Deployment, configuration and administration of Red Hat Enterprise Linux. 5 .....
Setting a Preferred Operating System Release Version in the Command Line.
Red Hat Enterprise Linux 5 Deployment Guide
Deployment, configuration and administration of Red Hat Enterprise Linux 5 Edition 11
Red Hat Customer Content Services
Red Hat Enterprise Linux 5 Deployment Guide
Deployment, configuration and administration of Red Hat Enterprise Linux 5 Edition 11 Red Hat Custo mer Co ntent Services
Legal Notice Co pyright © 20 0 7–20 13 Red Hat, Inc. This do cument is licensed by Red Hat under the Creative Co mmo ns Attributio n-ShareAlike 3.0 Unpo rted License. If yo u distribute this do cument, o r a mo dified versio n o f it, yo u must pro vide attributio n to Red Hat, Inc. and pro vide a link to the o riginal. If the do cument is mo dified, all Red Hat trademarks must be remo ved. Red Hat, as the licenso r o f this do cument, waives the right to enfo rce, and agrees no t to assert, Sectio n 4 d o f CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shado wman lo go , JBo ss, MetaMatrix, Fedo ra, the Infinity Lo go , and RHCE are trademarks o f Red Hat, Inc., registered in the United States and o ther co untries. Linux ® is the registered trademark o f Linus To rvalds in the United States and o ther co untries. Java ® is a registered trademark o f Oracle and/o r its affiliates. XFS ® is a trademark o f Silico n Graphics Internatio nal Co rp. o r its subsidiaries in the United States and/o r o ther co untries. MySQL ® is a registered trademark o f MySQL AB in the United States, the Euro pean Unio n and o ther co untries. No de.js ® is an o fficial trademark o f Jo yent. Red Hat So ftware Co llectio ns is no t fo rmally related to o r endo rsed by the o fficial Jo yent No de.js o pen so urce o r co mmercial pro ject. The OpenStack ® Wo rd Mark and OpenStack Lo go are either registered trademarks/service marks o r trademarks/service marks o f the OpenStack Fo undatio n, in the United States and o ther co untries and are used with the OpenStack Fo undatio n's permissio n. We are no t affiliated with, endo rsed o r spo nso red by the OpenStack Fo undatio n, o r the OpenStack co mmunity. All o ther trademarks are the pro perty o f their respective o wners.
Abstract The Deplo yment Guide do cuments relevant info rmatio n regarding the deplo yment, co nfiguratio n, and administratio n o f Red Hat Enterprise Linux 5.
T able of Cont ent s
T able of Contents I.nt . .roduct . . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2. 7. . . . . . . . . . 1. Do c ument Co nventio ns 27 2 . Send in Yo ur Feed b ac k 30 . .art P . . .I.. File . . . .Syst . . . .ems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 ........... . .hapt C . . . .er . .1. .. File . . . .Syst . . . .em . . .St . .ruct . . . ure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 ........... 1.1. Why Share a Co mmo n Struc ture? 32 1.2. O verview o f File Sys tem Hierarc hy Stand ard (FHS) 32 1.2.1. FHS O rg aniz atio n 32 1.2.1.1. The /b o o t/ Direc to ry 32 1.2.1.2. The /d ev/ Direc to ry 33 1.2.1.3. The /etc / Direc to ry 33 1.2.1.4. The /lib / Direc to ry 33 1.2.1.5. The /med ia/ Direc to ry 1.2.1.6 . The /mnt/ Direc to ry 1.2.1.7. The /o p t/ Direc to ry 1.2.1.8 . The /p ro c / Direc to ry 1.2.1.9 . The /s b in/ Direc to ry 1.2.1.10 . The /s rv/ Direc to ry 1.2.1.11. The /s ys / Direc to ry 1.2.1.12. The /us r/ Direc to ry 1.2.1.13. The /us r/lo c al/ Direc to ry 1.2.1.14. The /var/ Direc to ry .3. Sp ec ial File Lo c atio ns Und er Red Hat Enterp ris e Linux 1
34 34 34 34 34 35 35 35 35 36 37
. .hapt C . . . .er . .2. .. Using . . . . . .t .he . . mount . . . . . . .Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 ........... 2 .1. Lis ting Currently Mo unted File Sys tems 38 2 .2. Mo unting a File Sys tem 38 2 .2.1. Sp ec ifying the File Sys tem Typ e 39 2 .2.2. Sp ec ifying the Mo unt O p tio ns 39 2 .2.3. Sharing Mo unts 40 2 .2.4. Mo ving a Mo unt Po int 44 2 .3. Unmo unting a File Sys tem 44 2 .4. Ad d itio nal Res o urc es 45 2 .4.1. Ins talled Do c umentatio n 2 .4.2. Us eful Web s ites
45 46
. .hapt C . . . .er . .3. . .T. he . . .ext . . .3. File . . . .Syst . . . .em . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. 7. . . . . . . . . . 3 .1. Features o f ext3 47 3 .2. Creating an ext3 File Sys tem 47 3 .3. Co nverting to an ext3 File Sys tem 48 3 .4. Reverting to an ext2 File Sys tem 48 . .hapt C . . . .er . .4. .. T. he . . . ext . . .4. .File . . . Syst . . . . em . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 ........... 4 .1. Features o f ext4 50 4 .2. Manag ing an ext4 File Sys tem 51 4 .3. Creating an ext4 File Sys tem 51 4 .4. Mo unting an ext4 File Sys tem 52 4 .5. Res iz ing an ext4 File Sys tem 54 . .hapt C . . . .er . .5. . .T. he . . .proc . . . . File . . . .Syst . . . .em . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 ........... 5 .1. A Virtual File Sys tem 55 5 .1.1. Viewing Virtual Files 55
1
Deployment G uide 5 .1.1. Viewing Virtual Files
55
5 .1.2. Chang ing Virtual Files
56
5 .1.3. Res tric ting Ac c es s to Pro c es s Direc to ries
56
5 .2. To p -level Files within the p ro c File Sys tem 5 .2.1. /p ro c /ap m 5 .2.2. /p ro c /b ud d yinfo 5 .2.3. /p ro c /c md line 5 .2.4. /p ro c /c p uinfo 5 .2.5. /p ro c /c ryp to 5 .2.6 . /p ro c /d evic es 5 .2.7. /p ro c /d ma 5 .2.8 . /p ro c /exec d o mains 5 .2.9 . /p ro c /fb 5 .2.10 . /p ro c /files ys tems 5 .2.11. /p ro c /interrup ts 5 .2.12. /p ro c /io mem 5 .2.13. /p ro c /io p o rts 5 .2.14. /p ro c /kc o re
58 58 59 60 60 61 61 62 62 62 63 64 64
5 .2.15. /p ro c /kms g 5 .2.16 . /p ro c /lo ad avg 5 .2.17. /p ro c /lo c ks
65 65 65
5 .2.18 . /p ro c /md s tat 5 .2.19 . /p ro c /meminfo
66 66
5 .2.20 . /p ro c /mis c 5 .2.21. /p ro c /mo d ules
68 68
5 .2.22. /p ro c /mo unts 5 .2.23. /p ro c /mtrr
69 69
5 .2.24. /p ro c /p artitio ns 5 .2.25. /p ro c /p c i 5 .2.26 . /p ro c /s lab info
69 70 71
5 .2.27. /p ro c /s tat 5 .2.28 . /p ro c /s wap s
72 73
5 .2.29 . /p ro c /s ys rq -trig g er 5 .2.30 . /p ro c /up time
73 73
.2.31. /p ro c /vers io n 5 5 .3. Direc to ries within /p ro c /
73 74
5 .3.1. Pro c es s Direc to ries 5 .3.1.1. /p ro c /s elf/
74 76
5 .3.2. /p ro c /b us / 5 .3.3. /p ro c /d river/ 5 .3.4. /p ro c /fs
76 77 77
5 .3.5. /p ro c /id e/ 5 .3.5.1. Devic e Direc to ries
77 78
5 .3.6 . /p ro c /irq / 5 .3.7. /p ro c /net/
79 79
5 .3.8 . /p ro c /s c s i/ 5 .3.9 . /p ro c /s ys /
80 82
5 .3.9 .1. /p ro c /s ys /d ev/ 5 .3.9 .2. /p ro c /s ys /fs / 5 .3.9 .3. /p ro c /s ys /kernel/
83 84 84
5 .3.9 .4. /p ro c /s ys /net/ 5 .3.9 .5. /p ro c /s ys /vm/
88 90
5 .3.10 . /p ro c /s ys vip c / 5 .3.11. /p ro c /tty/
2
57 57
92 92
T able of Cont ent s 5 .3.11. /p ro c /tty/
92
.3.12. /p ro c /< PID> / 5 5 .4. Us ing the s ys c tl Co mmand
93 94
5 .5. Ad d itio nal Res o urc es 5 .5.1. Ins talled Do c umentatio n
94 94
5 .5.2. Us eful Web s ites
95
. .hapt C . . . .er . .6. .. Redundant . . . . . . . . . . .Array . . . . .of . .Independent . . . . . . . . . . . .Disks . . . . .(RAID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9. 6. . . . . . . . . . 6 .1. What is RAID? 96 6 .1.1. Who Sho uld Us e RAID? 6 .1.2. Hard ware RAID vers us So ftware RAID 6 .1.3. RAID Levels and Linear Sup p o rt 6 .2. Co nfig uring So ftware RAID 6 .2.1. Creating the RAID Partitio ns 6 .2.2. Creating the RAID Devic es and Mo unt Po ints 6 .3. Manag ing So ftware RAID 6 .3.1. Reviewing RAID Co nfig uratio n 6 .3.2. Creating a New RAID Devic e
96 96 97 98 99 10 2 10 6 10 6 10 8
6 .3.3. Rep lac ing a Faulty Devic e 6 .3.4. Extend ing a RAID Devic e
10 9 10 9
6 .3.5. Remo ving a RAID Devic e 6 .3.6 . Pres erving the Co nfig uratio n
110 111
6 .4. Ad d itio nal Res o urc es 6 .4.1. Ins talled Do c umentatio n
112 112
. .hapt C . . . .er . .7. .. Swap . . . . . Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 1. 3. . . . . . . . . . 7 .1. What is Swap Sp ac e? 113 7 .2. Ad d ing Swap Sp ac e 113 7 .2.1. Extend ing Swap o n an LVM2 Lo g ic al Vo lume 7 .2.2. Creating an LVM2 Lo g ic al Vo lume fo r Swap .2.3. Creating a Swap File 7 7 .3. Remo ving Swap Sp ac e 7 .3.1. Red uc ing Swap o n an LVM2 Lo g ic al Vo lume 7 .3.2. Remo ving an LVM2 Lo g ic al Vo lume fo r Swap .3.3. Remo ving a Swap File 7 7 .4. Mo ving Swap Sp ac e
114 114 115 115 115 116 116 117
. .hapt C . . . .er . .8. .. Managing . . . . . . . . . Disk . . . . St . . orage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.1. 8. . . . . . . . . . 8 .1. Stand ard Partitio ns us ing p arted 118 8 .1.1. Viewing the Partitio n Tab le 8 .1.2. Creating a Partitio n 8 .1.2.1. Making the Partitio n 8 .1.2.2. Fo rmatting the Partitio n
119 120 120 121
8 .1.2.3. Lab eling the Partitio n 8 .1.2.4. Creating the Mo unt Po int 8 .1.2.5. Ad d to /etc /fs tab 8 .1.3. Remo ving a Partitio n
121 121 121 122
.1.4. Res iz ing a Partitio n 8 8 .2. LVM Partitio n Manag ement
122 123
. .hapt C . . . .er . .9. .. Implement . . . . . . . . . ing . . . .Disk . . . .Q. uot . . . as . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 2. 5. . . . . . . . . . 9 .1. Co nfig uring Dis k Q uo tas 9 .1.1. Enab ling Q uo tas 9 .1.2. Remo unting the File Sys tems 9 .1.3. Creating the Q uo ta Datab as e Files
125 125 126 126
3
Deployment G uide 9 .1.3. Creating the Q uo ta Datab as e Files
126
9 .1.4. As s ig ning Q uo tas p er Us er 9 .1.5. As s ig ning Q uo tas p er G ro up 9 .1.6 . Setting the G rac e Perio d fo r So ft Limits 9 .2. Manag ing Dis k Q uo tas 9 .2.1. Enab ling and Dis ab ling
127 128 128 128 128
9 .2.2. Rep o rting o n Dis k Q uo tas 9 .2.3. Keep ing Q uo tas Ac c urate 9 .3. Ad d itio nal Res o urc es 9 .3.1. Ins talled Do c umentatio n
129 129 130 130
9 .3.2. Related Bo o ks
130
. .hapt C . . . .er . .1. 0. .. Access . . . . . . .Cont . . . . rol . . . List ...s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 32 ........... 10 .1. Mo unting File Sys tems 10 .1.1. NFS 10 .2. Setting Ac c es s ACLs 10 .3. Setting Default ACLs 10 .4. Retrieving ACLs
132 132 132 133 134
10 .5. Arc hiving File Sys tems With ACLs 10 .6 . Co mp atib ility with O ld er Sys tems 10 .7. Ad d itio nal Res o urc es 10 .7.1. Ins talled Do c umentatio n
134 135 135 135
10 .7.2. Us eful Web s ites
136
. .hapt C . . . .er . .1. 1. .. LVM . . . . (Logical . . . . . . . .Volume . . . . . . .Manager) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 37 ........... 11.1. What is LVM? 137 11.1.1. What is LVM2? 11.2. LVM Co nfig uratio n 11.3. Auto matic Partitio ning 11.4. Manual LVM Partitio ning 11.4.1. Creating 11.4.2. Creating 11.4.3. Creating 11.4.4. Creating
the /b o o t Partitio n the LVM Phys ic al Vo lumes the LVM Vo lume G ro up s the LVM Lo g ic al Vo lumes
138 138 138 140 140 143 145 146
11.5. Us ing the LVM utility s ys tem-c o nfig -lvm 11.5.1. Utiliz ing uninitializ ed entities 11.5.2. Ad d ing Unallo c ated Vo lumes to a vo lume g ro up 11.5.3. Mig rating extents 11.5.4. Ad d ing a new hard d is k us ing LVM
149 152 153 155 157
11.5.5. Ad d ing a new vo lume g ro up 11.5.6 . Extend ing a vo lume g ro up 11.5.7. Ed iting a Lo g ic al Vo lume 1.6 . Ad d itio nal Res o urc es 1
158 16 0 16 1 16 4
11.6 .1. Ins talled Do c umentatio n 11.6 .2. Us eful Web s ites
16 4 16 4
. .art P . . .II.. .Package . . . . . . . Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 6. 5. . . . . . . . . . . .hapt C . . . .er . .1. 2. .. Package . . . . . . . .Management . . . . . . . . . . . .wit ..h . . RPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.6. 6. . . . . . . . . . 12.1. RPM Des ig n G o als 16 6 12.2. Us ing RPM 12.2.1. Find ing RPM Pac kag es 12.2.2. Ins talling 12.2.2.1. Pac kag e Alread y Ins talled 12.2.2.2. Co nflic ting Files
4
16 7 16 7 16 7 16 8 16 9
T able of Cont ent s 12.2.2.2. Co nflic ting Files 12.2.2.3. Unres o lved Dep end enc y 12.2.3. Unins talling 12.2.4. Up g rad ing 12.2.5. Fres hening
16 9 16 9 16 9 170 171
12.2.6 . Q uerying 12.2.7. Verifying 12.3. Chec king a Pac kag e' s Sig nature 12.3.1. Imp o rting Keys
171 172 173 173
12.3.2. Verifying Sig nature o f Pac kag es 12.4. Prac tic al and Co mmo n Examp les o f RPM Us ag e 12.5. Ad d itio nal Res o urc es 12.5.1. Ins talled Do c umentatio n 12.5.2. Us eful Web s ites
174 174 176 176 176
12.5.3. Related Bo o ks
176
. .hapt C . . . .er . .1. 3. . . Package . . . . . . . .Management . . . . . . . . . . . .T.ool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.7. 7. . . . . . . . . . 13.1. Lis ting and Analyz ing Pac kag es 13.2. Ins talling and Remo ving Pac kag es
177 178
. .hapt C . . . .er . .1. 4. .. YUM . . . . .(Yellowdog . . . . . . . . . .Updat . . . . . er . . .Modified) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 8. 3. . . . . . . . . . 14.1. Setting Up a Yum Rep o s ito ry 18 3 14.2. yum Co mmand s 18 3 14.3. yum O p tio ns 18 4 14.4. Co nfig uring yum 18 4 14.4.1. [main] O p tio ns 14.4.2. [rep o s ito ry] O p tio ns 14.5. Up g rad ing the Sys tem O ff-line with ISO and Yum 14.6 . Us eful yum Variab les
18 5 18 6 18 7 18 9
. .hapt C . . . .er . .1. 5. . . Regist . . . . . .ering . . . . .a. Syst . . . . em . . . and . . . . Managing . . . . . . . . . Subscript . . . . . . . . . ions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.9. 1. . . . . . . . . . 15.1. Us ing Red Hat Sub s c rip tio n Manag er To o ls 19 1 15.1.1. Launc hing the Red Hat Sub s c rip tio n Manag er G UI 15.1.2. Running the s ub s c rip tio n-manag er Co mmand -Line To o l 15.2. Reg is tering and Unreg is tering a Sys tem 15.2.1. Reg is tering fro m the G UI 15.2.2. Reg is tering fro m the Co mmand Line
19 1 19 2 19 2 19 2 19 7
5.2.3. Unreg is tering 1 15.3. Attac hing and Remo ving Sub s c rip tio ns 15.3.1. Attac hing and Remo ving Sub s c rip tio ns thro ug h the G UI 15.3.1.1. Attac hing a Sub s c rip tio n
19 9 20 0 20 0 20 0
5.3.1.2. Remo ving Sub s c rip tio ns 1 15.3.2. Attac hing and Remo ving Sub s c rip tio ns thro ug h the Co mmand Line 15.3.2.1. Attac hing Sub s c rip tio ns 15.3.2.2. Remo ving Sub s c rip tio ns fro m the Co mmand Line 15.4. Red eeming Vend o r Sub s c rip tio ns
20 2 20 3 20 3 20 4 20 5
15.4.1. Red eeming Sub s c rip tio ns thro ug h the G UI 15.4.2. Red eeming Sub s c rip tio ns thro ug h the Co mmand Line 15.5. Attac hing Sub s c rip tio ns fro m a Sub s c rip tio n As s et Manag er Ac tivatio n Key 15.6 . Setting Preferenc es fo r Sys tems
20 5 20 6 20 7 20 7
15.6 .1. Setting Preferenc es in the UI 15.6 .2. Setting Servic e Levels Thro ug h the Co mmand Line 15.6 .3. Setting a Preferred O p erating Sys tem Releas e Vers io n in the Co mmand Line 15.6 .4. Remo ving a Preferenc e 15.7. Manag ing Sub s c rip tio n Exp iratio n and No tific atio ns
20 7 20 8 20 9 210 211
5
Deployment G uide 15.7. Manag ing Sub s c rip tio n Exp iratio n and No tific atio ns
211
. .art P . . .III. . . Net . . . work. . . . . Relat . . . . .ed . . Configurat . . . . . . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.1. 6. . . . . . . . . . . .hapt C . . . .er . .1. 6. .. Net . . . work . . . . .Int . . erfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.1. 7. . . . . . . . . . 16 .1. Netwo rk Co nfig uratio n Files 217 16 .2. Interfac e Co nfig uratio n Files 218 16 .2.1. Ethernet Interfac es 16 .2.2. IPs ec Interfac es 16 .2.3. Channel Bo nd ing Interfac es 16 .2.4. Alias and Clo ne Files 16 .2.5. Dialup Interfac es
218 221 222 224 225
6 .2.6 . O ther Interfac es 1 16 .3. Interfac e Co ntro l Sc rip ts 16 .4. Static Ro utes and the Default G ateway Co nfig uring Static Ro utes Us ing the Co mmand Line
227 227 229 229
Co nfig uring The Default G ateway 16 .5. Co nfig uring Static Ro utes in ifc fg files 16 .5.1. Static Ro utes Us ing the IP Co mmand Arg uments Fo rmat 16 .5.2. Netwo rk/Netmas k Direc tives Fo rmat 16 .6 . Netwo rk Func tio n Files 16 .7. Ad d itio nal Res o urc es
230 230 230 231 232 232
16 .7.1. Ins talled Do c umentatio n
232
. .hapt C . . . .er . .1. 7. .. Net . . . work . . . . .Configurat . . . . . . . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2. 34 ........... 17.1. O verview
235
17.2. Es tab lis hing an Ethernet Co nnec tio n 17.3. Es tab lis hing an ISDN Co nnec tio n
235 238
17.4. Es tab lis hing a Mo d em Co nnec tio n 17.5. Es tab lis hing an xDSL Co nnec tio n
240 242
17.6 . Es tab lis hing a To ken Ring Co nnec tio n
248
17.7. Es tab lis hing a Wireles s Co nnec tio n 17.8 . Manag ing DNS Setting s
250 253
17.9 . Manag ing Ho s ts 17.10 . Wo rking with Pro files
254 256
17.11. Devic e Alias es
259
17.12. Saving and Res to ring the Netwo rk Co nfig uratio n
26 1
. .hapt C . . . .er . .1. 8. .. Cont . . . . .rolling . . . . . .Access . . . . . . t. o . .Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.6. 2. . . . . . . . . . 18 .1. Runlevels 18 .2. TCP Wrap p ers
26 3 26 3
8 .2.1. xinetd 1 18 .3. Servic es Co nfig uratio n To o l
26 4 26 4
18 .4. nts ys v
26 6
18 .5. c hkc o nfig 18 .6 . Ad d itio nal Res o urc es
26 7 26 8
18 .6 .1. Ins talled Do c umentatio n
26 8
18 .6 .2. Us eful Web s ites
26 8
. .hapt C . . . .er . .1. 9. .. Berkeley . . . . . . . . Int . . .ernet . . . . .Name . . . . . Domain . . . . . . . (BIND) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.6. 9. . . . . . . . . . 19 .1. Intro d uc tio n to DNS 19 .1.1. Names erver Zo nes 19 .1.2. Names erver Typ es 19 .1.3. BIND as a Names erver 19 .2. /etc /named .c o nf 19 .2.1. Co mmo n Statement Typ es
6
26 9 26 9 270 270 271 271
T able of Cont ent s 19 .2.1. Co mmo n Statement Typ es 19 .2.1.1. ac l Statement
271 271
19 .2.1.2. inc lud e Statement 19 .2.1.3. o p tio ns Statement
272 272
19 .2.1.4. z o ne Statement
274
9 .2.1.5. Samp le z o ne Statements 1 19 .2.2. O ther Statement Typ es 9 .2.3. Co mment Tag s 1 19 .3. Zo ne Files
276 277 278 278
19 .3.1. Zo ne File Direc tives
279
19 .3.2. Zo ne File Res o urc e Rec o rd s 19 .3.3. Examp le Zo ne File
28 0 28 2
19 .3.4. Revers e Name Res o lutio n Zo ne Files
28 4
19 .4. Us ing rnd c 19 .4.1. Co nfig uring /etc /named .c o nf
28 4 28 5
9 .4.1.1. Firewall Blo c king Co mmunic atio n 1 19 .4.2. Co nfig uring /etc /rnd c .c o nf
28 6 28 6
19 .4.3. Co mmand Line O p tio ns
28 7
19 .5. Ad vanc ed Features o f BIND 19 .5.1. DNS Pro to c o l Enhanc ements
28 8 28 8
19 .5.2. Multip le Views 19 .5.3. Sec urity
28 8 28 8
19 .5.4. IP vers io n 6
28 9
19 .6 . Co mmo n Mis takes to Avo id 19 .7. Ad d itio nal Res o urc es
28 9 28 9
19 .7.1. Ins talled Do c umentatio n 19 .7.2. Us eful Web s ites
29 0 29 1
19 .7.3. Related Bo o ks
29 1
. .hapt C . . . .er . .2. 0. .. O . .penSSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.9. 2. . . . . . . . . . 2 0 .1. Features o f SSH
29 2
0 .1.1. Why Us e SSH? 2 2 0 .2. SSH Pro to c o l Vers io ns
29 2 29 3
2 0 .3. Event Seq uenc e o f an SSH Co nnec tio n
29 3
2 0 .3.1. Trans p o rt Layer 2 0 .3.2. Authentic atio n 0 .3.3. Channels 2 2 0 .4. Co nfig uring an O p enSSH Server 2 0 .4.1. Req uiring SSH fo r Remo te Co nnec tio ns 2 0 .5. O p enSSH Co nfig uratio n Files 2 0 .6 . Co nfig uring an O p enSSH Client
29 3 29 4 29 4 29 5 29 5 29 6 29 7
2 0 .6 .1. Us ing the s s h Co mmand 2 0 .6 .2. Us ing the s c p Co mmand
29 7 29 8
2 0 .6 .3. Us ing the s ftp Co mmand
29 9
2 0 .7. Mo re Than a Sec ure Shell 2 0 .7.1. X11 Fo rward ing
29 9 29 9
2 0 .7.2. Po rt Fo rward ing 2 0 .7.3. G enerating Key Pairs
29 9 30 0
2 0 .7.3.1. G enerating an RSA Key Pair fo r Vers io n 2
30 1
2 0 .7.3.2. G enerating a DSA Key Pair fo r Vers io n 2 2 0 .7.3.3. G enerating an RSA Key Pair fo r Vers io n 1.3 and 1.5
30 1 30 2
2 0 .7.3.4. Co nfig uring s s h-ag ent with a G UI
30 3
0 .7.3.5. Co nfig uring s s h-ag ent 2 2 0 .8 . Ad d itio nal Res o urc es
30 3 30 3
7
Deployment G uide 2 0 .8 . Ad d itio nal Res o urc es 2 0 .8 .1. Ins talled Do c umentatio n 2 0 .8 .2. Us eful Web s ites
30 3 30 4 30 4
. .hapt C . . . .er . .2. 1. .. Net . . . work . . . . .File . . . Syst . . . . em . . . (NFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 . . 5. . . . . . . . . . 2 1.1. Ho w It Wo rks 30 5 2 1.1.1. Req uired Servic es
30 6
2 1.2. NFS Client Co nfig uratio n 2 1.2.1. Mo unting NFS File Sys tems us ing /etc /fs tab
30 7 30 7
2 1.3. auto fs 2 1.3.1. What' s new in auto fs vers io n 5?
30 8 30 8
2 1.3.2. auto fs Co nfig uratio n
30 9
2 1.3.3. auto fs Co mmo n Tas ks 2 1.3.3.1. O verrid ing o r aug menting s ite c o nfig uratio n files
310 310
2 1.3.3.2. Us ing LDAP to Sto re Auto mo unter Map s 2 1.3.3.3. Ad ap ting Auto fs v4 Map s To Auto fs v5
311 313
2 1.4. Co mmo n NFS Mo unt O p tio ns
314
2 1.5. Starting and Sto p p ing NFS 2 1.6 . NFS Server Co nfig uratio n
315 316
2 1.6 .1. Exp o rting o r Sharing NFS File Sys tems
317
2 1.6 .2. Co mmand Line Co nfig uratio n 2 1.6 .3. Running NFS Behind a Firewall
320 321
1.6 .4. Ho s tname Fo rmats 2 2 1.7. The /etc /exp o rts Co nfig uratio n File
321 321
2 1.7.1. The exp o rtfs Co mmand
323
2 1.7.1.1. Us ing exp o rtfs with NFSv4 1.8 . Sec uring NFS 2
324 325
2 1.8 .1. Ho s t Ac c es s 2 1.8 .1.1. Us ing NFSv2 o r NFSv3
325 325
2 1.8 .1.2. Us ing NFSv4
326
1.8 .2. File Permis s io ns 2 2 1.9 . NFS and p o rtmap
327 327
2 1.9 .1. Tro ub les ho o ting NFS and p o rtmap 2 1.10 . Us ing NFS o ver TCP 2 1.11. Ad d itio nal Res o urc es
327 328 329
2 1.11.1. Ins talled Do c umentatio n 2 1.11.2. Us eful Web s ites
329 329
2 1.11.3. Related Bo o ks
329
. .hapt C . . . .er . .2. 2. .. Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 ............ 2 2.1. Intro d uc tio n to Samb a
330
2.1.1. Samb a Features 2 2 2.2. Samb a Daemo ns and Related Servic es
330 330
2 2.2.1. Samb a Daemo ns 2 2.3. Co nnec ting to a Samb a Share
331 331
2 2.3.1. Co mmand Line 2.3.2. Mo unting the Share 2 2 2.4. Co nfig uring a Samb a Server 2 2.4.1. G rap hic al Co nfig uratio n 2 2.4.1.1. Co nfig uring Server Setting s
334 334 334 335
2 2.4.1.2. Manag ing Samb a Us ers
337
2.4.1.3. Ad d ing a Share 2 2 2.4.2. Co mmand Line Co nfig uratio n
338 339
2 2.4.3. Enc ryp ted Pas s wo rd s 2 2.5. Starting and Sto p p ing Samb a
8
333
339 339
T able of Cont ent s 2 2.5. Starting and Sto p p ing Samb a
339
2 2.6 . Samb a Server Typ es and the s mb .c o nf File
340
2 2.6 .1. Stand -alo ne Server 2 2.6 .1.1. Ano nymo us Read -O nly
340 341
2 2.6 .1.2. Ano nymo us Read /Write
341
2 2.6 .1.3. Ano nymo us Print Server 2 2.6 .1.4. Sec ure Read /Write File and Print Server
341 342
2 2.6 .2. Do main Memb er Server 2 2.6 .2.1. Ac tive Direc to ry Do main Memb er Server
342 343
2 2.6 .2.2. Wind o ws NT4-b as ed Do main Memb er Server
344
2 2.6 .3. Do main Co ntro ller 2 2.6 .3.1. Primary Do main Co ntro ller (PDC) us ing td b s am
345 345
2 2.6 .3.2. Primary Do main Co ntro ller (PDC) with Ac tive Direc to ry 2 2.7. Samb a Sec urity Mo d es 2 2.7.1. Us er-Level Sec urity
347 347 347
2 2.7.1.1. Do main Sec urity Mo d e (Us er-Level Sec urity) 2 2.7.1.2. Ac tive Direc to ry Sec urity Mo d e (Us er-Level Sec urity)
347 347
2 2.7.1.3. Server Sec urity Mo d e (Us er-Level Sec urity)
348
2.7.2. Share-Level Sec urity 2 2 2.8 . Samb a Ac c o unt Info rmatio n Datab as es
348 348
2 2.9 . Samb a Netwo rk Bro ws ing 2 2.9 .1. Do main Bro ws ing
350 350
2 2.9 .2. WINS (Wind o ws Internetwo rking Name Server)
350
2 2.10 . Samb a with CUPS Printing Sup p o rt 2 2.10 .1. Simp le s mb .c o nf Setting s
351 351
2 2.11. Samb a Dis trib utio n Pro g rams 2 2.12. Ad d itio nal Res o urc es
351 357
2 2.12.1. Ins talled Do c umentatio n
357
2 2.12.2. Related Bo o ks 2 2.12.3. Us eful Web s ites
357 357
. .hapt C . . . .er . .2. 3. . . Dynamic . . . . . . . . Host . . . . .Configurat . . . . . . . . . ion . . . .Prot . . . .ocol . . . .(DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 ............ 2 3.1. Why Us e DHCP? 358 2 3.2. Co nfig uring a DHCP Server 2 3.2.1. Co nfig uratio n File
358 358
2 3.2.2. Leas e Datab as e
36 2
2 3.2.3. Starting and Sto p p ing the Server 2 3.2.4. DHCP Relay Ag ent
36 2 36 3
2 3.3. Co nfig uring a DHCP Client
36 3
2 3.4. Co nfig uring a Multiho med DHCP Server 2 3.4.1. Ho s t Co nfig uratio n
36 5 36 6
2 3.5. Ad d itio nal Res o urc es 2 3.5.1. Ins talled Do c umentatio n
36 8 36 8
. .hapt C . . . .er . .2. 4. .. Migrat . . . . . .ing . . . from . . . . .MySQ . . . . .L. 5.0 . . . .t o . . MySQ . . . . .L . .5.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36 . . 9. . . . . . . . . . 2 4.1. Up g rad ing fro m MySQ L 5.0 to MySQ L 5.5 36 9 . .hapt C . . . .er . .2. 5. . . Apache . . . . . . . HT . . .T. P. .Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 . . 2. . . . . . . . . . 2 5.1. Ap ac he HTTP Server 2.2 372 2 5.1.1. Features o f Ap ac he HTTP Server 2.2 2 5.2. Mig rating Ap ac he HTTP Server Co nfig uratio n Files 2 5.2.1. Mig rating Ap ac he HTTP Server 2.0 Co nfig uratio n Files 2 5.2.2. Mig rating Ap ac he HTTP Server 1.3 Co nfig uratio n Files to 2.0 2 5.2.2.1. G lo b al Enviro nment Co nfig uratio n
372 372 372 373 374
9
Deployment G uide 2 5.2.2.1.1. Interfac e and Po rt Bind ing
374
2 5.2.2.1.2. Server-Po o l Siz e Reg ulatio n 2 5.2.2.1.3. Dynamic Shared O b jec t (DSO ) Sup p o rt
374 375
2 5.2.2.1.4. O ther G lo b al Enviro nment Chang es 2 5.2.2.2. Main Server Co nfig uratio n
376 376
2 5.2.2.2.1. Us erDir Map p ing
376
2 5.2.2.2.2. Lo g g ing 2 5.2.2.2.3. Direc to ry Ind exing
377 377
2 5.2.2.2.4. Co ntent Neg o tiatio n 2 5.2.2.2.5. Erro r Do c uments
377 377
2 5.2.2.3. Virtual Ho s t Co nfig uratio n
378
2 5.2.2.4. Mo d ules and Ap ac he HTTP Server 2.0 2 5.2.2.4.1. The s uexec Mo d ule
378 379
2 5.2.2.4.2. The mo d _s s l Mo d ule
379
2 5.2.2.4.3. The mo d _p ro xy Mo d ule 2 5.2.2.4.4. The mo d _inc lud e Mo d ule
38 0 38 0
2 5.2.2.4.5. The mo d _auth_d b m and mo d _auth_d b Mo d ules 2 5.2.2.4.6 . The mo d _p erl Mo d ule
38 1 38 2
2 5.2.2.4.7. The mo d _p ytho n Mo d ule
38 2
2 5.2.2.4.8 . PHP 2 5.2.2.4.9 . The mo d _authz _ld ap Mo d ule
38 2 38 3
2 5.3. Starting and Sto p p ing http d 2 5.4. Ap ac he HTTP Server Co nfig uratio n
38 3 38 5
2 5.4.1. Bas ic Setting s
38 5
2 5.4.2. Default Setting s 2 5.4.2.1. Site Co nfig uratio n
38 7 38 9
2 5.4.2.2. SSL Sup p o rt 2 5.4.2.3. Lo g g ing
39 0 39 2
2 5.4.2.4. Enviro nment Variab les
39 4
5.4.2.5. Direc to ries 2 2 5.5. Co nfig uratio n Direc tives in http d .c o nf
39 5 39 7
2 5.5.1. G eneral Co nfig uratio n Tip s
39 8
2 5.5.2. Co nfig uratio n Direc tives fo r SSL 2 5.5.3. MPM Sp ec ific Server-Po o l Direc tives
413 414
2 5.6 . Ad d ing Mo d ules 2 5.7. Virtual Ho s ts 2 5.7.1. Setting Up Virtual Ho s ts
415 416 416
2 5.8 . Ap ac he HTTP Sec ure Server Co nfig uratio n 2 5.8 .1. An O verview o f Sec urity-Related Pac kag es
416 417
2 5.8 .2. An O verview o f Certific ates and Sec urity 2 5.8 .3. Us ing Pre-Exis ting Keys and Certific ates
417 418
2 5.8 .4. Typ es o f Certific ates
419
2 5.8 .5. G enerating a Key 2 5.8 .6 . Ho w to c o nfig ure the s erver to us e the new key
420 429
2 5.9 . Ad d itio nal Res o urc es
429
2 5.9 .1. Us eful Web s ites
430
. .hapt C . . . .er . .2. 6. .. FT . . .P. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. 31 ........... 2 6 .1. The File Trans fer Pro to c o l 431 2 6 .1.1. Multip le Po rts , Multip le Mo d es 2 6 .2. FTP Servers 2 6 .2.1. vs ftp d
10
431 432 432
2 6 .2.2. Files Ins talled with vs ftp d
432
2 6 .2.3. Starting and Sto p p ing vs ftp d
433
T able of Cont ent s 2 6 .2.3. Starting and Sto p p ing vs ftp d 2 6 .2.3.1. Starting Multip le Co p ies o f vs ftp d
433 434
2 6 .2.4. Enc ryp ting vs ftp d Co nnec tio ns Us ing TLS 2 6 .2.5. vs ftp d Co nfig uratio n O p tio ns
435 435
2 6 .2.5.1. Daemo n O p tio ns
436
2 6 .2.5.2. Lo g In O p tio ns and Ac c es s Co ntro ls 2 6 .2.5.3. Ano nymo us Us er O p tio ns
436 438
2 6 .2.5.4. Lo c al Us er O p tio ns 2 6 .2.5.5. Direc to ry O p tio ns
438 439
2 6 .2.5.6 . File Trans fer O p tio ns
440
2 6 .2.5.7. Lo g g ing O p tio ns 2 6 .2.5.8 . Netwo rk O p tio ns
440 442
2 6 .2.6 . Ad d itio nal Res o urc es
444
2 6 .2.6 .1. Ins talled Do c umentatio n 2 6 .2.6 .2. Us eful Web s ites
444 444
. .hapt C . . . .er . .2. 7. .. Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.4. 6. . . . . . . . . . 2 7.1. Email Pro to c o ls
446
2 7.1.1. Mail Trans p o rt Pro to c o ls 2 7.1.1.1. SMTP
446 446
2 7.1.2. Mail Ac c es s Pro to c o ls
447
2 7.1.2.1. PO P 2 7.1.2.2. IMAP 7.1.2.3. Do vec o t 2 2 7.2. Email Pro g ram Clas s ific atio ns
447 447 448 448
2 7.2.1. Mail Trans p o rt Ag ent
449
2 7.2.2. Mail Delivery Ag ent 2 7.2.3. Mail Us er Ag ent
449 449
2 7.3. Mail Trans p o rt Ag ents 2 7.3.1. Send mail
449 449
2 7.3.1.1. Purp o s e and Limitatio ns
450
2 7.3.1.2. The Default Send mail Ins tallatio n 2 7.3.1.3. Co mmo n Send mail Co nfig uratio n Chang es
450 451
2 7.3.1.4. Mas q uerad ing
452
2 7.3.1.5. Sto p p ing Sp am 2 7.3.1.6 . Us ing Send mail with LDAP
452 453
2 7.3.2. Po s tfix 2 7.3.2.1. The Default Po s tfix Ins tallatio n
454 454
2 7.3.2.2. Bas ic Po s tfix Co nfig uratio n
455
2 7.3.3. Fetc hmail 2 7.3.3.1. Fetc hmail Co nfig uratio n O p tio ns 2 7.3.3.2. G lo b al O p tio ns
456 456 457
2 7.3.3.3. Server O p tio ns
457
2 7.3.3.4. Us er O p tio ns 2 7.3.3.5. Fetc hmail Co mmand O p tio ns
458 458
2 7.3.3.6 . Info rmatio nal o r Deb ug g ing O p tio ns
458
2 7.3.3.7. Sp ec ial O p tio ns
459
2 7.4. Mail Trans p o rt Ag ent (MTA) Co nfig uratio n
459
2 7.5. Mail Delivery Ag ents 2 7.5.1. Pro c mail Co nfig uratio n
46 0 46 1
2 7.5.2. Pro c mail Rec ip es
46 2
2 7.5.2.1. Delivering vs . No n-Delivering Rec ip es
46 3
2 7.5.2.2. Flag s
46 3
2 7.5.2.3. Sp ec ifying a Lo c al Lo c kfile
46 4
11
Deployment G uide 2 7.5.2.3. Sp ec ifying a Lo c al Lo c kfile 2 7.5.2.4. Sp ec ial Co nd itio ns and Ac tio ns
46 4 46 4
2 7.5.2.5. Rec ip e Examp les
46 4
2 7.5.2.6 . Sp am Filters 2 7.6 . Mail Us er Ag ents 2 7.6 .1. Sec uring Co mmunic atio n 2 7.6 .1.1. Sec ure Email Clients 2 7.6 .1.2. Sec uring Email Client Co mmunic atio ns 2 7.7. Ad d itio nal Res o urc es
46 5 46 6 46 7 46 7 46 7 46 9
2 7.7.1. Ins talled Do c umentatio n
46 9
2 7.7.2. Us eful Web s ites 2 7.7.3. Related Bo o ks
46 9 470
. .hapt C . . . .er . .2. 8. .. Light . . . . .weight . . . . . . Direct . . . . . .ory . . . Access . . . . . . .Prot . . . .ocol . . . .(LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.7. 1. . . . . . . . . . 2 8 .1. Why Us e LDAP? 2 8 .1.1. O p enLDAP Features 2 8 .2. LDAP Termino lo g y 2 8 .3. O p enLDAP Daemo ns and Utilities
471 472 472 473
2 8 .3.1. NSS, PAM, and LDAP
474
2 8 .3.2. PHP4, LDAP, and the Ap ac he HTTP Server
475
2 8 .3.3. LDAP Client Ap p lic atio ns
475
2 8 .4. O p enLDAP Co nfig uratio n Files 2 8 .5. The /etc /o p enld ap /s c hema/ Direc to ry
475 476
2 8 .6 . O p enLDAP Setup O verview
477
2 8 .6 .1. Ed iting /etc /o p enld ap /s lap d .c o nf 2 8 .7. Co nfig uring a Sys tem to Authentic ate Us ing O p enLDAP 2 8 .7.1. PAM and LDAP 2 8 .7.2. Mig rating O ld Authentic atio n Info rmatio n to LDAP Fo rmat
477 478 479 479
2 8 .8 . Mig rating Direc to ries fro m Earlier Releas es
48 0
2 8 .9 . Ad d itio nal Res o urc es
48 0
2 8 .9 .1. Ins talled Do c umentatio n
48 0
2 8 .9 .2. Us eful Web s ites 2 8 .9 .3. Related Bo o ks
48 1 48 2
. .hapt C . . . .er . .2. 9. .. Aut . . . hent . . . . .icat . . .ion . . . Configurat . . . . . . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. 8. 3. . . . . . . . . . 2 9 .1. Us er Info rmatio n
48 3
2 9 .2. Authentic atio n
48 6
2 9 .3. O p tio ns 2 9 .4. Co mmand Line Vers io n
48 8 49 0
. .hapt C . . . .er . .30 . . .. Using . . . . . .and . . . .Caching . . . . . . . Credent . . . . . . . ials . . . .wit ..h . . SSSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. 9. 3. . . . . . . . . . 3 0 .1. Ab o ut the s s s d .c o nf File
49 3
3 0 .2. Starting and Sto p p ing SSSD 3 0 .3. Co nfig uring SSSD to Wo rk with Sys tem Servic es
49 3 49 4
3 0 .3.1. Co nfig uring NSS Servic es
49 4
3 0 .3.1.2. Co nfig uring NSS Servic es to Us e SSSD
49 5
0 .3.1.3. Co nfig uring SSSD to Wo rk with NSS 3 3 0 .3.2. Co nfig uring the PAM Servic e 3 0 .4. Creating Do mains
12
49 4
3 0 .3.1.1. Ab o ut NSS Servic e Map s and SSSD
49 5 49 7 49 9
3 0 .4.1. G eneral Rules and O p tio ns fo r Co nfig uring a Do main
50 0
3 0 .4.2. Co nfig uring an LDAP Do main
50 3
3 0 .4.2.1. Parameters fo r Co nfig uring an LDAP Do main
50 4
3 0 .4.2.2. LDAP Do main Examp le 3 0 .4.2.3. Ac tive Direc to ry Do main Examp le
50 7 50 8
T able of Cont ent s 3 0 .4.2.3. Ac tive Direc to ry Do main Examp le 3 0 .4.2.4. Us ing IP Ad d res s es in Certific ate Sub jec t Names
50 8 511
3 0 .4.3. Co nfig uring Kerb ero s Authentic atio n with a Do main
511
3 0 .4.4. Co nfig uring a Pro xy Do main
514
3 0 .5. Co nfig uring Ac c es s Co ntro l fo r SSSD Do mains 3 0 .5.1. Us ing the Simp le Ac c es s Pro vid er 3 0 .5.2. Us ing the LDAP Ac c es s Filter 3 0 .6 . Co nfig uring Do main Failo ver 3 0 .6 .1. Co nfig uring Failo ver
516 516 516 517 517
3 0 .6 .2. Us ing SRV Rec o rd s with Failo ver 3 0 .7. Deleting Do main Cac he Files
518 518
3 0 .8 . Us ing NSCD with SSSD
518
3 0 .9 . Tro ub les ho o ting SSSD
519
3 0 .9 .1. Chec king SSSD Lo g Files
519
3 0 .9 .2. Pro b lems with SSSD Co nfig uratio n
520
. .art P . . .IV. . . Syst . . . . em . . . Configurat . . . . . . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 . . 4. . . . . . . . . . . .hapt C . . . .er . .31 . . .. Console . . . . . . . .Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 . . 5. . . . . . . . . . 3 1.1. Dis ab ling Shutd o wn Via Ctrl+ Alt+ Del
525
3 1.2. Dis ab ling Co ns o le Pro g ram Ac c es s 3 1.3. Defining the Co ns o le
526 526
3 1.4. Making Files Ac c es s ib le Fro m the Co ns o le
526
3 1.5. Enab ling Co ns o le Ac c es s fo r O ther Ap p lic atio ns
527
3 1.6 . The flo p p y G ro up
528
. .hapt C . . . .er . .32 . . .. T. he . . . sysconfig . . . . . . . . . Direct . . . . . .ory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 . . 9. . . . . . . . . . 3 2.1. Files in the /etc /s ys c o nfig / Direc to ry
529
3 2.1.1. /etc /s ys c o nfig /amd
529
3 2.1.2. /etc /s ys c o nfig /ap md
529
3 2.1.3. /etc /s ys c o nfig /arp watc h 3 2.1.4. /etc /s ys c o nfig /authc o nfig
529 529
3 2.1.5. /etc /s ys c o nfig /auto fs
530
3 2.1.6 . /etc /s ys c o nfig /c lo c k
530
3 2.1.7. /etc /s ys c o nfig /d es kto p
531
3 2.1.8 . /etc /s ys c o nfig /d hc p d
531
3 2.1.9 . /etc /s ys c o nfig /exim 3 2.1.10 . /etc /s ys c o nfig /firs tb o o t
531 532
3 2.1.11. /etc /s ys c o nfig /g p m
532
3 2.1.12. /etc /s ys c o nfig /hwc o nf
532
3 2.1.13. /etc /s ys c o nfig /i18 n
532
3 2.1.14. /etc /s ys c o nfig /init 3 2.1.15. /etc /s ys c o nfig /ip 6 tab les -c o nfig
532 533
3 2.1.16 . /etc /s ys c o nfig /ip tab les -c o nfig
533
3 2.1.17. /etc /s ys c o nfig /ird a
534
3 2.1.18 . /etc /s ys c o nfig /keyb o ard
534
3 2.1.19 . /etc /s ys c o nfig /kud z u 3 2.1.20 . /etc /s ys c o nfig /named
534 535
3 2.1.21. /etc /s ys c o nfig /netwo rk
535
3 2.1.22. /etc /s ys c o nfig /nfs
536
3 2.1.23. /etc /s ys c o nfig /ntp d
536
3 2.1.24. /etc /s ys c o nfig /rad vd 3 2.1.25. /etc /s ys c o nfig /s amb a
537 537
3 2.1.26 . /etc /s ys c o nfig /s elinux
537
3 2.1.27. /etc /s ys c o nfig /s end mail
537
13
Deployment G uide 3 2.1.27. /etc /s ys c o nfig /s end mail
537
3 2.1.28 . /etc /s ys c o nfig /s p amas s as s in
537
3 2.1.29 . /etc /s ys c o nfig /s q uid 3 2.1.30 . /etc /s ys c o nfig /s ys tem-c o nfig -s ec uritylevel
538 538
3 2.1.31. /etc /s ys c o nfig /s ys tem-c o nfig -s elinux
538
3 2.1.32. /etc /s ys c o nfig /s ys tem-c o nfig -us ers
538
3 2.1.33. /etc /s ys c o nfig /s ys tem-lo g viewer
538
3 2.1.34. /etc /s ys c o nfig /tux 3 2.1.35. /etc /s ys c o nfig /vnc s ervers
538 538
3 2.1.36 . /etc /s ys c o nfig /xinetd
539
3 2.2. Direc to ries in the /etc /s ys c o nfig / Direc to ry
539
3 2.3. Ad d itio nal Res o urc es
540
3 2.3.1. Ins talled Do c umentatio n
540
. .hapt C . . . .er . .33. . . .Dat . . . e. .and ...T . .ime . . . Configurat . . . . . . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 . . 1. . . . . . . . . . 3 3.1. Time and Date Pro p erties
541
3 3.2. Netwo rk Time Pro to c o l (NTP) Pro p erties
542
3 3.3. Time Zo ne Co nfig uratio n
544
. .hapt C . . . .er . .34 . . .. Keyboard . . . . . . . . .Configurat . . . . . . . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 . . 6. . . . . . . . . . . .hapt C . . . .er . .35. . . .T. he . . .X. .Window . . . . . . .Syst . . . .em . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 . . 7. . . . . . . . . . 3 5.1. The X11R7.1 Releas e
547
3 5.2. Des kto p Enviro nments and Wind o w Manag ers
548
3 5.2.1. Des kto p Enviro nments 3 5.2.2. Wind o w Manag ers
548 548
3 5.3. X Server Co nfig uratio n Files
549
3 5.3.1. xo rg .c o nf
550
3 5.3.1.1. The Struc ture
550
3 5.3.1.2. ServerFlag s 3 5.3.1.3. ServerLayo ut
550 551
3 5.3.1.4. Files
552
3 5.3.1.5. Mo d ule
552
3 5.3.1.6 . Inp utDevic e
553
3 5.3.1.7. Mo nito r 3 5.3.1.8 . Devic e
553 554
3 5.3.1.9 . Sc reen
555
3 5.3.1.10 . DRI
556
3 5.4. Fo nts
556
3 5.4.1. Fo ntc o nfig 3 5.4.1.1. Ad d ing Fo nts to Fo ntc o nfig
557 557
3 5.4.2. Co re X Fo nt Sys tem
558
3 5.4.2.1. xfs Co nfig uratio n 3 5.4.2.2. Ad d ing Fo nts to xfs
558 559
3 5.5. Runlevels and X
56 0
3 5.5.1. Runlevel 3 3 5.5.2. Runlevel 5
56 0 56 0
3 5.6 . Ad d itio nal Res o urc es
56 1
3 5.6 .1. Ins talled Do c umentatio n
56 1
3 5.6 .2. Us eful Web s ites
56 2
. .hapt C . . . .er . .36 . . .. X. .Window . . . . . . . Syst . . . . em . . . Configurat . . . . . . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 . . 3. . . . . . . . . .
14
3 6 .1. Dis p lay Setting s
56 3
3 6 .2. Dis p lay Hard ware Setting s
56 4
3 6 .3. Dual Head Dis p lay Setting s
56 4
T able of Cont ent s 3 6 .3. Dual Head Dis p lay Setting s
56 4
. .hapt C . . . .er . .37 . . .. Users . . . . . .and . . . .G.roups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56 . . 6. . . . . . . . . . 3 7.1. Us er and G ro up Co nfig uratio n 56 6 3 7.1.1. Ad d ing a New Us er
56 7
3 7.1.2. Mo d ifying Us er Pro p erties
56 9
3 7.1.3. Ad d ing a New G ro up
570
7.1.4. Mo d ifying G ro up Pro p erties 3 3 7.2. Us er and G ro up Manag ement To o ls
571 571
3 7.2.1. Co mmand Line Co nfig uratio n
572
3 7.2.2. Ad d ing a Us er
572
3 7.2.3. Ad d ing a G ro up
573
3 7.2.4. Pas s wo rd Ag ing 3 7.2.5. Exp laining the Pro c es s
573 575
3 7.3. Stand ard Us ers
576
3 7.4. Stand ard G ro up s
577
3 7.5. Us er Private G ro up s
579
7.5.1. G ro up Direc to ries 3 3 7.6 . Shad o w Pas s wo rd s
579 58 0
3 7.7. Ad d itio nal Res o urc es
58 0
3 7.7.1. Ins talled Do c umentatio n
58 1
. .hapt C . . . .er . .38 . . .. Print . . . . er . . .Configurat . . . . . . . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 . . 2. . . . . . . . . . 3 8 .1. Ad d ing a Lo c al Printer 3 8 .2. Ad d ing an IPP Printer
58 3 58 5
3 8 .3. Ad d ing a Samb a (SMB) Printer
58 6
3 8 .4. Ad d ing a JetDirec t Printer
58 8
3 8 .5. Selec ting the Printer Mo d el and Finis hing
58 9
3 8 .5.1. Co nfirming Printer Co nfig uratio n 3 8 .6 . Printing a Tes t Pag e
59 0 59 0
3 8 .7. Mo d ifying Exis ting Printers
59 0
3 8 .7.1. The Setting s Tab
59 0
3 8 .7.2. The Po lic ies Tab
59 1
3 8 .7.3. The Ac c es s Co ntro l Tab 3 8 .7.4. The Printer and Jo b O p tio ns Tab
59 2 59 3
3 8 .8 . Manag ing Print Jo b s 3 8 .9 . Ad d itio nal Res o urc es
59 4 59 5
3 8 .9 .1. Ins talled Do c umentatio n
59 6
3 8 .9 .2. Us eful Web s ites
59 6
. .hapt C . . . .er . .39 . . .. Aut . . . omat . . . . .ed ..T . .asks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59 . . 7. . . . . . . . . . 3 9 .1. Cro n
59 7
3 9 .1.1. Co nfig uring Cro n Jo b s
59 7
3 9 .1.2. Co ntro lling Ac c es s to Cro n
59 9
9 .1.3. Starting and Sto p p ing the Servic e 3 3 9 .2. At and Batc h
59 9 59 9
3 9 .2.1. Co nfig uring At Jo b s
59 9
3 9 .2.2. Co nfig uring Batc h Jo b s
600
3 9 .2.3. Viewing Pend ing Jo b s
601
3 9 .2.4. Ad d itio nal Co mmand Line O p tio ns 3 9 .2.5. Co ntro lling Ac c es s to At and Batc h
601 601
3 9 .2.6 . Starting and Sto p p ing the Servic e
601
3 9 .3. Ad d itio nal Res o urc es 3 9 .3.1. Ins talled Do c umentatio n
601 601
15
Deployment G uide . .hapt C . . . .er . .4. 0. .. Log . . . . Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 0. 3. . . . . . . . . . 4 0 .1. Lo c ating Lo g Files
603
4 0 .2. Viewing Lo g Files
603
4 0 .3. Ad d ing a Lo g File
606
4 0 .4. Mo nito ring Lo g Files
607
. .art P . . .V.. .Syst . . . .em . . .Monit . . . . .oring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.1. 1. . . . . . . . . . . .hapt C . . . .er . .4. 1. .. Syst . . . . emT . . . . ap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.1. 2. . . . . . . . . . 4 1.1. Intro d uc tio n
6 12
4 1.2. Imp lementatio n 4 1.3. Us ing Sys temTap
6 12 6 13
4 1.3.1. Trac ing
6 13
4 1.3.1.1. Where to Pro b e
6 13
4 1.3.1.2. What to Print
6 14
. .hapt C . . . .er . .4. 2. .. G . .at . .hering . . . . . .Syst . . . .em . . .Informat . . . . . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 1. 5. . . . . . . . . . 4 2.1. Sys tem Pro c es s es 6 15 4 2.2. Memo ry Us ag e
6 17
4 2.3. File Sys tems
6 19
4 2.4. Hard ware
6 21
4 2.5. Ad d itio nal Res o urc es 4 2.5.1. Ins talled Do c umentatio n
6 24 6 24
. .hapt C . . . .er . .4. 3. . .O . .Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 2. 5. . . . . . . . . . 4 3.1. O verview o f To o ls
6 25
4 3.2. Co nfig uring O Pro file 4 3.2.1. Sp ec ifying the Kernel
6 26 6 26
4 3.2.2. Setting Events to Mo nito r
6 27
4 3.2.2.1. Samp ling Rate
6 28
4 3.2.2.2. Unit Mas ks
6 28
4 3.2.3. Sep arating Kernel and Us er-s p ac e Pro files 4 3.3. Starting and Sto p p ing O Pro file
6 29 6 29
4 3.4. Saving Data
6 30
4 3.5. Analyz ing the Data
6 30
4 3.5.1. Us ing o p rep o rt
6 31
4 3.5.2. Us ing o p rep o rt o n a Sing le Exec utab le
6 32
4 3.5.3. G etting mo re d etailed o utp ut o n the mo d ules 4 3.5.4. Us ing o p anno tate
6 33 6 34
4 3.6 . Und ers tand ing /d ev/o p ro file/
6 35
4 3.7. Examp le Us ag e
6 35
4 3.8 . G rap hic al Interfac e
6 35
4 3.9 . Ad d itio nal Res o urc es 4 3.9 .1. Ins talled Do c s
6 37 6 38
4 3.9 .2. Us eful Web s ites
6 38
. .art P . . .VI. . . Kernel . . . . . . and . . . . Driver . . . . . .Configurat . . . . . . . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 39 ........... . .hapt C . . . .er . .4. 4. .. Manually . . . . . . . . .Upgrading . . . . . . . . . t. he . . .Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.4. 0. . . . . . . . . . 4 4.1. O verview o f Kernel Pac kag es 6 40
16
4 4.2. Prep aring to Up g rad e
6 41
4 4.3. Do wnlo ad ing the Up g rad ed Kernel
6 42
4 4.4. Perfo rming the Up g rad e
6 43
4 4.5. Verifying the Initial RAM Dis k Imag e 4 4.6 . Verifying the Bo o t Lo ad er
6 43 6 43
T able of Cont ent s
4 4.6 .1. x8 6 Sys tems
6 44
4 4.6 .1.1. G RUB
6 44
4 4.6 .2. Itanium Sys tems
6 44
4 4.6 .3. IBM S/39 0 and IBM Sys tem z Sys tems 4 4.6 .4. IBM eServer iSeries Sys tems
6 45 6 45
4 4.6 .5. IBM eServer p Series Sys tems
6 45
. .hapt C . . . .er . .4. 5. . .G . .eneral . . . . . Paramet . . . . . . . .ers . . .and . . . .Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.4. 7. . . . . . . . . . 4 5.1. Kernel Mo d ule Utilities 4 5.2. Pers is tent Mo d ule Lo ad ing
6 47 6 49
4 5.3. Sp ec ifying Mo d ule Parameters
6 50
4 5.4. Sto rag e p arameters
6 50
4 5.5. Ethernet Parameters
6 56
4 5.5.1. The Channel Bo nd ing Mo d ule
664
5.5.1.1. b o nd ing Mo d ule Direc tives 4 4 5.6 . Ad d itio nal Res o urc es
664 6 70
4 5.6 .1. Ins talled Do c umentatio n
6 70
4 5.6 .2. Us eful Web s ites
6 71
. .hapt C . . . .er . .4. 6. .. T . .he . . kdump . . . . . . .Crash . . . . . Recovery . . . . . . . . .Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.7. 2. . . . . . . . . . 4 6 .1. Ins talling the kd ump Servic e 6 72 4 6 .2. Co nfig uring the kd ump Servic e 4 6 .2.1. Co nfig uring kd ump at Firs t Bo o t 4 6 .2.1.1. Enab ling the Servic e 6 .2.1.2. Co nfig uring the Memo ry Us ag e 4 4 6 .2.2. Us ing the Kernel Dump Co nfig uratio n Utility
6 72 6 72 6 73 6 73 6 73
4 6 .2.2.1. Enab ling the Servic e
6 74
4 6 .2.2.2. Co nfig uring the Memo ry Us ag e
6 75
4 6 .2.2.3. Co nfig uring the Targ et Typ e
6 75
4 6 .2.2.4. Co nfig uring the Co re Co llec to r 4 6 .2.2.5. Chang ing the Default Ac tio n
6 75 6 76
4 6 .2.3. Co nfig uring kd ump o n the Co mmand Line
6 76
4 6 .2.3.1. Co nfig uring the Memo ry Us ag e
6 76
4 6 .2.3.2. Co nfig uring the Targ et Typ e
6 77
4 6 .2.3.3. Co nfig uring the Co re Co llec to r
6 77
4 6 .2.3.4. Chang ing the Default Ac tio n 4 6 .2.3.5. Enab ling the Servic e
6 78 6 78
4 6 .2.4. Tes ting the Co nfig uratio n 4 6 .3. Analyz ing the Co re Dump
6 79 6 79
4 6 .3.1. Dis p laying the Mes s ag e Buffer
681
4 6 .3.2. Dis p laying a Bac ktrac e 4 6 .3.3. Dis p laying a Pro c es s Status
681 682
4 6 .3.4. Dis p laying Virtual Memo ry Info rmatio n
682
4 6 .3.5. Dis p laying O p en Files
683
4 6 .4. Ad d itio nal Res o urc es 4 6 .4.1. Ins talled Do c umentatio n 4 6 .4.2. Us eful Web s ites
683 683 684
. .art P . . .VII. . . .Securit . . . . . . y. .And . . . .Aut . . .hent . . . .icat . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 8. 5. . . . . . . . . . . .hapt C . . . .er . .4. 7. .. Securit . . . . . . .y. O . .verview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.8. 6. . . . . . . . . . 4 7.1. Intro d uc tio n to Sec urity 4 7.1.1. What is Co mp uter Sec urity?
686 686
4 7.1.1.1. Ho w d id Co mp uter Sec urity Co me ab o ut?
686
4 7.1.1.2. Sec urity To d ay
686
17
Deployment G uide 4 7.1.1.2. Sec urity To d ay
686
4 7.1.1.3. Stand ard iz ing Sec urity
687
4 7.1.2. Sec urity Co ntro ls 4 7.1.2.1. Phys ic al Co ntro ls
687 688
4 7.1.2.2. Tec hnic al Co ntro ls
688
4 7.1.2.3. Ad minis trative Co ntro ls
688
4 7.1.3. Co nc lus io n 4 7.2. Vulnerab ility As s es s ment 4 7.2.1. Thinking Like the Enemy
688 689 689
4 7.2.2. Defining As s es s ment and Tes ting
690
4 7.2.2.1. Es tab lis hing a Metho d o lo g y
691
4 7.2.3. Evaluating the To o ls
691
4 7.2.3.1. Sc anning Ho s ts with Nmap 4 7.2.3.1.1. Us ing Nmap
691 692
4 7.2.3.2. Nes s us
692
4 7.2.3.3. Nikto
693
4 7.2.3.4. VLAD the Sc anner
693
4 7.2.3.5. Antic ip ating Yo ur Future Need s 4 7.3. Attac kers and Vulnerab ilities 4 7.3.1. A Q uic k His to ry o f Hac kers 4 7.3.1.1. Shad es o f G ray
693 693 693 694
4 7.3.2. Threats to Netwo rk Sec urity
694
4 7.3.2.1. Ins ec ure Arc hitec tures
694
4 7.3.2.1.1. Bro ad c as t Netwo rks 4 7.3.2.1.2. Centraliz ed Servers 4 7.3.3. Threats to Server Sec urity 4 7.3.3.1. Unus ed Servic es and O p en Po rts
694 695 695 695
4 7.3.3.2. Unp atc hed Servic es
695
4 7.3.3.3. Inattentive Ad minis tratio n 4 7.3.3.4. Inherently Ins ec ure Servic es
696 696
4 7.3.4. Threats to Wo rks tatio n and Ho me PC Sec urity
696
4 7.3.4.1. Bad Pas s wo rd s
697
4 7.3.4.2. Vulnerab le Client Ap p lic atio ns
697
4 7.4. Co mmo n Exp lo its and Attac ks 4 7.5. Sec urity Up d ates 4 7.5.1. Up d ating Pac kag es
697 70 1 70 2
4 7.5.1.1. Us ing Auto matic Up d ates with RHN Clas s ic
70 2
4 7.5.1.2. Us ing the Red Hat Errata Web s ite
70 3
4 7.5.1.3. Verifying Sig ned Pac kag es 4 7.5.1.4. Ins talling Sig ned Pac kag es
70 3 70 4
4 7.5.1.5. Ap p lying the Chang es
70 5
. .hapt C . . . .er . .4. 8. .. Securing . . . . . . . . .Your . . . . Net . . . work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7.0. 8. . . . . . . . . . 4 8 .1. Wo rks tatio n Sec urity 4 8 .1.1. Evaluating Wo rks tatio n Sec urity 4 8 .1.2. BIO S and Bo o t Lo ad er Sec urity 4 8 .1.2.1. BIO S Pas s wo rd s 4 8 .1.2.1.1. Sec uring No n-x8 6 Platfo rms 4 8 .1.2.2. Bo o t Lo ad er Pas s wo rd s 4 8 .1.2.2.1. Pas s wo rd Pro tec ting G RUB 4 8 .1.3. Pas s wo rd Sec urity 4 8 .1.3.1. Creating Stro ng Pas s wo rd s 4 8 .1.3.1.1. Sec ure Pas s wo rd Creatio n Metho d o lo g y 4 8 .1.3.2. Creating Us er Pas s wo rd s Within an O rg aniz atio n
18
70 8 70 8 70 8 70 8 70 9 70 9 70 9 710 711 712 713
T able of Cont ent s 4 8 .1.3.2. Creating Us er Pas s wo rd s Within an O rg aniz atio n 4 8 .1.3.2.1. Fo rc ing Stro ng Pas s wo rd s 4 8 .1.3.2.2. Pas s wo rd Ag ing 4 8 .1.4. Ad minis trative Co ntro ls
713 713 714 715
4 8 .1.4.1. Allo wing Ro o t Ac c es s
716
4 8 .1.4.2. Dis allo wing Ro o t Ac c es s
716
4 8 .1.4.3. Limiting Ro o t Ac c es s 4 8 .1.4.3.1. The s u Co mmand
719 719
4 8 .1.4.3.2. The s ud o Co mmand 4 8 .1.5. Availab le Netwo rk Servic es
721 722
4 8 .1.5.1. Ris ks To Servic es
722
4 8 .1.5.2. Id entifying and Co nfig uring Servic es 4 8 .1.5.3. Ins ec ure Servic es
723 724
4 8 .1.6 . Pers o nal Firewalls 4 8 .1.7. Sec urity Enhanc ed Co mmunic atio n To o ls 4 8 .2. Server Sec urity 4 8 .2.1. Sec uring Servic es With TCP Wrap p ers and xinetd 4 8 .2.1.1. Enhanc ing Sec urity With TCP Wrap p ers
725 725 726 726 726
4 8 .2.1.1.1. TCP Wrap p ers and Co nnec tio n Banners
727
4 8 .2.1.1.2. TCP Wrap p ers and Attac k Warning s
727
4 8 .2.1.1.3. TCP Wrap p ers and Enhanc ed Lo g g ing
727
4 8 .2.1.2. Enhanc ing Sec urity With xinetd 4 8 .2.1.2.1. Setting a Trap 4 8 .2.1.2.2. Co ntro lling Server Res o urc es 4 8 .2.2. Sec uring Po rtmap
728 728 729 729
4 8 .2.2.1. Pro tec t p o rtmap With TCP Wrap p ers
729
4 8 .2.2.2. Pro tec t p o rtmap With ip tab les
729
4 8 .2.3. Sec uring NIS 4 8 .2.3.1. Carefully Plan the Netwo rk
730 730
4 8 .2.3.2. Us e a Pas s wo rd -like NIS Do main Name and Ho s tname
731
4 8 .2.3.3. Ed it the /var/yp /s ec urenets File
731
4 8 .2.3.4. As s ig n Static Po rts and Us e ip tab les Rules
731
4 8 .2.3.5. Us e Kerb ero s Authentic atio n 4 8 .2.4. Sec uring NFS
732 732
4 8 .2.4.1. Carefully Plan the Netwo rk
732
4 8 .2.4.2. Beware o f Syntax Erro rs
733
4 8 .2.4.3. Do No t Us e the no _ro o t_s q uas h O p tio n
733
4 8 .2.5. Sec uring the Ap ac he HTTP Server 4 8 .2.5.1. Fo llo wSymLinks
733 733
4 8 .2.5.2. The Ind exes Direc tive
733
4 8 .2.5.3. The Us erDir Direc tive
733
4 8 .2.5.4. Do No t Remo ve the Inc lud es No Exec Direc tive
734
4 8 .2.5.5. Res tric t Permis s io ns fo r Exec utab le Direc to ries 4 8 .2.6 . Sec uring FTP
734 734
4 8 .2.6 .1. FTP G reeting Banner
734
4 8 .2.6 .2. Ano nymo us Ac c es s
735
4 8 .2.6 .2.1. Ano nymo us Up lo ad
736
4 8 .2.6 .3. Us er Ac c o unts 4 8 .2.6 .3.1. Res tric ting Us er Ac c o unts
736 736
4 8 .2.6 .4. Us e TCP Wrap p ers To Co ntro l Ac c es s
737
4 8 .2.7. Sec uring Send mail
737
4 8 .2.7.1. Limiting a Denial o f Servic e Attac k
737
4 8 .2.7.2. NFS and Send mail 4 8 .2.7.3. Mail-o nly Us ers
737 737
19
Deployment G uide 4 8 .2.7.3. Mail-o nly Us ers 4 8 .2.8 . Verifying Whic h Po rts Are Lis tening 4 8 .3. Sing le Sig n-o n (SSO ) 4 8 .3.1. Intro d uc tio n
739 739
4 8 .3.1.1. Sup p o rted Ap p lic atio ns
739
4 8 .3.1.2. Sup p o rted Authentic atio n Mec hanis ms 4 8 .3.1.3. Sup p o rted Smart Card s
740 740
4 8 .3.1.4. Ad vantag es o f Red Hat Enterp ris e Linux Sing le Sig n-o n
740
4 8 .3.2. G etting Started with yo ur new Smart Card 4 8 .3.2.1. Tro ub les ho o ting 4 8 .3.3. Ho w Smart Card Enro llment Wo rks 4 8 .3.4. Ho w Smart Card Lo g in Wo rks 4 8 .3.5. Co nfig uring Firefo x to us e Kerb ero s fo r SSO 4 8 .3.5.1. Tro ub les ho o ting 4 8 .4. Plug g ab le Authentic atio n Mo d ules (PAM)
740 742 742 743 744 746 746
4 8 .4.1. Ad vantag es o f PAM 4 8 .4.2. PAM Co nfig uratio n Files
747 747
4 8 .4.2.1. PAM Servic e Files
747
4 8 .4.3. PAM Co nfig uratio n File Fo rmat
747
4 8 .4.3.1. Mo d ule Interfac e
747
4 8 .4.3.1.1. Stac king Mo d ule Interfac es 4 8 .4.3.2. Co ntro l Flag
748 749
4 8 .4.3.3. Mo d ule Name
749
4 8 .4.3.4. Mo d ule Arg uments
749
4 8 .4.4. Samp le PAM Co nfig uratio n Files
750
4 8 .4.5. Creating PAM Mo d ules 4 8 .4.6 . PAM and Ad minis trative Cred ential Cac hing
751 751
4 8 .4.6 .1. Remo ving the Times tamp File
752
4 8 .4.6 .2. Co mmo n p am_times tamp Direc tives
753
4 8 .4.7. PAM and Devic e O wners hip 4 8 .4.7.1. Devic e O wners hip 4 8 .4.7.2. Ap p lic atio n Ac c es s 4 8 .4.8 . Ad d itio nal Res o urc es
753 753 754 754
4 8 .4.8 .1. Ins talled Do c umentatio n
754
4 8 .4.8 .2. Us eful Web s ites
755
4 8 .5. TCP Wrap p ers and xinetd
755
4 8 .5.1. TCP Wrap p ers 4 8 .5.1.1. Ad vantag es o f TCP Wrap p ers
756 757
4 8 .5.2. TCP Wrap p ers Co nfig uratio n Files
757
4 8 .5.2.1. Fo rmatting Ac c es s Rules
20
737 738
758
4 8 .5.2.1.1. Wild c ard s
759
4 8 .5.2.1.2. Patterns 4 8 .5.2.1.3. Po rtmap and TCP Wrap p ers
76 0 76 1
4 8 .5.2.1.4. O p erato rs
76 1
4 8 .5.2.2. O p tio n Field s
76 2
4 8 .5.2.2.1. Lo g g ing
76 2
4 8 .5.2.2.2. Ac c es s Co ntro l 4 8 .5.2.2.3. Shell Co mmand s
76 2 76 2
4 8 .5.2.2.4. Exp ans io ns
76 3
4 8 .5.3. xinetd
76 4
4 8 .5.4. xinetd Co nfig uratio n Files
76 4
4 8 .5.4.1. The /etc /xinetd .c o nf File 4 8 .5.4.2. The /etc /xinetd .d / Direc to ry
76 4 76 5
4 8 .5.4.3. Altering xinetd Co nfig uratio n Files
76 6
T able of Cont ent s 4 8 .5.4.3. Altering xinetd Co nfig uratio n Files
76 6
4 8 .5.4.3.1. Lo g g ing O p tio ns
76 6
4 8 .5.4.3.2. Ac c es s Co ntro l O p tio ns
76 7
4 8 .5.4.3.3. Bind ing and Red irec tio n O p tio ns 4 8 .5.4.3.4. Res o urc e Manag ement O p tio ns
76 8 76 9
4 8 .5.5. Ad d itio nal Res o urc es
770
4 8 .5.5.1. Ins talled Do c umentatio n
770
4 8 .5.5.2. Us eful Web s ites
770
4 8 .5.5.3. Related Bo o ks 4 8 .6 . Kerb ero s
770 770
4 8 .6 .1. What is Kerb ero s ?
771
4 8 .6 .1.1. Ad vantag es o f Kerb ero s
771
4 8 .6 .1.2. Dis ad vantag es o f Kerb ero s
771
4 8 .6 .2. Kerb ero s Termino lo g y
772
4 8 .6 .3. Ho w Kerb ero s Wo rks 4 8 .6 .4. Kerb ero s and PAM
774 775
4 8 .6 .5. Co nfig uring a Kerb ero s 5 Server
775
4 8 .6 .6 . Co nfig uring a Kerb ero s 5 Client
777
4 8 .6 .7. Do main-to -Realm Map p ing
778
4 8 .6 .8 . Setting Up Sec o nd ary KDCs 4 8 .6 .9 . Setting Up Cro s s Realm Authentic atio n
779 78 0
4 8 .6 .10 . Ad d itio nal Res o urc es
78 4
4 8 .6 .10 .1. Ins talled Do c umentatio n
78 4
4 8 .6 .10 .2. Us eful Web s ites
78 5
4 8 .7. Virtual Private Netwo rks (VPNs ) 4 8 .7.1. Ho w Do es a VPN Wo rk?
78 5 78 6
4 8 .7.2. VPNs and Red Hat Enterp ris e Linux
78 6
4 8 .7.3. IPs ec
78 6
4 8 .7.4. Creating an IPs ec Co nnec tio n
78 6
4 8 .7.5. IPs ec Ins tallatio n 4 8 .7.6 . IPs ec Ho s t-to -Ho s t Co nfig uratio n
78 7 78 7
4 8 .7.6 .1. Ho s t-to -Ho s t Co nnec tio n
78 7
4 8 .7.6 .2. Manual IPs ec Ho s t-to -Ho s t Co nfig uratio n
79 0
4 8 .7.6 .2.1. The Rac o o n Co nfig uratio n File
79 2
4 8 .7.7. IPs ec Netwo rk-to -Netwo rk Co nfig uratio n 4 8 .7.7.1. Netwo rk-to -Netwo rk (VPN) Co nnec tio n
79 3 79 4
4 8 .7.7.2. Manual IPs ec Netwo rk-to -Netwo rk Co nfig uratio n 4 8 .7.8 . Starting and Sto p p ing an IPs ec Co nnec tio n 4 8 .8 . Firewalls
79 7 800 800
4 8 .8 .1. Netfilter and IPTab les 4 8 .8 .1.1. IPTab les O verview
802 802
4 8 .8 .2. Bas ic Firewall Co nfig uratio n
802
4 8 .8 .2.1. Sec urity Level Co nfig uratio n To o l
803
4 8 .8 .2.2. Enab ling and Dis ab ling the Firewall
804
4 8 .8 .2.3. Trus ted Servic es
804
4 8 .8 .2.4. O ther Po rts 4 8 .8 .2.5. Saving the Setting s
805 805
4 8 .8 .2.6 . Ac tivating the IPTab les Servic e
805
4 8 .8 .3. Us ing IPTab les
806
4 8 .8 .3.1. IPTab les Co mmand Syntax
806
4 8 .8 .3.2. Bas ic Firewall Po lic ies 4 8 .8 .3.3. Saving and Res to ring IPTab les Rules
806 807
4 8 .8 .4. Co mmo n IPTab les Filtering
807
4 8 .8 .5. FO RWARD and NAT Rules
808
21
Deployment G uide 4 8 .8 .5. FO RWARD and NAT Rules
808
4 8 .8 .5.1. Po s tro uting and IP Mas q uerad ing
809
4 8 .8 .5.2. Prero uting 4 8 .8 .5.3. DMZs and IPTab les
8 10 8 10
4 8 .8 .6 . Malic io us So ftware and Sp o o fed IP Ad d res s es
8 11
4 8 .8 .7. IPTab les and Co nnec tio n Trac king
8 11
4 8 .8 .8 . IPv6
8 12
4 8 .8 .9 . Ad d itio nal Res o urc es 4 8 .8 .9 .1. Ins talled Do c umentatio n
8 12 8 12
4 8 .8 .9 .2. Us eful Web s ites
8 12
4 8 .8 .9 .3. Related Do c umentatio n
8 13
4 8 .9 . IPTab les
8 13
4 8 .9 .1. Pac ket Filtering 4 8 .9 .2. Differenc es Between IPTab les and IPChains
8 13 8 15
4 8 .9 .3. Co mmand O p tio ns fo r IPTab les
8 15
4 8 .9 .3.1. Struc ture o f IPTab les Co mmand O p tio ns
8 16
4 8 .9 .3.2. Co mmand O p tio ns
8 16
4 8 .9 .3.3. IPTab les Parameter O p tio ns 4 8 .9 .3.4. IPTab les Matc h O p tio ns
8 18 8 19
4 8 .9 .3.4.1. TCP Pro to c o l
8 19
4 8 .9 .3.4.2. UDP Pro to c o l
8 20
4 8 .9 .3.4.3. ICMP Pro to c o l
8 21
4 8 .9 .3.4.4. Ad d itio nal Matc h O p tio n Mo d ules
8 21
4 8 .9 .3.5. Targ et O p tio ns 4 8 .9 .3.6 . Lis ting O p tio ns
8 22 8 23
4 8 .9 .4. Saving IPTab les Rules
8 24
4 8 .9 .5. IPTab les Co ntro l Sc rip ts 4 8 .9 .5.1. IPTab les Co ntro l Sc rip ts Co nfig uratio n File
8 25 8 26
4 8 .9 .6 . IPTab les and IPv6
8 27
4 8 .9 .7. Ad d itio nal Res o urc es
8 27
4 8 .9 .7.1. Ins talled Do c umentatio n 4 8 .9 .7.2. Us eful Web s ites
8 27 8 27
. .hapt C . . . .er . .4. 9. .. Securit . . . . . . .y. and . . . .SELinux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.2. 9. . . . . . . . . . 4 9 .1. Ac c es s Co ntro l Mec hanis ms (ACMs ) 4 9 .1.1. Dis c retio nary Ac c es s Co ntro l (DAC)
8 29
4 9 .1.2. Ac c es s Co ntro l Lis ts (ACLs )
8 29
4 9 .1.3. Mand ato ry Ac c es s Co ntro l (MAC)
8 29
4 9 .1.4. Ro le-b as ed Ac c es s Co ntro l (RBAC)
8 29
4 9 .1.5. Multi-Level Sec urity (MLS)
8 29
4 9 .1.6 . Multi-Categ o ry Sec urity (MCS)
8 30
4 9 .2. Intro d uc tio n to SELinux 4 9 .2.1. SELinux O verview 4 9 .2.2. Files Related to SELinux
8 30 8 30 8 31
4 9 .2.2.1. The SELinux Ps eud o -File Sys tem
8 31
4 9 .2.2.2. SELinux Co nfig uratio n Files
8 32
4 9 .2.2.2.1. The /etc /s ys c o nfig /s elinux Co nfig uratio n File
8 32
4 9 .2.2.2.2. The /etc /s elinux/ Direc to ry
8 34
4 9 .2.2.3. SELinux Utilities
8 34
4 9 .2.3. Ad d itio nal Res o urc es
8 35
4 9 .2.3.1. Ins talled Do c umentatio n
22
8 29
8 35
9 .2.3.2. Us eful Web s ites 4 4 9 .3. Brief Bac kg ro und and His to ry o f SELinux
8 35 8 35
4 9 .4. Multi-Categ o ry Sec urity (MCS)
8 36
T able of Cont ent s 4 9 .4. Multi-Categ o ry Sec urity (MCS) 4 9 .4.1. Intro d uc tio n 4 9 .4.1.1. What is Multi-Categ o ry Sec urity?
8 36 8 36 8 36
4 9 .4.2. Ap p lic atio ns fo r Multi-Categ o ry Sec urity
8 36
4 9 .4.3. SELinux Sec urity Co ntexts
8 37
4 9 .5. G etting Started with Multi-Categ o ry Sec urity (MCS)
8 37
4 9 .5.1. Intro d uc tio n
8 37
4 9 .5.2. Co mp aring SELinux and Stand ard Linux Us er Id entities
8 38
4 9 .5.3. Co nfig uring Categ o ries
8 39
4 9 .5.4. As s ig ning Categ o ries to Us ers 4 9 .5.5. As s ig ning Categ o ries to Files
8 40 8 41
4 9 .6 . Multi-Level Sec urity (MLS) 4 9 .6 .1. Why Multi-Level?
8 42 8 42
4 9 .6 .1.1. The Bell-La Pad ula Mo d el (BLP)
8 43
4 9 .6 .1.2. MLS and Sys tem Privileg es
8 44
4 9 .6 .2. Sec urity Levels , O b jec ts and Sub jec ts
8 44
4 9 .6 .3. MLS Po lic y
8 45
4 9 .6 .4. Enab ling MLS in SELinux
8 45
4 9 .6 .5. LSPP Certific atio n
8 47
4 9 .7. SELinux Po lic y O verview 4 9 .7.1. What is the SELinux Po lic y? 4 9 .7.1.1. SELinux Typ es 4 9 .7.1.1.1. Us ing Po lic y Rules to Define Typ e Ac c es s 4 9 .7.1.2. SELinux and Mand ato ry Ac c es s Co ntro l
8 47 8 48 8 48 8 48 8 48
4 9 .7.2. Where is the Po lic y?
8 49
4 9 .7.2.1. Binary Tree Files
8 49
4 9 .7.2.2. So urc e Tree Files
8 50
4 9 .7.3. The Ro le o f Po lic y in the Bo o t Pro c es s
8 50
4 9 .7.4. O b jec t Clas s es and Permis s io ns
8 51
4 9 .8 . Targ eted Po lic y O verview 4 9 .8 .1. What is the Targ eted Po lic y?
8 52 8 52
4 9 .8 .2. Files and Direc to ries o f the Targ eted Po lic y
8 52
4 9 .8 .3. Und ers tand ing the Us ers and Ro les in the Targ eted Po lic y
8 53
. .hapt C . . . .er . .50 . . .. Working . . . . . . . .Wit ..h . . SELinux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8. 55 ........... 5 0 .1. End Us er Co ntro l o f SELinux
8 55
5 0 .1.1. Mo ving and Co p ying Files
8 55
5 0 .1.2. Chec king the Sec urity Co ntext o f a Pro c es s , Us er, o r File O b jec t
8 56
5 0 .1.3. Relab eling a File o r Direc to ry
8 57
5 0 .1.4. Creating Arc hives That Retain Sec urity Co ntexts
860
5 0 .2. Ad minis trato r Co ntro l o f SELinux 5 0 .2.1. Viewing the Status o f SELinux
862 862
5 0 .2.2. Relab eling a File Sys tem
863
5 0 .2.3. Manag ing NFS Ho me Direc to ries
864
5 0 .2.4. G ranting Ac c es s to a Direc to ry o r a Tree
864
5 0 .2.5. Bac king Up and Res to ring the Sys tem
865
5 0 .2.6 . Enab ling o r Dis ab ling Enfo rc ement
865
5 0 .2.7. Enab le o r Dis ab le SELinux
867
5 0 .2.8 . Chang ing the Po lic y
868
5 0 .2.9 . Sp ec ifying the Sec urity Co ntext o f Entire File Sys tems
869
5 0 .2.10 . Chang ing the Sec urity Categ o ry o f a File o r Us er 5 0 .2.11. Running a Co mmand in a Sp ec ific Sec urity Co ntext
8 70 8 70
5 0 .2.12. Us eful Co mmand s fo r Sc rip ts
8 70
5 0 .2.13. Chang ing to a Different Ro le
8 71
23
Deployment G uide 5 0 .2.13. Chang ing to a Different Ro le
8 71
5 0 .2.14. When to Reb o o t
8 71
5 0 .3. Analys t Co ntro l o f SELinux
8 71
5 0 .3.1. Enab ling Kernel Aud iting
8 71
5 0 .3.2. Dump ing and Viewing Lo g s
8 72
. .hapt C . . . .er . .51 . . .. Cust . . . . omiz . . . . ing . . . .SELinux . . . . . . . Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8. 7. 3. . . . . . . . . . 5 1.1. Intro d uc tio n
8 73
5 1.1.1. Mo d ular Po lic y 5 1.1.1.1. Lis ting Po lic y Mo d ules
8 73 8 73
5 1.2. Build ing a Lo c al Po lic y Mo d ule
8 74
5 1.2.1. Us ing aud it2allo w to Build a Lo c al Po lic y Mo d ule
8 74
5 1.2.2. Analyz ing the Typ e Enfo rc ement (TE) File
8 74
5 1.2.3. Lo ad ing the Po lic y Pac kag e
8 75
. .hapt C . . . .er . .52 . . .. References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.7. 6. . . . . . . . . . . .art P . . .VIII. . . . Red . . . . Hat . . . .T. raining . . . . . . .And . . . .Cert . . . .ificat . . . . ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.7. 8. . . . . . . . . . . .hapt C . . . .er . .53. . . .Red . . . .Hat . . . .T.raining . . . . . . .and . . . Cert . . . . ificat . . . . .ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.7. 9. . . . . . . . . . 5 3.1. Three Ways to Train 8 79 5 3.2. Mic ro s o ft Certified Pro fes s io nal Res o urc e Center
8 79
. .hapt C . . . .er . .54 . . .. Cert . . . .ificat . . . . ion . . . .T.racks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.8. 0. . . . . . . . . . 5 4.1. Free Pre-as s es s ment tes ts
880
. .hapt C . . . .er . .55. . . .RH0 . . . .33: . . .Red . . . .Hat . . . Linux . . . . . .Essent . . . . . .ials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.8. 1. . . . . . . . . . 5 5.1. Co urs e Des c rip tio n
881
5 5.1.1. Prereq uis ites
881
5 5.1.2. G o al
881
5 5.1.3. Aud ienc e 5 5.1.4. Co urs e O b jec tives
881 881
5 5.1.5. Fo llo w-o n Co urs es
881
. .hapt C . . . .er . .56 . . .. RH0 . . . .35: . . .Red . . . .Hat . . . .Linux . . . . .Essent . . . . . . ials . . . .for . . .Windows . . . . . . . .Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8. 8. 3. . . . . . . . . . 5 6 .1. Co urs e Des c rip tio n
883
5 6 .1.1. Prereq uis ites
883
5 6 .1.2. G o al
883
5 6 .1.3. Aud ienc e
883
5 6 .1.4. Co urs e O b jec tives
883
5 6 .1.5. Fo llo w-o n Co urs es
883
. .hapt C . . . .er . .57 . . .. RH1 . . . .33: . . .Red . . . .Hat . . . .Linux . . . . .Syst . . . .em . . .Administ . . . . . . . .rat . . ion . . . .and . . . Red . . . . Hat . . . . Cert . . . .ified . . . . T. echnician ....................... (RHCT ) Cert ificat ion 885 5 7.1. Co urs e Des c rip tio n
885
5 7.1.1. Prereq uis ites
885
5 7.1.2. G o al
885
5 7.1.3. Aud ienc e
885
5 7.1.4. Co urs e O b jec tives 5 7.1.5. Fo llo w-o n Co urs es
885 886
. .hapt C . . . .er . .58 . . .. RH2 . . . .0. 2. .RHCT . . . . . EXAM . . . . . .-. T . .he . . fast . . . .est . . . growing . . . . . . . .credent . . . . . . .ial . . in . . all . . .of . . Linux. . . . . . . . . . . . . . . . . . .8.8. 7. . . . . . . . . . 5 8 .1. Co urs e Des c rip tio n
887
5 8 .1.1. Prereq uis ites
887
. .hapt C . . . .er . .59 . . .. RH2 . . . .53 . . Red . . . . Hat . . . . Linux . . . . . Net . . . .working . . . . . . .and . . . .Securit . . . . . . y. .Administ . . . . . . . rat . . .ion . . . . . . . . . . . . . . . . . . . .8.8. 8. . . . . . . . . .
24
5 9 .1. Co urs e Des c rip tio n
888
5 9 .1.1. Prereq uis ites
888
T able of Cont ent s 5 9 .1.1. Prereq uis ites
888
5 9 .1.2. G o al
888
5 9 .1.3. Aud ienc e 5 9 .1.4. Co urs e O b jec tives
888 888
5 9 .1.5. Fo llo w-o n Co urs es
888
. .hapt C . . . .er . .6. 0. .. RH30 . . . . . 0. :. RHCE . . . . . .Rapid . . . . . t. rack . . . . course . . . . . . .(and . . . . RHCE . . . . . .exam) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.9. 0. . . . . . . . . . 6 0 .1. Co urs e Des c rip tio n
890
6 0 .1.1. Prereq uis ites
890
6 0 .1.2. G o al
890
6 0 .1.3. Aud ienc e
890
6 0 .1.4. Co urs e O b jec tives
890
6 0 .1.5. Fo llo w-o n Co urs es
890
. .hapt C . . . .er . .6. 1. .. RH30 . . . . . 2. .RHCE . . . . . EXAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.9. 1. . . . . . . . . . 6 1.1. Co urs e Des c rip tio n
891
6 1.1.1. Prereq uis ites
891
6 1.1.2. Co ntent
891
. .hapt C . . . .er . .6. 2. .. RHS333: . . . . . . . . RED . . . . HAT . . . . .ent . . .erprise . . . . . . securit . . . . . . y: . . net . . . work . . . . .services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.9. 2. . . . . . . . . . 6 2.1. Co urs e Des c rip tio n
892
6 2.1.1. Prereq uis ites
892
6 2.1.2. G o al
892
6 2.1.3. Aud ienc e 6 2.1.4. Co urs e O b jec tives
892 892
6 2.1.5. Fo llo w-o n Co urs es
893
. .hapt C . . . .er . .6. 3. . . RH4 . . . .0. 1. :. Red . . . . Hat . . . .Ent . . . erprise . . . . . . .Deployment . . . . . . . . . . .and . . . .syst . . . ems . . . . management . . . . . . . . . . . . . . . . . . . . . . . . .8.9. 4. . . . . . . . . . 6 3.1. Co urs e Des c rip tio n
894
6 3.1.1. Prereq uis ites
894
6 3.1.2. G o al
894
6 3.1.3. Aud ienc e
894
6 3.1.4. Co urs e O b jec tives
894
6 3.1.5. Fo llo w-o n Co urs es
895
. .hapt C . . . .er . .6. 4. .. RH4 . . . . 2. 3: . . Red . . . . Hat . . . .Ent . . . erprise . . . . . . .Direct . . . . .ory . . . services . . . . . . . .and . . . .aut . . .hent . . . .icat . . . ion . . . . . . . . . . . . . . . . .8.9. 6. . . . . . . . . . 6 4.1. Co urs e Des c rip tio n
896
6 4.1.1. Prereq uis ites
896
6 4.1.2. G o al
896
6 4.1.3. Aud ienc e
896
6 4.1.4. Co urs e O b jec tives
896
6 4.1.5. Fo llo w-o n Co urs es
896
. .hapt C . . . .er . .6. 5. . . SELinux . . . . . . . .Courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.9. 8. . . . . . . . . . 6 5.1. RHS427: Intro d uc tio n to SELinux and Red Hat Targ eted Po lic y 6 5.1.1. Aud ienc e 6 5.1.2. Co urs e Summary 6 5.2. RHS429 : Red Hat Enterp ris e SELinux Po lic y Ad minis tratio n
898 898 898 898
. .hapt C . . . .er . .6. 6. .. RH4 . . . . 36 . . :. Red . . . . Hat . . . .Ent . . . erprise . . . . . . .st. orage . . . . . .management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8.9. 9. . . . . . . . . . 6 6 .1. Co urs e Des c rip tio n
899
6 6 .1.1. Prereq uis ites
899
6 6 .1.2. G o al
899
6 6 .1.3. Aud ienc e
899
6 6 .1.4. Co urs e O b jec tives
899
6 6 .1.5. Fo llo w-o n Co urs es
900
25
Deployment G uide 6 6 .1.5. Fo llo w-o n Co urs es
900
. .hapt C . . . .er . .6. 7. .. RH4 . . . . 4. 2. :. Red . . . . Hat . . . . Ent . . . erprise . . . . . . .syst . . . .em . . .monit . . . . .oring . . . . .and . . . .performance . . . . . . . . . . . t. uning . . . . . . . . . . . . . .9.0. 1. . . . . . . . . . 6 7.1. Co urs e Des c rip tio n
901
6 7.1.1. Prereq uis ites
901
6 7.1.2. G o al
901
6 7.1.3. Aud ienc e
901
6 7.1.4. Co urs e O b jec tives
901
6 7.1.5. Fo llo w-o n Co urs es
902
. .hapt C . . . .er . .6. 8. .. Red . . . . Hat . . . .Ent . . . erprise . . . . . . .Linux . . . . .Developer . . . . . . . . . Courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9. 0. 3. . . . . . . . . . 6 8 .1. RHD143: Red Hat Linux Pro g ramming Es s entials 6 8 .2. RHD221 Red Hat Linux Devic e Drivers
903 903
6 8 .3. RHD236 Red Hat Linux Kernel Internals
903
6 8 .4. RHD256 Red Hat Linux Ap p lic atio n Develo p ment and Po rting
903
. .hapt C . . . .er . .6. 9. .. JBoss . . . . . . Courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9.0. 4. . . . . . . . . . 6 9 .1. RHD16 1 JBo s s and EJB3 fo r Java 6 9 .1.1. Prereq uis ites 6 9 .2. RHD16 3 JBo s s fo r Web Develo p ers 6 9 .2.1. Prereq uis ites 6 9 .3. RHD16 7: JBO SS - HIBERNATE ESSENTIALS 6 9 .3.1. Prereq uis ites 6 9 .3.2. Co urs e Summary 6 9 .4. RHD26 7: JBO SS - ADVANCED HIBERNATE 6 9 .4.1. Prereq uis ites 6 9 .5. RHD26 1:JBO SS fo r ad vanc ed J2EE d evelo p ers 6 9 .5.1. Prereq uis ites 6 9 .6 . RH336 : JBO SS fo r Ad minis trato rs
904 904 904 904 905 905 905 905 905 906 906 907
6 9 .6 .1. Prereq uis ites
907
6 9 .6 .2. Co urs e Summary
907
6 9 .7. RHD439 : JBo s s Clus tering
907
9 .7.1. Prereq uis ites 6 6 9 .8 . RHD449 : JBo s s jBPM
907 908
6 9 .8 .1. Des c rip tio n
908
6 9 .8 .2. Prereq uis ites
908
6 9 .9 . RHD451 JBo s s Rules 6 9 .9 .1. Prereq uis ites
908 909
. .ppendix A . . . . . . . A. . . Revision . . . . . . . . .Hist . . . ory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9.1. 0. . . . . . . . . . . .ppendix A . . . . . . . B. . . .Colophon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9. 1. 3. . . . . . . . . .
26
Int roduct ion
Introduction Welcome to the Red Hat Enterprise Linux Deployment Guide. The Red Hat Enterprise Linux D eployment Guide contains information on how to customize your Red Hat Enterprise Linux system to fit your needs. If you are looking for a comprehensive, task-oriented guide for configuring and customizing your system, this is the manual for you. This manual discusses many intermediate topics such as the following: Setting up a network interface card (NIC) Configuring a Virtual Private Network (VPN) Configuring Samba shares Managing your software with RPM D etermining information about your system Upgrading your kernel This manual is divided into the following main categories: File systems Package management Network-related configuration System configuration System monitoring Kernel and D river Configuration Security and Authentication Red Hat Training and Certification This guide assumes you have a basic understanding of your Red Hat Enterprise Linux system. If you need help installing Red Hat Enterprise Linux, refer to the Red Hat Enterprise Linux Installation Guide.
1. Document Convent ions In this manual, certain words are represented in different fonts, typefaces, sizes, and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. The types of words that are represented this way include the following: co mmand Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type the word or phrase on the command line and press Enter to invoke a command. Sometimes a command contains words that would be displayed in a different style on their own (such as file names). In these cases, they are considered to be part of the command, so the entire phrase is displayed as a command. For example:
27
Deployment G uide
Use the cat testfi l e command to view the contents of a file, named testfi l e, in the current working directory. fi l e name File names, directory names, paths, and RPM package names are represented this way. This style indicates that a particular file or directory exists with that name on your system. Examples: The . bashrc file in your home directory contains bash shell definitions and aliases for your own use. The /etc/fstab file contains information about different system devices and file systems. Install the webal i zer RPM if you want to use a Web server log file analysis program. ap p licat io n This style indicates that the program is an end-user application (as opposed to system software). For example: Use Mo z illa to browse the Web. key A key on the keyboard is shown in this style. For example: To use T ab completion to list particular files in a directory, type l s, then a character, and finally the T ab key. Your terminal displays the list of files in the working directory that begin with that character. key+ co mbi nati o n A combination of keystrokes is represented in this way. For example: The C trl +Al t+Backspace key combination exits your graphical session and returns you to the graphical login screen or the console. text fo und o n a G UI i nterface A title, word, or phrase found on a GUI interface screen or window is shown in this style. Text shown in this style indicates a particular GUI screen or an element on a GUI screen (such as text associated with a checkbox or field). Example: Select the R eq ui re P asswo rd checkbox if you would like your screensaver to require a password before stopping. t o p level o f a men u o n a G U I screen o r win d o w A word in this style indicates that the word is the top level of a pulldown menu. If you click on the word on the GUI screen, the rest of the menu should appear. For example: Under File on a GNOME terminal, the N ew T ab option allows you to open multiple shell prompts in the same window. Instructions to type in a sequence of commands from a GUI menu look like the following example: Go to Ap p licat io n s (the main menu on the panel) > Pro g rammin g > Emacs T ext Ed it o r to start the Emacs text editor.
28
Int roduct ion
butto n o n a G UI screen o r wi nd o w This style indicates that the text can be found on a clickable button on a GUI screen. For example: Click on the Back button to return to the webpage you last viewed. co mputer o utput Text in this style indicates text displayed to a shell prompt such as error messages and responses to commands. For example: The l s command displays the contents of a directory. For example: Desktop about.html Mail backupfiles
logs mail
paulwesterberg.png reports
The output returned in response to the command (in this case, the contents of the directory) is shown in this style. pro mpt A prompt, which is a computer's way of signifying that it is ready for you to input something, is shown in this style. Examples: $ # [stephen@ maturi n stephen]$ l eo pard l o g i n: user i nput Text that the user types, either on the command line or into a text box on a GUI screen, is displayed in this style. In the following example, text is displayed in this style: To boot your system into the text based installation program, you must type in the text command at the bo o t: prompt. Text used in examples that is meant to be replaced with data provided by the user is displayed in this style. In the following example, is displayed in this style: The directory for the kernel source is /usr/src/kernel s//, where is the version and type of kernel installed on this system. Additionally, we use several different strategies to draw your attention to certain pieces of information. In order of urgency, these items are marked as a note, tip, important, caution, or warning. For example:
Note Remember that Linux is case sensitive. In other words, a rose is not a ROSE is not a rOsE.
29
Deployment G uide
T ip The directory /usr/share/d o c/ contains additional documentation for packages installed on your system.
Important If you modify the D HCP configuration file, the changes do not take effect until you restart the D HCP daemon.
Caution D o not perform routine tasks as root — use a regular user account unless you need to use the root account for system administration tasks.
Warning Be careful to remove only the necessary partitions. Removing other partitions could result in data loss or a corrupted system environment.
2. Send in Your Feedback If you find an error in the Red Hat Enterprise Linux Deployment Guide, or if you have thought of a way to make this manual better, we would like to hear from you! Submit a report in Bugzilla (http: //bug zi l l a. red hat. co m/bug zi l l a/) against the component D epl o yment_G ui d e. If you have a suggestion for improving the documentation, try to be as specific as possible. If you have found an error, include the section number and some of the surrounding text so we can find it easily.
30
P art I. File Syst ems
Part I. File Systems File system refers to the files and directories stored on a computer. A file system can have different formats called file system types. These formats determine how the information is stored as files and directories. Some file system types store redundant copies of the data, while some file system types make hard drive access faster. This part discusses the ext3, swap, RAID , and LVM file system types. It also discusses the parted utility to manage partitions and access control lists (ACLs) to customize file permissions.
31
Deployment G uide
Chapter 1. File System Structure 1.1. Why Share a Common St ruct ure? The file system structure is the most basic level of organization in an operating system. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it organizes files on storage devices. Providing a common file system structure ensures users and programs are able to access and write files. File systems break files down into two logical categories: Shareable vs. unshareable files Variable vs. static files Shareable files are those that can be accessed locally and by remote hosts; unshareable files are only available locally. Variable files, such as documents, can be changed at any time; static files, such as binaries, do not change without an action from the system administrator. The reason for looking at files in this manner is to help correlate the function of the file with the permissions assigned to the directories which hold them. The way in which the operating system and its users interact with a given file determines the directory in which it is placed, whether that directory is mounted with read-only or read/write permissions, and the level of access each user has to that file. The top level of this organization is crucial. Access to the underlying directories can be restricted or security problems could manifest themselves if, from the top level down, it does not adhere to a rigid structure.
1.2. Overview of File Syst em Hierarchy St andard (FHS) Red Hat Enterprise Linux uses the Filesystem Hierarchy Standard (FHS) file system structure, which defines the names, locations, and permissions for many file types and directories. The FHS document is the authoritative reference to any FHS-compliant file system, but the standard leaves many areas undefined or extensible. This section is an overview of the standard and a description of the parts of the file system not covered by the standard. Compliance with the standard means many things, but the two most important are compatibility with other compliant systems and the ability to mount a /usr/ partition as read-only. This second point is important because the directory contains common executables and should not be changed by users. Also, since the /usr/ directory is mounted as read-only, it can be mounted from the CD -ROM or from another machine via a read-only NFS mount.
1.2.1. FHS Organiz at ion The directories and files noted here are a small subset of those specified by the FHS document. Refer to the latest FHS document for the most complete information. The complete standard is available online at http://www.pathname.com/fhs/.
1 .2 .1 .1 . T he /bo o t/ Dire ct o ry The /bo o t/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly.
32
Chapt er 1 . File Syst em St ruct ure
Warning D o not remove the /bo o t/ directory. D oing so renders the system unbootable.
1 .2 .1 .2 . T he /d ev/ Dire ct o ry The /d ev/ directory contains device nodes that either represent devices that are attached to the system or virtual devices that are provided by the kernel. These device nodes are essential for the system to function properly. The ud ev daemon takes care of creating and removing all these device nodes in /d ev/. D evices in the /d ev directory and subdirectories are either character (providing only a serial stream of input/output) or block (accessible randomly). Character devices include mouse, keyboard, modem while block devices include hard disk, floppy drive etc. If you have GNOME or KD E installed in your system, devices such as external drives or cds are automatically detected when connected (e.g via usb) or inserted (e.g via CD or D VD drive) and a popup window displaying the contents is automatically displayed. Files in the /d ev directory are essential for the system to function properly. T ab le 1.1. Examp les o f co mmo n f iles in t h e /d ev File
D escrip t io n
/dev/hda /dev/hdb /dev/tty0 /dev/tty1 /dev/sda
The master device on primary ID E channel. The slave device on primary ID E channel. The first virtual console. The second virtual console. The first device on primary SCSI or SATA channel. The first parallel port.
/dev/lp0
1 .2 .1 .3. T he /etc/ Dire ct o ry The /etc/ directory is reserved for configuration files that are local to the machine. No binaries are to be placed in /etc/. Any binaries that were once located in /etc/ should be placed into /sbi n/ or /bi n/. Examples of directories in /etc are the X11/ and skel /: /etc |- X11/ |- skel/ The /etc/X11/ directory is for X Window System configuration files, such as xo rg . co nf. The /etc/skel / directory is for " skeleton" user files, which are used to populate a home directory when a user is first created. Applications also store their configuration files in this directory and may reference them when they are executed.
1 .2 .1 .4 . T he /l i b/ Dire ct o ry The /l i b/ directory should contain only those libraries needed to execute the binaries in /bi n/ and /sbi n/. These shared library images are particularly important for booting the system and executing commands within the root file system.
33
Deployment G uide
1 .2 .1 .5 . T he /med i a/ Dire ct o ry The /med i a/ directory contains subdirectories used as mount points for removable media such as usb storage media, D VD s, CD -ROMs, and Z ip disks.
1 .2 .1 .6 . T he /mnt/ Dire ct o ry The /mnt/ directory is reserved for temporarily mounted file systems, such as NFS file system mounts. For all removable media, please use the /med i a/ directory. Automatically detected removable media will be mounted in the /med i a directory.
Note The /mnt directory must not be used by installation programs.
1 .2 .1 .7 . T he /o pt/ Dire ct o ry The /o pt/ directory provides storage for most application software packages. A package placing files in the /o pt/ directory creates a directory bearing the same name as the package. This directory, in turn, holds files that otherwise would be scattered throughout the file system, giving the system administrator an easy way to determine the role of each file within a particular package. For example, if sampl e is the name of a particular software package located within the /o pt/ directory, then all of its files are placed in directories inside the /o pt/sampl e/ directory, such as /o pt/sampl e/bi n/ for binaries and /o pt/sampl e/man/ for manual pages. Packages that encompass many different sub-packages, data files, extra fonts, clipart etc are also located in the /o pt/ directory, giving that large package a way to organize itself. In this way, our sampl e package may have different tools that each go in their own sub-directories, such as /o pt/sampl e/to o l 1/ and /o pt/sampl e/to o l 2/, each of which can have their own bi n/, man/, and other similar directories.
1 .2 .1 .8 . T he /pro c/ Dire ct o ry The /pro c/ directory contains special files that either extract information from or send information to the kernel. Examples include system memory, cpu information, hardware configuration etc. D ue to the great variety of data available within /pro c/ and the many ways this directory can be used to communicate with the kernel, an entire chapter has been devoted to the subject. For more information, refer to Chapter 5, The proc File System.
1 .2 .1 .9 . T he /sbi n/ Dire ct o ry The /sbi n/ directory stores executables used by the root user. The executables in /sbi n/ are used at boot time, for system administration and to perform system recovery operations. Of this directory, the FHS says: /sbi n contains binaries essential for booting, restoring, recovering, and/or repairing the system in addition to the binaries in /bi n. Programs executed after /usr/ is known to be mounted (when there are no problems) are generally placed into /usr/sbi n. Locally-installed system administration programs should be placed into /usr/l o cal /sbi n.
34
Chapt er 1 . File Syst em St ruct ure
At a minimum, the following programs should be in /sbi n/: arp, cl o ck, hal t, i ni t, fsck. *, g rub, i fco nfi g , mi ng etty, mkfs. *, mkswap, rebo o t, ro ute, shutd o wn, swapo ff, swapo n
1 .2 .1 .1 0 . T he /srv/ Dire ct o ry The /srv/ directory contains site-specific data served by your system running Red Hat Enterprise Linux. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. D ata that only pertains to a specific user should go in the /ho me/ directory.
1 .2 .1 .1 1 . T he /sys/ Dire ct o ry The /sys/ directory utilizes the new sysfs virtual file system specific to the 2.6 kernel. With the increased support for hot plug hardware devices in the 2.6 kernel, the /sys/ directory contains information similarly held in /pro c/, but displays a hierarchical view of specific device information in regards to hot plug devices.
1 .2 .1 .1 2 . T he /usr/ Dire ct o ry The /usr/ directory is for files that can be shared across multiple machines. The /usr/ directory is often on its own partition and is mounted read-only. At a minimum, the following directories should be subdirectories of /usr/: /usr ||||||||||||-
bin/ etc/ games/ include/ kerberos/ lib/ libexec/ local/ sbin/ share/ src/ tmp -> ../var/tmp/
Under the /usr/ directory, the bi n/ subdirectory contains executables, etc/ contains system-wide configuration files, g ames is for games, i ncl ud e/ contains C header files, kerbero s/ contains binaries and other Kerberos-related files, and l i b/ contains object files and libraries that are not designed to be directly utilized by users or shell scripts. The l i bexec/ directory contains small helper programs called by other programs, sbi n/ is for system administration binaries (those that do not belong in the /sbi n/ directory), share/ contains files that are not architecture-specific, src/ is for source code.
1 .2 .1 .1 3. T he /usr/l o cal / Dire ct o ry
35
Deployment G uide
The FHS says: The /usr/l o cal hierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated. It may be used for programs and data that are shareable among a group of hosts, but not found in /usr. The /usr/l o cal / directory is similar in structure to the /usr/ directory. It has the following subdirectories, which are similar in purpose to those in the /usr/ directory: /usr/local |- bin/ |- etc/ |- games/ |- include/ |- lib/ |- libexec/ |- sbin/ |- share/ |- src/ In Red Hat Enterprise Linux, the intended use for the /usr/l o cal / directory is slightly different from that specified by the FHS. The FHS says that /usr/l o cal / should be where software that is to remain safe from system software upgrades is stored. Since software upgrades can be performed safely with RPM Package Manager (RPM), it is not necessary to protect files by putting them in /usr/l o cal /. Instead, the /usr/l o cal / directory is used for software that is local to the machine. For instance, if the /usr/ directory is mounted as a read-only NFS share from a remote host, it is still possible to install a package or program under the /usr/l o cal / directory.
1 .2 .1 .1 4 . T he /var/ Dire ct o ry Since the FHS requires Linux to mount /usr/ as read-only, any programs that write log files or need spo o l / or l o ck/ directories should write them to the /var/ directory. The FHS states /var/ is for: ...variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files. Below are some of the directories found within the /var/ directory: /var |||||||||||||||-
36
account/ arpwatch/ cache/ crash/ db/ empty/ ftp/ gdm/ kerberos/ lib/ local/ lock/ log/ mail -> spool/mail/ mailman/
Chapt er 1 . File Syst em St ruct ure
|||||+-
||||-
named/ nis/ opt/ preserve/ run/ spool/ |- at/ |- clientmqueue/ |- cron/ |- cups/ |- exim/ |- lpd/ |- mail/ |- mailman/ |- mqueue/ |- news/ |- postfix/ |- repackage/ |- rwho/ |- samba/ |- squid/ |- squirrelmail/ |- up2date/ |- uucp |- uucppublic/ |- vbox/ tmp/ tux/ www/ yp/
System log files, such as messag es and l astl o g , go in the /var/l o g / directory. The /var/l i b/rpm/ directory contains RPM system databases. Lock files go in the /var/l o ck/ directory, usually in directories for the program using the file. The /var/spo o l / directory has subdirectories for programs in which data files are stored.
1.3. Special File Locat ions Under Red Hat Ent erprise Linux Red Hat Enterprise Linux extends the FHS structure slightly to accommodate special files. Most files pertaining to RPM are kept in the /var/l i b/rpm/ directory. For more information on RPM, refer to the chapter Chapter 12, Package Management with RPM. The /var/cache/yum/ directory contains files used by the Packag e U p d at er, including RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about R ed H at N et wo rk, refer to Chapter 15, Registering a System and Managing Subscriptions. Another location specific to Red Hat Enterprise Linux is the /etc/sysco nfi g / directory. This directory stores a variety of configuration information. Many scripts that run at boot time use the files in this directory. Refer to Chapter 32, The sysconfig Directory for more information about what is within this directory and the role these files play in the boot process.
37
Deployment G uide
Chapter 2. Using the
mo unt
Command
On Linux, UNIX, and similar operating systems, file systems on different partitions and removable devices like CD s, D VD s, or USB flash drives can be attached to a certain point (that is, the mount point) in the directory tree, and detached again. To attach or detach a file system, you can use the mo unt or umo unt command respectively. This chapter describes the basic usage of these commands, and covers some advanced topics such as moving a mount point or creating shared subtrees.
2.1. List ing Current ly Mount ed File Syst ems To display all currently attached file systems, run the mo unt command with no additional arguments: mo unt This command displays the list of known mount points. Each line provides important information about the device name, the file system type, the directory in which it is mounted, and relevant mount options in the following form: device on directory type type (options) By default, the output includes various virtual file systems such as sysfs, tmpfs, and others. To display only the devices with a certain file system type, supply the -t option on the command line: mo unt -t type For a list of common file system types, refer to Table 2.1, “ Common File System Types” . For an example on how to use the mo unt command to list the mounted file systems, see Example 2.1, “ Listing Currently Mounted ext3 File Systems” .
Examp le 2.1. List in g C u rren t ly Mo u n t ed ext3 File Syst ems Usually, both / and /bo o t partitions are formatted to use ext3. To display only the mount points that use this file system, type the following at a shell prompt: ~]$ mo unt -t ext3 /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) /dev/vda1 on /boot type ext3 (rw)
2.2. Mount ing a File Syst em To attach a certain file system, use the mo unt command in the following form: mo unt [option…] device directory When the mo unt command is run, it reads the content of the /etc/fstab configuration file to see if the given file system is listed. This file contains a list of device names and the directory in which the selected file systems should be mounted, as well as the file system type and mount options. Because of this, when you are mounting a file system that is specified in this file, you can use one of the following variants of the command:
38
Chapt er 2 . Using t he mount Command
mo unt [option…] directory mo unt [option…] device Note that unless you are logged in as ro o t, you must have permissions to mount the file system (see Section 2.2.2, “ Specifying the Mount Options” ).
2.2.1. Specifying t he File Syst em T ype In most cases, mo unt detects the file system automatically. However, there are certain file systems, such as NFS (Network File System) or C IFS (Common Internet File System), that are not recognized, and need to be specified manually. To specify the file system type, use the mo unt command in the following form: mo unt -t type device directory Table 2.1, “ Common File System Types” provides a list of common file system types that can be used with the mo unt command. For a complete list of all available file system types, consult the relevant manual page as referred to in Section 2.4.1, “ Installed D ocumentation” . T ab le 2.1. C o mmo n File Syst em T yp es T yp e
D escrip t io n
ext2 ext3 ext4 i so 9 6 6 0
The ext2 file system. The ext3 file system. The ext4 file system. The ISO 9 6 6 0 file system. It is commonly used by optical media, typically CD s. The JFS file system created by IBM. The NFS file system. It is commonly used to access files over the network. The NFSv4 file system. It is commonly used to access files over the network. The NT FS file system. It is commonly used on machines that are running the Windows operating system. The UD F file system. It is commonly used by optical media, typically D VD s. The FAT file system. It is commonly used on machines that are running the Windows operating system, and on certain digital media such as USB flash drives or floppy disks.
jfs nfs nfs4 ntfs ud f vfat
See Example 2.2, “ Mounting a USB Flash D rive” for an example usage.
Examp le 2.2. Mo u n t in g a U SB Flash D rive Older USB flash drives often use the FAT file system. Assuming that such drive uses the /d ev/sd c1 device and that the /med i a/fl ashd i sk/ directory exists, you can mount it to this directory by typing the following at a shell prompt as ro o t: ~]# mo unt -t vfat /d ev/sd c1 /med i a/fl ashd i sk
2.2.2. Specifying t he Mount Opt ions To specify additional mount options, use the command in the following form:
39
Deployment G uide
mo unt -o options When supplying multiple options, do not insert a space after a comma, or mo unt will incorrectly interpret the values following spaces as additional parameters. Table 2.2, “ Common Mount Options” provides a list of common mount options. For a complete list of all available options, consult the relevant manual page as referred to in Section 2.4.1, “ Installed D ocumentation” . T ab le 2.2. C o mmo n Mo u n t O p t io n s O p t io n
D escrip t io n
async auto
Allows the asynchronous input/output operations on the file system. Allows the file system to be mounted automatically using the mo unt -a command. Provides an alias for async,auto ,d ev,exec,no user,rw,sui d . Allows the execution of binary files on the particular file system. Mounts an image as a loop device. D isallows the automatic mount of the file system using the mo unt -a command. D isallows the execution of binary files on the particular file system. D isallows an ordinary user (that is, other than ro o t) to mount and unmount the file system. Remounts the file system in case it is already mounted. Mounts the file system for reading only. Mounts the file system for both reading and writing. Allows an ordinary user (that is, other than ro o t) to mount and unmount the file system.
d efaul ts exec loop no auto no exec no user remo unt ro rw user
See Example 2.3, “ Mounting an ISO Image” for an example usage.
Examp le 2.3. Mo u n t in g an ISO Imag e An ISO image (or a disk image in general) can be mounted by using the loop device. Assuming that the ISO image of the Fedora 14 installation disc is present in the current working directory and that the /med i a/cd ro m/ directory exists, you can mount the image to this directory by running the following command as ro o t: ~]# mo unt -o ro ,l o o p Fed o ra-14 -x86 _6 4 -Li ve-D eskto p. i so /med i a/cd ro m Note that ISO 9660 is by design a read-only file system.
2.2.3. Sharing Mount s Occasionally, certain system administration tasks require access to the same file system from more than one place in the directory tree (for example, when preparing a chroot environment). To address such requirements, the mo unt command implements the --bi nd option that provides a means for duplicating certain mounts. Its usage is as follows: mo unt --bi nd old_directory new_directory
40
Chapt er 2 . Using t he mount Command
Although the above command allows a user to access the file system from both places, it does not apply on the file systems that are mounted within the original directory. To include these mounts as well, type: mo unt --rbi nd old_directory new_directory Additionally, to provide as much flexibility as possible, Red Hat Enterprise Linux 5.10 implements the functionality known as shared subtrees. This feature allows you to use the following four mount types: Sh ared Mo u n t A shared mount allows you to create an exact replica of a given mount point. When a shared mount is created, any mount within the original mount point is reflected in it, and vice versa. To create a shared mount, type the following at a shell prompt: mo unt --make-shared mount_point Alternatively, you can change the mount type for the selected mount point and all mount points under it: mo unt --make-rshared mount_point See Example 2.4, “ Creating a Shared Mount Point” for an example usage.
Examp le 2.4 . C reat in g a Sh ared Mo u n t Po in t There are two places where other file systems are commonly mounted: the /med i a directory for removable media, and the /mnt directory for temporarily mounted file systems. By using a shared mount, you can make these two directories share the same content. To do so, as ro o t, mark the /med i a directory as “ shared” : ~]# mo unt --bi nd /med i a /med i a ~]# mo unt --make-shared /med i a Then create its duplicate in /mnt by using the following command: ~]# mo unt --bi nd /med i a /mnt You can now verify that a mount within /med i a also appears in /mnt. For example, if you have non-empty media in your CD -ROM drive and the /med i a/cd ro m/ directory exists, run the following commands: ~]# mo unt /d ev/cd ro m /med i a/cd ro m ~]# l s /med i a/cd ro m EFI GPL isolinux LiveOS ~]# l s /mnt/cd ro m EFI GPL isolinux LiveOS Similarly, you can verify that any file system mounted in the /mnt directory is reflected in /med i a. For instance, if you have a non-empty USB flash drive that uses the /d ev/sd c1 device plugged in and the /mnt/fl ashd i sk/ directory is present, type: ~]# mo unt /d ev/sd c1 /mnt/fl ashd i sk
41
Deployment G uide
~]# l s en-US ~]# l s en-US
/med i a/fl ashd i sk publican.cfg /mnt/fl ashd i sk publican.cfg
Slave Mo u n t A slave mount allows you to create a limited duplicate of a given mount point. When a slave mount is created, any mount within the original mount point is reflected in it, but no mount within a slave mount is reflected in its original. To create a slave mount, type the following at a shell prompt: mo unt --make-sl ave mount_point Alternatively, you can change the mount type for the selected mount point and all mount points under it: mo unt --make-rsl ave mount_point See Example 2.5, “ Creating a Slave Mount Point” for an example usage.
Examp le 2.5. C reat in g a Slave Mo u n t Po in t Imagine you want the content of the /med i a directory to appear in /mnt as well, but you do not want any mounts in the /mnt directory to be reflected in /med i a. To do so, as ro o t, first mark the /med i a directory as “ shared” : ~]# mo unt --bi nd /med i a /med i a ~]# mo unt --make-shared /med i a Then create its duplicate in /mnt, but mark it as “ slave” : ~]# mo unt --bi nd /med i a /mnt ~]# mo unt --make-sl ave /mnt You can now verify that a mount within /med i a also appears in /mnt. For example, if you have non-empty media in your CD -ROM drive and the /med i a/cd ro m/ directory exists, run the following commands: ~]# mo unt /d ev/cd ro m /med i a/cd ro m ~]# l s /med i a/cd ro m EFI GPL isolinux LiveOS ~]# l s /mnt/cd ro m EFI GPL isolinux LiveOS You can also verify that file systems mounted in the /mnt directory are not reflected in /med i a. For instance, if you have a non-empty USB flash drive that uses the /d ev/sd c1 device plugged in and the /mnt/fl ashd i sk/ directory is present, type: : ~]# mo unt /d ev/sd c1 /mnt/fl ashd i sk ~]# l s /med i a/fl ashd i sk ~]# l s /mnt/fl ashd i sk en-US publican.cfg
42
Chapt er 2 . Using t he mount Command
Privat e Mo u n t A private mount allows you to create an ordinary mount. When a private mount is created, no subsequent mounts within the original mount point are reflected in it, and no mount within a private mount is reflected in its original. To create a private mount, type the following at a shell prompt: mo unt --make-pri vate mount_point Alternatively, you can change the mount type for the selected mount point and all mount points under it: mo unt --make-rpri vate mount_point See Example 2.6, “ Creating a Private Mount Point” for an example usage.
Examp le 2.6 . C reat in g a Privat e Mo u n t Po in t Taking into account the scenario in Example 2.4, “ Creating a Shared Mount Point” , assume that you have previously created a shared mount point by using the following commands as ro o t: ~]# mo unt --bi nd /med i a /med i a ~]# mo unt --make-shared /med i a ~]# mo unt --bi nd /med i a /mnt To mark the /mnt directory as “ private” , type: ~]# mo unt --make-pri vate /mnt You can now verify that none of the mounts within /med i a appears in /mnt. For example, if you have non-empty media in your CD -ROM drive and the /med i a/cd ro m/ directory exists, run the following commands: ~]# mo unt /d ev/cd ro m /med i a/cd ro m ~]# l s /med i a/cd ro m EFI GPL isolinux LiveOS ~]# l s /mnt/cd ro m ~]# You can also verify that file systems mounted in the /mnt directory are not reflected in /med i a. For instance, if you have a non-empty USB flash drive that uses the /d ev/sd c1 device plugged in and the /mnt/fl ashd i sk/ directory is present, type: ~]# mo unt /d ev/sd c1 /mnt/fl ashd i sk ~]# l s /med i a/fl ashd i sk ~]# l s /mnt/fl ashd i sk en-US publican.cfg U n b in d ab le Mo u n t An unbindable mount allows you to prevent a given mount point from being duplicated whatsoever. To create an unbindable mount, type the following at a shell prompt:
43
Deployment G uide
mo unt --make-unbi nd abl e mount_point Alternatively, you can change the mount type for the selected mount point and all mount points under it: mo unt --make-runbi nd abl e mount_point See Example 2.7, “ Creating an Unbindable Mount Point” for an example usage.
Examp le 2.7. C reat in g an U n b in d ab le Mo u n t Po in t To prevent the /med i a directory from being shared, as ro o t, type the following at a shell prompt: ~]# mo unt --bi nd /med i a /med i a ~]# mo unt --make-unbi nd abl e /med i a This way, any subsequent attempt to make a duplicate of this mount will fail with an error: ~]# mo unt --bi nd /med i a /mnt mount: wrong fs type, bad option, bad superblock on /media/, missing code page or other error In some cases useful info is found in syslog - try dmesg | tail or so
2.2.4 . Moving a Mount Point To change the directory in which a file system is mounted, use the following command: mo unt --mo ve old_directory new_directory See Example 2.8, “ Moving an Existing NFS Mount Point” for an example usage.
Examp le 2.8. Mo vin g an Exist in g N FS Mo u n t Po in t Imagine that you have an NFS storage that contains user directories. Assuming that this storage is already mounted in /mnt/userd i rs/, as ro o t, you can move this mount point to /ho me by using the following command: ~]# mo unt --mo ve /mnt/userd i rs /ho me To verify the mount point has been moved, list the content of both directories: ~]# l s /mnt/userd i rs ~]# l s /ho me jill joe
2.3. Unmount ing a File Syst em 44
Chapt er 2 . Using t he mount Command
2.3. Unmount ing a File Syst em To detach a previously mounted file system, use either of the following variants of the umo unt command: umo unt directory umo unt device Note that unless you are logged in as ro o t, you must have permissions to unmount the file system (see Section 2.2.2, “ Specifying the Mount Options” ). See Example 2.9, “ Unmounting a CD ” for an example usage.
Important: Make Sure the File System Is Not in Use When a file system is in use (for example, when a process is reading a file on this file system), running the umo unt command will fail with an error. To determine which processes are accessing the file system, use the fuser command in the following form: fuser -m directory For example, to list the processes that are accessing a file system mounted to the /med i a/cd ro m/ directory, type: ~]$ fuser -m /med i a/cd ro m /media/cdrom: 1793
2013
2022
2435 10532c 10672c
Examp le 2.9 . U n mo u n t in g a C D To unmount a CD that was previously mounted to the /med i a/cd ro m/ directory, type the following at a shell prompt: ~]$ umo unt /med i a/cd ro m
2.4 . Addit ional Resources The following resources provide an in-depth documentation on the subject.
2.4 .1. Inst alled Document at ion man 8 mo unt — The manual page for the mo unt command that provides a full documentation on its usage. man 8 umo unt — The manual page for the umo unt command that provides a full documentation on its usage. man 5 fstab — The manual page providing a thorough description of the /etc/fstab file format.
45
Deployment G uide
2.4 .2. Useful Websit es Shared subtrees — An LWN article covering the concept of shared subtrees. sharedsubtree.txt — Extensive documentation that is shipped with the shared subtrees patches.
46
Chapt er 3. T he ext 3 File Syst em
Chapter 3. The ext3 File System The default file system is the journaling ext3 file system.
3.1. Feat ures of ext 3 The ext3 file system is essentially an enhanced version of the ext2 file system. These improvements provide the following advantages: Availab ilit y After an unexpected power failure or system crash (also called an unclean system shutdown), each mounted ext2 file system on the machine must be checked for consistency by the e2fsck program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. D uring this time, any data on the volumes is unreachable. The journaling provided by the ext3 file system means that this sort of file system check is no longer necessary after an unclean system shutdown. The only time a consistency check occurs using ext3 is in certain rare hardware failure cases, such as hard drive failures. The time to recover an ext3 file system after an unclean system shutdown does not depend on the size of the file system or the number of files; rather, it depends on the size of the journal used to maintain consistency. The default journal size takes about a second to recover, depending on the speed of the hardware. D at a In t eg rit y The ext3 file system prevents loss of data integrity in the event that an unclean system shutdown occurs. The ext3 file system allows you to choose the type and level of protection that your data receives. By default, the ext3 volumes are configured to keep a high level of data consistency with regard to the state of the file system. Sp eed D espite writing some data more than once, ext3 has a higher throughput in most cases than ext2 because ext3's journaling optimizes hard drive head motion. You can choose from three journaling modes to optimize speed, but doing so means trade-offs in regards to data integrity if the system was to fail. Easy T ran sit io n It is easy to migrate from ext2 to ext3 and gain the benefits of a robust journaling file system without reformatting. Refer to Section 3.3, “ Converting to an ext3 File System” for more on how to perform this task. The following sections walk you through the steps for creating and tuning ext3 partitions. For ext2 partitions, skip the partitioning and formatting sections below and go directly to Section 3.3, “ Converting to an ext3 File System” .
3.2. Creat ing an ext 3 File Syst em After installation, it is sometimes necessary to create a new ext3 file system. For example, if you add a new disk drive to the system, you may want to partition the drive and use the ext3 file system. The steps for creating an ext3 file system are as follows:
47
Deployment G uide
1. Format the partition with the ext3 file system using mkfs. 2. Label the partition using e2l abel .
3.3. Convert ing t o an ext 3 File Syst em The tune2fs allows you to convert an ext2 filesystem to ext3.
Note Always use the e2fsck utility to check your filesystem before and after using tune2fs. A default installation of Red Hat Enterprise Linux uses ext3 for all file systems. To convert an ext2 filesystem to ext3, log in as root and type the following command in a terminal: tune2fs -j where contains the ext2 filesystem you wish to convert. A valid block device could be one of two types of entries: A mapped device — A logical volume in a volume group, for example, /d ev/mapper/Vo l G ro up0 0 -Lo g Vo l 0 2. A static device — A traditional storage volume, for example, /d ev/hdbX, where hdb is a storage device name and X is the partition number. Issue the d f command to display mounted file systems. For the remainder of this section, the sample commands use the following value for the block device: /dev/mapper/VolGroup00-LogVol02 You must recreate the initrd image so that it will contain the ext3 kernel module. To create this, run the mki ni trd program. For information on using the mki ni trd command, type man mki ni trd . Also, make sure your GRUB configuration loads the i ni trd . If you fail to make this change, the system still boots, but the file system is mounted as ext2 instead of ext3.
3.4 . Revert ing t o an ext 2 File Syst em If you wish to revert a partition from ext3 to ext2 for any reason, you must first unmount the partition by logging in as root and typing, umo unt /dev/mapper/VolGroup00-LogVol02 Next, change the file system type to ext2 by typing the following command as root: tune2fs -O ^has_jo urnal /dev/mapper/VolGroup00-LogVol02 Check the partition for errors by typing the following command as root:
48
Chapt er 3. T he ext 3 File Syst em
e2fsck -y /dev/mapper/VolGroup00-LogVol02 Then mount the partition again as ext2 file system by typing: mo unt -t ext2 /dev/mapper/VolGroup00-LogVol02 /mount/point In the above command, replace /mount/point with the mount point of the partition. Next, remove the . jo urnal file at the root level of the partition by changing to the directory where it is mounted and typing: rm -f . jo urnal You now have an ext2 partition. If you want to permanently change the partition to ext2, remember to update the /etc/fstab file.
49
Deployment G uide
Chapter 4. The ext4 File System 4 .1. Feat ures of ext 4 The ext4 file system is a scalable extension of the ext3 file system, which is the default file system of Red Hat Enterprise Linux 5. The ext4 file system can support files and file systems of up to 16 terabytes in size. It also supports an unlimited number of sub-directories (the ext3 file system only supports up to 32,000), though once the link count exceeds 65,000 it resets to 1 and is no longer increased. The following are the most important features of ext4: Main Feat u res The ext4 file system uses extents (as opposed to the traditional block mapping scheme used by ext2 and ext3), which improves performance when using large files and reduces metadata overhead for large files. In addition, ext4 also labels unallocated block groups and inode table sections accordingly, which allows them to be skipped during a file system check. This makes for quicker file system checks, which becomes more beneficial as the file system grows in size. Allo cat io n Feat u res The ext4 file system features the following allocation schemes: Persistent pre-allocation D elayed allocation Multi-block allocation Stripe-aware allocation Because of delayed allocation and other performance optimizations, ext4's behavior of writing files to disk is different from ext3. In ext4, a program's writes to the file system are not guaranteed to be on-disk unless the program issues an fsync() call afterwards. By default, ext3 automatically forces newly created files to disk almost immediately even without fsync(). This behavior hid bugs in programs that did not use fsync() to ensure that written data was on-disk. The ext4 file system, on the other hand, often waits several seconds to write out changes to disk, allowing it to combine and reorder writes for better disk performance than ext3.
Warning Unlike ext3, the ext4 file system does not force data to disk on transaction commit. As such, it takes longer for buffered writes to be flushed to disk. As with any file system, use data integrity calls such as fsync() to ensure that data is written to permanent storage. O t h er ext 4 Feat u res The ext4 file system also supports the following: Extended attributes (xattr), which allows the system to associate several additional name/value pairs per file.
50
Chapt er 4 . T he ext 4 File Syst em
Quota journaling, which avoids the need for lengthy quota consistency checks after a crash.
Note The only supported journaling mode in ext4 is d ata= o rd ered (default). Subsecond timestamps, which allow to specify inode timestamp fields in nanosecond resolution.
4 .2. Managing an ext 4 File Syst em In order to manage ext4 file systems on Red Hat Eterprise Linux 5, it is necessary to install the e4fsprogs package. You can use the Yum utility to install the package: ~]# yum i nstal l e4 fspro g s The e4fsprogs package contains renamed static binaries from the equivalent upstream e2fsprogs release. This has been done to ensure stability of the e2fsprogs core utilities with all the changes for ext4 included. The most important of these utilities are: mke4 fs — A utility used to create an ext4 file system. mkfs. ext4 — Another command used to create an ext4 file system. e4 fsck — A utility used to repair inconsistencies of an ext4 file system. tune4 fs — A utility used to modify ext4 file system attributes. resi ze4 fs — A utility used to resize an ext4 file system. e4 l abel — A utility used to display or modify the label of the ext4 file system. d umpe4 fs — A utility used to display the super block and blocks group information for the ext4 file system. d ebug e4 fs — An interactive file system debugger, used to examine ext4 file systems, manually repair corrupted file systems and create test cases for e4 fsck. The following sections walk you through the steps for creating and tuning ext4 partitions.
4 .3. Creat ing an ext 4 File Syst em After installation, it is sometimes necessary to create a new ext4 file system. For example, if you add a new disk drive to the system, you may want to partition the drive and use the ext4 file system. The default options are optimal for most usage scenarios but if you need to set your ext4 file system in a specific way, see manual pages for the mke4 fs and mkfs. ext4 commands for available options. Also, you may want to examine and modify the configuration file of mke4 fs, /etc/mke4 fs. co nf, if you plan to create ext4 file systems more often. The steps for creating an ext4 file system are as follows: 1. Format the partition with the ext4 file system using the mkfs. ext4 or mke4 fs command:
51
Deployment G uide
~]# mkfs. ext4 block_device ~]# mke4 fs -t ext4 block_device where block_device is a partition which will contain the ext4 filesystem you wish to create. 2. Label the partition using the e4 l abel command. ~]# e4 l abel new-l abel 3. Create a mount point and mount the new file system to that mount point: ~]# mkd i r /mount/point ~]# mo unt block_device /mount/point A valid block device could be one of two types of entries: A mapped device — A logical volume in a volume group, for example, /d ev/mapper/Vo l G ro up0 0 -Lo g Vo l 0 2. A static device — A traditional storage volume, for example, /d ev/hdbX, where hdb is a storage device name and X is the partition number. For striped block devices (for example RAID 5 arrays), the stripe geometry can be specified at the time of file system creation. Using proper stripe geometry greatly enhances performance of an ext4 file system. When creating file systems on lvm or md volumes, mkfs. ext4 chooses an optimal geometry. This may also be true on some hardware RAID s which export geometry information to the operating system. To specify stripe geometry, use the -E option of mkfs. ext4 (that is, extended file system options) with the following sub-options: st rid e= value Specifies the RAID chunk size. st rip e- wid t h = value Specifies the number of data disks in a RAID device, or the number of stripe units in the stripe. For both sub-options, value must be specified in file system block units. For example, to create a file system with a 64k stride (that is, 16 x 4096) on a 4k-block file system, use the following command: ~]# mkfs. ext4 -E stri d e= 16 ,stri pe-wi d th= 6 4 block_device For more information about creating file systems, refer to man mkfs. ext4 .
4 .4 . Mount ing an ext 4 File Syst em An ext4 file system can be mounted with no extra options, same as any other file system: ~]# mo unt block_device /mount/point
52
Chapt er 4 . T he ext 4 File Syst em
The default mount options are optimal for most users. Options, such as acl , no acl , d ata, q uo ta, no q uo ta, user_xattr, no user_xattr, and many others that were already used with the ext2 and ext3 file systems, are backward compatible and have the same usage and functionality. Also, with the ext4 file system, several new ext4-specific mount options have been added, for example: b arrier / n o b arrier By default, ext4 uses write barriers to ensure file system integrity even when power is lost to a device with write caches enabled. For devices without write caches, or with battery-backed write caches, you disable barriers using the no barri er option: ~]# mo unt -o no barri er block_device /mount/point st rip e= value This option allows you to specify the number of file system blocks allocated for a single file operation. For RAID 5 this number should be equal the RAID chunk size multiplied by the number of disks. jo u rn al_io p rio = value This option allows you to set priority of I/O operations submitted during a commit operation. The option can have a value from 7 to 0 (0 is the highest priority), and is set to 3 by default, which is slightly higher priority than the default I/O priority. D efault mount options can be also set in the file system superblock using the tune4 fs utility. For example, the following command sets the file system on the /d ev/mapper/Vo l G ro up0 0 Lo g Vo l 0 2 device to be mounted by default with debugging disabled and user-specified extended attributes and Posix access control lists enabled: ~]# tune4 fs -o ^d ebug ,user_xattr,acl /d ev/mapper/Vo l G ro up0 0 -Lo g Vo l 0 2 For more information on this topic, refer to the tune4 fs(8) manual page. An ext3 file system can also be mounted as ext4 without changing the format, allowing it to be mounted as ext3 again in the future. To do so, run the following command on a block device that contains an ext3 file system: ~]# mo unt -t ext4 block_device /mount/point D oing so will only allow the ext3 file system to use ext4-specific features that do not require a file format conversion. These features include d el ayed al l o cati o n and mul ti -bl o ck al l o cati o n, and exclude features such as extent mappi ng .
Warning Using the ext4 driver to mount an ext3 file system has not been fully tested on Red Hat Enterprise Linux 5. Therefore, this action is not supported because Red Hat cannot guarantee consistent performance and predictable behavior for ext3 file systems in this way. For more information on mount options for the ext4 file system, see Section 2.2.2, “ Specifying the Mount Options” and the mo unt(8) manual page.
53
Deployment G uide
Note If you want to enable persistent mounting of the file system, remember to update the /etc/fstab file accordingly. For example: /dev/mapper/VolGroup00-LogVol02
/test
ext4
defaults
0 0
4 .5. Resiz ing an ext 4 File Syst em Before growing an ext4 file system, ensure that the underlying block device is of an appropriate size to hold the file system later. Use the appropriate resizing methods for the affected block device. When grown, the ext4 filesystem can be mounted. When shrunk, the ext4 file system has to be unmounted. You can resize an ext4 file system using the resi ze4 fs command: ~]# resi ze4 fs block_devicenew_size When resizing an ext4 file system, the resi ze2fs utility reads the size in units of file system block size, unless a suffix indicating a specific unit is used. The following suffixes indicate specific units: s — 512 byte sectors K — kilobytes M — megabytes G — gigabytes The si ze parameter is optional (and often redundant) when expanding. The resi ze4 fs automatically expands to fill all available space of the container, usually a logical volume or partition. For more information about resizing an ext4 file system, refer to the resi ze4 fs(8) manual page.
54
Chapt er 5. T he proc File Syst em
Chapter 5. The
pro c
File System
The Linux kernel has two primary functions: to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The /pro c/ directory — also called the pro c file system — contains a hierarchy of special files which represent the current state of the kernel — allowing applications and users to peer into the kernel's view of the system. Within the /pro c/ directory, one can find a wealth of information detailing the system hardware and any processes currently running. In addition, some of the files within the /pro c/ directory tree can be manipulated by users and applications to communicate configuration changes to the kernel.
5.1. A Virt ual File Syst em Under Linux, all data are stored as files. Most users are familiar with the two primary types of files: text and binary. But the /pro c/ directory contains another type of file called a virtual file. It is for this reason that /pro c/ is often referred to as a virtual file system. These virtual files have unique qualities. Most of them are listed as zero bytes in size and yet when one is viewed, it can contain a large amount of information. In addition, most of the time and date settings on virtual files reflect the current time and date, indicative of the fact they are constantly updated. Virtual files such as /pro c/i nterrupts, /pro c/memi nfo , /pro c/mo unts, and /pro c/parti ti o ns provide an up-to-the-moment glimpse of the system's hardware. Others, like the /pro c/fi l esystems file and the /pro c/sys/ directory provide system configuration information and interfaces. For organizational purposes, files containing information on a similar topic are grouped into virtual directories and sub-directories. For instance, /pro c/i d e/ contains information for all physical ID E devices. Likewise, process directories contain information about each running process on the system.
5.1.1. Viewing Virt ual Files By using the cat, mo re, or l ess commands on files within the /pro c/ directory, users can immediately access enormous amounts of information about the system. For example, to display the type of CPU a computer has, type cat /pro c/cpui nfo to receive output similar to the following: processor : 0 vendor_id : AuthenticAMD cpu family : 5 model : 9 model name : AMD-K6(tm) 3D+ Processor stepping : 1 cpu MHz : 400.919 cache size : 256 KB fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes
55
Deployment G uide
cpuid level : 1 wp : yes flags : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr bogomips : 799.53 When viewing different virtual files in the /pro c/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include l spci , apm, free, and to p.
Note Some of the virtual files in the /pro c/ directory are readable only by the root user.
5.1.2. Changing Virt ual Files As a general rule, most virtual files within the /pro c/ directory are read-only. However, some can be used to adjust settings in the kernel. This is especially true for files in the /pro c/sys/ subdirectory. To change the value of a virtual file, use the echo command and a greater than symbol (>) to redirect the new value to the file. For example, to change the hostname on the fly, type: echo www.example.com > /pro c/sys/kernel /ho stname Other files act as binary or Boolean switches. Typing cat /pro c/sys/net/i pv4 /i p_fo rward returns either a 0 or a 1. A 0 indicates that the kernel is not forwarding network packets. Using the echo command to change the value of the i p_fo rward file to 1 immediately turns packet forwarding on.
T ip Another command used to alter settings in the /pro c/sys/ subdirectory is /sbi n/sysctl . For more information on this command, refer to Section 5.4, “ Using the sysctl Command” For a listing of some of the kernel configuration files available in the /pro c/sys/ subdirectory, refer to Section 5.3.9, “ /pro c/sys/ ” .
5.1.3. Rest rict ing Access t o Process Direct ories On multi-user systems, it is often useful to secure the process directories stored in /pro c/ so that they can be viewed only by the ro o t user. You can restrict the access to these directories with the use of the hi d epi d option. To change the file system parameters, you can use the mo unt command with the -o remo unt option. As ro o t, type: mo unt -o remo unt,hi d epi d =value /pro c Here, value passed to hi d epi d is one of:
56
Chapt er 5. T he proc File Syst em
0 (default) — every user can read all world-readable files stored in a process directory. 1 — users can access only their own process directories. This protects the sensitive files like cmd l i ne, sched , or status from access by non-root users. This setting does not affect the actual file permissions. 2 — process files are invisible to non-root users. The existence of a process can be learned by other means, but its effective UID and GID is hidden. Hiding these ID s complicates an intruder's task of gathering information about running processes.
Examp le 5.1. R est rict in g access t o p ro cess d irect o ries To make process files accessible only to the ro o t user, type: ~]# mo unt -o remo unt,hi d epi d =1 /pro c With hi d epi d =1, a non-root user cannot access the contents of process directories. An attempt to do so fails with the following message: ~]$ l s /pro c/1/ ls: /proc/1/: Operation not permitted With hi d epi d =2 enabled, process directories are made invisible to non-root users: ~]$ l s /pro c/1/ ls: /proc/1/: No such file or directory
Also, you can specify a user group that will have access to process files even when hi d epi d is set to 1 or 2. To do this, use the g i d option. As ro o t, type: mo unt -o remo unt,hi d epi d =value,g i d =gid /pro c Replace gid with the specific group id. For members of selected group, the process files will act as if hi d epi d was set to 0. However, users which are not supposed to monitor the tasks in the whole system should not be added to the group. For more information on managing users and groups see Chapter 37, Users and Groups.
5.2. T op-level Files wit hin t he
pro c
File Syst em
Below is a list of some of the more useful virtual files in the top-level of the /pro c/ directory.
Note In most cases, the content of the files listed in this section are not the same as those installed on your machine. This is because much of the information is specific to the hardware on which Red Hat Enterprise Linux is running for this documentation effort.
5.2.1. /pro c/apm
57
Deployment G uide
This file provides information about the state of the Advanced Power Management (APM) system and is used by the apm command. If a system with no battery is connected to an AC power source, this virtual file would look similar to the following: 1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ? Running the apm -v command on such a system results in output similar to the following: APM BIOS 1.2 (kernel driver 1.16ac) AC on-line, no system battery For systems which do not use a battery as a power source, apm is able do little more than put the machine in standby mode. The apm command is much more useful on laptops. For example, the following output is from the command cat /pro c/apm on a laptop while plugged into a power outlet: 1.16 1.2 0x03 0x01 0x03 0x09 100% -1 ? When the same laptop is unplugged from its power source for a few minutes, the content of the apm file changes to something like the following: 1.16 1.2 0x03 0x00 0x00 0x01 99% 1792 min The apm -v command now yields more useful data, such as the following: APM BIOS 1.2 (kernel driver 1.16) AC off-line, battery status high: 99% (1 day, 5:52)
5.2.2. /pro c/bud d yi nfo This file is used primarily for diagnosing memory fragmentation issues. Using the buddy algorithm, each column represents the number of pages of a certain order (a certain size) that are available at any given time. For example, for zone D MA (direct memory access), there are 90 of 2^(0*PAGE_SIZ E) chunks of memory. Similarly, there are 6 of 2^(1*PAGE_SIZ E) chunks, and 2 of 2^(2*PAGE_SIZ E) chunks of memory available. The D MA row references the first 16 MB on a system, the Hi g hMem row references all memory greater than 4 GB on a system, and the No rmal row references all memory in between. The following is an example of the output typical of /pro c/bud d yi nfo : Node 0, zone Node 0, zone Node 0, zone
DMA Normal HighMem
90 1650 2
6 310 0
2 5 0
1 0 1
1 0 1
5.2.3. /pro c/cmd l i ne This file shows the parameters passed to the kernel at the time it is started. A sample /pro c/cmd l i ne file looks like the following: ro root=/dev/VolGroup00/LogVol00 rhgb quiet 3 This output tells us the following:
58
... ... ...
Chapt er 5. T he proc File Syst em
ro The root device is mounted read-only at boot time. The presence of ro on the kernel boot line overrides any instances of rw. ro o t = /d ev/Vo lG ro u p 00/Lo g Vo l00 This tells us on which disk device or, in this case, on which logical volume, the root filesystem image is located. With our sample /pro c/cmd l i ne output, the root filesystem image is located on the first logical volume (Lo g Vo l 0 0 ) of the first LVM volume group (Vo l G ro up0 0 ). On a system not using Logical Volume Management, the root file system might be located on /d ev/sd a1 or /d ev/sd a2, meaning on either the first or second partition of the first SCSI or SATA disk drive, depending on whether we have a separate (preceding) boot or swap partition on that drive. For more information on LVM used in Red Hat Enterprise Linux, refer to http://www.tldp.org/HOWTO/LVM-HOWTO/index.html. rh g b A short lowercase acronym that stands for Red Hat Graphical Boot, providing " rhgb" on the kernel command line signals that graphical booting is supported, assuming that /etc/i ni ttab shows that the default runlevel is set to 5 with a line like this: id:5:initdefault: q u iet Indicates that all verbose kernel messages except those which are extremely serious should be suppressed at boot time.
5.2.4 . /pro c/cpui nfo This virtual file identifies the type of processor used by your system. The following is an example of the output typical of /pro c/cpui nfo : processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 2 model name : Intel(R) Xeon(TM) CPU 2.40GHz stepping : 7 cpu MHz : 2392.371 cache size : 512 KB physical id : 0 siblings : 2 runqueue : 0 fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 2
59
Deployment G uide
wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm bogomips : 4771.02
cmov
pro cesso r — Provides each processor with an identifying number. On systems that have one processor, only a 0 is present. cpu fami l y — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of " 86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386. Because some RPM packages are compiled for each of these particular architectures, this value also helps users determine which packages to install. mo d el name — D isplays the common name of the processor, including its project name. cpu MHz — Shows the precise speed in megahertz for the processor to the thousandths decimal place. cache si ze — D isplays the amount of level 2 memory cache available to the processor. si bl i ng s — D isplays the number of sibling CPUs on the same physical CPU for architectures which use hyper-threading. fl ag s — D efines a number of different qualities about the processor, such as the presence of a floating point unit (FPU) and the ability to process MMX instructions.
5.2.5. /pro c/crypto This file lists all installed cryptographic ciphers used by the Linux kernel, including additional details for each. A sample /pro c/crypto file looks like the following: name module type blocksize digestsize name module type blocksize digestsize
: : : : : : : : : :
sha1 kernel digest 64 20 md5 md5 digest 64 16
5.2.6. /pro c/d evi ces This file displays the various character and block devices currently configured (not including devices whose modules are not loaded). Below is a sample output from this file: Character devices: 1 mem 4 /dev/vc/0 4 tty 4 ttyS 5 /dev/tty 5 /dev/console
60
Chapt er 5. T he proc File Syst em
5 /dev/ptmx 7 vcs 10 misc 13 input 29 fb 36 netlink 128 ptm 136 pts 180 usb Block devices: 1 ramdisk 3 ide0 9 md 22 ide1 253 device-mapper 254 mdp The output from /pro c/d evi ces includes the major number and name of the device, and is broken into two major sections: C haracter d evi ces and Bl o ck d evi ces. Character devices are similar to block devices, except for two basic differences: 1. Character devices do not require buffering. Block devices have a buffer available, allowing them to order requests before addressing them. This is important for devices designed to store information — such as hard drives — because the ability to order the information before writing it to the device allows it to be placed in a more efficient order. 2. Character devices send data with no preconfigured size. Block devices can send and receive information in blocks of a size configured per device. For more information about devices refer to the following installed documentation: /usr/share/doc/kernel-doc-/Documentation/devices.txt
5.2.7. /pro c/d ma This file contains a list of the registered ISA D MA channels in use. A sample /pro c/d ma files looks like the following: 4: cascade
5.2.8. /pro c/execd o mai ns This file lists the execution domains currently supported by the Linux kernel, along with the range of personalities they support. 0-0
Linux
[kernel]
Think of execution domains as the " personality" for an operating system. Because other binary formats, such as Solaris, UnixWare, and FreeBSD , can be used with Linux, programmers can change the way the operating system treats system calls from these binaries by changing the personality of the task. Except for the P ER _LINUX execution domain, different personalities can be implemented as dynamically loadable modules.
61
Deployment G uide
5.2.9. /pro c/fb This file contains a list of frame buffer devices, with the frame buffer device number and the driver that controls it. Typical output of /pro c/fb for systems which contain frame buffer devices looks similar to the following: 0 VESA VGA
5.2.10. /pro c/fi l esystems This file displays a list of the file system types currently supported by the kernel. Sample output from a generic /pro c/fi l esystems file looks similar to the following: nodev sysfs nodev rootfs nodev bdev nodev proc nodev sockfs nodev binfmt_misc nodev usbfs nodev usbdevfs nodev futexfs nodev tmpfs nodev pipefs nodev eventpollfs nodev devpts ext2 nodev ramfs nodev hugetlbfs iso9660 nodev mqueue ext3 nodev rpc_pipefs nodev autofs The first column signifies whether the file system is mounted on a block device. Those beginning with no d ev are not mounted on a device. The second column lists the names of the file systems supported. The mo unt command cycles through the file systems listed here when one is not specified as an argument.
5.2.11. /pro c/i nterrupts This file records the number of interrupts per IRQ on the x86 architecture. A standard /pro c/i nterrupts looks similar to the following: CPU0 0: 80448940 1: 174412 2: 0 8: 1 10: 410964 12: 60330
62
XT-PIC timer XT-PIC keyboard XT-PIC cascade XT-PIC rtc XT-PIC eth0 XT-PIC PS/2 Mouse
Chapt er 5. T he proc File Syst em
14: 15: NMI: ERR:
1314121 5195422 0 0
XT-PIC XT-PIC
ide0 ide1
For a multi-processor machine, this file may look slightly different: CPU0 CPU1 0: 1366814704 0 1: 128 340 2: 0 0 8: 0 1 12: 5323 5793 13: 1 0 16: 11184294 15940594 Ethernet 20: 8450043 11120093 30: 10432 10722 31: 23 22 NMI: 0 ERR: 0
XT-PIC timer IO-APIC-edge keyboard XT-PIC cascade IO-APIC-edge rtc IO-APIC-edge PS/2 Mouse XT-PIC fpu IO-APIC-level Intel EtherExpress Pro 10/100 IO-APIC-level IO-APIC-level IO-APIC-level
megaraid aic7xxx aic7xxx
The first column refers to the IRQ number. Each CPU in the system has its own column and its own number of interrupts per IRQ. The next column reports the type of interrupt, and the last column contains the name of the device that is located at that IRQ. Each of the types of interrupts seen in this file, which are architecture-specific, mean something different. For x86 machines, the following values are common: XT -P IC — This is the old AT computer interrupts. IO -AP IC -ed g e — The voltage signal on this interrupt transitions from low to high, creating an edge, where the interrupt occurs and is only signaled once. This kind of interrupt, as well as the IO -AP IC -l evel interrupt, are only seen on systems with processors from the 586 family and higher. IO -AP IC -l evel — Generates interrupts when its voltage signal is high until the signal is low again.
5.2.12. /pro c/i o mem This file shows you the current map of the system's memory for each physical device: 00000000-0009fbff : System RAM 0009fc00-0009ffff : reserved 000a0000-000bffff : Video RAM area 000c0000-000c7fff : Video ROM 000f0000-000fffff : System ROM 00100000-07ffffff : System RAM 00100000-00291ba8 : Kernel code 00291ba9-002e09cb : Kernel data e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3] e4000000-e7ffffff : PCI Bus #01 e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP e5000000-e57fffff : Matrox Graphics, Inc. MGA G200 AGP e8000000-e8ffffff : PCI Bus #01
63
Deployment G uide
e8000000-e8ffffff : Matrox Graphics, Inc. MGA G200 AGP ea000000-ea00007f : Digital Equipment Corporation DECchip 21140 [FasterNet] ea000000-ea00007f : tulip ffff0000-ffffffff : reserved The first column displays the memory registers used by each of the different types of memory. The second column lists the kind of memory located within those registers and displays which memory registers are used by the kernel within the system RAM or, if the network interface card has multiple Ethernet ports, the memory registers assigned for each port.
5.2.13. /pro c/i o po rts The output of /pro c/i o po rts provides a list of currently registered port regions used for input or output communication with a device. This file can be quite long. The following is a partial listing: 0000-001f : 0020-003f : 0040-005f : 0060-006f : 0070-007f : 0080-008f : 00a0-00bf : 00c0-00df : 00f0-00ff : 0170-0177 : 01f0-01f7 : 02f8-02ff : 0376-0376 : 03c0-03df : 03f6-03f6 : 03f8-03ff : 0cf8-0cff : d000-dfff : e000-e00f : e000-e007 : e008-e00f : e800-e87f : e800-e87f :
dma1 pic1 timer keyboard rtc dma page reg pic2 dma2 fpu ide1 ide0 serial(auto) ide1 vga+ ide0 serial(auto) PCI conf1 PCI Bus #01 VIA Technologies, Inc. Bus Master IDE ide0 ide1 Digital Equipment Corporation DECchip 21140 [FasterNet] tulip
The first column gives the I/O port address range reserved for the device listed in the second column.
5.2.14 . /pro c/kco re This file represents the physical memory of the system and is stored in the core file format. Unlike most /pro c/ files, kco re displays a size. This value is given in bytes and is equal to the size of the physical memory (RAM) used plus 4 KB. The contents of this file are designed to be examined by a debugger, such as g d b, and is not human readable.
64
Chapt er 5. T he proc File Syst em
Caution D o not view the /pro c/kco re virtual file. The contents of the file scramble text output on the terminal. If this file is accidentally viewed, press C trl +C to stop the process and then type reset to bring back the command line prompt.
5.2.15. /pro c/kmsg This file is used to hold messages generated by the kernel. These messages are then picked up by other programs, such as /sbi n/kl o g d or /bi n/d mesg .
5.2.16. /pro c/l o ad avg This file provides a look at the load average in regard to both the CPU and IO over time, as well as additional data used by upti me and other commands. A sample /pro c/l o ad avg file looks similar to the following: 0.20 0.18 0.12 1/80 11206 The first three columns measure CPU and IO utilization of the last one, five, and 15 minute periods. The fourth column shows the number of currently running processes and the total number of processes. The last column displays the last process ID used. In addition, load average also refers to the number of processes ready to run (i.e. in the run queue, waiting for a CPU share.
5.2.17. /pro c/l o cks This file displays the files currently locked by the kernel. The contents of this file contain internal kernel debugging data and can vary tremendously, depending on the use of the system. A sample /pro c/l o cks file for a lightly loaded system looks similar to the following: 1: 2: 3: 4: 5: 6: 7:
POSIX FLOCK POSIX POSIX POSIX POSIX POSIX
ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY
WRITE WRITE WRITE WRITE WRITE WRITE WRITE
3568 3517 3452 3443 3326 3175 3056
fd:00:2531452 fd:00:2531448 fd:00:2531442 fd:00:2531440 fd:00:2531430 fd:00:2531425 fd:00:2548663
0 0 0 0 0 0 0
EOF EOF EOF EOF EOF EOF EOF
Each lock has its own line which starts with a unique number. The second column refers to the class of lock used, with FLO C K signifying the older-style UNIX file locks from a fl o ck system call and P O SIX representing the newer POSIX locks from the l o ckf system call. The third column can have two values: AD VISO R Y or MAND AT O R Y . AD VISO R Y means that the lock does not prevent other people from accessing the data; it only prevents other attempts to lock it. MAND AT O R Y means that no other access to the data is permitted while the lock is held. The fourth column reveals whether the lock is allowing the holder R EAD or WR IT E access to the file. The fifth column shows the ID of the process holding the lock. The sixth column shows the ID of the file being locked, in the format of MAJOR-DEVICE: MINOR-DEVICE: INODE-NUMBER . The seventh and eighth column shows the start and end of the file's locked region.
65
Deployment G uide
5.2.18. /pro c/md stat This file contains the current information for multiple-disk, RAID configurations. If the system does not contain such a configuration, then /pro c/md stat looks similar to the following: Personalities :
read_ahead not set unused devices:
This file remains in the same state as seen above unless a software RAID or md device is present. In that case, view /pro c/md stat to find the current status of md X RAID devices. The /pro c/md stat file below shows a system with its md 0 configured as a RAID 1 device, while it is currently re-syncing the disks: Personalities : [linear] [raid1] read_ahead 1024 sectors md0: active raid1 sda2[1] sdb2[0] 9940 blocks [2/2] [UU] resync=1% finish=12.3min algorithm 2 [3/3] [UUU] unused devices:
5.2.19. /pro c/memi nfo This is one of the more commonly used files in the /pro c/ directory, as it reports a large amount of valuable information about the systems RAM usage. The following sample /pro c/memi nfo virtual file is from a system with 256 MB of RAM and 512 MB of swap space: MemTotal: 255908 kB MemFree: 69936 kB Buffers: 15812 kB Cached: 115124 kB SwapCached: 0 kB Active: 92700 kB Inactive: 63792 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 255908 kB LowFree: 69936 kB SwapTotal: 524280 kB SwapFree: 524280 kB Dirty: 4 kB Writeback: 0 kB Mapped: 42236 kB Slab: 25912 kB Committed_AS: 118680 kB PageTables: 1236 kB VmallocTotal: 3874808 kB VmallocUsed: 1416 kB VmallocChunk: 3872908 kB HugePages_Total: 0 HugePages_Free: 0 Hugepagesize: 4096 kB Much of the information here is used by the free, to p, and ps commands. In fact, the output of the free command is similar in appearance to the contents and structure of /pro c/memi nfo . But by looking directly at /pro c/memi nfo , more details are revealed:
66
Chapt er 5. T he proc File Syst em
MemT o tal — Total amount of physical RAM, in kilobytes. MemFree — The amount of physical RAM, in kilobytes, left unused by the system. Buffers — The amount of physical RAM, in kilobytes, used for file buffers. C ached — The amount of physical RAM, in kilobytes, used as cache memory. SwapC ached — The amount of swap, in kilobytes, used as cache memory. Acti ve — The total amount of buffer or page cache memory, in kilobytes, that is in active use. This is memory that has been recently used and is usually not reclaimed for other purposes. Inacti ve — The total amount of buffer or page cache memory, in kilobytes, that are free and available. This is memory that has not been recently used and can be reclaimed for other purposes. Hi g hT o tal and Hi g hFree — The total and free amount of memory, in kilobytes, that is not directly mapped into kernel space. The Hi g hT o tal value can vary based on the type of kernel used. Lo wT o tal and Lo wFree — The total and free amount of memory, in kilobytes, that is directly mapped into kernel space. The Lo wT o tal value can vary based on the type of kernel used. SwapT o tal — The total amount of swap available, in kilobytes. SwapFree — The total amount of swap free, in kilobytes. D i rty — The total amount of memory, in kilobytes, waiting to be written back to the disk. Wri teback — The total amount of memory, in kilobytes, actively being written back to the disk. Mapped — The total amount of memory, in kilobytes, which have been used to map devices, files, or libraries using the mmap command. Sl ab — The total amount of memory, in kilobytes, used by the kernel to cache data structures for its own use. C o mmi tted _AS — The total amount of memory, in kilobytes, estimated to complete the workload. This value represents the worst case scenario value, and also includes swap memory. P ag eT abl es — The total amount of memory, in kilobytes, dedicated to the lowest page table level. VMal l o cT o tal — The total amount of memory, in kilobytes, of total allocated virtual address space. VMal l o cUsed — The total amount of memory, in kilobytes, of used virtual address space. VMal l o cC hunk — The largest contiguous block of memory, in kilobytes, of available virtual address space. Hug eP ag es_T o tal — The total number of hugepages for the system. The number is derived by dividing Hug epag esi ze by the megabytes set aside for hugepages specified in /pro c/sys/vm/hug etl b_po o l . This statistic only appears on the x86, Itanium, and AMD64 architectures. Hug eP ag es_Free — The total number of hugepages available for the system. This statistic only appears on the x86, Itanium, and AMD64 architectures.
67
Deployment G uide
Hug epag esi ze — The size for each hugepages unit in kilobytes. By default, the value is 4096 KB on uniprocessor kernels for 32 bit architectures. For SMP, hugemem kernels, and AMD 64, the default is 2048 KB. For Itanium architectures, the default is 262144 KB. This statistic only appears on the x86, Itanium, and AMD64 architectures.
5.2.20. /pro c/mi sc This file lists miscellaneous drivers registered on the miscellaneous major device, which is device number 10: 63 device-mapper 175 agpgart 135 rtc 134 apm_bios The first column is the minor number of each device, while the second column shows the driver in use.
5.2.21. /pro c/mo d ul es This file displays a list of all modules loaded into the kernel. Its contents vary based on the configuration and use of your system, but it should be organized in a similar manner to this sample /pro c/mo d ul es file output:
Note This example has been reformatted into a readable format. Most of this information can also be viewed via the /sbi n/l smo d command.
nfs lockd nls_utf8 vfat fat autofs4 sunrpc 3c59x uhci_hcd md5 ipv6 ext3 jbd dm_mod
170109 0 51593 1 nfs, 1729 0 12097 0 38881 1 vfat, 20293 2 140453 3 nfs,lockd, 33257 0 28377 0 3777 1 211845 16 92585 2 65625 1 ext3, 46677 3 -
Live 0x129b0000 Live 0x128b0000 Live 0x12830000 Live 0x12823000 Live 0x1287b000 Live 0x1284f000 Live 0x12954000 Live 0x12871000 Live 0x12869000 Live 0x1282c000 Live 0x128de000 Live 0x12886000 Live 0x12857000 Live 0x12833000
The first column contains the name of the module. The second column refers to the memory size of the module, in bytes. The third column lists how many instances of the module are currently loaded. A value of zero represents an unloaded module. The fourth column states if the module depends upon another module to be present in order to function, and lists those other modules. The fifth column lists what load state the module is in: Li ve, Lo ad i ng , or Unl o ad i ng are the only possible values.
68
Chapt er 5. T he proc File Syst em
The sixth column lists the current kernel memory offset for the loaded module. This information can be useful for debugging purposes, or for profiling tools such as o pro fi l e.
5.2.22. /pro c/mo unts This file provides a list of all mounts in use by the system: rootfs / rootfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 none /dev ramfs rw 0 0 /dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0 none /dev ramfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 /sys /sys sysfs rw 0 0 none /dev/pts devpts rw 0 0 usbdevfs /proc/bus/usb usbdevfs rw 0 0 /dev/hda1 /boot ext3 rw 0 0 none /dev/shm tmpfs rw 0 0 none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0 sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0 The output found here is similar to the contents of /etc/mtab, except that /pro c/mo unt is more upto-date. The first column specifies the device that is mounted, the second column reveals the mount point, and the third column tells the file system type, and the fourth column tells you if it is mounted readonly (ro ) or read-write (rw). The fifth and sixth columns are dummy values designed to match the format used in /etc/mtab.
5.2.23. /pro c/mtrr This file refers to the current Memory Type Range Registers (MTRRs) in use with the system. If the system architecture supports MTRRs, then the /pro c/mtrr file may look similar to the following: reg00: base=0x00000000 ( 0MB), size= 256MB: write-back, count=1 reg01: base=0xe8000000 (3712MB), size= 32MB: write-combining, count=1 MTRRs are used with the Intel P6 family of processors (Pentium II and higher) and control processor access to memory ranges. When using a video card on a PCI or AGP bus, a properly configured /pro c/mtrr file can increase performance more than 150% . Most of the time, this value is properly configured by default. More information on manually configuring this file can be found locally at the following location: /usr/share/doc/kernel-doc-/Documentation/mtrr.txt
5.2.24 . /pro c/parti ti o ns This file contains partition block allocation information. A sampling of this file from a basic system looks similar to the following: major minor #blocks name 3 0 19531250 hda
69
Deployment G uide
3 3 253 253
1 2 0 1
104391 19422585 22708224 524288
hda1 hda2 dm-0 dm-1
Most of the information here is of little importance to the user, except for the following columns: majo r — The major number of the device with this partition. The major number in the /pro c/parti ti o ns, (3), corresponds with the block device i d e0 , in /pro c/d evi ces. mi no r — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition. #bl o cks — Lists the number of physical disk blocks contained in a particular partition. name — The name of the partition.
5.2.25. /pro c/pci This file contains a full listing of every PCI device on the system. D epending on the number of PCI devices, /pro c/pci can be rather long. A sampling of this file from a basic system looks similar to the following: Bus 0, device 0, function 0: Host bridge: Intel Corporation 440BX/ZX 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff]. Bus 0, device 1, function 0: PCI bridge: Intel Corporation 440BX/ZX 82443BX/ZX AGP bridge (rev 3). Master Capable. Latency=64. Min Gnt=128. Bus 0, device 4, function 0: ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 2). Bus 0, device 4, function 1: IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 1). Master Capable. Latency=32. I/O at 0xd800 [0xd80f]. Bus 0, device 4, function 2: USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 1). IRQ 5. Master Capable. Latency=32. I/O at 0xd400 [0xd41f]. Bus 0, device 4, function 3: Bridge: Intel Corporation 82371AB PIIX4 ACPI (rev 2). IRQ 9. Bus 0, device 9, function 0: Ethernet controller: Lite-On Communications Inc LNE100TX (rev 33). IRQ 5. Master Capable. Latency=32. I/O at 0xd000 [0xd0ff]. Bus 0, device 12, function 0: VGA compatible controller: S3 Inc. ViRGE/DX or /GX (rev 1). IRQ 11. Master Capable. Latency=32. Min Gnt=4.Max Lat=255. This output shows a list of all PCI devices, sorted in the order of bus, device, and function. Beyond providing the name and version of the device, this list also gives detailed IRQ information so an administrator can quickly look for conflicts.
70
Chapt er 5. T he proc File Syst em
T ip To get a more readable version of this information, type: l spci -vb
5.2.26. /pro c/sl abi nfo This file gives full information about memory usage on the slab level. Linux kernels greater than version 2.2 use slab pools to manage memory above the page level. Commonly used objects have their own slab pools. Instead of parsing the highly verbose /pro c/sl abi nfo file manually, the /usr/bi n/sl abto p program displays kernel slab cache information in real time. This program allows for custom configurations, including column sorting and screen refreshing. A sample screen shot of /usr/bi n/sl abto p usually looks like the following example: Active / Total Objects (% used) Active / Total Slabs (% used) Active / Total Caches (% used) Active / Total Size (% used) Minimum / Average / Maximum Object OBJS ACTIVE USE OBJ SIZE 44814 43159 96% 0.62K 7469 36900 34614 93% 0.05K 492 35213 33124 94% 0.16K 1531 7364 6463 87% 0.27K 526 2585 1781 68% 0.08K 55 2263 2116 93% 0.12K 73 1904 1125 59% 0.03K 16 1666 768 46% 0.03K 14 1512 1482 98% 0.44K 168 1464 1040 71% 0.06K 24 1320 820 62% 0.19K 66 678 587 86% 0.02K 3 678 587 86% 0.02K 3 576 574 99% 0.47K 72 528 514 97% 0.50K 66 492 372 75% 0.09K 12 465 314 67% 0.25K 31 452 331 73% 0.02K 2 420 420 100% 0.19K 21 305 256 83% 0.06K 5 290 4 1% 0.01K 1 264 264 100% 4.00K 264 260 256 98% 0.19K 13 260 256 98% 0.75K 52
: : : : :
133629 / 147300 (90.7%) 11492 / 11493 (100.0%) 77 / 121 (63.6%) 41739.83K / 44081.89K (94.7%) 0.01K / 0.30K / 128.00K SLABS OBJ/SLAB CACHE SIZE NAME 6 29876K ext3_inode_cache 75 1968K buffer_head 23 6124K dentry_cache 14 2104K radix_tree_node 47 220K vm_area_struct 31 292K size-128 119 64K size-32 119 56K anon_vma 9 672K inode_cache 61 96K size-64 20 264K filp 226 12K dm_io 226 12K dm_tio 8 288K proc_inode_cache 8 264K size-512 41 48K bio 15 124K size-256 226 8K biovec-1 20 84K skbuff_head_cache 61 20K biovec-4 290 4K revoke_table 1 1056K size-4096 20 52K biovec-16 5 208K biovec-64
Some of the more commonly used statistics in /pro c/sl abi nfo that are included into /usr/bi n/sl abto p include:
71
Deployment G uide
O BJS — The total number of objects (memory blocks), including those in use (allocated), and some spares not in use. AC T IVE — The number of objects (memory blocks) that are in use (allocated). USE — Percentage of total objects that are active. ((ACTIVE/OBJS)(100)) O BJ SIZE — The size of the objects. SLABS — The total number of slabs. O BJ/SLAB — The number of objects that fit into a slab. C AC HE SIZE — The cache size of the slab. NAME — The name of the slab. For more information on the /usr/bi n/sl abto p program, refer to the sl abto p man page.
5.2.27. /pro c/stat This file keeps track of a variety of different statistics about the system since it was last restarted. The contents of /pro c/stat, which can be quite long, usually begins like the following example: cpu 259246 7001 60190 34250993 137517 772 0 cpu0 259246 7001 60190 34250993 137517 772 0 intr 354133732 347209999 2272 0 4 4 0 0 3 1 1249247 0 0 80143 0 422626 5169433 ctxt 12547729 btime 1093631447 processes 130523 procs_running 1 procs_blocked 0 preempt 5651840 cpu 209841 1554 21720 118519346 72939 154 27168 cpu0 42536 798 4841 14790880 14778 124 3117 cpu1 24184 569 3875 14794524 30209 29 3130 cpu2 28616 11 2182 14818198 4020 1 3493 cpu3 35350 6 2942 14811519 3045 0 3659 cpu4 18209 135 2263 14820076 12465 0 3373 cpu5 20795 35 1866 14825701 4508 0 3615 cpu6 21607 0 2201 14827053 2325 0 3334 cpu7 18544 0 1550 14831395 1589 0 3447 intr 15239682 14857833 6 0 6 6 0 5 0 1 0 0 0 29 0 2 0 0 0 0 0 0 0 94982 0 286812 ctxt 4209609 btime 1078711415 processes 21905 procs_running 1 procs_blocked 0 Some of the more commonly used statistics include: cpu — Measures the number of jiffies (1/100 of a second for x86 systems) that the system has been in user mode, user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively. The IRQ (hardirq) is the direct response to a hardware event. The IRQ takes minimal work for queuing the " heavy" work up for the softirq to execute. The softirq runs at a
72
Chapt er 5. T he proc File Syst em
lower priority than the IRQ and therefore may be interrupted more frequently. The total for all CPUs is given at the top, while each individual CPU is listed below with its own statistics. The following example is a 4-way Intel Pentium Xeon configuration with multi-threading enabled, therefore showing four physical processors and four virtual processors totaling eight processors. pag e — The number of memory pages the system has written in and out to disk. swap — The number of swap pages the system has brought in and out. i ntr — The number of interrupts the system has experienced. bti me — The boot time, measured in the number of seconds since January 1, 1970, otherwise known as the epoch.
5.2.28. /pro c/swaps This file measures swap space and its utilization. For a system with only one swap partition, the output of /pro c/swaps may look similar to the following: Filename /dev/mapper/VolGroup00-LogVol01
Type partition
Size 524280
Used 0
Priority -1
While some of this information can be found in other files in the /pro c/ directory, /pro c/swaps provides a snapshot of every swap file name, the type of swap space, the total size, and the amount of space in use (in kilobytes). The priority column is useful when multiple swap files are in use. The lower the priority, the more likely the swap file is to be used.
5.2.29. /pro c/sysrq -tri g g er Using the echo command to write to this file, a remote root user can execute most System Request Key commands remotely as if at the local terminal. To echo values to this file, the /pro c/sys/kernel /sysrq must be set to a value other than 0 . For more information about the System Request Key, refer to Section 5.3.9.3, “ /pro c/sys/kernel / ” . Although it is possible to write to this file, it cannot be read, even by the root user.
5.2.30. /pro c/upti me This file contains information detailing how long the system has been on since its last restart. The output of /pro c/upti me is quite minimal: 350735.47 234388.90 The first number is the total number of seconds the system has been up. The second number is how much of that time the machine has spent idle, in seconds.
5.2.31. /pro c/versi o n This file specifies the version of the Linux kernel and g cc in use, as well as the version of Red Hat Enterprise Linux installed on the system: Linux version 2.6.8-1.523 (user@ foo.redhat.com) (gcc version 3.4.1 20040714 \ (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004
73
Deployment G uide
This information is used for a variety of purposes, including the version data presented when a user logs in.
5.3. Direct ories wit hin /pro c/ Common groups of information concerning the kernel are grouped into directories and subdirectories within the /pro c/ directory.
5.3.1. Process Direct ories Every /pro c/ directory contains a number of directories with numerical names. A listing of them may be similar to the following: dr-xr-xr-x dr-xr-xr-x dr-xr-xr-x dr-xr-xr-x dr-xr-xr-x dr-xr-xr-x dr-xr-xr-x dr-xr-xr-x
3 3 3 3 3 3 3 3
root root xfs daemon root apache rpc rpcuser
root root xfs daemon root apache rpc rpcuser
0 0 0 0 0 0 0 0
Feb Feb Feb Feb Feb Feb Feb Feb
13 13 13 13 13 13 13 13
01:28 01:28 01:28 01:28 01:28 01:28 01:28 01:28
1 1010 1087 1123 11307 13660 637 666
These directories are called process directories, as they are named after a program's process ID and contain information specific to that process. The owner and group of each process directory is set to the user running the process. When the process is terminated, its /pro c/ process directory vanishes. Each process directory contains the following files: cmd l i ne — Contains the command issued when starting the process. cwd — A symbolic link to the current working directory for the process. envi ro n — A list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters. exe — A symbolic link to the executable of this process. fd — A directory containing all of the file descriptors for a particular process. These are given in numbered links: total 0 lrwx-----lrwx-----lrwx-----lrwx-----lrwx-----[7774817] lrwx-----lrwx-----[7774829] lrwx------
74
1 1 1 1 1
root root root root root
root root root root root
64 64 64 64 64
May May May May May
8 8 8 8 8
11:31 11:31 11:31 11:31 11:31
0 1 2 3 4
-> -> -> -> ->
/dev/null /dev/null /dev/null /dev/ptmx socket:
1 root 1 root
root root
64 May 64 May
8 11:31 5 -> /dev/ptmx 8 11:31 6 -> socket:
1 root
root
64 May
8 11:31 7 -> /dev/ptmx
Chapt er 5. T he proc File Syst em
maps — A list of memory maps to the various executables and library files associated with this process. This file can be rather long, depending upon the complexity of the process, but sample output from the sshd process begins like the following: 08048000-08086000 08086000-08088000 08088000-08095000 40000000-40013000 40013000-40014000 40031000-40038000 40038000-40039000 40039000-4003a000 4003a000-4003c000 4003c000-4003d000
r-xp rw-p rwxp r-xp rw-p r-xp rw-p rw-p r-xp rw-p
00000000 03:03 391479 /usr/sbin/sshd 0003e000 03:03 391479 /usr/sbin/sshd 00000000 00:00 0 0000000 03:03 293205 /lib/ld-2.2.5.so 00013000 03:03 293205 /lib/ld-2.2.5.so 00000000 03:03 293282 /lib/libpam.so.0.75 00006000 03:03 293282 /lib/libpam.so.0.75 00000000 00:00 0 00000000 03:03 293218 /lib/libdl-2.2.5.so 00001000 03:03 293218 /lib/libdl-2.2.5.so
mem — The memory held by the process. This file cannot be read by the user. ro o t — A link to the root directory of the process. stat — The status of the process. statm — The status of the memory in use by the process. Below is a sample /pro c/statm file: 263 210 210 5 0 205 0 The seven columns relate to different memory statistics for the process. From left to right, they report the following aspects of the memory used: Total program size, in kilobytes. Size of memory portions, in kilobytes. Number of pages that are shared. Number of pages that are code. Number of pages of data/stack. Number of library pages. Number of dirty pages. status — The status of the process in a more readable form than stat or statm. Sample output for sshd looks similar to the following: Name: sshd State: S (sleeping) Tgid: 797 Pid: 797 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: VmSize: 3072 kB VmLck: 0 kB VmRSS: 840 kB
75
Deployment G uide
VmData: VmStk: VmExe: VmLib: SigPnd: SigBlk: SigIgn: SigCgt: CapInh: CapPrm: CapEff:
104 kB 12 kB 300 kB 2528 kB 0000000000000000 0000000000000000 8000000000001000 0000000000014005 0000000000000000 00000000fffffeff 00000000fffffeff
The information in this output includes the process name and ID , the state (such as S (sl eepi ng ) or R (runni ng )), user/group ID running the process, and detailed data regarding memory usage.
5 .3.1 .1 . /pro c/sel f/ The /pro c/sel f/ directory is a link to the currently running process. This allows a process to look at itself without having to know its process ID . Within a shell environment, a listing of the /pro c/sel f/ directory produces the same contents as listing the process directory for that process.
5.3.2. /pro c/bus/ This directory contains information specific to the various buses available on the system. For example, on a standard system containing PCI and USB buses, current data on each of these buses is available within a subdirectory within /pro c/bus/ by the same name, such as /pro c/bus/pci /. The subdirectories and files available within /pro c/bus/ vary depending on the devices connected to the system. However, each bus type has at least one directory. Within these bus directories are normally at least one subdirectory with a numerical name, such as 0 0 1, which contain binary files. For example, the /pro c/bus/usb/ subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them. The following is a sample listing of a /pro c/bus/usb/ directory: total 0 dr-xr-xr-x -r--r--r-1 root -r--r--r-1 root
1 root root root
root 0 May 0 May
0 May 3 16:25 001 3 16:25 devices 3 16:25 drivers
The /pro c/bus/usb/0 0 1/ directory contains all devices on the first USB bus and the d evi ces file identifies the USB root hub on the motherboard. The following is a example of a /pro c/bus/usb/d evi ces file: T: B: D: P: S:
76
Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2 Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0 Ver= 1.00 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 Vendor=0000 ProdID=0000 Rev= 0.00 Product=USB UHCI Root Hub
Chapt er 5. T he proc File Syst em
S: C:* I: E:
SerialNumber=d400 #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=255ms
5.3.3. /pro c/d ri ver/ This directory contains information for specific drivers in use by the kernel. A common file found here is rtc which provides output from the driver for the system's Real Time Clock (RTC), the device that keeps the time while the system is switched off. Sample output from /pro c/d ri ver/rtc looks like the following: rtc_time rtc_date rtc_epoch alarm DST_enable BCD 24hr square_wave alarm_IRQ update_IRQ periodic_IRQ periodic_freq batt_status
: : : : : : : : : : : : :
16:21:00 2004-08-31 1900 21:16:27 no yes yes no no no no 1024 okay
For more information about the RTC, refer to the following installed documentation: /usr/share/d o c/kernel -d o c-/D o cumentati o n/rtc. txt.
5.3.4 . /pro c/fs This directory shows which file systems are exported. If running an NFS server, typing cat /pro c/fs/nfsd /expo rts displays the file systems being shared and the permissions granted for those file systems. For more on file system sharing with NFS, refer to Chapter 21, Network File System (NFS).
5.3.5. /pro c/i d e/ This directory contains information about ID E devices on the system. Each ID E channel is represented as a separate directory, such as /pro c/i d e/i d e0 and /pro c/i d e/i d e1. In addition, a d ri vers file is available, providing the version number of the various drivers used on the ID E channels: ide-floppy version 0.99. newide ide-cdrom version 4.61 ide-disk version 1.18 Many chipsets also provide a file in this directory with additional data concerning the drives connected through the channels. For example, a generic Intel PIIX4 Ultra 33 chipset produces the /pro c/i d e/pi i x file which reveals whether D MA or UD MA is enabled for the devices on the ID E channels:
77
Deployment G uide
Intel PIIX4 Ultra 33 Chipset. ------------- Primary Channel ---------------- Secondary Channel -----------enabled enabled ------------- drive0 --------- drive1 -------- drive0 ---------- drive1 -----DMA enabled: yes no yes no UDMA enabled: yes no no no UDMA enabled: 2 X X X UDMA DMA PIO Navigating into the directory for an ID E channel, such as i d e0 , provides additional information. The channel file provides the channel number, while the mo d el identifies the bus type for the channel (such as pci ).
5 .3.5 .1 . De vice Dire ct o rie s Within each ID E channel directory is a device directory. The name of the device directory corresponds to the drive letter in the /d ev/ directory. For instance, the first ID E drive on i d e0 would be hd a.
Note There is a symbolic link to each of these device directories in the /pro c/i d e/ directory. Each device directory contains a collection of information and statistics. The contents of these directories vary according to the type of device connected. Some of the more useful files common to many devices include: cache — The device cache. capaci ty — The capacity of the device, in 512 byte blocks. d ri ver — The driver and version used to control the device. g eo metry — The physical and logical geometry of the device. med i a — The type of device, such as a d i sk. mo d el — The model name or number of the device. setti ng s — A collection of current device parameters. This file usually contains quite a bit of useful, technical information. A sample setti ng s file for a standard ID E hard disk looks similar to the following: name ---acoustic address bios_cyl bios_head bios_sect bswap current_speed
78
value ----0 0 38752 16 63 0 68
min --0 0 0 0 0 0 0
max --254 2 65535 255 63 1 70
mode ---rw rw rw rw rw r rw
Chapt er 5. T he proc File Syst em
failures init_speed io_32bit keepsettings lun max_failures multcount nice1 nowerr number pio_mode unmaskirq using_dma wcache
0 68 0 0 0 1 16 1 0 0 write-only 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0
65535 70 3 1 7 65535 16 1 1 3 255 1 1 1
rw rw rw rw rw rw rw rw rw rw w rw rw rw
5.3.6. /pro c/i rq / This directory is used to set IRQ to CPU affinity, which allows the system to connect a particular IRQ to only one CPU. Alternatively, it can exclude a CPU from handling any IRQs. Each IRQ has its own directory, allowing for the individual configuration of each IRQ. The /pro c/i rq /pro f_cpu_mask file is a bitmask that contains the default values for the smp_affi ni ty file in the IRQ directory. The values in smp_affi ni ty specify which CPUs handle that particular IRQ. For more information about the /pro c/i rq / directory, refer to the following installed documentation: /usr/share/doc/kernel-doc-/Documentation/filesystems/proc.txt
5.3.7. /pro c/net/ This directory provides a comprehensive look at various networking parameters and statistics. Each directory and virtual file within this directory describes aspects of the system's network configuration. Below is a partial list of the /pro c/net/ directory: arp — Lists the kernel's ARP table. This file is particularly useful for connecting a hardware address to an IP address on a system. atm/ directory — The files within this directory contain Asynchronous Transfer Mode (ATM) settings and statistics. This directory is primarily used with ATM networking and AD SL cards. d ev — Lists the various network devices configured on the system, complete with transmit and receive statistics. This file displays the number of bytes each interface has sent and received, the number of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more. d ev_mcast — Lists Layer2 multicast groups on which each device is listening. i g mp — Lists the IP multicast addresses which this system joined. i p_co nntrack — Lists tracked network connections for machines that are forwarding IP connections. i p_tabl es_names — Lists the types of i ptabl es in use. This file is only present if i ptabl es is active on the system and contains one or more of the following values: fi l ter, mang l e, or nat.
79
Deployment G uide
i p_mr_cache — Lists the multicast routing cache. i p_mr_vi f — Lists multicast virtual interfaces. netstat — Contains a broad yet detailed collection of networking statistics, including TCP timeouts, SYN cookies sent and received, and much more. psched — Lists global packet scheduler parameters. raw — Lists raw device statistics. ro ute — Lists the kernel's routing table. rt_cache — Contains the current routing cache. snmp — List of Simple Network Management Protocol (SNMP) data for various networking protocols in use. so ckstat — Provides socket statistics. tcp — Contains detailed TCP socket information. tr_ri f — Lists the token ring RIF routing table. ud p — Contains detailed UD P socket information. uni x — Lists UNIX domain sockets currently in use. wi rel ess — Lists wireless interface data.
5.3.8. /pro c/scsi / This directory is analogous to the /pro c/i d e/ directory, but it is for connected SCSI devices. The primary file in this directory is /pro c/scsi /scsi , which contains a list of every recognized SCSI device. From this listing, the type of device, as well as the model name, vendor, SCSI channel and ID data is available. For example, if a system contains a SCSI CD -ROM, a tape drive, a hard drive, and a RAID controller, this file looks similar to the following: Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model: CD-ROM DRIVE:466 Rev: 1.06 Type: CD-ROM ANSI SCSI revision: 02 Host: scsi1 Channel: 00 Id: 06 Lun: 00 Vendor: ARCHIVE Model: Python 04106-XXX Rev: 7350 Type: Sequential-Access
80
Chapt er 5. T he proc File Syst em
ANSI SCSI revision: 02 Host: scsi2 Channel: 00 Id: 06 Lun: 00 Vendor: DELL Model: 1x6 U2W SCSI BP Rev: 5.35 Type: Processor ANSI SCSI revision: 02 Host: scsi2 Channel: 02 Id: 00 Lun: 00 Vendor: MegaRAID Model: LD0 RAID5 34556R Rev: 1.01 Type: Direct-Access ANSI SCSI revision: 02 Each SCSI driver used by the system has its own directory within /pro c/scsi /, which contains files specific to each SCSI controller using that driver. From the previous example, ai c7xxx/ and meg arai d / directories are present, since two drivers are in use. The files in each of the directories typically contain an I/O address range, IRQ information, and statistics for the SCSI controller using that driver. Each controller can report a different type and amount of information. The Adaptec AIC7880 Ultra SCSI host adapter's file in this example system produces the following output: Adaptec AIC7xxx driver version: 5.1.20/3.2.4 Compile Options: TCQ Enabled By Default : Disabled AIC7XXX_PROC_STATS : Enabled AIC7XXX_RESET_DELAY : 5 Adapter Configuration: SCSI Adapter: Adaptec AIC-7880 Ultra SCSI host adapter Ultra Narrow Controller PCI MMAPed I/O Base: 0xfcffe000 Adapter SEEPROM Config: SEEPROM found and used. Adaptec SCSI BIOS: Enabled IRQ: 30 SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255 Interrupts: 33726 BIOS Control Word: 0x18a6 Adapter Control Word: 0x1c5f Extended Translation: Enabled Disconnect Enable Flags: 0x00ff Ultra Enable Flags: 0x0020 Tag Queue Enable Flags: 0x0000 Ordered Queue Tag Flags: 0x0000 Default Tag Queue Depth: 8 Tagged Queue By Device array for aic7xxx host instance 1: {255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255} Actual queue depth per device for aic7xxx host instance 1: {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1} Statistics:
81
Deployment G uide
(scsi1:0:5:0) Device using Narrow/Sync transfers at 20.0 MByte/sec, offset 15 Transinfo settings: current(12/15/0/0), goal(12/15/0/0), user(12/15/0/0) Total transfers 0 (0 reads and 0 writes) < 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+ Reads: 0 0 0 0 0 0 0 0 Writes: 0 0 0 0 0 0 0 0 (scsi1:0:6:0) Device using Narrow/Sync transfers at 10.0 MByte/sec, offset 15 Transinfo settings: current(25/15/0/0), goal(12/15/0/0), user(12/15/0/0) Total transfers 132 (0 reads and 132 writes) < 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+ Reads: 0 0 0 0 0 0 0 0 Writes: 0 0 0 1 131 0 0 0 This output reveals the transfer speed to the SCSI devices connected to the controller based on channel ID , as well as detailed statistics concerning the amount and sizes of files read or written by that device. For example, this controller is communicating with the CD -ROM at 20 megabytes per second, while the tape drive is only communicating at 10 megabytes per second.
5.3.9. /pro c/sys/ The /pro c/sys/ directory is different from others in /pro c/ because it not only provides information about the system but also allows the system administrator to immediately enable and disable kernel features.
Caution Use caution when changing settings on a production system using the various files in the /pro c/sys/ directory. Changing the wrong setting may render the kernel unstable, requiring a system reboot. For this reason, be sure the options are valid for that file before attempting to change any value in /pro c/sys/.
A good way to determine if a particular file can be configured, or if it is only designed to provide information, is to list it with the -l option at the shell prompt. If the file is writable, it may be used to configure the kernel. For example, a partial listing of /pro c/sys/fs looks like the following: -r--r--r--rw-r--r--r--r--r--rw-r--r--r--r--r--
1 1 1 1 1
root root root root root
root root root root root
0 0 0 0 0
May May May May May
10 10 10 10 10
16:14 16:14 16:14 16:14 16:14
dentry-state dir-notify-enable dquot-nr file-max file-nr
In this listing, the files d i r-no ti fy-enabl e and fi l e-max can be written to and, therefore, can be used to configure the kernel. The other files only provide feedback on current settings. Changing a value within a /pro c/sys/ file is done by echoing the new value into the file. For example, to enable the System Request Key on a running kernel, type the command:
82
Chapt er 5. T he proc File Syst em
echo 1 > /pro c/sys/kernel /sysrq This changes the value for sysrq from 0 (off) to 1 (on). A few /pro c/sys/ configuration files contain more than one value. To correctly send new values to them, place a space character between each value passed with the echo command, such as is done in this example: echo 4 2 4 5 > /pro c/sys/kernel /acct
Note Any configuration changes made using the echo command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to Section 5.4, “ Using the sysctl Command” . The /pro c/sys/ directory contains several subdirectories controlling different aspects of a running kernel.
5 .3.9 .1 . /pro c/sys/d ev/ This directory provides parameters for particular devices on the system. Most systems have at least two directories, cd ro m/ and rai d /. Customized kernels can have other directories, such as parpo rt/, which provides the ability to share one parallel port between multiple device drivers. The cd ro m/ directory contains a file called i nfo , which reveals a number of important CD -ROM parameters: CD-ROM information, Id: drive name: drive speed: drive # of slots: Can close tray: Can open tray: Can lock tray: Can change speed: Can select disk: Can read multisession: Can read MCN: Reports media changed: Can play audio: Can write CD-R: Can write CD-RW: Can read DVD: Can write DVD-R: Can write DVD-RAM: Can read MRW: Can write MRW: Can write RAM:
cdrom.c 3.20 2003/12/17 hdc 48 1 1 1 1 1 0 1 1 1 1 0 0 0 0 0 0 0 0
This file can be quickly scanned to discover the qualities of an unknown CD -ROM. If multiple CD ROMs are available on a system, each device is given its own column of information.
83
Deployment G uide
Various files in /pro c/sys/d ev/cd ro m, such as auto cl o se and checkmed i a, can be used to control the system's CD -ROM. Use the echo command to enable or disable these features. If RAID support is compiled into the kernel, a /pro c/sys/d ev/rai d / directory becomes available with at least two files in it: speed _l i mi t_mi n and speed _l i mi t_max. These settings determine the acceleration of RAID devices for I/O intensive tasks, such as resyncing the disks.
5 .3.9 .2 . /pro c/sys/fs/ This directory contains an array of options and information concerning various aspects of the file system, including quota, file handle, inode, and dentry information. The bi nfmt_mi sc/ directory is used to provide kernel support for miscellaneous binary formats. The important files in /pro c/sys/fs/ include: d entry-state — Provides the status of the directory cache. The file looks similar to the following: 57411 52939 45 0 0 0 The first number reveals the total number of directory cache entries, while the second number displays the number of unused entries. The third number tells the number of seconds between when a directory has been freed and when it can be reclaimed, and the fourth measures the pages currently requested by the system. The last two numbers are not used and display only zeros. d q uo t-nr — Lists the maximum number of cached disk quota entries. fi l e-max — Lists the maximum number of file handles that the kernel allocates. Raising the value in this file can resolve errors caused by a lack of available file handles. fi l e-nr — Lists the number of allocated file handles, used file handles, and the maximum number of file handles. o verfl o wg i d and o verfl o wui d — D efines the fixed group ID and user ID , respectively, for use with file systems that only support 16-bit group and user ID s. super-max — Controls the maximum number of superblocks available. super-nr — D isplays the current number of superblocks in use.
5 .3.9 .3. /pro c/sys/kernel / This directory contains a variety of different configuration files that directly affect the operation of the kernel. Some of the most important files include: acct — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following: 4 2 30 The first value dictates the percentage of free space required for logging to resume, while the second value sets the threshold percentage of free space when logging is suspended. The third value sets the interval, in seconds, that the kernel polls the file system to see if logging should be suspended or resumed.
84
Chapt er 5. T he proc File Syst em
cap-bo und — Controls the capability bounding settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process. For a valid list of values for this virtual file, refer to the following installed documentation: /l i b/mo d ul es//bui l d /i ncl ud e/l i nux/capabi l i ty. h. ctrl -al t-d el — Controls whether C trl +Al t+D el ete gracefully restarts the computer using i ni t (0 ) or forces an immediate reboot without syncing the dirty buffers to disk (1). d o mai nname — Configures the system domain name, such as exampl e. co m. exec-shi el d — Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks. There are two possible values for this virtual file: 0 — D isables Exec Shield. 1 — Enables Exec Shield. This is the default value.
Important If a system is running security-sensitive applications that were started while Exec Shield was disabled, these applications must be restarted when Exec Shield is enabled in order for Exec Shield to take effect. exec-shi el d -rand o mi ze — Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address. There are two possible values for this virtual file: 0 — D isables randomization of Exec Shield. This may be useful for application debugging purposes. 1 — Enables randomization of Exec Shield. This is the default value. Note: The exec-shi el d file must also be set to 1 for exec-shi el d -rand o mi ze to be effective. ho stname — Configures the system hostname, such as www. exampl e. co m. ho tpl ug — Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of /sbi n/ho tpl ug should not be changed unless testing a new program to fulfill this role. mo d pro be — Sets the location of the program used to load kernel modules. The default value is /sbi n/mo d pro be which means kmo d calls it to load the module when a kernel thread calls kmo d . msg max — Sets the maximum size of any message sent from one process to another and is set to 819 2 bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase in msg max would increase RAM requirements for the system. msg mnb — Sets the maximum number of bytes in a single message queue. The default is 16 384 .
85
Deployment G uide
msg mni — Sets the maximum number of message queue identifiers. The default is 16 . o srel ease — Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling. o stype — D isplays the type of operating system. By default, this file is set to Li nux, and this value can only be changed by changing the kernel source and recompiling. o verfl o wg i d and o verfl o wui d — D efines the fixed group ID and user ID , respectively, for use with system calls on architectures that only support 16-bit group and user ID s. pani c — D efines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to 0 , which disables automatic rebooting after a panic. pri ntk — This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a loglevel associated with it that defines the importance of the message. The loglevel values break down in this order: 0 — Kernel emergency. The system is unusable. 1 — Kernel alert. Action must be taken immediately. 2 — Condition of the kernel is considered critical. 3 — General kernel error condition. 4 — General kernel warning condition. 5 — Kernel notice of a normal but significant condition. 6 — Kernel informational message. 7 — Kernel debug-level messages. Four values are found in the pri ntk file: 6
4
1
7
Each of these values defines a different rule for dealing with error messages. The first value, called the console loglevel, defines the lowest priority of messages printed to the console. (Note that, the lower the priority, the higher the loglevel number.) The second value sets the default loglevel for messages without an explicit loglevel attached to them. The third value sets the lowest possible loglevel configuration for the console loglevel. The last value sets the default value for the console loglevel. rand o m/ directory — Lists a number of values related to generating random numbers for the kernel. rtsi g -max — Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is 10 24 . rtsi g -nr — Lists the current number of POSIX real-time signals queued by the kernel. sem — Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process. shmal l — Sets the total amount of shared memory pages that can be used at one time, systemwide. By default, this value is 20 9 7152.
86
Chapt er 5. T he proc File Syst em
shmmax — Sets the largest shared memory segment size allowed by the kernel. By default, this value is 33554 4 32. However, the kernel supports much larger values than this. shmmni — Sets the maximum number of shared memory segments for the whole system. By default, this value is 4 0 9 6 . sysrq — Activates the System Request Key, if this value is set to anything other than zero (0 ), the default. The System Request Key allows immediate input to the kernel through simple key combinations. For example, the System Request Key can be used to immediately shut down or restart a system, sync all mounted file systems, or dump important information to the console. To initiate a System Request Key, type Al t+SysR q + . Replace with one of the following system request codes: r — D isables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Al t, C trl , or Shi ft for all keys). k — Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from i ni t and not a Trojan copy designed to capture usernames and passwords. b — Reboots the kernel without first unmounting file systems or syncing disks attached to the system. c — Crashes the system without first unmounting file systems or syncing disks attached to the system. o — Shuts off the system. s — Attempts to sync disks attached to the system. u — Attempts to unmount and remount all file systems as read-only. p — Outputs all flags and registers to the console. t — Outputs a list of processes to the console. m — Outputs memory statistics to the console. 0 through 9 — Sets the log level for the console. e — Kills all processes except i ni t using SIGTERM. i — Kills all processes except i ni t using SIGKILL. l — Kills all processes using SIGKILL (including i ni t). The system is unusable after issuing this System Request Key code. h — D isplays help text. This feature is most beneficial when using a development kernel or when experiencing system freezes.
87
Deployment G uide
Caution The System Request Key feature is considered a security risk because an unattended console provides an attacker with access to the system. For this reason, it is turned off by default. Refer to /usr/share/d o c/kernel -d o c-/D o cumentati o n/sysrq . txt for more information about the System Request Key. sysrq -key — D efines the key code for the System Request Key (84 is the default). sysrq -sti cky — D efines whether the System Request Key is a chorded key combination. The accepted values are as follows: 0 — Al t+SysR q and the system request code must be pressed simultaneously. This is the default value. 1 — Al t+SysR q must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in /pro c/sys/kernel /sysrq -ti mer elapses. sysrq -ti mer — Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is 10 . tai nted — Indicates whether a non-GPL module is loaded. 0 — No non-GPL modules are loaded. 1 — At least one module without a GPL license (including modules with no license) is loaded. 2 — At least one module was force-loaded with the command i nsmo d -f. thread s-max — Sets the maximum number of threads to be used by the kernel, with a default value of 20 4 8. versi o n — D isplays the date and time the kernel was last compiled. The first field in this file, such as #3, relates to the number of times a kernel was built from the source base.
5 .3.9 .4 . /pro c/sys/net/ This directory contains subdirectories concerning various networking topics. Various configurations at the time of kernel compilation make different directories available here, such as ethernet/, i pv4 /, i px/, and i pv6 /. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system. Given the wide variety of possible networking options available with Linux, only the most common /pro c/sys/net/ directories are discussed. The /pro c/sys/net/co re/ directory contains a variety of settings that control the interaction between the kernel and networking layers. The most important of these files are: messag e_burst — Sets the amount of time in tenths of a second required to write a new warning message. This setting is used to mitigate Denial of Service (DoS) attacks. The default setting is 50 . messag e_co st — Sets a cost on every warning message. The higher the value of this file (default of 5), the more likely the warning message is ignored. This setting is used to mitigate D oS attacks.
88
Chapt er 5. T he proc File Syst em
The idea of a D oS attack is to bombard the targeted system with requests that generate errors and fill up disk partitions with log files or require all of the system's resources to handle the error logging. The settings in messag e_burst and messag e_co st are designed to be modified based on the system's acceptable risk versus the need for comprehensive logging. netd ev_max_backl o g — Sets the maximum number of packets allowed to queue when a particular interface receives packets faster than the kernel can process them. The default value for this file is 30 0 . o ptmem_max — Configures the maximum ancillary buffer size allowed per socket. rmem_d efaul t — Sets the receive socket buffer default size in bytes. rmem_max — Sets the receive socket buffer maximum size in bytes. wmem_d efaul t — Sets the send socket buffer default size in bytes. wmem_max — Sets the send socket buffer maximum size in bytes. The /pro c/sys/net/i pv4 / directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router.
Caution An erroneous change to these files may affect remote connectivity to the system. The following is a list of some of the more important files within the /pro c/sys/net/i pv4 / directory: i cmp_d estunreach_rate, i cmp_echo repl y_rate, i cmp_parampro b_rate, and i cmp_ti meexeed _rate — Set the maximum ICMP send packet rate, in 1/100 of a second, to hosts under certain conditions. A setting of 0 removes any delay and is not a good idea. i cmp_echo _i g no re_al l and i cmp_echo _i g no re_bro ad casts — Allows the kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses, respectively. A value of 0 allows the kernel to respond, while a value of 1 ignores the packets. i p_d efaul t_ttl — Sets the default Time To Live (TTL), which limits the number of hops a packet may make before reaching its destination. Increasing this value can diminish system performance. i p_fo rward — Permits interfaces on the system to forward packets to one other. By default, this file is set to 0 . Setting this file to 1 enables network packet forwarding. i p_l o cal _po rt_rang e — Specifies the range of ports to be used by TCP or UD P when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port. Any systems that expect to require more ports than the default 1024 to 4999 should use a range from 32768 to 61000. tcp_syn_retri es — Provides a limit on the number of times the system re-transmits a SYN packet when attempting to make a connection. tcp_retri es1 — Sets the number of permitted re-transmissions attempting to answer an incoming connection. D efault of 3. tcp_retri es2 — Sets the number of permitted re-transmissions of TCP packets. D efault of 15.
89
Deployment G uide
The file called /usr/share/d o c/kernel -d o c-/D o cumentati o n/netwo rki ng / i psysctl . txt contains a complete list of files and options available in the /pro c/sys/net/i pv4 / directory. A number of other directories exist within the /pro c/sys/net/i pv4 / directory and each covers a different aspect of the network stack. The /pro c/sys/net/i pv4 /co nf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the /pro c/sys/net/i pv4 /co nf/d efaul t/ subdirectory) and settings that override all special configurations (in the /pro c/sys/net/i pv4 /co nf/al l / subdirectory). The /pro c/sys/net/i pv4 /nei g h/ directory contains settings for communicating with a host directly connected to the system (called a network neighbor) and also contains different settings for systems more than one hop away. Routing over IPV4 also has its own directory, /pro c/sys/net/i pv4 /ro ute/. Unlike co nf/ and nei g h/, the /pro c/sys/net/i pv4 /ro ute/ directory contains specifications that apply to routing with any interfaces on the system. Many of these settings, such as max_si ze, max_d el ay, and mi n_d el ay, relate to controlling the size of the routing cache. To clear the routing cache, write any value to the fl ush file. Additional information about these directories and the possible values for their configuration files can be found in: /usr/share/doc/kernel-doc-/Documentation/filesystems/proc.txt
5 .3.9 .5 . /pro c/sys/vm/ This directory facilitates the configuration of the Linux kernel's virtual memory (VM) subsystem. The kernel makes extensive and intelligent use of virtual memory, which is commonly referred to as swap space. The following files are commonly found in the /pro c/sys/vm/ directory: bl o ck_d ump — Configures block I/O debugging when enabled. All read/write and block dirtying operations done to files are logged accordingly. This can be useful if diagnosing disk spin up and spin downs for laptop battery conservation. All output when bl o ck_d ump is enabled can be retrieved via d mesg . The default value is 0 .
T ip If bl o ck_d ump is enabled at the same time as kernel debugging, it is prudent to stop the kl o g d daemon, as it generates erroneous disk activity caused by bl o ck_d ump. d i rty_backg ro und _rati o — Starts background writeback of dirty data at this percentage of total memory, via a pdflush daemon. The default value is 10 . d i rty_expi re_centi secs — D efines when dirty in-memory data is old enough to be eligible for writeout. D ata which has been dirty in-memory for longer than this interval is written out next time a pdflush daemon wakes up. The default value is 30 0 0 , expressed in hundredths of a second.
90
Chapt er 5. T he proc File Syst em
d i rty_rati o — Starts active writeback of dirty data at this percentage of total memory for the generator of dirty data, via pdflush. The default value is 4 0 . d i rty_wri teback_centi secs — D efines the interval between pdflush daemon wakeups, which periodically writes dirty in-memory data out to disk. The default value is 50 0 , expressed in hundredths of a second. l apto p_mo d e — Minimizes the number of times that a hard disk needs to spin up by keeping the disk spun down for as long as possible, therefore conserving battery power on laptops. This increases efficiency by combining all future I/O processes together, reducing the frequency of spin ups. The default value is 0 , but is automatically enabled in case a battery on a laptop is used. This value is controlled automatically by the acpid daemon once a user is notified battery power is enabled. No user modifications or interactions are necessary if the laptop supports the ACPI (Advanced Configuration and Power Interface) specification. For more information, refer to the following installed documentation: /usr/share/d o c/kernel -d o c-/D o cumentati o n/l apto p-mo d e. txt l o wer_zo ne_pro tecti o n — D etermines how aggressive the kernel is in defending lower memory allocation zones. This is effective when utilized with machines configured with hi g hmem memory space enabled. The default value is 0 , no protection at all. All other integer values are in megabytes, and l o wmem memory is therefore protected from being allocated by users. For more information, refer to the following installed documentation: /usr/share/d o c/kernel -d o c-/D o cumentati o n/fi l esystems/pro c. txt max_map_co unt — Configures the maximum number of memory map areas a process may have. In most cases, the default value of 6 5536 is appropriate. mi n_free_kbytes — Forces the Linux VM (virtual memory manager) to keep a minimum number of kilobytes free. The VM uses this number to compute a pag es_mi n value for each l o wmem zone in the system. The default value is in respect to the total memory on the machine. nr_hug epag es — Indicates the current number of configured hug etl b pages in the kernel. For more information, refer to the following installed documentation: /usr/share/d o c/kernel -d o c-/D o cumentati o n/vm/hug etl bpag e. txt nr_pd fl ush_thread s — Indicates the number of pdflush daemons that are currently running. This file is read-only, and should not be changed by the user. Under heavy I/O loads, the default value of two is increased by the kernel. o verco mmi t_memo ry — Configures the conditions under which a large memory request is accepted or denied. The following three modes are available: 0 — The kernel performs heuristic memory over commit handling by estimating the amount of memory available and failing requests that are blatantly invalid. Unfortunately, since memory is allocated using a heuristic rather than a precise algorithm, this setting can sometimes allow available memory on the system to be overloaded. This is the default setting. 1 — The kernel performs no memory over commit handling. Under this setting, the potential for memory overload is increased, but so is performance for memory intensive tasks (such as those executed by some scientific software).
91
Deployment G uide
2 — The kernel fails requests for memory that add up to all of swap plus the percent of physical RAM specified in /pro c/sys/vm/o verco mmi t_rati o . This setting is best for those who desire less risk of memory overcommitment.
Note This setting is only recommended for systems with swap areas larger than physical memory. o verco mmi t_rati o — Specifies the percentage of physical RAM considered when /pro c/sys/vm/o verco mmi t_memo ry is set to 2. The default value is 50 . pag e-cl uster — Sets the number of pages read in a single attempt. The default value of 3, which actually relates to 16 pages, is appropriate for most systems. swappi ness — D etermines how much a machine should swap. The higher the value, the more swapping occurs. The default value, as a percentage, is set to 6 0 . All kernel-based documentation can be found in the following locally installed location: /usr/share/d o c/kernel -d o c-/D o cumentati o n/, which contains additional information.
5.3.10. /pro c/sysvi pc/ This directory contains information about System V IPC resources. The files in this directory relate to System V IPC calls for messages (msg ), semaphores (sem), and shared memory (shm).
5.3.11. /pro c/tty/ This directory contains information about the available and currently used tty devices on the system. Originally called teletype devices, any character-based data terminals are called tty devices. In Linux, there are three different kinds of tty devices. Serial devices are used with serial connections, such as over a modem or using a serial cable. Virtual terminals create the common console connection, such as the virtual consoles available when pressing Al t+ at the system console. Pseudo terminals create a two-way communication that is used by some higher level applications, such as XFree86. The d ri vers file is a list of the current tty devices in use, as in the following example: serial serial pty_slave pty_master pty_slave pty_master /dev/vc/0 /dev/ptmx /dev/console /dev/tty unknown
/dev/cua /dev/ttyS /dev/pts /dev/ptm /dev/ttyp /dev/pty /dev/vc/0 /dev/ptmx /dev/console /dev/tty /dev/vc/%d
5 4 136 128 3 2 4 5 5 5 4
64-127 64-127 0-255 0-255 0-255 0-255 0 2 1 0 1-63
serial:callout serial pty:slave pty:master pty:slave pty:master system:vtmaster system system:console system:/dev/tty console
The /pro c/tty/d ri ver/seri al file lists the usage statistics and status of each of the serial tty lines.
92
Chapt er 5. T he proc File Syst em
In order for tty devices to be used as network devices, the Linux kernel enforces line discipline on the device. This allows the driver to place a specific type of header with every block of data transmitted over the device, making it possible for the remote end of the connection to a block of data as just one in a stream of data blocks. SLIP and PPP are common line disciplines, and each are commonly used to connect systems to one other over a serial link. Registered line disciplines are stored in the l d i scs file, and more detailed information is available within the l d i sc/ directory.
5.3.12. /pro c/
/ Out of Memory (OOM) refers to a computing state where all available memory, including swap space, has been allocated. When this situation occurs, it will cause the system to panic and stop functioning as expected. There is a switch that controls OOM behavior in /pro c/sys/vm/pani c_o n_o o m. When set to 1 the kernel will panic on OOM. A setting of 0 instructs the kernel to call a function named o o m_ki l l er on an OOM. Usually, o o m_ki l l er can kill rogue processes and the system will survive. The easiest way to change this is to echo the new value to /pro c/sys/vm/pani c_o n_o o m. ~]# cat /pro c/sys/vm/pani c_o n_o o m 1 ~]# echo 0 > /pro c/sys/vm/pani c_o n_o o m ~]# cat /pro c/sys/vm/pani c_o n_o o m 0 It is also possible to prioritize which processes get killed by adjusting the o o m_ki l l er score. In /pro c/
/ there are two tools labelled o o m_ad j and o o m_sco re. Valid scores for o o m_ad j are in the range -16 to +15. To see the current o o m_ki l l er score, view the o o m_sco re for the process. o o m_ki l l er will kill processes with the highest scores first. This example adjusts the oom_score of a process with a PID of 12465 to make it less likely that o o m_ki l l er will kill it. ~]# cat /pro c/124 6 5/o o m_sco re 79872 ~]# echo -5 > /pro c/124 6 5/o o m_ad j ~]# cat /pro c/124 6 5/o o m_sco re 78 There is also a special value of -17, which disables o o m_ki l l er for that process. In the example below, o o m_sco re returns a value of 0, indicating that this process would not be killed. ~]# cat /pro c/124 6 5/o o m_sco re 78 ~]# echo -17 > /pro c/124 6 5/o o m_ad j ~]# cat /pro c/124 6 5/o o m_sco re 0 A function called bad ness() is used to determine the actual score for each process. This is done by adding up 'points' for each examined process. The process scoring is done in the following way: 1. The basis of each process's score is its memory size. 2. The memory size of any of the process's children (not including a kernel thread) is also added to the score where is the number of seconds to wait for link negotiation before configuring the device. MAC AD D R = where is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive is used to assign a MAC address to an interface, overriding the one assigned to the physical NIC. This directive should n o t be used in conjunction with HWAD D R . MAST ER = where is the channel bonding interface to which the Ethernet interface is linked. This directive is used in conjunction with the SLAVE directive. Refer to Section 16.2.3, “ Channel Bonding Interfaces” for more information about channel bonding interfaces. NET MASK= where is the netmask value. NET WO R K= where is the network address. This directive is deprecated, as the value is calculated automatically with i pcal c.[email protected] . Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher. block rather than a . The caching functionality of the old mo d _pro xy has been split out into the following three modules: mo d _cache mo d _d i sk_cache mo d _mem_cache These generally use directives similar to the older versions of the mo d _pro xy module, but it is advisable to verify each directive before migrating any cache settings. For more on this topic, refer to the following documentation on the Apache Software Foundation's website: http://httpd.apache.org/docs-2.0/mod/mod_proxy.html 25.2.2.4 .4 . T h e mo d _i ncl ud e Mo d u le The mo d _i ncl ud e module is now implemented as a filter and is therefore enabled differently. Refer to Section 25.2.2.4, “ Modules and Apache HTTP Server 2.0” for more about filters. For example, the following is a sample Apache HTTP Server 1.3 directive: AddType text/html .shtml AddHandler server-parsed .shtml To migrate this setting to Apache HTTP Server 2.0, use the following structure: AddType text/html .shtml Ad d O utputFi l ter INC LUD ES .shtml
and
tags create a container which encloses a group of configuration directives meant to apply only to the proxy server. Many directives which are allowed within a container may also be used within container.
stanza. Set the P ro xyR eq uests directive to O n, and set which domains are allowed access to the server in the Al l o w fro m directive of the
stanza.[email protected] ). In this configuration, users with a second principal with an instance of admin (for example, joe/[email protected] ) are able to wield full power over the realm's Kerberos database. After kad mi nd has been started on the server, any user can access its services by running kad mi n on any of the clients or servers in the realm. However, only users listed in the kad m5. acl file can modify the database in any way, except for changing their own passwords.
