For example, if the host name of your server is DA50, and you
see the following,
hostname.digitalairlines.com
you would enter
DA50.digitalairlines.com
■ 10.0.0.xx. This is the IP address that is assigned to your SLES 9
server.
For example, if your IP address is 10.0.0.50, and you see the
following
10.0.0.xx
you would enter
10.0.0.50
■ Select. The word select is used in exercise steps to indicate a
variety of actions including clicking a button on the interface
and selecting a menu item.
■ Enter and Type. The words enter and type have distinct
meanings.
The word enter means to type text in a field or at a command
line and press the Enter key when necessary. The word type
means to type text without pressing the Enter key.
If you are directed to type a value, make sure you do not press
the Enter key or you might activate a process that you are not
ready to start.
Objectives
1. Perform the SLES 9 Base Installation
2. Configure the SLES 9 Installation
3. Troubleshoot the Installation Process
Introduction
YaST presents an automatically generated installation proposal
during installation that you can accept to make installation simple
and quick.
Consult the manual shipped with your hardware for further information.
When your system has started from the installation CD, the
following appears:
You can use the arrow keys to select one of the following options:
■ Boot from Hard Disk. Boots the system installed on the hard
disk (the system normally booted when the machine is started).
This is the default option.
■ Installation. Starts the normal installation process. All modern
hardware functions are enabled.
■ Installation - ACPI Disabled. Starts the installation process
with ACPI (Advanced Configuration and Power Interface)
disabled. If the normal installation fails, the system hardware
might not support ACPI. In this case, you can use this option to
install without ACPI support.
Use the function keys, as indicated in the bar at the bottom of the
screen, to change a number of installation settings:
■ F1. Opens context-sensitive help for the currently selected
option of the boot screen.
■ F2. Select a graphical display mode (such as 640x480 or
1024x768) for the installation. You can select one of these or
select the text mode, which is useful if the graphical mode
causes display problems.
■ F3. Select an installation media type. Normally, you install from
the inserted installation disk, but in some cases you might want
to select another source, such as FTP or NFS.
■ F4. Select an installation language.
From the language dialog, select the language of your choice, and
then select Accept to continue to the next step.
In this dialog, YaST asks you for the installation mode. Select one
of the following options:
■ New installation. Performs a normal new installation of SLES
9. This is the default option.
■ Update an existing system. Updates a previously installed
SLES 8 installation.
■ Repair Installed System. Repairs a previously installed SLES
9 installation.
■ Boot installed system. Boots a previously installed Linux
installation.
■ Abort Installation. Terminates the installation process.
After you select New Installation, YaST analyzes the system and
creates an installation proposal. The proposal is displayed as shown
in the following:
The proposal displays all installation settings that are necessary for
a base installation. You can change these settings by selecting the
following headlines (headings):
■ System. Restarts the hardware detection process and displays a
list of all available hardware components. You can select single
components, view details, or save the list to a file.
■ Mode. Changes the installation mode.
■ Keyboard layout. Changes the keyboard layout. YaST selects
the keyboard layout according to your language settings.
Change the keyboard settings if you prefer a different layout.
Every hard disk has a partition table with space for four entries. An
entry in the partition table can correspond to a primary partition or
an extended partition. Only one extended partition entry is allowed.
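The four-entry partition table described above is a fixed binary structure in the first sector of the disk, so its rules (four slots, at most one extended entry, a boot signature at the end) can be checked mechanically. The following Python parser is an added example, not code from the Novell manual or from YaST; it reads a constructed 512-byte sector, lists the used slots, and rejects a table that breaks the one-extended-entry rule. The sample partition layout, the helper names (parse_mbr, size_mb, build_entry, sample_mbr) and the choice of partition type IDs are assumptions made for this example; the slot numbers correspond to the /dev/sdaN device names the partitioner shows, and the 500 MB root size matches the smallest guideline given later in this section.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# Partition type IDs that mark the (single) extended container entry
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
# Layout of one entry: status, CHS start (3 bytes, ignored), type,
# CHS end (3 bytes, ignored), LBA start, sector count; all little-endian
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty entries of an MBR partition table.

    Raises ValueError if the sector is not a plausible MBR: wrong size,
    missing 0x55AA signature, or more than one extended entry (the
    table has four slots, but only one may be an extended partition).
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "slot": slot + 1,               # matches /dev/sdaN numbering
            "bootable": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    if sum(1 for e in entries if e["extended"]) > 1:
        raise ValueError("more than one extended partition entry")
    return entries


def size_mb(entry: dict) -> int:
    """Partition size in MB (1 MB = 1024*1024 bytes, 512-byte sectors)."""
    return entry["sectors"] * SECTOR_SIZE // (1024 * 1024)


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte table entry (CHS fields left zero)."""
    return struct.pack(ENTRY_FORMAT, status, ptype, lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed sample sector (not from a real disk): bootable Linux
    root, swap, one extended container, one empty slot."""
    table = (
        build_entry(0x80, 0x83, 2048, 1024000)       # /dev/sda1: 500 MB Linux, bootable
        + build_entry(0x00, 0x82, 1026048, 2097152)  # /dev/sda2: 1 GB swap
        + build_entry(0x00, 0x05, 3123200, 4194304)  # /dev/sda3: 2 GB extended container
        + build_entry(0x00, 0x00, 0, 0)              # /dev/sda4: unused
    )
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


if __name__ == "__main__":
    for e in parse_mbr(sample_mbr()):
        kind = "extended" if e["extended"] else "primary"
        flag = "*" if e["bootable"] else " "
        print(f"{flag} /dev/sda{e['slot']}  type 0x{e['type']:02X}  "
              f"{kind:8s}  {size_mb(e)} MB")
```

Logical partitions inside the extended container are not in this table; they live in a chain of further boot records starting at the extended entry's LBA, which is why deleting the extended partition (as noted later in this section) removes all of them at once. On a real system the same 512 bytes can be read with dd from the disk device as root and fed to parse_mbr.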
The following guidelines help you determine the size of your root
partition:
■ 500 MB. This allows for a minimal installation with no
graphical interface. With this configuration, you can only use
console applications.
■ 700 MB. This allows for an installation with a minimum
graphical interface. This includes the X window system and a
few graphical applications.
■ 1.5 GB. This is the default installation proposed by YaST.
This configuration includes a modern desktop environment (such
as KDE or GNOME), and provides enough space for large
application suites (such as Netscape or Mozilla).
■ 2.5 GB. This allows for a full installation, including all
software packages shipped with SLES 9.
If your server hosts data (for example, as a web server or a file
server), you will probably need more space on the root partition.
When you start the YaST Expert Partitioner, the following appears:
In the top part of the dialog, YaST lists details of the current
partition setup. Depending on your previous choice, the list contains
the current physical disk setup or the partitioning proposal created
by YaST.
Most of the changes made with the YaST Expert Partitioner are not written
to disk until the installation process is started. You can always discard your
changes by selecting Back or you can restart the Expert Partitioner to make
more changes.
The following entries are displayed for every hard disk in your
system:
■ One entry for the hard disk itself, which has the corresponding
device name in the Device column (such as /dev/sda).
■ One entry for every partition on the hard disk with the
corresponding device name and the partition number in the
Device column (such as /dev/sda1).
If a hard disk is not partitioned yet, you see only the entry for the
hard disk itself.
You need enough space on your hard disk to create a new partition. You
learn later in this section how to delete existing partitions to free used disk
space.
■ Fstab Options. Select this option to edit the fstab entry for this
partition. The default setting should work in most cases.
■ Mount Point. Select the mount point of the new partition from
this drop-down list. You can also enter a mount point manually,
if it's not available in the list.
After entering the size, select OK to add the new extended partition
to the partition list.
Select a partition from the list and select Edit. You can edit only
primary and logical partitions with the Expert Partitioner. You
cannot edit extended partitions or the entry for the full hard disk.
Remember that you also delete all logical partitions when you delete
an extended partition.
If the selected partition is formatted with the FAT or NTFS file
system, do the following before resizing the partition:
■ FAT file system. To save time, first run Scan Disk and Defrag
to make sure the FAT partition is free of lost file fragments and
cross links and to move files to the beginning of the partition.
If you have optimized virtual memory settings for Windows so
that a contiguous swap file is used with the same initial
(minimum) and maximum size limit, disable them before
resizing and re-enable them after the resizing has been
completed.
If these virtual memory settings are enabled, the resizing might split
the swap file into many small parts scattered all over the FAT partition.
Also, the entire swap file would need to be moved during the resizing,
which makes the process rather slow.
■ NTFS file system. You must run Scan Disk and Defrag to
move the files to the beginning of the partition or the NTFS
partition cannot be resized.
To resize the partition, move the slider until enough unused disk
space is available for a new partition. When you select OK, the
partition size changes in the partition list.
Using LVM you can create logical volumes, which spread over
several physical disks and partitions. Do not confuse logical
volumes with physical, logical partitions in the extended partition of
a hard disk.
You can use a logical volume like a physical partition. You can
create a file system on the volume and mount it at a mount point of
your choice.
You can also use the YaST Expert Partitioner to create logical volumes
after installation. There are also command line tools for managing logical
volumes. We do not recommend that you use LVM for the root partition of
a system.
You can think of logical volume groups as logical hard disks and
logical volumes as partitions on those logical hard disks.
Before you can create a logical volume, you always need a logical
volume group.
If you are not sure which values to enter, use the default settings.
You can use the following options in this dialog to add physical
partitions to your logical volume group:
■ Volume Group. Select the volume group from the drop-down
list that you want to add partitions to.
■ Size. Displays the current size of the selected logical volume
group.
■ Remove Group. Deletes the currently selected volume group.
You can delete empty groups only.
■ Add Group. Add a logical volume group.
■ Partition List. Select the partition you want to add to the
volume group.
■ Add Volume. Add the selected partition to the volume group.
Add partitions to your logical volume group, and then select Next to
continue. The following appears:
You can use the following options in this dialog to create logical
volumes in your logical volume group:
■ Volume Group. Select the volume group from this drop-down
list that you want to create partitions in.
■ Space bar. Displays the available space of the selected volume
group.
■ Volume list. Displays physical partitions and logical volumes in
the system.
■ View all mount points. When you select this option, all
partitions and volumes that have entries in /etc/fstab are
displayed. Otherwise, only the volumes in the selected volume
group are displayed.
■ Add. Adds a new logical volume to the volume group. When
you select Add, the following appears:
When you are finished with the logical volume setup, select Next to
save the settings and return to the Expert Partitioner.
The EVMS setup is very similar to the LVM setup with the
exception that logical volume groups are called containers in
EVMS.
You combine hard disks according to RAID levels. Using YaST you
can set up RAID levels 0, 1, and 5 (RAID levels 2, 3, and 4 are not
available with software RAID):
■ RAID 0. This level improves the performance of your data
access. With RAID 0, 2 hard disks are pooled together. Disk
performance is very good, but the RAID system is vulnerable to
a single point of failure. If one of the 2 disks fails, the system is
destroyed and the data is lost.
■ RAID 1. This level provides enhanced security for your data
because the data is copied to both hard disks. This is also
known as hard disk mirroring. If one disk is destroyed, a copy
of its contents is available on the other disk.
■ RAID 5. RAID 5 is an optimized compromise between RAID 0
and RAID 1 in terms of performance and redundancy. The data
is distributed over the hard disks as with RAID 0, while one
partition saves a checksum of the written data.
If one hard disk fails, it must be replaced as soon as possible to
avoid the risk of losing data. If more than one hard disk fails at
the same time, the data on the disks is lost.
You can use a crypt file to securely store confidential data on your
computer.
To create a crypt file, start the YaST Partitioning Module after the
installation process has finished.
This dialog lists the current boot loader configuration settings with
3 columns for each setting:
■ Ch. Indicates whether an entry has been changed.
■ Option. Displays the boot loader option.
■ Value. Displays the value of the option.
You can use Edit Configuration Files to edit the configuration files
in a text editor. When you finish, save your changes by selecting
OK.
Use Time-out to define how many seconds the boot loader should
wait for keyboard input before the default system is booted. You can
specify a number of other options with Add. However, these options
require a thorough understanding of the boot loader and are not
covered here.
To let you set the root password during the installation process,
YaST displays the following dialog:
In the top part of the dialog, you can choose one of the following
options:
■ Skip Configuration. Skip the network configuration for now.
You can configure the network connection later in the installed
system.
■ Use Following Configuration. Use the network configuration
proposal displayed in the area below.
If you are not sure which settings to use, stay with the defaults
generated by YaST.
Confirm the network device setup and return to the network device
overview by selecting Next. Then save the network device setup
and return to the network configuration proposal by selecting
Finish.
YaST then asks you to test your connection to the Internet. Select
one of the following options:
■ Yes, Test Connection to the Internet. YaST tries to test the
Internet connection by downloading the latest release notes and
checking for available updates.
If you select this option, the results are displayed on the next
dialog.
■ No, Skip This Test. Skip the connection test. If you skip the
test, you can't update the system during installation.
You can also select Skip Update to perform the update later in the
installed system.
In the top part of the dialog, you can choose one of the following
options:
■ Skip Configuration. Skip this configuration step. You can
enable the services later in the installed system.
■ Use Following Configuration. Use the automatically
generated configuration displayed below this option or select
one of the following headlines to change the configuration:
■ CA Management. The purpose of a CA (certificate
authority) is to guarantee a trust relationship among all
network services that communicate with each other.
If you decide that you do not want to establish a CA, you
must secure server communications using SSL and TLS
separately for each individual service.
By default, a CA is created and enabled during the
installation.
■ LDAP Server. You can run an LDAP service on your host
to have a central facility managing a range of configuration
settings. Typically, an LDAP server handles user account
data, but with SLES 9, you can also use LDAP for mail,
DHCP, and DNS related data.
By default, an LDAP server is set up during installation. If
you decide not to use an LDAP server, the YaST mail
server module does not work because it depends on LDAP.
However, you can still set up a mail server on your system
using the Mail Transfer Agent module.
If you are not sure about the correct settings, keep the defaults
generated by YaST. You can change the configuration later in the
installed system.
Manage Users
If you are not sure which method to select, stay with LDAP, which
is the default for SLES 9.
From this dialog, you can set up your system as an NIS client with the
following options:
■ NIS client. Select whether the host has a fixed IP address or is
assigned an IP address by DHCP. If you select DHCP, you cannot
specify an NIS domain or an NIS server address manually,
because these are provided by the DHCP server.
If a static IP address is used, specify the NIS domain and the
NIS server manually.
To search for NIS servers broadcasting in the network, select
Find.
For each domain, select Edit to specify several server addresses
or enable the broadcast function on a per-domain basis.
From this dialog, you can configure your system as an LDAP client.
The default configuration uses the locally installed LDAP server.
If you are not sure how to configure the LDAP setting and you want
to use the locally installed LDAP server, keep the default settings.
You can use the following in this dialog to add local users to the
system (account information is stored in the files /etc/passwd and
/etc/shadow):
■ User Data. Enter the full user name, the login name, and the
password.
To provide effective security, a password should be 5-8
characters long. The maximum length for a password is 128
characters. However, if no special security modules are loaded,
only the first eight characters are used to discern the password.
Passwords are case-sensitive. Special characters are allowed,
but they might be hard to enter depending on the keyboard
layout. Other special characters (such as 7-bit ASCII) and
numbers 0-9 are allowed.
You can add other users later (after installation), but you should create at
least 1 user during installation so you don't have to work as the user root
after the system has been set up.
Configure Hardware
Next you configure the system hardware of the system from the
following:
You can also use the Change drop-down list to reset all settings to
the automatically generated configuration proposal.
You can skip the hardware configuration at this time and configure
your devices later in the installed system. However, if the settings of
the graphics card in the configuration proposal are not correct, you
should change them now to avoid problems during the first system
start.
If you select the headline Graphics Cards, YaST starts the SaX2
configuration tool to configure the graphics card settings. The
following appears:
In the left navigation bar, the following main items are displayed:
■ Display. Configure your monitor, graphics card, color depth,
resolution, and the position and size of the screen.
■ Input Devices. Configure the keyboard, mouse, touchscreen
monitor, and graphics tablet.
■ Multihead. Configure multiple screens.
■ AccessX. Configure AccessX to control the mouse pointer with
the keyboard.
The first 3 items have subitems that are displayed on the right side
of the dialog, or you can access them by selecting the + character in
front of every item.
If the installation does not detect your monitor, you can change the
monitor model.
Select Display on the left side of the dialog; then select Monitor on
the right side of the dialog. At the bottom of the dialog, change the
monitor settings by selecting Change Configuration.
■ Expert. You can change some expert settings like the Modeline
Algorithm or the Display size.
Select Finalize after making all changes. Confirm the next dialog
by selecting Test.
You can use this dialog to fine tune the X Server settings such as
changing the position and the size of the displayed area.
Do the following:
1. Turn on the computer.
2. Insert the SLES 9 CD 1 into the CD-ROM drive.
3. Reboot the computer by selecting the Reset button or
by pressing Ctrl+Alt+Del.
4. (Conditional) If your computer does not boot from the
CD-ROM drive, adjust the BIOS settings and reboot the
computer.
5. When the GRUB installation screen appears, select Installation
with the arrow keys and press Enter.
Do the following:
1. When YaST displays the Novell Software License
Agreement, select I Agree.
2. From the language selection dialog, select your language; then
select Accept.
Although you can select any available language, the exercises in this
manual are written for English US.
Do the following:
1. Change the partitioning settings by scrolling to and selecting
Partitioning.
2. Select Create custom partition setup; then select Next.
3. Select Custom partitioning -- for experts; then select Next.
7. Create a partition for the directory /srv (used in the Apache and
Samba server exercises):
a. Select the same hard disk you used for the swap and root
partitions; then select Create.
b. Select Primary partition; then select OK.
Leave the size settings as suggested by YaST. The last
partition will use the rest of the available hard disk space.
c. Make sure that the File system drop-down list is set to
Reiser.
d. From the Mount Point drop-down list, select /srv.
e. Add the /srv partition by selecting OK.
8. Confirm the partitioning setup and return to the installation
proposal by selecting Next.
Do the following:
1. From the installation proposal dialog, scroll to and select
Software.
2. Select Detailed selection.
3. In the list on the left side of the package selection dialog, select
C/C++ Compiler and Tools.
4. Return to the installation proposal by selecting Accept.
Do the following:
1. From the installation proposal, select Accept.
2. From the confirmation dialog, select Yes, install.
YaST asks you to change CDs during the installation process.
Do the following:
1. In the first field, enter novell.
2. In the second field, enter novell.
You are warned that the password is too simple.
3. Continue by selecting Yes.
You are warned that you are using only lowercase letters.
4. Continue by selecting Yes.
5. Continue by selecting Next.
Do the following:
1. Request the following information for your computer from your
instructor:
• IP address:
• Network mask:
• Host name:
• Domain name:
• Name server:
• Default gateway:
2. From the Network Configuration proposal, select Network
Interfaces.
Do the following:
1. From the Service Configuration dialog, accept the default
settings by selecting Next.
2. For the authentication method, select LDAP; then select Next.
3. Accept the defaults in the LDAP Client Configuration dialog
by selecting Next.
4. Add a user:
a. First Name: Geeko
b. Last Name: Novell
c. User Login: geeko
d. Password: N0v3ll (a zero, not an uppercase O)
e. Verify password: N0v3ll
5. Create the user by selecting Next.
Do the following:
1. From the Release Notes dialog, select Next.
2. Adjust the monitor settings:
a. Review the information displayed below the Graphics
Cards entry of the Hardware Configuration proposal.
Make sure that the monitor model, the resolution, and the
refresh rate are appropriate for your hardware.
b. (Conditional) If the settings are correct, select Next and
skip the following steps for monitor configuration and go to
Step 3.
c. If the automatically generated settings are not appropriate,
select Graphics Cards.
d. From the left side of the dialog, change the monitor model
by expanding Desktop; then select Monitor.
e. Select Change configuration.
f. From the next dialog, select Properties.
g. From the left side, select your vendor; from the right side,
select your model.
h. (Conditional) If your model is not in the list, select one of
the generic LCD or VESA entries. (You can also enter the
frequencies manually on the Frequencies page of the
dialog.)
i. Continue by selecting OK.
j. Select Finish.
k. Change the color and resolution settings by selecting
Color and Resolution on the left; then select Change
configuration.
l. From the next dialog, select Properties.
m. From the drop-down list, select your desired color
resolution.
n. From the Resolutions page, select your desired display
resolution (deselect all other resolutions).
o. Continue by selecting OK.
p. Select Finish.
q. Finish the monitor setup by selecting Finalize.
r. Test the new settings by selecting Test.
If the screen does not display properly, press
Ctrl+Alt+Backspace, then repeat the above steps to adjust
the selected settings.
s. Adjust Size and Position.
t. When you are finished, select Save; then select OK.
3. From the Hardware Configuration dialog, select Next.
4. Complete the installation process by selecting Finish.
Do the following:
2. From the KDE desktop, select the YaST icon; then enter a
password of novell and select OK.
3. From the YaST Control Center, select Network Services > NTP
Client.
6. Select Finish.
Do the following:
1. From the YaST Control Center, select Software > Online
Update.
The Welcome to YaST Online Update dialog appears.
2. From the Installation source drop-down list, select User-Defined
Location.
3. In the Location field, enter http://DA1/YOU.
4. Continue by selecting Next.
The YOU update dialog appears with all the patches available.
From this dialog you can filter the patch list view and select or
deselect the patches you want to install.
5. From YaST Online Update Patch list, make sure the Optional
patches (black) are deselected.
6. Make sure all the Security (red) and Recommended (blue)
patches are selected.
7. Continue by selecting Accept.
One or more warning messages appear.
8. For each warning message, select Install Patch.
YaST downloads and installs the patches.
9. When process is complete (or during the process), select
Remove Source Packages after Update.
10. When the patches have been installed, update the system
configuration by selecting Finish.
11. Reboot the X windows server by pressing Ctrl+Alt+Del; then
select Logout.
After rebooting, you are returned to the GUI login interface.
12. Select Menu > Shutdown.
13. Select Restart computer and enter a password of novell; then
select OK.
14. After the system reboots, log back in to the KDE desktop as
geeko with a password of N0v3ll.
(End of Exercise)
Summary
The following is the summary of the objectives.
Objective: 1) Perform the SLES 9 Base Installation
Summary: In the base installation, the hard disks are prepared and the
software packages are installed. The following tasks belong to the
base installation step:
■ Boot from the installation media
■ Select the language
■ Select the installation mode
■ Understand and change the installation proposal
■ Perform hard disk partitioning
■ Configure LVM devices
■ Change the software selection
■ Configure the boot loader
■ Launch the installation process
Objective: 2) Configure the SLES 9 Installation
Summary: In the configuration step, you customize and configure the
installed system. The following tasks belong to the configuration step:
■ Set the root password
■ Configure the network
■ Test the Internet connection
■ Perform the Online Update
■ Configure Network Services
■ Manage Users
■ Configure Hardware
■ Finalize the Installation Process
Objective: 3) Troubleshoot the Installation Process
Summary: SLES 9 has been installed and tested on many different
machines and hardware platforms. However, sometimes installation
problems can occur. The problems can be caused by the following
reasons:
■ The system is not configured to boot from the CD or DVD drive.
■ The CD or DVD drive is defective.
■ The installation CD or DVD is defective.
■ The system does not support newer hardware features (ACPI)
correctly.
■ There is no DHCP server in the network.
■ There is no route to the Internet.
■ You are using the wrong Proxy settings.
■ You are using the wrong X11 configuration.
Objectives
1. Understand Linux Network Terms
2. Set Up Network Devices with the ip Tool
3. Save Device Settings to a Configuration File
4. Set Up Routing with the ip Tool
5. Save Routing Settings to a Configuration File
6. Configure Host Name and Name Resolution
7. Test the Network Connection with Command Line Tools
Introduction
Although almost every step of a network configuration can be done
with YaST, it's sometimes useful to configure the network settings
manually. For testing and troubleshooting, it's much faster to
change the network setup from the command line.
You can enter /sbin/ip as a normal user to display the current network
setup only. To change the network setup, you have to be logged in as root.
IP Address Setup
IPv4 network.
You always have the entries for the loopback and sit devices.
Depending on your hardware setup, you might have more Ethernet
devices in the ip output.
The other information shows additional attributes set for this device,
such as the hardware address of the Ethernet adapter
(00:30:05:4b:98:85):
link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
If you are only interested in the device attributes and not in the IP
address setup, you can use the following command:
ip link show
You can use the option -s with the command ip to display additional
statistics information about the devices. The command looks like
the following:
ip -s link show eth0
By giving the device name at the end of the command line, the
output is limited to one specific device. This can also be used to
display the address setup or the device attributes.
You can also use the ip tool to change the network configuration by
performing the following tasks:
■ Assign an IP Address to a Device
■ Delete the IP Address from a Device
■ Change Device Attributes
Use the following command to verify that the address was deleted:
ip address show eth0
You can also change device attributes with the ip tool. The
following is the basic command to set device attributes:
ip link set <device> <attribute>
If the network devices are set up with YaST, one configuration file
is created for every device.
We recommended that you set up a device with YaST first and make
changes in the configuration file. Setting up a device from scratch is
a very complex task, because the hardware driver also needs to be
configured manually.
If you have more than one network adapter in your system, it might
be difficult to find the corresponding configuration file for a device.
You can use the command ip link show to display the hardware
address for each Ethernet device. Because the hardware address is
part of the file name, you can identify the right configuration file.
You can use the MTU option to specify a value for the MTU
(Maximum Transmission Unit). If you don't specify a value, the
default value is used. For an Ethernet device, the default value is
1500 bytes.
REMOTE_IPADDR=''
You need to set the value for the REMOTE_IPADDR option only
if you are setting up a point-to-point connection.
STARTMODE='onboot'
When the device is restarted, the new configuration is read from the
configuration file.
Because routing is a very complex topic, this objective only covers the
most common routing scenarios.
Every line represents an entry in the routing table. Each line in the
example is shown and explained below:
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
This line represents the route for the local network. All network
packets to a system in the same network are sent directly through
the device eth0.
This line shows a network route for the 169.254.0.0 network. Hosts
can use this network for address auto configuration.
This line is the entry for the default route. All network packets that
cannot be sent according to the previous entries of the routing table
are sent through the gateway defined in this entry.
The following are the most common tasks you do when adding a
route:
■ Set a Route to the Locally Connected Network
■ Set a Route to a Different Network
■ Set a Default Route
All packets for the network 149.44.171.0 are sent through the
gateway 10.0.0.100.
All packets sent to the network 149.44.171.0 with the network mask
255.255.255.0 are sent through the gateway 10.0.0.100 through the
device with the id eth-id-00:30:05:4b:98:85. The id is the same as
used for the device configuration file.
Default 10.0.0.8 - -
This entry represents a default route. All packets that are not
affected by the previous entries of the routing table are sent through
the gateway 10.0.0.8. It's not necessary to fill out the last 2 columns
of the line for a default route.
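The text above describes the ifcfg-eth-id-<mac> device file, the routes file and the ip commands each stands for. The shell script below is an added example, not code from the manual or from SUSE: it reads constructed copies of both files, resolves the device id through the hardware address in `ip link show` output as the text suggests, and prints the matching ip commands. The temporary directory, file contents and the `ip link show` sample are all constructed here.

```shell
# Added example (not from the Novell manual): render the sysconfig network files
# described above, ifcfg-eth-id-<mac> and routes, into the ip commands they stand
# for. All files and the `ip link show` sample are constructed for this demo.
WORK=$(mktemp -d)
# Constructed `ip link show` output with the MAC address used in the text.
cat > "$WORK/links" <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
EOF

# Constructed static device configuration in the YaST layout.
cat > "$WORK/ifcfg-eth-id-00:30:05:4b:98:85" <<'EOF'
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2/24'
MTU=''
REMOTE_IPADDR=''
EOF

# Constructed routes file: destination, gateway, netmask, device id.
cat > "$WORK/routes" <<'EOF'
149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85
default 10.0.0.8 - -
EOF

# Map a device id (eth-id-<mac>) to the kernel device name via `ip link show` on stdin.
id_to_dev() {
    awk -v mac="${1#eth-id-}" '
        /^[0-9]+:/ { dev = $2; sub(":", "", dev) }
        $1 == "link/ether" && $2 == mac { print dev; exit }'
}

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    prefix=0; oldifs=$IFS; IFS=.
    for octet in $1; do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;; 254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;; 248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;; 224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;; 128) prefix=$((prefix + 1)) ;;
            0) ;;
            *) IFS=$oldifs; echo "bad netmask: $1" >&2; return 1 ;;
        esac
    done
    IFS=$oldifs; echo "$prefix"
}

# Print the ip commands for one ifcfg file ($1); its device is found from the
# MAC in the file name via the `ip link show` sample in $2.
ifcfg_to_ip() {
    dev=$(id_to_dev "${1##*/ifcfg-}" < "$2")
    [ -n "$dev" ] || { echo "$1: no device with that MAC" >&2; return 1; }
    BOOTPROTO=''; IPADDR=''; MTU=''; REMOTE_IPADDR=''
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        key=${line%%=*}; val=${line#*=}
        val=${val#\'}; val=${val%\'}                # strip the single quotes
        case "$key" in
            BOOTPROTO) BOOTPROTO=$val ;; IPADDR) IPADDR=$val ;;
            MTU) MTU=$val ;;             REMOTE_IPADDR) REMOTE_IPADDR=$val ;;
        esac
    done < "$1"
    case "$BOOTPROTO" in
        static)
            [ -n "$IPADDR" ] || { echo "$1: static needs IPADDR" >&2; return 1; }
            addr="ip address add $IPADDR brd + dev $dev"
            # REMOTE_IPADDR is only set for a point-to-point connection
            if [ -n "$REMOTE_IPADDR" ]; then addr="$addr peer $REMOTE_IPADDR"; fi
            echo "$addr" ;;
        dhcp) echo "# $dev: address assigned by the DHCP client" ;;
        *) echo "$1: unknown BOOTPROTO '$BOOTPROTO'" >&2; return 1 ;;
    esac
    echo "ip link set $dev up mtu ${MTU:-1500}"      # 1500 is the Ethernet default
}

# Print the ip commands for each routes line in $1, resolving device ids via $2.
routes_to_ip() {
    while read -r dest gw mask devid; do
        case "$dest" in
            ''|\#*) continue ;;
            [Dd]efault) echo "ip route add default via $gw"; continue ;;
        esac
        target=$dest
        if [ "$mask" != - ] && [ "${dest#*/}" = "$dest" ]; then
            target="$dest/$(mask_to_prefix "$mask")" || return 1
        fi
        cmd="ip route add $target"
        if [ "$gw" != - ]; then cmd="$cmd via $gw"; fi
        if [ "$devid" != - ]; then
            dev=$(id_to_dev "$devid" < "$2")
            [ -n "$dev" ] || { echo "unknown device id $devid" >&2; return 1; }
            cmd="$cmd dev $dev"
        fi
        echo "$cmd"
    done < "$1"
}
ifcfg_to_ip "$WORK/ifcfg-eth-id-00:30:05:4b:98:85" "$WORK/links"
routes_to_ip "$WORK/routes" "$WORK/links"
```

Run it with sh; a static entry without IPADDR or a device id whose MAC is not in the link list makes the function fail instead of printing a half-built command.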
The file contains the fully qualified domain name of the system, in
this case, da2.digitalairlines.com.
The tool ping lets you check network connections in a simple way
between two hosts. If the ping command works, then both the
physical and logical connections are correctly set up between the 2
hosts.
You can also use the host name of the target system instead of an IP
address. The output of ping looks similar to the following:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=60 time=2.95 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=60 time=2.16 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=60 time=2.18 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=60 time=2.08 ms
Each line of the output represents a packet sent by ping. Ping keeps
sending packets until it's terminated by pressing Ctrl+C.
If you get an answer from the target system, you can be sure that the
basic network device setup and routing to the target host works.
The following table provides some options for ping you can use for
advanced troubleshooting:
Option          Description
-c count        The number of packets to be sent. After this number has been
                reached, ping is terminated.
-I device_addr  Specifies the network device to be used on a computer with
                several network devices.
-i seconds      Specifies the number of seconds to wait between individual
                packet shipments. The default setting is 1 second.
-f              (Flood ping) Packets are sent one after another at the same
                rate as the respective replies arrive. Only root can use this
                option. For normal users the minimum time is 200 milliseconds.
-l preload      Sends packets without waiting for a reply.
-n              Numerical output of the IP address. Addresses are not resolved
                to host names.
-t ttl          Sets the Time To Live for packets to be sent.
-w maxwait      Specifies a timeout in seconds before ping exits regardless of
                how many packets have been sent or received.
-b              Sends packets to the broadcast address of the network.
First, three datagrams with a TTL=1 are sent to the host, then three
packets with a TTL=2, and so on. The TTL of a datagram is reduced
by one every time it passes through a router.
It's also possible to use an IP address instead of the host name. The
output of traceroute looks similar to the following:
traceroute to pluto.example.com (192.168.2.1), 30 hops max, 40 byte packets
 1  sun.example.com (192.168.0.254)  0 ms  0 ms  0 ms
 2  antares.example.com (192.168.1.254)  14 ms  18 ms  14 ms
 3  pluto.example.com (192.168.2.1)  19 ms  *  26 ms
The first line of the output displays general information about the
traceroute call. Each of the lines that follow represents a router on
the way to the destination host. Every router is displayed with the
host name and IP address.
Do the following:
1. Make sure you are logged in to the KDE Desktop as geeko with
a password of N0v3ll.
2. Open a terminal window and su (switch user) to root.
3. Enter ip address show eth0.
4. Find the line starting with inet, and record the IP address with
the subnet mask displayed in that line:
10. Enter ls -al; then look for one of the following files (depending
on your hardware configuration):
■ hwcfg-id-ethernet_controller_address, or
■ hwcfg-bus-pci-ethernet_controller_address
11. Record the name of the file:
Do the following:
1. Start YaST and select Network Devices > Network Card.
2. In the lower part of the dialog, select Change.
3. Select the network device; then select Delete.
4. Select Finish.
Do the following:
1. In the terminal window enter the following command:
ip address add your_ip_address/24 brd + dev eth0
2. To activate the network device, enter ip link set eth0 up.
3. To set a route to the local network enter the following:
ip route add 10.0.0.0/24 dev eth0
4. To set the default route enter the following:
ip route add default via gateway_ip_address
5. Verify that the network connection is working again by entering
ping www.novell.com.
If you are having problems with the network interface, you might need
to delete the network card configuration with YaST, save the change,
and then re-configure the network card with YaST.
Do the following:
1. From the terminal window, change to the directory
/etc/sysconfig/network.
(End of Exercise)
Summary
The following is the summary of the objectives.
Objective: 1. Understand Linux Network Terms
Summary: The following terms are used for the Linux network
configuration:
■ Device
■ Interface
■ Link
■ Address
■ Broadcast
■ Route
Objective: 3. Save Device Settings to a Configuration File
Summary:
■ The configuration files for network devices are located in
/etc/sysconfig/network.
■ For Ethernet devices, the file names consist of ifcfg-eth-id- and
the hardware address of the device.
■ For a statically configured device, at least the following options
need to be set:
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2/24'
■ For devices configured with DHCP, the BOOTPROTO option needs
to be changed as follows:
BOOTPROTO='dhcp'
■ Configured devices can be enabled with ifup device_name and
disabled with ifdown device_name.
Objective: 5. Save Routing Settings to a Configuration File
Summary: The configuration for the routing table is located in the file
/etc/sysconfig/network/routes. Each line represents an entry of the
routing table and has the following columns:
■ Destination network address
■ Gateway address
■ Netmask
■ Device id
Default routes use default instead of the network address and do not
require a netmask or device id.
Objective: 6. Configure Host Name and Name Resolution
Summary: The host name is configured in the file /etc/HOSTNAME.
The name resolution is configured in the file /etc/resolv.conf. One
line specifies the search domain; the others list up to three available
name servers.
Objective: 7. Test the Network Connection with Command Line Tools
Summary: Two command line tools are available to test the network
connection:
■ ping (ping hostname). With ping you can test whether another host
is reachable in the network.
■ traceroute (traceroute hostname). With traceroute you can test the
routing in the network.
Objectives
1. Configure a DNS Server Using BIND
2. Deploy OpenLDAP on a SLES 9 Server
3. Configure an Apache Web Server
4. Configure a Samba Server as a File Server
Introduction
In this section you learn how to install and configure four of the
most popular Linux network services at the command line:
■ BIND
■ OpenLDAP
■ Apache
■ Samba
In the early days of the Internet, when there were relatively few
computers connected to each other, a file was maintained at the
Network Information Centre (NIC) of the Stanford Research
Institute in California that provided exactly this conversion.
.arpa was used as a TLD, while the ARPAnet transferred from host
files to DNS. All computers from the ARPAnet were later put into
the other TLDs. The .arpa TLD still has a special meaning which
will be explained later in this section.
These TLDs are also known as generic TLDs. Other TLDs for
individual countries were defined, such as .de for Germany, .uk for
the United Kingdom, and .ch for Switzerland.
For each domain there is one DNS server (or name server) defined
as being “in charge” of its domain. This server is known as the
master server, and it is the authority for this domain (providing
authoritative answers).
There are other DNS servers called slave servers for the domain
that distribute the load and serve as backups. Slave servers keep a
copy of the information on the master server and update this
information at regular intervals. This update is called zone transfer.
Assume that your DNS server wants to find the IP address of the
computer www.suse.de. To do this, the DNS server first makes a
request to one of the DNS servers of the root domain.
Each DNS server knows the authorities responsible for the TLDs.
The address for each authority required is passed onto the
requesting DNS server. For www.suse.de, this is a DNS server for
the TLD .de, that is, the computer dns2.denic.de.
Our DNS server then asks this for the authority for the domain
suse.de and as an answer is given the computer ns.suse.de.
The DNS servers for the root domain play a very important role in
name resolution. In order to alleviate the server load due to queries,
every DNS server stores the information received from other name
servers in its cache.
Before starting the DNS server, you have to make some basic
configuration changes. After finishing your configuration, you can
start the server using the following command:
rcnamed start
To have the DNS server start automatically at boot time, use the
following command:
insserv named
A caching-only DNS server does not manage its own databases but
merely accepts queries and forwards them to other DNS servers.
The supplied replies are saved in the cache.
The global options are defined in the options block at the beginning
of the file. The directory containing the database files (or zone files)
is listed. Normally, this is /var/lib/named/.
#
# forward resolution for localhost
#
zone "localhost" in {
    type master;
    file "localhost.zone";
};
#
# reverse resolution for localhost
#
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};
The zone entry for the root DNS servers contains a reference to a
file containing the addresses of the root DNS servers. This file
(root.hint) is generated in the directory /var/lib/named/ during the
installation of the package bind.
The 2 files for the resolution of localhost are also generated during
the installation. The structure of these files is explained later.
With these entries, queries that the DNS server receives are forwarded
directly to the responsible DNS servers. However, this resolution method
can be very slow. This problem can be solved by using forwarders.
The DNS server has the addresses of other DNS servers in case it
cannot resolve a host name itself. You might be able to use the DNS
servers of an Internet provider for this purpose, as they usually have
a lot of information in their cache.
You can define these DNS servers in the options block in the file
/etc/named.conf, as in the following:
options
{
    directory "/var/lib/named";
    forwarders
    {
        10.0.0.254;
    };
};
If these DNS servers cannot be reached, the queries are sent directly
to the root DNS servers.
You can adapt the configuration for the caching-only DNS server
for configuring a DNS server containing its own information files.
The global options are followed by definitions for the database files
(or zone files) for the domains this DNS server serves. At least 2
files are necessary for each domain:
■ A file for forward resolution (allocating an IP address to a
computer name)
■ A file for reverse resolution (allocating a computer name to an
IP address)
If several subnets belong to a domain, then one file for each of these
networks must be created for reverse resolution.
Each definition begins with the instruction zone (this is why the
database files are also known as zone files), followed by the name
of this zone.
For forward resolution, this is always the domain name. For reverse
resolution, the network prefix of the IP address must be given in
reverse order (10.0.0.0 becomes 0.0.10.) to which the suffix
in-addr.arpa is added (0.0.10.in-addr.arpa).
The text in curly brackets defines the type of DNS server this is for
the corresponding zone (here it is always the type master; other
types are introduced later).
Finally, there is the name of the file in which the entries for this
zone are located.
The entries for the Digital Airlines configuration look like the
following:
#
# forward resolution for the domain digitalairlines.com
#
zone "digitalairlines.com" in
{
    type master;
    file "master/digitalairlines.com.zone";
};
#
# reverse resolution for the network 10.0.0.0
#
zone "0.0.10.in-addr.arpa" in
{
    type master;
    file "master/10.0.0.zone";
};
The 2 files for the domain localhost and the file for the root DNS
servers are always included in the installation. You do not need to
change these files; however, you must create the files required for
the actual domain.
Individual entries must always start in the first column with the reference.
If an entry does not start in the first column, the reference is taken from the
previous entry.
After the SOA entry the name of the DNS server is listed (in this
example, da1.digitalairlines.com with a dot at the end).
Alternatively, you could write da1, and the domain name
digitalairlines.com would be added after the name.
Next comes the email address of the person who is responsible for
the administration of the DNS server. The “@” usually used in
email addresses must be replaced by a dot (so the email address in
this example is hostmaster.example.com). This is necessary
because @ has a special meaning as an abbreviation.
Slave servers use this number to detect if they need to copy this
zone file or not. If the serial number on the master server is greater
than that on the slave server, the file is copied.
■ The fourth entry defines for how long negative responses from
the DNS server are valid. Each requesting server stores
responses in its cache, even if a computer name could not be
resolved (in the example, this is 3H or 3 hours).
The name of the domain can be omitted at this point. Then the name
from the previous entry is taken (the SOA entry).
At the end of this file are the IP addresses that are allocated to
computer names. This is done with A (address) entries, as in the
following:
;
; Allocation of IP addresses to host names
;
da10 IN A 10.0.0.10
da12 IN A 10.0.0.12
da13 IN A 10.0.0.13
The file for reverse resolution contains similar entries as the file for
forward resolution. At the beginning of the file there is the
definition of a default TTL and an SOA entry.
$TTL 172800
;
; SOA entry
;
0.0.10.in-addr.arpa. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
    2004092601 ; serial number
    1D ; refresh (one day)
    2H ; retry (two hours)
    1W ; expiry time (one week)
    3H ; "negative" validity (three hours)
    )
;
; Entry for the name server
;
    IN NS da1.digitalairlines.com.
At the end of this file are the IP addresses that are allocated to
computer names, this time with the PTR (Pointer) entry, as in the
following:
;
; Allocation of host names to IP addresses
;
10 IN PTR da10.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
13 IN PTR da13.digitalairlines.com.
14 IN PTR da14.digitalairlines.com.
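As an added example (not part of the course material), the following Python script checks a forward zone and its reverse zone against each other, derives the in-addr.arpa zone name the way the text describes, and applies the serial-number rule a slave server uses before copying a zone. The zone contents embedded in it are constructed from the samples above; the wrap-around (RFC 1982) serial comparison is an assumption about BIND's behaviour and is marked as such in the comments.

```python
"""Forward/reverse zone consistency and slave transfer check (added example).

Parses the A records of a forward zone and the PTR records of an
in-addr.arpa zone, reports hosts that appear in only one of them, builds
the reverse zone name from a network, and decides whether a slave would
copy the zone based on the SOA serial numbers.
"""
import re

# Constructed sample zones, modelled on the digitalairlines.com files shown
# in the text (the reverse file lists da14, the forward file does not).
FORWARD_ZONE = """\
$TTL 172800
digitalairlines.com. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
    2004092601 ; serial number
    1D ; refresh (one day)
    2H ; retry (two hours)
    1W ; expiry time (one week)
    3H ; "negative" validity (three hours)
    )
    IN NS da1.digitalairlines.com.
da10 IN A 10.0.0.10
da12 IN A 10.0.0.12
da13 IN A 10.0.0.13
"""

REVERSE_ZONE = """\
0.0.10.in-addr.arpa. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
    2004092601 ; serial number
    1D
    2H
    1W
    3H
    )
    IN NS da1.digitalairlines.com.
10 IN PTR da10.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
13 IN PTR da13.digitalairlines.com.
14 IN PTR da14.digitalairlines.com.
"""

# owner [ttl] IN (A|PTR) value; the owner field is empty on indented lines
RECORD_RE = re.compile(r"^(\S*)[ \t]+(?:\d+[ \t]+)?IN[ \t]+(A|PTR)[ \t]+(\S+)",
                       re.MULTILINE)
SERIAL_RE = re.compile(r"IN\s+SOA\s+\S+\s+\S+\s*\(\s*(\d+)")


def strip_comments(zone_text):
    """Drop ';' comments so nothing inside them is mistaken for a record."""
    return "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())


def zone_serial(zone_text):
    """Return the serial number from the SOA record."""
    return int(SERIAL_RE.search(strip_comments(zone_text)).group(1))


def reverse_zone_name(network, prefix_len):
    """'10.0.0.0', 24 -> '0.0.10.in-addr.arpa' (octets reversed, as in the text)."""
    octets = network.split(".")[: prefix_len // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_a_records(zone_text, origin):
    """Return {fqdn: ip}. Owners without a trailing dot are relative to origin."""
    hosts = {}
    for owner, rtype, value in RECORD_RE.findall(strip_comments(zone_text)):
        if rtype == "A":
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
            hosts[fqdn] = value
    return hosts


def parse_ptr_records(zone_text, reverse_origin):
    """Return {ip: fqdn}; relative owners are the host part of the address."""
    labels = reverse_origin.rstrip(".").split(".")[:-2]  # drop in-addr.arpa
    prefix = ".".join(reversed(labels))
    ptrs = {}
    for owner, rtype, value in RECORD_RE.findall(strip_comments(zone_text)):
        if rtype == "PTR":
            ptrs[f"{prefix}.{owner}"] = value
    return ptrs


def check_consistency(hosts, ptrs):
    """List every A record without a matching PTR and every PTR without an A."""
    problems = []
    for fqdn, ip in sorted(hosts.items()):
        if ip not in ptrs:
            problems.append(f"no PTR for {fqdn} ({ip})")
        elif ptrs[ip] != fqdn:
            problems.append(f"PTR for {ip} is {ptrs[ip]}, expected {fqdn}")
    for ip, fqdn in sorted(ptrs.items()):
        if fqdn not in hosts:
            problems.append(f"PTR {ip} -> {fqdn} has no A record")
    return problems


def slave_needs_transfer(master_serial, slave_serial):
    """The rule from the text: copy when the master's serial is greater.
    Assumption: compare with RFC 1982 serial arithmetic, as BIND does, so a
    counter that wraps past 2**32 still counts as greater."""
    diff = (master_serial - slave_serial) % 2**32
    return 0 < diff < 2**31
```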
The following 2 files must exist for the local computer. These are
created automatically during installation and should not be
modified.
IN NS @
IN A 127.0.0.1
In this case, it is localhost, which is also used for the name of the
DNS server (this is why “@” appears many times in the file).
In this file, the abbreviation “@” is also used. But here the
computer name must be given explicitly with localhost (remember
the dot at the end):
$TTL 1W
@ IN SOA localhost. root.localhost. (
    42 ; serial (d. adams)
    2D ; refresh
    4H ; retry
    6W ; expiry
    1W ) ; minimum
    IN NS localhost.
1 IN PTR localhost.
If the mail server with the highest priority cannot be reached, the
mail server with the second highest priority is used. If several mail
servers have the same priority, then one of them is chosen at
random. An address entry must be made for each mail server.
The names of the mail servers for the domain (MX entry) cannot be alias
names, since some mail servers cannot handle this correctly.
The essential difference between the two types is that a slave server
receives copies of the zone files from the master server.
Modifications to the zone files are only made on the master server.
There might also be a zone definition for the root DNS server. But a
zone definition is only necessary if the slave server will forward
requests to other DNS servers.
The definitions for zones for which it should copy data from the
master server look like the following:
zone "digitalairlines.com" in
{
    type slave;
    file "slave/digitalairlines.com.zone";
    masters
    {
        10.0.0.254;
    };
};
The slave server gets data from the master server with the IP
address 10.0.0.254 and stores it in the directory
/var/lib/named/slave/. This directory is created when you install the
BIND package.
    IN NS da8.digitalairlines.com.
The relevant part for resolving host names looks like the following:
#
# /etc/nsswitch.conf
#
...
hosts: files dns
networks: files dns
...
Both entries shown here specify that the first attempt to resolve a
host name uses the file /etc/hosts. If this fails, a DNS server is
queried. The same applies to the resolution of network names, which
uses /etc/networks first.
host Command
The most important command line tool for querying a DNS server is
called host. The general syntax is as follows:
In this example, the host names of the DNS servers for the domain
novell.com are requested.
dig Command
Option  Meaning
nameserver  The IP address or name of the DNS server that should be queried. If not specified, dig checks all DNS servers listed in /etc/resolv.conf.
computer  The resource record to query about (such as a host name, an IP address, or a domain name).
type  The type of resource record to be returned, such as A (IP address), NS (DNS server), MX (mail exchanger), -x (pointer), or ANY (all information).
query_options  Defines how the query is done and how the results are displayed. Each query option starts with a plus sign (+).
The most important difference between host and dig is that dig does
not use the domain list from /etc/resolv.conf by default to expand
the host name. This means that the FQDN or IP address of the host
must be specified. If the domain list should be used, you need to use
the query option +search.
;; QUESTION SECTION:
;ripe.net. IN NS
;; ANSWER SECTION:
ripe.net. 158814 IN NS ns2.nic.fr.
ripe.net. 158814 IN NS sunic.sunet.se.
ripe.net. 158814 IN NS auth03.ns.uu.net.
ripe.net. 158814 IN NS munnari.oz.au.
ripe.net. 158814 IN NS ns.ripe.net.
;; ADDITIONAL SECTION:
ns.ripe.net. 171939 IN A 193.0.0.193
ns.ripe.net. 171939 IN AAAA 2001:610:240:0:53::193
ns2.nic.fr. 344302 IN A 192.93.0.4
ns2.nic.fr. 344302 IN AAAA 2001:660:3005:1::1:2
sunic.sunet.se. 172586 IN A 192.36.125.2
auth03.ns.uu.net. 170436 IN A 198.6.1.83
munnari.oz.au. 170107 IN A 128.250.22.2
munnari.oz.au. 170107 IN A 128.250.1.21
munnari.oz.au. 21410 IN AAAA 2001:388:c02:4000::1:21
Data about the query, such as the duration of the query (Query
time), the server that answered the query (SERVER), and the date
of the query (WHEN) are listed at the end of the output.
For more information about BIND and DNS, see DNS and BIND by Paul
Albitz and Cricket Liu and the BIND homepage at
http://www.isc.org/sw/bind/.
Do the following:
■ Part I: Install BIND
■ Part II: Configure a DNS Master Server
■ Part III: Configure the DNS Slave Server on the Second
Machine
This exercise requires extensive typing to create your DNS files. To save
you some time, the files digitalairlines.com.zone and 10.0.0.zone are
included on your 3038 Course CD in the directory /exercises/section_3.
3. From the YaST Control Center, select Software > Install and
Remove Software.
Decide which SLES 9 server will be the DNS master server, then do
the following only on the master server:
zone "0.0.10.in-addr.arpa" in {
    type master;
    file "master/10.0.0.zone";
};
digitalairlines.com. IN NS your_FQHN.
da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12
    IN NS your_FQHN.
10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
14. Switch to the first terminal window and start bind with the
following command:
rcnamed start
15. From the second terminal window, watch the log output of bind
for any messages such as Unknown RR type or file not found.
16. If any errors occur, try to fix them and restart bind.
17. From the first terminal window, start bind automatically when
the system is booted by entering the following:
insserv named
22. Verify that your DNS server works by entering the following
command:
host da10.digitalairlines.com
23. Add a new DNS record for the slave server in the file
/var/lib/named/master/digitalairlines.com.zone:
$TTL 172800
digitalairlines.com. IN NS your_FQHN.
digitalairlines.com. IN NS slave_FQHN.
da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12
24. Add a new DNS record for the slave server in the file
/var/lib/named/10.0.0.zone:
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN. root.digitalairlines.com. (
    serial_number
    1D
    2H
    1W
    3H
    )
    IN NS your_FQHN.
    IN NS slave_FQHN.
10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
};
zone "0.0.10.in-addr.arpa" in
{
    type slave;
    file "slave/10.0.0.zone";
    masters
    {
        master_server_ip_address;
    };
};
10. If any errors occur, try to fix them and restart bind.
11. Start bind automatically when the system boots by entering the
following:
insserv named
16. Verify whether or not your DNS server works by entering the
following:
host da10.digitalairlines.com
(End of Exercise)
The types are typically mnemonic strings, like "cn" for common
name, or "mail" for email addresses. The syntax of the values depends
on the attribute type.
For example, the entry for Tux Penguin in the example above has a
DN of uid=tux,ou=Management,dc=example,dc=com.
To create the tree structure, you use container objects, which can
contain other objects. The following is a list of these objects:
■ Root. The root of the directory tree
■ c. Countries
■ o. Organizations
■ ou. Organizational units
■ dc. Domain components
In this line you set the domain components “dc” according to your
domain name.
rootdn "cn=Manager,dc=example,dc=com"
This line sets the administrator of the LDAP server. You can
also configure the domain components in this line.
rootpw secret
This line specifies the password for the administrator. The default
password secret must be changed. For security reasons, the
password should be stored in an encrypted form. To create an
encrypted password, use the following command:
slappasswd -s <your_password>
After finishing the configuration, you can start the server with the
following command:
rcldap start
If you want to start the LDAP server automatically when the server
boots, use the following command:
insserv ldap
After you change the server configuration file, you change the client
configuration file ldap.conf. You have to add at least 2 lines:
host localhost
This line sets the default server that LDAP clients should connect
to.
base dc=suse,dc=de
LDIF files contain the information that should be included into the
directory service in a plain text format.
You can create a different file for each user you would like to add,
but you can also put multiple user records in one file. An LDIF file
contains the following entries:
■ dn. The distinguished name of the object you want to add.
■ objectclass. The object classes of the new entry.
■ attribute. An attribute of the entry. You normally add more
than one attribute at the same time.
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
Make sure that there are no empty spaces or tabs at the beginning or end of
a line.
The command to insert a data set that exists as an LDIF file looks
like the following:
ldapadd -x -D dn_of_the_administrator -W -f file.ldif
You need to use the -x option because you haven't configured SASL
authentication yet.
Use the option -D to specify the DN used to bind to the directory. This
should be the rootdn specified in the server configuration file.
After you have set up the basic tree structure (during or after
installation), you can add a user to the directory with an LDIF file
similar to the following:
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
givenName: Geeko
sn: Chameleon
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609
This example LDIF file creates a user based on the default LDAP
setup of SLES 9. The attributes are shown below with an
explanation of each:
uid: geeko
gidNumber: 100
This attribute sets the default group ID of the user. The value 100
belongs to the group users in a SLES 9 installation.
cn: Geeko Chameleon
homeDirectory: /home/geeko
This attribute sets the path to the home directory of the user.
loginShell: /bin/bash
This attribute sets the login shell of the user. The default for SLES
9 is /bin/bash.
shadowMax: 99999
This attribute sets the number of days before the password expires.
shadowWarning: 7
shadowInactive: -1
This attribute sets the number of days that a user can still log in
after the password expires. Set to -1 for an unlimited number of
days.
shadowMin: 0
This attribute sets the minimum number of days that need to pass
before a password can be changed.
shadowLastChange: 12609
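As an added example (not the course's own tooling), this Python checker applies the caution about leading and trailing blanks and the required-attribute rules of the posixAccount, shadowAccount and inetOrgPerson object classes to an LDIF file before it is handed to ldapadd. The LDIF samples inside it are constructed, and the dc=example,dc=com suffix is an assumption.

```python
"""Validate an LDIF file before handing it to ldapadd (added example).

Checks: no blank at the beginning or end of a line (the text's caution),
every record has a dn and at least one objectClass, and a user entry carries
the attributes its object classes require (MUST lists of RFC 2307 for
posixAccount/shadowAccount and of RFC 2798/2256 for inetOrgPerson).
"""

REQUIRED = {  # MUST attributes of the object classes used in the text
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
    "inetOrgPerson": {"cn", "sn"},  # inherited from person
}

# Constructed sample: the container and the user record from the text
# (suffix dc=example,dc=com assumed).
GOOD_LDIF = """\
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=geeko,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
givenName: Geeko
sn: Chameleon
homeDirectory: /home/geeko
loginShell: /bin/bash
"""

# Constructed faulty record: trailing blank after the dn, no homeDirectory,
# and a gidNumber that is not a number.
BAD_LDIF = "\n".join([
    "dn: uid=tux,ou=people,dc=example,dc=com ",
    "objectClass: posixAccount",
    "uid: tux",
    "uidNumber: 1011",
    "gidNumber: users",
    "cn: Tux Penguin",
]) + "\n"


def parse_ldif(text):
    """Split LDIF text into records ({attr: [values]}) and collect line problems."""
    records, problems, current = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip() == "":  # a blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        if raw != raw.strip():
            # ldapadd treats a leading blank as a line continuation and keeps a
            # trailing blank as part of the value, hence the caution in the text
            problems.append(f"line {lineno}: leading or trailing whitespace")
        line = raw.strip()
        if line.startswith("#"):  # comment, as ldapsearch emits them
            continue
        if ": " not in line:
            problems.append(f"line {lineno}: expected 'attribute: value'")
            continue
        attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records, problems


def check_record(record):
    """Return the problems of one parsed record."""
    problems = []
    if "dn" not in record:
        return ["record without dn"]
    dn = record["dn"][0]
    classes = record.get("objectClass", [])
    if not classes:
        problems.append(f"{dn}: no objectClass")
    for cls in sorted(set(classes)):
        for attr in sorted(REQUIRED.get(cls, set()) - set(record)):
            problems.append(f"{dn}: {cls} requires {attr}")
    for attr in ("uidNumber", "gidNumber"):
        for value in record.get(attr, []):
            if not value.isdigit():
                problems.append(f"{dn}: {attr} must be numeric, got {value!r}")
    return problems


def validate_ldif(text):
    """Return all problems found in an LDIF text; an empty list means clean."""
    records, problems = parse_ldif(text)
    for record in records:
        problems.extend(check_record(record))
    return problems
```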
You can use the command ldapsearch to read data from the LDAP
directory. The following command reads the entire tree:
ldapsearch -x
ldapsearch reads the search base for the query out of the
configuration file /etc/openldap/ldap.conf. The search base is the
entry in the directory where ldapsearch starts the recursive
search process.
If the file ldap.conf file does not exist, or if you want to use a
different search base, you can specify it with the -b option, as in the
following:
ldapsearch -x -b "dc=example,dc=com"
If you have a lot of data in your LDAP tree, you might want to limit
the output of ldapsearch to specific entries. You can do that by
adding a filter expression to the ldapsearch command, as in the
following:
ldapsearch -x "(uid=g*)"
ldapsearch displays the result in LDIF format. That means you can
transfer the data to another LDAP server by redirecting the data into
a file and loading it with ldapadd on a different machine.
In the following example, the uidNumber of the user tux has been
changed to 1011:
# geeko, people, suse.de
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1011
shadowLastChange: 12623
This is the default page that opens after you start GQ. At the top of
the page are the following text fields:
■ Search filter. In this field you enter the search filter for your
query. The syntax is the same as that used for ldapsearch.
■ LDAP server. Choose an LDAP server from the drop-down
list.
■ If you want to add an additional server, you need to open the
Preferences dialog by selecting File > Preferences. On the
Servers page, specify a new LDAP server by selecting New.
■ Search base. In this field you specify the search base for your
query. The syntax for the search base is the same as that used
for ldapsearch.
After you have entered all necessary data, start the query by
selecting Find.
The result of the query is displayed in a list below the input fields.
Double-click an entry to display detailed information.
On the left side of the page is a tree menu you can use to browse the
directory. By selecting the arrow symbol before an entry, you can
expand the tree structure.
You can display the details of an entry on the right side of the page
by selecting the entry in the tree menu.
On this page you can browse the schema definition available on the
LDAP server.
Part I: Install GQ
Do the following:
3. From the YaST Control Center, select Software > Install and
Remove Software.
Do the following:
5. Select Find.
7. Scroll down and verify that you cannot see the password entry
for geeko.
8. Select Close.
cn=Administrator,dc=digitalairlines,dc=com
16. Make sure that the search fields still contain the previously
entered query.
20. Make sure that you can see the password entry for the user
geeko.
Notice that access to the password is not granted to anonymous
users, but to the authenticated administrator.
Do the following:
3. Expand dc=digitalairlines,dc=com.
4. Expand people.
All users of the system are displayed. At the moment, this only
includes geeko.
5. Select geeko.
Do the following:
2. Save the file with the name tux.ldif in the directory /tmp.
3. From a terminal window (as root), add the user tux by entering
the following (all on one line):
ldapadd -x -D
"cn=Administrator,dc=digitalairlines,dc=com" -W -f
/tmp/tux.ldif
5. Create the home directory for the user tux by entering the
following:
cp -a /etc/skel/ /home/tux
(End of Exercise)
To run a basic Apache web server, you need to install the following
packages with YaST:
■ apache2. The basic web server software.
■ apache2-prefork. An additional Apache package that
influences the multiprocessing behavior of the web server.
■ apache2-example-pages. Sample HTML pages.
When you install the packages listed above, YaST prompts you to
also install one or more additional packages required by Apache.
Confirm the additional package installation by selecting OK to
resolve all dependencies of the Apache packages.
After installing the required software, you need to start the web
server. Do this as the root user by entering the following:
rcapache2 start
As with all services, enter the following to stop the web server:
rcapache2 stop
If you want the web server to start up at boot time, you need to enter
the following:
insserv apache2
If your network provides a DNS server, you can use the hostname
instead of the IP address.
virtual host setups. Learn more about virtual hosts later in this
section.
■ uid.conf. This configuration file sets the user and group id for
Apache. By default, Apache uses the user id wwwrun and the
group id www.
■ listen.conf. In this configuration file, you can specify the IP
addresses and TCP/IP ports Apache is listening to. By default,
Apache listens to all assigned interfaces on port 80.
■ server-tuning.conf. You can use this configuration file to fine
tune the performance of Apache. The default values should be
fine unless you are going to run a web server that has to handle
a lot of requests at the same time.
■ error.conf. In this file you configure the behavior of Apache
when a request cannot be performed correctly.
■ ssl-global.conf. Configure the connection encryption with SSL
in this configuration file.
In some cases it's not enough to reload Apache. You need to stop
and restart the web server by entering the following:
rcapache2 restart
If you are not sure that your changes use the correct syntax, you can
verify the syntax of the configuration files by entering the
following:
apache2ctl configtest
Directive  Meaning
DocumentRoot  Specifies the DocumentRoot of the web server.
<Directory "dir_name"> ... </Directory>  All directives used within this block apply only to the specified directory.
Options  With this directive additional options can be applied to logical blocks like directories.
AllowOverride  Determines whether other directives are allowed to be overwritten by a configuration found in a .htaccess file of a directory.
Alias "fakename" "realname"  Allows you to create an alias to a directory.
ScriptAlias  Allows you to create an alias to a directory containing scripts for dynamic content generation.
In most cases the default settings are suitable and don't need to be
changed.
To use the virtual host feature of Apache, you need to know the
following:
■ The Concept of Virtual Hosts
■ How to Configure a Virtual Host
With the default setup, the Apache server can be reached with a
browser using the following web addresses:
■ http://localhost (from the computer where the web server is
running)
■ http://IP_address_of_web_server
■ http://hostname_of_the_web_server
For all of these addresses, Apache serves the same files located in
the DocumentRoot directory.
To use this setup, you would need a dedicated computer for every
domain of the Internet. To avoid this, Apache lets you set up
multiple virtual web servers on one physical system. These virtual
web servers are called virtual hosts.
The physical system needs to have an entry in the DNS for every
virtual host of the Apache web server.
For every virtual host you need to create a configuration file in the
directory /etc/apache2/vhosts.d/. The name of the configuration file
must end with .conf.
Directive  Meaning
ServerAdmin  Enter the email address of the virtual host administrator here.
ServerName  Enter the hostname of the virtual host as it's configured in the DNS.
DocumentRoot  Set the DocumentRoot of the virtual host. The directory and the files in the directory must be readable by the user wwwrun.
ErrorLog  Enter a filename for the error log. The file must be writable for the user wwwrun.
CustomLog  Enter a filename for the general log file. The file must be writable for the user wwwrun.
ScriptAlias  Set the ScriptAlias to a directory of your choice. The directory must not be under the DocumentRoot of the virtual host. If you don't need scripts for dynamic content creation, delete this directive.
<Directory "script_dir">  If you set a ScriptAlias before, you have to adjust the settings for the script directory accordingly. If you are not using a script directory, delete this directory block.
<Directory "document_root">  You need to adjust the path name of this directory directive to the path of your DocumentRoot.
After customizing the template file, you need to reload the Apache
web server. You also need to make sure that the settings in DNS are
updated so that the hostname of your virtual host is resolved
correctly.
Normally Apache delivers data to all hosts in the network that can
reach the web server. Sometimes it can be useful to restrict access to
the content delivered by Apache.
Directive  Meaning
allow  IP addresses or networks listed after this directive are allowed to access the web server.
deny  IP addresses or networks listed after this directive are not allowed to access the web server.
order  This directive sets the order in which the allow and deny directives are evaluated.
<Directory /srv/www/htdocs>
This directive starts the directory block. The directives that follow
apply to the directory /srv/www/htdocs only.
Order deny,allow
The Order directive determines in which order the allow and deny
directives are evaluated. You have the following options:
■ Deny,Allow. The deny directives are evaluated before the allow
directives. Access is allowed by default. Any client who does
not match a deny directive or does match an allow directive is
allowed access to the server.
■ Allow,Deny. The allow directives are evaluated before the deny
directives. Access is denied by default. Any client who does not
match an allow directive or does match a deny directive is
denied access to the server.
■ Mutual-failure. Only those hosts that appear in the Allow list
and do not appear on the Deny list are granted access. This has
the same effect as Order Allow,Deny and is deprecated in favor
of that configuration.
Deny from all
■ A full IP address (such as 10.0.0.23).
■ A partial IP address. This option applies to IP addresses
starting with the given IP address fragment (such as 10.0.0).
■ A network/netmask pair. This option applies to IP addresses
matching to the given network/netmask pair (such as
10.0.0.0/255.255.255.0)
■ A network/nnn CIDR specification. This option applies to IP
addresses matching to the given CIDR expression (such as
10.0.0.0/24).
Allow from 10.0.0.0/24
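The interplay of Order, Allow from and Deny from is easy to get backwards, so here is an added Python model (not Apache's own code) that evaluates a directory block the way the rules above describe, for all the address forms the text lists. The directory block and the client addresses in it are constructed; the model covers only these three directives.

```python
"""Model of Apache 2.0 'Order', 'Allow from' and 'Deny from' (added example).

Lets you check what a directory block decides for a client address before
reloading the server. Address forms supported: all, full address, partial
address (leading octets), network/netmask and network/CIDR.
"""
import ipaddress

# Constructed block in the form the text builds up for /srv/www/htdocs.
INTRANET_BLOCK = """\
<Directory /srv/www/htdocs>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24
</Directory>
"""


def host_matches(spec, client_ip):
    """Does one 'from' specification cover the client address?"""
    client = ipaddress.IPv4Address(client_ip)
    if spec == "all":
        return True
    if "/" in spec:
        # network/netmask (10.0.0.0/255.255.255.0) or CIDR (10.0.0.0/24);
        # ipaddress accepts both notations
        return client in ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) == 4:
        return client == ipaddress.IPv4Address(spec)
    # partial address: compare whole leading octets, so "10.0" covers
    # 10.0.5.5 but not 100.0.5.5
    return client_ip.split(".")[: len(octets)] == octets


def evaluate(order, allow_specs, deny_specs, client_ip):
    """Return True if the client may access the directory.

    order is 'deny,allow', 'allow,deny' or 'mutual-failure' (case-insensitive),
    with the semantics given in the text for each."""
    allowed_by_rule = any(host_matches(s, client_ip) for s in allow_specs)
    denied_by_rule = any(host_matches(s, client_ip) for s in deny_specs)
    order = order.lower()
    if order == "deny,allow":
        # access allowed by default: refused only when a Deny matches
        # and no Allow matches
        return allowed_by_rule or not denied_by_rule
    if order in ("allow,deny", "mutual-failure"):
        # access denied by default: granted only when an Allow matches
        # and no Deny matches
        return allowed_by_rule and not denied_by_rule
    raise ValueError(f"unknown Order value {order!r}")


def parse_directory_block(text):
    """Extract (order, allow_specs, deny_specs) from a <Directory> block.

    Apache's default Order is Deny,Allow when the directive is absent."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("<"):
            continue  # skip blank lines and the <Directory> tags
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1]
        elif directive == "allow" and parts[1:2] == ["from"]:
            allow.extend(parts[2:])
        elif directive == "deny" and parts[1:2] == ["from"]:
            deny.extend(parts[2:])
    return order, allow, deny


def client_allowed(block_text, client_ip):
    """Decision of a whole directory block for one client address."""
    order, allow, deny = parse_directory_block(block_text)
    return evaluate(order, allow, deny, client_ip)
```

Swapping the Order line while keeping the same Allow and Deny lines changes the result for addresses matched by both, which is the case the model makes visible.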
You can specify a different location for the password file, but you
have to make sure that it is readable for the user wwwrun and that it
is not located within the DocumentRoot of your server.
When you use a password file for the first time, you have to call
htpasswd2 with the -c option to create the file. If you want to add
more users later, use the following command:
htpasswd2 /etc/apache2/htpasswd <username>
After you have created the user accounts, you need to configure
Apache to prompt for a password when accessing restricted data.
You need to add the following lines to the directory block of the
directory that should be restricted:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require user tux
AuthType Basic
This directive sets the authentication method. For the type described
in this section, the value is Basic.
AuthName "Restricted Files"
With this directive, you have to choose a name for the restricted
directory of your web server. This name is used for the
authentication process between the browser and the web server.
AuthUserFile /etc/apache2/htpasswd
This directive sets the password file used for the restricted directory.
Require user tux
This directive lists the users of the password file who are allowed to
access the directory. You can add more than one user by separating
the user names with spaces, or you can admit every user in the
password file with the following directive:
Require valid-user
By default, the connection between the web browser and the web
server is not encrypted. Anyone who can listen to the network
packets exchanged between browser and server can read the
transferred information.
Apache can use the SSL (Secure Socket Layer) protocol to encrypt
the connection. To configure SSL encryption with an Apache
web server, you need to know the following:
■ The Basics of SSL Encryption
■ How to Create a Test Certificate
■ How to Configure Apache to Use SSL
■ The Limitations of the SSL Configuration
Public and private keys can also be used to sign data. In principle,
when data is signed, a checksum of the data is generated and
encrypted with the sender's private key; this encrypted checksum is
the signature.
2. The web browser asks the server for its public RSA key.
3. The web server sends the public key to the web browser.
4. The web browser verifies the key of the server with the public
key of the CA that signed the key.
5. If the key is valid, the web browser and web server establish a
secure connection.
You need an officially signed key to set up a secure web server. You
can sign a key by yourself, but this should only be done for test
purposes.
To set up a secure web server for test purposes, you can create a
certificate by yourself. You should never use such a certificate for a
production system.
To create a key pair, you need a file with as many random numbers
as possible. You can generate this file with the following command:
cat /dev/random > /tmp/random
During the process, you are prompted for the following information:
Enter pass phrase for /tmp/server.key:
Enter your state or province name. You can enter a period (.) to
leave this field blank.
Locality Name (eg, city) []:
Enter the name of your unit, or you can enter a period (.) to leave it
blank.
After you have answered all questions, the server certificate is saved
into the file server.crt.
After you have generated the RSA key pair and the server
certificate, you have to configure Apache to use SSL. First, you
need to change two settings in the file /etc/sysconfig/apache2.
The settings in this file apply to the Apache startup script and do not
belong to the server configuration.
This setting extends the start timeout of Apache so that you have
more time to enter the passphrase of the private RSA key.
APACHE_SERVER_FLAGS="SSL"
The additional server flag SSL defines the SSL variable when
evaluating the Apache configuration files. This enables some
directives that are necessary for SSL encryption.
For example, it lets Apache listen on port 443 instead of only to port
80.
You also need to change the server configuration files to enable SSL
by doing one of the following:
■ Configure the Main Server to Use SSL Encryption
■ Configure a Virtual Host to Use SSL Encryption
This directive sets the details of the encryption method. The line
displayed above is the default configuration that comes with
Apache.
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
After you make the described changes, you have to restart Apache.
Apache prompts you for the passphrase of the server key file.
You can also configure a virtual host instead of the main server to
use SSL. Place the directives described above in your virtual host
configuration and define your virtual host with a directive such as
the following:
<VirtualHost your_hostname:443>
Do the following:
1. From the KDE start menu, select System > YaST; then enter a
password of novell and select OK.
2. From the YaST Control Center, select Software > Install and
Remove Software.
6. Select Accept.
12. Open a web browser and access the virtual host by entering the
following:
http://accounting.da.com
The accounting intranet page is displayed.
Do the following:
1. From the terminal window (as root), create the file random by
entering the following:
head -c 1024 /dev/random > /tmp/random
Option Value
Country Name US
State or Province Name Utah
Locality Name Provo
Organization Name Digital Airlines
Organizational Unit Name Accounting
Common Name accounting.da.com
Email Address [email protected]
22. In the warning dialogs, select Continue and Forever to view the
web site. The browser warns because the certificate is self-signed
rather than issued by a CA it trusts; on a production system you
would install a CA-signed certificate instead of accepting the
warning.
(End of Exercise)
After the packages have been installed, you can start the two Samba
daemons with the following commands:
rcnmb start
rcsmb start
The Samba server is configured in the file /etc/samba/smb.conf. The
options in this file are grouped into different sections. Each
section starts with a keyword in square brackets.
The section for the general server configuration starts with the
keyword [global]. The following is an example of a basic global
section.
[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share
The entries of the global section in this example are shown and
described below:
workgroup = DigitalAirlines
This line sets the Windows workgroup of the Samba server (in this
case, DigitalAirlines).
netbios name = Fileserver
This line sets the name of the system in the NetBIOS name space
(in this case, Fileserver).
security = share
This line sets the security mode. With share, Samba does not
authenticate the user when the client connects; access to each share
is decided by the share's own settings, and a client may send a
password per share. This mode exists for compatibility with old
Windows clients and is the weakest choice. For anything other than a
purely public, read-only server, use security = user, which is
described later in this section.
You might need to configure additional settings for these options to work
correctly. For more information, see the man page of smb.conf.
After the global section, you need to add a section for the share of
your file server. The following example is the simplest way to set up
a share:
[data]
comment = Data
path = /export
read only = Yes
guest ok = Yes
The entries of the section in this example are shown and described
below:
[data]
This is the identifier for the share. The share can later be accessed
with the address \\Fileserver\data.
comment = Data
This option sets a description of the share that clients display in
their share listings.
path = /export
This option sets the path to the exported data on the local file
system. You have to make sure that the local user who needs to
access the files of this share has sufficient file system rights.
read only = Yes
If this option is set to yes, the client accessing the share is not
allowed to modify, delete or create any files.
guest ok = Yes
If this option is set to yes, the share can be accessed without a
password; Samba then performs the file operations as the guest
account (by default the user nobody). Combine it only with
read only = Yes, unless you really want anonymous users to write to
the share.
After you have created a smb.conf file, you should restart the
Samba server daemons.
Before you restart the daemons, you can test the syntax of the
Samba configuration file with the following command:
testparm
testparm prints the sections it found and then the parsed
configuration. If there are any errors in the file, they are
displayed grouped by configuration section; an unknown or misspelled
option name is reported here rather than only in the server log at
runtime.
With the tool nmblookup, you can resolve NetBIOS names into IP
addresses. In the following example, the IP address for the Samba
server with the NetBIOS name Fileserver is looked up:
nmblookup Fileserver
In the first line of its output, nmblookup states that it queries the
name with a broadcast to the address 10.0.0.255. In the second line,
it displays the result of the query, in this case, address 10.0.0.1
for the system with the NetBIOS name Fileserver.
If the system you are querying is not in the same subnet as yours, the name
cannot be resolved with a broadcast query. Instead, nmblookup has to
ask a WINS server: give its address with the option -U and add -R so
that the server is asked to resolve the name recursively.
With the smbclient tool, you can access SMB shares on the
network. It is also a very useful tool to test a Samba server
configuration: after you have set up a share, you can check its
availability with smbclient before any Windows client is involved.
With the option -L followed by the server name, smbclient lists the
shares a server offers; with an address of the form //server/share
it connects to a share and gives you an FTP-like command line.
In the example, smbclient connects to the server with the user name
tux (option -U) and prompts for the corresponding password.
You can also run commands such as ls or print directly from the
smbclient command line after you have connected to the server. The
-c option performs the given command automatically after the
connection to the server has been established.
The first task is to change the security option in the smb.conf file to
the following:
security = user
The value user for the option security forces user authentication
when the client attempts to connect to the server. Samba keeps its
own password database, because the SMB password hashes differ from
the hashes in /etc/shadow; every user who should be able to connect
needs an entry there in addition to the UNIX account.
The following example sets an SMB password for the user tux:
smbpasswd -a tux
The option valid users lists all users who are allowed to connect to
this share. User names have to be separated by commas. You can add an
entire UNIX group with the syntax @group_name. However, all the users
of the UNIX group need accounts in the smbpasswd file.
read only = no
This option makes the share writable by setting the read only option
to no.
valid users = @accounting
This line allows all users who are in the UNIX group accounting to
access the shared folder.
force user = tux
This line forces the Samba server to perform all file operations in
the shared folder as user tux. This ensures that all files in the shared
folder are readable and writable for every user who is allowed to
access the share. It also means that everyone on the share acts with
the full file system rights of tux, so never force a privileged
account such as root here.
force group = accounting
This line forces the Samba server to perform all file operations with
the group accounting.
In this example, you must name the share homes. If Samba finds a
share with this name in the configuration file, it is treated in a
special way.
If the user is found and the correct password is supplied, Samba
automatically creates a share for the home directory of the user.
valid users = %S
The %S macro sets the value of the valid users option to the name
of the requested share, which for a [homes] share is the login name
of the user. This restricts each home share to its owner.
read only = No
This makes the home directories writable for their owners.
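The share and authentication options in this section lend themselves to an automated check. The following added example (not from the course manual) audits an smb.conf for the settings a file server should not have: security = share, writable shares open to guests or to every Samba account, and force user = root. The smb.conf it runs against is constructed for the demonstration, using the share and user names from this section; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course manual): audit an smb.conf for the
# settings discussed above. The configuration below is constructed for the
# demonstration; the share and user names are the ones used on this page.

# Write a sample smb.conf to file $1.
sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = DigitalAirlines
   netbios name = Fileserver
   security = share

[data]
   comment = Data
   path = /export
   read only = Yes
   guest ok = Yes

[upload]
   path = /srv/samba/upload
   read only = No
   guest ok = Yes
   force user = root

[accounting]
   path = /srv/samba/accounting
   valid users = @accounting
   read only = No
   force user = tux
   force group = accounting

[homes]
   valid users = %S
   read only = No
EOF
}

# Print one line per finding for smb.conf $1; return 1 if anything was
# found, 0 if the file is clean. Option names and values are compared
# case-insensitively, as smbd does.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function opt(sec, key, def) { return ((sec, key) in val) ? val[sec, key] : def }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); sec = tolower(sec)
        order[++n] = sec; next
    }
    index($0, "=") > 0 {
        k = $0; sub(/=.*/, "", k); k = tolower(trim(k))
        v = $0; sub(/^[^=]*=/, "", v); v = tolower(trim(v))
        val[sec, k] = v; next
    }
    END {
        if (opt("global", "security", "user") == "share") {
            print "global: security = share skips user authentication; use security = user"; f++
        }
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            # "read only = yes" is the default; the writable synonyms override it
            writable = (opt(s, "read only", "yes") == "no" || opt(s, "writable", "no") == "yes" || opt(s, "writeable", "no") == "yes")
            if (writable && opt(s, "guest ok", "no") == "yes") {
                print s ": writable share with guest ok = yes allows anonymous writes"; f++
            }
            if (opt(s, "force user", "") == "root") {
                print s ": force user = root performs every file operation as root"; f++
            }
            if (writable && s != "homes" && opt(s, "valid users", "") == "") {
                print s ": writable share without valid users is open to every Samba account"; f++
            }
        }
        exit (f > 0)
    }' "$1"
}

# Stand-alone run: audit the sample and report.
tmp_conf=$(mktemp)
sample_smb_conf "$tmp_conf"
audit_smb_conf "$tmp_conf" || echo "smb.conf needs attention"
rm -f "$tmp_conf"
```

audit_smb_conf /etc/samba/smb.conf prints one line per finding and returns 1 if there are any, so it can run from cron next to testparm. It reads only the file it is given; sections pulled in with the include option are not followed.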
This section explained only the basic usage of Samba. Many more
features and configuration options are available to help you
customize Samba for your environment.
You can find more information about Samba and the possible
configurations from the following:
■ The samba-doc package in the directory
/usr/share/doc/packages/samba/
■ The man page of smb.conf
■ The Samba project site at http://www.samba.org/
In this exercise, you configure a file server with Samba by doing the
following:
■ Part I: Install Samba
■ Part II: Configure a Share for the User Geeko
■ Part III: Access the Share of the User Geeko With smbclient
■ Part IV: Mount Geeko's Share
Do the following:
[geeko-dir]
comment = Geeko Directory
path = /srv/samba/geeko
valid users = geeko
read only = no
This file is available on your 3038 Course CD in the directory
/exercises/section_3.
10. Add geeko to the file smbpasswd file by entering the following:
smbpasswd -a geeko
Part III: Access the Share of the User Geeko With smbclient
Do the following:
(End of Exercise)
Summary
The following is the summary of the objectives.
Objective Summary
1. Configure a DNS Server Using BIND
■ DNS translates host names into IP addresses.
■ DNS is a distributed database.
■ Under SLES 9 you can use the BIND software to set up your own DNS server.
■ A caching-only DNS server is not responsible for its own domain; it just forwards requests to other name servers and caches the result for later requests.
■ A master server is responsible for its domain. It also provides resource information to host entries like the IP address of the mail server.
■ DNS server information is stored in zone files.
■ A slave DNS server receives copies of the domain zone files from the master server. Using slave servers enhances the reliability of the DNS.
■ On a client, the name resolution is configured in the files /etc/resolv.conf and /etc/nsswitch.conf.
■ To query DNS from the command line, you can use the host and the dig commands.
2. Deploy OpenLDAP on a SLES 9 Server
■ Directory services are tree-like structured databases that contain entry-based information.
■ OpenLDAP is the most popular open source LDAP directory and is used for user authentication in SLES 9.
■ If you did not configure an OpenLDAP server during the installation, you need to install the following software packages:
■ openldap2
■ openldap2-client
■ The configuration of the OpenLDAP server is located in the file /etc/openldap/slapd.conf.
■ You can create passwords for the administrator entry of the configuration file with the command slappasswd.
■ The default configuration file for LDAP clients is /etc/openldap/ldap.conf.
■ Use ldapadd to insert data from LDIF files into the directory.
■ Make sure that LDIF files are UTF-8 encoded (that is what "conform to Unicode" means for LDAP).
■ Use ldapsearch to query information from the directory.
■ Use ldapmodify to change entries in the directory.
■ Use ldapdelete to delete directory entries.
■ You can use the graphical program GQ to browse and query the directory.
3. Configure an Apache Web Server
■ Apache is the leading web server software.
■ Apache delivers data to a web browser using the HTTP protocol.
■ For a basic web server, you need to install the following packages:
■ apache2
■ apache2-prefork
■ apache2-example-pages
■ The locally running web server can be accessed using the address http://localhost.
■ The default document root of the web server is /srv/www/htdocs.
■ The Apache configuration files are located in the directory /etc/apache2.
■ The options of the Apache configuration files are called directives.
■ You can check the syntax of the configuration file with the command apache2ctl configtest.
■ By configuring virtual hosts you can host multiple domains on one physical machine.
■ You need to create a configuration file in the directory /etc/apache2/vhosts.d/ for every virtual host.
■ You can limit the access to the Apache web server
■ On an IP address basis
■ Based on user authentication
■ To encrypt the connection between the browser and server, you can configure Apache to use SSL.
■ To run a production system under SSL, you need a certificate signed by a CA.
■ To access an SSL-enabled system, use an address starting with https://.
4. Configure a Samba Server as a File Server
■ Samba can be used to integrate a Linux system into a Windows environment.
■ Windows services are delivered using the SMB protocol.
■ The network protocol NetBIOS is used in a Windows environment.
■ NetBIOS creates its own name space independently from DNS.
■ An SMB share can be accessed with the address schema \\server_name\service_name.
■ Samba can be used for the following purposes:
■ As a file and print server
■ To access SMB shares
■ As a domain controller
■ The Samba server is configured in the file /etc/samba/smb.conf.
■ The Samba configuration file is structured in sections.
■ You can check the syntax of the configuration file with the command testparm.
■ Use nmblookup to resolve NetBIOS names to IP addresses.
■ Use smbclient to access shares from the command line.
■ Use mount -t smbfs to mount SMB shares into the Linux file system.
■ You can limit access to a Samba server with user authentication.
In this section, you learn how to create a general security policy and
how to secure a SLES 9 server against local attacks.
Objectives
1. Create a Security Concept
2. Limit Physical Access to Server Systems
3. Limit the Installed Software Packages
4. Understand the Linux User Authentication
5. Ensure File System Security
6. Use ACLs for Advanced Access Control
7. Configure Security Settings with YaST
8. Stay Informed About Security Issues
9. Apply Security Updates
Introduction
Given the number of press reports about attacks on computers, it is
not surprising that computer security is being taken more seriously.
After the introduction, you will learn details about local security.
Local security covers every threat that can be caused by users of the
local system.
This section does not cover topics that belong to the area of network
security. Topics such as firewalls and packet filtering are beyond the
scope of this course.
First, you must know what you are protecting your system from. A
security concept for a computer used by multiple users at different
times is different from a security concept for an environment in
which many different users use multiple computers at the same
time.
If users should not have access to certain resources, you can assign
different access rights. For example, you can determine which user
groups can use a resource or if the user groups can only access the
resource during a certain time period.
[Table: communication analysis matrix; columns Workstation, Web, ssh; example row for the Designer role with port 8080]
The security policy always also describes the current actual state of
security. For this, information is needed on who is required to do
what to achieve the desired security level.
The reasons given in the description of the actual state show that:
■ Members of the staff need to be told why they can no longer
patch their network connections themselves.
■ Administrators must be made available to patch the network
connections in the future.
The following table covers dial-up to and from the internal network:
The following tables cover other data security measures you should
consider:
The server room should be locked with a solid door, and only
system administrators should have access. The room should be
protected against fire and be equipped with an automatic fire
extinguishing system.
What can be done depends on the size of the company and on the
available financial resources. At the least, a separated locked room
for all servers is recommended.
The exact procedure for protecting the BIOS depends on the BIOS vendor
and version. For more details on this, please consult your vendor
documentation.
You can find the global section at the beginning of the configuration
file /boot/grub/menu.lst. The password needs to be placed into that
section as shown in the following example:
color white/blue black/light-gray
default 0
timeout 8
gfxmenu (hd0,5)/boot/message
password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1
The hash after --md5 is produced by the command grub-md5-crypt, so
the clear text password is never stored in the file. With the password
set, GRUB still boots the default entry without asking, but editing an
entry at the boot prompt (for example, adding init=/bin/sh to the
kernel line to obtain a root shell without a password) requires the
password first. Make sure menu.lst itself is readable by root only;
otherwise the hash can be copied and cracked offline.
You can use the the following command to check which services are
configured to start and their run levels:
chkconfig -l
After the service name, the configuration for all six default run
levels is displayed. On means the service is configured to be started
in the corresponding run level; off means the service will not be
started.
You can use the following command to remove a service from its
default run levels:
insserv -r <service_name>
Removing a service from the run level configuration does not stop an
already running daemon. A daemon that is already running needs to be
stopped manually or the system needs to be rebooted to start with the new
run-level configuration.
Login requires a user's login name and the password. The password
is not stored in clear text; instead a one-way hash of it is kept in
an authentication database (/etc/shadow on a standard system). At
login, the entered password is hashed in the same way and compared
with the stored hash. If the two hashes are identical, login grants
the user access to the system by starting the user's login shell.
Before PAM was introduced, login and all other applications that
handle authentication like FTP, SSH, or the KDM Display Manager
had to be extended to support a chip card reader.
PAM makes things easier. PAM creates a software level with clearly
defined interfaces between applications (such as login) and the
current authentication mechanism. Instead of modifying every
program, a new PAM module just needs to be added to enable
authentication with a chip card reader.
The configuration files for the individual applications are located
in the directory /etc/pam.d, one file per application (login, sshd,
and so on). There is one special configuration file with the name
other. This file contains the default configuration if no
application-specific file is found, so it should deny everything: a
permissive other file silently grants access to any program that has
no file of its own.
The following is the default configuration file for the login program
on SLES 9 (/etc/pam.d/login):
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
Each line names the module type (auth, account, password, or
session), a control flag, the module, and its arguments. With
required, a failing module makes the whole stack fail, but the
remaining modules are still run so that an attacker cannot tell from
the timing which one rejected the login; with requisite, the stack
fails immediately.
auth requisite pam_unix2.so nullok
This module checks the entered password against /etc/shadow. The
argument nullok allows accounts with an empty password field to log
in without a password; remove it on a server unless you need exactly
that.
auth required pam_securetty.so
This module checks the file /etc/securetty for a list of valid login
terminals. If a terminal is not listed in that file, the login is denied
from that terminal. This concerns only the root user.
auth required pam_nologin.so
This module denies login to every user except root while the file
/etc/nologin exists and shows the contents of that file as the reason.
auth required pam_env.so
This module sets environment variables from the file
/etc/security/pam_env.conf.
auth required pam_mail.so
This module displays a message if any new mail is in the user's mail
box. It also sets an environment variable pointing to the
user's mail directory.
account required pam_unix2.so
In this entry the pam_unix2.so module is used again, but in this case
it checks whether the password of the user is still valid or if the user
needs to create a new one.
password required pam_pwcheck.so nullok
This module checks a new password for quality (for example, length
and dictionary words) before it is accepted. The following
pam_unix2.so line then stores the new hash; use_first_pass and
use_authtok make it reuse the password that was already entered and
checked instead of asking for it again.
session required pam_limits.so
The pam_limits.so module sets resource limits for the users that can be
configured in the file /etc/security/limits.conf.
Third party vendors can supply other PAM modules to enable specific
authentication features for their products, such as the PAM modules that
enable Novell´s Linux User Management (LUM) authentication with
eDirectory.
Even the best security setup for a system can be defeated if users
choose easy to guess passwords. With today's computing power, a
simple computer can be used to crack an easy password within
seconds. Such attacks are called dictionary attacks when the
password cracking program tries one word after another from a
dictionary file, and brute-force attacks when it tries every
combination of characters up to a given length; with a captured
hash, both run offline and unnoticed.
You can also force users to change their passwords after a specific
period of time (the command chage sets the aging values of an
existing account; the YaST security module described below sets the
defaults).
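The password policy can be checked from the shadow file itself. The following added example (not from the course manual) audits a shadow-style file for the three weaknesses just discussed: an empty password field (which pam_unix2 accepts because of nullok), DES hashes that limit the password to 8 significant characters, and accounts whose password never expires. The shadow file it reads is constructed, with placeholder hash strings of the right shape rather than real hashes; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course manual): audit a shadow file for
# accounts that weaken the password policy discussed above. The sample
# file is constructed; the hash strings are placeholders of the right
# shape, not real hashes.

# Write the sample shadow file to $1 (quoted heredoc: the $ signs in the
# hashes must not be expanded by the shell).
sample_shadow() {
    cat > "$1" <<'EOF'
root:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345:12345:0:99999:7:::
geeko:$1$saltsalt$abcdefghijklmnopqrstuv:12345:1:90:7:::
tux:ab12CD34ef56G:12345:0:90:7:::
guest::12345:0:99999:7:::
bin:*:12345:0:99999::::
daemon:!:12345:0:99999::::
EOF
}

# Print one finding per line for shadow file $1 and return 1 if there
# were any, 0 otherwise. Fields: name:hash:lastchange:min:max:warn:...
audit_shadow() {
    awk -F: '
    $2 == ""       { print $1 ": empty password field; login without a password if nullok is set"; f++; next }
    $2 ~ /^[!*]/   { next }      # locked account, no interactive login possible
    {
        if ($2 ~ /^\$2a\$/)        scheme = "blowfish"
        else if ($2 ~ /^\$1\$/)    scheme = "md5"
        else if (length($2) == 13) scheme = "des"
        else                       scheme = "unknown"
        if (scheme == "des")
            { print $1 ": DES hash; only the first 8 characters count and it is fast to brute-force"; f++ }
        if ($5 == "" || $5 >= 99999)
            { print $1 ": no maximum password age; the password never has to be changed"; f++ }
    }
    END { exit (f > 0) }' "$1"
}

# Stand-alone run against the sample.
shadow_tmp=$(mktemp)
sample_shadow "$shadow_tmp"
audit_shadow "$shadow_tmp" || echo "password policy findings above"
rm -f "$shadow_tmp"
```

On a real system run audit_shadow /etc/shadow as root. chage -M 90 -W 7 user sets a maximum age and a warning period for one account, and a DES hash is replaced the next time the user changes the password after the hashing method has been switched.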
2. When the KDM login screen appears, log in with the following:
■ Username: root
■ Password: novell
Notice that you can log in as root without a root entry in the
login screen.
9. Log out and try to log in as root user at the KDM login screen
again.
14. Log out and try to log in as root at the KDM login screen again.
(End of Exercise)
The file systems used in Linux are structurally UNIX file systems.
They support the typical file access permissions (read, write,
execute, sticky bit, SUID, SGID, etc.). Apart from additional
standard functionalities, such as various time stamps, the access
permissions can be administered separately for file owners, user
groups, and the rest of the world (user, group, other).
Some device files (like those for sound cards) might also be
writable for users since applications need to send data to the
corresponding devices.
Some files in the system should be protected from user read access.
This is important for files that store passwords.
This list is not complete. There can be more password files on your system,
depending on your system configuration and your software selection.
In this case you have to make sure that only this daemon account
can read the file and not any other user.
There are three file system rights that influence the security in a
special way:
■ The SUID bit. If the SUID bit is set for an executable, the
program is started under the user ID of the owner of the file. In
most cases, this is used to allow normal users to run applications
with the rights of the root user (passwd, which has to write to
/etc/shadow, is the classic example).
This bit should only be set for applications that are well tested
and in cases where no other way can be used to grant access to
a specific task.
An attacker could get access to the root account by exploiting
an application that runs under the UID of root, so keep the list
of SUID programs short and compare it regularly with a known
baseline; a new SUID file is a typical trace of a compromise.
■ The SGID bit. If this bit is set, it lets a program run under the
GID of the group the executable file belongs to. It should be
used as carefully as the SUID bit. On a directory, the SGID bit
means that new files inherit the group of the directory instead of
the primary group of the creating user.
■ The sticky bit. The sticky bit can influence the security of a
system in a positive way. In a globally writable directory, it
prevents users from deleting each other's files that are stored in
these directories.
Typical application areas for the sticky bit include directories
for temporary storage (such as /tmp and /var/tmp). Such a
directory must be writable by all users of a system. However,
the write permission for a directory does not only include the
permission to create files and subdirectories, but also the
permission to delete these, regardless of whether the user has
access to these files and subdirectories.
If the sticky bit is set for such a writable directory, deleting or
renaming files in this directory is only possible for the owner of
the file, the owner of the directory, and root.
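As an added example (not from the course manual), the following script lists the SUID/SGID files below a directory, the world-writable directories without the sticky bit, and the SUID/SGID files that appeared since a saved baseline. The scratch tree and the file names it builds are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course manual): find the three special
# permission bits below a directory tree and compare the SUID/SGID list
# with a saved ba­seline. The scratch tree in the stand-alone run is
# constructed; nothing outside the temporary directory is touched.

# Print sorted paths of SUID or SGID regular files below $1
# (-xdev keeps find from descending into other mounted file systems).
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print world-writable directories below $1 that lack the sticky bit,
# where any user could delete or rename another user's files.
find_writable_nosticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Print SUID/SGID files below $1 that are not listed in the sorted
# baseline file $2 (for example, one written right after installation).
new_suid_since() {
    now=$(mktemp)
    find_suid_sgid "$1" > "$now"
    comm -13 "$2" "$now"
    rm -f "$now"
}

# Stand-alone run in a scratch tree: one SUID and one SGID binary, a
# correct /tmp-like directory, and a shared directory that is missing
# the sticky bit.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/tmp" "$demo_root/shared"
: > "$demo_root/bin/su";   chmod 4755 "$demo_root/bin/su"
: > "$demo_root/bin/wall"; chmod 2755 "$demo_root/bin/wall"
: > "$demo_root/bin/ls";   chmod 0755 "$demo_root/bin/ls"
chmod 1777 "$demo_root/tmp"
chmod 0777 "$demo_root/shared"
echo "SUID/SGID files:";           find_suid_sgid "$demo_root"
echo "world-writable, no sticky:"; find_writable_nosticky "$demo_root"
rm -rf "$demo_root"
```

On a real system, save find_suid_sgid / to a baseline file right after installation and run new_suid_since / against it from cron; every line it prints is either a package update or something to investigate.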
ACLs are a feature of the Linux kernel and are supported by the
ReiserFS, Ext2, Ext3, JFS, and XFS file systems. Using ACLs, you
can create complex scenarios without implementing complex
permission models on the application level.
The permissions defined in the entries owner and other are always
effective. Except for the mask entry, all other entries (named user,
owning group, and named group) can be either effective or masked.
This means that the entries for named user, owning group, and
named group are combined by a logical AND with the mask entry.
The ACL contains two entries, one for the named user jane and one
mask entry. Jane has permissions to read and execute the
corresponding file, but the mask only contains permissions for
reading and writing. Because of the AND combination, the effective
rights allow jane to read the file only.
The mapping between the classic permission bits and the ACL depends
on whether the file has an extended ACL. In both cases, the owner
class permissions are mapped to the ACL entry owner and the other
class permissions to the entry other. Without an extended ACL, the
group class bits are the permissions of the owning group; with an
extended ACL (one that contains named user, named group, or mask
entries), the group class bits shown by ls -l are the mask entry
instead. Consequently, chmod g-w on such a file changes the mask and
thereby limits every named user and group at once.
Any permissions not reflected here are either not in the ACL or are
not effective. Changes made to the permission bits are reflected by
the ACL and vice versa.
To manage the ACL settings, you can use the following command
line tools:
■ getfacl. The command getfacl can be used to display the ACL
of a file.
■ setfacl. The command setfacl can be used to change the ACL of
a file.
The following are the most important options for the setfacl
command:
Option Meaning
-m Adds or modifies an ACL entry.
-x Removes an ACL entry.
-d Combined with -m or -x, applies the change to the default ACL of a directory instead of its access ACL.
-k Removes the default ACL.
-b Removes all extended ACL entries.
-R Applies the change recursively to a directory tree.
For more information about umask, see the corresponding man page
man umask.
All system functions that create file system objects use a mode
parameter that defines the access permissions for the newly created
file system object.
If the parent directory does not have a default ACL, the permission
bits as defined by the umask are subtracted from the permissions as
passed by the mode parameter, with the result being assigned to the
new object.
If a default ACL exists for the parent directory, the permission bits
assigned to the new object correspond to the overlapping portion of
the permissions of the mode parameter and those that are defined in
the default ACL. The umask command is disregarded in this case.
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
getfacl returns both the access ACL and the default ACL. The
default ACL is formed by all lines that start with default.
Although you merely executed the setfacl command with an
entry for the jungle group for the default ACL, setfacl
automatically copied all other entries from the access ACL to
create a valid default ACL.
Default ACLs do not have an immediate effect on access
permissions. They only come into play when file system objects
are created. These new objects inherit permissions only from
the default ACL of their parent directory.
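The mask rule described above (named user, owning group, and named group entries are ANDed with the mask) can be reproduced from getfacl output alone. The following added example (not from the course manual) parses a constructed getfacl listing, prints the effective rights of every masked entry the way getfacl does with its #effective: comments, and shows which permission the group column of ls -l would display. The listing, the file name and the function names are the example's own; it needs neither setfacl nor a file system mounted with ACL support.

```shell
#!/bin/sh
# Added example (not from the course manual): compute the effective rights
# of each ACL entry from getfacl output the way the kernel applies the mask.
# The listing below is constructed after the jane/mask case described above.

sample_getfacl() {
    cat > "$1" <<'EOF'
# file: report.txt
# owner: tux
# group: project3
user::rw-
user:jane:r-x
group::r-x
group:jungle:rwx
mask::rw-
other::---
default:user::rwx
default:group::r-x
default:group:jungle:rwx
default:mask::r-x
default:other::---
EOF
}

# Print getfacl listing $1 with an "#effective:" note on every entry whose
# rights are reduced by the mask, plus the group class that ls -l shows.
effective_acl() {
    awk '
    # bitwise AND of two rwx strings, position by position
    function and_perm(p, m,   i, c, r) {
        r = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            r = r ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return r
    }
    /^#/ || /^$/ { next }
    {
        set = "access"; line = $0
        if (line ~ /^default:/) { set = "default"; sub(/^default:/, "", line) }
        split(line, f, ":")
        n++; s[n] = set; tag[n] = f[1]; qual[n] = f[2]; perm[n] = f[3]
        if (f[1] == "mask") mask[set] = f[3]
        if (f[1] == "group" && f[2] == "") owning[set] = f[3]
    }
    END {
        for (i = 1; i <= n; i++) {
            prefix = (s[i] == "default") ? "default:" : ""
            out = prefix tag[i] ":" qual[i] ":" perm[i]
            # owner, other and the mask itself are never masked
            if (tag[i] == "mask" || tag[i] == "other" || (tag[i] == "user" && qual[i] == "")) { print out; continue }
            key = s[i]
            m = (key in mask) ? mask[key] : "rwx"   # no mask entry: nothing is masked
            e = and_perm(perm[i], m)
            print out ((e != perm[i]) ? "  #effective:" e : "")
        }
        # with an extended ACL, ls -l shows the mask in the group column
        print "# group class in ls -l: " (("access" in mask) ? mask["access"] " (mask entry)" : owning["access"] " (owning group)")
    }' "$1"
}

demo_acl=$(mktemp)
sample_getfacl "$demo_acl"
effective_acl "$demo_acl"
rm -f "$demo_acl"
```

On a real file, save getfacl report.txt to a listing and run effective_acl on it. To make jane's execute right effective, widen the mask with setfacl -m m::rwx report.txt; chmod g+x does the same thing once an extended ACL exists.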
The basic file commands (cp, mv, ls, and so on) support ACLs, but
many editors and file managers (such as Konqueror) do not.
For example, when you copy files with Konqueror, the ACLs of
these files are lost. When you modify files with an editor, the ACLs
of files are sometimes preserved, sometimes not, depending on the
backup mode of the editor used.
If the editor writes the changes to the original file, the access ACL is
preserved. If the editor saves the updated contents to a new file that
is subsequently renamed to the old filename, the ACLs might be
lost, unless the editor supports ACLs.
Do the following:
10. Switch to the geeko terminal and try to access the directory
again by entering the following:
cd /tmp/acl_test
Because of the extended ACL, you can view the directory.
11. Switch to the root terminal and display the extended ACL of the
directory by entering the following:
getfacl /tmp/acl_test/
(End of Exercise)
With the module you can easily change the following settings of the
system configuration:
■ The password settings
■ The boot behavior of the system
■ The login behavior
■ The user ID limitations
■ General file system security
In the dialog you can choose between four different levels of local
security:
Level Meaning
Level 1 (Home Workstation) This option represents the lowest
level of local security. It should
only be used on a home
workstation that is not connected
to any kind of network.
Level 2 (Networked Workstation) This option provides an
intermediate level of local
security. It is suitable for
workstations that are connected
to a network.
Level 3 (Network Server) This option enables a high level
of local security. Systems that are
used as a network server should
be run with this setting.
Custom Settings This option lets you create your
own level of local security.
If you choose Custom Settings and then select Next, you can
directly change the details of the security configuration.
The dialogs for the detail settings look the same for every security
level, but the preselected options are different. In the following you
can see the settings for Level 3 (Network Server).
Option Meaning
Checks This option enables the checking of
newly created passwords. The
following two methods can be
enabled:
■ Checking New Passwords: New
passwords will be checked to see
if they can be found in a dictionary.
■ Plausibility Test For Passwords:
Passwords will be checked to see
if they contain a mixture of different
kind of characters (such as
lowercase and uppercase
characters).
For a server system, you should at
least enable Checking New
Passwords.
Password Encryption Method
You can choose between different password hashing methods. The
choice also sets the maximum effective length of a password: the
default method DES uses only the first 8 characters and silently
ignores the rest.
MD5 and blowfish support longer passwords but are not well supported
by older systems and applications (for example, NIS clients that
expect DES hashes).
DES hashes are also the fastest to compute and therefore the easiest
to crack by brute force. Unless you have to stay compatible with
such older systems, choose blowfish (or MD5); keep DES only where
compatibility demands it.
Number Of Significant Characters In The Password
This option corresponds to the previous one. You can only choose a
value higher than 8 if you have chosen a different hashing method
than DES. With MD5 or blowfish, set it high enough that long
passphrases are checked in full.
Minimum Acceptable Password Length
This value determines the minimum length of a password. The shorter a
password is, the easier it is to crack it.
A password should never be shorter than 6 characters; 8 or more is
advisable on a server.
Days To Password Change Warnings
The name of this option is a little bit misleading. There are two
values to be set:
■ Minimum: The number of days that must pass before a user may
change the password again; this keeps users from changing a
password several times in a row to return to the old one.
■ Maximum: The number of days after which a user must change the
password.
In this dialog you can configure how the system can be rebooted.
Option Meaning
Interpretation Of Ctrl+Alt+Del
This option determines how the key combination Ctrl+Alt+Del is
evaluated. You can choose between the following possibilities:
■ Ignore: The key combination is ignored; nothing happens.
■ Reboot: When the combination is pressed, the system reboots.
■ Halt: The system is halted when the key combination is pressed.
On a server you should always choose Ignore because otherwise
anyone with access to the console could halt or reboot the system
even without being logged in.
Shutdown Behavior Of KDM This option determines how the
system can be halted with the
graphical login manager KDM. You
have the following choices:
■ Only Root: To halt the system, the
root password has to be entered.
■ All users: Everyone, even
remotely connected users, can halt
the system using KDM.
■ Nobody: Nobody can halt the
system with KDM.
■ Local Users: Only locally
connected users can halt the
system with KDM.
■ Automatic: The system is halted
automatically after log out.
For a server system you should use
Only Root or Nobody to prevent
normal or even remote users from
halting the system.
In this dialog you can configure the login behavior of the system.
Option Meaning
Delay After Incorrect Login The value of this option determines
Attempts the number of seconds the next login
try will be delayed after a failed login
attempt.
This is useful to prevent attackers
from trying various passwords very
quickly.
The default value 3 is sufficient in
most cases.
Record Failed Login Attempts If this option is checked, failed login
attempts are logged.
This option should be enabled.
Record Successful Login If this option is checked, successful
Attempts login attempts are logged.
This option should also be enabled.
Allow Remote Graphical The display manager KDM lets you
Login. log in remotely to the X-Window
system.
If this option is selected, remote login
is allowed.
For a server system, you should not
enable this option unless it is needed
for purpose of the server (for
example, the system is a terminal
server.)
In this dialog you can adjust the Minimum and the Maximum value
for User and Group IDs. The default values should be acceptable
for most purposes.
Option Meaning
Setting Of File Permissions From this menu, you can choose
between three different presets for
file system permissions.
You have the following options:
■ Easy: Most configuration files are
readable for normal users.
■ Secure: Certain system files (like
/var/log/messages) can only be
viewed by root. Some programs
can only launched by root or by
daemons.
■ Paranoid: This is the preset with
the highest level of file system
security. Access rights are even
more restricted than with the
Secure setting.
The security settings for every preset
are read from configuration files
following the naming scheme
/etc/permissions.<level>.
For example, the configuration for the
Secure level is read from the file
/etc/permissions.secure
Each file contains a description of the
file syntax and purpose of the
preset.
You can also add your own rules to
the file /etc/permissions.local.
User Launching Updatedb This option determines under which
user ID the command updatedb is
executed by cron.
The updatedb program indexes all
files in the file system. The generated
database can be queried with the
locate command.
The choices of this option are:
■ nobody: The command is
launched under the user ID of the
system user nobody.
This way only files that are
accessible for the user nobody
are indexed.
■ root: The command is executed
under the user ID of the root user.
This way all files in the file system
can be indexed.
For security reasons you should use
the user nobody. This way no files
are indexed that should not be
accessible for normal users.
Current Directory In Root If this option is selected, the current
Path directory is added to the search path
of root.
This could lead to security problems
if an attacker places an executable
with a common name like ls into a
directory.
If root enters ls in that directory, the
executable of the attacker could be
launched instead of the normal ls
command.
Never select this option.
Current Directory In Path Of If this option is selected, the current
Regular Users directory is added to the search path
of normal users.
In a security sensitive environment,
this option should not be enabled.
Enable Magic SysRq Keys This option enables special key
combinations that give you some
control over the system even in the
case of a system crash.
This is useful for debugging purposes
but should be disabled on production
systems.
After confirming this dialog with Finish, the changes are saved and
applied to the system.
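The attack that the two "current directory in the path" options above warn about, as an added example that is not part of the course manual: a scratch directory holds a planted ls, and resolving the command with a PATH that starts with "." from that directory returns the planted file, while a PATH of absolute directories returns the real one. path_is_safe checks a PATH string for ".", relative and empty entries (an empty entry between two colons or at either end also means the current directory). Directory, file and function names are the example's own; nothing on the system is modified.

```shell
#!/bin/sh
# Added example (not from the course manual): show what "current directory
# in the search path" does. A planted "ls" in a directory root happens to
# cd into is picked over the real one as soon as "." precedes the system
# directories in PATH. Both ls stand-ins are constructed in a scratch
# directory; no real command is replaced.

# Print the absolute path that command $1 resolves to when PATH is $2 and
# the current directory is $3. Runs in a subshell so the caller's PATH
# and working directory are left alone.
resolve_cmd() {
    (
        cd "$3" || exit 1
        PATH=$2; export PATH
        p=$(command -v "$1") || exit 1
        case $p in
            /*) printf '%s\n' "$p" ;;
            *)  printf '%s/%s\n' "$PWD" "${p#./}" ;;   # relative hit from "."
        esac
    )
}

# Return 0 if PATH string $1 contains only absolute directories, 1 if it
# has ".", a relative entry, or an empty entry.
path_is_safe() {
    case $1 in :*|*:|*::*) return 1 ;; esac     # empty entry at an end or in the middle
    old_ifs=$IFS; IFS=:
    for d in $1; do
        case $d in /*) ;; *) IFS=$old_ifs; return 1 ;; esac
    done
    IFS=$old_ifs
    return 0
}

# Stand-alone run.
demo=$(mktemp -d)
mkdir "$demo/bin" "$demo/downloads"
printf '#!/bin/sh\necho "real ls"\n' > "$demo/bin/ls";             chmod 755 "$demo/bin/ls"
printf '#!/bin/sh\necho "planted ls"\n' > "$demo/downloads/ls";    chmod 755 "$demo/downloads/ls"
echo "PATH with .:    $(resolve_cmd ls ".:$demo/bin" "$demo/downloads")"
echo "PATH without .: $(resolve_cmd ls "$demo/bin" "$demo/downloads")"
path_is_safe "$PATH" && echo "current PATH is safe" || echo "current PATH contains a relative or empty entry"
rm -rf "$demo"
```

Run path_is_safe "$PATH" from root's login shell after changing the YaST setting to confirm that the dot is really gone; /etc/profile.d scripts and ~/.profile can add it back.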
Do the following:
1. From the KDE start menu, select Internet > Web Browser.
4. Scroll down to the bottom of that page and in the email address
field enter your email address.
(End of Exercise)
To access the update packages you need to enter a user name and a
password. To get these credentials, you need to create an account
for the SUSE support portal.
First you need to start the YOU module from the YaST Control
Center under Software > Online Update.
Select Next to start the update process. There are some additional
configuration options but the defaults are sufficient unless you want
to run your own YOU server.
In the next step, YOU asks you for your account at the SUSE
support portal. Enter your login name and password in the
following dialog:
On the top left side of the dialog all available patches are displayed.
Security relevant patches are indicated by red characters.
Summary
The following is the summary of the objectives.
Objective Summary
1. Create a Security Concept: The security of a system must always be seen in the context of the whole IT environment. We highly recommend that you create a security concept for the company.
The process of creating a security concept includes the following steps:
■ Understand the basics of a security concept.
■ Perform a communication analysis.
■ Analyze the protection requirements.
■ Analyze the current situation and necessary enhancements.
2. Limit Physical Access to Server Systems: If a server is not protected from unauthorized physical access, even the best software configuration cannot prevent someone from misusing a system.
To make the server as secure as possible, do the following:
■ Place the server in a separate and locked server room.
■ Secure the BIOS with a password.
■ Secure the GRUB boot loader with a password.
3. Limit the Installed Software Packages: You should install only those software packages that are needed to fulfill the purpose of a server. To set up a production system, minimize the software selections you install and add only packages that are definitely needed. It is important that no network services are installed that are not needed on a server.
4. Understand the Linux User Authentication: User authentication is the base for every kind of access control. The user authentication of a modern Linux system is based on PAM, the Pluggable Authentication Modules. PAM creates a software layer between the applications handling user authentication and the currently used authentication mechanism.
PAM is configured in the directory /etc/pam.d/. This directory contains a configuration file for every application that uses PAM. Every line of a configuration file enables a PAM module for the corresponding application.
Another important aspect of user authentication is the requirements for a secure password. A password should never be a word from a dictionary and should always contain some uppercase characters and numbers.
5. Ensure File System Security: The permission settings in the file system have an important meaning to the overall system security. You should always follow some basic rules about file system security:
■ A user should only have write access in the home and the /tmp directory.
■ Users should never have read access to configuration files that contain passwords.
■ The following special file permissions affect the security of a system: the SUID bit, the SGID bit, and the sticky bit.
6. Use ACLs for Advanced Access Control: ACLs extend the classic Linux file system permissions. They let you assign permissions to named users and named groups. ACLs also provide a mask entry, which basically limits the permissions of named users and named groups. The ACL entries are managed with getfacl and setfacl. Directories can have a default ACL that is inherited by newly created files or subdirectories.
7. Configure Security Settings with YaST: YaST offers a module that can be used to configure various security relevant system settings. The module can be found in the YaST Control Center under Security and Users > Security Settings.
You can change the following settings:
■ The password settings
■ The boot behavior
■ The login behavior
■ The user and group ID limitations
■ The file system security
8. Stay Informed About Security Issues: It is very important to be informed about the current security issues. The following resources can be used to gather security relevant information:
■ http://www.suse.de/en/business/security.html
■ http://www.suse.de/en/business/mailinglists.html
■ http://www.securityfocus.com/
9. Apply Security Updates: To get and apply security updates for SLES 9, you need to do the following:
■ Register SLES 9 at the SUSE support portal at http://portal.suse.com.
■ Download and apply updates with YOU, the YaST Online Update. The YOU module can be found in the YaST Control Center under Software > Online Update.
In this section, you learn how to develop a backup strategy and how
to use the backup tools shipped with SLES 9. You also learn about
possible problems you might encounter during the boot process and
how to configure the GRUB boot loader.
Objectives
1. Develop a Backup Strategy
2. Create Backup Files With tar
3. Work With Magnetic Tapes
4. Copy Data With the dd Command
5. Mirror Directories With the rsync Command
6. Automate Data Backups With the cron Service
7. Troubleshoot the Boot Process of a SLES 9 System
8. Configure and Install the GRUB Boot Loader
Introduction
Even the best security measures cannot guarantee that data will
never be lost. There is always the possibility that
■ A hard disk will fail, destroying data on the affected disk.
■ Users will delete files by accident.
■ A virus will delete important files on a desktop computer.
■ A notebook will be lost or destroyed.
■ An attacker will delete data on a server.
■ Natural influences like thunderstorms will destroy storage
systems.
In this section you learn how to develop a backup strategy and how
to use the standard UNIX backup tools tar, rsync, and dd.
You will learn about possible issues during the boot process and
how to configure the GRUB boot loader.
You must choose the right backup media for the amount of data to
be backed up and the backup method.
Tape drives are used most often because they still have the best
price-to-capacity ratio. Normally these are SCSI drives, so that all
kinds of tape drives can be accessed in the same way (such as DAT,
EXABYTE, and DLT). In addition, tapes can be reused.
The following are tasks you perform when backing up files with tar:
■ Create tar Archives
■ Unpack tar Archives
■ Exclude Files from Backup
■ Perform Incremental and Differential Backups
■ Use tar Command Line Options
Normally the data in the archive files is not compressed, but you
can enable compression with additional compression commands. If
archive files are compressed (usually with the command gzip), then
the extension of the filename is either .tar.gz or .tgz.
The tar command first expects an option, then the name of the
archive to be written (or the device file of a tape recorder), and the
name of the directory to be backed up. All directories and files
under this directory are also saved.
This writes all files in the archive to the current directory. Due to the
relative path specifications in the tar archive, the directory structure
of the archive is created here.
If you want to extract to another directory, this can be done with the
option -C, followed by the directory name.
If you want to extract just one file, you can specify the name of that file after the archive name, as in the following:
tar -xvf /test1/backup.tar /home/user1/.bashrc
If you want to exclude specific files from the backup, a list of these
files must be written in an exclude file, line by line, as in the
following:
/home/user1/.bashrc
/home/user2/Text*
In this example, the file /home/user1/.bashrc from user1 and all files
that begin with Text in the home directory of user2 will be excluded
from the backup.
This list is then passed to tar with the option -X, as in the following:
tar -cvf /dev/st0 /home -X exclude.files
The following are 2 methods you can use to accomplish the same
thing with tar:
■ Use a Snapshot File for Incremental Backups
■ Use the find Command to Search for Files to Back Up
Tar lets you use a snapshot file that contains information about the
last backup process. This file needs to be specified with the -g
option.
First, you need to make a full backup with a tar command, as in the
following:
tar -cz -g /backup/snapshot_file -f /backup/backup_full.tar.gz /home
The next time, you can perform an incremental backup with the
following command:
tar -cz -g /backup/snapshot_file -f /backup/backup_mon.tar.gz /home
In this example, tar uses the snapshot file to determine which files
or directories have changed since the last backup. Only changed
files are included in the new backup /backup/backup_mon.tar.gz.
You can also use the find command to find files that need to be
backed up as a differential backup.
In this example, all files (-type f) in the directory /home that are
newer than the file /backup/backup_mon.tar.gz are archived.
The options -print0 and --null ensure that files with spaces in their
names are also archived. The option -T determines that files piped
to stdin are included in the archive.
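As an added example (not part of the course text) that ties the snapshot-file method and the find-based method together: the functions below run a full backup with -g, an incremental backup against the same snapshot file, and a differential backup driven by find -newer ... -print0 piped into tar --null -T -. The directory tree, the archive names and the temporary work directory are constructed for the demonstration; a real run would write to a tape device such as /dev/st0 or to a dedicated backup volume instead.

```shell
#!/bin/bash
# Added example, not the course's own commands: full, incremental and
# differential backups of a small constructed directory tree with GNU tar.
# Everything lives under a temporary work directory made by make_sample_tree.

# Build a constructed "home" tree to back up and print the work directory.
make_sample_tree() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/home/user1" "$work/home/user2" "$work/backup"
    echo "alias ll='ls -l'" > "$work/home/user1/.bashrc"
    echo "report draft" > "$work/home/user2/Text report.txt"   # name with a space
    echo "notes" > "$work/home/user2/notes.txt"
    sleep 1   # let the file timestamps fall clearly before the first snapshot
    echo "$work"
}

# Full backup. -g writes the snapshot file that records what was saved;
# -C makes tar store the paths relative to the work directory.
full_backup() {   # $1 = work directory
    tar -cz -g "$1/backup/snapshot_file" -f "$1/backup/backup_full.tar.gz" \
        -C "$1" home
}

# Incremental backup: with the same snapshot file, tar stores only files
# changed since the previous run and then updates the snapshot.
incremental_backup() {   # $1 = work directory, $2 = archive name
    tar -cz -g "$1/backup/snapshot_file" -f "$1/backup/$2" -C "$1" home
}

# Differential backup with find: every regular file newer than a reference
# archive is fed to tar through -T on stdin. -print0 and --null keep names
# that contain spaces intact.
differential_backup() {   # $1 = work dir, $2 = reference archive, $3 = new archive
    (cd "$1" && find home -type f -newer "backup/$2" -print0 \
        | tar -cz --null -T - -f "backup/$3")
}

# Print the regular files stored in an archive, one per line, sorted.
archive_files() {   # $1 = archive path
    tar -tzf "$1" | grep -v '/$' | sort
}

# Run the whole sequence and show what each archive contains.
demo() {
    local work archive
    work=$(make_sample_tree)
    full_backup "$work"
    sleep 1                                               # changes must be newer than the snapshot
    echo "more notes" >> "$work/home/user2/notes.txt"   # changed file
    echo "todo" > "$work/home/user1/todo.txt"            # new file
    incremental_backup "$work" backup_mon.tar.gz
    sleep 1
    echo "later" > "$work/home/user2/later.txt"          # newer than backup_mon.tar.gz
    differential_backup "$work" backup_mon.tar.gz backup_diff.tar.gz
    for archive in backup_full backup_mon backup_diff; do
        echo "== $archive.tar.gz"
        archive_files "$work/backup/$archive.tar.gz"
    done
    rm -rf "$work"
}

demo
```

The incremental archive contains only notes.txt and todo.txt, and the differential archive only later.txt; the full archive holds all three original files.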
Option Meaning
-c Creates an archive.
-C Changes to the specified directory.
-d Compares files in the archive with those in the file system.
-f Uses the specified archive file or device.
-j Directly compresses or decompresses the tar archive using bzip2, a modern efficient compression program.
-r Appends files to an archive.
-u Only includes files in an archive that are newer than the version in the archive (update).
-v Displays the files that are being processed (verbose mode).
-x Extracts files from an archive.
-X Excludes files listed in a file.
-z Directly compresses or decompresses the tar archive using gzip.
For more information about tar, consult the man page for tar.
In this exercise, you copy backup files to the directory /tmp. This is only
done to demonstrate using backup methods. You should never make an
actual backup to the directory /tmp.
Do the following:
(End of Exercise)
Magnetic tape drives used under Linux are always SCSI devices
and can be accessed with the following device names:
■ /dev/st0. Refers to the first tape drive.
■ /dev/nst0. Addresses the same tape drive in the no rewind
mode. This means that after writing or reading, the tape remains
at that position and is not rewound back to the beginning.
You can query the status of the tape by entering the following
command:
mt -f /dev/st0 status
To position the tape at the beginning of the next file, use the
following command:
mt -f /dev/nst0 fsf 1
In this example, the command fsf forwards the tape by the given
number of files, and the tape will start before the first block of the
second file.
Now the file number is set to 1, and the final line of the output
contains EOF (end of file) instead of BOT (beginning of tape).
If you want the tape to be spooled back to the beginning after the
reading or writing process, enter the following command:
mt -f /dev/nst0 rewind
If you want to eject the tape from the drive, then enter the following
command:
mt -f /dev/nst0 offline
You can copy all kinds of data with this command, including entire
hard disk partitions. Exact copies of an installed system (or just
parts of it) can be created very simply.
Use the option if= (input file) to specify the file to be copied, and
the option of= (output file) to specify the name of the copy.
Copying files in this way is done using records. The standard size
for a record is 512 bytes. The output shown above indicates that 12
complete records of the standard size and an incomplete record (that
is, less than 512 bytes) were copied.
If the record size is now modified by the option bs=block size, then
the output will also be modified:
dd if=/etc/protocols of=protocols.old bs=1
6561+0 records in
6561+0 records out
You can also use dd to create a backup copy of the MBR (master
boot record), as in the following:
dd if=/dev/sda of=/tmp/mbr_copy bs=512 count=1
In this example, a copy of the MBR is created from the hard disk
/dev/sda and is written to the file /tmp/mbr_copy.
(End of Exercise)
When copying data, rsync compares the source and the target
directory and transfers only data that has changed or been created.
If you want to mirror the content of a directory and not the directory
itself, you can use a command such as the following:
rsync -a /home/. /shadow
By adding a /. to the end of the source directory, only the data under
/home is copied.
If you run the same command again, only files that have changed or
that are new will be transferred.
The option -a used in the examples puts rsync into archive mode.
Archive mode is a combination of various other options (namely
rlptgoD) and ensures that the characteristics of the copied files are
identical to the originals.
Option Description
-a Puts rsync into the archive mode.
-x Saves files on one file system only, which means that rsync does not follow symbolic links to other file systems.
-v Enables the verbose mode. Use verbose mode to output information about the transferred files and the progress of the copying process.
-z Compresses the data during the transfer. This is especially useful for remote synchronization.
--delete Deletes files that no longer exist in the original directory from the mirrored directory.
--exclude-from Does not back up files listed in an exclude file.
In this example, all files listed in the file /home/exclude are not
backed up. Empty lines or lines beginning with ; or # are ignored.
With rsync and SSH, you can log in to other systems and perform
data synchronization remotely over the network.
The following command copies the home directory of the user tux
to a backup server:
rsync -ave ssh root@DA1:/home/tux /backup/home/
In this example, the option -e specifies the remote shell (ssh) that
should be used for the transmission. The source directory is
specified by the expression root@DA1:/home/tux. This means that
rsync should log in to DA1 as root and transfer the directory
/home/tux.
rsync must be installed on both the source and the target computer.
Do the following:
6. Switch to the root terminal window and enter the same rsync
command again:
rsync -av /home/geeko /tmp/rsync_test
Notice that rsync transfers only the new file and the
corresponding directory.
(End of Exercise)
System jobs are controlled with the file /etc/crontab and the files in
the directory /etc/cron.d. They are defined with the scripts in the
directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and
/etc/cron.monthly.
Specifying which users can create cron jobs is done through the
files /var/spool/cron/allow and /var/spool/cron/deny, which are
evaluated in this order. If neither file exists, then only root can
define jobs.
In this exercise, you use cron for data backup by doing the
following:
(End of Exercise)
In all of these cases you must access the file system of the corrupted
system to detect and fix the problem.
The boot screen of the GRUB boot loader lets you pass parameters
that modify the Linux kernel before the kernel is actually loaded.
You can use this bash shell to access the file system and to fix a
misconfiguration.
The file systems are mounted read-only after booting into a shell. To
change configuration files, you need to remount the file system with the
following command:
You can use the SUSE LINUX installation media to boot a system
with a misconfigured boot loader. To boot the system, you need to
do the following:
1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the
system.
Make sure that the system boots from the drive.
2. Select Installation; then press Enter.
Wait until the installation program starts.
3. When YaST displays the language selection dialog, select
Accept.
4. In the next dialog, select Boot installed system; then select OK.
YaST analyzes the hard disk and displays all Linux root
partitions.
5. Select the root partition of the system you would like to boot;
then select Boot.
The selected system is now booted.
After the system has started, you can log in as root user and fix the
boot loader problem.
When this system is running, you can mount partitions from the
corrupted system and fix problems.
Now you can access the file system, fix any errors, or copy data to
another media.
title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd
The first entry (numbering from 0) is the default boot entry that
starts automatically if no other entry is selected with the keyboard.
timeout 8
This is the first entry in the boot menu. By default, this entry is
started.
kernel (hd0,0)/boot/vmlinuz
This entry describes the kernel location (in this example, the first
partition of the first hard disk).
Note the following regarding the designations for hard disks and
partitions:
■ GRUB does not distinguish between IDE and SCSI hard disks.
The hard disk that is recognized by the BIOS as the first hard
disk is designated as hd0, the second hard disk as hd1, and so
on.
■ The first partition on the first hard disk is called hd0,0, the
second partition hd0,1, and so on.
root=/dev/hda1
The root= option specifies the root partition of the system. This can
be followed by other kernel parameters.
initrd (hd0,0)/boot/initrd
This entry sets the location of the initial ramdisk (initrd). The initrd
contains hardware drivers that are needed before the kernel can
access the hard disk (such as a driver for the IDE or SCSI
controller).
This file is read only once when the boot loader is first installed.
Exercise 5-5: Boot to a Shell and Configure the GRUB Boot Loader
This exercise demonstrates booting from the Rescue System and editing
the GRUB configuration file for learning purposes, and does not
necessarily reflect what you might do in an emergency situation.
For example, you can boot the Rescue System and enter a 3 in the boot
options field to boot into runlevel 3 without editing the GRUB
configuration file.
Do the following:
4. When you have duplicated the entry, change the title of the
copy to the following:
title Linux-Runlevel 3
11. When the system boots to runlevel 3, log in as root; then
access the graphical login by entering init 5.
Summary
The following is the summary of the objectives.
Objective Summary
1. Develop a Backup Strategy: To develop a backup strategy, you need to complete the following steps:
■ Choose a backup method
■ Choose a backup media
There are 3 basic backup strategies:
■ Full backup. All data is backed up every day.
■ Incremental backup. Only the data that has been changed since the last incremental or full backup is saved every day.
■ Differential backup. Only the data that has been changed since the last full backup is saved every day.
Which method you use depends on the backup window. The backup window is the time period in which a system is not used and is available for a backup.
2. Create Backup Files With the tar Command: tar is a commonly-used tool for performing data backups under Linux. tar can write data directly to a backup media or to an archive file. Archive files normally end in .tar, or, if they are compressed, in .tar.gz or .tgz.
The following is the basic syntax to create a tar archive:
tar -cvf home.tar /home
To unpack a tar archive, use the following command:
tar -xvf /home.tar
If you want to use tar with gzip for compression, you need to add the option z to the tar command.
Archives can also be written directly to tape drives. In this case, the device name of the tape drive must be used instead of a filename. tar can also be used for incremental or differential backups.
3. Work with Magnetic Tapes: mt is the Linux standard tool to work with magnetic tapes.
Use the following command to query the status of the drive:
mt -f /dev/st0 status
The following command moves the tape to the beginning of the next file:
mt -f /dev/nst0 fsf 1
To rewind the tape by a certain number of files, use the bsf command.
To rewind the tape to the beginning, use the following:
mt -f /dev/nst0 rewind
The following command ejects the tape from the drive:
mt -f /dev/nst0 offline
4. Copy Data With the dd Command: With the command dd, files can be converted and copied byte-wise.
To copy a file, use the following command:
dd if=/etc/protocols of=protocols.org
To copy an entire partition into a file, use the following command:
dd if=/dev/sda1 of=boot.partition
5. Mirror Directories With the rsync service: The command rsync is used to synchronize the content of directories, locally or remotely over the network. rsync uses special algorithms to ensure that only those files are transferred that are new or have been changed since the last synchronization.
The basic command to synchronize the content of two local directories is the following:
rsync -a /home /shadow
To perform a remote synchronization, use a command like the following:
rsync -ave ssh root@DA1:/home/tux /backup/home/
6. Automate Data Backups with cron: Because backups are recurring tasks, they can be automated with the cron daemon. System jobs are controlled using the file /etc/crontab and the files in the directory /etc/cron.d. The jobs are defined by the scripts in the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly.
The following is an example of a job entry:
0 22 * * 5 /bin/backup
7. Troubleshoot the Boot Process of a SLES 9 System: A SLES 9 installation can be prevented from booting normally if
■ The system cannot boot due to a misconfigured boot loader.
■ The system cannot boot because of a file system corruption.
■ An init script malfunctioned and is blocking the boot process.
■ The system does not start correctly because of hardware changes.
When a system is not booting any more, you can do the following to access the file system of the corrupted system:
■ Boot a corrupted system directly into a shell.
■ Boot a corrupted system with the installation media.
■ Start and use the SLES 9 Rescue System.
8. Configure and Install the GRUB Boot Loader: The most important configuration file for GRUB is /boot/grub/menu.lst. The file contains a general section at the beginning and a section for every operating system. A section for a Linux operating system contains at least the following options:
title: This is the title of the system that is displayed in the boot menu.
kernel: This option specifies the location of the Linux kernel.
root: This option sets the root partition of the system.
initrd: This option points to the initrd file of the system.
In this section, you learn about the basic scripting elements and
structures of the shell programming language.
Objectives
1. Use Basic Script Elements
2. Use Variable Substitution Operators
3. Use Control Structures
4. Use Advanced Scripting Techniques
5. Learn About Useful Commands in Shell Scripts
Introduction
The Linux shell can control the system with commands and perform
file operations or start applications. You can also create a file that
includes several shell commands and start this file like an
application.
This type of file is called a shell script. The following are several
reasons why you need to understand and create shell scripts:
■ You can automate many daily tasks with shell scripts. In many
cases this increases speed and convenience in everyday work.
■ The boot procedure and many other system functions are
controlled by shell scripts. To understand and manipulate the
system behavior, you need a basic understanding of shell
programming.
■ Shell programming is relatively easy to learn compared to other
programming languages.
■ A shell script runs on almost every UNIX-like operating system
and does not need to be adapted to other platforms.
For this reason, this section focuses on the Bash shell, which is the
default shell in SLES 9.
You can find all these scripts on the 3038 Course CD in the
directory /exercises/section_6. By using these scripts as a template,
you can customize them to meet the needs of your production
environment.
In this objective, you learn the following about the basics of the
shell programming language and how to create simple shell scripts.
Before writing your first shell script, you should consider a few
points about scripting in general.
You can also run the script from another shell with a command such
as the following:
sh script.sh
A good way to deal with this is to create a bin directory for scripts
under each user's home directory. Then you can add this directory
to the user's search path by adding a line such as the following to
your ~/.bashrc:
export PATH=$PATH:~/bin
If you do not add the suffix, you need to make sure the filename is
not identical to existing commands. For example, a common
mistake is to name a script test.
Every script that you write should use this basic structure.
Do the following:
2. Find out the purpose of the \a, the \n and the -e options (try
accessing the man pages).
3. Compare your solution with the script at the end of the section.
(End of Exercise)
One way to create scripts that read user input is to use the read
command. The read command takes a variable as an argument and
stores the read input in the variable. The variable can then be used
to process the user input.
The following example reads user input into the variable with the
name VARIABLE:
read VARIABLE
The script pauses at this point, waiting for user input until the Enter
key is pressed. To tell the user to enter something, you need to print
(echo) a line with some information, such as the following:
echo "Please enter a value for the variable:"
read VARIABLE
First, the script produces some output with echo to ask the user to
enter something. Then the read command waits until the input is
provided and stores it in the variable VARIABLE. At the end, the
content of the variable is printed out with echo.
Do the following:
1. Create a simple shell script that prompts the user to enter her
first and last name, and then greets the user with her full name.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
In this part of the section, you learn how to use variables in shell
scripts.
The following flowchart and script show how a string value can be
assigned to a variable:
You want to read the user's first and last name and then print both
names to the screen. However, this time you create a variable called
NAME, which holds both the first and the last name.
This line shows how you can combine two variables, in this case,
FIRSTNAME and LASTNAME, and assign the combined value to
another variable, in this case, NAME.
In this example, you can also see another rule of the variable
handling in shell scripts. If you assign a value to a variable, you use
just the name of the variable, in this case, NAME=.
If you want to use the value of a variable, put a $ before the name,
in this case, $FIRSTNAME.
Do the following:
1. Modify your script from Exercise 6-2 so that it reads the user's
first and last name, combines both in one variable, and outputs
the variable.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
TODAY=`date +%m/%d/%Y`
echo "Today is $TODAY"
Do the following:
1. Create a shell script that outputs the current login name and the
current working directory.
The output of the commands whoami and pwd should be read
into variables with the variables printed to the screen.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
The Bourne shell is limited in this regard, but it can perform such
operations by relying on external commands (such as expr).
The following paragraphs list all the possible methods and formats
for arithmetic operations. All of them use this sample operation:
A=B+10
A=$[B + 10]
With the expr command, only the following five operators are
available: + , - , * , / , and %. Additional operators (which are
identical to those of the C programming language) can be used with
all of the above Bash formats.
Do the following:
5. Compare your solution with the script at the end of the section.
(End of Exercise)
They also allow you to set a default for a variable for situations
where no value can be assigned to it.
tux@DA1:~> VAR=
tux@DA1:~> echo ${VAR=value}
Do the following:
1. Write a script that asks the user for a filename, and then
performs a search for that filename using the command find.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
In this objective, you learn how to use control structures to make the
execution of parts of your script dependent on certain conditions or
to repeat script parts.
A branch of this type must begin with if and end with fi. Command1
is only executed if the condition is true.
In the above case, the separator is a new line. The separator could
also be a semicolon, which would allow you to enter the same if
statement as one command, as in the following:
if condition; then commands; fi
This script asks the user to enter his date of birth; if that happens to
be today, the script congratulates him on his birthday. It does
nothing if his birthday is another day.
The branch is the actual mechanism that compares the current date
and the date of birth.
You need to know the format in which the system obtains the
current date. The obvious choice to get a date string is with the
command date.
The command date +%m-%d returns the current date in the form
month-day, as in the following:
date +%m-%d
06-21
This format should also be used for the birth date the user is
requested to enter:
echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
read BIRTHDAY
Now you can compare the two values with the help of an if branch.
Most variables are compared using the test command. The test
command is followed by a string condition such as
test $VARIABLE1 = $VARIABLE2.
So the second part of the shell script could look like this:
if test "$BIRTHDAY" = "$TODAY"
then
echo "Tada! Happy birthday to you! Nice presents awaiting you ..."
else
echo "Sorry to disappoint you, no presents today ..."
fi
Finally, you want the script to use the exit command to finish with a
certain exit status, which depends on whether today is the user's
birthday. This is implemented by defining yet another variable, as in
the following:
if test "$BIRTHDAY" = "$TODAY"
then
echo "Tada! Happy birthday to you! Nice presents awaiting you ..."
STATUS=0
else
echo "Sorry to disappoint you, no presents today ..."
STATUS=1
fi
exit $STATUS
There are several ways to use the Bash shell to successively execute
several commands. This includes using the separators && and ||,
which make it possible to execute a second command depending on
the success or failure of the first, as in the following:
command1 && command2
command1 || command2
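An added example, not the course's own solution, that serves both the variable substitution operators above (the exercise that asks for a filename and searches with find) and the exit-status chaining with && and ||: find_file takes its search directory from ${2:-$HOME} and refuses to run without a name via ${1:?...}; the colon forms treat an empty value like an unset one, unlike the ${VAR=value} form shown earlier. The function names, the status codes and the sample tree are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the course: search for a file name with find,
# using variable substitution operators for defaults and required input,
# and an exit status that callers can chain with && and ||.

# Search $2 (default: the home directory) for files named $1; print matches.
# Exit status: 0 = found, 1 = nothing found, 2 = search directory missing.
find_file() {
    local name=${1:?"usage: find_file NAME [DIRECTORY]"}   # ${VAR:?msg}: abort when unset/empty
    local dir=${2:-$HOME}                                  # ${VAR:-default}: fallback value
    [ -d "$dir" ] || return 2
    local matches
    matches=$(find "$dir" -name "$name" 2>/dev/null)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Interactive form as asked for in the exercise: prompt, read, then search.
ask_and_find() {   # $1 = optional search directory
    local NAME
    echo "Please enter the name of the file to search for:"
    read NAME
    # ${VAR:+text} expands only when VAR has a value; an empty answer stops here.
    [ -n "${NAME:+x}" ] || { echo "No name given." >&2; return 2; }
    find_file "$NAME" "${1:-$HOME}" && echo "Found." || echo "Not found (status $?)."
}

# Demonstrate the exit status on a constructed tree.
demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/user1" "$work/user2/docs"
    : > "$work/user1/.bashrc"
    : > "$work/user2/docs/notes.txt"
    find_file notes.txt "$work" && echo "notes.txt exists"
    find_file missing.txt "$work" || echo "missing.txt not found, status $?"
    rm -rf "$work"
}

demo
```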
Do the following:
1. Write a shell script that checks for the existence of a given file,
and if the file is executable.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
You can create multiple branches with case. In a case statement, the
expression contained in a variable is compared with a number of
expressions, and a command is executed for each expression
matched.
read CREATURE
case "$CREATURE" in
dog | cat | mouse ) echo "A $CREATURE has 4 legs."
;;
bird | human | monkey ) echo "A $CREATURE has 2 legs."
;;
spider ) echo "A $CREATURE has 8 legs."
;;
fly ) echo "A $CREATURE has 6 legs."
;;
* ) echo "I haven't the faintest idea how many legs a(n) $CREATURE has."
;;
esac
exit 0
This script prompts the user to enter the name of an animal. The
name is then stored in a variable and compared with a number of
possible matches. For the matches found, the script tells the user
how many legs the animal has.
The case statement then compares this value against each of the
expressions provided as alternatives. For instance, if the user enters
cat, the script prints the matching sentence that says that this animal
has four legs.
case "$CREATURE" in
[dD]og | [cC]at | [mM]ouse )
...
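As an added example (not part of the course text), the case statement above is rewritten as a function that accepts either capitalisation of the first letter, as in the [dD]og fragment, prints the leg count on standard output and reports an unknown creature through exit status 1. The function and creature names are the ones used above; ask_legs is a hypothetical wrapper for interactive use.

```shell
# legs_of CREATURE: prints the number of legs, exit status 1 if unknown.
legs_of() {
    case "$1" in
        [dD]og | [cC]at | [mM]ouse)     echo 4 ;;
        [bB]ird | [hH]uman | [mM]onkey) echo 2 ;;
        [sS]pider)                      echo 8 ;;
        [fF]ly)                         echo 6 ;;
        "")  echo "usage: legs_of CREATURE" >&2; return 2 ;;
        *)   echo "I haven't the faintest idea how many legs a(n) $1 has." >&2
             return 1 ;;
    esac
}

# Interactive use mirrors the original script: read the name, look it up.
ask_legs() {
    printf 'Name an animal: '
    read CREATURE
    legs=$(legs_of "$CREATURE") && echo "A $CREATURE has $legs legs."
}
```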
Do the following:
3. Compare your solution with the script at the end of the section.
(End of Exercise)
A for loop executes the given commands once for every element on
the list, and the value of the variable matches one list element with
each loop iteration. The list itself is often created through command
substitution.
In the example above, the command separator is a line break and the
loop is started only after entering the final done.
If you want to use a range of numbers in your for loop, you can use
the following C-style syntax:
LIMIT=10
Do the following:
Hints:
2. Compare your solution with the script at the end of the section.
(End of Exercise)
This script writes a backup copy of all files ending with .mp3 to the
directory /MP3/ unless there is already a file with the same name in
that directory. If there is, the script prints a message stating that the
file already exists and exits from the current loop iteration.
Do the following:
1. Modify the script from Exercise 6-10 so that existing files in the
current directory are not overwritten.
Use continue to interrupt the iteration over the files in the
directory if a file with the target name already exists.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
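The backup loop described above, as an added example that is not the course's own script: a for loop over the *.mp3 files of a source directory, with continue skipping any file whose name already exists in the target directory so nothing is overwritten. The directory names are parameters (the course uses the fixed target /MP3/); the files in the demonstration are constructed in a temporary directory.

```shell
# backup_mp3 SRCDIR DSTDIR: copies SRCDIR/*.mp3 to DSTDIR, never overwriting.
backup_mp3() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2
    copied=0; skipped=0
    for file in "$src"/*.mp3; do
        [ -e "$file" ] || break          # the pattern matched nothing at all
        name=${file##*/}                 # strip the directory part
        if [ -e "$dst/$name" ]; then
            echo "$dst/$name already exists, skipping"
            skipped=$((skipped + 1))
            continue                     # leave this iteration, go on with the next file
        fi
        cp "$file" "$dst/$name" && copied=$((copied + 1))
    done
    echo "copied=$copied skipped=$skipped"
}

# Demonstration on constructed files; prints the final summary line.
demo_backup_mp3() {
    dir=$(mktemp -d) || return 2
    mkdir "$dir/src" "$dir/MP3"
    : > "$dir/src/a.mp3"; : > "$dir/src/b.mp3"; : > "$dir/src/notes.txt"
    : > "$dir/MP3/b.mp3"                 # b.mp3 is already backed up
    result=$(backup_mp3 "$dir/src" "$dir/MP3" | tail -n 1)
    rm -rf "$dir"
    echo "$result"
}
```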
Shell functions act like script modules because they make an entire
script section available with a single name. Shell functions are
normally defined at the beginning of a script. You can store several
functions in a file and include this file whenever the functions are
needed.
mcd () {
    mkdir "$1" && cd "$1"
}
pause () {
    echo "To continue, hit RETURN."
    read q
}
You can also create functions that stop their processing from within,
similar to exiting a loop (iteration) with the commands break and
continue.
Do the following:
yesno () {
    while true
    do
        echo "$*"
        echo "Please answer by entering (y)es or (n)o:"
        read ANSWER
        case "$ANSWER" in
            [yY] | [yY][eE][sS] )
                return 0
                ;;
            [nN] | [nN][oO] )
                return 1
                ;;
            * )
                echo "I cannot understand you over here."
                ;;
        esac
    done
}
2. Use the above yesno function to write a script that lets the
system administrator delete user accounts. The script should
prompt for the account to delete, and then ask whether the
user's home directory should also be deleted.
If the question is answered with no, the script should change
the user and group ownership of the corresponding home
directory to root.
After doing so, the script should use the yesno function again to
ask whether the administrator really wants to delete the account.
4. Compare your solution with the script at the end of the section.
(End of Exercise)
With the shell built-in command getopts, you can extract the options
supplied to a script on the command line. The shell interprets
command-line arguments as command options only if they are
prefixed with a - (the default when using the shell interactively).
echo $option_c
If the option -a or -b is used, the script prints out a message that the
corresponding option was used. If the option -c value is used, the
value is assigned to the variable option_c, which is printed to the
screen at the end of the script.
Do the following:
1. Modify the script from Exercise 6-12 so that it does not prompt
the user for input. Instead, the script should use the following
options:
■ -u username. This option determines the user which shall
be deleted.
■ -r. If this option is set, the home directory should be
removed. If this option is not set, the owner of the home
directory should be set to root.
3. Compare your solution with the script at the end of the section.
(End of Exercise)
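As an added example (not the course's solution), the option handling for the account-removal exercise with getopts: parse_deluser_opts fills DEL_USER and DEL_HOME from -u username and -r, and deluser_plan prints the commands that would follow, so that they can be reviewed (the course's yesno function fits at that point) before anything is run. Nothing here modifies the system; the home directory is passed in as a parameter rather than looked up, which is an assumption made so that the functions can be exercised without a real account.

```shell
# parse_deluser_opts -u USERNAME [-r]
# Sets DEL_USER and DEL_HOME (1 = remove the home directory, 0 = give it to root).
# Exit status: 0 ok, 1 missing/extra argument, 2 unknown option.
parse_deluser_opts() {
    DEL_USER=""
    DEL_HOME=0
    OPTIND=1                        # getopts keeps its position in OPTIND; start afresh
    while getopts "u:r" opt; do
        case "$opt" in
            u) DEL_USER=$OPTARG ;;
            r) DEL_HOME=1 ;;
            *) return 2 ;;          # getopts has already reported the unknown option
        esac
    done
    shift $((OPTIND - 1))           # drop the options, keep any remaining arguments
    [ -n "$DEL_USER" ] || { echo "usage: -u username [-r]" >&2; return 1; }
    [ "$#" -eq 0 ] || { echo "unexpected argument: $1" >&2; return 1; }
    return 0
}

# deluser_plan USER HOMEDIR REMOVE_HOME: prints the commands for the chosen mode.
# On a live system the home directory comes from: getent passwd "$user" | cut -d: -f6
deluser_plan() {
    user=$1; home=$2; remove_home=$3
    if [ "$remove_home" -eq 1 ]; then
        echo "userdel -r $user"
    else
        echo "chown root:root $home"
        echo "userdel $user"
    fi
}
```

The plan is printed rather than executed so that the administrator confirms it first; a script built on these functions would call `deluser_plan` and then `yesno "Really delete $DEL_USER?"` before running the commands as root.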
When combined with the here-document operator (<<), the cat command is a
good choice to output several lines of text from a script. In
interactive use, the command is mostly run with a filename as an
argument, in which case cat prints the file contents on standard
output.
You can use the cut command to cut out sections of lines from a
file, so only the specified section is printed on standard output.
The above command takes the output of the ls command and cuts
out everything from the thirty-fifth character. This is piped to sort,
so the final output is sorted according to file size.
You can use the date command whenever there is a need to obtain a
date or time string for further processing by a script. Without any
options specified, the command's output looks like the following:
date
Fre Sep 03 14:18:12 CEST 2004
The date command lets you change the output format in almost
every detail. With the -I option (as in the following), date prints the
date and time in ISO format (which is the same as if the options had
been +%Y-%m-%d):
date -I
2004-09-03
date "+%D, %r"
09/03/02, 02:19:58 PM
date +%d.%m.%y
03.09.02
date +%d.%m.%Y
03.09.2004
To view a list with all the possible format options for date, see man
date. In any case, you should be able to customize the output to
exactly match the requirements of your script.
The command grep and its variant egrep are used to search files for
certain patterns, and use the following syntax:
grep searchpattern filename ...
The command prints lines that contain the given search pattern. You
can specify several files, in which case the output will print the
matching line and the corresponding filenames.
Several options are available to specify that only the line number
should be printed, for instance, or that the matching line should be
printed together with leading and trailing context lines.
You can specify sed commands either directly on the command line
or in a special command script loaded by the program on execution.
This command deletes everything from line 10 to the end of the file
and also prints the first 9 lines of somefile.
This example prints all lines that have the pattern Murphy.* in them.
If you want sed to perform several editing commands for the same
address, you need to enclose the commands in braces, as in the
following:
sed '1,10{command1 ; command2}'
You can use the following options with the s command (search and
replace):
■ I. Do not distinguish between uppercase and lowercase letters.
■ g. Replace globally wherever the search pattern is found in the
line (instead of replacing only the first instance).
■ n. Replace the nth matching pattern only.
This command replaces the first colon in each line with a space.
sed 's/:/ /g' /etc/passwd
This command replaces only the second colon in each line with a
space.
sed -n 's/\([aeiou]\)/\1\1/Igp'
This command replaces all single vowels with double vowels. The
example shows how matched patterns can be referenced with \1 if
the search pattern is given in parentheses (which have to be
escaped). The I option ensures that sed ignores the case.
File tests
Option   Description
-e       File exists
-f       File exists and is a regular file
-d       File exists and is a directory
-x       File exists and is an executable file

File comparisons (file1 option file2)
Option   Description
-nt      Newer than
-ot      Older than
-ef      Refers to the same inode (such as in the case of a hard link)

Integer comparisons
Option   Description
-eq      Equal
-ne      Not equal
-gt      Greater than
-lt      Less than
-ge      Greater than or equal
-le      Less than or equal

String tests
Option                      Description
test -z string              Exit status is 0 (true) if the string has zero length (is empty).
test string                 Exit status is 0 (true) if the string has nonzero length (consists of at least one character).
test string1 = string2      Exit status is 0 (true) if the strings are equal.
test string1 != string2     Exit status is 0 (true) if the strings are not equal.

Combining conditions
Option                          Description
test ! condition                Exit status is 0 (true) if the condition is not true.
test condition1 -a condition2   Exit status is 0 (true) if both conditions are true.
test condition1 -o condition2   Exit status is 0 (true) if either condition is true.
For more detailed information about test, enter help test and man test (the
built-in test command and the external one have identical features).
You can use tr to delete characters from the first set by entering the
following:
tr -d set1
This will not translate anything; it only deletes the ones included in
set1, printing the rest to standard output.
In this example, tr deletes the percent sign from the original value of
VAR and the result is assigned as a new value to the same variable.
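The sed s-command flags, the tr deletion and the cut field extraction described in this section, as an added example that is not from the course text. The /etc/passwd-style lines are constructed so the difference between "first match", "nth match" and "global" is visible on known input. The I flag (ignore case) is a GNU sed extension, which is the sed that SLES ships.

```shell
# Constructed sample input in /etc/passwd format (not a real file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice Example:/home/alice:/bin/bash'

first_colon_to_space()  { sed 's/:/ /';  }   # no flag: only the first colon
second_colon_to_space() { sed 's/:/ /2'; }   # n flag: only the second match
all_colons_to_space()   { sed 's/:/ /g'; }   # g flag: every colon on the line

# \( \) groups the vowel so that \1 can repeat it; with -n, the p flag
# prints only lines in which a replacement took place.
double_vowels()         { sed -n 's/\([aeiou]\)/\1\1/Igp'; }

# tr -d deletes the listed characters and translates nothing.
strip_percent()         { tr -d '%'; }

# Login names are the first colon-separated field of each line.
login_names() { printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1; }

# The pattern from the tr description: strip a percent sign from a variable.
VAR='usage: 42%'
VAR=$(printf '%s' "$VAR" | strip_percent)
```

All of the filters read standard input, so they can be used in a pipeline (`cut -d: -f1 /etc/passwd | sort`) or on a variable through command substitution, as the last two lines show.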
Exercise Answers
echo -e "\aHello\nworld"
exit 0
exit 0
login=`whoami`
path=`pwd`
declare -i INTEGER1
declare -i INTEGER2
declare -i SUM
exit 0
read FILENAME
if test -e "$FILENAME"
then
    if test -x "$FILENAME"
    then
        echo "The file exists and is executable."
    else
        echo "The file exists but is not executable."
    fi
else
    echo "The file does not exist."
fi
exit 0
declare -i COUNTER=1
exit 0
Summary
The following is the summary of the objectives.
1. Use Basic Script Elements
■ Before writing a shell script, it is useful to draw a program flow chart.
■ Before a file can be run as a shell script, it must have both read and execute permissions.
■ To produce some simple output from a script, you can use the echo command.
■ To read user input for processing by a script, you can use the read command.
■ There are several ways to perform arithmetic operations in a script:
    ■ Use the external command expr.
    ■ Use the Bash built-in command let.
    ■ Enclose arithmetic expressions in double parentheses for expansion by the shell.
    ■ In Bash, arithmetic operations can also be performed with plain variables, provided that these have been declared as integers before.

2. Use Variable Substitution Operators
■ In Bash, you can use special variable substitution operators to assign different values to variables without having to rely on external commands.
■ These special substitution operators allow changing variables by deleting certain patterns in their values and returning the rest, for instance.
■ They also allow you to set a default for a variable for situations where no value can be assigned to it.

3. Use Control Structures
■ Conditional statements in shell scripts can be implemented with an if branch.
■ For relatively simple structures, you can also use the command separators && and || to express the same statement as a command line.
■ To take decisions with a number of possible choices in a script, create a multiple branch with a case statement.
■ With the commands while and until, create loops that depend on certain terminating conditions.
■ The for command allows you to create loops to process a list of elements.
■ There are 2 ways to influence the operation of a loop:
    ■ With the break command, a loop can be terminated completely according to a given condition.
    ■ The continue command allows exiting from the current iteration of a loop if the condition is true.

4. Use Advanced Scripting Techniques
■ If you anticipate that certain command sequences will be used more than once in a script, or if you want to make a complex script easier to read and understand, consider defining shell functions for certain routines.
■ A function normally comprises a part of a script and makes it available under a user-definable name, such that the script part can be executed simply by stating this name further below in the script.
■ Use the Bash built-in command getopts to easily extract command-line options for shell scripts.
■ With the getopts command, you can tell the script which options it should recognize and which action should be triggered by a given option.

5. Learn About Useful Commands in Shell Scripts
You can use external commands in shell scripts to perform certain tasks. The following is a list of commonly-used commands:
■ cat
■ cut
■ date
■ echo
■ grep and egrep
■ sed
■ test
■ tr
In this section, you learn how to compile and install software that is
available as source code.
Objectives
1. Understand the Basics of C Programming
2. Understand the GNU Build Tool Chain
3. Understand the Concept of Shared Libraries
4. Perform a Standard Build Process
Introduction
Although SLES 9 is shipped with software packages for almost all
purposes, you might want to install software from other sources.
#include <stdio.h>

int main(void)
{
    char name[80];

    printf("Please enter your name: ");
    /* %s stops at white space; without a field width such as %79s it
       does not limit how many characters are stored in name[80] */
    scanf("%s", name);
    printf("Your name is: %s\n", name);
    return(0);
}
This program prompts the user to enter his name, and then it prints
out Your name is: and the name the user has entered.
Files that contain function declarations are called header files and
their filenames typically end in .h.
int main(void)
This line starts the main function of the program. This is the
function that is initially called when the program is started. A
program can consist of more functions, but it must have at least a
main function.
char name[80];
This line declares a variable name. The type of the variable is char,
a variable type for a single character. In this example, since you
need to store more than just one character in the variable, you
declare an array of 80 char variables with [80].
printf("Please enter your name: ");
This line prints out the message Please enter your name:. It uses the
function printf for this purpose. This line also shows a typical
function call in C. The arguments are given in parentheses after the
function name.
scanf("%s", name);
In this line the function scanf is used to read the input of the user.
The function takes two arguments: a format string %s, which
determines the way the input should be handled by the function, and
the variable name, in which the input should be stored.
printf("Your name is: %s\n", name);
This line uses the function printf again, this time to print out the
entered name of the user. The function takes 2 arguments in this
case, the string Your name is: and the variable name, which holds
the name of the user.
return(0);
This line uses the return statement to return 0 as the value of the
function. Because this is the main function, it also determines the
return value of the whole program.
}
This curly bracket closes the main function and the whole program.
The program is compiled with gcc, as in the following:
gcc my_name.c -o my_name
First, the name of the file that contains the source code is passed to
gcc, followed by the -o option and the name of the output binary
file.
After the compilation has finished, the binary can be started like any
other command line program, as in the following:
./my_name
Please enter your name: Florian
Your name is: Florian
If you did not complete this successfully, use the YaST Install and Remove
Software module to install this software before starting the exercise.
To run the configure script, you need to use the following command
at the top of the source directory:
./configure
You can use the following command to list all available configure
options:
./configure --help
You use the tool make to compile multiple source files in the correct
order. Make is controlled by Makefiles. Normally, these Makefiles
are generated by the configure script, but you can also create them
manually.
You can also use make to install and uninstall the program to or
from the right location on the hard disk.
all: my_name

my_name: my_name.c
	gcc my_name.c -o my_name

install: my_name
	install -m 755 my_name /usr/local/bin/my_name

uninstall: /usr/local/bin/my_name
	rm -f /usr/local/bin/my_name

clean:
	rm -f my_name
If you execute the command make while you are in the respective
directory, the program make will search this directory for the files
GNUMakefile, Makefile, or makefile.
The command make can also be used with individual targets. For
example, the command make install (as root) installs the binary file
at the specified location and make uninstall removes the binary file.
Even large software projects are created in the same way, but the
Makefiles are much more extensive and complex. If the software
will be compiled to a functional program on multiple architectures,
things are much more complicated.
The last step when installing a program from source is to install the
binary file and additional files belonging to the application.
This step is usually done with make and an install target in the
corresponding Makefile.
The command make install must be entered by root at the top level of the
source directory.
[Figure: the shared library libpng is used by several programs, such as a graphics program and a web browser.]
For example, the package libpng contains the shared library, and the
package libpng-devel contains the corresponding header files.
When you run the configure script, it sometimes prompts you about
missing libraries that should be installed on the system. If you install
the required packages with YaST, you have to make sure that you
select both the shared library and the corresponding devel package.
Before you start the build process, you need to extract the tar
archive with the following command:
tar xzf xpenguins-2.2.tar.gz
Some tar archives end in .bz2. In this case, the archive is compressed with
bzip2 and needs to be extracted with the options xjf.
In the source directory, you need to run the configure script with the
following command:
./configure
In the last line of the output you can see that the Makefiles are
created.
If the configure script does not report any errors, you can start the
compilation process by entering the following:
make
The most important part in the output of make are the compiler calls
starting with:
gcc -DHAVE_CONFIG_H -I ...
When the compilation process has finished without any errors, you
can install the software by entering the following (as root):
make install
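The extract, configure, make, make install sequence as one script, added here as an example and not taken from the course or from the xpenguins project. Each step is chained with && so the sequence stops at the first failure, the tar options are chosen from the archive name (xzf for gzip, xjf for bzip2, as described above), and when a SHA-256 digest is supplied the archive is refused if it does not match. The digest would come from the project's published checksums; the values used in the demonstration are constructed, and sha256sum from coreutils is assumed to be installed.

```shell
# tar_flags_for ARCHIVE: prints the tar options that match the file name.
tar_flags_for() {
    case "$1" in
        *.tar.gz | *.tgz)   echo xzf ;;   # gzip-compressed
        *.tar.bz2 | *.tbz2) echo xjf ;;   # bzip2-compressed
        *.tar)              echo xf  ;;   # not compressed
        *) echo "unknown archive type: $1" >&2; return 1 ;;
    esac
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 if the digest matches.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# extract_source ARCHIVE TARGETDIR [EXPECTED_SHA256]
# Unpacks the archive below TARGETDIR; fails on an unknown type, a
# checksum mismatch, or a tar error.
extract_source() {
    archive=$1; target=$2; expected=$3
    flags=$(tar_flags_for "$archive") || return 1
    if [ -n "$expected" ]; then
        verify_sha256 "$archive" "$expected" \
            || { echo "checksum mismatch for $archive" >&2; return 1; }
    fi
    mkdir -p "$target" && tar "$flags" "$archive" -C "$target"
}

# build_source SRCDIR: configure and compile; install only when running as root.
build_source() {
    cd "$1" || return 1
    ./configure && make || return 1
    if [ "$(id -u)" -eq 0 ]; then
        make install
    else
        echo "not root: run 'make install' as root in $1" >&2
    fi
}

# Typical use (xpenguins-2.2.tar.gz is the archive from the text):
#   extract_source xpenguins-2.2.tar.gz /tmp EXPECTED_DIGEST && build_source /tmp/xpenguins-2.2
```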
Do the following:
cd /tmp/xpenguins-2.2/
(End of Exercise)
Summary
The following is the summary of the objectives.
1. Understand the Basics of C Programming
There are basically 2 different programming language types:
■ Script languages. The source code is executed by an interpreter software.
■ Compiler languages. The source code needs to be converted into a binary file, which can be directly executed by the CPU.
The C and C++ programming languages are the most important compiler languages.
C has the following basic characteristics:
■ A preprocessor processes the source code before compiling.
■ Every program has at least a main function.
■ Functions and variables need to be declared before they can be used in the code.
■ The declaration must include the definition of variable types.
The names of C source files normally end in .c.
The basic command to compile a source file looks like the following:
gcc <sfile.c> -o <bfile>

2. Understand the GNU Build Tool Chain
The standard build process consists of the following steps:
■ The build process must be prepared with the configure script.
■ The make command is used to compile the source code.
■ The make program is used again to install the application.
The easiest way to install all necessary software packages for a build environment is to select the C/C++ Compiler and Tools selection in the YaST package manager.

3. Understand the Concept of Shared Libraries
Shared libraries contain certain functions that are needed by many programs. These files are loaded when an application needs a function from the corresponding library.
A shared library consists of 2 basic parts:
■ The shared object
■ The header file
Some libraries are split into 2 software packages on SLES 9. To run applications, you just need the base library package. To compile software, you also need the header files in the package with the extension -devel.

4. Perform a Standard Build Process
The following are the command lines that are needed to build software from source, shown by the example of the xpenguins game:
tar xzf xpenguins-2.2.tar.gz
This extracts the source archive.
cd xpenguins-2.2/
This changes to the source directory.
./configure
This runs the configure script.
make
This starts the compilation process.
make install
This installs the program.
Objectives
1. Find Performance Bottlenecks
2. Reduce System and Memory Load
3. Optimize the Storage System
4. Tune the Network Performance
Introduction
In this section, you learn about monitoring utilities that help you
find the component that is causing performance problems.
No matter what measures you choose, make sure that all changes
are well tested before you enable them on the actual production
system. Changes to the kernel parameters need to be tested very
carefully.
Before you start to troubleshoot a system, you should ask for more
information to gain a better overview about the whole situation. The
following is a list of questions that can help you to find the
performance bottleneck:
■ What kind of server is affected? This includes information
about the hardware and the purpose of the server.
■ What are the exact symptoms of a problem? The more
information you have, the more likely you are to determine the
cause of a problem.
■ Does the problem occur at specific times of the day or the
week? For example, performance problems might occur in the
morning when people start to work or after lunch break when
people return to work.
■ When and how did the problem start? Did the problem occur
quickly or slowly over several days or months?
■ Who is experiencing the problems? Does just one person
have the problem, or is it a group of people who are using the
same file server?
■ Can the problem be reproduced? This can be very helpful
when you are analyzing the system.
To assign the CPU time, the kernel puts the running processes into a
queue. Depending on the priority of a process and the time since it
was executed last, the kernel decides which process should be
executed next.
If the load average is lower than 1, some capacity is not used. If the average
value is higher than 1, the processor is not fast enough to handle all
currently running processes.
During these times the processes are not waiting in the kernel's
process queue and do not influence the load value of a system. This
means that an application can be slow, but CPU time is not the
reason for it.
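An added example, not from the course text, that reads the three load averages and relates them to the number of processors: the threshold of 1 given above applies per CPU, so a 1-minute average of 3 on a four-processor system still leaves idle capacity. The loadavg line and the CPU count are parameters (on a running SLES system they come from /proc/loadavg and nproc), so the check can be run against recorded values; the values in the comments are constructed.

```shell
# load_summary "LOADAVG_LINE" CPUS
# Prints the 1, 5 and 15 minute averages and the 1-minute average per CPU.
# Fields 1-3 of /proc/loadavg are the averages; field 4 is running/total
# processes and field 5 the last PID, which are not needed here.
load_summary() {
    loadline=$1; cpus=$2
    [ "$cpus" -gt 0 ] 2>/dev/null || { echo "cpu count must be positive" >&2; return 2; }
    set -- $loadline            # split the line into its space-separated fields
    echo "$1 $2 $3" | awk -v cpus="$cpus" '{
        printf "1min=%.2f 5min=%.2f 15min=%.2f per_cpu_1min=%.2f\n", $1, $2, $3, $1 / cpus
    }'
}

# cpu_saturated "LOADAVG_LINE" CPUS
# Exit status 0 (true) when the 1-minute run queue exceeds the processor
# count, the state the text describes as the processor being not fast enough.
cpu_saturated() {
    loadline=$1; cpus=$2
    set -- $loadline
    awk -v load="$1" -v cpus="$cpus" 'BEGIN { if (load > cpus) exit 0; exit 1 }'
}

# Live use on Linux:
#   load_summary "$(cat /proc/loadavg)" "$(nproc)"
#   cpu_saturated "$(cat /proc/loadavg)" "$(nproc)" && echo "CPU is the bottleneck"
```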
Program Description
top Displays a sorted list of applications and the three
values for the average load values in the last 1, 5
and 15 minutes.
When you find that your system has a high load
value, top can also be very helpful to find out
which application is actually producing it.
You can view the utilization of the physical and the swap memory
with the free program, as in the following:
free
This can happen when the application crashes. It can also happen
during normal operation, when the implementation of the program
is faulty. In this case, the application has a memory leak.
You can use the top command to find programs that use a lot of
memory. By default, top sorts the process list by CPU utilization.
By pressing F, then n and then the Enter key, you can change the
sorting column to memory utilization. This way the top memory
consumers can be found at the top of the list.
You can use the command vmstat to display the activity of swap
memory, as in the following:
vmstat 1
The option 1 lets vmstat repeat its output every second. This way
the usage of swap memory can be displayed over a period of time.
You can terminate the program by pressing Ctrl+C.
The first line of the output displays the average values since the
system was started. The lines that follow show the average values
since the last output.
Program Description
free Displays the current utilization of the physical and
swap memory.
Before you analyze the hard disk performance and utilization, you
should make sure that you don't have any problems with a too-high
system load or a lack of physical memory.
In this case, you can use the command vmstat to display the activity
of the disk subsystem. You start vmstat by entering the following:
vmstat 1
In this example, the columns of interest are bi and bo. They display
the number of blocks that are read from (bi) or written to (bo) the
disk subsystem.
As you can see in this column, the system has to deal with a lot of
writing activity to the disk subsystem.
However, a lot of data read from or written to the disk does not
necessarily mean that the disk subsystem is too slow. Depending on
the available disk types and the disk configuration, a disk load that
totally blocks one system can be easily handled by another system.
You can use the command iostat to determine the average time a
program has to wait for data from the disk.
The iostat command is not part of the SLES 9 default installation. You
need to install the package sysstat to use it.
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 3.18 17.90 3.37 1.32 146.73 153.78 73.36 76.89 64.11 0.25 53.50 4.57 2.14
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
The first output represents the average values since the system was
started. All following lines show the average values since the last
update period.
The block that displays the device information shows first some
details about the amount of data that is read from or written to the
device. To find out if the disk subsystem has a performance
bottleneck, focus on the following 2 columns:
■ await. This column displays the average time in milliseconds
an application has to wait until its I/O request is performed.
■ svctm. This column displays the average time in milliseconds
that an I/O request needs to be performed.
As you can see in the output above, the system in question is not
really busy. The average await time since the system was booted is
53.50 milliseconds and the average svctm time is 2.14 milliseconds.
As you can see in the following lines, the current disk utilization is
even far below the average with await and svctm times of 0
milliseconds.
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 9198,00 4,00 39,00 32,00 73872,00 16,00 36936,00 1718,70 103,83 1430,33 23,28 100,10
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 9105,94 0,00 44,55 0,00 73140,59 0,00 36570,30 1641,60 99,97 2441,89 22,24 99,11
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 10313,13 0,00 41,41 0,00 82828,28 0,00 41414,14 2000,00 93,90 2529,10 24,41 101,11
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 9293,00 0,00 41,00 0,00 74640,00 0,00 37320,00 1820,49 92,70 2447,00 24,41 100,10
As you can see, the average await time on this system is far beyond
2000 milliseconds, and the svctm time is much higher than before.
Such a system cannot fulfill the requested I/O operations at an
adequate speed.
Program Description
vmstat Monitors the amount of data that is read from or
written to disk.
You can monitor these parameters with KDE System Guard. To start
KDE System Guard from the KDE start menu, select
System > Monitor > KDE System Guard.
On the left side of the window, you can browse the available
monitoring sensors. Browse to Network > Interfaces >
Interface_you_want_to_monitor.
The following describes some of the available sensors you can use
to analyze network problems:
Sensor            Description
Data/Packets      The amount of data or packets sent or received by
                  the interface. If performance problems occur
                  during a high network load, the network
                  connection or type might be too slow for the
                  purpose of the server.
Dropped Packets   This sensor displays the number of packets that
                  are either dropped when they are received by the
                  host or by other network components like routers
                  on their way to the destination.
                  Too many dropped packets can have a bad
                  influence on the network performance. The
                  following are some reasons for dropped packets:
                  ■ Network components are running at a
                    different speed. For example, the server runs
                    at 100 Mbps, but the router at only 10 Mbps.
                  ■ The network or system load of a server is too
                    high to handle all received network packets
                    properly.
                  ■ A network component runs with a
                    misconfigured packet filter that drops network
                    packets.
The following are tools that you can use to monitor the network:
Program Description
KDE System Guard Displays network utilization and different kinds
of transmission errors.
Traffic-vis Analyzes network connections to specific
hosts. You need to install the package traffic-
vis in order to use this tool.
ip Displays the status of an interface as well as
transmission errors.
Do the following:
3. Enter top.
Watch the information about the system load and the process
list for a few moments.
If the directory /usr/src/linux does not exist, you need to install the
package kernel-source.
8. Wait until the load average value has reached 1; then quit the
compilation process in the second terminal window by pressing
Ctrl+C.
10. From the first terminal window, watch the load values for a few
moments.
Do the following:
1. From the KDE start menu, select System > Monitor > KDE
System Guard.
5. Select OK.
8. Drag the Packets sensor from the Receiver and drop it in the
upper part of the Network worksheet.
10. Drag the Packets sensor from the Transmitter and drop it in the
lower part of the Network worksheet.
14. Wait until a partner has reached this step of the exercise.
15. Produce some network load with the system of your partner by
entering the following:
ping -f partner_ip_address
16. Watch the network load rise in the receiver and the transmitter.
(End of Exercise)
In this case, you should try to get more information about the issue
by searching the Internet and the web site of the vendor or the
open-source project.
The easiest but most effective way to reduce the system load is to
run only the software that is required to fulfill the purpose of a
system. This includes the following methods:
■ Run a Server System Without X
■ Reduce the Number of Daemon Processes
Preventing the X server from being started reduces memory and CPU
utilization. To do so, you can switch to runlevel 3 manually by
entering the following:
init 3
You can also set the default runlevel to 3 to boot the system to
runlevel 3 automatically.
To change the default runlevel, you need to open the following file
with a text editor:
/etc/inittab
In most cases, a server offers only a few services but a lot more
daemons are actually running. By reducing the number of running
daemon processes, you can reduce the processor and the memory
load.
Review the list and make sure that the only services that are running
are those needed in the default runlevel of your server. If you find a
service that is not necessary, you can prevent it from starting up at
boot time by removing its startscript from the init process.
Use a command like the following to remove a service from the init
process:
chkconfig apache2 off
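As an added example (not from the course text), a filter that lists the services chkconfig reports as started in a given runlevel, so that the review of what runs in the server's default runlevel can be done in one step. The input is the line format of chkconfig --list on SLES 9 (name followed by 0:off ... 6:off), the sample lines are constructed and not taken from a real system, and default_runlevel reads the initdefault line of an inittab file whose path is passed in.

```shell
# Constructed sample in the format of chkconfig --list.
CHKCONFIG_SAMPLE='apache2     0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups        0:off  1:off  2:on   3:on   4:off  5:on   6:off
sshd        0:off  1:off  2:off  3:on   4:off  5:on   6:off
xdm         0:off  1:off  2:off  3:off  4:off  5:on   6:off'

# services_on_in_runlevel LEVEL
# Reads chkconfig --list output on stdin; prints the services that are
# on in that runlevel, one per line.
services_on_in_runlevel() {
    level=$1
    case "$level" in
        [0-6]) ;;
        *) echo "runlevel must be 0-6" >&2; return 2 ;;
    esac
    awk -v want="$level:on" '{ for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# default_runlevel INITTAB
# Prints the runlevel from the initdefault line, e.g. "3" for id:3:initdefault:
default_runlevel() {
    sed -n 's/^id:\([0-6]\):initdefault:.*/\1/p' "$1"
}

# Live use: chkconfig --list | services_on_in_runlevel "$(default_runlevel /etc/inittab)"
```

Each service the filter prints that the server does not need is a candidate for `chkconfig <service> off`, as shown above; fewer running daemons means less load and also fewer listening programs exposed on the network.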
However, there might be exceptions to the rule. For this reason, you
should test new releases carefully before using them in a production
environment.
First, you should make sure that you have enough available swap
space. The old rule, that you should have double the size of the
physical memory as swap space, is a bit outdated but still a
reasonable starting point.
Every swap partition has an entry in the file /etc/fstab that looks like
the following:
/dev/hda1 swap swap 0 0
You can use more than one swap partition by creating partitions and
adding these to /etc/fstab, as in the following:
/dev/hda1 swap swap pri=1 0 0
/dev/hdb1 swap swap pri=1 0 0
/dev/hdc1 swap swap pri=1 0 0
The drives that hold swap partitions should run at the same speed.
If your system shows a high system load but all other parameters
like memory, network and storage load or utilization are not
significantly high, you should consider upgrading the CPU.
Do the following:
3. Log in as root.
4. Enter free.
10. Compare the amount of free physical memory with the number
you noted earlier.
The success of this depends on the amount of free memory you have
available on your hardware.
(End of Exercise)
You can use the tool hdparm to tune some settings of IDE hard
drives. Entering the following command displays the current
settings of a drive:
hdparm -i /dev/hda
The most important setting you can change with hdparm is DMA
(direct memory access). With DMA, data from a disk can be written
directly to the main memory of a system without CPU utilization.
This enhances performance in 2 ways:
■ The transfer itself is much faster than with disabled DMA.
■ The CPU is not utilized and can be used for other tasks.
You can use the following command to check the current status of the
DMA configuration:
hdparm -d /dev/hda
In this example, the DMA settings for the device hda are checked,
with an output similar to the following:
/dev/hda:
using_dma = 1 (on)
In this example, DMA is enabled for the device hda; otherwise, the
variable using_dma would have the value 0.
With hdparm, you can also use command line options that affect a
drive's performance. The following lists the most important options:
Parameter    Description
-c 1         Enables 32-bit transfers of disk data over the PCI bus.
-u1          A setting of 1 permits the driver to unmask other interrupts during processing of a disk interrupt, which greatly improves Linux's responsiveness and eliminates serial port overrun errors.
-X <value>   Configures the drive to use a specific transfer mode.
-A 1         Enables read-ahead, which increases performance when dealing with large, sequential file operations.
Before you change any settings with hdparm, you should make sure that
important files on your system are saved and backed up. Improper settings
can lead to system crashes or data loss. For more information, see man
hdparm.
The output for this command might look like the following:
/dev/hda:
 Timing buffered disk reads:  156 MB in  3.01 seconds =  51.75 MB/sec
All changes that are made with hdparm are active only until the next
reboot. To make sure hdparm commands are executed every time
the system boots, you can add them to the file /etc/init.d/boot.local.
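As an added example (not from the course manual), the following shell script checks the DMA state of a drive by parsing hdparm -d output, enables DMA only when it is reported off, and extracts the MB/sec figure from the timing output so measurements before and after a change can be compared. The DISKS list and the use of hdparm's -d1 switch to turn DMA on are assumptions made for the example; the script only acts when run with --apply, so it can be called from /etc/init.d/boot.local.

```shell
#!/bin/sh
# Added example, not part of the course manual. Assumptions: the disks to
# tune are listed in DISKS; `hdparm -d1` enables DMA (hdparm's own switch).
DISKS="/dev/hda"

# Read `hdparm -d <dev>` output on stdin and print on / off / unknown.
dma_state_from_output() {
    awk '/using_dma/ { if ($3 == 1) print "on"; else print "off"; found = 1 }
         END { if (!found) print "unknown" }'
}

# Read `hdparm -t <dev>` output on stdin and print the MB/sec figure.
mbps_from_timing() {
    awk '/MB\/sec/ { print $(NF - 1) }'
}

# Enable DMA on $1 only if hdparm reports it off; never touch a device whose
# state could not be read, and refuse anything that is not a block device.
ensure_dma() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "$dev: not a block device, skipping" >&2
        return 1
    fi
    state=$(hdparm -d "$dev" 2>/dev/null | dma_state_from_output)
    case "$state" in
        on)  echo "$dev: DMA already on" ;;
        off) hdparm -d1 "$dev" >/dev/null && echo "$dev: DMA enabled" ;;
        *)   echo "$dev: could not read DMA state, leaving untouched" >&2; return 1 ;;
    esac
}

# Throughput reported by hdparm -t for $1 (run before and after tuning).
measure() {
    hdparm -t "$1" 2>/dev/null | mbps_from_timing
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    for d in $DISKS; do
        before=$(measure "$d")
        ensure_dma "$d" && echo "$d: ${before:-?} -> $(measure "$d") MB/sec"
    done
fi
```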
The components of the Linux kernel that are responsible for hard
disk access offer some parameters that can be changed at runtime.
Disk requests pass through a kernel component called the I/O
scheduler, which collects requests from the processes and hands
them over to the hardware driver that is responsible for the drive.
The SLES 9 I/O scheduler has one parameter that you can use to
tune the I/O performance. The parameter is stored in the file
/sys/block/device/queue/iosched/quantum, where device is the name
of the disk (such as hda).
You can set the value of the parameter with a command similar to
the following:
echo 6 > /sys/block/hda/queue/iosched/quantum
When you change the value, you should always benchmark your
application to measure the success of the change.
Another kernel parameter lets you determine how much data should
be used for the read-ahead. Read-ahead basically means that more
data from a file is read than requested by an application.
The value determines how much data (in KB) is read ahead from a
file. The default value on SLES 9 is 128 KB. Larger values can lead
to better overall throughput, at the cost of higher latency.
The swappiness parameter affects both the memory and the I/O
performance. It basically determines when a system starts to swap
out data to the disk, and can be set in the file
/proc/sys/vm/swappiness.
You can set the parameter value from 0 to 100. The higher the
value, the more readily the system swaps. The default value for SLES 9
is 60.
You can set the parameter with a command like the following:
echo 40 > /proc/sys/vm/swappiness
The parameter determines how much you value the page cache over
program memory.
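The quantum, read-ahead and swappiness values above are all written into plain files, so a typo or a value the kernel silently rejects would otherwise go unnoticed. This added example (not from the manual) wraps each write in a helper that validates the range, writes the value, and reads it back; the read-ahead file name /sys/block/<dev>/queue/read_ahead_kb is an assumption, as the text does not name the file.

```shell
#!/bin/sh
# Added example, not from the course manual. Assumption: the read-ahead
# size lives in /sys/block/<dev>/queue/read_ahead_kb (the text does not
# name the file); the other two paths are the ones given in the text.

# Return 0 if $1 is an integer between $2 and $3 inclusive.
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Write $2 into tunable file $1 and read it back; print "old -> new" on
# success. Fails loudly if the file is missing or unwritable, or if the
# kernel kept a different value than the one written.
set_tunable() {
    f="$1"; new="$2"
    if [ ! -w "$f" ]; then
        echo "$f: not writable (missing file, or not running as root)" >&2
        return 1
    fi
    old=$(cat "$f")
    echo "$new" > "$f" || return 1
    got=$(cat "$f")
    if [ "$got" != "$new" ]; then
        echo "$f: wrote $new but the kernel reports $got" >&2
        return 1
    fi
    echo "$f: $old -> $new"
}

# swappiness: 0..100, higher swaps more readily (SLES 9 default is 60).
set_swappiness() {
    in_range "$1" 0 100 || { echo "swappiness must be 0..100, got '$1'" >&2; return 1; }
    set_tunable /proc/sys/vm/swappiness "$1"
}

# I/O scheduler quantum for disk $1 (for example hda): a positive integer.
set_quantum() {
    in_range "$2" 1 1000000 || { echo "quantum must be a positive integer" >&2; return 1; }
    set_tunable "/sys/block/$1/queue/iosched/quantum" "$2"
}

# Read-ahead in KB for disk $1 (SLES 9 default is 128 KB per the text).
set_readahead_kb() {
    in_range "$2" 0 1000000 || { echo "read-ahead must be a non-negative integer" >&2; return 1; }
    set_tunable "/sys/block/$1/queue/read_ahead_kb" "$2"
}

# Usage as root, then re-run the application benchmark to judge the change:
#   set_swappiness 40; set_quantum hda 6; set_readahead_kb hda 256
```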
If the atime attribute is not important to you, you can mount a data
partition with the noatime option. The following shows an fstab
entry for the partition /dev/hda2 that uses the noatime option:
/dev/hda2 /data reiserfs noatime 0 0
Beside the general disk tuning options, you can also configure the
file system to
■ Mount a Reiser File System With the notail Option
■ Configure the Journaling Mode of Ext3
Reiserfs packs small files and the tails of larger files (the data the
notail option refers to) into the file system's internal structure,
which stores this data much more efficiently. However, this costs some
performance. You can use the mount option notail to disable this
feature. The drawback is a less space-efficient data storage.
You can use the notail option either with the -o option of mount or
in the /etc/fstab file, as in the following:
/dev/hda2 /data reiserfs notail 0 0
The ext3 file system offers 3 journaling modes that also affect the
disk performance:
■ data=journal. If you use this mode, the data of a transaction
and the file metadata are logged in the journal. This is the
safest option for data integrity.
■ data=ordered. When an ext3 file system is mounted with this
option, only the file metadata is stored in the journal. However,
it forces the file data to be written to disk before the metadata.
This option is a good compromise between speed and
reliability, and is the default for SLES 9.
■ data=writeback. This is the fastest journaling option. Metadata
is logged to the journal, but file data is not treated in a special
way. You still have the advantages of a journaling file system
when a crash or a power failure occurs, but because the metadata
can reach the disk before the data it refers to, a file that was
being written at the time of the crash can afterwards contain stale
blocks from previously deleted files.
You can use these options with the -o option of the mount
command, or add them to /etc/fstab, as in the following:
/dev/hda2 /data ext3 data=writeback 0 0
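The swap priorities, noatime, notail and data= options described above all live in /etc/fstab, so one place to audit is the fstab itself. As an added example (not from the course manual), the following shell functions read fstab text from standard input and report whether a given mount point carries an option, which ext3 journaling mode it uses (falling back to the SLES 9 default, ordered), and how many swap entries carry a pri= setting; the sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not part of the course manual.
# Constructed sample /etc/fstab (not taken from a real system).
SAMPLE_FSTAB='/dev/hda1   swap    swap      pri=1            0 0
/dev/hdb1   swap    swap      pri=1            0 0
/dev/hda2   /       reiserfs  defaults         1 1
/dev/hda3   /data   reiserfs  noatime,notail   0 0
/dev/hdc1   /srv    ext3      data=writeback   0 0
/dev/hdc2   /var    ext3      defaults         0 0'

# Print the value of option $2 for mount point $1: "set" for a flag option,
# its value for a key=value option, "absent" if the entry lacks it, and
# "no-entry" if the mount point is not in the fstab. Reads fstab on stdin.
fstab_option() {
    awk -v mp="$1" -v opt="$2" '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $2 == mp {
            seen = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == opt) { print "set"; exit }
                if (index(o[i], opt "=") == 1) { print substr(o[i], length(opt) + 2); exit }
            }
            print "absent"; exit
        }
        END { if (!seen) print "no-entry" }'
}

# ext3 journaling mode of mount point $1: the data= value, or "ordered"
# when none is given (the SLES 9 default according to the text).
ext3_data_mode() {
    v=$(fstab_option "$1" data)
    [ "$v" = "absent" ] && v=ordered
    echo "$v"
}

# Count swap entries and how many of them carry an explicit pri= option.
swap_priority_summary() {
    awk '$3 == "swap" { total++; if (("," $4) ~ /,pri=/) withpri++ }
         END { printf "%d swap entries, %d with pri=\n", total, withpri }'
}

# On a live system:  fstab_option /data noatime < /etc/fstab
#                    ext3_data_mode /srv < /etc/fstab
```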
In this exercise, you tune your IDE hard drive. It is assumed that the
IDE hard disk is /dev/hda. If your IDE hard disk is connected
differently (such as hdc), use the correct device name in the
following steps.
Do the following:
(End of Exercise)
The Linux kernel lets you change some network parameters during
runtime. This makes sense on systems that have to deal with a lot of
parallel connections (such as web servers).
The parameters can be set with the sysctl command. To use this
command, you have to be the root user, because changing kernel
parameters is not permitted for normal users.
You can also access the kernel parameters from the proc file system,
which is mounted under /proc. You change the parameters by
writing them into the corresponding files in the /proc directory.
Summary
The following is the summary of the objectives:
Objective Summary
1. Find Performance Bottlenecks
   To find performance bottlenecks, you should monitor the following components of your system:
   ■ CPU. The value of the CPU load is measured by the average number of processes that are waiting to be executed.
   ■ Storage System. A good indicator for the storage load of a system is the time that an application needs to wait for an I/O request and the amount of time an average I/O request takes.
3. Optimize the Storage System
   To enhance the performance of the storage system, you can do the following:
   ■ Use hdparm to ensure an optimal configuration of your hard disks.
   ■ Set kernel parameters to optimize disk access.
   ■ Tune access to the file systems on your disks.
   ■ Exchange slow components of your storage system.
In this section, you learn how SLES 9 handles hardware and device
drivers. You also learn how to add and replace certain types of
hardware.
Objectives
1. Understand the Differences Between Devices and Interfaces
2. Understand How Device Drivers Work
3. Understand How Device Drivers Are Loaded
4. Understand the sysfs File System
5. Understand How the SLES 9 hotplug System Works
6. Understand the hwup Command
7. Add New Hardware to a SLES 9 System
Introduction
Although most hardware devices can be configured with YaST or
are even automatically detected when plugged into the system, it is
sometimes helpful to understand how things work in the
background.
This course uses the following definitions for device and interface:
■ Device. A device is a real, physical piece of hardware. This can
be a PCI network card, an AGP graphic adapter, a USB printer,
or any kind of hardware that you can hold, feel, or break if you
want to.
■ Interface. An interface is a software component associated
with a device. To use a physical piece of hardware, it needs to
be accessed by a software interface.
A device can have more than one interface.
The following illustrates the roles of kernel and user space drivers:
Because modules normally work only with the kernel version they
are built for, a new directory is created for every kernel update you
install.
In this way, all interfaces of the system are linked with their
corresponding devices.
Beside the representation in sysfs, there are also the device files in
the /dev directory.
Every hotplug event has an event type. The event type is determined
by a single parameter that is passed to the hotplug script and some
additional environment variables that can be read by the hotplug
script.
Depending on the event type, the hotplug script starts the hotplug
agents.
It might not be possible to start some devices with the hwup script,
because no configuration file can be found.
In this case, the agents have routines to find and load the correct
driver module automatically by searching module map files in the
directories /etc/hotplug/ and /lib/modules/kernelversion/.
4. Because of the usb parameter, the hotplug script calls the USB
hotplug agent.
6. If hwup fails, the agent tries to find the correct usb module by
searching module mapfiles in /etc/hotplug and
/lib/modules/kernelversion.
[Figure: hotplug flow in a Linux system. The Linux kernel calls the hotplug script, which starts the USB agent; the agent first tries 1. hwup and then 2. automatic module loading from the map files /etc/hotplug/usb.usermap, /etc/hotplug/usb.handmap, /lib/modules/<version>/modules.usbmap, ...]
Variable                  Meaning
STARTMODE                 This determines when and how a device will be started:
                          ■ auto. The device is automatically started at boot time or by hotplug when the device is connected to the system.
                          ■ manual. The device should not be started automatically, but it can be started manually.
                          ■ off. The device should never be started.
SCRIPT{UP,DOWN}_[type]    This specifies the script to be called for initialization and deconfiguration of a specific device type. This script is called if the type of the device to be initialized matches the type given in this parameter.
SCRIPT{UP,DOWN}           This specifies the script to be called for initialization and deconfiguration of the device. It will be called only if no matching type-specific scripts are configured.
The module e100 is loaded, there are no options for this module, and
the device is started automatically at boot time.
Do the following:
2. When the SLES 9 boot screen appears, add the following to the
Boot Options field:
NOCOLDPLUG=1 NOHOTPLUG=1
These parameters are case-sensitive.
Do the following:
2. Enter lspci.
Note the PCI address (in the first column), such as the
following:
0000:02:00.0
Notice the name of the module after this option. This is the
hardware driver for your network adapter.
hwup bus-pci-address_ethernet_controller
or
hwup id-address_ethernet_controller
3. Enter cd /etc/sysconfig/network.
(End of Exercise)
Do the following:
5. Copy the existing data from /srv to /mnt. Make sure that the file
permissions copy properly. (Use the -a option for the cp
command.)
6. Verify the copied data and delete the content of the /srv
directory.
8. Edit the file /etc/fstab to mount the new hard drive automatically
at boot time.
When you add a new graphics card to the system, the X Server
starts up with the wrong driver configuration when booting into
runlevel 5.
A similar problem occurs when you replace the monitor of your system.
You can also use the following instructions in this situation.
When adding a second network adapter, you have to make sure that
the interface names of the devices are not confused.
Do the following:
3. Shut down the system and install the new network adapter.
With this method, the old adapter always gets the interface external
while the new adapter gets internal.
Summary
The following is the summary of the objectives.
Objective Summary
1) Understand the Differences Between Devices and Interfaces
   ■ The terms device and interface are often confused. This section uses the following definitions:
     ■ Device. A device is a physical piece of hardware.
     ■ Interface. An interface is a software component that is used to access a device.
   ■ One device can have more than one interface.
   ■ An interface is created by a device driver.
2) Understand How Device Drivers Work
   ■ There are 2 basic kinds of device drivers:
     ■ Kernel modules. Kernel modules are loaded into the Linux kernel and extend its functionality.
     ■ User space drivers. These drivers run within user space applications.
     Some devices require both kernel modules and user space drivers.
   ■ You can use the following commands to manage kernel modules:
     ■ lsmod. Use lsmod to list loaded drivers.
     ■ modprobe. Use modprobe to load kernel modules.
     ■ rmmod. Use rmmod to remove loaded kernel modules.
   ■ The kernel modules are files that are stored in the directory /lib/modules/kernel-version/.
3) Understand How Device Drivers Are Loaded
   In a SLES 9 system, kernel modules are loaded in the following ways:
   ■ From initrd
   ■ By initscripts
   ■ By hotplug
   ■ By the X Server
   ■ Manually by the user root
4) Understand the sysfs File System
   ■ The sysfs file system provides a representation of all devices and interfaces of a system.
   ■ Devices are represented in the directories /sys/bus and /sys/devices.
   ■ Interfaces are represented by the directories /sys/class and /sys/block.
   ■ A device and its interfaces are connected with file system links.
5) Understand How the SLES 9 hotplug System Works
   ■ The hotplug system is used to configure some devices of a SLES 9 system.
   ■ The following is the standard hotplug process when a new device is plugged into the system:
     1) The device is plugged into the system.
     2) The USB subsystem recognizes the device and triggers a hotplug event by calling the hotplug script.
     3) The subsystem passes usb as the parameter to the script and provides additional information about the new device in environment variables.
     4) Because of the usb parameter, the hotplug script calls the usb hotplug agent.
     5) The USB agent tries to configure the device by calling hwup.
     6) If hwup fails, the agent tries to find the correct usb module by searching module mapfiles in /etc/hotplug and /lib/modules/kernelversion.
     7) If a driver is found, the corresponding module is loaded.
6) Understand the hwup Command
   ■ The hwup command is used to start preconfigured devices.
   ■ The device configuration files are stored in the directory /etc/sysconfig/hardware/.
   ■ The filename of the configuration file contains a unique identifier for the corresponding device.
     In the configuration file, the following variables can be used:
     ■ STARTMODE
     ■ MODULE
     ■ MODULE_OPTIONS
     ■ SCRIPT{UP,DOWN}_[type]
     ■ SCRIPT{UP,DOWN}
7) Add New Hardware to a SLES 9 System
   In general, new hardware is either detected with hotplug or can be easily configured with YaST.
   In some cases, however, some manual work is necessary to integrate new devices properly into the system.
   The following are 3 examples of situations that require manual configuration:
   ■ Adding a hard drive
   ■ Replacing a graphic adapter
   ■ Adding a new network adapter
You must complete Scenario 1. You can then select any of the
remaining scenarios to complete, depending on available time.
LPI objectives named 1.xxx.y are part of exams 101 and 102 (LPI
Certification Level 1). LPI objectives named 2.xxx.y are part of
exams 201 and 202 (LPI Certification Level 2). CLP courses
include the section (such as 3037/3 for Course 3037 Section 3).
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. A-1
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration
Novell CLP and LPI Requirements
Topic 110: X