Basic command line:
-
| Command | Description |
| pstree | Processes and parent-child relationships |
| top | Show top processes |
| iostat | Report CPU statistics and input/output statistics for devices and partitions. |
| ps -auxw | Process status |
| uname -a | Print system information |
| cat /proc/version | Display Linux kernel version in use. |
| cat /etc/redhat-release | Display Red Hat Linux release. (also /etc/issue) |
| uptime | Tell how long the system has been running. Also number of users and system's load average. |
| w | Show who is logged on and what they are doing. |
| /sbin/lsmod | List all currently loaded kernel modules. Same as cat /proc/modules |
| /sbin/runlevel | Displays the system's current runlevel. |
| hostname | Displays/changes the system's node name. (Must also manually change hostname setting in /etc/sysconfig/network. Command will change entry in /etc/hosts) |
| service | Red Hat/Fedora command to display status of system services. Example: service --status-all   Help: service --help |
GUI/Graphical:
-
| Command | Description |
| gnome-system-monitor | Operating system monitor and usage graphing. |
| gkrellm | Graphical system monitor. (Additional RPM package: gkrellm) |
| ps3 | 3D load meter. Very cool 3-D graphics. |
| xosview | Operating system monitor: load, memory, swap, net, disk, ... |
Terminating processes:
The basic monitoring commands such as pstree, ps -auxw and top will show you the processes running on your system. Sometimes a process must be terminated. To terminate a process:
- Identify the process: pstree -p, ps -auxw or top
- Kill the process:
  - kill <process-id-number>
  - killall <command-name>
  This will perform an orderly shutdown of the process. If it hangs, give a stronger signal with kill -9 <process-id-number>. This method is not as sanitary and thus less preferred.
A signal may be given to the process. The program must be written to handle the given signal. See /usr/include/bits/signum.h for a full list. For example, to restart a process after updating its configuration file, issue the command kill -HUP <process-id-number>. In this example the HUP signal was sent to the process; the software was written to trap the signal so that it could respond to it. If the software (command) is not written to respond to a particular signal, then sending that signal to the process is futile.
Identify all known signals: fuser -l
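The sequence above (kill first, kill -9 only if the process hangs) as one shell function that reports which signal actually ended the process; this is an added example, not from the YoLinux page. The two target processes and the function names are constructed for the demonstration, so no real service is touched.

```shell
#!/bin/sh
# Added example, not from the YoLinux page: orderly stop with escalation.

# is_alive PID: true while PID exists and is not a zombie. On Linux the state
# is read from /proc/PID/stat, because kill -0 still succeeds on an exited
# child that has not been reaped yet.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ -r "/proc/$1/stat" ] || return 0
    state=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
    [ "$state" != "Z" ]
}

# stop_process PID [TIMEOUT]: send SIGTERM, wait up to TIMEOUT seconds
# (default 5) for an orderly exit, then send SIGKILL.
# Exit status: 0 = exited on SIGTERM, 1 = SIGKILL was needed, 2 = no such process.
stop_process() {
    pid=$1
    timeout=${2:-5}
    is_alive "$pid" || return 2
    kill -s TERM "$pid" 2>/dev/null
    waited=0
    while is_alive "$pid"; do
        if [ "$waited" -ge "$timeout" ]; then
            kill -s KILL "$pid" 2>/dev/null
            sleep 1
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Constructed targets. Both loop forever; the first traps SIGTERM and exits
# cleanly (a program written to handle the signal), the second ignores it
# (a program that was not). Output is redirected so $(...) does not hang.
cooperative_pid() {
    sh -c 'trap "exit 0" TERM; while :; do sleep 1; done' </dev/null >/dev/null 2>&1 &
    echo $!
}
stubborn_pid() {
    sh -c 'trap "" TERM; while :; do sleep 1; done' </dev/null >/dev/null 2>&1 &
    echo $!
}

run_demo() {
    p=$(cooperative_pid)
    stop_process "$p" 3 && echo "pid $p exited on SIGTERM"
    p=$(stubborn_pid)
    stop_process "$p" 3 || echo "pid $p ignored SIGTERM; SIGKILL was required"
}
run_demo
```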
Process Management GUI Tools:
- xosview: Oldie but goodie.
- gnome-system-monitor
- ksysguard (comes with SuSE)
- QPS (See below)
QPS:
-
Also see the GUI tool QPS. (Handles MOSIX clusters)
This tool is outstanding for monitoring, adjusting nice values (priorities), issuing signals to a process, and viewing the files, memory, environment variables and sockets a process is using.
RPM available from this site.
It is so simple to use, no instructions are necessary.
It can monitor a program to make sure it isn't doing something bad.
It can also be used to reverse engineer what applications are doing and the environments under which they run.
I love this tool!!
Note: The RPM provided was compiled for RedHat 7.x. For RedHat 8.0+ one must install the appropriate QT library RPMs to satisfy dependencies:
rpm -ivh qt2-2.3.1-8.i386.rpm qt2-Xt-2.3.1-8.i386.rpm qt2-devel-2.3.1-8.i386.rpm qt2-static-2.3.1-8.i386.rpm
Then install qps: rpm -ivh qps-1.9.7-5.i386.rpm
Note Fedora Core 3: rpm -ivh qt2-2.3.1-8.i386.rpm qps-1.9.7-5.i386.rpm
These older RH 8.0 and 7 binary release rpms even work on my AMD64 Fedora Core 3 x86_64 OS system.
Configuring QPS to run applications against a process: Select "Command" + "Edit Commands..." + "Add..."
- Description: GDB
  Command Line: xterm -T "GDB %C" -e gdb -d /directory-where-source-code-is-located --pid=%p
- Description: gdb
  Command Line: xterm -T "gdb %c (%p)" -e gdb /proc/%p/exe %p &
  (As issued in RPM)
  gdb man page
- Description: strace
  Command Line: xterm -T "strace %c (%p)" -e sh -c 'strace -f -p%p; sleep 10000'&
  (Show process system calls and signals. Try it with the process qps itself.)
  Show output written by the process:
  xterm -T "strace %c (%p)" -e sh -c 'strace -f -q -e trace=write -p%p; sleep 10000'&
  strace man page
- Description: truss (Solaris command)
  Command Line: xterm -T "truss %C (%p)" -e sh -c 'truss -f -p %p; sleep 1000'&
IPCs: Semaphores, Shared Memory and Queues
-
Note that some processes may use Linux InterProcess Communication or IPC (semaphores, shared memory or message queues) which may need to be cleaned up manually:
- Identify the IPC resources: ipcs
  ipcs -q List message queues.
  ipcs -m List shared memory segments.
  ipcs -s List semaphores.
- Remove a semaphore: ipcrm -s <ipcs id> (ipcrm -m <shmid> and ipcrm -q <msqid> remove shared memory segments and message queues)
Example: If you are running Apache, you may see the following:
-
[root@node DIR]# ipcs -m
------ Shared Memory Segments --------
key        shmid  owner  perms bytes nattch status
0x00000000 341504 nobody 600   46084 27     dest
lsof - Processes attached to open files or open network ports:
-
The command lsof shows a list of processes attached to open files or network ports.
- List processes attached to a given file: lsof filename
-
[root@node DIR]# lsof /var/log/mailman/qrunner
python 18538 mailman 4u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18578 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18579 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18580 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18581 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18582 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18583 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
python 18584 mailman 6u REG 3,5 657 486746 /var/log/mailman/qrunner
The processes attached to an open file can be killed using the command fuser -ki filename
- List all open files on the system: lsof (long list)
- List all files opened by a user: lsof -u user-id
- The commands netstat -punta and socklist will list open network connections. Use the command lsof -i TCP:port-number to see the processes attached to the port. Example:
-
[root@node DIR]# lsof -i TCP:389
COMMAND PID   USER FD  TYPE DEVICE  SIZE NODE NAME
slapd   5927  ldap 6u  IPv4 7560023      TCP  *:ldap (LISTEN)
slapd   5928  ldap 6u  IPv4 7560023      TCP  *:ldap (LISTEN)
slapd   21185 ldap 6u  IPv4 7560023      TCP  *:ldap (LISTEN)
slapd   21186 ldap 6u  IPv4 7560023      TCP  *:ldap (LISTEN)
slapd   21193 ldap 6u  IPv4 7560023      TCP  *:ldap (LISTEN)
This shows that the command slapd, running under user id ldap, has five processes listening on port 389.
Restricting user resources: see the section "Restrict/Limit Users" (/etc/security/) below.
Linux Commands to Monitor Memory Usage:
-
| Command | Description |
| vmstat | Monitor virtual memory |
| free | Display amount of free and used memory in the system. (Also: cat /proc/meminfo) |
| pmap | Display/examine memory map and libraries (so). Usage: pmap pid |
| top | Show top processes |
| sar -B | Show statistics on page swapping. |
| time -v date | Show system page size, page faults, etc. of a process during execution. Note you must fully qualify the command as "/usr/bin/time" to avoid using the bash shell builtin "time". |
| cat /proc/sys/vm/freepages | Display virtual memory "free pages". One may increase/decrease this limit: echo 300 400 500 > /proc/sys/vm/freepages |
| cat /proc/meminfo | Show memory size and usage. |
Examination of memory usage:
- Show system page size: /usr/bin/time -v date
-
...
Page size (bytes): 4096
Exit status: 0
- Show paging: /usr/bin/time -v firefox
-
...
Major (requiring I/O) page faults: 24
Minor (reclaiming a frame) page faults: 11271
Voluntary context switches: 302
Involuntary context switches: 3689
...
Explanation of terms:
- Major Page Fault (MPF): When a request is made for a page that is not in physical memory, a request is issued to the disk subsystem to retrieve the page from virtual memory and buffer it in RAM. MPFs occur most when an application is started.
- Minor Page Fault (MnPF): Reusing a page that is still in memory, as opposed to reading it back from disk.
Filesystems and Storage Devices:
Hard Drive Info:
-
| Command | Description |
| df -k | Report filesystem disk space usage. (-k reports in Kbytes) |
| du -sh | Calculates file space usage for a given directory (and everything under it). (-s option summarizes) |
| mount | Displays all mounted devices, their mount point, filesystem, and access. Used with command line arguments to mount a file system. |
| cat /proc/filesystems | Display filesystems currently in use. |
| cat /proc/mounts | Display mounted filesystems currently in use. |
| showmount | Displays mount info for NFS filesystems. |
| cat /proc/swaps | Displays swap partition(s) size, type and quantity used. |
| cat /proc/ide/hda/any-file | Displays disk information held by the kernel. |
Adding an extra hard drive:
(See commands and dialog of adding a second IDE hard drive)
- fdisk /dev/<drive> - Allocate drive space and register info on the partition table. (Option "n"/"p", then "w" to write.) Also see: sfdisk, cfdisk
- mkfs -t ext3 /dev/<drive> - Create file system. (RH 7.1 and earlier use ext2, RH 7.2-8.0 use ext3)
- mount -t ext3 /dev/<drive's device name> /<home2 or some suitable directory> - Mount the drive
  Mount a raw ISO file: mount -t iso9660 -o loop /home/user1/RedHat-9.0-i386-Disk1.iso /mnt/iso-1
  (Fstab entry: /home/user1/RedHat-9.0-i386-Disk1.iso /mnt/iso-1 iso9660 loop,ro 0 3)
  Also see: mke2fs man page
Where the drive is /dev/hdb or some other device conforming to the Linux device names: IDE drives are referred to as hda for the first drive, hdb for the second, etc. IDE uses separate ribbon cables for primary and secondary drives. The partitions on each drive are numbered: the first partition on the first drive is referred to as hda1, the second as hda2, the third as hda3, etc.
Linux IDE naming conventions:
-
| Device | Description | Configuration |
| /dev/hda | 1st (Primary) IDE controller | Master |
| /dev/hdb | 1st (Primary) IDE controller | Slave |
| /dev/hdc | 2nd (Secondary) IDE controller | Master |
| /dev/hdd | 2nd (Secondary) IDE controller | Slave |
Note: SCSI disks are labeled /dev/sda, sdb, etc... For more info see SCSI info.
Use the command cat /proc/partitions to see full list of disks and
partitions that your system can see.
See Linux devices:
- Kernel 2.4: (Red Hat 7.1+)
- Kernel 2.2: (Red Hat 7.0-)
To make the drive a permanent member of your system and have it mount upon
system boot, add it to your /etc/fstab file which holds all the
file system information for your system. See
man page for fstab.
Example of existing /etc/fstab file:
-
/dev/sdb6   /            ext2     defaults              1 1
/dev/sdb1   /boot        ext2     defaults              1 2
/dev/cdrom  /mnt/cdrom   iso9660  noauto,user,users,ro  0 0
/dev/fd0    /mnt/floppy  auto     noauto,owner          0 0
none        /proc        proc     defaults              0 0
none        /dev/pts     devpts   gid=5,mode=620        0 0
/dev/sdb5   swap         swap     defaults              0 0
Add SCSI drive by adding line:
-
/dev/sdc1   /home2       ext2     defaults              1 2
At this point one may optionally check the file system created with the command: fsck /dev/sdc1
Note that fsck is NOT run against a mounted file system. Unmount it first if necessary. (umount)
Also see the man page for:
- cfdisk - Curses based disk partition table manipulator. (very nice)
- fdisk - Manipulate/configure the partition table.
- sfdisk - Manipulate/configure the partition table.
- fsck
Mounting other file systems: (locally attached drives)
- Mounting a CD: mount -r -t iso9660 /dev/cdrom /mnt/cdrom
  Un-mount the CD-ROM: umount /dev/cdrom (No "n" in umount)
  This command should work for a Red Hat installation. Other distributions may require the following set-up:
  ln -sf /dev/hdc /dev/scd0    (Reference the SCSI device directly.)
  OR
  ln -sf /dev/hdc /dev/cdrom   (A more typical system)
  cd /mnt
  mkdir cdrom
  mount -t iso9660 -o ro /dev/cdrom /mnt/cdrom
  Don't forget to un-mount the CD with umount /mnt/cdrom
  [Potential Pitfall]: There is NO "N" in umount!!!
  For trouble shooting your CD see your kernel documentation:
- Mounting a Windows partition.
- Mounting a floppy:
- Ramdisk: Using a portion of RAM memory to act like a superfast disk.
  /sbin/mkfs -t ext2 /dev/ram
  mount /dev/ram /mnt/ramd
  [Potential Pitfall]: I've never actually tried this. Use at your own risk!
  See How to use a Ramdisk for Linux
- Add system swap space for virtual memory paging:
  Swap space may be a swap partition, a swap file or a combination of the two. One should size swap space to be at least twice the size of the computer's RAM. (but less than 2GB)
  dd if=/dev/zero of=/swapfile bs=1024 count=265032 - Create file filled with zeros of size 256Mb
  mkswap /swapfile - Create swap file
  swapon /swapfile - Begin use of given swap file. Assign a priority with the "-p" flag.
  swapon -s - List swap files
  cat /proc/swaps - Same as above
  This example refers to a swap file. One may also use a swap partition.
  Make an entry in /etc/fstab to permanently use the swap file or partition:
-
/swapfile swap swap defaults 0 0
Note: To remove the use of swap space, use the command swapoff. If using a swap partition, the partition must be unmounted.
Man pages:
Increase open files limit:
cat /proc/sys/fs/file-max - Kernel configuration for max number of files
cat /proc/sys/fs/file-nr - Number of files presently open
echo 4096 > /proc/sys/fs/file-max - Set max file limit. (This is the default)
cat /proc/sys/fs/inode-max - Kernel 2.2 configuration for max number of inodes
To change: echo 12288 > /proc/sys/fs/inode-max
Reboot count and fsck:
-
Pertains to Red Hat systems using the EXT2 filesystem (RH 7.2+ uses EXT3)
After 20 reboots of the system, Linux will perform a file system check using fsck. This is annoying for systems with many file systems because they will all be checked at once. The individual file system's mount count may be changed so that they will be checked on different reboots.
Check current reboot status: /sbin/dumpe2fs /dev/sdb6 | grep '[mM]ount count'
-
dumpe2fs 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09
Mount count:              2
Maximum mount count:      20
(This of course is specific for my system. Refer to your particular filesystem.)
Perform the previous command on all the filesystems to obtain their mount counts. Next change the mount counts for some of them:
-
umount /dev/sdb6
tune2fs -C 9 /dev/sdb6
mount /dev/sdb6
Now the filesystems will have an fsck performed on them on different system boots rather than all at the same time.
For home users who routinely shut down and boot their systems, one can increase the maximum mount count: tune2fs -c 40 /dev/sdb6
This feature can also be disabled: tune2fs -c -1 /dev/sdb6
Check every week: tune2fs -i 7 /dev/sdb6
System crash and disk check upon boot:
-
Pertains to Red Hat 7.1 EXT2 filesystems and earlier which require an integrity check. (RH 7.2+ uses EXT3, a journaled file system which maintains file system integrity even through a crash.)
If the system crashes (due to a power outage etc.) then upon boot the system will check whether the disk was unmounted cleanly. If not, you may get the following message:
-
Unexpected inconsistency; Run fsck Manually
...
*** An error occurred during the file system check.
*** Dropping you to a shell; the system will reboot
...
Give root password for maintenance
(or type Control-D for normal startup):
At this point enter the root password then run fsck:
-
(repair file system) 1# fsck -A -y
...
***** FILE SYSTEM WAS MODIFIED *****
...
(repair file system) 2# exit
The system will hopefully reboot properly at this point.
fsck man page
Note that fsck is NOT run against mounted file systems.
Journaled Filesystem EXT3:
-
Convert from ext2 to ext3:
- Red Hat 7.2 upgrade gives one the option to perform this file system upgrade.
- Manual method:
- Convert: tune2fs -j /dev/hda1
- Configuration file changes: /etc/fstab change ext2 to ext3
Also see:
Other journaled file systems: SGI XFS, IBM JFS and reiserfs. For files larger than 2Gb use SGI XFS and the SGI Linux Red Hat RPM or Red Hat ISO CD install image.
Raw Devices: Commercial databases such as Oracle and IBM DB2 can maximize performance by using raw I/O. One may use the raw command for both IDE and SCSI devices. This will map a raw device to a block device for an entire disk partition.
To see if your system is using raw I/O issue the command: raw -a
- raw man page
- Configuration file: /etc/sysconfig/rawdevices
  Add entries to this file to invoke raw I/O upon system boot.
- Devices: /dev/raw/raw??
- Raw device controller: /dev/rawctl
- Sample use of command: raw /dev/raw/raw1 /dev/hdb5
- One must be a member of group disk to use the raw device, or change the permissions:
  - chmod a+r /dev/rawctl
  - chmod a+r /dev/hdb5
  - chmod a+rw /dev/raw/raw1
Note: The above information applies to Red Hat distributions. This info may be different for other distributions, e.g. S.U.S.E. uses /dev/raw1 as a device and /dev/raw as the controller. You can mimic Red Hat behavior with a symbolic link: ln -s /dev/your_raw_controller /dev/rawctl
Mounting Network Drives:
NIS (Network Information Systems) is often used in NFS clusters to manage authentication. See the YoLinux.com NIS tutorial.
Commands:
-
| Command | Description |
| who | Displays currently logged in users. Use who -uH for idle time and terminal info. |
| users | Show all users logged in. |
| w | Displays currently logged in users and the processes they are running. |
| whoami | Displays user id. |
| groups | Display groups you are part of. Use groups user-id to display groups for a given user. |
| set | Display all environment variables in your current environment. |
| id | Display user and all group ids. Use id user-id to display info for another user id. |
| last | Listing of most recent logins by users. Shows where from, date and time of login (ftp, ssh, ...). Also see the lastlog command. Show last 100 logins: last -100 |
| history | Shell command to display previously entered commands. |
The greeting messages and login displays are all customizable.
-
| Type of greeting | File |
| Telnet pre-login text | File containing text: /etc/issue |
| Ssh pre-login text | /etc/ssh/sshd_config. Specify text file: Banner /etc/issue |
| vsftpd login text | vsftpd config file: /etc/vsftpd/vsftpd.conf. Set text greeting: ftpd_banner=Put welcome greeting here |
| Post login text message (message of the day) | /etc/motd. Default is blank. |
| GDM graphical login display | /etc/X11/gdm/gdm.conf (or /etc/gdm/gdm.conf). Set image: DefaultFace=/path/file.png   Set logo: Logo=/path/file.png   Set background: BackgroundImage=/path/file.png |
Creating a new system local user account:
The three most common methods of defining a Linux user and authenticating their logins are:
- Local user authenticated locally with the password files /etc/passwd and /etc/shadow
- Network authentication using an LDAP authentication server
- NIS authentication server. To specify an NIS authentication server, use /etc/yp.conf which contains the line: ypserver ip.address.of.server. Find the server in use with ypwhich
The following describes creating a local user:
- Command Line Method: (My preference)
  - useradd user_name : Add a user to the system. The system uses configuration and security defaults set in /etc/default/useradd and /etc/login.defs
  - useradd -m user_name : Add a user to the system and create a home directory populated with default files from /etc/skel/
  - useradd -m user_name -G floppy : Will grant the user read/write privileges to the floppy (/dev/fd0) upon creation of the user by adding the user to group floppy in addition to the default group specified in /etc/default/useradd.
  - useradd options:
-
| Option | Description |
| -c | Adds a comment or description to the password record. |
| -d HOME_DIR | Specify but don't create the user's home directory. |
| -m | Create the user's home directory (if it does not already exist, by appending the username to "/home/") and use it as the user's home directory. Default files from /etc/skel/ will be placed in the user's home directory, e.g. ~/.bashrc |
| -g | Initial (default) group |
| -G grp1,grp2 | Specify additional supplementary groups to which the user belongs. |
| -s | Specify default shell. Default is /bin/bash in most Linux distributions. |
See the useradd man page for a full list of options.
  - userdel user_name : Delete user from system. Purges user from /etc/passwd, group and shadow files
  - userdel -r user_name : Delete user and remove his home directory from the system. Other files will remain.
    [Potential Pitfall]: Use the command "df" to see if there are any mount points within the user's directory. If there are any, they will get wiped out by the recursive delete. Thus as a policy it is best to NEVER create a mount point within a user's directory. It is best to mount to /mnt/mount-dir and use a sym-link (ln -s /mnt/mount-dir /home/user-name/mount-dir-local) in the user's directory. The default is to not follow symlinks during the delete.
  - passwd user_name : Assign a password to the user. (Also see pwgen, a password generator)
  Also see the man page for usermod.
  Configuration file for the useradd command: /etc/default/useradd
  Default directory configuration and files for a new user are copied from the directory /etc/skel/.
  The default shell is bash (the Bourne-again shell), which combines features of the UNIX ksh and csh command shells. The user's personal bash shell customizations are held in $HOME/.bashrc.
- GUI Method:
  - system-config-users: GUI admin tool for managing users and groups. (Fedora Core 2+, RHEL4)
  - redhat-config-users: GUI admin tool for managing users and groups. (Fedora Core 1)
  - linuxconf: (Note: Linuxconf is no longer included with Red Hat Linux 7.3+)
    - Start linuxconf:
      - RH 5.2: Select Start + Programs + Administration + linuxconf.
      - RH 6+: Select Gnome Start icon (located lower left corner) + System + Linuxconf.
    - Add the user: Select options Config + User accounts + Normal + User accounts + select button Add. There is also the option of adding the user to additional groups. (I.e. enter floppy under the heading Supplementary groups and then Accept.) For a list of groups, the group names should be separated by a single space. This tool will allow you to set default directories, shells, add rules about passwords, set e-mail aliases, group membership and disk quotas. One can modify or delete users from linuxconf as well.
    - Set user password: After creating the user, use options Config + User accounts + Normal + User accounts. Select the user from the list. Then select the Passwd button. This will allow you to enter an initial password for the account.
- File Editing Method: (as root) Edit files to add/remove a user
  - Create user entry in /etc/passwd:
    user:x:505:505:Mr. Dude User:/home/user:/bin/bash
  - Create group in /etc/group:
    user:x:505:
  - Create home directory:
    cd /home
    mkdir user
  - Copy default files:
    cp -pR /etc/skel/. /home/user
    chown -R user.user /home/user
  - The creation of /etc/shadow and /etc/gshadow entries requires the execution of a program to encrypt passwords. Use the commands pwconv and grpconv to synchronize the shadow files.
  - Assign a password: passwd user
  - Also see:
    - Shadow integrity verification: grpck [-r] [group shadow]
    - File editor: vipw.
Note:
- For every user ID text string there is an associated UID integer. See the third ":" delimited field in the file /etc/passwd.
- Red Hat/Fedora Linux distributions begin incrementing user UIDs from 500. By default the useradd command will increment by one for each new ID.
- Large organizations need to think ahead when creating a new user. Autonomous systems are often eventually linked together to share files using NFS at a later date and then have synchronization problems. The same user ID (text string) on two different systems may have different UIDs. The problem this creates is that a file created on one system cannot be edited when accessed from the second system, because the second system regards its owner as a different user since it maps the name to a different UID. It is best to use the useradd "-u" option to assign users a UID integer associated with the text string ID. Many systems administrators use the employee ID as they know it will be unique across the corporation. Group GIDs can be assigned to department or division numbers. This will allow smooth operation of connected systems.
- NFS: For systems which will use NFS to share files, one can administer user accounts to make creation, editing and ownership of files seamless and consistent. Look at the file /etc/passwd on the file server which you will mount to determine the user ID number and group ID number.
-
user1:x:505:505:Joe Hacker:/home/user1:/bin/bash
User-ID:User-ID-Number:Group-ID-Number:comment:/home/User-ID-Home-Directory:default-shell
Add a user to the system which matches. This will allow files generated on the file server to match the ownership of those generated on the client system.
[root]# useradd -u User-ID-Number -g Group-ID-Number User-ID
Ideally you would configure an NIS or LDAP authentication server so that login ids and group ids would reside on one server. This tip is for separate autonomous systems or for systems using different authentication servers which are sharing files using NFS. This tip can also apply to smbmounted MS/Windows shares.
- Default settings for new users are stored in /etc/skel/. To modify the default .bash_logout .bash_profile .bashrc .gtkrc .kde/ configuration files for new users, make the changes here.
- Also see the YoLinux tutorial on Managing groups
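A check for the UID problem described in the NFS note above, as an added example (not from the page): it compares two /etc/passwd files and reports a login name whose UID differs between file server and client, and a UID that maps to different names on the two systems. The two passwd files are constructed samples in the page's entry format, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the YoLinux page: find UID inconsistencies between
# the /etc/passwd of an NFS file server and of a client.

# Constructed sample files (the page's user1 entry plus made-up neighbours).
SERVER_PASSWD=$(mktemp)
CLIENT_PASSWD=$(mktemp)
trap 'rm -f "$SERVER_PASSWD" "$CLIENT_PASSWD"' EXIT
cat >"$SERVER_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:505:505:Joe Hacker:/home/user1:/bin/bash
user2:x:506:506:Jane Doe:/home/user2:/bin/bash
backup:x:600:600:Backup Operator:/var/backup:/sbin/nologin
EOF
cat >"$CLIENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:505:505:Joe Hacker:/home/user1:/bin/bash
user2:x:507:507:Jane Doe:/home/user2:/bin/bash
intern:x:600:600:Summer Intern:/home/intern:/bin/bash
EOF

# uid_conflicts SERVER CLIENT: one line per problem.
#   NAME_MISMATCH <name> <server-uid> <client-uid>   same login, different UID
#   UID_COLLISION <uid> <server-name> <client-name>  same UID, different login
# The second case is the dangerous one: files the server stores as
# <server-name> are owned by <client-name> on the client, because NFS trusts
# the numeric UID, not the name.
uid_conflicts() {
    awk -F: '
        NR == FNR { suid[$1] = $3; sname[$3] = $1; next }   # server file
        {
            if (($1 in suid) && suid[$1] != $3)
                printf "NAME_MISMATCH %s %s %s\n", $1, suid[$1], $3
            if (($3 in sname) && sname[$3] != $1)
                printf "UID_COLLISION %s %s %s\n", $3, sname[$3], $1
        }' "$1" "$2"
}

# count_conflicts SERVER CLIENT: number of problem lines, for scripting.
count_conflicts() {
    uid_conflicts "$1" "$2" | wc -l | tr -d ' '
}

# suggested_useradd SERVER NAME: the page's fix as a command for the client,
# useradd -u <uid> -g <gid> <name>, with the numbers taken from the server.
suggested_useradd() {
    awk -F: -v n="$2" '$1 == n { printf "useradd -u %s -g %s %s\n", $3, $4, $1 }' "$1"
}

uid_conflicts "$SERVER_PASSWD" "$CLIENT_PASSWD"
suggested_useradd "$SERVER_PASSWD" user2
```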
SELinux security policies and context:
Security Enhanced Linux (SELinux) enhancements developed by the US National Security Agency (NSA) are included with Fedora Core beginning with version 3 and Red Hat Enterprise Linux version 4. The fine-grained access control architecture is supported in the Linux kernel. Both "type" enforcement and Role Based Access Control (RBAC) are supported. System processes and files (including socket descriptors, IPCs, devices, ...) are each assigned a collection of security attributes known as a security context.
Security Goals:
- Protect the system from the users
- Protect the users from each other
- Protect the files from scripts/programs
The following RPM packages comprise SELinux:
- selinux-policy-strict
- selinux-policy-strict-sources: Configuration files
- selinux-policy-targeted
- selinux-policy-targeted-sources: Configuration files
- libselinux: Library which provides a set of interfaces for security-aware
applications to get and set process and file security contexts.
- selinux-doc
Configuration file: /etc/selinux/config
-
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
One may turn off the SELinux features by setting: SELINUX=disabled
(Requires reboot to read new configuration.)
Direct setting of enforcement:
- Enforce:
- Use command: setenforce 1
(Alter SELinux enforcement while kernel is running.)
or
- echo 1 > /selinux/enforce
or
- Specify in /etc/grub.conf on the "kernel" command line: enforcing=1
(Sets enforcement during boot.)
- Disable:
- Use command: setenforce 0
or
- echo 0 > /selinux/enforce
or
- Specify in /etc/grub.conf on the "kernel" command line: selinux=0
See current setting using the command: getenforce
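Because /etc/selinux/config is only read at boot while setenforce changes the running kernel, the two can disagree; this added example (not from the page) parses the config file shown above and compares it with the running mode reported by getenforce. The config content is a constructed copy of the page's file and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the YoLinux page: detect drift between the SELinux
# mode configured on disk and the mode the kernel is actually running.

# Constructed copy of the page's /etc/selinux/config.
SELINUX_CONFIG=$(mktemp)
trap 'rm -f "$SELINUX_CONFIG"' EXIT
cat >"$SELINUX_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF

# config_value FILE KEY: value of KEY=value ignoring comments and whitespace;
# the last assignment wins, as it does for the real file. Empty if absent.
config_value() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# running_mode: what the kernel is doing now, lower-cased to match the file's
# vocabulary. Uses getenforce when present, else /selinux/enforce (the path
# the page uses); prints "unknown" on a host without SELinux.
running_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    elif [ -r /selinux/enforce ]; then
        case "$(cat /selinux/enforce)" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# check_drift FILE RUNNING: print a verdict line. Exit status: 0 = consistent,
# 1 = config and kernel disagree, 2 = the file itself asks for less than
# enforcing, 3 = running mode not available. RUNNING is passed in so the
# logic can be exercised without an SELinux kernel.
check_drift() {
    configured=$(config_value "$1" SELINUX)
    running=$2
    case "$configured" in
        enforcing) ;;
        permissive|disabled)
            echo "WARN: $1 sets SELINUX=$configured"; return 2 ;;
        *)
            echo "WARN: $1 has no valid SELINUX= setting"; return 2 ;;
    esac
    case "$running" in
        "$configured")
            echo "OK: configured $configured, running $running"; return 0 ;;
        unknown|"")
            echo "SKIP: running mode not available on this host"; return 3 ;;
        *)
            echo "DRIFT: configured $configured but kernel is $running (setenforce 1, or reboot if disabled)"
            return 1 ;;
    esac
}

check_drift "$SELINUX_CONFIG" "$(running_mode)" || true
```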
Security contexts:
- View file/directory contexts: ls -Z /var/www
- Set file/directory context: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:
- -R: Recursive. Files and directories in current directory and all subdirectories.
- -h: Affect symbolic links.
- -t: Specify type of security context.
- View security context of running processes: ps -eZ
- View security context of a user: id
-
uid=500(user1) gid=500(user1) groups=500(user1) context=user_u:system_r:unconfined_t
- Security contexts for a new file default to that of the parent directory.
Also see YoLinux Tutorials on Web Site configuration and SELinux policies.
For tar backups which preserve SELinux file and directory policies, see
star discussed in backups and archiving below.
Restrict/Limit Users: (/etc/security/)
User limitations are set in the following files:
- File: /etc/security/limits.conf :
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
- File: /etc/security/access.conf :
Limit access by network or local console logins.
- File: /etc/security/group.conf :
Grant/restrict group device access.
Also see the YoLinux tutorial on Managing groups
- File: /etc/security/time.conf :
Restrict user access by time, day.
Also see:
Operating as root: (System Administrator)
If you are planning to administer the system, one would log in as root to perform the tasks. In many instances one would be logged in as a user and wish to perform some "root" sys-admin tasks. Here is how:
- Switch user account to root:
  Shell/command mode: su -
  You will then be prompted to enter the root password.
- GUI mode:
  - Allow the console to be accessed by another user from the same system: xhost +localhost
  - Switch user (you will be prompted to enter the root password): su -
  - Set the environment variable for GUI sessions so that the display used is the local display (remember X-windows is a network-enabled windowing system): export DISPLAY=:0.0
  - Launch the GUI application.
Note: The su command was issued with a trailing "-" which means that the login process will follow the login steps of the user and will execute its profiles. Since no user id was given, the default is the root user. This is equivalent to: su - root
Some systems may be configured so that only the switch user (su) command is required without all of the X-window configuration.
APT/dpkg - Ubuntu / Debian Package Manager:
dpkg:
Ubuntu/Debian package management. (equivalent to rpm in functionality.)
-
| Command | Description |
| dpkg -l | List all packages installed on the system. Often used with grep: dpkg -l | grep partial-name-of-package |
| dpkg -l package-name | Query version of package and whether the package is installed. |
| dpkg -L package-name | List all files on the system associated with the package. |
| dpkg -S file-name | List the package name to which this file is associated. |
| dpkg -p package-name | Print package information. See /var/lib/dpkg/available |
| dpkg -i package-name.deb | Install package. Also see "apt-get install package-name". |
| dpkg -r package-name | Remove package. Keep configuration files. Also see "apt-get remove package-name". |
| dpkg -P package-name | Remove package. Remove configuration files. Also see "apt-get remove --purge package-name". |
apt-get:
Ubuntu/Debian package installer using an internet repository.
(equivalent to yum in functionality.)
-
| Command |
Description |
apt-get install package-name
apt-get install package-1, package-2 |
Query repository for package and if package is available, download and install. |
| apt-get remove package-name |
Remove package from system. Keeps configuration files. Use flag "--purge" to remove configuration files. |
apt-get -s update
or
apt-get --simulate update |
Simulate apt-get actions to be taken but no action is performed. In this example, apt-get simulates an update. |
| apt-get update |
Update the package index on the system
to the latest version associated with the OS release in use. Only the
index (package list) is changed. An update should always be performed
before an upgrade |
| apt-get -s upgrade |
The command will identify all packages
to be upgraded without performing an upgrade. Stop any services
targeted for upgrade before performing the upgrade. |
| apt-get upgrade |
Upgrade all packages on the system to
the newest versions of all the packages. The command will first
identify all packages to be upgraded and then with permission, will
perform an upgrade on the packages. Use flag "-y" to grant permission
and avoid question. |
| apt-get dist-upgrade |
Upgrade the OS and all packages on the system to the newest version. |
| apt-get source package-name |
Download package source. |
| apt-get build-dep package-name |
Configure build-dependencies for source packages. |
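The update / simulate / review / upgrade sequence from the table above, scripted. This is an added example, not code from the YoLinux page: the "apt-get -s upgrade" output it parses is a constructed sample (not captured from a host), and the service names passed to safe_apt_upgrade are assumed to be init scripts under /etc/init.d.

```shell
#!/bin/sh
# Added example (not part of the YoLinux page): run the apt-get sequence
# from the table above in the safe order (update the index, simulate, review,
# stop affected services, upgrade). The simulated-upgrade parser is
# exercised on a constructed sample below; the real driver needs root and apt.

# apt-get -s upgrade prints one "Inst" line per package it would install, e.g.
#   Inst libc6 [2.3.6-0ubuntu20] (2.3.6-0ubuntu20.4 Ubuntu:6.06/dapper-security [i386])
# Turn each into "package old-version new-version" (reads stdin).
parse_simulated_upgrade() {
    sed -n 's/^Inst \([^ ]*\) \[\([^]]*\)] (\([^ ]*\) .*$/\1 \2 \3/p'
}

# How many of the planned upgrades come from a *-security pocket (reads stdin).
# Useful when deciding whether the change can wait for a maintenance window.
count_security_updates() {
    grep -c '^Inst .*-security' || true
}

# Constructed sample of "apt-get -s upgrade" output (not captured from a host).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libc6 openssh-server vim
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [2.3.6-0ubuntu20] (2.3.6-0ubuntu20.4 Ubuntu:6.06/dapper-security [i386])
Inst openssh-server [1:4.2p1-7ubuntu3] (1:4.2p1-7ubuntu3.1 Ubuntu:6.06/dapper-security [i386])
Inst vim [1:6.4-006+2ubuntu4] (1:6.4-006+2ubuntu5 Ubuntu:6.06/dapper-updates [i386])
Conf libc6 (2.3.6-0ubuntu20.4 Ubuntu:6.06/dapper-security [i386])
Conf openssh-server (1:4.2p1-7ubuntu3.1 Ubuntu:6.06/dapper-security [i386])
Conf vim (1:6.4-006+2ubuntu5 Ubuntu:6.06/dapper-updates [i386])'

# The real procedure. Arguments are init scripts (assumed to live in
# /etc/init.d) to stop while their packages are replaced. Not run by the test.
safe_apt_upgrade() {
    apt-get update || return 1                 # always refresh the index first
    planned=$(apt-get -s upgrade | parse_simulated_upgrade)
    if [ -z "$planned" ]; then
        echo "nothing to upgrade"
        return 0
    fi
    printf 'planned upgrades:\n%s\n' "$planned"
    for svc in "$@"; do /etc/init.d/"$svc" stop; done
    apt-get -y upgrade || return 1
    for svc in "$@"; do /etc/init.d/"$svc" start; done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SIM" | parse_simulated_upgrade
printf 'security updates planned: %s\n' "$(printf '%s\n' "$SAMPLE_SIM" | count_security_updates)"
```

Run it as root with the services to bounce, e.g. safe_apt_upgrade ssh apache. Because the simulation is parsed before anything is changed, the list of packages and versions can be logged or mailed for review before the real upgrade runs.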
Uses the configuration file: /etc/apt/apt.conf
Uses the repository source list: /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
#deb http://us.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
# deb http://security.ubuntu.com/ubuntu dapper-security universe
# deb-src http://security.ubuntu.com/ubuntu dapper-security universe
|
[Potential Pitfall]: If you add a new repository you must execute the command: apt-get update.
Attempting to install a package (apt-get install xxxxxxx) from a new archive without first updating, will give you the following error message:
-
Package xxxxxxx is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package xxxxxxx has no installation candidate
Where "xxxxxxx" is the package you were trying to install.
Other:
-
| Command |
Description |
| apt-cache search package-name |
Query repositories to see if package is available. |
Also see the man pages for: dpkg, dselect, apt-get, apt-cache, apt-cdrom (add CD-Rom to sources list), apt-config
| RPM - Redhat Package Manager: |
The rpm command is used to manage software applications
and system modules for Red Hat, Fedora, CentOS, Suse and many other Linux distributions.
Step One: Import Red Hat and Fedora GPG signature keys:
-
[root@yoserver2 ~]# rpm --import /usr/share/rhn/RPM-GPG-KEY
[root@yoserver2 ~]# rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
Do this once to configure RPM so that you do not constantly get the warning that the package signature is "NOKEY" (signed with a key rpm does not have).
The purpose is to protect you from installing a corrupted or tampered RPM: once the vendor's public key is imported, rpm can verify each package signature instead of merely warning that the key is unknown.
Once these commands are performed, you are ready to use the RPM command.
(This is also required for the YUM commands below.)
Note:
Many GPG public keys for other RPM packages (i.e. MySQL: 0x5072E1F5),
can be obtained from
http://www.keyserver.net/.
(The following RPM installation warning will inform you of the key to obtain:
warning: MySQL-XXXX.rpm: V3 DSA signature: NOKEY, key ID 5072e1f5)
Importing a new key from a key server:
- gpg --keyserver keyserver.veridis.com --recv-keys 5072e1f5
- gpg --fingerprint 5072e1f5
- gpg --export -a 5072e1f5 > pubkey_mysql.asc
- rpm --import pubkey_mysql.asc
Anyone can upload a key under any name to a public key server, so compare the fingerprint printed by the second step with the one the vendor publishes (web site or documentation) before importing the key into rpm.
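Once the keys are imported, "rpm -K" can be scripted so that a download directory is refused unless every package verifies. The following is an added example, not code from the YoLinux page: the classifier below works on the output format of rpm 4.x (lowercase tokens passed, uppercase tokens failed or could not be checked), and the sample lines it is exercised on are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the YoLinux page): classify "rpm -K" results so a
# script can refuse packages whose signature does not verify against the keys
# imported above. The classifier is exercised on constructed rpm 4.x output
# lines; audit_rpms needs the rpm tool and is not run by the test.

# rpm -K prints lowercase tokens for checks that passed and uppercase tokens
# for checks that failed or could not be performed. Four cases matter:
#   "... sha1 md5 gpg OK"                       signature verified
#   "... sha1 md5 OK"                           digests only, package unsigned
#   "... (GPG) NOT OK (MISSING KEYS: GPG#...)"  signed, but key not imported
#   "... SHA1 MD5 NOT OK" / "... (GPG) NOT OK"  digest or signature mismatch
classify_checksig() {
    case "$1" in
        *"MISSING KEYS"*)          echo untrusted ;;
        *"NOT OK"*)                echo bad ;;
        *" gpg OK"|*" pgp OK")     echo signed ;;
        *" OK")                    echo unsigned ;;
        *)                         echo unknown ;;
    esac
}

# Constructed sample lines (not captured from a real host).
SAMPLE_SIGNED='foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='bar-2.3-4.i386.rpm: sha1 md5 OK'
SAMPLE_NOKEY='MySQL-XXXX.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#5072e1f5)'
SAMPLE_BAD='baz-0.9-1.i386.rpm: SHA1 MD5 NOT OK'

# Check every .rpm in a directory; succeed only if all verify as "signed".
# Run "rpm --import" for the vendor key first, or everything reads "untrusted".
audit_rpms() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        verdict=$(classify_checksig "$(rpm -K "$f" 2>&1)")
        printf '%s\t%s\n' "$verdict" "$f"
        [ "$verdict" = signed ] || rc=1
    done
    return $rc
}

# Stand-alone demonstration on the constructed lines.
for l in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY" "$SAMPLE_BAD"; do
    printf '%-10s %s\n' "$(classify_checksig "$l")" "$l"
done
```

Only "signed" is accepted: an "unsigned" package has consistent md5/sha1 digests, so "rpm -K --nogpg" would report it as fine, but nothing ties it to the vendor. Digests catch a truncated download; only the signature catches a substituted package.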
Step Two: RPM commands and their use
-
| RPM Command |
Description |
rpm -qilp program_package-ver.rpm
|
Query for information on package and list destination of files to be installed by the package.
You can also use the Gnome GUI program file-roller to view and
read the contents of an RPM. Great tool for inspecting an RPM package
and reading the package documentation before you decide to install the
package. |
| rpm2cpio - < program_package-ver.rpm | cpio -id ./path/and/file-name |
Extract a single file (with path) from the RPM package to the local directory. |
rpm -Uvh program_package-ver.rpm
|
Upgrade the system with the RPM package |
rpm -ivh program_package-ver.rpm
|
New Install |
rpm -Fvh program_package-ver.rpm
|
Freshen: upgrade the package only if an earlier version is already installed; packages not yet installed are skipped. (Useful for applying a directory of updates without pulling in new software.) |
rpm -q program_package
|
Query system RPM database (/var/lib/rpm), to see if package is installed. |
rpm -qi program_package
|
Query system RPM database for info/description on package (if installed) |
rpm -ql program_package
|
List all files on the system associated with the package. |
rpm -qf file
|
Identify the package to which this file belongs. |
rpm -e program_package
|
Uninstall package from your system |
rpm -qa
|
List ALL packages on your system. Use this with grep to find families of packages. |
rpm -qp --requires program_package-ver.rpm
|
List dependencies (files and packages) of the RPM. List prerequisites. |
rpm -q --whatrequires program_package
|
List dependent packages of the RPM. What packages will break if this RPM is removed. |
rpm -K program_package-ver.rpm
|
Not sure the RPM downloaded intact? Verify its digests and GPG signature against the keys imported in step one. Adding "--nogpg" (rpm -K --nogpg *.rpm) checks only the md5/sha1 digests and skips the signature, so it detects a corrupted download but not a substituted package. |
| RPM Flag |
Description |
| --nodeps |
RPM flag to force install even if dependency requirements are not met. |
| --force |
Equivalent to --replacepkgs --replacefiles --oldpackage: reinstall an already-installed package, overwrite files owned by other packages, and allow downgrading to an older version. Use with care; it can leave another package with the wrong files. |
| --notriggers |
Don't execute scripts which are triggered by the installation of this package. |
| --root /directory-name |
Use the system chrooted at /directory-name. This means the database will be read or modified under /directory-name. (Used by developers to maintain multiple environments) |
| --ignorearch |
Allow installation even if the architectures of the
binary RPM and host don't match. This is often required for RPM's which
were assembled incorrectly |
Notes:
Useful man pages:
- rpm - Red Hat Package Manager
- rpmbuild - Build/create an RPM package.
- redhat-config-packages - RH 8.0 GUI
- gnorpm - RH 6.0+ GUI
- glint - RH 5.2 GUI
Also see:
- RPM HowTo.
- RPM.org Home Page
- Alien - package converter between rpm, dpkg, stampede slp, and slackware tgz file formats.
- CheckInstall - Create packages for RPM (Red Hat, Fedora, Suse), Debian or Slackware for install and uninstall.
| Automated System Updates: up2date (Red Hat 7.1 and later) |
Select the red dot and exclamation mark icon on the toolbar to launch up2date
and follow the GUI. One may also use the command line if managing a remote
server.
Execute the following commands (in order given)
to perform an automatic system update:
- /usr/bin/rhn_register :You must first register your system
with the Red Hat database. This command will perform a hardware inventory
and reporting of your system so that Red Hat knows which software to load
to match your needs.
- /usr/bin/up2date-config :This allows you to configure the
"up2date" process. It allows you to define directories to use, actions
to take (i.e. download updates, install or not install, keep RPM's
after install or not), network access (i.e. proxy configuration),
use of GPG for package verification, packages or files to skip, etc.
Use of GPG requires the Red Hat public key: rpm --import /usr/share/rhn/RPM-GPG-KEY
- /usr/sbin/up2date :This command will perform an audit of RPM's
on your system and discover what needs to be updated. It gives you a
chance to unselect packages targeted for upgrade. It will download
RPM packages needed, resolve dependencies and perform a system update
if requested.
[Potential Pitfall]:
This works quite well but it is not perfect.
The Red Hat 7.1 Apache upgrade to 1.3.22 changed the
configuration completely. (Beware: manual clean-up and re-configuration is
required.) When up2date finds the first
broken dependency it stops and tells you. You then have to unselect the
package, and it starts again from the beginning.
Installing a new package with up2date: up2date package-name
The package name is given without the version number. If the package is not
currently installed, it will be downloaded and installed, along with any
dependencies that package requires.
Command line options (partial list) for up2date:
-
| Option |
Description |
| --nox |
Do not display the GUI interface. |
-u
--update |
Completely update the system |
-h
--help |
Display command line arguments |
-v
--verbose |
Print more info about what up2date is doing |
| --showall |
Show a list of all packages available for your release of Red Hat Linux, including those not currently installed. |
Also see man pages for:
- up2date-gnome
- rhn_register-gnome
Notes:
- Update in console mode (no GUI): up2date --nox --update
- Configuration file for up2date: /etc/sysconfig/rhn/up2date
- System id and configuration info held in XML format for up2date: /etc/sysconfig/rhn/systemid
- The default download directory for up2date is
/var/spool/up2date/. RPM packages and support files are downloaded
to this directory.
- An automated alert to the need to update utilizes the rhnsd which can be
started by issuing the command:
/etc/rc.d/init.d/rhnsd start
YUM (Yellowdog Updater, Modified) is a client command line
application for updating an RPM based system from an internet
repository (YUM "yum-arch" server) accessible by URL (http://xxx, ftp://yyy or even file://zzz local or NFS).
The YUM repository has a directory of the headers with RPM info and directory path information.
YUM will resolve RPM package dependencies and manage the importation and installation of dependencies.
YUM is also capable of upgrading across releases. One can
upgrade Red Hat Linux 7 and 8 to 9. Red Hat 8 and 9 can be upgraded to
Fedora Core. See Red Hat YUM upgrades.
YUM config file: /etc/yum.conf (Fedora Core 3)
-
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
retries=20
obsoletes=1
gpgcheck=1
exclude=firefox mozplugger gftp

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
|
You may list packages you wish NOT to update (space-delimited list; '*' wildcards allowed): exclude=package-name
(i.e. On x86_64 I do not update firefox or mozplugger with the 64 bit
version, I use the 32 bit version so that 32 bit plugins will work.)
Setting "gpgcheck=0" disables the signature check entirely, so yum will install whatever the mirror serves, signed or not; leave it at "gpgcheck=1" and import the keys instead.
For the option "gpgcheck=1" to work,
use the "rpm --import GPG-KEY" commands as detailed above in step one of the RPM tutorial:
-
[root@server2 ~]# rpm --import /usr/share/rhn/RPM-GPG-KEY
[root@server2 ~]# rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
File: /etc/yum.repos.d/fedora.repo (Fedora Core 3)
-
[base]
name=Fedora Core $releasever - $basearch - Base
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1
|
Mirror site/sites which contain Fedora base configuration RPM's.
Other protocols such as ftp can be used as well as http.
File: /etc/yum.repos.d/fedora-updates.repo (Fedora Core 3)
-
[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/updates/$releasever/$basearch/
mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever
enabled=1
gpgcheck=1
|
Mirror sites which contain Fedora updated RPM's.
List of mirrors: http://fedora.redhat.com/download/mirrors.html
Terms:
- releasever: Release Version - current version of Fedora.
- basearch: Base Architecture - system hardware architecture i.e. i386
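Because every enabled repository should carry gpgcheck=1, it is worth checking the .repo files rather than trusting memory. The following is an added example, not code from the YoLinux page: it parses the [section] / key=value layout of the repo files shown above with awk and reports enabled repositories that do not require signature checks. The .repo text it runs on is a constructed sample; the repository names and URLs in it other than the Fedora ones are invented for the example. It assumes, as yum does, that a section without "enabled=" is enabled and one without "gpgcheck=" is unchecked unless [main] sets it.

```shell
#!/bin/sh
# Added example (not part of the YoLinux page): find yum repositories that are
# enabled but do not require signature checks. A repo with gpgcheck=0 (or no
# gpgcheck line at all, which yum treats as 0 unless [main] sets it) lets an
# unsigned or substituted package install silently. Parsing is done with awk
# over a constructed .repo sample; feed it /etc/yum.repos.d/*.repo for real.

# Reads .repo text on stdin; prints "<repo> enabled=<v> gpgcheck=<v>" for every
# enabled section whose gpgcheck is not 1. The [main] section of yum.conf is
# not a repository and is skipped.
audit_yum_repos() {
    awk '
        function flush() {
            if (repo != "" && repo != "main" && enabled != "0" && gpgcheck != "1")
                print repo, "enabled=" enabled, "gpgcheck=" gpgcheck
        }
        function value(line,  v) {
            v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); return v
        }
        /^[ \t]*\[[^]]+]/ {
            flush()
            repo = $0; sub(/^[ \t]*\[/, "", repo); sub(/].*$/, "", repo)
            enabled = "1"; gpgcheck = "0"; next
        }
        /^[ \t]*#/               { next }
        /^[ \t]*enabled[ \t]*=/  { enabled  = value($0) }
        /^[ \t]*gpgcheck[ \t]*=/ { gpgcheck = value($0) }
        END { flush() }
    '
}

# Constructed sample (not a real host's configuration). The last two
# repositories, their names and URLs, are invented for the example.
SAMPLE_REPOS='[base]
name=Fedora Core $releasever - $basearch - Base
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever
enabled=1
gpgcheck=0

[local-test]
name=Lab mirror (constructed example)
baseurl=file:///srv/mirror/fedora/$releasever/$basearch/
enabled=0
gpgcheck=0

[third-party]
name=Third-party add-ons (constructed example)
baseurl=http://mirror.example.com/fedora/$releasever/
enabled=1'

# Stand-alone demonstration: expect updates-released and third-party listed.
printf '%s\n' "$SAMPLE_REPOS" | audit_yum_repos
```

On a real system run cat /etc/yum.conf /etc/yum.repos.d/*.repo | audit_yum_repos; concatenation is safe because every file starts with a section header. An empty result means every enabled repository insists on signed packages, which is the state the "rpm --import" commands above are meant to support.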
Add other repositories: (not included in default install)
Registering Red Hat Enterprise Linux to enable YUM repository use:
Commands:
- rhn_register: GUI to enter user account and "Installation Number". Must purchase a license to get this.
- rhnreg_ks: Register from the command line (non-interactive, usable from a kickstart) with a login/user account or an activation key
Data is stored in /etc/sysconfig/rhn/
Using YUM and YUM examples:
- Update:
- To install a single package: yum -y install package-name
This will also resolve package dependencies.
- Remove a package: yum remove package-name
- Info:
- List available packages, version and state (base, installed, updates-released): yum list
- List the packages installed which are not available in repository listed in config file: yum list extras
- List packages which are obsoleted by packages in yum repository: yum list obsoletes
- Clean local cache of headers and RPM's: yum clean all
(See: /var/cache/yum/)
Yum Commands:
-
| YUM Command |
Description |
yum -y install package-name
|
Install package. |
yum -y update package-name
yum -y update
yum -y --exclude=package-name update
|
Update package.
Update all packages on the system for which updates are available.
Update all packages which have available updates, excluding the specified package. |
yum remove package-name
yum remove package-name-1 package-name-2
|
Remove a package.
Remove several packages. |
yum clean headers
yum clean packages
yum clean all
|
Remove cached RPM header files.
Remove cached RPM packages from the YUM cache: /var/cache/yum/
Clean up all YUM files left over from previous installations. |
yum list package-name
|
List information about available packages from configured YUM repository. |
yum check-update
|
Show which packages are available to be updated. |
yum search partial-package-name
|
List all packages which match the string specified in the package name or description. |
See yum man page for a full listing of commands and command arguments.
Notes:
- yum man page
- yum.conf man page
- You can set up your own YUM server for your own cluster or intranet.
Set up a web server with the same paths as used in the configuration files
and point your configuration files to your server.
See YoLinux web server tutorial for configuration information.
- Fedora configures YUM as a daily cron job: /etc/cron.daily/yum.cron
#!/bin/sh
if [ -f /var/lock/subsys/yum ]; then
    /usr/bin/yum -R 10 -e 0 -d 0 -y update yum
    /usr/bin/yum -R 120 -e 0 -d 0 -y update
fi
|
Links:
YumEx: (Yum Extender) GUI interface to YUM commands and configuration
YumEx will allow you to manage the RPM packages on your system. It allows
the administrator to install/update packages from internet repositories
as well as un-install RPMs from the system.
| RDIST: Remotely distributing and installing software/files |
The command rdist helps the system administrator install software or
update files across many machines |