SUSE LINUX Enterprise Server 9
Linux Operating System Software
Administration and Installation Guide
www.suse.com, August 2004

Novell Headquarters: 404 Wyman, Suite 500, Waltham, Massachusetts 02451, USA. Phone: 781.464.8000, Fax: 781.464.8100
SUSE LINUX AG: Maxfeldstr. 5, D-90409 Nürnberg, Germany. Phone: +49 911-740 53 0, Fax: +49 911-741 77 55
www.
“main” (Installation and Administration) — 2004/6/25 — 13:29 — page i — #1

SUSE LINUX Enterprise Server
Installation and Administration
9th Edition 2004

Copyright © This publication is intellectual property of SUSE LINUX AG. Its contents can be duplicated, either in part or in whole, provided that a copyright label is visibly located on each copy. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy.
Contents

I Installation 5
1 Installation with YaST 7
1.1 S/390, zSeries: System Start-up for Installation 8
1.2 System Start-up for Installation 8
1.2.1 Possible Problems when Starting from the CD or DVD 8
1.3 The Boot Screen 10
1.4 Language Selection

1.7.12 S/390, zSeries: Connecting to the Installed System 34
1.8 Finishing the Installation 35
1.8.1 root Password 36
1.8.2 Network Configuration 37
1.8.3 Testing the Internet Connection 38
1.8.4 Loading Software Updates 38
1.8.

2.4.6 Hardware Information 84
2.4.7 IDE DMA Mode 84
2.4.8 Mouse 85
2.4.9 Scanner 85
2.4.10 Sound 87
2.4.11 ZFCP

2.8.9 Runlevel Editor 103
2.8.10 Sysconfig Editor 104
2.8.11 Time Zone Selection 104
2.8.12 Language Selection 105
2.8.13 Keyboard Layout Selection 105
2.9
2.10 Miscellaneous

3.5 Special Installation Procedures 128
3.5.1 Automatic Installation with AutoYaST 128
3.5.2 Installation from a Network Source 128
3.6 Tips and Tricks 129
3.6.1 Creating a Boot Disk in DOS 129
3.6.2 Creating a Boot Disk in a UNIX-Type System

4 Central Software Installation and Update
4.1 Setting up a Central Installation Server 152
4.1.1 Configuration with YaST 152
4.1.2 Client Installation Using the Installation Server 155
4.2 Managing Software Updates with the YOU Server 156
4.2.1 Configuring the Local YOU Server 156
4.2.
4.3

6 System Repair 185
6.1 Starting YaST System Repair 186
6.2 Automatic Repair 187
6.3 User-Defined Repair 188
6.4 Expert Tools 189
6.5 S/390, zSeries: Using initrd as a Rescue System 190
6.5.

9 The Linux Kernel
9.1 Kernel Update
9.2 Kernel Sources
9.

10 Special Features of SUSE LINUX 243
10.1 Linux Standards 244
10.1.1 Linux Standard Base (LSB) 244
10.1.2 File System Hierarchy Standard (FHS) 244
10.1.3 teTeX — TeX in SUSE LINUX 244
10.1.4 Example Environment for FTP Server 244
10.1.

11 The SUSE LINUX Boot Concept 265
11.1 The init Program 266
11.2 Runlevels 266
11.3 Changing Runlevels 268
11.4 Init Scripts 269
11.4.1 Adding init Scripts

13.5 Configuring the Printer 302
13.5.1 Local Printers 302
13.5.2 Network Printers 302
13.5.3 Configuration Tasks 304
13.6 Special Features in SUSE LINUX 305
13.6.1 Administration with the Web Front-End (CUPS)

15 Dynamic Device Nodes with udev 323
15.1 Creating Rules 324
15.2 Automization with NAME and SYMLINK 325
15.3 Regular Expressions in Keys 325
15.4 Key Selection 326
15.5 Consistent Names for Mass Storage Devices

16.4.1 Profiles 349
16.4.2 Software 349
16.4.3 Configuration 350
16.4.4 System Components and Useful Tools 350
16.4.5 Examples 352
16.4.6 Troubleshooting

18 File Systems in Linux 381
18.1 Glossary 382
18.2 Major File Systems in Linux 382
18.2.1 Ext2 383
18.2.2 Ext3 384
18.2.3 Converting an Ext2 File System into Ext3 385
18.2.4 ReiserFS

20 PAM — Pluggable Authentication Modules 403
20.1 Structure of a PAM Configuration File 404
20.2 The PAM Configuration of sshd 406
20.3 Configuration of PAM Modules 407
20.3.1 pam_unix2.conf 407
20.3.2 pam_env.conf 408
20.3.

21.4.7 Hotplug and PCMCIA 452
21.4.8 Configuring IPv6 453
21.5 Routing in SUSE LINUX 454
21.6 SLP Services in the Network 455
21.6.1 SLP Support in SUSE LINUX 455
21.6.2 For More Information

21.10.3 Exporting File Systems with YaST 511
21.10.4 Exporting File Systems Manually 512
21.11 DHCP 514
21.11.1 The DHCP Protocol 514
21.11.2 DHCP Software Packages 515
21.11.3 The DHCP Server dhcpd 516
21.11.

22.7.2 Manual Configuration 537
22.8 Using Apache 541
22.9 Active Contents 541
22.9.1 Server Side Includes: SSI 543
22.9.2 Common Gateway Interface: CGI 543
22.9.3 GET and POST

23 File Synchronization 555
23.1 Available Data Synchronization Software 556
23.1.1 Unison 556
23.1.2 CVS 557
23.1.3 subversion 557
23.1.4 mailsync 557
23.1.5 rsync

23.6.1 Configuration and Operation 569
23.6.2 For More Information 571
23.7 Introduction to mailsync 571
23.7.1 Configuration and Use 571
23.7.2 Possible Problems 573
23.7.3 For More Information

25.3.4 Starting Squid 603
25.3.5 The Configuration File /etc/squid/squid.conf 605
25.3.6 Configuring a Transparent Proxy 610
25.3.7 cachemgr.cgi 613
25.3.8 squidGuard 614
25.3.9 Cache Report Generation with Calamaris 616
25.3.

26.5.2 How Kerberos Works 659
26.5.3 Users’ View of Kerberos 662
26.5.4 For More Information 663
26.6 Installing and Administering Kerberos 664
26.6.1 Choosing the Kerberos Realms 664
26.6.2 Setting up the KDC Hardware 665
26.6.

28 System Monitoring Utilities 707
28.1 List of Open Files: lsof 708
28.2 User Accessing Files: fuser 709
28.3 File Properties: stat 710
28.4 Processes: top 710
28.5 Process List: ps
Introduction

This book guides you from the initial installation of your SUSE LINUX Enterprise Server through to full configuration of your system and complex administration tasks. It contains, in compressed form, descriptions of the installation and administration tasks for all hardware platforms supported by SUSE LINUX Enterprise Server.

System: This part provides detailed information about the organization of your Linux system and how it works, how to distinguish between the 32-(31-)bit and 64-bit worlds, and how to configure a graphical interface and a print infrastructure.

Services: This part covers the main server services on your system and their configuration with YaST.

Ctrl-Alt-Del: This indicates two or more keys to press simultaneously.
"Permission denied": This is a system message.
‘Update system’: Menu option or button.

AMD64: A Section That Applies to AMD64 Only. If a complete section of a chapter is concerned with a single platform, this is introduced, as in the case of tips, notes, and warnings, by the platform abbreviation in the title, so the table of contents for the manual reflects this difference.

Part I: Installation
1 Installation with YaST

After your hardware has been prepared for the installation of SUSE LINUX Enterprise Server as described in the Architecture-Specific Information manual and after the connection with the installation system has been established, you are presented with the interface of SUSE’s system assistant YaST.

1.1 S/390, zSeries: System Start-up for Installation

For IBM S/390 and zSeries platforms, the system is initialized (IPL) as described in the Architecture-Specific Information manual. SUSE LINUX Enterprise Server does not show a splash screen on these systems. During the installation, load the kernel, initrd, and parmfile manually.

Note (Keyboard Layout in the BIOS): The BIOS is often limited to the US keyboard layout.

Normally, the BIOS setup can only be accessed at a specific time, when the machine is booting. During this initialization phase, the machine performs a number of diagnostic hardware tests. One of them is a memory check, as indicated by a memory counter.

1.3 The Boot Screen

The boot screen has a number of menu items from which to select. ‘Boot from Hard Disk’ boots the system already installed on the host (if any). This item is selected by default, because the CD is often left in the drive. To install the system, select ‘Installation’ with the arrow keys. This loads YaST and starts the installation. Figure 1.

Manual Installation: By default, drivers are loaded automatically during the installation. If this appears to cause problems, use this option to load drivers manually. However, this does not work if you use a USB keyboard on your machine.
Rescue System: If you are unable to boot into your installed Linux system for some reason, you can boot the computer from the DVD or CD1 and select this item.

F4: Select the display language for the installation.
F5: By default, diagnostic messages of the Linux kernel are not displayed during system start-up. You only see a progress bar. To display these messages, select ‘Native’. For a maximum of information, select ‘Verbose’.
F6: Allows you to tell the system that you have an optional disk with a driver update for SUSE LINUX.

Figure 1.2: Selecting the Language

1.5 S/390, zSeries: Hard Disk Configuration

When installing on IBM S/390 and zSeries platforms, the language selection dialog is followed by a dialog to configure the attached hard disks. Select DASDs and Fibre Channel Attached SCSI Disks (ZFCP) for the installation of SUSE LINUX Enterprise Server.
Figure 1.3: S/390, zSeries: Selecting a DASD

Now specify the DASDs to use for the installation by selecting the corresponding entries in the list, then clicking ‘Select or Deselect’. After that, activate and make the DASDs available for the installation by selecting ‘Perform Action’ ➝ ‘Activate’ (see Figure 1.4).

Figure 1.5: S/390, zSeries: Overview of Available ZFCP Disks

To use ZFCP disks for the SUSE LINUX Enterprise Server installation, select ‘Configure ZFCP Disks’ in the selection dialog. This opens a dialog with a list of the ZFCP disks available on the system. In this dialog, select ‘Add’ to open another dialog in which to enter ZFCP parameters (see Figure 1.5).

The following sections describe the procedure of installing a new system. Detailed instructions for a system update can be found in Section 2.3.5 on page 63. A description of the system repair options can be found in Chapter 6 on page 185.

Figure 1.6: Selecting the Installation Mode

1.7 Installation Suggestion

After hardware detection, the suggestion window (shown in Figure 1.

Figure 1.7: Suggestion Window

1.7.2 Keyboard Layout

Note (S/390, zSeries: Keyboard and Mouse Configuration): On IBM S/390 and zSeries platforms, the installation is performed from a remote terminal. The host as such has no keyboard or mouse locally connected to it.

Select the keyboard layout. By default, the layout corresponds to the selected language.

1.7.3 Mouse

If YaST failed to detect your mouse automatically, press Tab in the suggestion window several times until ‘Mouse’ is selected. Then use Space to open the dialog in which to set the mouse type. This dialog is shown in Figure 1.8.

Figure 1.8: Selecting the Mouse Type

To select the mouse type, use ↑ and ↓. Consult your mouse documentation for information about the mouse type.

Partition Types

Note (S/390, zSeries: Hard Disks): On IBM S/390 and zSeries platforms, SUSE LINUX Enterprise Server supports SCSI hard disks as well as DASDs (direct access storage devices). While SCSI disks can be partitioned as described below, DASDs can have no more than three partition entries in their partition tables.

Every hard disk has a partition table with space for four entries.

Minimal System with Graphical Interface: 700 MB. This includes the X Window System and some applications.
Default System: 1.5 GB. This includes a modern desktop environment, like KDE or GNOME, and also provides enough space for large application suites like Netscape or Mozilla.
Full Installation: 2.5 GB. All the packages included with SUSE LINUX can be installed.
Figure 1.9: Editing the Partitioning Setup

Setup’, the ‘Expert Partitioner’ opens. It allows tweaking the partition setup in every detail. This dialog is explained in Section 1.7.5 on the next page. The original setup as proposed by YaST is offered there as a starting point. Selecting ‘Create Custom Partitioning Setup’ opens the dialog as shown in Figure 1.10 on the following page.

Figure 1.10: Selecting the Hard Disk

Caution (Using the Entire Hard Disk for Installation): If you choose ‘Use Entire Hard Disk’, all existing data on that disk is completely erased later in the installation process and is then lost.

YaST checks during the installation whether the disk space is sufficient for the software selection made.

Figure 1.11: The YaST Partitioner in Expert Mode

All existing or suggested partitions on all connected hard disks are displayed in the list of the expert dialog. Entire hard disks are listed as devices without numbers, such as /dev/hda or /dev/sda (or /dev/dasda, respectively). Partitions are listed as parts of these devices, such as /dev/hda1 or /dev/sda1 (or /dev/dasda1, respectively).

Creating a Partition

Select ‘New’. If several hard disks are connected, a selection dialog appears in which to select a hard disk for the new partition. Then, specify the partition type (primary or extended). Create up to four primary partitions or up to three primary partitions and one extended partition. Within the extended partition, create several logical partitions (see Section 1.7.4 on page 19).

3. Select ‘Next’ to activate the partition.

If you partition manually, create a swap partition. The swap partition is used to free the main memory of data that is not used at the present moment. This keeps the main memory free for the most frequently used important data.

Mount Point: This specifies the directory at which the partition should be mounted in the file system tree.

Figure 1.12: Possible Options for Windows Partitions

To shrink the Windows partition, interrupt the installation and boot Windows to prepare the partition from there. Although this step is not strictly required for FAT partitions, it speeds up the resizing process and also makes it safer. These steps are vital for NTFS partitions.

Note (Disabling the Windows Swap File): If you operate your system with a permanent swap file on an NTFS file system, this file may be located at the end of the hard disk and remain there despite defrag. Therefore, it may be impossible to shrink the partition sufficiently. In this case, temporarily deactivate the swap file (the virtual memory in Windows).

Figure 1.13: Resizing the Windows Partition

More Partitioning Tips

If the partitioning is performed by YaST and other partitions are detected in the system, these partitions are also entered in the file /etc/fstab to enable easy access to this data. This file contains all partitions in the system with their properties (parameters), such as the file system, mount point, and user permissions. Example 1.

Detailed background information and tips for partitioning are provided in Section 3.9 on page 134.

1.7.6 Software

SUSE LINUX contains a number of software packages for various application purposes. As it would be burdensome to select the needed packages one by one, SUSE LINUX offers three system types with various installation scopes.
Figure 1.14: Installing and Removing Software with the YaST Package Manager

Changing the Installation Scope

If you install the default system, there is usually no need to add or remove individual packages. It consists of a software selection that meets most requirements without any changes. If you have specific needs, modify this selection with the package manager, which greatly eases this task.

Other Filters

Click the filter selection box to view the other possible filters. The selection according to ‘Package Groups’ can also be used for the installation. This filter sorts the program packages by subjects in a tree structure to the left. The more you expand the branches, the more specific the selection of packages is and the fewer packages are displayed in the list of associated packages to the right.

1.7.7 Boot Configuration (Boot Loader Installation)

Note (S/390, zSeries: Boot Loader Configuration): The module described below cannot be used to configure the boot loader (zipl) on IBM S/390 and zSeries platforms.

During the installation, YaST proposes a boot configuration for your system. Normally, leave these settings unchanged. However, if you need a custom setup, modify the proposal for your system.

Figure 1.15: Selecting the Time Zone

ctype: The value of the variable LC_CTYPE in the file /etc/sysconfig/language is adopted for the user root. This sets the localization for language-specific function calls.
yes: The user root has the same language settings as the local user.
no: The language settings for the user root are not affected by the language selection.

1.7.11 S/390, zSeries: IPLing the Installed System

On IBM S/390 and zSeries platforms, another IPL must be performed after installing the selected software packages. However, the procedure varies according to the type of installation:

ESA Native and LPAR Installation: In the S/390 or zSeries HMC, select ‘LOAD’, select ‘Clear’, then enter the loading address (the device address of the root device).

Using SSH to Connect

Note (S/390, zSeries: Connecting from a Linux or UNIX system): Start ssh in an xterm. Other terminal emulators lack complete support for the text-based interface of YaST.

Using X to Connect

When IPLing the installed system, make sure the X server used for the first phase of the installation is still available. YaST opens on this X server to finish the installation.

1.8.1 root Password

root is the name of the superuser, the administrator of the system. Unlike regular users, who may or may not have permission to do certain things on the system, root has unlimited power to do anything: change the system configuration, install programs, and set up new hardware. If users forget their passwords or have other problems with the system, root can help.
1.8.2 Network Configuration

S/390, zSeries: Network Configuration. For IBM S/390 and zSeries platforms, a working network connection is needed at installation time to connect to the target system, the installation source, and the YaST terminal controlling the process. The steps to set up the network are discussed in the network configuration chapter of the Architecture-Specific Information manual.

Figure 1.17: Configuring the Network Devices

1.8.3 Testing the Internet Connection

If you have configured an Internet connection, you can test it now. For this purpose, YaST establishes a connection to the SUSE server and checks if any product updates are available for your version of SUSE LINUX. If there are such updates, they can be included in the installation. Also, the latest release notes are downloaded.

Figure 1.18: Testing the Internet Connection

available patches (if any), which can be selected and loaded. To learn about the process, read Section 2.3.2 on page 52. This kind of update can be performed at any time after the installation. If you prefer not to update now, select ‘Skip Update’ then click ‘OK’. 1.8.

Figure 1.19: Proposed Setup for Network Services

LDAP Server: You can run an LDAP service on your host to have a central facility managing a range of configuration files. Typically, an LDAP server handles user account data, but with SUSE LINUX Enterprise Server it can also be used for mail, DHCP, and DNS related data. By default, an LDAP server is set up during the installation.

NIS: User account data is managed centrally by a NIS server.

Locally (/etc/passwd): This setup is used for systems where no network connection is available or where users are not supposed to log in from a remote location at all. User accounts are managed using the local /etc/passwd file.

If all requirements are met, YaST opens a dialog in which to select the user administration method. It is shown in Figure 1.20.

Figure 1.21: NIS Client Configuration

In the following dialog, shown in Figure 1.21, first select whether the host has a fixed IP address or gets one via DHCP. If you select DHCP, you cannot specify a NIS domain or NIS server address, because these are provided by the DHCP server. For information about DHCP, read Section 21.11 on page 514.

1.8.8 Creating Local User Accounts

Linux is an operating system that allows several users to work on the same system at the same time. Each user needs a user account to log in to the system. By having user accounts, the system gains a lot in terms of security. For instance, regular users cannot change or delete files needed for the system to work properly.

To provide effective security, a password should be between five and eight characters long. The maximum length for a password is 128 characters. However, if no special security modules are loaded, only the first eight characters are significant when the password is checked. Passwords are case-sensitive. Special characters like umlauts are not allowed. Other special characters (7-bit ASCII) and the digits 0 to 9 are allowed.
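The password rules just stated, applied in code as an added example that is not from the guide. The function names are this example's own, and the eight-character limit is modelled by comparing only the first eight characters rather than by calling crypt(3), so it also shows why two passwords that share their first eight characters are indistinguishable on such a system.

```python
"""Password policy check modelled on the rules quoted in section 1.8.8.

Added illustration, not code from the SUSE guide. It encodes the stated
rules: 5 to 8 characters recommended, 128 maximum, only 7-bit ASCII (no
umlauts), case-sensitive, and, without special security modules loaded,
only the first eight characters are significant. The function names
(check_password, significant_part, same_effective_password) are this
example's own.
"""

MIN_RECOMMENDED = 5
SIGNIFICANT = 8        # characters actually compared without extra modules
MAX_LENGTH = 128


def significant_part(password: str, modules_loaded: bool = False) -> str:
    """Return the part of the password that is actually compared.

    Without special security modules, only the first eight characters
    count; with them, the whole password (up to 128 characters) does.
    """
    return password if modules_loaded else password[:SIGNIFICANT]


def check_password(password: str, modules_loaded: bool = False) -> list:
    """Return a list of policy findings for the password (empty means OK)."""
    findings = []
    if len(password) > MAX_LENGTH:
        findings.append("longer than the 128-character maximum")
    if len(password) < MIN_RECOMMENDED:
        findings.append("shorter than the recommended five characters")
    # Umlauts and anything else outside printable 7-bit ASCII are not allowed.
    bad = sorted({c for c in password if not 0x20 <= ord(c) <= 0x7e})
    if bad:
        findings.append("non-7-bit-ASCII characters: " + " ".join(bad))
    if not modules_loaded and len(password) > SIGNIFICANT:
        findings.append(
            "only the first eight characters are significant; the rest "
            "does not add strength"
        )
    return findings


def same_effective_password(a: str, b: str, modules_loaded: bool = False) -> bool:
    """True if two passwords are indistinguishable under the stated rules.

    Shows the practical consequence of the eight-character limit: two
    passwords that share their first eight characters are accepted as the
    same password when no special security modules are loaded. The
    comparison stays case-sensitive, as the guide states.
    """
    return significant_part(a, modules_loaded) == significant_part(b, modules_loaded)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the guide.
    for pw in ["Tr0ub4d", "abc", "Müller99", "correct-horse-battery"]:
        print(repr(pw), check_password(pw) or ["OK"])
    # Differ only in the ninth character, so they collide without modules.
    print(same_effective_password("Tr0ub4dor", "Tr0ub4doR"))
```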
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 45 — #71 i i 1.9 1 Hardware Configuration Installation with YaST At the end of the installation, YaST opens a dialog in which to configure the graphics card and other hardware devices. Just click a component to start its configuration. For the most part, YaST detects and configure the devices automatically. Figure 1.
You may skip any peripheral devices and configure them later. However, you should configure the graphics card right away. Although the display settings autoconfigured by YaST are generally acceptable, most users have strong preferences regarding resolution, color depth, and other graphics features. To change these settings, select ‘Graphics Cards’.
2 YaST — Configuration
In SUSE LINUX Enterprise Server, YaST handles both the installation and the configuration of your system. This chapter describes the configuration of system components (hardware), network access, security settings, and the administration of users. A short introduction to the text-based YaST can be found at the end of the chapter.
2.1 Starting YaST
Use the various dedicated YaST modules, each customized for a specific purpose, to configure a system. Depending on the underlying hardware platform, there are different ways to access YaST in the installed system.
2.1.1 Running YaST on a Graphical Desktop
If you are running KDE or GNOME, start the YaST Control Center from the SUSE menu (‘System’ ➝ ‘YaST’).
2.2 The YaST Control Center
When you start YaST in graphical mode, the YaST Control Center, as shown in Figure 2.1, opens. The left frame displays a help text for the current topic, explaining the required entries. After making the needed settings, complete the procedure by pressing ‘Finish’ in the last configuration dialog. The configuration is then saved.
2.3 Software
2.3.1 Change Installation Source
The installation source is the medium containing the software to install. YaST can administer a number of different installation sources and enables their selection for installation or update purposes. For example, add the SUSE Software Development Kit CDs as an installation source. When this module starts, it displays a list of all previously registered sources.
Figure 2.2: Change Installation Source
Note: Availability of a Local Update Server
If a dedicated YOU Server was installed in the local intranet using the ‘YOU Server’ module (see Section 4.2 on page 156), the YOU clients can be configured to poll this server instead of an external one. The configuration of the clients is described in Section 4.2.2 on page 158.
Additionally, the system can be updated automatically. Click ‘Configure Fully Automatic Update’ to set up a process that looks for updates and applies them on a regular basis. This procedure is fully automated and requires no interaction. It only works if a connection to the update server, such as an Internet connection, exists at the time of the update.
Figure 2.3: YaST Online Update
-a architecture: Base architecture for which patches should be fetched.
-d: “Dry run” cycle. Fetch patches and simulate installation for test purposes. The system remains unchanged.
-n: No signature checking of the fetched files. With this option, patches are installed without verifying that they carry a valid vendor signature, so do not use it in unattended runs.
-s: Display list of available patches.
-V: Verbose mode. Print progress messages.
-D: Debug mode for experts and for troubleshooting.
2.3.4 Installing and Removing Software
This module enables installation, uninstallation, and update of software on your machine. In Linux, software is available in the form of packages. Normally, a package contains everything needed for a program (such as an editor or a compiler): usually the actual program, associated configuration files, and documentation.
The Package Manager
To change the software selection on your system with the package manager, select ‘Install or Remove Software’ in the YaST Control Center. The dialog window of the package manager is shown in Figure 2.4.
Figure 2.4: YaST Package Manager
The window comprises various frames. Modify the frame sizes by clicking and moving the lines separating the areas.
The Selections Filter
At start-up, the ‘Selections’ filter is active. This filter groups the program packages according to their application purpose, such as multimedia or office applications. The various groups of the ‘Selections’ filter are listed under the filter selection box. The packages already installed on the system are preselected.
Note: Installation Summary
After selecting the packages for installation, update, or deletion, use the filter selection to view the installation summary. It shows what will happen with packages when you click ‘Accept’. Use the check boxes to the left to filter the packages to view in the individual package window.
The package manager offers the following package status flags:
Do Not Install: This package is not installed and will not be installed.
Install: This package is not yet installed but will be installed.
Keep: This package is already installed and will not be changed.
Update: This package is already installed and will be replaced by the version on the installation medium.
Automatic Update (after selection): This package is already installed, but a newer version exists on the installation media. The package is part of a predefined selection, such as “Multimedia” or “Development,” that was selected for update, and it will automatically be updated.
The Resource Window
The resource window at the bottom left displays the disk space needed for your current selection of software on all currently mounted file systems. The colored bar graph grows with every selection. As long as it remains green, there is sufficient space. The bar color slowly changes to red as you approach the limit of disk space.
Dependency Check
‘Check Dependencies’ and ‘Autocheck’ are located in the information window. If you click ‘Check Dependencies’, the package manager checks whether the current package selection results in any unresolved package dependencies or conflicts. In the event of unresolved dependencies, the required additional packages are selected automatically.
Figure 2.5: Conflict Management of the Package Manager
The procedure for updating the system is similar to a new installation. Initially, YaST examines the system, determines a suitable update strategy, and presents the results in a suggestion dialog like that in Figure 2.6 on the facing page. Click the individual items with the mouse to change any details.
Figure 2.6: Suggestion Dialog for Updates
Update with Installation of New Software
To update the entire system to the latest software versions, select one of the predefined selections. These selections are the same as those offered during the installation. They make sure that new packages that did not exist previously are also installed.
Figure 2.7: Update Options
Backup: During the update, the configuration files of some packages may be replaced by those of the new version. As you may have modified some of the files in your current system, the package manager normally makes backup copies of the replaced files. With this dialog, determine the scope of these backups.
Note: Scope of the Backup
This backup does not include the software.
Note: Updating the System
This manual includes a chapter about updating (see Chapter 5 on page 163). All important changes from previous versions are listed, including alerts for possible update problems (see Section 5.2.1 on page 168).
In most cases, YaST replaces old versions with new ones without problems.
2.4 Hardware
New hardware must first be installed or connected as specified by the vendor. Turn on external devices and start the respective YaST module. Most devices are automatically detected by YaST and the technical data is displayed. If the automatic detection fails, YaST offers a list of devices (model, vendor, etc.) from which to select the suitable device.
2.4.2 S/390, zSeries: DASD Devices
If the DASDs are listed in the kernel parameter line of /etc/zipl.conf (e.g., dasd=301,302), edit /etc/zipl.conf to add the new DASD to that list, then run zipl so that the changed parameter line is written to the boot record. If the DASD management is not done via /etc/zipl.conf, issue cd /boot and mkinitrd. To make sure the new DASD is included in the setup, check the output of mkinitrd.
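As an added example (not from the SUSE guide), here is a small POSIX shell helper for the first case above: it appends a DASD device number to the dasd= list in the kernel parameter line of a zipl.conf without adding it twice and prints the resulting list for checking. The sample zipl.conf content, the temporary file path used for the demonstration, and the device number 303 are constructed for the example; the guide's own list is dasd=301,302.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: add a DASD device number to the
# dasd= parameter list in /etc/zipl.conf idempotently and show the result.
# The sample configuration, the temporary path, and the device numbers are
# constructed for this example; the guide's own list is dasd=301,302.

# dasd_list FILE : print the current dasd= list (device numbers or ranges).
dasd_list() {
  sed -nE 's/.*dasd=([0-9a-fA-F,-]+).*/\1/p' "$1" | head -n 1
}

# has_dasd FILE DEVNO : succeed if DEVNO is already an element of the list.
# Ranges such as 301-305 are not expanded; they are compared verbatim only.
has_dasd() {
  for item in $(dasd_list "$1" | tr ',' ' '); do
    [ "$item" = "$2" ] && return 0
  done
  return 1
}

# add_dasd FILE DEVNO : extend the list in FILE, keeping a backup copy first.
add_dasd() {
  file=$1
  devno=$2
  if has_dasd "$file" "$devno"; then
    echo "$devno is already in dasd=$(dasd_list "$file")"
    return 0
  fi
  cp "$file" "$file.bak"
  sed -E "s/(dasd=[0-9a-fA-F,-]+)/\1,$devno/" "$file.bak" > "$file"
  echo "dasd list is now $(dasd_list "$file")"
  # On a real system, run zipl afterwards so the new parameter line is
  # written to the boot record; the edit alone changes nothing at boot.
}

# Demonstration on a constructed copy of zipl.conf, not the live file.
ZIPL=${TMPDIR:-/tmp}/zipl.conf.example.$$
trap 'rm -f "$ZIPL" "$ZIPL.bak"' EXIT
cat > "$ZIPL" <<'EOF'
[defaultboot]
default=ipl
[ipl]
target=/boot/zipl
image=/boot/image
ramdisk=/boot/initrd
parameters="dasd=301,302 root=/dev/dasda1 TERM=dumb"
EOF

add_dasd "$ZIPL" 303   # extends the list to 301,302,303
add_dasd "$ZIPL" 303   # second call is a no-op
```

The backup copy and the idempotence check are there because a mistyped parameter line on this architecture leaves a system that cannot find its disks at boot; keep the .bak file until the next IPL has succeeded.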
Automatic Configuration
YaST is able to configure the printer automatically if the parallel or USB port can be set up automatically and the connected printer can be autodetected. Additionally, the ID string of the printer, as supplied to YaST during hardware autodetection, must be included in the printer database.
For non-PostScript models, all printer-specific data is produced by the Ghostscript driver. For this reason, the driver configuration is the single most important factor determining the output quality. The printout is affected both by the kind of Ghostscript driver (PPD file) selected and the options specified for it. If necessary, change additional options (as made available by the PPD file) after selecting ‘Edit’.
Advanced Settings
Normally, there should be no need to change any of these settings.
Configuration for Applications
Applications rely on the existing printer queues in the same way as any command-line tools do. There is usually no need to reconfigure the printer for a particular application, as you should be able to print from applications using the available queues.
Configuring CUPS in the Network
For guidelines on the installation of CUPS in the network, see http://portal.suse.
1. Configure the queues for the printers belonging to the server on the server.
2. Permit access to the queues for the client computers.
3. Activate the transmission of browsing information to the client computer.
In the case of point 1, the following cases must be distinguished:
2.4.4 Hard Disk Controller
Normally, YaST configures the hard disk controller of your system during the installation. If you add controllers, integrate these into the system with this YaST module. You can also modify the existing configuration, but this is generally not necessary. The dialog presents a list of detected hard disk controllers and enables assignment of the suitable kernel module with specific parameters.
If you have just installed a new graphics card, a small dialog appears asking whether to activate 3D acceleration for your graphics card. Click ‘Edit’. SaX2, the configuration tool for the input and display devices, starts in a separate window. This window is shown in Figure 2.9.
Click ‘Finish’ in the main window after completing the settings for your monitor and your graphics card, then test your settings. This ensures that your configuration is suitable for your devices. If the image is not steady, terminate the test immediately by pressing Esc and reduce the refresh rate or the resolution and color depth.
Caution: Configuring the Monitor Frequencies
There are safety mechanisms, but you should still be very careful when manually changing the allowed frequencies. False values may destroy your monitor. If in doubt, refer to the manual of the monitor.
‘Expert’: Here, enter some options for your screen.
Figure 2.11: Selecting the Graphics Card
‘Resolution’: When the hardware is detected, the resolution is queried. Therefore, the module usually only offers resolution and color depth combinations that your hardware can display correctly. This keeps the danger of damaging your hardware with incorrect settings very low in SUSE LINUX.
Figure 2.12: Configuring the Resolution
The virtual resolution can be set in two different ways. To set it using ‘By Drag&Drop’, move the mouse pointer over the monitor image so it turns into crosshairs. Keep the left mouse button pressed and move the mouse to enlarge the raster image, which corresponds to the virtual resolution.
Figure 2.13: Configuring the Virtual Resolution
Multihead
If you have installed more than one graphics card in your computer or a graphics card with multiple outputs, you can connect more than one screen to your system. If you operate two screens, this is referred to as dualhead. More than two is referred to as multihead.
Figure 2.14: Adjusting the Image Geometry
The layout of a multihead environment describes the arrangement of and the relationship between the individual screens. By default, SaX2 configures a standard layout that follows the sequence of the detected graphics cards, arranging all screens in a row from left to right.
The status of the check box used for activating and deactivating the entry of accented letters depends on the respective language and does not need to be changed. Click ‘Finish’ to apply the new settings to your system.
Touchscreen
Currently, XFree86 only supports Microtouch and Elo TouchSystems touchscreens. SaX2 can only autodetect the monitor, not the toucher. The toucher is treated as an input device.
Table 2.1: AccessX — Operating the Mouse with the Numeric Keypad
- selects the left mouse button
- selects the middle mouse button
- selects the right mouse button
- invokes a click event of the previously selected mouse button. The left mouse button is preset if no other button was selected. The selection is reset to its default after the event.
2.4.6 Hardware Information
YaST detects hardware for the configuration of hardware components. The detected technical data is displayed in this screen. This is especially useful, for example, if you want to submit a support request for which you need information about your hardware.
Figure 2.15: Displaying Hardware Information
Note: DMA (direct memory access) means that data is transferred directly to RAM, bypassing the processor.
2.4.8 Mouse
Configure your mouse with this YaST module. As the procedure for the selection of the mouse was already explained for the installation, refer to Section 1.7.3 on page 18.
Network Scanner: Enter the IP address or the host name. To configure a network scanner, refer to the Support Database article Scanning in Linux (http://sdb.suse.de/en/, keyword scanner).
If your scanner was not detected, the device probably is not supported. However, sometimes even supported scanners are not detected. If that is the case, proceed with the manual scanner selection.
2.4.10 Sound
Setup With ‘Quick Automatic Setup’, you are not required to go through any of the further configuration steps and no sound test is performed. The sound card is configured automatically. With ‘Normal Setup’, you can adjust the output volume and play a test sound. ‘Advanced Setup’ allows you to manually customize the sound card options.
If you use a Creative Soundblaster Live or AWE sound card, automatically copy SF2 sound fonts to your hard disk from the original Soundblaster driver CD-ROM with ‘Install Sound Fonts’. The sound fonts are saved in the directory /usr/share/sfbank/creative/. Enable or disable the start-up of ALSA when booting the machine with ‘Start ALSA’. For playback of MIDI files, activate ‘Start Sequencer’.
2.5 Network Devices
2.6 Network Services
2.6.1 DHCP Server
YaST can set up a custom DHCP server in only a few steps. Section 21.11 on page 514 provides basic knowledge about the subject as well as a step-by-step description of the configuration process in YaST.
printers available. A domain controller enables its clients to log in to a Windows domain. The primary domain controller manages users and passwords. A backup domain controller uses another domain controller for authenticating the users. More information about Samba is available in Section 24.1 on page 576.
Connection Type
To configure your mail with YaST, specify the desired type of connection to the Internet in the first dialog of the e-mail configuration module. Choose one of the following options:
‘Permanent’: Select this option if you have a dedicated line to the Internet. Your machine is online permanently, so no dial-up is required.
The mail server module allows configuration of SUSE LINUX Enterprise Server as a mail server. YaST assists with the following steps of the configuration process:
Global Settings: Configures the identification of the local mail server as well as the maximum size of incoming or outgoing messages and the type of mail transport.
Local Delivery: Configures the type of local mail delivery.
2.6.10 Network Services (inetd)
When this module starts, choose which of the two services to configure. The selected daemon can be started with a standard selection of network services. If desired, ‘Add’, ‘Delete’, or ‘Edit’ services to compose your own selection. Every service enabled here accepts connections from the network, so keep the selection to the services the host actually needs.
Configure the validity of the password in ‘Password Settings’. Click ‘Edit’ to change these settings whenever necessary. To delete a user, select the user from the list and click ‘Delete’. For advanced network administration, use ‘Expert Options’ to define the default settings for the creation of new users. Select the authentication method (NIS, LDAP, Kerberos, or Samba) and the algorithm used to encrypt (hash) the passwords.
Figure 2.17: Group Administration
2.7.3 Security Settings
In ‘Local Security Configuration’, which can be accessed under ‘Security&Users’, select one of the following four options:
Level 1 is for standalone computers (preconfigured).
Level 2 is for workstations with a network (preconfigured).
Level 3 is for a server with a network (preconfigured).
‘Boot Settings’: Specify how the key combination Ctrl-Alt-Del should be interpreted by selecting the action from the drop-down list. Usually, this combination, entered in the text console, causes the system to reboot. Do not modify this setting unless the console of your machine or server is accessible to others and you want to prevent an unauthorized reboot in this way.
on a daily basis or after booting, generates a database (locatedb) in which the location of each file on your computer is stored. If you select ‘Nobody’, the database is built by the unprivileged user nobody, so it only contains the paths that any other (unprivileged) user can see, and locate cannot reveal the names of files in directories that user may not read.
Press ‘Finish’ to complete your security configuration.
2.8 System
Note: S/390, zSeries: Continuing
For IBM S/390 and zSeries, continue with Section 2.8.5 on page 102.
2.8.1 Backup Copy of the System Areas
The YaST backup module enables you to create a backup of your system. The backup created by the module does not comprise the entire system, but only saves information about changed packages and copies of critical storage areas and configuration files.
Caution: System Restoration
As this module normally installs, replaces, or uninstalls many packages and files, use it only if you have experience with backups, as otherwise you may lose data.
Figure 2.19: Start Window of the Restore Module
Use this YaST module to create boot disks, rescue disks, and module disks. These floppy disks are helpful if the boot configuration of your system is damaged. The rescue disk is especially necessary if the file system of the root partition is damaged. In this case, you might also need the module disk with various drivers to be able to access the system (e.g., to access a RAID system).
The following module disks are available:
USB Modules: This floppy disk contains the USB modules you might need if USB drives are connected.
IDE, RAID, and SCSI Modules: As the standard kernel only supports normal IDE drives, you will need this module disk if you use special IDE controllers. Furthermore, all RAID and SCSI modules are provided on this disk.
2.8.4 Boot Loader Configuration
Note: S/390, zSeries: YaST Boot Loader Configuration
Boot loader configuration through YaST is not supported on IBM S/390 and zSeries.
A detailed description of how to configure the boot loader with YaST is available in Section 8.6 on page 222.
2.8.5 LVM
The Logical Volume Manager (LVM) is a tool for custom partitioning of hard disks into logical drives.
2.8.8 Profile Manager (SCPM)
Note: S/390, zSeries: Profile Manager
This module is not relevant for SUSE LINUX Enterprise Server on IBM S/390 and zSeries.
The SCPM (System Configuration Profile Management) module offers the possibility of creating, managing, and switching among system configurations.
Caution: Runlevel Configuration
Incorrect settings for system services and runlevels can render your system useless. To retain the operability of your system, consider the possible consequences before modifying any of these settings.
More information about runlevels in SUSE LINUX can be found in Chapter 11 on page 265.
2.8.12 Language Selection
Here, select the language for your Linux system. The language can be changed at any time.
2.8.13 Keyboard Layout Selection
Note: S/390, zSeries: Keyboard Layout
Because IBM S/390 and zSeries do not have a locally attached keyboard, this module has no relevance for these architectures.
YaST offers the possibility to send a support request directly by e-mail to the SUSE team. Registration is required first. Start by entering the required data; your registration code is located on the back of the CD cover. Regarding your query, select the problem category in the following window and provide a description of the problem (Figure 2.21).
2.9.4 Loading a Vendor’s Driver CD
With this module, automatically install device drivers from a Linux driver CD that contains drivers for SUSE LINUX.
2.10 YaST in Text Mode (ncurses)
When YaST is started in text mode, the YaST Control Center appears first. See Figure 2.22.
When the YaST Control Center is started, the category ‘Software’ is selected automatically. Use ↓ and ↑ to change the category. To start a module from the selected category, press →. The module selection now appears with a thick border. Use ↓ and ↑ to select the desired module. Keep the arrow keys pressed to scroll through the list of available modules.
Function Keys
The F keys (F1 to F12) enable quick access to the various buttons. Which function keys are actually mapped to which buttons depends on the active YaST module, as the different modules offer different buttons (Details, Info, Add, Delete, etc.). Use F10 for ‘OK’, ‘Next’, and ‘Finish’.
Restriction of Function Keys: The F keys are also used for functions. Certain function keys might be occupied by the terminal and may not be available for YaST. However, the Alt key combinations and F keys should always be fully available on a pure text console.
2.10.3 Starting the Individual Modules
To save time, the individual YaST modules can be started directly. To start a module, enter yast followed by the module name.
Configure a cron job that executes the following command:
-u: introduces the base URL of the directory tree from which the patches should be downloaded. The following protocols are supported: http, ftp, smb, nfs, cd, dvd, and dir.
-g: downloads the patches to a local directory without installing them. Optionally, filter the patches by specifying the type: security, recommended, or optional.
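As an added example (not from the SUSE guide), this POSIX shell script is the shape of cron job described here and in the option list under Figure 2.3: it stages patches from a YOU server with -g and refuses the -n option, so that unattended runs never skip signature checking. It assumes the YOU command-line tool is called online_update (the guide names only its options -u, -g, -a, -d, -n, -s, -V, -D), that -g takes the optional patch type as its argument, and a made-up server URL http://you.example.com/you; set ONLINE_UPDATE=print_you_cmd to see the resulting call without touching a system.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: an unattended YaST Online Update
# (YOU) fetch suitable for a cron job. Assumptions: the command-line tool is
# online_update, -g takes the patch type (security, recommended, optional)
# as its argument, and http://you.example.com/you is a made-up local YOU
# server. Override ONLINE_UPDATE (e.g. ONLINE_UPDATE=print_you_cmd) to
# see the call without running anything.

ONLINE_UPDATE=${ONLINE_UPDATE:-online_update}
# Protocols the guide lists as supported for -u.
ALLOWED_PROTOCOLS="http ftp smb nfs cd dvd dir"

# print_you_cmd ARGS... : stand-in for online_update that only prints the call.
print_you_cmd() {
  printf 'online_update %s\n' "$*"
}

# url_protocol URL : the part before the first ':'.
url_protocol() {
  printf '%s\n' "${1%%:*}"
}

# url_allowed URL : succeed if the protocol is one YOU understands.
url_allowed() {
  p=$(url_protocol "$1")
  for allowed in $ALLOWED_PROTOCOLS; do
    [ "$allowed" = "$p" ] && return 0
  done
  return 1
}

# audit_you_args ARGS... : fail if the arguments would weaken an unattended run.
audit_you_args() {
  for arg in "$@"; do
    case $arg in
      -n) echo "refusing -n: it disables signature checking of fetched patches" >&2; return 1 ;;
    esac
  done
  return 0
}

# you_fetch URL ARCH [TYPE] : download (not install) patches of TYPE for ARCH.
you_fetch() {
  url=$1
  arch=$2
  type=${3:-security}
  url_allowed "$url" || { echo "unsupported protocol in $url" >&2; return 1; }
  case $type in
    security|recommended|optional) ;;
    *) echo "unknown patch type: $type" >&2; return 1 ;;
  esac
  # -g stages the patches locally without installing them, so they can be
  # installed in a later, verified step; -V gives cron a log trail.
  set -- -u "$url" -g "$type" -a "$arch" -V
  audit_you_args "$@" || return 1
  "$ONLINE_UPDATE" "$@"
}

# Example invocation as cron would run it.
if command -v "$ONLINE_UPDATE" >/dev/null 2>&1; then
  you_fetch http://you.example.com/you i386 security
else
  echo "$ONLINE_UPDATE not found; set ONLINE_UPDATE=print_you_cmd to see the call" >&2
fi
```

The audit step is deliberately separate from the argument building: if someone later edits the cron entry and adds -n to get past a signature failure, the job refuses to run rather than silently installing unverified patches.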
3 Special Installation Procedures
SUSE LINUX can be installed in a number of ways. The possibilities range from a graphical quick installation to a text-based installation allowing numerous manual adaptations. The following sections cover various installation procedures and the use of diverse installation sources (CD-ROM, NFS).
3.1 linuxrc
linuxrc is a program that runs in the start-up stage of the kernel prior to the actual boot process. This allows you to boot a small modularized kernel and to load the few drivers that are really needed as modules. linuxrc assists in loading relevant drivers manually. However, the automatic hardware detection performed by YaST is usually quite reliable.
3.1.1 Main Menu
After selecting the language and keyboard, continue to the main menu of linuxrc (see Figure 3.2). Normally, linuxrc is used to start Linux, in which case you should select ‘Start Installation or System’. You may be able to access this item directly, depending on the hardware and the installation procedure in general. Refer to Section 3.
Figure 3.3: System Information
    hda: IC35L060AVER07-0, ATA DISK drive
    ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
    hdc: DV-516E, ATAPI CD/DVD-ROM drive
    ide1 at 0x170-0x177,0x376 on irq 15
    hda: max request size: 128KiB
    hda: 120103200 sectors (61492 MB) w/1916KiB Cache, CHS=65535/16/63, UDMA(100)
    hda: hda1 hda2 hda3
If you have booted a kernel with a SCSI driver already compiled into it, also skip loading a SCSI driver module.
    Model: CD-ROM CD-532S Rev: 1.0A ANSI SCSI revision: 02
3.1.3 Loading Modules
Select the modules (drivers) needed. linuxrc offers the available drivers in a list. The name of the respective module is displayed to the left and a brief description of the hardware supported by the driver is displayed to the right. For some components, linuxrc offers several drivers or newer alpha versions of them.
Figure 3.5: Selecting SCSI Drivers
In many cases, it is not necessary to specify the hardware in detail, as most drivers find their components automatically. Only network cards and older CD-ROM drives with proprietary controller cards may require parameters. If unsure, try pressing Enter. For some modules, the detection and initialization of the hardware can take some time.
Figure 3.6: Entering Parameters for a Module
Note: If it turns out that no driver is included for your installation device (proprietary or parallel port CD-ROM drive, network card, PCMCIA) among the standard modules, you may be able to use one of the drivers of an extra module disk (to learn how to make such a floppy, refer to Section 3.6 on page 129).
Figure 3.7: The linuxrc Installation Menu
‘Start LiveEval CD’ is only available if you booted a LiveEval CD. Download ISO images from the FTP server (live-cd-) at ftp://ftp.suse.com/pub/suse/i386/
Note: ‘Start LiveEval CD’ is very useful for testing the compatibility of a computer or laptop without installing the system on the hard disk.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 121 — #147 i i 3 Special Installation Procedures Figure 3.8: Selecting the Source Medium in linuxrc 3.1.6 Potential Problems The desired keyboard layout is not offered by linuxrc. To solve this, select an alternative, such as ‘English (US)’. After the installation is completed, adjust this setting with YaST. The SCSI adapter of your machine is not recognized. Try loading the module of a compatible adapter.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 122 — #148 i i i 3.1.7 Passing Parameters to linuxrc If linuxrc does not run in manual mode, it looks for an info file on a floppy disk or in the initrd in /info. Subsequently, linuxrc loads the parameters at the kernel prompt. You can edit the default values in the file /linuxrc.config. However, the recommended method is to implement changes in the info file. An info file consists of keywords and values in the format key: value.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 123 — #149 i i VNCPassword: password This sets a password for a VNC installation to control access to the session. UseSSH: 0|1 This keyword enables access to linuxrc via SSH when performing the installation with YaST in text mode. SSHPassword: password This sets the password for the user root to access linuxrc. Insmod: module parameters This specifies a module the kernel should load, together with any parameters needed for it.
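Because the info file carries the passwords that guard the remote installation session, it is worth checking it mechanically before the floppy or initrd is built. The following Python script is an added example written for this section; it is not part of this manual, of linuxrc, or of any SUSE tool. The key: value syntax and the keywords VNCPassword, UseSSH, SSHPassword, and Insmod are those described above; the sample file and the policy checks (an assumed minimum password length, a warning about clear-text storage) are this example's own assumptions.

```python
"""Parse a linuxrc info file and flag weak remote-access settings.

Added example for this section; it is not code from SUSE or linuxrc.
The keywords (VNCPassword, UseSSH, SSHPassword, Insmod) and the key: value
syntax are those the manual describes; the policy checks and thresholds are
this example's own assumptions.
"""

from typing import Dict, List

# Constructed sample info file for a remote installation (not a real one).
SAMPLE_INFO = """\
# remote installation over the network
Insmod: e1000
UseSSH: 1
SSHPassword:
VNCPassword: short
"""


def parse_info(text: str) -> Dict[str, List[str]]:
    """Return {keyword: [values]} for 'key: value' lines.

    Blank lines and '#' comments are skipped. A keyword may appear more than
    once (several Insmod lines, for example), so values are kept in order.
    """
    parsed: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        key, _, value = line.partition(":")
        parsed.setdefault(key.strip(), []).append(value.strip())
    return parsed


def audit_info(parsed: Dict[str, List[str]], min_len: int = 8) -> List[str]:
    """Return findings about remote access to the installer.

    min_len is an assumed minimum password length, not a linuxrc rule.
    The last value wins when a keyword is repeated.
    """
    findings: List[str] = []
    use_ssh = parsed.get("UseSSH", ["0"])[-1]
    ssh_pw = parsed.get("SSHPassword", [""])[-1]
    vnc_pw = parsed.get("VNCPassword", [""])[-1]

    if use_ssh not in ("0", "1"):
        findings.append(f"UseSSH must be 0 or 1, got {use_ssh!r}")
    if use_ssh == "1" and not ssh_pw:
        findings.append("UseSSH: 1 without an SSHPassword leaves root access "
                        "to linuxrc unprotected")
    for name, pw in (("SSHPassword", ssh_pw), ("VNCPassword", vnc_pw)):
        if pw and len(pw) < min_len:
            findings.append(f"{name} is shorter than {min_len} characters")
    if ssh_pw or vnc_pw:
        findings.append("passwords are stored in clear text in the info file; "
                        "restrict access to the floppy or initrd carrying it")
    return findings


if __name__ == "__main__":
    for finding in audit_info(parse_info(SAMPLE_INFO)):
        print("-", finding)
```

Run against the sample, the script reports the empty SSHPassword next to UseSSH: 1, the short VNC password, and the clear-text storage; an info file with UseSSH: 0 and no passwords produces no findings.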
3.2.1 Preparing for the VNC Installation

S/390, zSeries: As described in the Architecture-Specific Information manual, it is only necessary to choose the VNC connection option in the installation process for S/390 and zSeries. This option allows any VNC client to be connected to the installation system and ensures that the installation process can be carried out with the graphical YaST.

3.3 Text-Based Installation with YaST

First, set the boot sequence in the BIOS to enable booting from the CD-ROM drive. Insert the DVD or CD 1 in the drive and reboot the machine. The start screen is displayed after a few seconds. Use ↑ and ↓ to select ‘Manual Installation’ within ten seconds to prevent YaST from starting automatically.

Also refer to the SDB article http://portal.suse.com/sdb/en/2002/10/81_acpi.html. If unexplainable errors occur when the kernel is loaded or during the installation, select ‘Memory Test’ in the boot menu to check the memory. Linux requires the hardware to meet high standards, which means the memory and its timing must be set correctly. More information is available at http://portal.suse.

3.4.1 The Graphical SUSE Screen

Starting with SUSE LINUX 7.2, the graphical SUSE screen is displayed on the first console if the option “vga=” is used as a kernel parameter. If you install using YaST, this option is automatically activated in accordance with the selected resolution and the graphics card.

3.5 Special Installation Procedures

3.5.1 Automatic Installation with AutoYaST

If the installation needs to be performed on many similar machines, it makes sense to use AutoYaST for the task. AutoYaST relies on the hardware detection mechanism of YaST and normally uses default settings, but it can also be configured to suit your needs. Therefore, installation hosts need not be strictly identical.

3.6 Tips and Tricks

You need formatted 3.5” HD floppy disks and a bootable 3.5” floppy disk drive. The boot directory on CD 1 contains a number of disk images. With a suitable utility, these images can be copied to floppy disks. A floppy disk prepared in this way is referred to as a boot disk. The disk images also include the loader SYSLINUX and the program linuxrc.

4. On start-up, the utility asks for the source and destination of the file to copy. The image of the boot disk is located in the directory boot/ on CD 1. The file name is bootdisk. Remember to specify the path for your CD drive.

d:\dosutils\rawrite\rawrite
RaWrite 1.

The other disk images (modules1, modules2, modules3, and modules4) can be created in the same way. These floppy disks are required if you have USB or SCSI devices or a network or PCMCIA card that you want to address during the installation. A module disk may also be needed to use a special file system during the installation. To use a custom kernel during the installation, the procedure is a bit more complex.

Note: If you keep Shift pressed when SYSLINUX starts, all these steps are skipped. For troubleshooting purposes, insert the line verbose 1 in syslinux.cfg so the boot loader displays which action is currently being performed.

Note: If the machine does not boot from the floppy disk, you may have to change the boot sequence in the BIOS to A,C,CDROM.

3.6.4 Using CD 2 for Booting

CD 2 is also bootable.

3.7

If your ATAPI CD-ROM is not recognized or it hangs while reading, this is most frequently due to incorrectly installed hardware. All devices must be connected to the EIDE controller in the correct order. The first device is master on the first controller. The second device is slave on the first controller. The third device should be master on the second controller.

3.8 Assigning Permanent Device File Names to SCSI Devices

When the system is booted, SCSI devices are assigned device file names in a more or less dynamic way. This is no problem as long as the number or configuration of the devices does not change.

First, consider the following questions:

How many people will work with this machine (concurrent logins)?
How many hard disks are installed?
What is their size and type (EIDE, SCSI, or RAID controllers)?

3.9.1 Size of the Swap Partition

Many sources state the rule that the swap size should be at least twice the size of the main memory. This is a relic of times when 8 MB RAM was considered a lot.

Compute Server

A compute server is generally a powerful machine that carries out extensive calculations in the network. Normally, such a machine is equipped with a large main memory (more than 512 MB RAM). Fast disk throughput is only needed for the swap partitions. If possible, distribute swap partitions to multiple hard disks.

3.9.3 Optimization

The hard disks are normally the limiting factor.

On a multitasking, multiuser system like Linux, these parameters can be optimized effectively. For example, examine the excerpt of the output of the command df in Example 3.1.

Example 3.1: Example df Output

Filesystem  Size  Used  Avail  Use%  Mounted on
/dev/sda5   1.8G  1.6G  201M   89%   /
/dev/sda1    23M  3.9M   17M   18%   /boot
/dev/sdb1   2.9G  2.1G  677M   76%   /usr
/dev/sdc1   1.

Speed and Main Memory

In Linux, the size of main memory is often more important than the processor speed. One reason, if not the main reason, for this is the ability of Linux to create dynamic buffers containing hard disk data. For this purpose, Linux uses various tricks, such as read ahead (reading of sectors in advance) and delayed write (postponement and bundling of write access).

3.10.1 Logical Volume Manager (LVM)

Starting from kernel version 2.6, you can use LVM version 2, which is downward-compatible with the previous LVM and enables the continued management of old volume groups. When creating new volume groups, decide whether to use the new format or the downward-compatible version. LVM2 does not require any kernel patches. It makes use of the device mapper integrated in kernel 2.6.

Implementing LVM already makes sense for heavily used home PCs or small servers. If you have a growing data stock, as in the case of databases, MP3 archives, or user directories, LVM is just the right thing for you. This would allow file systems that are larger than the physical hard disk. Another advantage of LVM is that up to 256 LVs can be added.

3.10.3 LVM — Partitioning

After selecting ‘LVM...’ in the partitioning section, continue automatically to a dialog in which to repartition your hard disks. Delete or modify existing partitions here or add new ones. A partition to use for LVM must have the partition identifier 8E. These partitions are indicated with “Linux LVM” in the partition list.

You do not need to set the 8E label for all partitions designated for LVM. If needed, YaST automatically sets the partition label of a partition assigned to an LVM volume group to 8E. For any unpartitioned areas on your disks, create LVM partitions in this dialog. These partitions should then be designated the partition label 8E. They do not need to be formatted and no mount point can be entered.

To add a previously unassigned partition to the selected volume group, first click the partition, then ‘Add Volume’. At this point, the name of the volume group is entered next to the selected partition. Assign all partitions reserved for LVM to a volume group. Otherwise, the space on the partition remains unused. Before exiting the dialog, every volume group must be assigned at least one physical volume.

Figure 3.12: Partition List

Caution: Using LVM might be associated with increased risk factors, such as data loss. Risks also include application crashes, power failures, and faulty commands. Save your data before implementing LVM or reconfiguring volumes. Never work without a backup.

If you have already configured LVM on your system, the existing logical volumes must be entered now.

3.11 Soft RAID

Figure 3.13: Logical Volume Management

The purpose of RAID (redundant array of inexpensive disks) is to combine several hard disk partitions into one large virtual hard disk for the optimization of performance and data security. Using this method, however, one advantage is sacrificed for another.

Figure 3.14: Creating Logical Volumes

3.11.1 Common RAID Levels

RAID 0
This level improves the performance of your data access. Actually, this is not really a RAID, because it does not provide redundancy, but the name RAID 0 for this type of system has become the norm. With RAID 0, two hard disks are pooled together.

RAID 5
RAID 5 is an optimized compromise between the two other levels in terms of performance and redundancy. The hard disk space equals the number of disks used minus one. The data is distributed over the hard disks as with RAID 0. Parity blocks, created on one of the partitions, provide the redundancy.

3.11.3 Troubleshooting

Find out whether a RAID partition has been destroyed by checking the contents of /proc/mdstat. The basic procedure in case of system failure is to shut down your Linux system and replace the defective hard disk with a new one partitioned the same way. Then restart your system and give the raidhotadd /dev/mdX /dev/sdX command.
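Reading /proc/mdstat by eye works for one machine; on a pool of servers the same check is better done by a script that names the degraded array and the member to replace. The following Python script is an added example for this troubleshooting step, not code from this manual or from the raidtools package. The /proc/mdstat layout it parses is the Linux md driver's; the sample contents embedded in the script are constructed for the demonstration (md0 with a failed mirror member, md1 healthy).

```python
"""Read /proc/mdstat and report software RAID arrays that are degraded.

Added example for the troubleshooting step above; it is not code from the
manual or from the raidtools package. The /proc/mdstat layout is the Linux
md driver's; SAMPLE_MDSTAT is constructed for the demonstration.
"""

import re
from typing import Dict, List

# Constructed /proc/mdstat: md0 has lost one mirror member, md1 is healthy.
SAMPLE_MDSTAT = """\
Personalities : [raid0] [raid1] [raid5]
md0 : active raid1 sdb1[1] sda1[0](F)
      104320 blocks [2/1] [_U]

md1 : active raid5 sdd2[2] sdc2[1] sdb2[0]
      8385792 blocks level 5, 64k chunk, algorithm 2 [3/3] [UUU]

unused devices: <none>
"""

# "md0 : active raid1 sdb1[1] sda1[0](F)"; an optional "(auto-read-only)"
# between state and level is skipped.
ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(?:\([^)]*\)\s+)?(\S+)\s+(.*)$")
# "... [2/1] [_U]": configured/active member count and the slot map
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")


def parse_mdstat(text: str) -> Dict[str, dict]:
    """Return {array name: details} for every md device listed."""
    arrays: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends an array's block
            continue
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            devs = members.split()
            current = arrays[name] = {
                "state": state,
                "level": level,
                # strip the "[slot]" and "(F)" suffixes to get device names
                "members": [d.split("[")[0] for d in devs],
                "faulty": [d.split("[")[0] for d in devs if d.endswith("(F)")],
                "total": None,
                "active": None,
                "slots": "",
            }
            continue
        if current is not None:
            s = STATUS_RE.search(line)
            if s:
                current["total"] = int(s.group(1))
                current["active"] = int(s.group(2))
                current["slots"] = s.group(3)
    return arrays


def degraded_arrays(arrays: Dict[str, dict]) -> List[str]:
    """Names of arrays with a faulty member, a missing member, or an empty slot."""
    bad = []
    for name, a in arrays.items():
        missing = a["total"] is not None and a["active"] < a["total"]
        if a["faulty"] or missing or "_" in a["slots"]:
            bad.append(name)
    return sorted(bad)


def report(text: str) -> List[str]:
    """One line per degraded array, naming the member that must be replaced."""
    arrays = parse_mdstat(text)
    lines = []
    for name in degraded_arrays(arrays):
        a = arrays[name]
        faulty = ", ".join(a["faulty"]) or "none marked"
        lines.append(f"/dev/{name} ({a['level']}): {a['active']}/{a['total']} members active, "
                     f"slot map [{a['slots']}], faulty: {faulty}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MDSTAT) or ["all arrays healthy"]:
        print(line)
```

On a live system, replace SAMPLE_MDSTAT with the contents of /proc/mdstat; the device named as faulty is the one to replace and re-add with raidhotadd as described above.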
In this very simple example, the storage system does not use authentication. Many properties of iSCSI can be set in /etc/iscsi.conf. Find details in the manual page for iSCSI. After iSCSI has been configured, start the iSCSI subsystem with the rciscsi start command. The system should output the following messages:

rciscsi start
Starting iSCSI: iscsi iscsid fsck/mount                      done

The /etc/initiatorname.

4 Central Software Installation and Update

If you want to install a pool of systems within a network with SUSE LINUX Enterprise Server, you can use YaST to provide installation data from a central location. YaST also provides a module for central management of software updates.

4.1 Setting up a Central Installation Server . . . . . . .

4.1 Setting up a Central Installation Server

Instead of installing each computer with a set of installation media, provide the installation data on a dedicated installation server in your network and fetch it from there to install the clients. The YaST installation server supports HTTP, FTP, and NFS. With the help of the service location protocol (SLP), this server can be made known to all clients in the network.

<Name> stands for the name of the installation source, which is defined in the following step. If you have selected NFS in the previous step, define wild cards and exports options. The NFS server will be accessible under nfs:///. Details of NFS and exports can be found in Section 21.10.4 on page 512.

Uploading the Installation Data

The most lengthy step in configuring an installation server is the copying of the actual SUSE LINUX CDs. Insert the media in the sequence requested by YaST and wait for the copying procedure to end. When the sources have been fully copied, return to the overview of existing information sources and close the configuration by selecting ‘Finish’.

4.1.2 Client Installation Using the Installation Server

As soon as the installation server is available with the required installation data in the network, all computers in the local network can access the data. If a client should be installed from scratch, all you need is a bootable medium to initialize the process. At the boot prompt — as described in Section 3.1.

4.2 Managing Software Updates with the YOU Server

With the YaST ‘YOU server’ module, create a local update server, which can provide the current software updates to all YOU clients contained in the network. This centralizes the update of all systems contained in the network. The YOU server is synchronized manually or automatically with one of the update servers in the Internet authorized by SUSE.

The product list shows the names of all products for which the YOU server currently provides updates as well as the respective URLs used to synchronize the update data on your local YOU server. The product running on the machine on which the server is set up is displayed as the default. Use ‘Add’, ‘Change’, and ‘Delete’ to edit the product list.

4.2.2 Configuring the Clients

The local YOU clients (‘YaST Control Center’ ➝ ‘Online Update’) should be configured manually to obtain the updates from your YOU server, or use the SLP functionality of YaST to determine the server address automatically.

Manual Configuration

Enter the URL of the local server in the URL field of the YOU client: http:///YOU. Alternatively, add this path to /etc/youservers.

4.3.1 Configuring tftpd

x86: The PXE image pxelinux.0 is loaded by the BIOS. This takes control of the remainder of the boot process. First, PXE fetches a configuration file from the tftp server.

IPF: The computer firmware starts by loading the boot image elilo.efi from the tftp server. This then loads a configuration file from the tftp server, which controls the boot process from this point.

In the configuration file for PXE, a number of options are available.

4.3.2 Configuring dhcpd

dhcpd is responsible for telling the computer where it can find the boot image.

x86, AMD64, EM64T:
filename "pxelinux.0";

IPF:
filename "elilo.efi";

If tftpd is not running on the same server as dhcpd, also enter the address of the tftpd server in the configuration:

next-server sun

4.3.3 Launching the Boot Process

5

SUSE LINUX provides the option of updating an existing system without completely reinstalling it. There are two types of updates: updating individual software packages and updating the entire system. Packages can also be installed by hand using the package manager RPM.

5.1 Updating SUSE LINUX . . . . . . . . . . . . . . . . 164
5.2 Software Changes from Version to Version . . . . .

5.1 Updating SUSE LINUX

Software tends to grow from version to version. Therefore, take a look at the available partition space with df before updating. If you suspect you are running short of disk space, secure your data before updating and repartition your system. There is no general rule of thumb regarding how much space each partition should have.

PostgreSQL

x86: Promise Controller

The hard disk controller manufactured by Promise is currently found on high-end motherboards in numerous computer models, either as a pure IDE controller (for UDMA 100) or as an IDE-RAID controller. As of SUSE LINUX 8.0, these controllers are directly supported by the kernel and treated as a standard controller for IDE hard disks.

5.1.3 Updating with YaST

Following the preparation procedure outlined in Section 5.1.1 on page 164, you can now update your system:

1. Boot the system as for the installation. In YaST, choose a language and select ‘Update Existing System’. Do not select ‘New Installation’.

2. YaST determines whether there are multiple root partitions. If there is only one, continue with the next step.

5.1.4 Manual Update

As basic system components, such as libraries, must be exchanged when updating a base system, an update cannot be run from within a currently running Linux system. First, set up the update environment. This is normally done using the CD or DVD or with a custom boot disk.

In the warning dialog, select ‘Yes’ to start the installation of the new software from the source medium to the system hard disk. First, the RPM database is checked, then the main system components are updated. YaST automatically creates backups of files modified in the running system since the last installation. In addition, old configuration files are backed up with the endings .rpmorig and .rpmsave.

Modules now have the suffix .ko.
The module ide-scsi is no longer needed for burning CDs.
The prefix snd_ has been removed from the ALSA sound module options.
sysfs now complements the /proc file system.
Power management (especially ACPI) has been improved and can now be configured by means of a YaST module.

Mounting VFAT Partitions

When mounting VFAT partitions, the parameter code= must be changed to codepage=.

Notes regarding the kernel and linuxthreads with floating stacks: Applications using errno, h_errno, and _res must include the header files (errno.h, netdb.h, and resolv.h) with #include. For C++ programs with multithread support that use thread cancellation, the environment variable LD_ASSUME_KERNEL=2.4.1 must be used to prompt the use of the linuxthreads library.

Systemwide UTF-8 Encoding

Converting File Names to UTF-8

Files in previously created file systems do not use UTF-8 encoding for the file names (unless specified otherwise). If these file names contain non-ASCII characters, they will be garbled. To correct this, use the convmv script, which converts the encoding of file names to UTF-8.

Note: Third-party software may not yet comply with the new standard. In this case, set the environment variable as described above: _POSIX2_VERSION=199209.

/etc/gshadow Obsolete

/etc/gshadow has been abandoned and removed, as this file is superfluous for the following reasons:

It is not supported by glibc.
There is no official interface for this file; even the shadow suite does not contain such an interface.

/usr/sbin/wb_auth
/usr/sbin/wb_ntlmauth
/usr/sbin/wb_info_group.pl

See also http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5.

OpenSSH Update (Version 3.8p1)

gssapi support has been replaced with gssapi-with-mic to prevent potential MITM attacks. These two versions are not compatible.

Removable Media with subfs

Removable media are now integrated with subfs. Media no longer need to be mounted manually with mount. The command cd /media/* launches the automatic mounting process. Media cannot be ejected as long as they are accessed by a program.

Printer Configuration

Information about the changes in the print system is available in Section 13.1 on page 296.

5.3.1 Verifying Package Authenticity

1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA

The command rpm --checksig apache-1.3.12.rpm can be used to verify the signature of an RPM package to determine whether it really originates from SUSE or from another trustworthy facility.
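When many packages are checked at once, the distinction that matters is between "digest OK" (the file is intact), "signature OK against an imported key" (the origin is established), "signed by a key that is not in the RPM keyring" (nothing proven yet) and "NOT OK". The following Python script is an added example for this section and is not code from SUSE or from rpm: it classifies rpm --checksig result lines along those four outcomes and relates a missing-key ID to the fingerprint printed above (the 8-digit key ID 9C800ACA is the last 32 bits of that fingerprint). The sample output lines are constructed in the shape rpm 4.x prints; treat the exact wording as an assumption and compare it with the output of your own rpm.

```python
"""Classify the result lines of rpm --checksig before installing packages.

Added example for this section; not code from SUSE or from rpm. The key ID
and fingerprint are the SuSE Package Signing Key data printed in the manual.
The sample output lines are constructed in the shape rpm 4.x prints; treat
the exact wording as an assumption and compare against your rpm's output.
"""

import re
from typing import Dict, List, Tuple

SUSE_FINGERPRINT = "79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA"

# Constructed rpm --checksig output: one verified, one unsigned,
# one signed by a key not in the RPM keyring, one failed check.
SAMPLE_CHECKSIG = """\
apache-1.3.12.rpm: md5 gpg OK
wget-1.8.2-301.i586.rpm: md5 OK
pine-4.44-224.i586.patch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#9c800aca)
evil-1.0.i586.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop the grouping spaces so fingerprints compare as plain hex."""
    return re.sub(r"\s+", "", fpr).upper()


def key_id_from_fingerprint(fpr: str) -> str:
    """The 8-digit key ID rpm reports is the last 32 bits of the fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def classify_line(line: str, trusted_fpr: str = SUSE_FINGERPRINT) -> Tuple[str, str, str]:
    """Return (package, verdict, reason) for one rpm --checksig line.

    Verdicts: verified, unsigned, unverified (key not imported), failed.
    'md5 OK' alone only proves the file is intact, not who built it, so it
    is reported as unsigned rather than accepted.
    """
    pkg, _, result = line.partition(":")
    pkg, result = pkg.strip(), result.strip()

    missing = re.search(r"MISSING KEYS:\s*GPG#([0-9A-Fa-f]+)", result)
    if missing:
        keyid = missing.group(1).upper()
        if keyid == key_id_from_fingerprint(trusted_fpr):
            reason = (f"signed by key {keyid}, which matches the trusted "
                      "fingerprint; import the key and re-check")
        else:
            reason = f"signed by unknown key {keyid}; verify its fingerprint first"
        return pkg, "unverified", reason
    if "NOT OK" in result:
        return pkg, "failed", "digest or signature check failed; do not install"
    if result.endswith("OK") and re.search(r"\bgpg\b", result, re.IGNORECASE):
        return pkg, "verified", "digest and GPG signature verified"
    if result.endswith("OK"):
        return pkg, "unsigned", "digest OK but no GPG signature: origin not established"
    return pkg, "unknown", result


def classify_output(text: str) -> Dict[str, str]:
    """Map package file name to verdict for a whole rpm --checksig run."""
    return {pkg: verdict
            for pkg, verdict, _ in map(classify_line, text.splitlines()) if pkg}


def safe_to_install(text: str) -> List[str]:
    """Only packages whose signature verified against an imported key."""
    return [pkg for pkg, verdict in classify_output(text).items() if verdict == "verified"]


if __name__ == "__main__":
    for pkg_line in SAMPLE_CHECKSIG.splitlines():
        pkg, verdict, reason = classify_line(pkg_line)
        print(f"{verdict:10} {pkg}: {reason}")
```

Feed the script the output of rpm --checksig over a directory of downloaded packages; only the packages listed by safe_to_install() have both an intact digest and a signature that rpm could verify with a key already imported into its keyring.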
If a configuration file was changed by the system administrator before the update, rpm saves the changed file with the extension .rpmorig or .rpmsave (backup file) and installs the version from the new package, but only if the originally installed file and the newer version are different. If this is the case, compare the backup file (.rpmorig or .

The most important considerations are demonstrated using pine as an example:

Is the patch RPM suitable for my system?
To check this, first query the installed version of the package. For pine, this can be done with

rpm -q pine
pine-4.44-188

Then check if the patch RPM is suitable for this version of pine:

rpm -qp --basedon pine-4.44-224.i586.patch.rpm
pine = 4.44-188
pine = 4.44-195
pine = 4.

Which patches are already installed in the system and for which package versions?
A list of all patches installed in the system can be displayed with the command rpm -qPa. If only one patch is installed in a new system (as in this example), the list appears as follows:

rpm -qPa
pine-4.
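The comparison the text performs by hand (does the installed name-version-release appear among the versions the patch RPM is based on?) is easy to get wrong when package names themselves contain hyphens. The following Python script is an added example for this check and is not code from this manual or from rpm; it splits the name-version-release string from the right so that hyphenated package names survive, and matches it against the "name = version-release" lines of rpm -qp --basedon. The embedded strings are constructed from the pine example above (the --basedon sample is limited to the two lines the manual shows).

```python
"""Decide whether a patch RPM applies to the installed package version.

Added example for the patch RPM check above; it is not code from the manual
or from rpm. It reproduces the comparison the text performs by hand: the
installed name-version-release from rpm -q must appear among the
"name = version-release" lines that rpm -qp --basedon prints for the patch.
The sample strings are constructed from the manual's pine example.
"""

from typing import List, Tuple

# Constructed: what rpm -q pine printed on the example system.
INSTALLED_PINE = "pine-4.44-188"

# Constructed: what rpm -qp --basedon pine-4.44-224.i586.patch.rpm printed
# (limited to the two lines shown in the manual).
BASEDON_PINE = """\
pine = 4.44-188
pine = 4.44-195
"""


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split name-version-release on the last two hyphens.

    Splitting from the right keeps hyphenated package names intact, e.g.
    'kernel-default-2.6.5-7.97' -> ('kernel-default', '2.6.5', '7.97').
    """
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    name, version, release = parts
    return name, version, release


def parse_basedon(text: str) -> List[Tuple[str, str]]:
    """Return [(name, 'version-release'), ...] from --basedon output."""
    bases = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, vr = line.partition("=")
        if not sep:
            raise ValueError(f"unexpected --basedon line: {line!r}")
        bases.append((name.strip(), vr.strip()))
    return bases


def patch_applies(installed_nvr: str, basedon_text: str) -> bool:
    """True if the installed version is one the patch RPM was built against."""
    name, version, release = split_nvr(installed_nvr)
    return (name, f"{version}-{release}") in parse_basedon(basedon_text)


def explain(installed_nvr: str, basedon_text: str) -> str:
    """Human-readable verdict listing the versions the patch accepts."""
    name, version, release = split_nvr(installed_nvr)
    accepted = [vr for n, vr in parse_basedon(basedon_text) if n == name]
    if f"{version}-{release}" in accepted:
        return f"{installed_nvr}: patch applies"
    return (f"{installed_nvr}: patch does not apply; it is based on "
            f"{name} {', '.join(accepted) or '(no matching package)'}")


if __name__ == "__main__":
    print(explain(INSTALLED_PINE, BASEDON_PINE))
    print(explain("pine-4.44-200", BASEDON_PINE))
```

In practice the two constants are replaced by the captured output of rpm -q <package> and rpm -qp --basedon <patch.rpm>; a False result means the patch RPM was built for a different base version and a full package update is needed instead.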
List features of the package that another package can request with --requires

--requires, -R
    Capabilities the package requires

--scripts
    Installation scripts (preinstall, postinstall, uninstall)

For example, the command rpm -q -i wget displays the information shown in Example 5.2.

Example 5.2: rpm -q -i wget

Name        : wget                         Relocations: (not relocateable)
Version     : 1.8.

Example 5.3: Script to Search for Packages

#! /bin/sh
# For every installed file whose path matches the pattern given as the
# first argument, print the package that owns it.
[ -n "$1" ] || { echo "usage: $0 pattern" >&2; exit 1; }
rpm -q -a -l | grep -- "$1" | while read -r i; do
    echo "\"$i\" is in package:"
    rpm -q -f "$i"
    echo ""
done

The command rpm -q --changelog rpm displays a detailed list of information (updates, configuration, modifications, etc.) about a specific package. This example shows information about the package rpm.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 181 — #207 i i 5 The files of the RPM database are placed in /var/lib/rpm. If the partition /usr/ has a size of 1 GB, this database can occupy nearly 30 MB, especially after a complete update. If the database is much larger than expected, it is useful to rebuild the database with the option --rebuilddb. Before doing this, make a backup of the old database. The cron script cron.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 182 — #208 i i i SRPMS/ here are the source RPMs When you install a source package with YaST, all the necessary components will be installed in /usr/src/packages/: the sources and the adjustments in SOURCES/ and the relevant .spec file in SPECS/. Caution Do not experiment with system components (glibc, rpm, sysvinit, etc.), as this endangers the operability of your system. Caution The following example uses the wget.src.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 183 — #209 i i 5.3.6 Compiling RPM Packages with build cd /usr/src/packages/SOURCES/ mv ../SPECS/wget.spec . build --rpms /media/dvd/suse/ wget.spec Subsequently, a minimum environment will be established at /var/ tmp/build-root. The package will be built in this environment. Upon completion, the resulting packages are located in /var/tmp/buildroot/usr/src/packages/RPMS. The build script offers a number of additional options.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 184 — #210 i i i i i i i
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 185 — #211 i i 6 System Repair System Repair In addition to numerous YaST modules for system installation and configuration, SUSE LINUX Enterprise Server also offers a feature for repairing the installed system. This chapter describes the various types and steps of system repair. 6.1 6.2 6.3 6.4 6.5 Starting YaST System Repair . . . . . . . . . . . Automatic Repair . . . . . . . . . . . . . . . . . User-Defined Repair . . . . .
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 186 — #212 i i i 6.1 Starting YaST System Repair Because it cannot be assumed that a damaged system can boot by itself and a running system cannot be easily repaired, the YaST System Repair utility is run from the SUSE LINUX installation CD or DVD. Follow the steps outlined in Chapter 1 on page 7 to get to the dialog offering the various installation options then select ‘Repair Installed System’. See Figure 6.1.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 187 — #213 i i 6.2 Automatic Repair System Repair This method is best suited to restoring a damaged system with unknown cause. Selecting it starts an extensive analysis of the installed system, which takes quite some time due to the large number of tests and examinations. The progress of the procedure is displayed at the bottom of the screen with two progress bars. The upper bar shows the progress of the currently running test.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 188 — #214 i i i Figure 6.2: Automatic Repair Mode 6.3 User-Defined Repair The automatic repair explained in the preceding section performs all tests. This is useful if the extent of the system damage is unknown. However, if you already know what part of the system is affected, the range of the applied tests can be narrowed. Choosing ‘User-Defined Repair’ shows a list of test runs that are all marked for execution at first.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 189 — #215 i i 6.4 6 Expert Tools Install New Boot Loader This starts the YaST boot loader configuration module. Details can be found in Section 8.6 on page 222. Run Partitioning Tool This starts the expert partitioning tool in YaST. Details can be found in Section 1.7.5 on page 22.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 190 — #216 i i 6.5 S/390, zSeries: Using initrd as a Rescue System If the kernel of the SUSE LINUX Enterprise Server for S/390 and zSeries is upgraded or modified, it is possible to reboot the system accidentally in an inconsistent state, so standard procedures of IPLing the installed system fail.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 191 — #217 i i 6 To continue the installation, enter: ./inst_source bash: no job control in this shell SuSE Instsys suse:/ # This opens a root shell from which to issue all necessary commands directly. System Repair netsetup 6.5.2 Loading DASD Modules To access the root device, load the required kernel modules. First, load the DASD modules.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 192 — #218 i i 6.5.3 Mounting the Root Device If the modules have loaded correctly, you should now be able to mount the root device. Assuming that the root device is on the second partition of the DASD device (/dev/dasda2) the corresponding command is mount /dev/dasda2 /mnt.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 193 — #219 i i 6 6.5.5 Executing zipl Example 6.5: Installing the IPL Record with zipl sh-2.05b# zipl building bootmap : /boot/zipl/bootmap adding Kernel Image : /boot/kernel/image located at 0x00010000 adding Ramdisk : /boot/initrd located at 0x00800000 adding Parmline : /boot/zipl/parmfile located at 0x00001000 Bootloader for ECKD type devices with z/OS compatible layout installed. Syncing disks.... ...
Part II System
7

SUSE LINUX Enterprise Server is available for several 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE LINUX Enterprise Server supports the use of 32-bit applications in a 64-bit system environment. This section offers a brief overview of how this support is implemented on 64-bit SUSE LINUX Enterprise Server platforms.
SUSE LINUX Enterprise Server for the ipf, ppc64, s390x, sparc64, amd64, and em64t 64-bit platforms is designed so that existing 32-bit applications run in the 64-bit environment “out-of-the-box.” The corresponding 32-bit platforms are x86 for ipf, ppc for ppc64, s390 for s390x, and x86 for amd64 and em64t.
7.2 Software Development

All 64-bit architectures support the development of 64-bit objects. However, the level of support for 32-bit compiling depends on the architecture.
All header files must be written in an architecture-independent form. The installed 32-bit and 64-bit libraries must have an API (application programming interface) that matches the installed header files. The normal SUSE environment is designed according to this principle. In the case of manually updated libraries, resolve these issues yourself.
2. Instruct the linker to process 64-bit objects:
3. Set the assembler to generate 64-bit objects: AS="gcc -c -m64"
4. Determine that the libraries for libtool and so on come from /usr/lib64/: LDFLAGS="-L/usr/lib64"
5. Determine that the libraries are stored in the lib64 subdirectory: --libdir=/usr/lib64
6.
For this reason, a small number of applications, like lspci or the LVM administration programs, have to exist even on non-64-bit platforms as 64-bit programs to function correctly. A 64-bit kernel can only load 64-bit kernel modules that have been specially compiled for this kernel. It is not possible to use 32-bit kernel modules.

Note
Some applications require separate, kernel-loadable modules.
8

This chapter introduces various methods for booting the installed system. First, some of the technical details of the boot process are explained to help with understanding the various methods. This is followed by a detailed description of the default boot manager GRUB.
8.1 Booting a PC

After turning on your computer, the first thing that happens is that the BIOS (basic input output system) takes control, initializes the screen and keyboard, and tests the main memory. At this point, no storage media or external devices are known to the system.
8.1.2 Boot Sectors

8.1.3 Booting DOS or Windows

The DOS MBR of the first hard disk contains information that determines which partition of a hard disk is active (bootable). The active partition is searched for the operating system to boot. Therefore, DOS must be installed on the first hard disk. The DOS program code in the MBR is the first stage of the boot loader.
Booting Other Operating Systems from a Floppy Disk

One operating system is booted from the hard disk. Other operating systems can be booted from the floppy disk drive. For example, use it for an installation of Linux alongside Windows — boot Linux from a boot disk. This method requires a bootable floppy disk drive. The advantage is that no boot loader needs to be installed.
Note
CPU-controlled RAID controllers, such as many Promise and Highpoint controllers
Software RAID
LVM

For information about the installation of LILO, search for the keyword “LILO” in the Support Database (http://portal.suse.de/sdb/en/index.html).
One major advantage of GRUB is that all boot parameters can easily be changed before booting. If, for example, the menu file contains an error, it can be fixed. Boot parameters can be entered interactively at a prompt. GRUB offers the possibility to find the location of the kernel and initrd before booting. With this, you can even boot operating systems for which no entry exists in the boot menu.
The root command simplifies specification of kernel and initrd files. The only argument for the command root is a device or partition (in GRUB notation). This device is used for all kernel, initrd, or other file paths for which no device is specified. This applies up to the next root command. The command is not used in the default menu.lst file created during the installation. It merely facilitates manual editing.
The fact that BIOS device names do not correspond to Linux devices is an issue resolved with algorithms that establish a mapping. GRUB stores the result in a file (device.map), which can be edited. For more information about device.map, refer to Section 8.4.2 on page 212. For GRUB, a file name must be specified as a device name written in parentheses followed by the full path to the file and the file name.
timeout 8

After eight seconds without user input, GRUB automatically boots the default entry. The second, larger part defines the different operating systems to boot. The first entry (title linux) is responsible for booting SUSE LINUX. The kernel (vmlinuz) is located on the first hard disk on the first logical partition (which is the boot partition in this case).
Editing Menu Entries during the Boot Procedure

From the graphical boot menu of GRUB, use the arrow keys to select the operating system to boot. If you select a Linux system, you can add boot parameters. After pressing Esc and exiting the splash screen, press E to edit individual menu entries directly. Changes made in this way only apply to the current boot procedure and are not adopted permanently.
Any manual change to the device.map file requires that you update your GRUB installation. Use the following command:

grub --batch --device-map=/boot/grub/device.map < /etc/grub.conf

8.4.3 The File /etc/grub.conf

GRUB stores another important part of its configuration in the file grub.conf.
8.4.4 The GRUB Shell

GRUB actually consists of two parts: the boot loader and a normal Linux program (/usr/sbin/grub). This program is referred to as the GRUB shell. The functionality to install the boot loader on a hard disk or floppy disk is integrated into the GRUB shell through the internal commands install and setup — these commands can be executed using the GRUB shell on a running Linux system.
title linux
    kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
    initrd (hd0,4)/initrd
    lock

After rebooting, trying to boot this entry from the menu would result in the following error message:

Error 32: Must be authenticated

Return to the menu by pressing Enter. From the menu, pressing P prompts for the password. The selected system (Linux in this case)
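An added defender's check that is not part of the manual: the script below reads a GRUB legacy menu.lst and reports whether a global password line is present, whether it holds an MD5 hash rather than plain text, and which entries lack the lock command and so can still be booted or edited without authenticating. The sample menu.lst it writes and the placeholder hash in it are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: audit a GRUB legacy menu.lst for the
# password and lock protection described above. Needs only POSIX sh and awk.

# Succeeds (0) if the global section, i.e. everything before the first "title",
# contains a "password" line.
grub_password_set() {
    awk '
        /^[ \t]*title([ \t]|$)/ { exit }
        /^[ \t]*password[ \t]/  { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Succeeds (0) if that password is stored as an MD5 hash ("password --md5 ...")
# instead of in plain text, which anyone able to read the file could recover.
grub_password_is_hashed() {
    awk '
        /^[ \t]*title([ \t]|$)/ { exit }
        /^[ \t]*password[ \t]/  { hashed = ($2 == "--md5"); exit }
        END { exit !hashed }
    ' "$1"
}

# Prints the title of every entry whose stanza has no "lock" command. Such an
# entry is still bootable, and editable with E, without authenticating.
grub_unlocked_entries() {
    awk '
        function flush() { if (title != "" && !locked) print title }
        /^[ \t]*title[ \t]/ { flush(); title = $0; sub(/^[ \t]*title[ \t]+/, "", title); locked = 0; next }
        /^[ \t]*lock[ \t]*$/ { locked = 1 }
        END { flush() }
    ' "$1"
}

# Summary for the administrator; returns 0 only when a hashed password is set
# and every entry is locked.
grub_audit() {
    file=$1
    rc=0
    if grub_password_set "$file"; then
        if grub_password_is_hashed "$file"; then
            echo "password: set as MD5 hash"
        else
            echo "password: set in PLAIN TEXT, generate a hash with grub-md5-crypt and use 'password --md5'"
            rc=1
        fi
    else
        echo "password: NOT SET, every entry can be edited with E before booting"
        rc=1
    fi
    unlocked=$(grub_unlocked_entries "$file")
    if [ -n "$unlocked" ]; then
        echo "entries without 'lock' (bootable without the password):"
        printf '%s\n' "$unlocked" | sed 's/^/    /'
        rc=1
    else
        echo "all entries locked"
    fi
    return $rc
}

# Constructed sample in the layout of the manual's menu.lst; the hash is a
# placeholder, not a real GRUB MD5 hash.
write_sample_menu_lst() {
    cat > "$1" <<'EOF'
default 0
timeout 8
password --md5 $1$PLACEHOLDER$notarealhash
title linux
    kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
    initrd (hd0,4)/initrd
    lock
title failsafe
    kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 ide=nodma apm=off acpi=off vga=normal nosmp
    initrd (hd0,4)/initrd.shipped
title windows
    chainloader (hd0,0)+1
EOF
}

# Audit the file named on the command line, otherwise the constructed sample
# (which deliberately leaves two entries unlocked, so the audit reports them).
if [ -n "${1:-}" ]; then
    grub_audit "$1"
else
    sample=$(mktemp)
    write_sample_menu_lst "$sample"
    grub_audit "$sample" || :
    rm -f "$sample"
fi
```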
8.5 Booting with LILO

The Linux boot loader LILO is suitable for installation in the MBR. LILO has access to two real-mode hard disks and is able to find all the data it needs from the raw hard drives without any partitioning data. Therefore, operating systems can also be booted from the second hard disk. Unlike with the DOS boot process, the entries in the partition table are ignored when using LILO.
The following locations are suitable for storing the LILO boot sector:

In the Boot Sector of a Primary Linux Partition on the First Hard Disk
This leaves the MBR untouched. Before it can be booted, the partition must be marked active. Start fdisk as root with the command fdisk -s <partition>. The program asks for a command. Obtain a list of the available commands by entering m.
8.5.2 Structure of lilo.conf

/etc/lilo.conf starts with a global section, followed by one or more system sections for each operating system LILO should start. Each system section starts with a line beginning with image or other. The order of entries in /etc/lilo.
### LILO memory test section (memtest)
image = /boot/memtest.bin
    label = memtest86

Anything between a # and the end of a line is regarded as a comment. Spaces and comments are ignored by LILO and can be used to improve readability. The entries in the above sample file include mandatory options, which are explained in the list below, and others that are described in Section 8.5.2 on the preceding page.
Linux section

image=kernelimage
This specifies the name of the kernel image to boot, including its directory location. With a new system, this is most likely /boot/vmlinuz.

label=name
A name for the system in question (e.g., Linux). It may be freely chosen but must be unique as far as the contents of /etc/lilo.conf are concerned.
Linux part (Linux — Safe Settings)

optional
If you decide to delete /boot/vmlinuz.shipped (not recommended), this section is skipped without an error message during LILO installation.

Other systems

other=partition
other tells LILO to start the partitions of other systems (e.g., /dev/hda1).

label=name
Select a name for the system.
Updating after Changing the Configuration

If any of the LILO components have changed, or if you have modified your configuration in /etc/lilo.conf, update the LILO boot loader. This is easily done by launching the map installer as root with the command:

/sbin/lilo

LILO creates a backup of the target boot sector, writes its first stage into the boot sector, then generates a new map file (also see Section 8.
Figure 8.1: Configuring the Boot Loader with YaST

8.6.1 The Main Window

The table listing the configuration data consists of three columns. Under ‘Changed’ (to the left), flags mark the changed options listed in the center column. To add an option, click ‘Add’. To change the value of an existing option, select it with a mouse click and click ‘Edit’.
Propose and Merge with Existing GRUB Menus
If another operating system and an older Linux version are installed in other partitions, the menu is generated from an entry for the new SUSE LINUX, an entry for the other system, and all entries of the old boot loader menu. This procedure might take some time. This is not possible if LILO is used.
Boot Loader Location
Use this dialog to define where to install the boot loader: in the master boot record (MBR), in the boot sector of the boot partition (if available), in the boot sector of the root partition, or on a floppy disk. Use ‘Others’ to specify a different location.
8.7 Uninstalling the Linux Boot Loader

There are two ways to uninstall the Linux boot loader:
Restore the backup of the original MBR by means of the YaST boot loader module. YaST creates this backup automatically.
Install a different boot loader or restore the DOS or Windows MBR.

Caution
Invalid Backups of Boot Sectors
A boot sector backup is no longer valid if the partition in question has a new file system.
8.7.3 Restoring the MBR of Windows 2000

8.8 Creating Boot CDs

Problems may arise when attempting to boot a system with the LILO boot manager configured with YaST. The creation of a system boot disk fails with more recent SUSE LINUX versions because the space available on a floppy disk is no longer sufficient for the start-up files. Instead, create a boot CD. This solution is only a work-around.
mkdir /tmp/CDroot
cp /usr/share/syslinux/isolinux.bin /tmp/CDroot/
cp /boot/vmlinuz /tmp/CDroot/linux
cp /boot/initrd /tmp/CDroot

4. Create the boot loader configuration file /tmp/CDroot/isolinux.cfg with your preferred editor. Enter the following content:

DEFAULT linux
LABEL linux
    KERNEL linux
    APPEND initrd=initrd root=/dev/hdXY [boot parameter]

Enter your root partition for the parameter root=/dev/hdXY.
8.9 S/390, zSeries: The Boot Loader ZIPL

8.9.1 For Kernel Version 2.6.x

The syntax of ZIPL is as follows:

zipl [options] [configuration]

Options:
-h or --help
    prints this information
-c or --config=
    specifies the config file to be used. This option overrides the environment variable ZIPLCONF.
-d or --dumpto <PARTITION>
    specifies the device node of the partition on which the dump will be created. Example: /dev/dasdb1 or /devfs/dasd/0192/part1

The command ZIPL reads the configuration file /etc/zipl.conf and uses the parameters listed in the file.

8.9.2 The ZIPL Configuration File

The configuration file for the ZIPL boot loader is /etc/zipl.conf. Example 8.
Note
DASDs and the Command Line
Add or delete DASDs or DASD ranges from the parameter line. However, do not remove the DASD containing the root file system. Otherwise, the system will not be able to boot.
9 The Linux Kernel

The kernel manages the hardware of every Linux system and makes it available to the various processes. Although the information provided in this chapter will not make you a kernel hacker, you will learn how to perform a kernel update and how to compile and install a custom kernel.
The kernel that is installed in the /boot/ directory is configured for a wide range of hardware. Normally, there is no need to compile a custom kernel, unless you want to test experimental features and drivers. Several Makefiles are provided with the kernel to automate the process. Select the hardware settings and other kernel features.
9.2 Kernel Sources

After installation, the kernel sources are located in /usr/src/linux/. If you plan to experiment with different kernels, unpack them in different subdirectories and create a symbolic link to the current kernel source. As there are software packages that rely on the sources being in /usr/src/linux/, maintain this directory as a symbolic link to your current kernel source.
9.3.2 Configuration in Text Mode

menuconfig is a more comfortable way to configure the kernel. If necessary, install ncurses-devel with YaST. Start the kernel configuration with the command make menuconfig. For minor changes in the configuration, you do not have to go through all the questions. Instead, use the menu to access certain sections directly. The default settings are loaded from the file .config.
required for booting the system should be built as modules. This makes sure the kernel does not become too big to be loaded by the BIOS or a boot loader.

Kernel modules are located in /lib/modules/<version>/. <version> stands for the current kernel version.

9.4.1 Hardware Detection with the Help of hwinfo
lsmod
Shows which modules are currently loaded as well as how many other modules are using them. Modules started by the kernel daemon are tagged with autoclean. This label denotes that these modules will automatically be removed once they reach their idle time limit.

modinfo
Shows module information.

9.4.3 /etc/modprobe.conf

The loading of modules is affected by the files /etc/modprobe.conf and /etc/modprobe.conf.
9.6 Compiling the Kernel

make clean
make bzImage

Compiling a “bzImage” is recommended. As a rule, this avoids the problem of the kernel getting too large, as can easily happen if you select too many features and create a “zImage”. You will then get error messages like "kernel too big" or "System is too big".
9.7 Installing the Kernel

After the kernel is compiled, it must be installed so it can be booted. x86: If you use LILO, LILO must be updated as well. To prevent unpleasant surprises, it is recommended to keep the old kernel (e.g., as /boot/vmlinuz.old), so you can still boot it if the new kernel does not function as expected:

cp /boot/vmlinuz /boot/vmlinuz.
Note
x86: To enable GRUB or LILO to boot the old kernel (now /boot/vmlinuz.old), add an image entry with the label Linux.old in your /boot/grub/menu.lst or /etc/lilo.conf. This procedure is described in detail in Chapter 8 on page 203. If you are using LILO as the boot loader, LILO must be reinstalled after modifications to /etc/lilo.conf with the command lilo. GRUB does not need to be reinstalled.
10

This chapter provides information about the Filesystem Hierarchy Standard (FHS) and Linux Standard Base (LSB). Various software packages and special features, such as booting with initrd and using the rescue system, are described in detail.
10.1 Linux Standards

10.1.1 Linux Standard Base (LSB)

SUSE actively supports the efforts of the Linux Standard Base project. Up-to-date information about the project can be found at http://www.linuxbase.org. The currently valid LSB specification is version 1.3.x.
10.1.5 Example Environment for HTTP Server

Apache is the standard web server in SUSE LINUX. Together with the installation of Apache, some example documents are made available in /srv/www.

10.2 Hints on Special Software Packages

10.2.1 Package bash and /etc/profile

1. /etc/profile
2. ~/.profile
3. /etc/bash.bashrc
10.2.2 cron Package

The cron tables are now located in /var/cron/tabs. /etc/crontab serves as a system-wide cron table. Enter the name of the user who should run the command directly after the time table (see Example 10.1, here root is entered). Package-specific tables, located in /etc/cron.d, have the same format. See man cron. Example 10.
Configuration

Configure logrotate with the file /etc/logrotate.conf.

Example 10.2: Example for /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
10.2.4 Man Pages

For some GNU applications (such as tar) the man pages are no longer maintained. For these commands, use the --help option to get a quick overview or the info pages, which provide more in-depth instructions. info is GNU’s hypertext system. Read an introduction to this system by entering info info. Info pages can be viewed with Emacs by entering emacs -f info or directly in a console with info.
Note
Not all shells support ulimit directives. PAM (for instance, pam_limits) offers comprehensive adjustment possibilities if you depend on encompassing settings for these restrictions.

10.2.6 The free Command

The free command is somewhat misleading if your goal is to find out how much RAM is currently being used. The relevant information can be found in /proc/meminfo.
10.2.8 Settings for GNU Emacs

GNU Emacs is a complex work environment. More information is available at http://www.gnu.org/software/emacs/. The following sections cover the configuration files processed when GNU Emacs is started. On start-up, Emacs reads several files containing the settings of the user, system administrator, and distributor for customization or preconfiguration. The initialization file ~/.
10.3 Booting with the Initial RAM Disk

For the problem of SCSI drivers, a number of different solutions are possible. The kernel could contain all imaginable drivers, but this might be a problem because different drivers could conflict with each other. Also, the kernel would become very large because of this. Another possibility is to provide different kernels, each one containing just one or a few SCSI drivers.
program can now do all the things necessary to mount the proper root file system. As soon as linuxrc finishes, the temporary initrd is unmounted and the boot process continues as normal with the mount of the proper root file system. Mounting the initrd and running linuxrc can be seen as a short interlude during a normal boot process.
initrd (hd0,0)/initrd

LILO
Enter the following line in /etc/lilo.conf:
initrd=/boot/initrd

syslinux
Enter the following line in syslinux.cfg:
append initrd=initrd
Further parameters can be appended to the line.

10.3.4 Using initrd in SUSE

Installing the System
The initrd has been used for some time for the installation: the user can load modules and make the entries necessary for installation.
Creating an initrd

An initrd is created by means of the script mkinitrd (previously mk_initrd). In SUSE LINUX, the modules to load are specified by the variable INITRD_MODULES in /etc/sysconfig/kernel. After installation, this variable is automatically set to the correct value (the installation linuxrc saves which modules were loaded).
10.3.5 Possible Difficulties — Custom Kernels

There are several solutions to the problem. Configure the driver as a module (then it will be correctly loaded in the initrd). Alternatively, remove the entry for initrd from the file /etc/grub/menu.lst or /etc/lilo.conf, depending on your boot loader.
loaded from CD, the network, or the SUSE FTP server. Furthermore, there is a bootable SUSE LINUX CD (the LiveEval CD) that can be used as a rescue system. The rescue system includes several help programs with which you can remedy large problems with inaccessible hard disks, misconfigured configuration files, or other similar problems.
Figure 10.1: Source Medium for the Rescue System

Regardless of the medium chosen, the rescue system will be decompressed, loaded onto a RAM disk as a new root file system, mounted, and started. Now it is ready for use.

10.4.2 Working with the Rescue System

Under Alt-F1 to Alt-F3, the rescue system provides at least three virtual consoles.
Figure 10.2: Network Protocols

A shell and many other useful utilities, such as the mount program, can be found in the /bin directory. The sbin directory contains important file and network utilities for reviewing and repairing the file system (e.g., reiserfsck or e2fsck).
To access your entire system, mount it step by step in the /mnt directory using the following commands:

mount /dev/sdb3 /mnt
mount /dev/sdb6 /mnt/usr

Now, access your entire system and, for example, correct mistakes in configuration files, such as /etc/fstab, /etc/passwd, and /etc/inittab. The configuration files are now located in the /mnt/etc directory instead of in /etc.
10.5 Virtual Consoles

Linux is a multiuser and multitasking system. The advantages of these features can be appreciated, even on a stand-alone PC system. In text mode, there are six virtual consoles available. Switch between them using Alt-F1 to Alt-F6. The seventh console is reserved for X. More or fewer consoles can be assigned by modifying the file /etc/inittab.
10.7

SUSE LINUX is, to a very large extent, internationalized and can be modified for local needs in a flexible manner. In other words, internationalization (I18N) allows specific localizations (L10N). The abbreviations I18N and L10N are derived from the first and last letters of the words and, in between, the number of letters omitted.
10.7.1 Some Examples

You should always set the language and country codes together. Language settings follow the standard ISO 639 (http://www.evertype.com/standards/iso639/iso639-en.html and http://www.loc.gov/standards/iso639-2/). Country codes are listed in ISO 3166 (http://www.din.de/gremien/nas/nabd/iso3166ma/codlstp1/en_listp1.html).
11

Booting and initializing a UNIX system can challenge even an experienced system administrator. This chapter gives a short overview of the SUSE LINUX boot concept. The current implementation is compatible with the System Initialization section of the LSB specification (Version 1.3.x). Refer to Section 10.1.1 on page 244 for more information about LSB.
The kernel takes control of the system’s hardware as soon as the simple message “Uncompressing Linux...” is printed on screen (or, in the case of the IBM S/390 and zSeries, after IPLing). The kernel checks and sets the console (the BIOS registers of graphics cards and the screen output format), reads BIOS settings, and initializes basic hardware interfaces.
Note
Runlevel 2 with a /usr/ Partition Mounted via NFS
You should not use runlevel 2 if your system mounts the /usr/ partition via NFS. The /usr/ directory holds important programs essential for the proper functioning of the system. Because the NFS service is not made available by runlevel 2 (local multiuser mode without remote network), the system would be seriously restricted in many aspects.
page 279). After doing so, check whether the system works in the desired way by entering init 5. If everything turns out as expected, you can use YaST to set the default runlevel to 5.

Caution
Modifying /etc/inittab
If /etc/inittab is damaged, the system might not boot properly. Therefore, be extremely careful while editing /etc/inittab and always keep a backup of an intact version.
11.4 Init Scripts

Scripts executed directly by init. This is the case only during the boot process or if an immediate system shutdown is initiated (power failure or a user pressing Ctrl-Alt-Del). For IBM S/390 and zSeries systems, this is the case only during the boot process or if an immediate system shutdown is initiated (power failure or via “signal quiesce”).
Links in each runlevel-specific subdirectory make it possible to associate scripts with different runlevels. When installing or uninstalling packages, such links are added and removed with the help of the program insserv (or using /usr/lib/lsb/install_initd, which is a script calling this program). See the manual page of insserv for details.
11.4.1 Adding init Scripts

You can create your own scripts and easily integrate them into the scheme described above. For instructions about formatting, naming, and organizing custom scripts, refer to the specifications of the LSB and to the man pages of init, init.d/, and insserv. Additionally consult the man pages of startproc and killproc.
and Required-Stop: lines, specify all services that need to be started or stopped, respectively, before the service itself is started or stopped. This information is used later to generate the numbering of script names, as found in the runlevel directories. Under Default-Start: and Default-Stop:, specify the runlevels in which the service should automatically be started or stopped.
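As an added illustration of how the Required-Start: and Default-Start: lines drive the link numbering (this is example code, not part of the manual and not insserv itself): it parses the LSB INIT INFO header of a few constructed scripts, orders them so that every required facility starts first, and derives S/K link names for a runlevel. The two-digit numbering scheme is a simplifying assumption, not insserv's exact algorithm.

```python
"""Added example (not from the SUSE manual): parse the LSB 'INIT INFO' header
of init scripts and derive a start order from their Required-Start: lines,
the way insserv numbers the S/K links in the runlevel directories.
The scripts below are constructed samples; the numbering scheme here is a
simplified assumption, not insserv's exact algorithm."""
import re

# Constructed sample init scripts (headers only).
SCRIPTS = {
    "network": """\
### BEGIN INIT INFO
# Provides:       network
# Required-Start: $local_fs
# Required-Stop:  $local_fs
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
### END INIT INFO
""",
    "cups": """\
### BEGIN INIT INFO
# Provides:       cups
# Required-Start: $network $syslog
# Required-Stop:  $network $syslog
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
### END INIT INFO
""",
    "syslog": """\
### BEGIN INIT INFO
# Provides:       syslog
# Required-Start: $local_fs
# Required-Stop:  $local_fs
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
### END INIT INFO
""",
}

HEADER_RE = re.compile(r"### BEGIN INIT INFO\n(.*?)### END INIT INFO", re.S)


def parse_init_info(text):
    """Return a dict of header keys -> list of values from an LSB header."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no LSB INIT INFO header")
    info = {}
    for line in m.group(1).splitlines():
        line = line.lstrip("# ").rstrip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.split()
    return info


def start_order(scripts):
    """Topologically order scripts so every Required-Start facility is up
    first. System facilities such as $local_fs that no sample script provides
    are treated as already available. Raises ValueError on a cycle."""
    infos = {name: parse_init_info(t) for name, t in scripts.items()}
    provides = {}
    for name, info in infos.items():
        for p in info.get("Provides", [name]):
            provides["$" + p] = name
            provides[p] = name
    order, done, visiting = [], set(), set()

    def visit(name):
        if name in done:
            return
        if name in visiting:
            raise ValueError("dependency cycle at " + name)
        visiting.add(name)
        for dep in infos[name].get("Required-Start", []):
            if dep in provides:
                visit(provides[dep])
        visiting.discard(name)
        done.add(name)
        order.append(name)

    for name in sorted(infos):
        visit(name)
    return order


def link_names(scripts, runlevel):
    """Assumed numbering: position in start order, two digits, for scripts
    whose Default-Start lists the runlevel; K links get the reverse number."""
    infos = {name: parse_init_info(t) for name, t in scripts.items()}
    order = [n for n in start_order(scripts)
             if runlevel in infos[n].get("Default-Start", [])]
    links = []
    for i, name in enumerate(order, start=1):
        links.append("S%02d%s" % (i, name))
        links.append("K%02d%s" % (len(order) - i + 1, name))
    return sorted(links)


if __name__ == "__main__":
    print(start_order(SCRIPTS))
    print(link_names(SCRIPTS, "5"))
```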
Figure 11.1: YaST: Runlevel Editor

This YaST dialog allows the selection of one of the runlevels (as listed in Table 11.1 on page 267) as the new default. Additionally use the table in this window to enable or disable individual services and daemons.
Caution: Changing Runlevel Settings. Faulty runlevel settings may render a system unusable. Before applying your changes, make absolutely sure you know about their consequences.

11.6 SuSEconfig and /etc/sysconfig

The main configuration of SUSE LINUX can be made with the configuration files in /etc/sysconfig/. In the past, SUSE LINUX relied on /etc/rc.
1. Bring the system into single user mode (runlevel 1) with init 1.

Caution: Manual Changes to the System Configuration. If you do not use YaST to change the configuration files in /etc/sysconfig/, make sure that empty variable values are represented by two quotation marks (KEYTABLE="") and that values with blanks in them are enclosed in quotation marks. Values consisting of one word only do not need to be quoted.
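An added check for the quoting rules just stated (example code, not part of the manual or of SuSEconfig): it scans a hand-edited sysconfig file and reports lines with an empty value that is not written as "" or a value with blanks that is not quoted. The file content is constructed.

```python
"""Added example (not from the SUSE manual): check a hand-edited
/etc/sysconfig file for the quoting conventions described above, so a
mistake is caught before SuSEconfig reads the file. SAMPLE is constructed."""
import re

SAMPLE = """\
## Path: Hardware/Keyboard
KEYTABLE=""
COMPOSETABLE="clear latin1.add"
KBD_NUMLOCK=no
KBD_RATE=
KBD_DELAY=250 ms
"""

LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def check_sysconfig(text):
    """Return a list of (line number, message) for lines that break the rules:
    empty values must be written as "", and values containing blanks must be
    enclosed in double quotes. Comments and blank lines are ignored."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "not a VARIABLE=value assignment"))
            continue
        name, value = m.groups()
        quoted = len(value) >= 2 and value.startswith('"') and value.endswith('"')
        if value == "":
            problems.append((lineno, '%s: empty value must be written as ""' % name))
        elif " " in value and not quoted:
            # A shell reading this line would stop the value at the blank.
            problems.append((lineno, "%s: value with blanks must be quoted" % name))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_sysconfig(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```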
the options in an easy-to-read manner. The values can be modified and subsequently added to the individual configuration files in this directory. In general, it is not necessary to edit them manually, however, because these files are automatically adjusted when installing a package or configuring a service.
YaST asks you to confirm your changes and informs you which scripts will be executed after leaving the dialog by selecting ‘Finish’. Also select the services and scripts to skip for now, so they are started later.
12 The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. Moreover, X11 is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet).
12.1 Optimizing the X Configuration

To use the available hardware (mouse, graphics card, monitor, keyboard) in the best way possible, the configuration can be optimized manually. Some aspects of this optimization are explained below. For detailed information about configuring the X Window System, review the various files in the directory /usr/share/doc/packages/xf86 and man XF86Config.
Table 12.1: Sections in /etc/X11/XF86Config (section and meaning)

Files: This section describes the paths used for fonts and the RGB color table.
ServerFlags: General switches are set here.
InputDevice: Input devices, like keyboards and special input devices (touchpads, joysticks, etc.), are configured in this section. Important parameters in this section: Driver and the options defining the Protocol and Device.
Monitor, Device, and Screen are explained in more detail below. Further information about the other sections can be found in the manual pages of XFree86 and XF86Config. There can be several different Monitor and Device sections in XF86Config. Even multiple Screen sections are possible. The following ServerLayout section determines which one is used. 12.1.
After the color depth, a list of resolutions is set in the Modes section. This list is checked by the X server from left to right. For each resolution, a suitable Modeline is searched in the Modes section. The Modeline depends on the capability of both the monitor and the graphics card. The Monitor settings determine the resulting Modeline. The first resolution found is the Default mode.
    Driver      "mga"
    Identifier  "Device[0]"
    VendorName  "Matrox"
    Option      "sw_cursor"
EndSection

If you use SaX2 for configuring, the device section should look something like the above example. Both the Driver and BusID are dependent on the hardware installed in your computer and are detected by SaX2 automatically. The BusID defines the PCI or AGP slot in which the graphics card is installed.
Caution: Those who try to develop their own monitor descriptions should be very familiar with the documentation in /usr/X11/lib/X11/doc. The section covering the video modes deserves a special mention. It describes in detail how the hardware functions and how to create modelines. Manual specification of modelines is rarely required today.
directory. Only CID-keyed fonts require a slightly different procedure. For this, see Section 12.2.1 on page 290.

12.2.1 Font Systems

XFree contains two completely different font systems: the old X11 core font system and the newly designed Xft and fontconfig system. The following sections briefly describe these two systems.
You can also insert rules that influence the appearance of the fonts. For example, enter false to disable antialiasing for all fonts or

However, this is usually not necessary. By default, the user-specific directory ~/.fonts/ is already entered in /etc/fonts/fonts.conf.
monospace: FreeMono

Because nearly all applications use these aliases by default, this affects almost the entire system. Thus, you can easily use your favorite fonts almost everywhere without having to modify the font settings in the individual applications. Use the command fc-list to find out which fonts are installed and available for use.
The font weight, e.g., 80 for regular, 200 for bold.
slant: The slant, usually 0 for none, 100 for italic.
file: The name of the file containing the font.
outline: true for outline fonts, false for other fonts.
scalable: true for scalable fonts, false for other fonts.
bitmap: true for bitmap fonts, false for other fonts.
pixelsize: Font size in pixels.
If the X server is already active, newly installed fonts in mounted directories can be made available with the command xset fp rehash. This command is executed by SuSEconfig --module fonts. As the command xset needs access to the running X server, this will only work if SuSEconfig --module fonts is started from a shell that has access to the running X server.
12.3.1 Hardware Support

SUSE LINUX includes several OpenGL drivers for 3D hardware support. Table 12.3 provides an overview.

Table 12.3: Supported 3D Hardware (OpenGL driver and supported hardware)

nVidia: nVidia Chips: all except Riva 128(ZX)
DRI: 3Dfx Voodoo Banshee, 3Dfx Voodoo-3/4/5, Intel i810/i815/i830M, Intel 845G/852GM/855GM/865G, Matrox G200/G400/G450/G550, ATI Rage 128(Pro)/Radeon
12.3.3 The Diagnosis Tool 3Ddiag

The diagnosis tool 3Ddiag allows verification of the 3D configuration in SUSE LINUX. This is a command line tool that must be started in a terminal. Enter 3Ddiag -h to list possible options for 3Ddiag. To verify the XFree configuration, the tool checks if the packages needed for 3D support are installed and if the correct OpenGL library and GLX extension are used.
12.3.6 Installation Support

12.3.7 Additional Online Documentation

Apart from the software rendering fallback of the DRI driver, all OpenGL drivers in Linux are in developmental phases and are therefore considered experimental. The drivers are included in the distribution because of the high demand for 3D hardware acceleration in Linux.
13 Printer Operation

This chapter provides information about updating from SLES 8 to SUSE LINUX Enterprise Server 9. Additionally, it provides general information about operating printers and helps find suitable solutions for operating printers in networks.

13.1 Updating, Upgrading, and Migrating the Print System . . . 296
13.2 Preparation and Other Considerations . . . . . . .
13.1 Updating, Upgrading, and Migrating the Print System

In the previous version, SuSE Linux Enterprise Server 8, the two print systems, LPRng with lpdfilter and CUPS, were supplied as equal alternatives. In SUSE LINUX Enterprise Server 9, the focus shifts towards CUPS. Additionally, an LPRng configuration can no longer be converted to a CUPS configuration automatically.
http://portal.suse.com/sdb/en/2004/03/jsmeix_printeinrichten-91.html
http://portal.suse.com/sdb/en/2003/09/jsmeix_printeinrichten-90.html

Upgrading CUPS. The existing software packages and the existing configuration files are replaced by the new software packages and their default configuration files. All new features are immediately available, but the queues must be created from scratch.
Using a Test System. The parallel operation of a test system makes it possible to migrate to CUPS in a secure way. The existing LPD print server remains active. SUSE LINUX Enterprise Server 9 is installed with CUPS on an additional system.
13.2 Preparation and Other Considerations

CUPS is the standard print system in SUSE LINUX. CUPS is highly user-oriented. In many cases, it is compatible with LPRng or can be adapted with relatively little effort. LPRng is only included in SUSE LINUX Enterprise Server for reasons of compatibility (see Section 13.1 on page 296).
by HP, there are currently (2004) no printer manufacturers who develop Linux drivers and make them available to Linux distributors under an Open Source license. Most of these printers are in the medium price range.

Proprietary Printers (usually GDI printers). Usually only one or several Windows drivers are available for proprietary printers.
13.3 There are various possibilities for connecting a printer to the system. The configuration of the CUPS print system does not distinguish between a local printer and a printer connected to the system over the network. In Linux, local printers must be connected as described in the manual of the printer manufacturer. CUPS supports serial, USB, parallel, and SCSI connections.
used with one of the included generic PPD files. Normally, PPD files are available on the driver CDs for Windows or MacOS. If the syntax is correct, these files can also be used in Linux. Some printer manufacturers also offer PPD files on the Internet. New PPD files can be stored in the directory /usr/share/cups/model/. However, the preferred approach is to add them to the print system with YaST (see Section 2.4.
The current situation is such that you cannot act on the assumption that every protocol works smoothly in Linux. Therefore, you may have to experiment with various options to achieve a functional configuration. CUPS supports the socket, LPD, IPP, and smb protocols.
smb://user:password@workgroup/server/printer
smb://user:password@host/printer
smb://server/printer

The protocol supported by the printer must be determined prior to the configuration. If the manufacturer does not provide the needed information, the command nmap (nmap package) can be used to guess the protocol. nmap checks a host for open ports. For example: nmap -p 35,137-139,515,631,9100-10000 13.5.
Modifying Options. YaST allows certain options to be activated by default during the installation. These options can be modified for every print job (depending on the print tool used) or specified later (e.g., with YaST).

1. First, list all options: lpoptions -p -l

Example: Resolution/Output Resolution: 150dpi *300dpi 600dpi 1200dpi
13.6.2 Changes in the CUPS Print Service (cupsd)

There are three significant changes in the CUPS print service: cupsd runs as the user lp. Generalized functionality for BrowseAllow and BrowseDeny. cupsd is activated by default. For more information about these changes, see the Support Database article “Printer Configuration from SUSE LINUX 9.0 on” at http://portal.suse.com/sdb/en/2003/09/jsmeix_print-einrichten-90.
Generalized Functionality for BrowseAllow and BrowseDeny. The access permissions set for BrowseAllow and BrowseDeny apply to all kinds of packages sent to cupsd. The default settings in /etc/cups/cupsd.

BrowseAllow @LOCAL
BrowseDeny All

and

Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 127.0.0.2
Allow From @LOCAL
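To see what such an access block actually admits before it goes live, here is an added evaluator (example code, not part of the manual and not cupsd's own code) for Order/Deny/Allow rules in the form shown above. It follows the documented order semantics (Deny,Allow: deny rules first, an Allow match overrides, unmatched clients allowed), and resolves @LOCAL against a constructed list of local networks, where the real cupsd derives it from the host's interfaces.

```python
"""Added example (not from the SUSE manual): evaluate cupsd.conf-style access
rules ('Order Deny,Allow' with 'Deny From' / 'Allow From' lines) for a client
address. @LOCAL is resolved here against LOCAL_NETS, a constructed stand-in
for the networks the real cupsd derives from its interfaces."""
import ipaddress

# Constructed access block, as in the manual's default for cupsd.
RULES = """
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 127.0.0.2
Allow From @LOCAL
"""

# The same block without 'Deny From All' (constructed, to show the difference).
WEAK_RULES = """
Order Deny,Allow
Allow From @LOCAL
"""

# Assumed local networks standing in for what cupsd expands @LOCAL to.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_rules(text):
    """Return (order, allow patterns, deny patterns) from the block."""
    order, allow, deny = "Deny,Allow", [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) >= 2:
            order = parts[1]
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def matches(pattern, addr):
    """Does one From pattern (All, None, @LOCAL, address or CIDR) match addr?"""
    p = pattern.lower()
    if p == "all":
        return True
    if p == "none":
        return False
    if p == "@local":
        return addr.is_loopback or any(addr in net for net in LOCAL_NETS)
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostname patterns are not resolved in this example


def is_allowed(rules_text, client):
    """Decide whether the client address passes the access block."""
    addr = ipaddress.ip_address(client)
    order, allow, deny = parse_rules(rules_text)
    allowed = any(matches(p, addr) for p in allow)
    denied = any(matches(p, addr) for p in deny)
    if order.lower() == "deny,allow":
        # Deny rules first, Allow overrides; unmatched clients are allowed.
        return allowed or not denied
    # Allow,Deny: Allow rules first, Deny overrides; unmatched clients denied.
    return allowed and not denied


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.1.20", "10.0.0.5"):
        print(client, is_allowed(RULES, client), is_allowed(WEAK_RULES, client))
```

Without the Deny From All line, Order Deny,Allow leaves every unmatched client admitted, which is why the default block carries it.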
cups/model/ on the system. For this purpose, the YaST printer configuration generates a database from the vendor and model information extracted from the PPD files. When you select a printer from the list of vendors and models, you receive the PPD files matching the respective vendor and model.
PPD Files from Printer Manufacturers in the manufacturer-PPDs Package. The manufacturer-PPDs package contains PPD files from printer manufacturers that are released under a sufficiently liberal license. PostScript printers should be configured with the suitable PPD file of the printer manufacturer, as this file enables the use of all functions of the PostScript printer.
13.7 Printer Hardware

13.7.1 Printers without Standard Printer Language Support

Printers that do not support any common printer language and can only be addressed with special control sequences are called GDI printers. These printers only work with the operating system versions for which the manufacturer delivers a driver. GDI is a programming interface developed by Microsoft for graphics devices.
13.7.3 Parallel Ports

Parallel ports exist on PC-like platforms only.
Checking the TCP/IP Network. The TCP/IP network and the name resolution must be functional.

Checking a Remote lpd. Use the following command to test if a TCP connection can be established to lpd (port 515) on <host>: netcat -z <host> 515 && echo ok || echo failed. If the connection to lpd cannot be established, lpd may not be active or there may be basic network problems.
The following command can be used to test if a TCP connection can be established to the cupsd (port 631) on <host>: netcat -z <host> 631 && echo ok || echo failed. If the connection to cupsd cannot be established, cupsd may not be active or there may be basic network problems.
80/tcp    open  http
515/tcp   open  printer
631/tcp   open  cups
9100/tcp  open  jetdirect

This output indicates that the printer connected to the print server box can be addressed via TCP socket on port 9100. By default, nmap only checks a number of commonly known ports listed in /usr/share/nmap/nmap-services. To check all possible ports, use the command nmap -p <from_port>-<to_port> <IP-address>. This may take some time.
13.7.7 CUPS Browsing: Deleting Print Jobs

If a CUPS network server broadcasts its queues to the client hosts via browsing and a suitable local cupsd is active on the client hosts, the client cupsd accepts print jobs from the applications and forwards them to the cupsd on the server. When a cupsd accepts a print job, it is assigned a new job number.
3. Some data may still be transferred to the printer even though the print job has been deleted from the queue. Check if a CUPS back-end process is still running for the respective queue and terminate it. For example, for a printer connected to the parallel port, the command fuser -k /dev/lp0 can be used to terminate all processes that are still accessing the printer (more precisely: the parallel port). 4.
14 The Hotplug System

The hotplug system under SUSE LINUX was developed in connection with the Linux Hotplug project, but it has a few distinguishing features. The main difference is that, under SUSE LINUX, the scripts /sbin/hwup and /sbin/hwdown are used instead of the event multiplexer /etc/hotplug.d to initialize or stop hotplug devices.
The hotplug system is not only used for devices that can be inserted and removed during operation, but also for all devices only detected after the kernel has been booted. These devices are entered in the sysfs file system, which is mounted under /sys. Until the kernel has been booted, only devices that are absolutely necessary, such as bus system, boot disks, or keyboard, are initialized.
A hotplug event is a call to a hotplug user-mode tool, such as /sbin/hotplug, which is specified in the file /proc/sys/kernel/hotplug. /sbin/hotplug searches for a hotplug agent that matches the type of event. If there is no suitable agent but there is a dev file in the device path, the agent generic_udev.agent is called.
page for udev (man udev). Another source of information is Section 15 on page 323.

14.4 Automatic Module Loading

If it has not been possible to initialize a device with /sbin/hwup, the agent searches through module maps for a suitable driver. The first place it looks is the maps contained in /etc/hotplug/*.handmap. If it does not find the driver there, it also searches in /lib/modules/ /modules.
14.5 If a computer has more than one network device with different drivers, it is possible for the interface designations to change after the boot process has completed if another driver has been loaded more quickly. For this reason, network devices in SUSE LINUX are administered via a queue. Alter this behavior by setting HOTPLUG_PCI_QUEUE_NIC_EVENTS=no in /etc/sysconfig/hotplug.
.  Device is already initialized and will be skipped.
*  Hotplug event will be created for the device.
W  Device is not on the whitelist and will be skipped.
B  Device is on the blacklist and will be skipped.

14.8 Error Analysis

14.8.1 Log Files

Unless otherwise specified, hotplug only sends a few important messages to syslog. To obtain more information, set HOTPLUG_DEBUG=yes.
15 Linux kernel 2.6 introduces a new user space solution for a dynamic device directory /dev with consistent device designations: udev. The previous implementation of /dev with devfs no longer works and has been replaced by udev.

15.1 Creating Rules
15.2 Automization with NAME and SYMLINK
15.3 Regular Expressions in Keys
15.4 Key Selection
15.5 Consistent Names for Mass Storage Devices
Traditionally, device nodes were stored in the /dev directory on Linux systems. There was a node for every possible type of device, regardless of whether it actually existed in the system. The result was that this directory took up a lot of space. The devfs file system brought a significant improvement, because now only devices that really exist are given a device node in /dev.
15.2 Automization with NAME and SYMLINK

The parameters NAME and SYMLINK allow the use of operators for automatic assignments. These operators refer to kernel data on the corresponding device. A simple example illustrates the procedure:

BUS="usb", SYSFS{vendor}="abc", SYSFS{model}="xyz", NAME="camera%n"

The operator %n in the name is replaced by the number of the camera device: for example, camera0, camera1.
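An added illustration of the rule syntax above (example code, not part of the manual and not udev itself): a small matcher that reads rule lines with BUS, KERNEL and SYSFS{...} match keys plus NAME and SYMLINK assignments, applies them to constructed device records standing in for what udev reads from /sys, and expands the %n (kernel number) and %k (kernel name) operators. Glob matching in keys and the "first matching rule wins" behaviour are assumptions of this example.

```python
"""Added example (not from the SUSE manual): a minimal matcher for udev rule
lines of the kind shown above. RULES and DEVICES are constructed samples;
the match and expansion logic is an illustration, not udev's engine."""
import re

# Constructed rules in the SUSE LINUX 9 udev syntax: comma-separated
# key="value" pairs; match keys are compared, NAME/SYMLINK are assignments.
RULES = [
    'BUS="usb", SYSFS{vendor}="abc", SYSFS{model}="xyz", NAME="camera%n"',
    'BUS="scsi", SYSFS{vendor}="IBM", KERNEL="sd*", NAME="%k", SYMLINK="ibmdisk"',
]

# Constructed device records (what udev would gather from /sys for an event).
DEVICES = [
    {"BUS": "usb", "KERNEL": "video0", "SYSFS": {"vendor": "abc", "model": "xyz"}},
    {"BUS": "usb", "KERNEL": "video1", "SYSFS": {"vendor": "abc", "model": "xyz"}},
    {"BUS": "scsi", "KERNEL": "sda", "SYSFS": {"vendor": "IBM", "model": "ST1"}},
    {"BUS": "scsi", "KERNEL": "sdb", "SYSFS": {"vendor": "abc", "model": "ST2"}},
]

PAIR_RE = re.compile(r'\s*([A-Z_]+)(?:\{([^}]+)\})?\s*=\s*"([^"]*)"\s*(?:,|$)')


def parse_rule(line):
    """Split a rule line into (match keys, assignments)."""
    matches, assigns = {}, {}
    for key, attr, value in PAIR_RE.findall(line):
        if key in ("NAME", "SYMLINK"):
            assigns[key] = value
        elif key == "SYSFS":
            matches.setdefault("SYSFS", {})[attr] = value
        else:
            matches[key] = value
    return matches, assigns


def glob_match(pattern, text):
    """Match keys accept shell-style globs (* and ?); assumed for this example."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None


def rule_matches(matches, dev):
    """Every match key of the rule must agree with the device record."""
    for key, value in matches.items():
        if key == "SYSFS":
            for attr, want in value.items():
                if not glob_match(want, dev["SYSFS"].get(attr, "")):
                    return False
        elif not glob_match(value, dev.get(key, "")):
            return False
    return True


def expand(template, dev):
    """Substitute %k with the kernel name and %n with the kernel number
    (the trailing digits of the kernel name, empty if there are none)."""
    kernel = dev["KERNEL"]
    m = re.search(r"\d+$", kernel)
    number = m.group(0) if m else ""
    return template.replace("%k", kernel).replace("%n", number)


def apply_rules(rules, devices):
    """Return {kernel name: (NAME, SYMLINK or None)} for devices a rule names."""
    parsed = [parse_rule(r) for r in rules]
    result = {}
    for dev in devices:
        for matches, assigns in parsed:
            if rule_matches(matches, dev) and "NAME" in assigns:
                name = expand(assigns["NAME"], dev)
                link = expand(assigns["SYMLINK"], dev) if "SYMLINK" in assigns else None
                result[dev["KERNEL"]] = (name, link)
                break  # first matching rule wins (assumption of this example)
    return result


if __name__ == "__main__":
    for kernel, (name, link) in apply_rules(RULES, DEVICES).items():
        print("%s -> /dev/%s%s" % (kernel, name, " (symlink %s)" % link if link else ""))
```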
15.4 Key Selection

It is essential to choose a good key for every functioning udev rule. Here are some examples of standard keys:

BUS: device bus type
KERNEL: device name the kernel uses
ID: device number on the bus (for example, PCI bus ID)
PLACE: physical point where the device is connected (for example, on USB)

The keys ID and PLACE can be useful, but usually the keys BUS, KERNEL, and SYSFS{...} are used.
From the output information, look for suitable keys that will not change. Remember that you cannot normally use keys from different directories.

15.5 Consistent Names for Mass Storage Devices

SUSE LINUX comes with scripts that help always assign the same designations to hard disks and other storage devices. /sbin/udev.get_persistent_device_name.sh is a wrapper script. First it calls /sbin/udev.
Note: There are a number of tools and programs that rely on the fact that /dev/sda is a SCSI hard disk and /dev/hda is an IDE disk. If this is not the case, these programs will not work. YaST relies on these tools, so it only works with the kernel device designations.
16 This chapter focuses on the use of Linux on mobile devices — especially on laptops. It covers the configuration of PC cards (PCMCIA), the management of multiple system profiles with SCPM, and wireless communication with IrDA and Bluetooth.
16.1 PCMCIA

PCMCIA stands for Personal Computer Memory Card International Association. It is used as a collective term for all hardware and software involved.

16.1.1 The Hardware

The essential component is the PCMCIA card. There are two distinct types: PC Cards. These are currently the most used cards. They use a 16-bit bus for data transmission.
Unfortunately, the two systems are not compatible. They contain different sets of card drivers. Depending on the hardware involved, only one of the systems may be suitable. The default in SUSE LINUX is the more recent kernel PCMCIA. To change the system, give the variable PCMCIA_SYSTEM in the file /etc/sysconfig/pcmcia either the value external or kernel. Then restart PCMCIA with rcpcmcia restart.
If a card is inserted, card manager or hotplug determines the type and function of the card then loads the corresponding modules. If this is successful, card manager or hotplug starts certain initialization scripts. Depending on the function of the card, they establish a network connection, mount partitions from external SCSI hard drives, or carry out other hardware-specific actions.
Card manager refers to the files /etc/pcmcia/config and /etc/pcmcia/*.conf for the assignment of drivers to PCMCIA cards. First, config is read then the *.conf files in alphabetical order. The last entry found for a card is used. Refer to the manual page of pcmcia for details on the syntax of these files.

Network Cards (Ethernet, Wireless LAN, and Token Ring). These can be set up with YaST like normal network cards.
SCSI and IDE. The corresponding driver module is loaded by the card manager or hotplug. When a SCSI or IDE card is inserted, the devices connected to it are available. The device names are detected dynamically. Information about existing SCSI or IDE devices can be found in /proc/scsi/ or /proc/ide/.
Note: modprobe -t

First, find out if the problem is with the card or with the PCMCIA base system. For this reason, always start the computer first without the card inserted. Only insert the card when the base system appears to function correctly. Use tail -f /var/log/messages to monitor the system log while searching for the cause of the PCMCIA failure.
If the chosen option is successful, write it to the variable PCMCIA_CORE_OPTS in /etc/sysconfig/pcmcia to use it permanently: PCMCIA_CORE_OPTS="do_apm=0". Checking free I/O areas may lead to problems if other hardware components are disturbed by this. Avoid this by using probe_io=0.
Driver Not Loaded. Wrong assignments of cards and drivers in the driver database may result in a driver not being loaded. This may happen if a vendor uses a different chip in an apparently unchanged card. Alternative drivers may also offer better support for a particular card than the default assignment. In these cases, precise information about the card is required.
One problem that sometimes occurs with 10/100-Mbit network cards is incorrect automatic identification of the transmission method. Use the command ifport or mii_tool to view and modify the transmission method. To have these commands run automatically, the script /etc/pcmcia/network must be adjusted.
16.1.6 Other Utilities

cardctl is an essential tool for obtaining information from PCMCIA and carrying out certain actions. cardctl provides many details. Enter just cardctl to obtain a list of the valid commands. The main functions can be controlled with the graphical front-end cardinfo. For this to work, the pcmcia-cardinfo package must be installed.

knowledge of Linux, however.
16.1.8 For More Information

For more information about specific laptops, visit the Linux Laptop home page at http://linux-laptop.net. Another good source of information is the Mobilix home page at http://tuxmobil.org/. The SUSE LINUX Support Database features several articles on the use of SUSE LINUX on mobile devices. Go to http://portal.suse.de/sdb/en/index.html and search for laptop. 16.
16.2.1 Basic Terminology and Concepts

The term system configuration refers to the complete configuration of the computer. It covers all fundamental settings, like use of partitions, network settings, time zone selection, and keyboard mappings. A profile, also called configuration profile, is a state that has been preserved and can be restored at any time. Active profile refers to the profile last selected.
16.2.3 Configuring SCPM

SCPM must be activated before use. By default, SCPM handles network and printer settings as well as the XFree86 configuration. To manage special services or configuration files, activate appropriate resource groups. To list the predefined resource groups, use scpm list_groups. To see only the groups already activated, use scpm list_groups -a. Issue these commands as root on the command line.
16.2.5 Switching Configuration Profiles

When switching profiles, SCPM first checks which resources of the active profile have been modified. It then queries whether the modification of each resource should be added to the active profile or dropped. If you prefer a separate listing of the resources (as in former versions of SCPM), use the switch command with the -r parameter: scpm switch -r work.
2. The services are stopped.
3. The poststop action of the profile work is executed.
4. The system configuration is changed.
5. The prestart action of the profile home is executed.
6. The services are started.
7. The poststart action of the profile home is executed.
Example 16.1: The File /boot/grub/menu.
    image  = /boot/vmlinuz
    label  = road
    root   = /dev/hda6
    initrd = /boot/initrd
    append = "vga=0x317 hde=ide-scsi PROFILE=road"

16.2.8 Troubleshooting

In most cases, SCPM should function smoothly. There are, however, some pitfalls, which are described here. SCPM is currently not able to survive a system update.
There are two IrDA operation modes. The standard mode, SIR, accesses the infrared port through a serial interface. This mode works on almost all systems and is sufficient for most requirements. The faster mode, FIR, requires a special driver for the IrDA chip. Not all chip types are supported in FIR mode because of a lack of appropriate drivers. Set the desired IrDA mode in the BIOS of your computer.
16.3.3 Usage
Data can be sent to the device file /dev/irlpt0 for printing. The device file /dev/irlpt0 acts just like the normal /dev/lp0 cabled interface, except the printing data is sent wirelessly with infrared light. Printers used with the infrared interface are installed just like printers connected to parallel or serial ports.
A simple CCD video camera can also help in determining whether the infrared LED lights up at all. Most video cameras can see infrared light; the human eye cannot.
16.4 Bluetooth — Wireless Connections
Bluetooth is a wireless technology for connecting various devices.
16.4.3 Configuration
The configuration files described in this section can only be modified by the user root. Currently, there is no graphical user interface for setting the parameters. Therefore, the files must be modified with a text editor. A PIN number provides basic protection against unwanted connections.
Note: Other functionalities of the above-mentioned Bluetooth applications can be viewed with man .
The following paragraphs describe the main tools needed for working with Bluetooth. Konqueror provides a Bluetooth extension. The URL sdp:// displays local Bluetooth devices (physically connected to the host) as well as remote Bluetooth devices (accessible by way of a wireless connection).
sdptool
The program sdptool can be used to check which services are made available by a specific device. The command sdptool browse returns all services of a device. The command sdptool search can be used to search for a specific service. This command scans all accessible devices for the requested service.
On H2: Now H1 can be accessed from H2 under the IP 192.168.1.3. Use the command ssh 192.168.1.4 to access H2 from H1 (provided H2 runs an sshd, which is activated by default in SUSE LINUX). The command ssh 192.168.1.4 can also be run as a normal user.
16.4.6 Troubleshooting
If you have difficulties establishing a connection, proceed as follows:
1. Check the output of hcitool dev. Is the local device listed? If not, hcid may not have been started or the device may not be recognized as a Bluetooth device (either because the driver is not able to do this or because the device is defective).
16.4.7 For More Information
An extensive overview of various instructions for the use and configuration of Bluetooth is available at http://www.holtmann.org/linux/bluetooth/. For information about connecting to a PalmOS PDA, see http://www.cs.ucl.ac.uk/staff/s.zachariadis/btpalmlinux.html.
This chapter provides an overview of the various power management technologies in Linux. The configuration of all available APM (advanced power management), ACPI (advanced configuration and power interface), and CPU frequency scaling settings is described in detail.
Unlike APM, which was previously used on laptops for power management only, the hardware information and configuration tool ACPI is available on all modern computers (laptops, desktops, and servers). On many types of modern hardware, the CPU frequency can be adapted to the situation, which helps save valuable battery time especially on mobile devices (CPU frequency scaling).
Battery monitor
In addition to monitoring the battery charge level, something must be done when power reserves are low. This control function is handled by ACPI or APM.
Automatic power-off
Following a shutdown, the computer is powered off. This is especially important when an automatic shutdown is performed shortly before the battery is empty.
17.2 APM
Some of the power saving functions are performed by the APM BIOS itself. On many laptops, standby and suspend states can be activated with key combinations or by closing the lid, without any special operating system function. However, to activate these modes with a command, certain actions must be triggered before the system is suspended.
17.2.1 The APM Daemon (apmd)
The apmd daemon (package apmd) monitors the battery and can trigger certain actions when a standby or a suspend event occurs.
APMD_ADJUST_DISK_PERF
Adapts the disk performance to the power supply status. This can be done with a number of additional variables beginning with APMD_BATTERY (for battery operation) or APMD_AC (for AC operation).
APMD_TURN_OFF_IDEDMA_BEFORE_SUSPEND
Sometimes, resuming after a suspend may not work if an IDE device (hard disk) is still in DMA mode. Other options include the possibility to correct the key repeat rate or the clock after a suspend or to shut down the laptop automatically when the APM BIOS sends a “battery critical” event.
17.3.1 ACPI in Action
Subsequently, a number of modules must be loaded. This is done by the start script of the ACPI daemon. If any of these modules causes problems, the respective module can be excluded from loading or unloading in /etc/sysconfig/powersave/common. The system log (/var/log/messages) contains the messages of the modules, enabling you to see which components were detected.
/proc/acpi/ac_adapter/AC/state
Shows whether the AC adapter is connected.
/proc/acpi/battery/BAT*/{alarm,info,state}
Detailed information about the battery state. The charge level is read by comparing the last full capacity from info with the remaining capacity from state. A more convenient way to do this is to use one of the special programs introduced in Section 17.3.3 on page 366.
/proc/acpi/thermal_zone/
A separate subdirectory exists for every thermal zone.
/proc/acpi/thermal_zone/*/temperature
Current temperature of the thermal zone.
/proc/acpi/thermal_zone/*/state
The state indicates if everything is “ok” or if ACPI applies “active” or “passive” cooling. In the case of ACPI-independent fan control, this state will always be “ok”.
powermanagement. For more options, modify the script /usr/sbin/acpid_proxy or the acpid configuration in /etc/acpi/. Unlike apmd, little is preconfigured here, as ACPI in Linux is still in a very dynamic development stage. If necessary, configure acpid according to your needs. If you have any suggestions regarding preparatory actions, contact us through http://www.suse.de/feedback.
Caution: Take a closer look at the boot messages, for example, with the command dmesg | grep -2i acpi (or all messages, as the problem may not be caused by ACPI) after booting. If an error occurs while parsing an ACPI table, the most important table — the DSDT — can be replaced with an improved version. In this case, the faulty DSDT of the BIOS will be ignored. The procedure is described in Section 17.5.
17.4 Rest for the Hard Disk
In Linux, a hard disk that is not used can be put to sleep. The hdparm utility modifies various hard disk settings. The option -y instantly switches the hard disk to the standby mode. -Y (caution) puts it to sleep. hdparm -S causes the hard disk to be spun down after a certain period of inactivity.
Another important factor is the way active programs behave. For example, good editors regularly write hidden backups of the currently modified file to the hard disk, causing the disk to wake up. Features like this can be disabled at the expense of data integrity. In this connection, the mail daemon postfix makes use of the variable POSTFIX_LAPTOP.
17.5.1 Configuration of powersave
Normally, the configuration of powersave is distributed to several files:
/etc/powersave.conf
The powersave daemon needs this file for delegating system events to the powersave_proxy. Additionally, custom settings for the behavior of the daemon can be made in this file.
POWERSAVE_EVENT_GLOBAL_SUSPEND="prepare_suspend"
POWERSAVE_EVENT_GLOBAL_STANDBY="prepare_standby"
POWERSAVE_EVENT_GLOBAL_RESUME_SUSPEND="restore_after_suspend"
POWERSAVE_EVENT_GLOBAL_RESUME_STANDBY="restore_after_standby"
In /etc/powersave.conf (configuration file of the powersave daemon), these events are allocated to the powersave_proxy script.
Adapting the Power Consumption to Various Conditions
The system behavior can be adapted to the type of power supply. Thus, the power consumption of the system should be reduced when the system is disconnected from the AC power supply and operated with the battery. In the same way, the performance should automatically be increased as soon as the system is connected to the AC power supply.
Further throttling of the CPU performance is possible if the CPU load does not exceed a specified limit for a specified time. Specify the load limit in POWERSAVED_CPU_LOW_LIMIT and the time-out in POWERSAVED_CPU_IDLE_TIMEOUT.
17.5.4 Troubleshooting
All error messages and alerts are logged to /var/log/messages.
Whenever you uninstall the kernel and use mkinitrd to create an initrd, the modified DSDT is integrated and loaded when the system is booted.
CPU Frequency Does Not Work
Refer to the kernel sources (kernel-source) to see if your processor is supported. You may need a special kernel module or module option to activate CPU frequency control. This information is available in /usr/src/linux/Documentation/cpu-freq/*.
Using ACPI, powersave Does Not Notice Battery Limit
With ACPI, the operating system can request the BIOS to send a message when the battery charge level drops under a certain limit. The advantage of this method is that the battery state does not need to be polled constantly, which would impair the performance of the computer.
17.6 The YaST Power Management Module
Figure 17.1: YaST Power Management: Scheme Selection
The BIOS of your system notifies the operating system whenever the charge level drops under certain configurable limits. In this dialog, define three limits: ‘Warning Capacity’, ‘Low Capacity’, and ‘Critical Capacity’. Specific actions are triggered when the charge level drops under these limits.
Figure 17.2: YaST Power Management: Overview of Existing Schemes
activates the power supply and boots the computer. The advantage of this method is that computers do not have to be switched on permanently (which saves energy), but they can be activated via WOL.
Note: Support for WOL. Wake on LAN only works with more recent motherboards that support this functionality in their BIOS.
Figure 17.3: YaST Power Management: Adding a Scheme
in the ‘OnBoard Device Configuration’, ‘Boot’, or ‘PowerSave’ menu. In case of doubt, consult the documentation for your motherboard. Further check that your system has the latest BIOS and, if necessary, update it. Information about BIOS updates can be found on the home page of the relevant motherboard vendor.
Figure 17.4: YaST Power Management: Battery Charge Level
existing computers on your network that you can include in your WOL list. If a DHCP server is not running, enter the remote computers manually. Click ‘Add’ and enter the host name and MAC (media access connector) address for the network card.
Figure 17.5: YaST Power Management: ACPI Settings
17.7.4 Further Information
Further information is available in the mini HOWTO for WOL at http://gsd.di.uminho.pt/jpo/software/wakeonlan/mini-howto/wolmini-howto.html.
18 File Systems in Linux
Linux supports a number of different file systems. This chapter presents a brief overview of the most popular Linux file systems, elaborating on their design concept, advantages, and fields of application. Some additional information about LFS (large file support) in Linux is also provided.
18.1 Glossary
metadata
A file system–internal data structure that assures all the data on disk is properly organized and accessible. Essentially, it is “data about the data.” Almost every file system has its own structure of metadata, which is partly why the file systems show different performance characteristics.
18.2.1 Ext2
The origins of Ext2 go back to the early days of Linux history. Its predecessor, the Extended File System, was implemented in April 1992 and integrated in Linux 0.96c. The Extended File System underwent a number of modifications and, as Ext2, became the most popular Linux file system for years.
18.2.2 Ext3
Ext3 was designed by Stephen Tweedie. Unlike all other “next-generation” file systems, Ext3 does not follow a completely new design principle. It is based on Ext2. These two file systems are very closely related to each other. An Ext3 file system can be easily built on top of an Ext2 file system. The most important difference between Ext2 and Ext3 is that Ext3 supports journaling.
18.2.3 Converting an Ext2 File System into Ext3
Creating the Journal
Log in as root and run tune2fs -j. This creates an Ext3 journal with the default parameters. To decide yourself how large the journal should be and on which device it should reside, run tune2fs -J instead together with the desired journal options size= and device=.
not allocated in chunks of 1 or 4 kB, but in portions of the exact size needed. Another benefit lies in the dynamic allocation of inodes. This keeps the file system more flexible than traditional file systems, like Ext2, where the inode density must be specified at file system creation time.
18.2.6 XFS
Originally intended as the file system for their IRIX OS, SGI started XFS development in the early 1990s. The idea behind XFS was to create a high-performance 64-bit journaling file system to meet the extreme computing challenges of today. XFS is very good at manipulating large files and performs well on high-end hardware. However, even XFS has a drawback.
the time XFS decides where actually to save it. Thus XFS increases write performance and reduces file system fragmentation. Because delayed allocation results in less frequent write events than in other file systems, it is likely that data loss after a crash during a write is more severe.
Server Message Block: used by products such as Windows to enable file access over a network.
sysv
Used on SCO UNIX, Xenix, and Coherent (commercial UNIX systems for PCs).
ufs
Used by BSD, SunOS, and NeXTstep. Only supported in read-only mode.
umsdos
UNIX on MSDOS: applied on top of a normal fat file system. Achieves UNIX functionality (permissions, links, long file names) by creating special files.
Ext2 or Ext3 (8 kB block size) (systems with 8 kB pages, like Alpha)
ReiserFS 3.5
ReiserFS 3.6 (under Linux 2.
http://www.zipworld.com.au/~akpm/linux/ext3/
http://oss.software.ibm.com/developerworks/opensource/jfs/
http://oss.sgi.com/projects/xfs/
A comprehensive multipart tutorial about Linux file systems can be found at IBM developerWorks: http://www-106.ibm.com/developerworks/library/l-fs.html. For a comparison of the different journaling file systems in Linux, look at Juan I.
This chapter contains a short overview of the key concepts and tools from the area of high availability under Linux. It also offers suggested further reading for all the topics mentioned.
High availability describes systems that can mask certain malfunctions — in particular, the failure of individual computers — so the service can be made available to the user again after only a short downtime. Hardware and software are carefully coordinated and laid out for redundancy, enabling an automatic switch to the other components in the event of a malfunction.
Load Balancing
The distribution of load within a cluster of computers. Load balancing is used in an LVS scenario (Linux virtual server), for example (see Section 19.5.2 on page 399).
STONITH
Shoot the other node in the head: Special hardware and software that ensures that a faulty node does not write-access distributed media within a cluster, threatening data consistency in the entire cluster.
Figure 19.1: A Simple High Availability Cluster
hit by disaster or power failures. The environmental conditions of the servers should also be taken into account — (redundant) air conditioning systems are essential.
Hardware
Even the most sophisticated software cannot produce a high availability system without the greatest possible security from failure on a hardware level.
Hard Disks
Assign several hard disks to your system and arrange the data backup (e.g., using RAID or drbd) in such a way that if one of these disks is lost, the others always contain the intact data record. It must be possible to replace a faulty disk with a new one without stopping the system.
members of the cluster to find out which nodes in the cluster are active. If a node fails, it does not emit a signal. In this case, heartbeat ensures that another node takes over the relevant tasks and identity and makes the failover known within the network. This means that the cluster remains consistent. At present, the heartbeat failover function is limited to two nodes.
19.5 Clustering
The cluster alias is a technology that allows several nodes to be configured with a shared IP address, while also permitting TCP/IP connections to be established at this address. Inbound TCP/IP connections are automatically distributed. Unlike the Linux virtual server, a dedicated load balancer is not required.
19.6 For More Information
19.6.1 HA in General and Heartbeat
The primary source for information about high availability under Linux is the home page of the Linux-HA project (http://linux-ha.org). This contains a wide range of tips and links to documentation, reports, and scenarios.
Find information about the Oracle cluster file system on the project home page at http://oss.oracle.com/projects/ocfs/ and detailed documentation under http://oss.oracle.com/projects/ocfs/documentation/.
Linux uses PAM (Pluggable Authentication Modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a system-wide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
System administrators and programmers often want to restrict access to certain parts of the system or to limit the use of certain functions of an application. Without PAM, applications must be adapted every time a new authentication mechanism (such as LDAP or SAMBA) is introduced. This process, however, is rather time-consuming and error-prone.
password
The purpose of this type of module is to enable the change of an authentication token. In most cases, this is a password.
session
Modules of this type are responsible for managing and configuring user sessions. They are started before and after authentication to register login attempts in system logs and to configure the user’s specific environment (mail accounts, home directory, system limits, etc.).
The module path does not need to be specified explicitly, as long as the module is located in the default directory /lib/security/ (for all 64 bit platforms supported by SUSE LINUX, the directory is /lib64/security/). The fourth column may contain an option for the given module, such as debug (enables debugging) or nullok (allows the use of empty passwords).
The following two modules are of the password type and must also be successfully completed (control flag required) whenever the application requests the change of an authentication token. Changing a password or another authentication token requires a security check.
/etc/passwd, /etc/shadow, NIS maps, NIS+ tables, or from an LDAP database. The behavior of this module can be influenced by configuring the PAM options of the individual application itself or globally by editing /etc/security/pam_unix2.conf. A very basic configuration file for the module is shown in Example 20.2.
Example 20.2: pam_unix2.
Example 20.3: pam_env.conf
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. More information can be obtained from the comments in the file /etc/security/pam_env.conf.
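The DEFAULT/OVERRIDE resolution that Example 20.3 relies on, as an added illustration that is not part of the manual and not the pam_env module's own code. It models the documented rule (OVERRIDE wins when it expands to a non-empty value, otherwise DEFAULT is used; @{...} names a PAM item, ${...} an already set pam_env variable or a process environment variable) for unquoted values only, and the sample items and environment are constructed.

```python
import re

# Example 20.3 from the manual, embedded here as the sample configuration.
SAMPLE_PAM_ENV_CONF = """
# VARIABLE [DEFAULT=value] [OVERRIDE=value]
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""

# ${NAME} -> pam_env variable or process environment, @{NAME} -> PAM item
_REF = re.compile(r"([@$])\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_pam_env(text):
    """Parse pam_env.conf lines into (name, default, override) triples.

    Assumption: values contain no spaces, so no quoting is handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        name, default, override = fields[0], "", ""
        for field in fields[1:]:
            if field.startswith("DEFAULT="):
                default = field[len("DEFAULT="):]
            elif field.startswith("OVERRIDE="):
                override = field[len("OVERRIDE="):]
            else:
                raise ValueError(f"unknown field {field!r} in {raw!r}")
        entries.append((name, default, override))
    return entries


def expand(value, pam_items, pam_env, process_env):
    """Replace @{ITEM} and ${VAR} references; unknown names expand to ''."""
    def substitute(match):
        kind, name = match.group(1), match.group(2)
        if kind == "@":
            return pam_items.get(name, "")
        if name in pam_env:          # variables set by earlier lines win
            return pam_env[name]
        return process_env.get(name, "")
    return _REF.sub(substitute, value)


def resolve_pam_env(text, pam_items, process_env=None):
    """Return the variables pam_env would set for the given PAM items.

    PAM_RHOST is whatever the calling service reports for the remote host,
    so once it flows into REMOTEHOST and DISPLAY it is client-influenced
    data; anything consuming those variables should treat them accordingly.
    """
    process_env = {} if process_env is None else process_env
    result = {}
    for name, default, override in parse_pam_env(text):
        chosen = expand(override, pam_items, result, process_env)
        if not chosen:               # empty OVERRIDE falls back to DEFAULT
            chosen = expand(default, pam_items, result, process_env)
        result[name] = chosen
    return result


if __name__ == "__main__":
    # Constructed sample: a remote login where the service set PAM_RHOST.
    print(resolve_pam_env(SAMPLE_PAM_ENV_CONF, {"PAM_RHOST": "host.example.org"}))
    # Constructed sample: a local login with no PAM_RHOST and no DISPLAY.
    print(resolve_pam_env(SAMPLE_PAM_ENV_CONF, {}))
```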
20.4 For More Information
In the directory /usr/share/doc/packages/pam/ of your installed system, find the following additional documentation:
READMEs
In the top level of this directory, there are some general README files. The subdirectory modules/ holds README files about the available PAM modules.
Part III Services
Linux, really a child of the Internet, offers all the necessary networking tools and features for integration into all types of network structures. An introduction into the customary Linux protocol, TCP/IP, follows. The various services and special features of this protocol are discussed. Network access using a network card can be configured with YaST.
21.1 TCP/IP — The Protocol Used by Linux
Linux and other Unix operating systems use the TCP/IP protocol. It is not a single network protocol, but a family of network protocols that offer various services. TCP/IP was developed based on an application used for military purposes and was defined in its present form in an RFC in 1981. RFC stands for Request for Comments.
User Datagram Protocol: A connectionless, insecure protocol. The data to transmit is sent in the form of packets generated by the application. The order in which the data arrives at the recipient is not guaranteed and data loss is a possibility. UDP is suitable for record-oriented applications. It features a smaller latency period than TCP.
Figure 21.1: Simplified Layer Model for TCP/IP
The diagram provides one or two examples for each layer. As you can see, the layers are ordered according to abstraction levels. The lowest layer is very close to the hardware. The uppermost layer, however, is almost a complete abstraction from the hardware. Every layer has its own special function.
For every layer to serve its designated function, additional information regarding each layer must be saved in the data packet. This takes place in the header of the packet. Every layer attaches a small block of data, called the protocol header, to the front of each emerging packet. A sample TCP/IP data packet traveling over an ethernet cable is illustrated in Figure 21.2.
21.1.2 IP Addresses and Routing
Note: The discussion in the following sections is limited to IPv4 networks. For information about IPv6 protocol, the successor to IPv4, refer to Section 21.2 on page 422.
IP Addresses
Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Table 21.1.
Netmasks and Routing
Before a network packet is sent, the following runs on the computer: the IP address is linked to the netmask via a logical AND and the address of the sending host is likewise connected to the netmask via the logical AND. If there are several network interfaces available, normally all possible sender addresses are verified. The results of the AND links are compared.
However, the economical ethernet is not suitable for covering larger distances. You must transfer the IP packets to another hardware (such as FDDI or ISDN). Devices for this transfer are called routers or gateways. A Linux machine can carry out this task. The respective option is referred to as ip_forwarding. If a gateway has been configured, the IP packet is sent to the appropriate gateway.
Table 21.3: Private IP Address Domains
Domain                     Addresses
10.0.0.0/255.0.0.0         10.x.x.x
172.16.0.0/255.240.0.0     172.16.x.x – 172.31.x.x
192.168.0.0/255.255.0.0    192.168.x.x
21.1.3 Domain Name System
DNS assists in assigning an IP address to one or more names and assigning a name to an IP address. In Linux, this conversion is usually carried out by a special type of software known as bind.
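The netmask comparison described under "Netmasks and Routing", together with the gateway decision and the private ranges of Table 21.3, as an added example that is not part of the manual. It reproduces the AND-and-compare step the text describes; the interface list, gateway and addresses are constructed sample values (192.168.1.3 and 192.168.1.4 are the hosts used in the Bluetooth section).

```python
# Network/netmask pairs exactly as listed in Table 21.3.
PRIVATE_RANGES = {
    "10.0.0.0": "255.0.0.0",
    "172.16.0.0": "255.240.0.0",
    "192.168.0.0": "255.255.0.0",
}


def ip_to_int(dotted):
    """Convert dotted-quad notation into the 32-bit integer it stands for."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(addr, netmask):
    """The 'logical AND' from the text: address AND netmask, as dotted quad."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(netmask))


def same_network(addr_a, addr_b, netmask):
    """AND both addresses with the netmask and compare the results."""
    return network_of(addr_a, netmask) == network_of(addr_b, netmask)


def next_hop(dest, interfaces, default_gateway):
    """Decide where a packet for dest is handed over.

    interfaces is a list of (local address, netmask) pairs; every possible
    sender address is checked, as the text says. If one of them shares the
    destination's network the packet goes out directly, otherwise it is sent
    to the configured gateway.
    """
    for local_addr, netmask in interfaces:
        if same_network(dest, local_addr, netmask):
            return ("direct", dest)
    return ("gateway", default_gateway)


def private_range(addr):
    """Return the Table 21.3 domain an address belongs to, or None."""
    for network, netmask in PRIVATE_RANGES.items():
        if same_network(addr, network, netmask):
            return f"{network}/{netmask}"
    return None


if __name__ == "__main__":
    # Constructed sample host: one interface in 192.168.1.0/24, gateway .1
    ifaces = [("192.168.1.3", "255.255.255.0")]
    print(next_hop("192.168.1.4", ifaces, "192.168.1.1"))   # direct
    print(next_hop("10.20.30.40", ifaces, "192.168.1.1"))   # via gateway
    for sample in ("172.31.9.9", "172.32.0.1", "8.8.8.8"):
        print(sample, "->", private_range(sample))
```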
DNS can do more than just resolve host names. The name server also knows which host is receiving e-mails for an entire domain — the mail exchanger (MX). For your machine to resolve an IP address, it must know about at least one name server and its IP address. Easily specify such a name server with the help of YaST. If you have a modem dial-up connection, you may not need to configure a name server manually at all.
With IPv6, both the address shortage and the complicated configuration should be a thing of the past. The following sections tell more about the improvements and benefits brought by IPv6 and about the transition from the old protocol to the new one.
Mobility
IPv6 makes it possible to assign several addresses to one network interface at the same time.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 425 — #451 i i 21.2.2 The IPv6 Address System When dealing with IPv6, it is useful to know about three different types of addresses: Linux in the Network As mentioned, the current IP protocol is lacking in two important aspects: there is an increasing shortage of IP addresses and configuring the network and maintaining the routing tables is becoming a more complex and burdensome task.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 426 — #452 i i i double colon. However, only one such :: is allowed per address. This kind of shorthand notation is shown in Example 21.3, where all three lines represent the same address. Example 21.3: Sample IPv6 Address fe80 : 0000 : 0000 : 0000 : 0000 : 10 : 1000 : 1a4 fe80 : 0 : 0 : 0 : 0 : 10 : 1000 : 1a4 fe80 : : 10 : 1000 : 1a4 Each part of an IPv6 address has a defined function.
Aggregatable global unicast addresses. As is the case with IPv4, an interface can be assigned to form part of a certain subnetwork. Currently, there are the following address spaces: 2001::/16 (production quality address space) and 2002::/16 (6to4 address space).

fe80::/10 Link-local addresses. Addresses with this prefix should not be routed and should therefore only be reachable from within the same subnetwork.

On top of this basic structure, IPv6 distinguishes between five different types of unicast addresses:

:: (unspecified) This address is used by the host as its source address when the interface is initialized for the first time — when the address cannot yet be determined by other means.

::1 (loopback) The address of the loopback device.

For a host to go back and forth between different networks, it needs at least two addresses. One of them, the home address, not only contains the interface ID but also an identifier of the home network to which it normally belongs (and the corresponding prefix). The home address is a static address and, as such, it does not normally change.

However, the configuration and maintenance of static tunnels is often too labor-intensive to use them for daily communication needs. Therefore, IPv6 provides for three different methods of dynamic tunneling:

6over4 IPv6 packets are automatically encapsulated as IPv4 packets and sent over an IPv4 network capable of multicasting.

http://www.bieringer.de/linux/IPv6/ Here, find the Linux IPv6-HOWTO and many links related to the topic.
http://www.6bone.net/ Visit this site if you want to join a tunneled IPv6 network.
http://www.ipv6.org/ The starting point for everything about IPv6.
RFC 2640 The fundamental RFC about IPv6.
http://www.ngnet.it/e/cosa-ipv6.

Hotplug network cards are not assigned a static interface name, so the configuration for one of those cards cannot be stored under the name of the interface. Instead, a name is used that contains the kind of hardware and the connection point. In the following, this name is referred to as the hardware description. ifup must be started with two arguments — the hardware description and the current interface name.

21.3.1 Configuration Files

/etc/sysconfig/hardware/* This directory contains a separate file for every device (network card). These files contain the configuration parameters (kernel module, start mode, script associations, etc.).

/etc/sysconfig/network/ifcfg-* These files contain data specific to a network interface.

/etc/resolv.conf The domain to which the host belongs is specified in this file (keyword search). Also listed is the address of the name server (keyword nameserver) to access. Multiple domain names can be specified. When resolving a name that is not fully qualified, an attempt is made to generate one by attaching the individual search entries.

/etc/hosts

Example 21.6: /etc/hosts

    127.0.0.1    localhost
    192.168.0.20 sun.example.com sun
    192.168.0.0  earth.example.com earth

In this file (see Example 21.6), IP addresses are assigned to host names. If no name server is implemented, all hosts to which an IP connection will be set up must be listed here.

Table 21.5: Parameters for /etc/host.conf

order hosts, bind   Specifies in which order the services are accessed for the name resolution. Available arguments are (separated by blank spaces or commas):
                    hosts: Searches the /etc/hosts file
                    bind: Accesses a name server
                    nis: Via NIS
multi on/off        Defines if a host entered in /etc/hosts can have multiple IP addresses.

Example 21.9: /etc/nsswitch.conf

    passwd:     compat
    group:      compat
    hosts:      files dns
    networks:   files dns
    services:   db files
    protocols:  db files
    netgroup:   files
    automount:  files nis

The “databases” available over NSS are listed in Table 21.6. In addition, automount, bootparams, netmasks, and publickey are expected in the near future.
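How the three files just described work together at lookup time, as an added example that is not code from the manual: the search list of /etc/resolv.conf completes an unqualified name, /etc/hosts is consulted as the files source, and the hosts: line of /etc/nsswitch.conf fixes the order of sources. All file contents below are constructed for this example, and the FAKE_DNS table stands in for a real name server.

```python
from typing import Dict, List, Optional

# Added example, not from the manual: a miniature of the host-name lookup
# that /etc/hosts, the search list in /etc/resolv.conf and the hosts: line
# of /etc/nsswitch.conf together define. Every file below is constructed
# for this example, and FAKE_DNS stands in for a real name server.

HOSTS_FILE = """\
# constructed /etc/hosts
127.0.0.1    localhost
192.168.0.20 sun.example.com   sun
192.168.0.21 earth.example.com earth
"""

RESOLV_CONF = """\
search example.com lab.example.com
nameserver 192.168.0.1
"""

NSSWITCH_CONF = "hosts: files dns\n"

# Answers a name server would give (constructed). Note the deliberate
# collision: "sun.lab.example.com" also exists in DNS.
FAKE_DNS: Dict[str, str] = {
    "www.example.com": "192.168.0.80",
    "sun.lab.example.com": "10.9.9.9",
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every name and alias in an /etc/hosts listing to its address."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])  # first entry wins
    return table


def parse_search_list(text: str) -> List[str]:
    """The 'search' (or older 'domain') entry of /etc/resolv.conf."""
    search: List[str] = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("search", "domain"):
            search = fields[1:]
    return search


def parse_hosts_sources(text: str) -> List[str]:
    """The source order on the hosts: line of /etc/nsswitch.conf."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "hosts:":
            return fields[1:]
    return ["files", "dns"]  # assumed fallback when the line is absent


def candidates(name: str, search: List[str]) -> List[str]:
    """A name ending in '.' is fully qualified and tried as is; otherwise the
    name itself is tried and then the name with each search domain appended."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return [name] + [f"{name}.{domain}" for domain in search]


def resolve(name: str, hosts: Dict[str, str], search: List[str],
            sources: List[str], dns: Dict[str, str]) -> Optional[str]:
    """Walk the NSS sources in order; within each, try every candidate name."""
    for source in sources:
        for cand in candidates(name, search):
            if source == "files":
                hit = hosts.get(cand.lower())
            elif source == "dns":
                hit = dns.get(cand.lower())
            else:
                hit = None  # nis and other sources are not modelled here
            if hit:
                return hit
    return None


def lookup(name: str, nsswitch: str = NSSWITCH_CONF) -> Optional[str]:
    """Convenience wrapper over the constructed files above."""
    return resolve(name, parse_hosts(HOSTS_FILE), parse_search_list(RESOLV_CONF),
                   parse_hosts_sources(nsswitch), FAKE_DNS)
```

The deliberate collision shows why the order on the hosts: line is a security setting as much as a convenience: with "files dns" the short name sun resolves to the local /etc/hosts entry, with "dns files" the search list turns it into sun.lab.example.com and a name server answers first.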
services Network services, used by getservent.
shadow Shadow passwords of users, used by getspnam; see man 5 shadow.

Table 21.7: Configuration Options for NSS Databases

files   directly access files, for example, /etc/aliases
db      access via a database
nis     NIS, see also Section 21.

21.3.2 Start-up Scripts

Table 21.8: Some Start-up Scripts for Network Programs

/etc/init.d/network This script handles the configuration of the network hardware and software when the system is booted.
/etc/init.d/inetd Starts xinetd. xinetd can be used to make server services available on the system. For example, it can start vsftpd whenever an FTP connection is initiated.
/etc/init.

21.4.1 Requirements

The machine must have a supported network card. Normally, the network card is detected during the installation and a suitable driver is loaded. To see if your card has been integrated correctly with the appropriate driver, enter the command ifstatus eth0. The output should list all information about the network device eth0 or display an error message.

Device Type Specify the type of network device and the device number.

S/390, zSeries: Wireless LAN devices are not supported on IBM S/390 and zSeries platforms.

Kernel Module and Selection of Network Card If your network card is a PCMCIA or USB device, enable the corresponding check boxes then leave the dialog by selecting ‘Next’. Otherwise, use ‘Select from List’ then specify your network card.

Setting the Network Address This lets you specify how the address should be assigned to your network card:

‘Automatic Address Setup (via DHCP)’ If your network includes a DHCP server, you can rely on it to set up your network address automatically. This option should also be used if you are using a DSL line with no static IP assigned by the ISP.

network card on the other (using a 10Base-T twisted pair cable). The cable modem then provides a dedicated Internet connection with a fixed IP address. Depending on the instructions provided by your ISP, when configuring the network card either select ‘Automatic Address Setup (via DHCP)’ or ‘Static Address Setup’.

21.4.3 S/390, zSeries: Configuring Network Devices

The lcs Device To add an lcs (IBM OSA-2 Adapter) interface to the installed system, start the YaST network card module (‘Network Devices’ ➝ ‘Network Card’). Select one of the devices marked ‘IBM OSA-2 Adapter’ and click ‘Configure’.

Figure 21.4: Modem Configuration

Under ‘Details’, set the baud rate and the modem initialization strings. Only change these settings if your modem was not autodetected or if it requires special settings for data transmission to work. This is mainly the case with ISDN terminal adapters. Leave this dialog by selecting ‘OK’. In the next dialog, select the ISP (Internet service provider).

‘Stupid Mode’ This option is enabled by default. It has the effect that input prompts sent by the ISP’s server are ignored to prevent them from interfering with the connection process.

‘Activate Firewall’ Selecting this option enables the SUSE firewall, which protects you from outside attacks for the duration of your Internet connection.

Note: Values in the ‘IP Address’ and ‘Subnet Mask’ fields are only placeholders. They are only needed to initialize the network card and do not represent the DSL link as such.

The configuration of a DSL connection based on PPPoE or PPTP requires that the corresponding network card has already been set up in the correct way.

To begin the DSL configuration (see Figure 21.5 on the preceding page), first select the PPP mode and the ethernet card to which the DSL modem is connected (in most cases, this is eth0). Then use ‘Device Activation’ to specify whether the DSL link should be established during the boot process. The dialog also lets you select your country and allows you to choose from a number of ISPs operating in it.

Figure 21.6: T-DSL Configuration (Germany)

21.4.6 ISDN

Note: S/390, zSeries: ISDN The configuration of this type of hardware is not supported on IBM S/390 and zSeries platforms.

Use this module to configure one or several ISDN cards for your system. If YaST did not autodetect your ISDN card, manually select it.

Figure 21.7: ISDN Configuration

‘Start Mode’ defines how the ISDN interface should be started. ‘OnBoot’ causes the ISDN driver to be initialized each time during the boot process. ‘Manual’ requires you to load the ISDN driver as root with the command rcisdn start. ‘Hotplug’, used for PCMCIA or USB devices, loads the driver after the device is plugged in. When finished with all these settings, select ‘OK’.

Figure 21.8: ISDN Interface Configuration

2. ISDN card connected to a phone exchange Again, the configuration may vary depending on the equipment installed:

(a) Smaller phone exchanges built for home purposes mostly use the Euro-ISDN (EDSS1) protocol for internal calls. These exchanges have an internal S0 bus and use internal numbers for the equipment connected to them.

For the connection to be terminated just before the next charge unit is due, enable ‘ChargeHUP’. However, remember that this may not work with every ISP. You can also enable channel bundling (multilink PPP) by selecting the corresponding check box. Finally, you can enable SuSEfirewall2 for your link by selecting ‘Activate Firewall’. ‘Details...’ opens a dialog in which to implement more complex connection schemes.

PCMCIA-related configuration and start scripts are located in the directory /etc/sysconfig/pcmcia. The scripts are executed as soon as cardmgr, the PCMCIA device manager, detects a newly inserted PCMCIA card, which is why PCMCIA services do not need to be started before the network during boot.

21.4.
21.5 Routing in SUSE LINUX

The routing table is set up in SUSE LINUX via the configuration files /etc/sysconfig/network/routes and /etc/sysconfig/network/ifroute-*. All the static routes required by the various system tasks can be entered in the /etc/sysconfig/network/routes file: routes to a host, routes to a host via a gateway, and routes to a network.

21.6 SLP Services in the Network

Note: SLP Support in SUSE LINUX Enterprise Server Services that offer SLP support include cupsd, rsyncd, ypserv, openldap2, openwbem (CIM), ksysguardd, saned, kdm vnc login, smpppd, rpasswd, postfix, and sshd (via fish.

Static Registration via /etc/slp.reg.d/

Create a separate registration file for each new service. The following is an example of a file for registering a scanner service:

    ## Register a saned service on this system
    ## en means english language
    ## 65535 disables the timeout, so the service registration does
    ## not need refreshes
    service:scanner.

SLP Front-Ends in SUSE LINUX

SUSE LINUX contains several front-ends that enable SLP information to be checked and used by means of a network:

slptool slptool is a simple command line program that can be used to announce SLP inquiries in the network or to announce proprietary services. slptool --help lists all available options and functions. slptool can also be called from scripts that process SLP information.

21.6.2 For More Information

The following sources are available for further information about SLP:

RFC 2608, 2609, 2610 RFC 2608 generally deals with the definition of SLP. RFC 2609 deals with the syntax of the service URLs used in greater detail and RFC 2610 deals with DHCP via SLP.
http://www.openslp.com The home page of the OpenSLP project.

in the documentation as /usr/share/doc/packages/bind/sampleconfig. However, do not set up any official domains until assigned one by the responsible institution. Even if you have your own domain and it is managed by the provider, you are better off not using it, as BIND would otherwise not forward any more requests for this domain.

21.7.2 The Configuration File /etc/named.conf

All the settings for the BIND name server itself are stored in the file /etc/named.conf. However, the zone data for the domains to handle, consisting of the host names, IP addresses, and so on, are stored in separate files in the /var/lib/named directory. The details of this are described further below. /etc/named.conf is roughly divided into two areas.

21.7.3 Important Configuration Options

forwarders { 10.0.0.1; }; Specifies the name servers (mostly of the provider) to which DNS requests should be forwarded if they cannot be resolved directly.

forward first; Causes DNS requests to be forwarded before an attempt is made to resolve them via the root name servers.

cleaning-interval 720; This option defines at which time intervals BIND clears its cache. This triggers an entry in /var/log/messages each time it occurs. The time specification is in minutes. The default is sixty minutes.

interface-interval 0; BIND regularly searches the network interfaces for new or nonexisting interfaces.

Example 21.14: Zone Entry for other-domain.de

    zone "other-domain.de" in {
        type slave;
        file "slave/other-domain.zone";
        masters { 10.0.0.1; };
    };

After zone, specify the name of the domain to administer, my-domain.de, followed by in and a block of relevant options enclosed in curly braces, as shown in Example 21.13 on the preceding page.

21.7.6 Structure of Zone Files

Two types of zone files are needed. One assigns IP addresses to host names and the other does the reverse — supplies a host name for an IP address.

Note: Using the Dot in Zone Files The . has an important meaning in the zone files. If host names are given without a final ., the zone is appended. Complete host names specified with a full domain name must end with a .

Line 2: This is where the SOA (start of authority) control record begins: After IN SOA is the name of the name server in charge as master for this zone. The name is expanded from gateway to gateway.world.cosmos, because it does not end with a . An e-mail address of the person in charge of this name server follows. Because the @ sign already has a special meaning, . is entered here instead. For root@world.

set to no in /etc/named.conf, all the name servers listed here are informed of the changes made to the zone data.

Line 10: The MX record specifies the mail server that accepts, processes, and forwards e-mails for the domain world.cosmos. In this example, this is the host sun.world.cosmos. The number in front of the host name is the preference value.

Lines 3–7: See the previous example for world.cosmos.

Line 9: Again this line specifies the name server responsible for this zone. This time, however, the name is entered in its complete form with the domain and a . at the end.

Lines 11–13: These are the pointer records hinting at the IP addresses on the respective hosts. Only the last part of the IP address is entered at the beginning of the line, without the .
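The dot rule from the note above, the SOA mailbox convention (. standing in for @), the MX preference value and the reverse-zone owner names of the pointer records, all applied by a small zone-file parser. This is an added example, not the manual's listing: the record data, addresses and SOA timers are made up, and only the host names world.cosmos, gateway and sun come from the text.

```python
from typing import List, Tuple

# Added example, not from the manual: the trailing-dot rule for zone files,
# the reverse (in-addr.arpa) owner name, the SOA mailbox convention and a
# small parser applying them to a constructed zone for world.cosmos. The
# record data below are made up; only the names come from the manual's text.

Record = Tuple[str, str, list]  # (owner, type, rdata)


def qualify(name: str, zone: str) -> str:
    """Names ending in '.' are complete; '@' is the zone itself; any other
    name gets the zone appended, which is exactly the manual's dot rule."""
    zone = zone.rstrip(".")
    if name == "@":
        return zone + "."
    if name.endswith("."):
        return name
    return f"{name}.{zone}."


def reverse_owner(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def soa_mailbox(rname: str) -> str:
    """Undo the SOA convention that writes the '@' of the mailbox as '.'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def parse_zone(text: str, zone: str) -> List[Record]:
    """Parse a simple master file. A line starting with whitespace inherits
    the previous owner; the class 'IN' is optional; name-valued rdata is
    qualified with the dot rule."""
    records: List[Record] = []
    owner = qualify("@", zone)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if not raw[0].isspace():
            owner = qualify(tokens.pop(0), zone)
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], zone)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), qualify(rdata[1], zone)]  # preference, host
        elif rtype == "SOA":
            timers = [t for t in rdata[2:] if t not in ("(", ")")]
            rdata = [qualify(rdata[0], zone), qualify(rdata[1], zone)] + timers
        records.append((owner, rtype, rdata))
    return records


def mail_exchangers(records: List[Record], zone: str) -> List[Tuple[int, str]]:
    """MX hosts for the zone apex, lowest (most preferred) value first."""
    apex = qualify("@", zone)
    return sorted((rd[0], rd[1]) for owner, rtype, rd in records
                  if owner == apex and rtype == "MX")


# Constructed forward zone; the timer values are arbitrary.
FORWARD_ZONE = """\
; zone world.cosmos (constructed example)
@        IN SOA   gateway root.world.cosmos. ( 2004062501 3H 1H 1W 1D )
         IN NS    gateway
         IN MX    10 sun
         IN MX    20 gateway.world.cosmos.
gateway  IN A     192.168.0.1
sun      IN A     192.168.0.20
www      IN CNAME sun
"""

# Constructed reverse zone: owners are only the last octet, as the text says.
REVERSE_ZONE = """\
@   IN SOA gateway.world.cosmos. root.world.cosmos. ( 2004062501 3H 1H 1W 1D )
    IN NS  gateway.world.cosmos.
1   IN PTR gateway.world.cosmos.
20  IN PTR sun.world.cosmos.
"""
```

The most common zone-file mistake the dot rule produces is a PTR or NS target written without the final dot, which the parser (like BIND) silently expands to something like gateway.world.cosmos.0.168.192.in-addr.arpa.; checking the qualified names before loading a zone catches it.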
The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files. To use it for transactions, the second file (Khost1-host2.+157+34265.key) must be transferred to the remote host, preferably in a secure way (using scp, for instance). On the remote server, the key must be included in the file /etc/named.conf to enable a secure communication between host1 and host2: key host1-host2.

21.7.8 Dynamic Update of Zone Data

The term dynamic update refers to operations by which entries in the zone files of a master server are added, changed, or deleted. This mechanism is described in RFC 2136. Dynamic update is configured individually for each zone entry by adding an optional allow-update or update-policy rule.

21.7.9 DNSSEC

Wizard Configuration The wizard consists of three steps or dialogs. At the appropriate places in the dialogs, you are given the opportunity to enter the expert configuration mode.

DNS Server Installation: Forwarder Settings When starting the module for the first time, see the dialog shown in Figure 21.9.

Figure 21.10: DNS Server Installation: Finish Wizard

Expert Configuration After starting the module, YaST opens a window displaying several configuration options. Completing it results in a DNS server configuration with the basic functions in place:

DNS Server: Start-up Under ‘Booting’, define whether the DNS server should be ‘On’ or ‘Off’ by default.

DNS Server: Logging This section allows you to set options concerning the contents and the location of the DNS server’s log data. Under ‘Log Type’, specify where the DNS server should write its log data. Use the system-wide log file /var/log/messages by selecting ‘Log to System Log’ or specify a different file by selecting ‘Log to File’.

DNS Server: TSIG Keys The main purpose of TSIGs (transaction signatures) is to secure communications between DHCP and DNS servers. They are described in Section 21.7.7 on page 467. To generate a TSIG key, enter a distinctive name in the field labeled ‘Key ID’ and specify the file where the key should be stored (‘File Name’). Confirm your choices with ‘Add’.

DNS Server: Slave Zone Editor This dialog opens if you select the zone type ‘Slave’ in the step described in Section 21.7.10 on the preceding page. Under ‘Master DNS Server’, specify the master from which the slave shall fetch its data. To limit access to the server, you can select one of the previously defined ACLs from the list. See Figure 21.13. Figure 21.

Figure 21.14: DNS Server: Zone Editor (Basic)

DNS Server: Zone Editor (NS Records) This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under ‘Name Server to Add’ then confirm with ‘Add’.

Figure 21.15: DNS Server: Zone Editor (SOA)

21.7.11 For More Information

For additional information, refer to the BIND Administrator Reference Manual, which is installed under /usr/share/doc/packages/bind/. Consider additionally consulting the RFCs referenced by the manual and the manual pages included with BIND.

21.
A directory in this context is a type of database optimized for quick and effective reading and searching: To make numerous (concurrent) reading accesses possible, write access is limited to a small number of updates by the administrator. Conventional databases are optimized for accepting the largest possible data volume in a short time.

LDAP, meanwhile, has evolved and is increasingly employed as a standalone solution without X.500 support. LDAP supports referrals with LDAPv3 (the protocol version in package openldap2), making it possible to realize distributed databases. The usage of SASL (simple authentication and security layer) is also new. LDAP is not limited to querying data from X.500 servers, as it was originally planned.

Employment as a replacement for the NIS service.
Mail routing (postfix, sendmail).
Address books for mail clients, like Mozilla, Evolution, and Outlook.
Administration of zone descriptions for a BIND9 name server.

This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched better.

Figure 21.16: Structure of an LDAP Directory

The global determination of which types of objects should be stored in the DIT is done following a scheme. The type of an object is determined by the object class. The object class determines what attributes the object in question must or can be assigned.

inetOrgPerson   Geeko Linux   sn and cn

Example 21.17 shows an excerpt from a scheme directive with explanations.

Example 21.17: Excerpt from schema.core (line numbering for explanatory reasons)

inetOrgPerson (person-related data for the intranet or Internet)

    #1 attributetype (2.5.4.

Line 7, starting with MUST, lists all attribute types that must be used in conjunction with an object of the type organizationalUnit. Line 8, starting with MAY, lists all attribute types that are permitted in conjunction with this object class. A very good introduction to the use of schemes can be found in the documentation of OpenLDAP. When installed, find it in /usr/share/doc/packages/openldap2/admin-guide/index.

Example 21.20: slapd.

Table 21.10: User Groups and Their Access Grants

Tag          Scope
*            all users without exception
anonymous    not authenticated (“anonymous”) users
users        authenticated users
self         users connected with the target object
dn.regex=    all users matching the regular expression

<access> specifies the type of access. Use the options listed in Table 21.11.

Table 21.

Note: Establishing Access Rules If there is no access to rule or no matching by directive, access is denied. Only explicitly declared access rights are granted. If no rules are declared at all, the default principle is write access for the administrator and read access for the rest of the world.
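An added evaluator for access rules of the form access to <what> by <who> <access>, written to make the note above testable; it is not code from the manual or from OpenLDAP. The who tags are those of Table 21.10. The access levels and their ordering (none, auth, compare, search, read, write, each implying the lower ones) are OpenLDAP's usual ones and are assumed here because Table 21.11 is not reproduced on this page. The rule set, DNs and rootdn are constructed.

```python
import re
from typing import List, Optional, Tuple

# Added example, not from the manual or from OpenLDAP: a small evaluator for
# "access to <what> by <who> <access>" rules. The who tags are those of
# Table 21.10; the level ordering below is OpenLDAP's usual one and is an
# assumption here, since Table 21.11 is not on the page. All DNs and rules
# are constructed.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ByClause = Tuple[str, str]          # (who, access level)
Rule = Tuple[str, List[ByClause]]   # (what, by clauses in order)


def target_matches(what: str, target_dn: str, attr: Optional[str]) -> bool:
    """'*' matches everything; attrs=a,b matches an access to one of those
    attributes; dn.subtree=<base> matches the base and everything below it."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].lower()
        dn = target_dn.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unsupported target: {what}")


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """The tags of Table 21.10; requester is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):]
        return requester is not None and re.fullmatch(pattern, requester, re.I) is not None
    raise ValueError(f"unsupported who: {who}")


def granted_level(rules: List[Rule], requester: Optional[str], target_dn: str,
                  attr: Optional[str] = None, rootdn: Optional[str] = None) -> str:
    """The first matching 'access to' rule is decisive; within it the first
    matching 'by' clause is decisive. No matching rule, or a matching rule
    without a matching 'by', means denial. With no rules at all, the
    administrator may write and everyone else may read, as the note says."""
    if rootdn is not None and requester is not None and requester.lower() == rootdn.lower():
        return "write"
    if not rules:
        return "read"
    for what, by_clauses in rules:
        if target_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"
    return "none"


def allowed(rules: List[Rule], requester: Optional[str], target_dn: str, wanted: str,
            attr: Optional[str] = None, rootdn: Optional[str] = None) -> bool:
    """A granted level implies every lower one."""
    got = granted_level(rules, requester, target_dn, attr, rootdn)
    return LEVELS.index(got) >= LEVELS.index(wanted)


# Constructed rule set in the usual slapd.conf pattern: password attribute
# first, then a department subtree, then a catch-all.
RULES: List[Rule] = [
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("dn.subtree=ou=devel,dc=suse,dc=de",
     [("dn.regex=cn=.*,ou=devel,dc=suse,dc=de", "write"), ("users", "read")]),
    ("*", [("users", "read")]),
]
ROOTDN = "cn=admin,dc=suse,dc=de"
TUX = "cn=Tux Linux,ou=devel,dc=suse,dc=de"
```

Two consequences of the "first match is decisive" evaluation are worth checking in a real slapd.conf with this kind of table: the userPassword rule has to come before the catch-all or anonymous binds can read password hashes, and an anonymous client reading the devel subtree is denied even though a broader catch-all follows, because the subtree rule already matched.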
The following rootdn determines who owns administrator rights to this server. The user declared here does not need to have an LDAP entry or exist as a regular user. The administrator password is set with rootpw. Instead of using secret here, it is possible to enter the hash of the administrator password created by slappasswd.

of attribute and value. Refer to the schema files declared in slapd.conf for the available object classes and attributes.

Example 21.23: Example for an LDIF File

    # The SUSE Organization
    dn: dc=suse,dc=de
    objectClass: dcObject
    objectClass: organization
    o: SUSE AG
    dc: suse

    # The organizational unit development (devel)
    dn: ou=devel,dc=suse,dc=de
    objectClass: organizationalUnit
    ou: devel

-x switches off the authentication with SASL in this case. -D declares the user that calls the operation. The valid DN of the administrator is entered here just like it has been configured in slapd.conf. In the current example, this is cn=admin,dc=suse,dc=de. -W circumvents entering the password on the command line (in clear text) and activates a separate password prompt.

Example 21.26: Modified LDIF File tux.ldif

    # coworker Tux
    dn: cn=Tux Linux,ou=devel,dc=suse,dc=de
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: +49 1234 567-10

Import the modified file into the LDAP directory with the following command:

    ldapmodify -x -D cn=admin,dc=suse,dc=de -W -f tux.ldif

Alternatively, pass the attributes to change directly to ldapmodify.
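What ldapadd and ldapmodify do with the two LDIF files above, traced in an added example that is not code from the manual or from OpenLDAP: an LDIF reader, an in-memory directory that applies add records and modify records (replace, add and delete operations separated by -), and the search-base scoping that the -b option of ldapsearch selects. The entries of Examples 21.23 and 21.26 are reused; the Tux entry and its first telephone number are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not from the manual or from OpenLDAP: a small LDIF reader and
# an in-memory directory applying add and modify records, plus the search-base
# scoping of ldapsearch -b. The LDIF texts reuse the entries of Examples 21.23
# and 21.26; the Tux entry itself is constructed for this example.

Entry = Dict[str, List[str]]

ADD_LDIF = """\
dn: dc=suse,dc=de
objectClass: dcObject
objectClass: organization
o: SUSE AG
dc: suse

dn: ou=devel,dc=suse,dc=de
objectClass: organizationalUnit
ou: devel

# coworker Tux (constructed entry)
dn: cn=Tux Linux,ou=devel,dc=suse,dc=de
objectClass: inetOrgPerson
cn: Tux Linux
sn: Linux
telephoneNumber: +49 1234 567-8
"""

MODIFY_LDIF = """\
dn: cn=Tux Linux,ou=devel,dc=suse,dc=de
changetype: modify
replace: telephoneNumber
telephoneNumber: +49 1234 567-10
"""


def parse_ldif(text: str) -> List[List[Tuple[str, str]]]:
    """Records of (attribute, value) pairs in file order. Comments are dropped,
    blank lines separate records, and a lone '-' becomes the pair ('-', '')."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = []
            continue
        key, _, value = raw.partition(":")
        current.append((key.strip(), value.strip()))
    return records


def apply_modify(entry: Entry, ops: List[Tuple[str, str]]) -> None:
    """ops holds 'replace|add|delete: attr' headers, each followed by values and an optional '-'."""
    i = 0
    while i < len(ops):
        op, attr = ops[i]
        i += 1
        values = []
        while i < len(ops) and ops[i][0] == attr:
            values.append(ops[i][1])
            i += 1
        if op == "replace" and values:
            entry[attr] = values
        elif op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op in ("replace", "delete"):
            # replace without values, or delete: drop the listed values or the whole attribute
            remaining = [v for v in entry.get(attr, []) if values and v not in values]
            entry.pop(attr, None)
            if remaining:
                entry[attr] = remaining
        else:
            raise ValueError(f"unknown modify operation: {op}")
        if i < len(ops) and ops[i][0] == "-":
            i += 1


def apply_ldif(directory: Dict[str, Entry], text: str) -> Dict[str, Entry]:
    """Apply every record; a record without changetype is an add."""
    for record in parse_ldif(text):
        dn, rest = record[0][1], record[1:]
        changetype = "add"
        if rest and rest[0][0] == "changetype":
            changetype, rest = rest[0][1], rest[1:]
        if changetype == "add":
            entry: Entry = {}
            for key, value in rest:
                entry.setdefault(key, []).append(value)
            directory[dn] = entry
        elif changetype == "modify":
            apply_modify(directory[dn], rest)  # KeyError if the entry is missing
        else:
            raise ValueError(f"unsupported changetype: {changetype}")
    return directory


def search_base(directory: Dict[str, Entry], base: str) -> List[str]:
    """DNs at or below base: the scope that ldapsearch -b selects."""
    base = base.lower()
    return [dn for dn in directory if dn.lower() == base or dn.lower().endswith("," + base)]
```

The reader splits each line at the first colon only, so values that themselves contain colons (a URL, a time) survive; and because replace with no values removes the attribute, a modify file that lists the attribute name but forgets the value line deletes data rather than leaving it alone, which is worth remembering when generating LDIF from scripts.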
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 490 — #516 i i i The option -b determines the search base — the section of the tree within which the search should be performed. In the current case, this is dc=suse,dc=de. To perform a more finely-grained search in specific subsections of the LDAP directory (for instance, only within the devel department), pass this section to ldapsearch with -b. -x requests activation of simple authentication.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 491 — #517 i i 21 Linux in the Network Figure 21.17: YaST OpenLDAP Server Configuration: Log Level In ‘Allow Settings’, define which connection types should be allowed by the LDAP server. See Figure 21.18 on the next page. The individual ‘Allow Flags’ have the following meaning: bind_v2 This option enables connection requests (bind requests) from clients using the previous version of the protocol (LDAPv2).
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 492 — #518 i i i Figure 21.18: YaST OpenLDAP Server Configuration: Allow First decide whether the data traffic between server and client should be TLS and SSL encrypted. Then use ‘Select Certificate...’ to choose a certificate. In the dialog that opens, shown in Figure 21.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 493 — #519 i i 21 Linux in the Network Figure 21.19: YaST OpenLDAP Server Configuration: TLS YaST now shows a dialog in which to provide the necessary entries (see Figure 21.23 on page 496). In ‘Base DN’, enter the base DN of your LDAP server. In ‘Root DN’, enter the DN of the administrator in charge of the server.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 494 — #520 i i i Figure 21.21: YaST OpenLDAP Server Configuration: Importing a Certificate To edit a previously created database, select its base DN in the tree to the left. In right part of the window, YaST displays a dialog similar to the one used for the creation of a new database — with the main difference that the base ID should not be changed so is grayed out (see Figure 21.24 on page 497).
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 495 — #521 i i 21 Linux in the Network Figure 21.22: YaST OpenLDAP Server Configuration: Available Databases Example 21.27: pam_unix2.conf Adapted to LDAP auth: account: password: session: use_ldap nullok use_ldap use_ldap nullok none When manually configuring additional services to use LDAP, include the PAM LDAP module in the PAM configuration file corresponding to the service in /etc/pam.d/.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 496 — #522 i i i Figure 21.23: YaST OpenLDAP Server Configuration: New Database Example 21.28: Adaptations in nsswitch.conf passwd: compat group: compat passwd_compat: ldap group_compat: ldap These lines order the resolver library of glibc first to evaluate the corresponding files in /etc/ and additionally access the LDAP server as sources for authentication and user data.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 497 — #523 i i 21 Linux in the Network Figure 21.24: YaST OpenLDAP Server Configuration: Editing a Database Configuration of the LDAP Client After nss_ldap, pam_ldap, /etc/passwd, and /etc/group have been modified by YaST in the required way, the actual configuration work can begin on the first YaST dialog. See Figure 21.25 on the following page. Activate the use of LDAP for user authentication in the first dialog.
Figure 21.25: YaST: Configuration of the LDAP Client

Group Member Attribute
With this, specify the type of LDAP group to use, ‘member’ (default setting) or ‘uniquemember’.

Enter the required access data for modifying configurations on the LDAP server here. These are ‘Configuration Base DN’, below which all configuration objects are stored, and ‘Administrator DN’.
Figure 21.26: YaST: Advanced Configuration

Note: Using the YaST Client
Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. It is furthermore possible to define templates with default values for the individual attributes to simplify the actual registration of the data.
Figure 21.27: YaST: Module Configuration

To copy a module, it is only necessary to change cn. To modify individual attribute values, select them from the content list, then click ‘Edit’. A dialog opens in which to change all settings belonging to the attribute. Accept the changes with ‘OK’.
The YaST modules for group and user administration embed templates with sensible standard values, if these were previously defined with the YaST LDAP client. To edit a template as desired, click ‘Configure Template’. The drop-down menu contains already existing, modifiable templates or an empty entry.
The second view (‘Default Values for New Objects’) lists all attributes of the corresponding LDAP object (in this case, group or user configuration) for which a standard value is defined. Additional attributes and their standard values can be added, existing attribute and value pairs can be edited, and entire attributes can be deleted. Copy a template by changing the cn entry.
Figure 21.31: YaST: Additional LDAP Settings

21.8.7 For More Information

More complex subjects, like SASL configuration or establishment of a replicating LDAP server that distributes the workload among multiple slaves, were intentionally not included in this chapter. Detailed information about both subjects can be found in the OpenLDAP 2.2 Administrator’s Guide (see below for references).
OpenLDAP 2.2 Administrator’s Guide
A detailed introduction to all important aspects of LDAP configuration, including access controls and encryption. http://www.openldap.org/doc/admin22/ or on an installed system in /usr/share/doc/packages/openldap2/adminguide/index.
21.9

As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to the user: whatever machine a user uses, he always finds himself in exactly the same environment. This is made possible by means of NIS and NFS services.
Figure 21.32: YaST: NIS Server Configuration Tool

To allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd), activate the corresponding option. This makes ‘Allow Changes to GECOS Field’ and ‘Allow Changes to Login Shell’ available.
Figure 21.33: YaST: Changing the Directory and Synchronizing Files for a NIS Server

‘Next’ continues to the last dialog, shown in Figure 21.34 on the next page. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. In this case, there should be the following two entries (netmask followed by network):

    255.0.0.0    127.0.0.0
    0.0.0.0      0.0.0.
Figure 21.34: YaST: Setting Request Permissions for a NIS Server

21.9.2 The NIS Client Module of YaST

This module facilitates the configuration of the NIS client. After choosing to use NIS and, depending on the circumstances, the automounter, this dialog opens. Select whether the host has a fixed IP address or receives one issued by DHCP. DHCP also provides the NIS domain and the NIS server.
In the expert settings, check ‘Answer to the Local Host Only’ if you do not want other hosts to be able to query which server your client is using. By checking ‘Broken Server’, the client is enabled to receive replies from a server communicating through an unprivileged port. For further information, see man ypbind.
21.10 NFS — Shared File Systems

As mentioned in Section 21.9 on page 505, NFS (together with NIS) makes a network transparent to the user. With NFS, it is possible to distribute file systems over the network. It does not matter at which terminal a user is logged in. He will always find himself in the same environment. As with NIS, NFS is an asymmetric service. There are NFS servers and NFS clients.
    mount host:remote-path local-path
    mount sun:/home /home

21.10.3 Exporting File Systems with YaST

With YaST, turn a host in your network into an NFS server, that is, a server that exports directories and files to all hosts granted access to it. This could be done to provide applications to all coworkers of a group without installing them locally on each and every host.
Figure 21.38: Configuring an NFS Server with YaST

21.10.4 Exporting File Systems Manually

If you do not want to use YaST, make sure the following systems run on the NFS server:

- RPC portmapper (portmap)
- RPC mount daemon (rpc.mountd)
- RPC NFS daemon (rpc.nfsd)

For these services to be started by the scripts /etc/init.d/portmap and /etc/init.d/nfsserver when the system is booted, enter the commands insserv /etc/init.
Set permissions for the file system to export in brackets after the machine name. The most important options are:

Table 21.12: Permissions for Exported File System

    option        meaning
    ro            File system is exported with read-only permission (default).
    rw            File system is exported with read-write permission.
    root_squash   This makes sure the user root of the given machine does not have root permissions on this file system.
Your exports file might look like Example 21.29.

Example 21.29: /etc/exports

    #
    # /etc/exports
    #
    /home           sun(rw)   venus(rw)
    /usr/X11        sun(ro)   venus(ro)
    /usr/lib/texmf  sun(ro)   venus(rw)
    /               earth(ro,root_squash)
    /home/ftp       (ro)
    # End of exports

/etc/exports is read by mountd and nfsd. If you change anything in this file, restart mountd and nfsd for your changes to take effect.
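As an added example (not part of the SUSE guide), the following Python script parses an exports file laid out like Example 21.29 and lists the entries an administrator should review before restarting mountd and nfsd: exports with no host restriction, writable exports, exports of the whole root file system, and the no_root_squash option (a real exportfs option not listed in Table 21.12). The sample exports text is constructed from the example above.

```python
"""Audit /etc/exports for entries worth a second look before restarting mountd and nfsd.

Added example, not code from the SUSE guide: it parses the exports syntax the
guide describes (a path followed by client entries of the form host(options))
and reports world exports, writable exports, exports of the root file system
and the no_root_squash option (a real exportfs option not listed in Table 21.12).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample laid out like Example 21.29 above.
SAMPLE_EXPORTS = """\
#
# /etc/exports
#
/home           sun(rw)   venus(rw)
/usr/X11        sun(ro)   venus(ro)
/usr/lib/texmf  sun(ro)   venus(rw)
/               earth(ro,root_squash)
/home/ftp       (ro)
# End of exports
"""

# Host part (may be empty), optionally followed by (opt1,opt2,...).
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair; an empty host part means every host."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if m is None:
                continue                         # malformed client entry: skipped, not guessed
            host = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            records.append({"path": path, "host": host, "options": options})
    return records


def audit_exports(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (path, host, reason) triples for entries that deserve review."""
    findings = []
    for r in records:
        opts = set(r["options"])
        if r["host"] == "*":
            findings.append((r["path"], r["host"], "exported to every host (no host restriction)"))
        if "rw" in opts:
            findings.append((r["path"], r["host"], "writable export"))
        if "no_root_squash" in opts:
            findings.append((r["path"], r["host"], "remote root keeps root privileges"))
        if r["path"] == "/":
            findings.append((r["path"], r["host"], "entire root file system exported"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path:<16} {host:<8} {reason}")
```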
One way to use DHCP is to identify each client using the hardware address of its network card (which is fixed in most cases), then supply that client with identical settings each time it connects to the server. DHCP can also be configured so the server assigns addresses to each interested host dynamically from an address pool set up for that purpose.
21.11.3 The DHCP Server dhcpd

The core of any DHCP system is the dynamic host configuration protocol daemon. This server leases addresses and watches how they are used, according to the settings defined in the configuration file /etc/dhcpd.conf. By changing the parameters and values in this file, a system administrator can influence the program’s behavior in numerous ways. Look at the basic sample /etc/dhcpd.
The line option broadcast-address defines the broadcast address to be used by the requesting host. With option routers, tell the server where to send data packets that cannot be delivered to a host on the local network (according to the source and target host address and the subnet mask provided). In most cases, especially in smaller networks, this router is identical to the Internet gateway.
21.11.4 Hosts with Fixed IP Addresses

As mentioned above, DHCP can also be used to assign a predefined, static address to a specific host for each request. As might be expected, addresses assigned explicitly always take priority over addresses from the pool of dynamic addresses.
21.11.5 The SUSE LINUX Version

To improve security, the SUSE version of the ISC’s DHCP server comes with the non-root/chroot patch by Ari Edelkind applied. Control the server’s behavior with regard to this feature through the configuration file /etc/sysconfig/dhcpd. To continue running dhcpd without the chroot environment, set the variable DHCPD_RUN_CHROOTED in /etc/sysconfig/dhcpd to “no”.
21.11.6 DHCP Configuration with YaST

The DHCP module of YaST allows you to set up your own DHCP server for the local network.

Note: LDAP Support
In this version of the SUSE LINUX Enterprise Server, the DHCP server as configured with YaST can be set up to store the server configuration locally (on the host that runs the DHCP server), or alternatively to have its configuration data managed by an LDAP server.
Selecting the Network Interface

In the first step, YaST looks for the network interfaces available on your system, then displays them in a list. From the list, select the interface on which the DHCP server should listen. See Figure 21.39.
Finishing the Configuration and Setting the Start Mode

After the third part of the configuration assistant, a last dialog is shown in which to define how the DHCP server should be started. Selecting ‘On’ causes DHCP to be started automatically as part of the boot procedure. If you select ‘Off’, the server must be started manually. To finish the server configuration, select ‘Ok’.
Expert Configuration

Chroot Environment and Declarations

In this first dialog, make the existing configuration editable by selecting ‘Start DHCP Server’. An important feature of the behavior of the DHCP server is its ability to run in a chroot environment, or chroot jail, to secure the server host.
Selecting the Declaration Type

The ‘Global Options’ of the DHCP server are made up of a number of declarations. This dialog lets you set the declaration types ‘Subnet’, ‘Host’, ‘Shared Network’, ‘Group’, ‘Pool of Addresses’, and ‘Class’. This example shows the selection of a new subnetwork (see Figure 21.42).
Figure 21.43: DHCP Server: Configuring Subnets

server. With ‘Update Global Dynamic DNS Settings’, enable the automatic update and adjustment of the global DHCP server settings according to the dynamic DNS environment. Lastly, define which forward and reverse zones should be updated per dynamic DNS, specifying the name of the primary name server for each of the two zones.
After completing all of the configuration steps, close the dialog with ‘Ok’. The server is now started with its new configuration.

21.11.7 For More Information

For more information, the page of the Internet Software Consortium on the subject (http://www.isc.org/products/DHCP/) is a good source about the details of DHCP, including version 3 of the protocol, currently in beta testing.
If the time server in your network can be reached via broadcast, you do not need the server name. In this case, enter the command broadcastclient in the configuration file /etc/ntp.conf. To prevent an incorrect time server in the network from changing the computer time, set up the authentication mechanisms. Normally, every xntpd in the network can also be addressed as a time server.
    server 127.127.8.0 mode 5 prefer

Other clocks follow the same pattern. Following the installation of the xntp-doc package, the documentation for xntp is available in the directory /usr/share/doc/packages/xntp-doc/html.
22

With a share of more than sixty percent, Apache is the world’s most widely-used web server (source: http://www.netcraft.com). For web applications, Apache is often combined with Linux, the database MySQL, and the programming languages PHP and Perl. This combination is commonly referred to as LAMP.
22.1 Basics

22.1.1 Web Server

A web server issues HTML pages requested by a client. These pages can be stored in a directory (passive or static pages) or generated in response to a query (active contents).

22.1.2 HTTP

The clients are usually web browsers, like Konqueror or Mozilla. Communication between the browser and the web server takes place by way of the hypertext transfer protocol (HTTP).
The file path is relative to the DocumentRoot, which can be changed in the configuration file. Section 22.7.2 on page 537 describes how this is done.

22.1.4 Automatic Display of a Default Page

If no default page is specified, Apache automatically appends one of the common names to the URL. The most frequently-used name for such pages is index.html.
22.3 Apache Modules

By means of modules, Apache can be expanded with a wide range of functions. For example, Apache can execute CGI scripts in diverse programming languages by means of modules. Apart from Perl and PHP, additional scripting languages, such as Python or Ruby, are also available.
Flexible Error Handling
React flexibly and provide a suitable response in the event of an error, such as nonexistent pages. The response can even be generated actively, for example, with CGI.

22.4 New Features of Apache 2

The following is a list of the main new features of Apache 2. For detailed information about version 2.0 of the Apache HTTP server, refer to http://httpd.apache.org/docs-2.0/en/.
22.5 Threads

A thread is a “lighter” form of a process. The advantage of a thread over a process is its lower resource consumption. For this reason, the use of threads instead of processes increases the performance. The disadvantage is that applications executed in a thread environment must be thread-safe.
22.6.3 Modules for Active Contents

To use active contents with the help of modules, install the modules for the respective programming languages. These are apache2-mod_perl for Perl, mod_php4 for PHP, and mod_python for Python. The use of these modules is described in Section 22.9.5 on page 544.

22.6.4 Other Recommended Packages

Additionally, you should install the extensive documentation provided in apache2-doc.
The option -a should not be used with Apache 2, as this would cause the changes to be written directly to /etc/apache2/httpd.conf. Rather, modules should be activated by means of the entry APACHE_MODULES in /etc/sysconfig/apache2 as described in Section 22.7.1.

22.7 Configuration

Following the installation of Apache, additional changes are only necessary if you have special needs or preferences.
it is only activated if the respective flag is set in ACTIVE_SERVER_FLAGS:

    ACTIVE_SERVER_FLAGS = ... someflag ...

In this way, extensive sections of the configuration file can easily be activated or deactivated for test purposes.

22.7.2 Manual Configuration

You can edit the configuration file /etc/apache2/httpd.
Port
Specifies the port on which Apache listens for queries. Usually, this is port 80, the default port for HTTP. Normally, this setting should not be changed. One reason for letting Apache listen on another port may be the test of a new version of a web site. In this way, the operational version of the web site continues to be accessible via default port 80.
Order
For example:

    Order allow,deny

Accordingly, the access permissions for allowed accesses are applied first, followed by the access permissions for denied accesses.
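The following Python model of the Order directive is an added example, not code from the guide or from the Apache project; it reproduces how Apache's mod_access combines the Allow from and Deny from lists for both Order values, so the effective policy of a Directory block can be checked before it is deployed. It handles 'all', full and partial IP addresses and networks in CIDR or netmask form; host-name patterns are not modelled because they would need a reverse DNS lookup.

```python
"""Model of Apache's Order / Allow from / Deny from evaluation (mod_access, Apache 1.3 and 2.0).

Added example, not code from the SUSE guide or from the Apache project. It shows
how the two Order values combine the Allow and Deny lists and, in particular,
what happens to a client that matches neither list.
"""
import ipaddress
from typing import List


def pattern_matches(client_ip: str, pattern: str) -> bool:
    """True if a single 'Allow from' / 'Deny from' pattern covers client_ip."""
    if pattern == "all":
        return True
    if "/" in pattern:                                   # 10.1.0.0/16 or 10.1.0.0/255.255.0.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():               # 10.1.2.3 (full) or 10.1 (partial)
        return client_ip == pattern or client_ip.startswith(pattern.rstrip(".") + ".")
    return False                                         # host-name patterns: not modelled


def access_allowed(order: str, allow: List[str], deny: List[str], client_ip: str) -> bool:
    """Apply the Order semantics to one client address."""
    allowed = any(pattern_matches(client_ip, p) for p in allow)
    denied = any(pattern_matches(client_ip, p) for p in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Allow list first: it must match; any Deny match then rejects.
        # A client matching neither list is denied by default.
        return allowed and not denied
    if order == "deny,allow":
        # Deny list first: a Deny match is overridden by a later Allow match.
        # A client matching neither list is permitted by default.
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order!r}")


if __name__ == "__main__":
    # Constructed directory block: admit the office LAN except one workstation.
    ALLOW, DENY = ["192.168.1"], ["192.168.1.50"]
    for ip in ("192.168.1.10", "192.168.1.50", "10.0.0.1"):
        print(ip, "allow,deny ->", access_allowed("allow,deny", ALLOW, DENY, ip),
              "| deny,allow ->", access_allowed("deny,allow", ALLOW, DENY, ip))
```

Note that with the same Allow and Deny lines, the excluded workstation is rejected under Order allow,deny but admitted under Order deny,allow, and an address matching neither line is rejected under the former and admitted under the latter.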
Alias
Using an alias, specify a shortcut for a directory that enables direct access to this directory. For example, the alias /manual/ enables access to the directory /srv/www/htdocs/manual even if the DocumentRoot is set to a directory other than /srv/www/htdocs (the alias makes no difference at all if the DocumentRoot is set to that directory).
    UserDir public_html

22.8 Using Apache

To display static web pages with Apache, simply place your files in the correct directory. In SUSE LINUX, the correct directory is /srv/www/htdocs. A few small example pages may already be installed there. Use these pages to check if Apache was installed correctly and is currently active.
Apache offers three ways of generating active contents:

Server Side Includes (SSI)
These are directives that are embedded in an HTML page by means of special comments. Apache interprets the content of the comments and delivers the result as part of the HTML page.

Common Gateway Interface (CGI)
These are programs that are located in certain directories.
22.9.1 Server Side Includes: SSI

SSIs can be activated in several ways. The easiest approach is to search all executable files for SSIs. Another approach is to specify certain file types to search for SSIs. Both settings are explained in Section 22.7.2 on page 540.

22.9.2 Common Gateway Interface: CGI

CGI is the abbreviation for common gateway interface.
22.9.4 Languages for CGI

Theoretically, CGI programs can be written in any programming language. Usually, scripting languages (interpreted languages), such as Perl or PHP, are used for this purpose. If speed is critical, C or C++ may be more suitable. In the simplest case, Apache looks for these programs in a specific directory (cgi-bin). This directory can be set in the configuration file, described in Section 22.
Setting up mod_perl

mod_perl versus CGI
In the simplest case, run a previous CGI script as a mod_perl script by requesting it with a different URL. The configuration file contains aliases that point to the same directory and execute any scripts it contains either via CGI or via mod_perl. All these entries already exist in the configuration file.
    #
    # set Apache::PerlRun Mode for /cgi-perl Alias
    #
        SetHandler perl-script
        PerlHandler Apache::PerlRun
        Options ExecCGI
        PerlSendHeader On

These entries create aliases for the Apache::Registry and Apache::PerlRun modes. The difference between these two modes is as follows:

Apache::Registry
All scripts are compiled and kept in a cache.
22.9.7 mod_php4

The home page for PHP is http://www.php.net/. For PHP to work, install mod_php4-core and, in addition, apache2-mod_php4 for Apache 2.

22.9.8 mod_python

Python is an object-oriented programming language with a very clear and legible syntax. An unusual but convenient feature is that the program structure depends on the indentation.
22.10 Virtual Hosts

Using virtual hosts, host several domains with a single web server. In this way, save the costs and administration workload for separate servers for each domain. One of the first web servers that offered this feature, Apache offers several possibilities for virtual hosts:

- Name-based virtual hosts
- IP-based virtual hosts
- Operation of multiple instances of Apache on one machine
Just as in NameVirtualHost, a * is used in the VirtualHost directives. Apache uses the host field in the HTTP header to connect the request with the virtual host. The request is forwarded to the virtual host whose ServerName matches the host name specified in this field. For the directives ErrorLog and CustomLog, the log files do not need to contain the domain name. Here, use a name of your choice.
All these IPs will be assigned to the same physical network device (eth0).

Virtual Hosts with IPs

Once IP aliasing has been set up on the system or the host has been configured with several network cards, Apache can be configured. Specify a separate VirtualHost block for every virtual server:

    ServerName www.myothercompany.com
    DocumentRoot /srv/www/htdocs/myothercompany.
22.11 Security

If you do not need a web server on a machine, deactivate Apache in the runlevel editor, uninstall it, or refrain from installing it in the first place. To minimize the risk, deactivate all unneeded servers. This especially applies to hosts used as firewalls. If possible, do not run any servers on these hosts.
22.12 Troubleshooting

If problems appear, for example, Apache does not display a page or does not display it correctly, the following procedures can help find the problems. First, take a look at the error log and check if the messages it contains reveal the error. The general error log is located in /var/log/httpd/error_log or /var/log/apache2/error_log.
- http://perl.apache.org/
- http://www.modperlcookbook.org/
- http://www.fastcgi.com/
- http://www.boutell.com/cgic/

22.13.3 Security

The latest patches for the SUSE packages are made available at http://www.suse.com/us/security/. Visit this URL at regular intervals. Here, you can also sign up for the SUSE mailing list for security announcements.
23 File Synchronization

Today, many people use several computers: one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files and subsequently have the latest version of the data available on all computers.
23.1 Available Data Synchronization Software

Data synchronization is no problem for computers that are permanently linked by means of a fast network. In this case, use a network file system like NFS and store the files on a server, enabling all hosts to access the same data via the network. This approach is impossible if the network connection is poor or not permanent.
23.1.2 CVS

CVS maintains a central repository on the server in which the files and changes to files are saved. Changes that are performed locally are committed to the repository and can be retrieved from other computers by means of an update. Both procedures must be initiated by the user. CVS is very resilient to errors when changes occur on several computers.
23.1.5 rsync

When no version control is needed but large directory structures need to be synchronized over slow network connections, the tool rsync offers well-developed mechanisms for transmitting only changes within files. This not only concerns text files, but also binary files. To detect the differences between files, rsync subdivides the files into blocks and computes checksums over them.
23.2.4 Conflicts: Incidence and Solution

Unison reports conflicts, allowing the affected files to be excluded from the synchronization. However, changes cannot be merged as easily as in subversion or CVS. There is no conflict handling in rsync. The user is responsible for not accidentally overwriting files and manually resolving all possible conflicts.
23.2.7 Data Volume and Hard Disk Requirements

A sufficient amount of free space for all distributed data is required on the hard disks of all involved hosts. subversion or CVS require additional space for the repository database on the server. The file history is also stored on the server, requiring even more space. When files in text format are changed, only the modified lines need to be saved.
23.2.11 Protection against Data Loss

CVS has been used by developers for a long time to manage program projects and is extremely stable. As the development history is saved, CVS even provides protection against certain user errors, such as the unintentional deletion of a file.
23.3 Introduction to Unison

Unison is an excellent solution for synchronizing and transferring entire directory trees. The synchronization is performed in both directions and can be controlled by means of an intuitive graphical front-end. A console version can also be used. The synchronization can be automated so interaction with the user is not required, but experience is necessary.
Neither of the two specified paths exists. The arrow keys can be used to set the transfer direction for the individual entries. If the transfer directions are correct for all displayed entries, simply click ‘Go’.

If everything works, omit the option -testserver.
23.4.1 Configuring a CVS Server

The server is the host on which all valid files are located, including the latest versions of all files. Any stationary workstation can be used as a server. If possible, the data of the CVS repository should be included in regular backups. When configuring a CVS server, it might be a good idea to grant users access to the server via SSH.
    U  The local version was updated.
    M  The local version was modified. If there were changes on the server, it was possible to merge the differences in the local copy.
    P  The local version was patched with the version on the server.
    C  The local file conflicts with the current version in the repository.
    ?  This file does not exist in CVS.

as in cvs commit file1 directory1.
23.5 Introduction to Subversion

Subversion is a free open source version control system and is widely regarded as the successor to CVS, meaning that features already introduced for CVS are normally also in subversion. It is especially recommended when the advantages of CVS are sought without having to put up with its disadvantages. Many of these features have already been briefly introduced in Section 23.1.
23.5.2 Usage and Operation

Use the command svn (similar to cvs) to access a subversion repository.

    svn list http://svn.example.com/path/to/project

or

    svn list svn://svn.example.com/path/to/project
Save the changes to the server with svn commit. Another user can incorporate your changes in his working directory by synchronizing with the server using svn update. Unlike CVS, the status of a working directory in subversion can be displayed without accessing the repository with svn status. Local changes are displayed in five columns, with the first one being the most important one:

    ’’ (blank) No changes.
23.5.3 For More Information

The first point of reference is the home page of the subversion project at http://subversion.tigris.org/.

23.6 Introduction to rsync

rsync is useful when large amounts of data need to be transmitted regularly while not changing too much. This is, for example, often the case when creating backups.
Up to this point, the handling does not differ much from that of a regular copying tool, like scp. rsync should be operated in “rsync” mode to make all its features fully available. This is done by starting the rsyncd daemon on one of the systems. Configure it in the file /etc/rsyncd.conf.
To ensure that no newer files are deleted, the option --update can be used instead. Any conflicts that arise must be resolved manually.
23.6.2 For More Information
Important information about rsync is provided in the man pages man rsync and man rsyncd.conf. A technical reference about the operating principles of rsync is featured in /usr/share/doc/packages/rsync/tech_report.ps.
Mail/ is a subdirectory of the user’s home directory that contains e-mail folders, including the folder saved-messages. If mailsync is started with mailsync -m saved-messages, it lists an index of all messages in saved-messages. If the following definition is made
store localdir {
    pat Mail/*
    prefix Mail/
}
the command mailsync -m localdir lists all messages stored under Mail/.
The command mailsync folder does the following:
1. Expands the mailbox pattern on both sides.
2. Removes the prefix from the resulting folder names.
3. Synchronizes the folders in pairs (or creates them if they do not exist).
Accordingly, the folder INBOX.sent-mail on the IMAP server is synchronized with the local folder Mail/sent-mail (provided the definitions explained above exist).
Only messages with a message ID are included in the synchronization. Messages lacking a message ID are simply ignored, which means they are not transmitted or deleted. A missing message ID is usually caused by faulty programs when sending or writing a message. On certain IMAP servers, the main folder is addressed with INBOX and subfolders are addressed with a randomly selected name (in contrast to INBOX and INBOX.
24 Heterogeneous Networks
In addition to connecting to other Linux systems, Linux is also able to connect to Windows and Macintosh computers and communicate over Novell networks. This chapter shows the requirements for and configuration of heterogeneous networks.
24.1 Samba . . . . . . . . . . . . . . . . . . . . . . . . . . 576
24.2 Netatalk . . . . . . . . . . . . . . . . . . . . . . . . .
24.1 Samba
24.1.1 Introduction to Samba
With the program Samba, convert a UNIX machine into a file and print server for DOS, Windows, and OS/2 machines. The Samba Project is run by the Samba Team and was originally developed by the Australian Andrew Tridgell. Samba has now become a fully-fledged and rather complex product. This section presents an overview of its basic functionality.
NetBIOS
Note: S/390, zSeries: NetBIOS Support
IBM S/390 and zSeries merely support SMB over TCP/IP. NetBIOS support is not available on these systems.
Samba uses the SMB protocol (server message block), which is based on the NetBIOS services.
SMB servers provide disk space to their clients by means of shares. A share includes a directory and its subdirectories on the server. It is exported by means of a name and can be accessed by its name. The share name can be set to any name; it does not have to be the name of the exported directory. A printer is also assigned a name. Clients can access the printer by its name.
24.1.
When changing this setting, consider carefully how this could affect an existing Windows network environment. A misconfigured Samba server can cause serious problems when trying to become LMB for its workgroup. Contact your administrator and subject your configuration to some heavy testing either in an isolated network or at a noncritical time of day.
path = /media/cdrom
path exports the directory /media/cdrom. Because of a very restrictive default configuration, this kind of share is only made available to the users present on this system. If this share should be made available to everybody, add the line guest ok = yes to the configuration. This setting gives read permission to anyone on the network. It is recommended to handle this parameter with great care.
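As an added example (not the guide's own configuration), the same CD-ROM directory exported in the restrictive form and in the guest-readable form described above; the share names and the group users are assumed:

```ini
# Restrictive form: only the listed local accounts may connect, and the
# directory is exported read-only.
[cdrom]
   comment = CD-ROM drive
   path = /media/cdrom
   read only = yes
   guest ok = no
   valid users = @users

# Open form: "guest ok = yes" lets anyone on the network read the share
# without a password. Keep "read only = yes" so guests can never write.
[cdrom-public]
   comment = CD-ROM drive (anonymous read access)
   path = /media/cdrom
   read only = yes
   guest ok = yes
```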
Security Levels
The SMB protocol comes from the DOS and Windows world and directly takes into consideration the problem of security. Each share access can be protected with a password.
Note
For simple administration tasks with the Samba server, there is also the program swat. It provides a simple web interface with which to configure the Samba server conveniently. In a web browser, open http://localhost:901 and log in as user root. However, swat must also be activated in the files /etc/xinetd.d/samba and /etc/services. To do so in /etc/xinetd.d/samba, edit the disable line so it reads disable = no.
Example 24.4: Setting up a Machine Account
With the useradd command, a dollar sign is added. The command smbpasswd inserts this automatically when the parameter -m is used. The commented configuration example (/usr/share/doc/packages/Samba/examples/smb.conf.SuSE) contains settings that automate this task.
Example 24.
24.1.4 Installation and Configuration with YaST
Figure 24.1: Samba Configuration – Start Up
In ‘Start Up’ (Figure 24.1), select whether to start Samba. If you activate Samba, the service is started every time the system boots. In ‘Shares’ (Figure 24.2 on the next page), determine the Samba shares to activate. Use ‘Toggle Status’ to switch between ‘Active’ and ‘Inactive’. Click ‘Add’ to add new shares.
Figure 24.2: Samba Configuration – Shares
24.1.5 Installing Clients
Clients can only access the Samba server via TCP/IP. NetBEUI and NetBIOS via IPX cannot be used with Samba.
Windows 9x and ME
Windows 9x and ME already have built-in support for TCP/IP. However, this is not installed as the default.
Figure 24.3: Samba Configuration – Identity
24.1.6 Optimization
socket options is one possible optimization provided with the sample configuration that ships with your Samba version. Its default configuration refers to a local ethernet network. For additional information about socket options, refer to the relevant section of the manual pages of smb.conf and to the manual page of socket(7).
Figure 24.4: Samba Configuration – Trusted Domains
Note
The Samba HOWTO Collection provided by the Samba team includes a section about troubleshooting. In addition to that, Part V of the document provides a step-by-step guide to checking your configuration.
24.2 Netatalk
Note: Netatalk on S/390 and zSeries
IBM S/390 and zSeries can use the AppleTalk protocol over TCP/IP.
With Netatalk, obtain a high-performance file and print server for MacOS clients. With it, access data on a Linux machine from a Macintosh or print to a connected printer. Netatalk is a suite of Unix programs that run on kernel-based DDP (datagram delivery protocol) and implement the AppleTalk protocol family (ADSP, ATP, ASP, RTMP, NBP, ZIP, AEP, and PAP).
24.2.1 Configuring the File Server
All configuration files are pure text files. Text that follows a # (comments) and empty lines can be disregarded. Activate the various services (printing, AppleTalk broadcast, AppleTalk via TCP/IP, time server) through the file /etc/netatalk/netatalk.
If you do not change anything here, the default server is simply started and displayed with the host name in ‘Chooser’. Therefore, you do not necessarily need to enter anything. However, you can give additional file servers a variety of names and options here, for example, to provide a specific guest server on which everybody can save files as guest.
"Guest server" -uamlist uams_guest.
Directories and Access Permissions — AppleVolumes.default
Note
Here, the syntax has partially changed. Take this into consideration if you are updating this version from a previous one. For example, it is now allow: instead of access= (a typical symptom would be if, instead of the drive descriptions, you were to see a display of the drive options on the Mac clients in the ‘Chooser’).
This restricts access to the volume “PostScript Fonts” to the user “User1” and all members of the group “group0”. The users and groups entered here must be known to the Linux system. Likewise, explicitly deny users access with deny:User2. These restrictions only apply to access via AppleTalk and not to the normal access rights users have if they can log in to the server itself.
24.2.2 Configuring the Print Server
Printer_Reception:pr=lp:pd=/etc/netatalk/kyocera.ppd
This causes the printer named Printer_Reception to appear as a ‘Chooser’ item. The corresponding printer description file is usually provided by the vendor. Otherwise, refer to the file Laserwriter located in the ‘System Extensions’ folder. However, when using this file you often cannot use all of the printer’s features.
Note
The S/390 and zSeries are only able to “understand” AppleTalk if the AppleShare server is configured to use TCP/IP encapsulated AppleTalk.
24.2.4 For More Information
To take full advantage of all the options Netatalk offers, read the corresponding manual pages. Find them by entering the command rpm -qd netatalk. The /etc/netatalk/netatalk.conf file is not used in this Netatalk version, so disregard it.
25 Internet
The Internet has become the number one platform for network communications worldwide. As a true network system, Linux can handle a broad range of Internet related tasks — both as a server and as a client system.
25.1 smpppd as Dial-up Assistant
25.1.1 Program Components for the Internet Dial-Up
Most home users do not have a dedicated line connecting them to the Internet. Rather, they use dial-up connections. Depending on the dial-up method (ISDN or DSL), the connection is controlled by ipppd or pppd. Basically, all that needs to be done to go online is to start these programs correctly.
password =
By assigning a password, limit the clients to authorized hosts. As this is a plain-text password, you should not overrate the security it provides. If no password is assigned, all clients are permitted to access smpppd.
host-range =
The parameter host-range defines a network range. Hosts whose IP addresses are within this range are granted access to smpppd.
25.2 Configuring an ADSL or T-DSL Connection
25.2.1 Default Configuration
Currently, SUSE LINUX supports DSL connections that work with the point-to-point over ethernet protocol (PPPoE) used by most major providers. If you are not sure what protocol is used for your DSL connections, ask your provider.
Although a permanent online connection would also be possible using a DSL flat-rate connection, there are certain advantages to having a connection that only exists for a short amount of time when needed:
Using dial-on-demand, however, really only makes sense if you have a flat-rate connection.
25.3 Proxy Server: Squid
Squid is a widely-used proxy cache for Linux and UNIX platforms. This section discusses its configuration, the settings required to get it running, how to configure the system to do transparent proxying, how to gather statistics about using the cache with the help of programs, like Calamaris and cachemgr, and how to filter web contents with squidGuard.
25.3.
Multiple Caches
Several proxies can be configured in such a way that objects can be exchanged between them. This reduces the total system load and increases the chances of finding an object already existing in the local network.
The question remains as to how long all the other objects stored in the cache should stay there. To determine this, all objects in the cache are assigned one of various possible states. Web and proxy servers find out the status of an object by adding headers to these objects, such as “Last modified” or “Expires” and the corresponding date. Other headers specifying that objects must not be cached are used as well.
The easiest way to determine the needed cache size is to consider the maximum transfer rate of the connection. With a 1 Mbit/s connection, the maximum transfer rate is 125 KB/s. If all this traffic ends up in the cache, in one hour it would add up to 450 MB and, assuming that all this traffic is generated in only eight working hours, it would reach 3.6 GB in one day.
To start Squid, enter rcsquid start at the command line as root. For the initial start-up, the directory structure must first be defined in /var/squid/cache. This is done by the start script /etc/init.d/squid automatically and can take a few seconds or even minutes. If done appears to the right in green, Squid has been successfully loaded.
Local DNS Server
Setting up a local DNS server, such as BIND9, makes sense even if the server does not manage its own domain. It then simply acts as a caching-only DNS and is also able to resolve DNS requests via the root name servers without requiring any special configuration. If you enter the local DNS server in the /etc/resolv.conf file with the IP address 127.0.0.
General Configuration Options (Selection)
http_port 3128
This is the port on which Squid listens for client requests. The default port is 3128, but 8080 is also common. If desired, specify several port numbers separated by blank spaces.
cache_peer
Here, for example, enter a parent proxy to use the proxy of your ISP.
These three entries specify the paths where Squid logs all its actions. Normally, nothing is changed here. If Squid is experiencing a heavy usage burden, it might make sense to distribute the cache and the log files over several disks.
cache_store_log /var/log/squid/store.log
Path for log messages.
emulate_httpd_log off
If the entry is set to on, obtain readable log files.
never_direct allow
To prevent Squid from taking requests directly from the Internet, use the above command to force connection to another proxy. This must have previously been entered in cache_peer. If all is given as the ACL name, all requests are forced to be forwarded directly to the parent.
http_access deny localhost
http_access allow teachers
http_access allow students lunch time
http_access deny all
In another example using these rules, the group teachers always has access to the Internet. The group students only gets access Monday to Friday during lunch time.
clients. For Linux, install the pidentd package for this purpose. For Windows, there is free software available for download from the Internet. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL here:
acl identhosts ident REQUIRED
http_access allow identhosts
http_access deny all
Here, too, replace REQUIRED with a list of permitted user names.
Configuration Options in /etc/squid/squid.conf
The options to activate in the /etc/squid/squid.
httpd_accel_host virtual
The most important option is the number 15:
Example 25.1: Firewall Configuration: Option 15
# 15.) Which accesses to services should be redirected to a local port on the firewall machine? This can be used to force all internal users to surf via your Squid proxy, or transparently redirect incoming web traffic to a secure web server.
25.3.7 cachemgr.cgi
The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the memory usage of a running Squid process. It is also a more convenient way to manage the cache and view statistics without logging in to the server.
Setup
First, a running web server on your system is required. To check if Apache is already running, as root enter the command rcapache status.
Example 25.2: Access Rules
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl webserver src 192.168.1.7/255.255.255.255 # webserver IP
Then add the rules in Example 25.3.
Example 25.
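As an added example (not from the guide), one squid.conf fragment that ties together the teachers/students rules, the ident requirement and the cache manager rules above. The client networks, the time window (the time ACL is simply named lunch here) and the 192.168.1.7 address are assumptions; http_access lines are tested top to bottom and the first match decides, so the order is part of the policy.

```conf
# --- ACL definitions (addresses and names are constructed for this example)
acl teachers   src 192.168.1.0/255.255.255.0
acl students   src 192.168.2.0/255.255.255.0
acl lunch      time MTWHF 12:00-13:00
acl identhosts ident REQUIRED
acl manager    proto cache_object
acl localhost  src 127.0.0.1/255.255.255.255
acl webserver  src 192.168.1.7/255.255.255.255
acl all        src 0.0.0.0/0.0.0.0

# --- Cache manager: reachable only from the proxy host and the web server
#     that runs cachemgr.cgi; every other manager request is refused.
http_access allow manager localhost
http_access allow manager webserver
http_access deny  manager

# --- Client policy, first match wins:
#     1. nothing on the proxy host itself may use the proxy,
#     2. teachers always pass,
#     3. students pass only during lunch AND when the ident lookup succeeds
#        (all ACLs on one line must match),
#     4. everything else is refused.
http_access deny  localhost
http_access allow teachers
http_access allow students lunch identhosts
http_access deny  all
```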
squidGuard can do the following:
Block access to some listed or blacklisted web servers or URLs for some users.
Limit the web access for some users to a list of accepted or well-known web servers or URLs.
Block access to URLs matching a list of regular expressions or words for some users.
Redirect blocked URLs to an “intelligent” CGI-based information page.
Another option called redirect_children configures the number of “redirect” (in this case squidGuard) processes running on the machine. squidGuard is fast enough to handle many requests: on a 500 MHz Pentium with 5,900 domains and 7,880 URLs (totalling 13,780), 100,000 requests can be processed within 10 seconds.
25.3.10 For More Information
Following the installation, a small howto about transparent proxies is available in howtoen as /usr/share/doc/howto/en/txt/TransparentProxy.gz. In addition, mailing lists are available for Squid at squid-users@squid-cache.org. The archive for this is located at http://www.squid-cache.org/mail-archive/squid-users/.
26 Security in the Network
The security of data, services, and transfers within networks is and always will be an important issue. This chapter provides information about how to prevent unauthorized access to the system and how to guard against attacks from the outside.
26.1 X.509 Certification with YaST
An increasing number of authentication mechanisms are based on cryptographic procedures. Digital certificates that assign cryptographic keys to their owners play an important role in this context. These certificates are not only used for communication, but can also be found on company ID cards, for example.
Key Authenticity
Because the public key process is in widespread use, there are many public keys in circulation. Successful use of this system requires that every user be sure that a public key does indeed belong to the assumed owner. The assignment of users and public keys will be confirmed by trustworthy instances by means of public key certificates.
The extensions can contain any additional information. An application does not normally need to be able to evaluate an extension unless it is identified as critical. If an application does not recognize a critical extension, it must reject the certificate. Some extensions reduce the use of the certificate to a specific application, such as signature or encryption. Table 26.1 shows the principle underlying an X.
Table 26.2: X.509 Certificate Revocation List (CRL)
Field        Content
Version      The version of the CRL, e.g., v2.
Signature    The ID of the algorithm used to sign the CRL.
Issuer       Unique name (DN) of the publisher of the CRL (usually the issuing CA).
This Update  Time of publication (date, time) of this CRL.
Next Update  Time of publication (date, time) of the next CRL.
Proprietary PKI
YaST contains modules for the elementary management of X.509 certificates. This mainly involves the creation of CAs, sub-CAs and their certificates. At this point it should be noted that the services of a PKI go far beyond simply creating and distributing certificates and CRLs. The operation of a PKI is a service that also requires a well-conceived administrative infrastructure.
Figure 26.1: YaST CA module – Basic Data for a Root CA
(roughly ten years). This long period makes sense because the replacement of a deleted CA involves an enormous administrative effort. Clicking ‘Extended’ opens a dialog for setting different attributes from the X.509 extensions (Figure 26.4 on page 629).
Creating or Revoking a Sub-CA
A sub-CA is created in exactly the same way as a root CA, except that it is first necessary to select the CA in which the sub-CA is to be created. After the program starts, select the required CA from the list and click ‘Enter CA’.
Creating or Revoking User Certificates
To create client and server certificates, first enter a CA, as described in 26.1.2 on the facing page. User certificates should only be created in sub-CAs to preserve root CA security. After clicking ‘Certificates...’, see the dialog for administering certificates, shown in Figure 26.3 on the next page.
Figure 26.3: Certificates of a CA
Changing Standard Values
The previous sections explained how to create sub-CAs, client certificates, and server certificates. Special settings are used in the extensions of the X.509 certificate. These settings have been given rational defaults for every certificate type and do not normally need to be changed.
Figure 26.4: YaST CA Module – Extended Settings
The tree structure and all extensions known to the system are displayed on the left. If you click a field here, change the associated value on the right side and set or delete the “critical” marking with ‘critical’. After clicking ‘Next’, see a short summary and save your changes with ‘Save’.
The system administers precisely one CRL for every CA. To create or update this CRL, first enter the required CA, as described in Section 26.1.2 on page 626 and click ‘CRL...’. The following dialog then displays a summary of the last CRL of this CA. If you have revoked new sub-CAs or certificates since its creation, create a new CRL so this information can be added to the CRL.
Exporting a Certificate to LDAP
Enter the CA containing the certificate to export, then select ‘Certificates’. Select the required certificate from the certificate list in the upper part of the dialog and select ‘Export’ ➝ ‘Export to LDAP’. The LDAP data is entered here in the same way as for CAs.
Note
You can select any storage location in the file system. This option can also be used to save CA objects on a USB stick as transport medium, for example.
Exporting Certificates to Floppy
YaST also allows certificates (but not CAs or CRLs) to be exported to a floppy.
26.2 VPN with SUSE LINUX
VPN (virtual private network) refers to a technology used to implement secure data connections via the insecure medium of the Internet. Communication is not with the Internet, but via the Internet. The data packets are encrypted here for authentication and confidentiality and are packed into a new packet (tunneling).
Creating Server Certificates
Create the server certificate with the YaST CA Management module (see Section 26.1.2 on page 627). Then save the certificate together with the key and all participating CAs in a PKCS12 file (see Section 26.1.2 on page 631).
Note
If certificates should be created for IPsec applications with Windows XP, client certificates must be used.
Figure 26.5: YaST VPN Module – Overview
If the connection should be set up and cleared dynamically when a network interface without a default route is activated and deactivated, enter %dynamic instead. The IP addresses of the relevant interface are then used. If the server should act as a gateway and permit access to a network, ‘Function as Gateway’ should be activated.
Figure 26.6: YaST VPN Module – Connection Settings
This is only possible if the local IP address is already known. This means, in the case of %defaultroute, that the default route must already be set and the computer must already have connected to the Internet.
3. Import files on the client computer
The client certificate is created with the YaST CA Management module (see Section 26.1.2 on page 627). The finished certificate is then saved together with the key and all participating CAs in a PKCS12 file (see Section 26.1.2 on page 631).
Manual Client Configuration
If the client computer does not have a YaST VPN module, import the certificates manually:
1. Copy the client certificate to /etc/ipsec.d/certs.
2. Copy the CA certificate to /etc/ipsec.d/cacerts.
3. Copy the key to /etc/ipsec.d/private. Only the root user should have access to this file. Adjust the permissions accordingly.
4. Enter the password for the key in /etc/ipsec.secrets.
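The four manual steps above as one shell script, added here as an example and not taken from the guide: it places the files in the /etc/ipsec.d layout, restricts the key and the secrets file to root, and offers a check that reports any key left readable by others. IPSEC_ROOT is an assumed variable so the layout can be built under a scratch directory, and the ": RSA <keyfile> \"<passphrase>\"" line format for ipsec.secrets is the FreeS/WAN one, assumed here.

```shell
#!/bin/sh
# Added example, not from the SUSE guide. IPSEC_ROOT is an assumed knob so the
# layout can be built under a scratch directory; on a real client it is /etc.
IPSEC_ROOT="${IPSEC_ROOT:-/etc}"

# install_ipsec_client_files CERT CACERT KEY PASSPHRASE
install_ipsec_client_files() {
    cert="$1" cacert="$2" key="$3" passphrase="$4"
    base="$IPSEC_ROOT/ipsec.d"
    mkdir -p "$base/certs" "$base/cacerts" "$base/private" || return 1

    # Steps 1 and 2: certificates hold no secret and may stay world-readable.
    cp "$cert" "$base/certs/" && chmod 0644 "$base/certs/$(basename "$cert")" || return 1
    cp "$cacert" "$base/cacerts/" && chmod 0644 "$base/cacerts/$(basename "$cacert")" || return 1

    # Step 3: the private key and its directory are readable by root only.
    chmod 0700 "$base/private" || return 1
    keyfile="$base/private/$(basename "$key")"
    cp "$key" "$keyfile" && chmod 0600 "$keyfile" || return 1

    # Step 4: record the passphrase that protects the key. The line format
    # ": RSA <keyfile> \"<passphrase>\"" is FreeS/WAN syntax (assumed here);
    # the secrets file must be protected as tightly as the key itself, so it
    # is created under umask 077 and forced to mode 600.
    secrets="$IPSEC_ROOT/ipsec.secrets"
    ( umask 077; printf ': RSA %s "%s"\n' "$keyfile" "$passphrase" >> "$secrets" ) || return 1
    chmod 0600 "$secrets"
}

# check_ipsec_key_perms: succeed only if every private key and the secrets
# file are unreadable by anyone but their owner (mode 600 or 400).
check_ipsec_key_perms() {
    for f in "$IPSEC_ROOT"/ipsec.d/private/* "$IPSEC_ROOT/ipsec.secrets"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f") || return 1
        case "$mode" in
            600|400) ;;
            *) echo "insecure mode $mode on $f" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Run the check again after any later edit of ipsec.secrets, since editors that write a fresh file can silently widen its mode.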
rcipsec start starts IPsec and establishes the connection (if auto=start has been configured). ipsec auto --status or setkey -D and an inspection of /var/log/messages enable you to check that everything has worked. rcipsec stop ends IPsec and all connections are cleared.
26.2.3 IPsec Clients on Windows XP and Windows 2000
You can also set up IPsec connections to SUSE LINUX from Windows XP and Windows 2000 clients.
Exporting a Windows Configuration File
On the server, start the ‘VPN’ YaST module in the YaST control center under the heading ‘Security and Users’. In the overview (Figure 26.5 on page 635), click ‘Connections’ then select the required server connection in the connection overview. After you select ‘Experts...’ ➝ ‘Export’ ➝ ‘Windows’, select the storage location for the windows_ipsec.
Configuring the Required Snap-Ins
Open MMC on the Windows client. In the start menu, go to ‘Run’ ➝ ‘MMC’. In MMC, click ‘File’ ➝ ‘Add/Remove Snap-In’. A dialog opens in which you may see active snap-ins. Click ‘Add’. A selection window opens to display all available snap-ins. ‘Certificates’ ➝ ‘Add’ takes you to the configuration wizard. Here, select ‘Computer Account’ and click ‘Next’.
When you click ‘Issuer’, see entries similar to those below, of which you should take note:
E=bsupport@suse.de
CN=mainca
OU=bu
O=SuSE
L=Nuremberg
S=Franconia
C=DE
Close the certificate view with ‘OK’ and MMC with ‘File’ ➝ ‘Exit’ ➝ ‘Save’ ➝ ‘Yes’.
Configuring an IPsec Connection
Install the ipsec.exe tool by decompressing package.zip to C:\Programs\IPsec\. In the next step, replace the standard version of the ipsec.
Creating Desktop Links
Finally, create a link to the C:\Programs\IPsec\IPSEC.exe file on the desktop. Now establish the connection to the Internet and click the first link.
Closing a Connection
To deactivate the IPsec filter and the tunnel, first call IPSEC.exe -off then IPSEC.exe -delete. It is best to create a desktop link for this too.
26.3
filter
This table holds the bulk of the filter rules, because it implements the packet filtering mechanism in the stricter sense, which determines whether packets are let through (ACCEPT) or discarded (DROP), for instance.
nat
This table defines any changes to the source and target addresses of packets.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 645 — #671 i i 26 Security in the Network Figure 26.
26.3.2 Masquerading Basics
Masquerading is the Linux-specific form of NAT (network address translation). It can be used to connect a small LAN (where hosts use IP addresses from the private range — see Section 21.1.2 on page 419) with the Internet (where official IP addresses are used). For the LAN hosts to be able to connect to the Internet, their private addresses are translated to an official one.
26.3.3 Firewalling Basics
Firewall is probably the term most widely used to describe a mechanism that provides and manages a link between networks while also controlling the data flow between them. Strictly speaking, the mechanism described in this section is called a packet filter. A packet filter regulates the data flow according to certain criteria, such as protocols, ports, and IP addresses.
26.3.4 SuSEfirewall2
SuSEfirewall2 is a script that reads the variables set in /etc/sysconfig/SuSEfirewall2 to generate a set of iptables rules. It defines three security zones, although only the first and the second one are considered in the following sample configuration:
External Network
Given that there is no way to control what is happening on the external network, the host needs to be protected from it.
FW_DEV_EXT (firewall, masquerading)
The device linked to the Internet. For a modem or DSL connection, enter ppp0. For an ISDN link, use ippp0. Specify auto to use the interface that corresponds to the default route.
FW_DEV_INT (firewall, masquerading)
The device linked to the internal, private network (such as eth0).
FW_SERVICES_EXT_UDP (firewall)
Leave this blank unless you run a name server and want to make it available to the outside. In that case, enter the UDP ports to use.
FW_SERVICES_INT_TCP (firewall)
With this variable, define the services available for the internal network. The notation is the same as for FW_SERVICES_EXT_TCP, but the settings are applied to the internal network.
Features
Here, select the main features of your firewall:
‘Forward Traffic and Do Masquerading’
Protects hosts in the internal network from the Internet — all Internet services appear to be used by your firewall, while the internal hosts remain invisible.
‘Protect from Internal Network’
If enabled, internal hosts can only use the services explicitly made available to them.
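As an added example that is neither the guide's own text nor part of SuSEfirewall2, the following POSIX shell script sources a /etc/sysconfig/SuSEfirewall2 fragment and reports settings that the explanations above warn about or that contradict each other. It assumes the variable names FW_ROUTE, FW_MASQUERADE and FW_PROTECT_FROM_INT behind the YaST features ‘Forward Traffic and Do Masquerading’ and ‘Protect from Internal Network’; both sample files are constructed here.

```shell
#!/bin/sh
# Added example, not part of the SUSE guide or of SuSEfirewall2: a sanity
# check for /etc/sysconfig/SuSEfirewall2. The file consists of plain shell
# variable assignments, so it can simply be sourced. Besides FW_DEV_EXT,
# FW_DEV_INT and the FW_SERVICES_* variables explained above, the check
# assumes FW_ROUTE, FW_MASQUERADE and FW_PROTECT_FROM_INT as the variables
# behind the YaST features 'Forward Traffic and Do Masquerading' and
# 'Protect from Internal Network'.

# fw_check FILE -> prints one line per finding; the exit status is the number
# of findings, so 0 means the configuration passed every check.
fw_check() {
    (   # subshell: the sourced variables must not leak into the caller
        FW_DEV_EXT=""; FW_DEV_INT=""; FW_ROUTE=no; FW_MASQUERADE=no
        FW_PROTECT_FROM_INT=no; FW_SERVICES_EXT_TCP=""; FW_SERVICES_EXT_UDP=""
        . "$1"
        n=0
        if [ -z "$FW_DEV_EXT" ]; then
            echo "FW_DEV_EXT is empty: no interface is treated as the external zone"
            n=$((n + 1))
        fi
        if [ -n "$FW_DEV_INT" ] && [ "$FW_DEV_INT" = "$FW_DEV_EXT" ]; then
            echo "FW_DEV_INT equals FW_DEV_EXT: both zones sit on one device"
            n=$((n + 1))
        fi
        if [ "$FW_MASQUERADE" = yes ] && [ "$FW_ROUTE" != yes ]; then
            echo "FW_MASQUERADE=yes needs FW_ROUTE=yes, otherwise nothing is forwarded"
            n=$((n + 1))
        fi
        if [ "$FW_MASQUERADE" = yes ] && [ "$FW_PROTECT_FROM_INT" != yes ]; then
            echo "FW_PROTECT_FROM_INT is not yes: internal hosts may use any service on the firewall"
            n=$((n + 1))
        fi
        if [ -n "$FW_SERVICES_EXT_UDP" ]; then
            echo "FW_SERVICES_EXT_UDP=\"$FW_SERVICES_EXT_UDP\": only needed for a public name server"
            n=$((n + 1))
        fi
        for s in $FW_SERVICES_EXT_TCP; do
            case $s in
                *:*) echo "FW_SERVICES_EXT_TCP opens the whole port range $s to the Internet"
                     n=$((n + 1)) ;;
            esac
        done
        exit "$n"
    )
}

# Two constructed sample files for the router from the text: DSL on ppp0,
# LAN on eth0. The first one has several of the mistakes the checks look for.
WEAK=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$WEAK" "$GOOD"' EXIT
cat >"$WEAK" <<'EOF'
FW_DEV_EXT=""
FW_DEV_INT="eth0"
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="22 80 6000:6010"
FW_SERVICES_EXT_UDP="53"
EOF
cat >"$GOOD" <<'EOF'
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="22 80"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP="22 25 110 139"
EOF

fw_check "$GOOD" && echo "good: no findings"
fw_check "$WEAK" || echo "weak: $? finding(s)"
```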
26.4 SSH — Secure Shell, the Safe Alternative
With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes.
Furthermore, ssh offers the possibility to run commands on remote systems, as known from rsh.
ssh otherplanet "uptime; mkdir tmp"
tux@otherplanet’s password:
1:21pm up 2:17, 9 users, load average: 0.15, 0.04, 0.02
Quotation marks are necessary here to send both instructions with one command. It is only by doing this that the second command is executed on sun.
26.4.3 scp — Secure Copy
26.4.5 The SSH Daemon (sshd) — Server-Side
To work with the SSH client programs ssh and scp, a server, the SSH daemon, must be running in the background, listening for connections on TCP/IP port 22. The daemon generates three key pairs when starting for the first time. Each key pair consists of a private and a public key. Therefore, this procedure is referred to as public key–based.
It is recommended to back up the private and public keys stored in /etc/ssh/ in a secure, external location. In this way, key modifications can be detected and the old ones can be used again after a reinstallation. This spares users any unsettling warnings. If it is verified that, despite the warning, it is indeed the correct SSH server, the existing entry regarding this system must be removed from ~/.
In the long run, this procedure is more troublesome than giving your password each time. Therefore, the SSH package provides another tool, ssh-agent, which retains the private keys for the duration of an X session. The entire X session is started as a child process of ssh-agent. The easiest way to do this is to set the variable usessh at the beginning of the .
ssh -L 110:sun:110 earth
Both commands must be executed as root, because the connection is made to privileged local ports. E-mail is sent and retrieved by normal users in an existing SSH connection. The SMTP and POP3 host must be set to localhost for this to work.
Note: The original Kerberos was designed at MIT. Besides the MIT Kerberos, several other implementations of Kerberos exist. SUSE LINUX ships with a free implementation of Kerberos 5, the Heimdal Kerberos 5 from KTH. Because the following text covers features common to all versions, the program itself is referred to as Kerberos as long as no Heimdal-specific information is presented.
mutual authentication
Kerberos ensures that both client and server can be sure of each other’s identity. They share a session key, which they can use to communicate securely.
session key
Session keys are temporary private keys generated by Kerberos. They are known to the client and used to encrypt the communication between the client and the server for which it requested and received a ticket.
- the names of both the client and the ticket-granting server
- the current time
- a lifetime assigned to this ticket
- the client’s IP address
- the newly-generated session key
This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used.
Ticket Granting — Contacting All Servers
Tickets are designed to be used for one server at a time. This implies that you have to get a new ticket each time you request another service. Kerberos implements a mechanism to obtain tickets for individual servers. This service is called the “ticket-granting service”.
encrypted with the session key that came with the original ticket-granting ticket. The client can decrypt the response without requiring the user’s password when a new service is contacted. Kerberos can thus acquire ticket after ticket for the client without bothering the user more than once at login time.
Compatibility with Windows 2000
Windows 2000 contains a Microsoft implementation of Kerberos 5.
imapd
You no longer have to type your password for using these applications because Kerberos has already proven your identity. ssh, if compiled with Kerberos support, can even forward all the tickets acquired for one workstation to another one. If you use ssh to log in to another workstation, ssh makes sure the encrypted contents of the tickets are adjusted to the new situation.
The official Kerberos FAQ is available at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. The book Kerberos — A Network Authentication System by Brian Tung (ISBN 0-201-37924-4) offers extensive information.
26.6 Installing and Administering Kerberos
This section covers the installation of the Heimdal Kerberos implementation as well as some aspects of administration.
26.6.2 Setting up the KDC Hardware
The KDC is the most important part of your security infrastructure — if someone breaks into it, all user accounts and all of your infrastructure protected by Kerberos are compromised. An attacker with access to the Kerberos database can impersonate any principal in the database.
Disable all user accounts except root’s account by editing /etc/shadow and replacing the hashed passwords with * or ! characters.
26.6.3 Clock Synchronization
To use Kerberos successfully, make sure all system clocks within your organization are synchronized within a certain range. This is important because Kerberos protects against replayed credentials.
26.6.5 Installing the KDC
This section covers the initial installation of the KDC, including creation of an administrative principal.
Installing the RPMs
Before you can start, install the Kerberos software. On the KDC, install the packages heimdal, heimdal-lib, and heimdal-tools with rpm -ivh heimdal-*.rpm heimdal-lib-*.rpm heimdal-tools*.rpm.
Creating the Realm
Finally, create entries for your realm in the Kerberos database. Run kadmin with the -l option as shown. This option tells kadmin to access the database locally. By default, it tries to contact the Kerberos admin service over the network. At this stage, this will not work because it is not running yet. Now, tell kadmin to initialize your realm. It will ask you a number of questions in return.
Starting the KDC
Start the KDC daemons. This includes kdc itself (the daemon handling user authentication and ticket requests), kadmind (the server performing remote administration), and kpasswdd (handling users’ password change requests). To start the daemon manually, enter rckdc start. Also make sure the KDC is started by default when the server machine is rebooted with the command insserv kdc.
To configure your Kerberos clients, add the following stanza to krb5.conf (where kdc.sample.com is the host name of the KDC):
[libdefaults]
        default_realm = SAMPLE.COM
[realms]
        SAMPLE.COM = {
                kdc = kdc.sample.com
                kpasswd_server = kdc.sample.com
                admin_server = kdc.sample.com
        }
The default_realm line sets the default realm for Kerberos applications.
Heimdal Kerberos currently looks up the following names when looking for services:
_kerberos
This defines the location of the KDC daemon (the authentication and ticket granting server). Typical records look like this:
_kerberos._udp.SAMPLE.COM.    IN  SRV  0 0 88 kdc.sample.com.
_kerberos._tcp.SAMPLE.COM.    IN  SRV  0 0 88 kdc.sample.com.
_kpasswd
This describes the location of the password changing server.
Adjusting the Clock Skew
The clock skew is the tolerance for accepting tickets with time stamps that do not exactly match the host’s system clock. Usually, the clock skew is set to 300 seconds (five minutes). This means a ticket can have a time stamp somewhere between five minutes ago and five minutes in the future from the server’s point of view.
26.6.7 Remote Kerberos Administration
To be able to add and remove principals from the Kerberos database without accessing the KDC’s console directly, tell the Kerberos administration server which principals are allowed to do what. Do this by editing the file /var/heimdal/kadmind.acl (ACL is an acronym for access control list). The ACL file allows you to specify privileges with a fine degree of control.
This changes the maximum ticket lifetime to two days and sets the expiration date for the account to January 1, 2005.
Basic kadmin Commands
Here is a brief list of kadmin commands. For more information, refer to the manual page of kadmin.
Instead, the key required to decrypt the initial ticket for the host principal is extracted by the administrator from the KDC once and stored in a local file called the keytab. Services such as the SSH daemon read this key and use it to obtain new tickets automatically when needed. The default keytab file resides in /etc/krb5.keytab. To create a host principal for machine.sample.
26.6.9 Enabling PAM Support for Kerberos
SUSE LINUX comes with a PAM module named pam_krb5, which supports Kerberos login and password update. This module can be used by applications, such as console login, su, and graphical login applications like KDM, where the user presents a password and would like the authenticating application to obtain an initial Kerberos ticket on his behalf.
# These are for protocol version 1
KerberosAuthentication yes
KerberosTicketCleanup yes
# These are for version 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart your SSH daemon using rcsshd restart. To use Kerberos authentication with protocol version 2, enable it on the client-side as well.
To enable Kerberos to bind to the OpenLDAP server, create a principal ldap/earth.sample.com and add that to the keytab:
kadmin add -r ldap/earth.sample.com
ktutil get ldap/earth.sample.com
By default, the LDAP server slapd runs as user and group ldap, while the keytab file is readable by root only.
In Kerberos, authentication is always mutual. This means that not only have you authenticated yourself to the LDAP server, but also the LDAP server has authenticated itself to you. In particular, this means communication is with the desired LDAP server, rather than some bogus service set up by an attacker.
To understand how this works, you need to know that when SASL authenticates a user, OpenLDAP forms a distinguished name from the name given to it by SASL (such as joe) and the name of the SASL flavor (GSSAPI). The result would be uid=joe,cn=GSSAPI,cn=auth. If a saslRegexp has been configured, it checks the DN formed from the SASL information using the first argument as a regular expression.
26.7.1 Local Security and Network Security
- personal communication with people who have the desired information or access to the data on a computer
- directly from the console of a computer (physical access)
- over a serial line
- using a network link
In all these cases, a user should be authenticated before accessing the resources or data in question.
Serial terminals connected to serial ports are still used in many places. Unlike network interfaces, they do not rely on a network protocol to communicate with the host. A simple cable or an infrared port is used to send plain characters back and forth between the devices.
Replacing some letters of a word with similar looking numbers is not safe enough. Password cracking programs that use dictionaries to guess words also play with substitutions like that. A better way is to make up a word with no common meaning, something that only makes sense to you personally, like the first letters of the words of a sentence or the title of a book, such as “The Name of the Rose” by Umberto Eco.
The permissions of the more than 200,000 files included in a SUSE distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits.
Format string bugs work in a slightly different way, but again it is the user input that could lead the program astray. In most cases, these programming errors are exploited with programs executed with special permissions — setuid and setgid programs — which also means that you can protect your data and your system from such bugs by removing the corresponding execution privileges from programs.
Network Security
Network security is important for protecting from an attack that is started from outside. The typical login procedure requiring a user name and a password for user authentication is still a local security issue. In the particular case of logging in over a network, differentiate between the two security aspects.
Caution: If you do not consider the host where you log in to be a secure host, do not use X forwarding. With X forwarding enabled, an attacker could authenticate via your SSH connection to intrude on your X server and sniff your keyboard input, for instance.
making the service disappear. However, once a given service has become unavailable, communications could become vulnerable to man-in-the-middle attacks (sniffing, TCP connection hijacking, spoofing) and DNS poisoning.
Man in the Middle: Sniffing, Hijacking, Spoofing
In general, any remote attack performed by an attacker who puts himself between the communicating hosts is called a man-in-the-middle attack.
Worms
Worms are often confused with viruses, but there is a clear difference between the two. Unlike viruses, worms do not need to infect a host program to live. Rather, they are specialized to spread as quickly as possible on network structures. The worms that appeared in the past, such as Ramen, Lion, or Adore, make use of well-known security holes in server programs like bind8 or lprNG.
The following is a list of rules you may find useful in dealing with basic security concerns: According to the rule of using the most restrictive set of permissions possible for every job, avoid doing your regular jobs as root. This reduces the risk of getting a cuckoo egg or a virus and protects you from your own mistakes. If possible, always try to use encrypted connections to work on a remote machine.
Take proper care when installing any third-party software. There have been cases where a hacker had built a trojan horse into the tar archive of a security software package, which was fortunately discovered very quickly. If you install a binary package, have no doubts about the site from which you downloaded it. SUSE’s RPM packages are gpg-signed.
26.7.3 Using the Central Security Reporting Address
If you discover a security-related problem (please check the available update packages first), write an e-mail to security@suse.de. Please include a detailed description of the problem and the version number of the package concerned. SUSE will try to send a reply as soon as possible. You are encouraged to PGP-encrypt your e-mail messages.
Part IV Administration
This chapter provides a brief summary of the background and functions of POSIX ACLs for Linux file systems. Learn how the traditional permission concept for file system objects can be expanded with the help of ACLs (access control lists) and which advantages this concept provides.
27.1 Advantages of ACLs
27.2 Definitions
27.3 Handling ACLs
27.4 Support by Applications
27.1 Advantages of ACLs
Note: POSIX ACLs
The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard. The respective draft standards POSIX 1003.1e and POSIX 1003.2c have been withdrawn for several reasons.
27.2 Definitions
user class
The conventional POSIX permission concept uses three classes of users for assigning permissions in the file system: the owner, the owning group, and other users. Three permission bits can be set for each user class, giving permission to read (r), write (w), and execute (x).
27.3.1 Structure of ACL Entries
There are two basic classes of ACLs: A minimum ACL merely comprises the entries for the types owner, owning group, and other, which correspond to the conventional permission bits for files and directories. An extended ACL goes beyond this. It must contain a mask entry and may contain several entries of the named user and named group types. Table 27.
27.3.2 ACL Entries and File Mode Permission Bits
Figure 27.1 and Figure 27.2 illustrate the two cases of a minimum ACL and an extended ACL.
This mapping approach ensures the smooth interaction of applications, regardless of whether they have ACL support. The access permissions that were assigned by means of the permission bits represent the upper limit for all other “fine adjustments” made by means of ACLs. Any permissions not reflected here were either not set in the ACL or are not effective.
Your first modification of the ACL is the assignment of read, write, and execute permissions to an additional user jane and an additional group djungle.
setfacl -m user:jane:rwx,group:djungle:rwx mydir
The option -m prompts setfacl to modify the existing ACL. The following argument indicates the ACL entries to modify (several entries are separated by commas).
3. According to the output of the ls command, the permissions for the mask entry include write access. Traditionally, such permission bits would mean that the owning group (here project3) also has write access to the directory mydir/.
getfacl mydir
27.3.4 A Directory with a Default ACL
Directories can have a default ACL, which is a special kind of ACL defining the access permissions that objects under the directory inherit when they are created. A default ACL affects subdirectories as well as files.
1. Add a default ACL to the existing directory mydir/ with:
setfacl -d -m group:djungle:r-x mydir
The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL.
As expected, the newly-created subdirectory mysubdir/ has the permissions from the default ACL of the parent directory. The access ACL of mysubdir/ is an exact reflection of the default ACL of mydir/, as is the default ACL that this directory will hand down to its subordinate objects.
3. Use touch to create a file in the mydir/ directory:
touch mydir/myfile
ls -l mydir/myfile
-rw-r-----+ ... tux project3 ...
27.3.5 The ACL Check Algorithm
A check algorithm is applied before any process or application is granted access to an ACL-protected file system object. As a basic rule, the ACL entries are examined in the following sequence: owner, named user, owning group or named group, and other. The access is handled in accordance with the entry that best suits the process. Permissions do not accumulate.
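As an added example that is not part of the guide, the following POSIX shell script models the check algorithm just described on the ACL of the mydir/ walkthrough above (owner tux, group project3, user jane and group djungle added, mask cut back to r-x). It runs offline without setfacl or getfacl; the ACL is passed in setfacl's text syntax, and every name and permission value in it is constructed.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: an offline model of the POSIX ACL
# check algorithm described above (owner, named user, owning group or named
# group, other; the mask limits everything but the owner and other entries;
# permissions of several matching group entries do not add up). No setfacl
# or getfacl is required: the ACL is passed in setfacl's text form, and all
# names and permissions used below are constructed for illustration.

# perm_contains HAVE WANT -> 0 if each letter of WANT (r, w, x) is in HAVE
perm_contains() {
    pc_want=$2
    while [ -n "$pc_want" ]; do
        pc_c=${pc_want%"${pc_want#?}"}   # first character of WANT
        pc_want=${pc_want#?}
        if [ "$pc_c" = - ]; then continue; fi
        case $1 in *"$pc_c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# perm_mask PERM MASK -> PERM with every letter missing from MASK turned into -
perm_mask() {
    pm_out=""; pm_p=$1
    while [ -n "$pm_p" ]; do
        pm_c=${pm_p%"${pm_p#?}"}; pm_p=${pm_p#?}
        case $2 in *"$pm_c"*) pm_out="$pm_out$pm_c" ;; *) pm_out="$pm_out-" ;; esac
    done
    printf '%s\n' "$pm_out"
}

# acl_entry ACL TAG QUALIFIER -> prints the permission field of the entry
# "TAG:QUALIFIER:perms" (QUALIFIER is empty for user::, group::, mask::, other::)
acl_entry() {
    ae_tag=$2; ae_qual=$3
    ae_ifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$ae_ifs
    for ae_e in "$@"; do
        case $ae_e in
            "$ae_tag:$ae_qual:"*) printf '%s\n' "${ae_e##*:}"; return 0 ;;
        esac
    done
    return 1
}

# acl_check OWNER OWNGROUP ACL USER "GROUPS" WANT
# Succeeds if USER, a member of the space separated GROUPS, gets WANT (letters
# from rwx) on an object owned by OWNER:OWNGROUP carrying ACL. Prints the one
# entry that decided the request, which makes the "no accumulation" rule visible.
acl_check() {
    ac_owner=$1; ac_owngroup=$2; ac_acl=$3; ac_uid=$4; ac_groups=$5; ac_want=$6
    ac_mask=$(acl_entry "$ac_acl" mask "") || ac_mask=rwx   # minimum ACL: no mask
    # 1. the owner: decided by user:: alone, the mask does not apply
    if [ "$ac_uid" = "$ac_owner" ]; then
        ac_p=$(acl_entry "$ac_acl" user "") || ac_p=""
        echo "user::$ac_p"; perm_contains "$ac_p" "$ac_want"; return
    fi
    # 2. a named user entry, cut down by the mask
    if ac_p=$(acl_entry "$ac_acl" user "$ac_uid"); then
        ac_p=$(perm_mask "$ac_p" "$ac_mask")
        echo "user:$ac_uid:$ac_p"; perm_contains "$ac_p" "$ac_want"; return
    fi
    # 3. owning group and named groups: any one matching entry may grant,
    #    but the request is checked against each entry on its own
    ac_matched=0
    for ac_g in $ac_groups; do
        if [ "$ac_g" = "$ac_owngroup" ]; then
            ac_p=$(acl_entry "$ac_acl" group "") || ac_p=""; ac_tag="group::"
        elif ac_p=$(acl_entry "$ac_acl" group "$ac_g"); then
            ac_tag="group:$ac_g:"
        else
            continue
        fi
        ac_matched=1
        ac_p=$(perm_mask "$ac_p" "$ac_mask")
        if perm_contains "$ac_p" "$ac_want"; then echo "$ac_tag$ac_p"; return 0; fi
    done
    if [ "$ac_matched" = 1 ]; then echo "group class: no single entry grants $ac_want"; return 1; fi
    # 4. everybody else
    ac_p=$(acl_entry "$ac_acl" other "") || ac_p=""
    echo "other::$ac_p"; perm_contains "$ac_p" "$ac_want"
}

# The directory from the walkthrough: owner tux, group project3, jane and
# djungle added, mask reduced to r-x (constructed values).
MYDIR_ACL='user::rwx,user:jane:rwx,group::r-x,group:djungle:rwx,mask::r-x,other::---'
acl_check tux project3 "$MYDIR_ACL" jane "" w || echo "jane: write denied by the mask"
```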
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 707 — #733 i i 28 A number of programs and mechanisms, some of which are presented here, can be used to examine the status of your system. Also described are some utilities that are useful for routine work, along with their most important parameters. 28.1 28.2 28.3 28.4 28.5 28.6 28.7 28.8 28.9 28.10 28.11 28.12 28.13 28.14 28.15 28.16 28.17 List of Open Files: lsof . . . . . . . . . . . . . . . . User Accessing Files: fuser . .
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 708 — #734 i i i For each of the commands introduced, examples of the relevant outputs are presented. In these examples, the first line is the command itself (after the dollar sign prompt). Comments are indicated by the use of square brackets [...] and long lines are wrapped where necessary. Line breaks for long lines are indicated by a backslash (\).
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 709 — #735 i i $ lsof | wc -l 3749 List all the character devices used with: $ lsof | grep CHR sshd 4685 sshd 4685 sshd 4693 sshd 4693 zsh 4694 zsh 4694 zsh 4694 zsh 4694 X 6476 lsof 13478 lsof 13478 grep 13480 grep 13480 28.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 710 — #736 i i i 28.3 File Properties: stat The command stat displays details of the properties of a file: $ stat xml-doc.txt File: ‘xml-doc.txt’ Size: 632 Blocks: 8 IO Block: 4096 Device: eh/14d Inode: 5938009 Links: 1 Access: (0644/-rw-r--r--) Uid: (11994/ jj) Gid: ( Access: 2004-04-27 20:08:58.000000000 +0200 Modify: 2003-06-03 15:29:34.000000000 +0200 Change: 2003-07-23 17:48:27.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 711 — #737 i i The parameter -U hUIDi monitors only the processes associated with a particular user. Here, hUIDi is the user ID of the user. The following variant is useful: $ top -U $(id -u ) 28.5 Process List: ps The command ps produces a list of processes.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 712 — #738 i i i $ ps www -p $(pidof xterm) PID TTY STAT TIME COMMAND 9025 ? S 0:01 xterm -g 100x45+0+200 9176 ? S 0:00 xterm -g 100x45+0+200 29854 ? S 0:21 xterm -g 100x75+20+0 -fn \ -B&H-LucidaTypewriter-Medium-R-Normal-Sans-12-120-75-75-M-70-iso10646-1 4378 ? S 0:01 xterm -bg MistyRose1 -T root -n root -e su -l 25543 ? S 0:02 xterm -g 100x45+0+200 22161 ? R 0:14 xterm -g 100x45+0+200 16832 ? S 0:01 xterm -bg MistyRose1 -T root -n
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 713 — #739 i i 28.7 Who Is Doing What: w With the command w, find out who is logged onto the system and what each user is doing. For example: 28 System Monitoring Utilities $ pstree -pa init,1 |-atd,1255 [...] ‘-zsh,1404 ‘-startx,1407 /usr/X11R6/bin/startx ‘-xinit4,1419 /suse/jj/.xinitrc [...] |-X,1426 :0 -auth /suse/jj/.Xauthority ‘-ctwm,1440 |-xclock,1449 -d -geometry -0+0 -bg grey |-xload,1450 -scale 2 ‘-xosview.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 714 — #740 i i 28.8 Memory Usage: free The utility free examines RAM usage.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 715 — #741 i i The last line indicates that there is a temporary problem in the NFS server totan. The lines up to that point are triggered by the insertion of a USB memory stick. Older events are logged in the files /var/log/messages and /var/log/ warn. 28.
i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 716 — #742 i i i Users of the NFS file server totan should clear their home directory immediately. Display the total size of all the files in a given directory and its subdirectories with the command du. The parameter -s suppresses the output of detailed information. -h again transforms the data into a form that ordinary people can understand.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 717 — #743 i i Some of the important files and their contents are as follows: /proc/modules kernel modules loaded /proc/cmdline kernel command line /proc/meminfo detailed information about memory usage /proc/config.gz gzip-compressed configuration file of the kernel currently running Further information is available in the text file /usr/src/linux/ Documentation/filesystems/proc.txt. Query Memory usage with the command vmstat.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 718 — #744 i i The address assignment of executables and libraries is contained in the maps file: $ cat /proc/self/maps 08048000-0804c000 r-xp 0804c000-0804d000 rw-p 0804d000-0806e000 rwxp 40000000-40016000 r-xp 40016000-40017000 rw-p 40017000-40018000 rw-p 4002b000-40135000 r-xp 40135000-4013d000 rw-p 4013d000-40141000 rw-p bfffe000-c0000000 rw-p ffffe000-fffff000 ---p 28.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 719 — #745 i i Total 0 0 Used 2 0 Bootup: Wed Feb 25 09:44:17 2004 user : nice : system: idle : uptime: irq irq irq irq irq irq 64d 0: 1: 2: 6: 8: 9: 28.13 0:00:00.02 0:00:00.00 0:00:00.00 0:00:04.99 3:59:12.62 501 1 0 0 0 0 0.4% 0.0% 0.0% 99.6% timer keyboard cascade [4] rtc acpi Free -2 0 Shared 0 Buffers 0 Cached 0 Load average: 0.00 0.00 0.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 720 — #746 i i Information about device name resolution is obtained from file /usr/ share/pci.ids. PCI IDs not listed in this file are marked “Unknown device”. The parameter -vv produces all the information that could be queried by the program. To view the pure numeric values, you should use the parameter -n. 28.
i i “main” (Installation and Administration) — 2004/6/25 — 13:29 — page 721 — #747 i i = = = = 3 3 3 3 To trace all the child processes, use the parameter -f. The behavior and output format of strace can be largely controlled. For information, see man strace. 28.15 Library Calls of a Program Run: ltrace The command ltrace enables you to trace the library calls of a process. This command is used in a similar fashion to strace.
28.16 Specifying the Required Library: ldd

With the command ldd, find out which shared libraries the dynamic executable given as argument would load:

$ ldd /bin/ls
        linux-gate.so.1 =>  (0xffffe000)
        librt.so.1 => /lib/tls/librt.so.1 (0x4002b000)
        libacl.so.1 => /lib/libacl.so.1 (0x40033000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x40039000)
        libc.so.6 => /lib/tls/libc.so.6 (0x40048000)
        libpthread.so.
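Two things in ldd output matter when checking a binary: a library reported as "not found", and a library resolved from a directory other than the system library directories (which is what a manipulated LD_LIBRARY_PATH or a stray /etc/ld.so.conf entry produces). The following is an added example, not code from the SUSE guide: it parses ldd output lines, including the vDSO line (no path) and the bare loader line (no "=>"), and reports both conditions. The sample output, the directory allowlist and the names libextra.so.1 and libfoo.so.2 are constructed for the example. Note that ldd itself works by running the dynamic loader over the binary, so for a file of unknown origin the DT_NEEDED entries should be read with a static tool (for example objdump -p) rather than ldd.

```python
"""Parse ldd output and flag unresolved or out-of-tree libraries.

Added example (not code from the SUSE guide). The sample lines, the trusted
directory list and the library names libextra/libfoo are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        librt.so.1 => /lib/tls/librt.so.1 (0x4002b000)
        libacl.so.1 => /lib/libacl.so.1 (0x40033000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x40039000)
        libc.so.6 => /lib/tls/libc.so.6 (0x40048000)
        libextra.so.1 => /tmp/lib/libextra.so.1 (0x40100000)
        libfoo.so.2 => not found
        /lib/ld-linux.so.2 (0x40000000)
"""

# Constructed allowlist of directories a system library may legitimately come from.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/X11R6/lib")


class Dependency(NamedTuple):
    soname: str
    path: Optional[str]      # None for the vDSO line and for unresolved libraries
    address: Optional[int]   # load address, None when unresolved
    found: bool


_RESOLVED = re.compile(r"^(\S*)\s*\((0x[0-9a-f]+)\)$")          # "[path] (0xaddr)"
_LOADER = re.compile(r"^(\S+)\s+\((0x[0-9a-f]+)\)$")             # "/lib/ld-linux.so.2 (0xaddr)"


def parse_ldd(text: str) -> List[Dependency]:
    deps: List[Dependency] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            soname, _, rhs = line.partition("=>")
            soname, rhs = soname.strip(), rhs.strip()
            if rhs == "not found":
                deps.append(Dependency(soname, None, None, False))
                continue
            m = _RESOLVED.match(rhs)
            if m is None:
                raise ValueError(f"unrecognised ldd line: {line!r}")
            path = m.group(1) or None      # empty for linux-gate.so.1 (vDSO)
            deps.append(Dependency(soname, path, int(m.group(2), 16), True))
        else:
            m = _LOADER.match(line)
            if m is None:
                raise ValueError(f"unrecognised ldd line: {line!r}")
            deps.append(Dependency(m.group(1), m.group(1), int(m.group(2), 16), True))
    return deps


def in_trusted_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def suspicious(deps: List[Dependency]) -> List[Tuple[str, str]]:
    """(soname, reason) for every dependency that is unresolved or resolved outside the allowlist."""
    problems: List[Tuple[str, str]] = []
    for d in deps:
        if not d.found:
            problems.append((d.soname, "not found"))
        elif d.path is not None and not in_trusted_dir(d.path):
            problems.append((d.soname, f"resolved outside trusted directories: {d.path}"))
    return problems


if __name__ == "__main__":
    for soname, reason in suspicious(parse_ldd(SAMPLE_LDD)):
        print(f"{soname}: {reason}")
```

On the constructed sample the check reports libextra.so.1 (loaded from /tmp/lib) and libfoo.so.2 (not found); every library of the guide's own /bin/ls listing resolves under /lib and passes.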
Part V Appendix
A

A wide range of information sources exist that are applicable to your SUSE LINUX system. Some of these sources are SUSE-specific, but many are more general sources. Some are already available on your system or installation media and others can be accessed over the Internet.
DHCP server is described in a HOWTO, as well as the points to be noted, but not how Linux itself is installed. As a rule, documentation of this kind is kept quite general so it can be applied to every distribution. The howto package contains HOWTOs in ASCII format. Users who prefer HTML should install howtoenh.
Standards and Specifications

http://www.w3.org
The World Wide Web Consortium (W3C) is certainly one of the best-known standards organizations. It was founded in October 1994 by Tim Berners-Lee and concentrates on standardizing web technologies. W3C promotes the dissemination of open, license-free, and manufacturer-independent specifications, such as HTML, XHTML, and XML.
http://www.din.de, http://www.din.com
The Deutsches Institut für Normung (DIN) is a registered technical and scientific association. It was founded in 1917. According to DIN, the organization is “the institution responsible for standards in Germany and represents German interests in worldwide and European standards organizations.
B Manual Page of e2fsck

E2FSCK(8)                                                            E2FSCK(8)

NAME
       e2fsck - check a Linux second extended file system

SYNOPSIS
       e2fsck [ -pacnyrdfvstDFSV ] [ -b superblock ] [ -B blocksize ]
              [ -l|-L bad_blocks_file ] [ -C fd ] [ -j external-journal ]
              [ -E extended_options ] device

DESCRIPTION
       e2fsck is used to check a Linux second extended file system (ext2fs).
backup superblock is dependent on the filesystem’s blocksize. For filesystems with 1k blocksizes, a backup superblock can be found at block 8193; for filesystems with 2k blocksizes, at block 16384; and for 4k blocksizes, at block 32768. Additional backup superblocks can be determined by using the mke2fs program using the -n option to print out where the superblocks were created.
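The three block numbers quoted by the man page follow from the ext2 layout, and knowing the rule lets you locate a backup superblock for `e2fsck -b` without running mke2fs -n against the damaged device. The following is an added example, not code from the SUSE guide or from e2fsprogs: it derives the first backup location for each block size and generalizes to the later copies that mke2fs writes when the sparse_super feature is on (block groups 0 and 1 and the powers of 3, 5 and 7). It assumes the mke2fs defaults of 8 * blocksize blocks per group (one block-bitmap block holds eight bits per byte) and a first data block of 1 for 1k file systems and 0 otherwise; a file system created with non-default -g or without sparse_super will differ, and the definitive list is always the one mke2fs -n prints.

```python
"""Compute ext2/ext3 backup superblock locations from the block size.

Added example (not from the SUSE guide or e2fsprogs). Assumes mke2fs defaults:
blocks per group = 8 * block size, first data block 1 for 1k blocks else 0,
and the sparse_super placement rule (groups 0, 1 and powers of 3, 5, 7).
"""
from typing import List


def blocks_per_group(block_size: int) -> int:
    # One block of the block bitmap covers 8 * block_size blocks.
    return 8 * block_size


def first_data_block(block_size: int) -> int:
    # With 1k blocks the boot sector occupies block 0, so the superblock is block 1.
    return 1 if block_size == 1024 else 0


def group_has_backup(group: int) -> bool:
    """sparse_super rule: groups 0 and 1 and every power of 3, 5 or 7 carry a copy."""
    if group in (0, 1):
        return True
    for base in (3, 5, 7):
        n = base
        while n < group:
            n *= base
        if n == group:
            return True
    return False


def backup_superblocks(block_size: int, fs_blocks: int, sparse_super: bool = True) -> List[int]:
    """Block numbers of the backup superblocks of a file system of fs_blocks blocks."""
    bpg = blocks_per_group(block_size)
    first = first_data_block(block_size)
    # Number of block groups, rounding the last partial group up.
    n_groups = -(-(fs_blocks - first) // bpg)
    backups: List[int] = []
    for group in range(1, n_groups):
        if sparse_super and not group_has_backup(group):
            continue
        # Each group starts at first + group * bpg; the superblock copy is its first block.
        backups.append(first + group * bpg)
    return backups


def first_backup(block_size: int) -> int:
    """The value the man page quotes for -b when the primary superblock is unusable."""
    return first_data_block(block_size) + blocks_per_group(block_size)


if __name__ == "__main__":
    for bs in (1024, 2048, 4096):
        print(f"{bs // 1024}k blocks: first backup superblock at block {first_backup(bs)}")
    # A 100 MB file system with 1k blocks (102400 blocks), sparse_super on:
    print(backup_superblocks(1024, 102400))
```

For a 1k-block file system of 102400 blocks the function returns 8193, 24577, 40961, 57345 and 73729, the familiar "Superblock backups stored on blocks" line of mke2fs; the first entry is the block to pass as `e2fsck -b 8193 -B 1024 device`. Because the block size is not known reliably when the primary superblock is gone, supplying -B alongside -b avoids e2fsck guessing it.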
       -E extended_options
              Set e2fsck extended options. Extended options are comma separated, and may take an argument using the equals (’=’) sign. The following options are supported:

              ea_ver=extended_attribute_version
                     Assume the format of the extended attribute blocks in the filesystem is the specified version number. The version number may be 1 or 2. The default extended attribute version format is 2.
              no other changes will be made to the filesystem.)

       -p     Automatically repair ("preen") the filesystem without any questions.

       -r     This option does nothing at all; only for backwards compatibility.

       -s     This option will byte-swap the filesystem so that it is using the normalized, standard byte-order (which is i386 or little endian). If the filesystem is already in the standard byte-order, e2fsck will take no action.
Please include as much information as possible in your bug report. Ideally, include a complete transcript of the e2fsck run, so I can see exactly what error messages are displayed. If you have a writeable filesystem where the transcript can be stored, the script(1) program is a handy way to save the output of e2fsck to a file. It is also useful to send the output of dumpe2fs(8).
C Manual Page of reiserfsck

REISERFSCK(8)                                                    REISERFSCK(8)

NAME
       reiserfsck - check a Linux Reiserfs file system

SYNOPSIS
       reiserfsck [ -afprVy ] [ --rebuild-sb | --check | --fix-fixable | --rebuild-tree | --clean-attributes ]
                  [ -j | --journal device ] [ -z | --adjust-size ] [ -n | --nolog ]
                  [ -l | --logfile file ] [ -q | --quiet ] [ -y | --yes ]
                  [ -S | --scan-whole-partition ] [ --no-journal
              This option recovers certain kinds of corruption that do not require rebuilding the entire file system tree (--rebuild-tree). Normally you only need this option if the --check option reports "corruption that can be fixed with --fix-fixable". This includes: zeroing invalid data-block pointers, correcting st_size and st_blocks for directories, and deleting invalid directory entries.
       -a, -p These options are usually passed by fsck -A during the automatic checking of those partitions listed in /etc/fstab. These options cause reiserfsck to print some information about the specified file system, check if error flags in the superblock are set and do some light-weight checks.
some way you should also run reiserfsck --rebuild-tree, but we also encourage you to submit this as a bug report.

       5. Before running reiserfsck --rebuild-tree, please make a backup of the whole partition before proceeding. Then run reiserfsck --rebuild-tree --logfile rebuild.log /dev/hda1.

       6. If the --rebuild-tree step fails or does not recover what you expected, please submit this as a bug report.
D The GNU General Public License

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
is included without limitation in the term “modification”.) Each licensee is addressed as “you”. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4.
particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
No Warranty

12.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.