Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 08-05-2008 Installation Manual


SUSE Linux Enterprise Server 10, Installation and Administration, May 08, 2008, www.novell.com


Summary of Contents for Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 08-05-2008

  • Page 1 SUSE Linux Enterprise Server www.novell.com Installation and Administration May 08, 2008...
  • Page 2 The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell...
  • Page 3: Table Of Contents

    Contents: About This Guide; Part I Deployment; 1 Planning for SUSE Linux Enterprise; Considerations for Deployment of a SUSE Linux Enterprise; Deployment of SUSE Linux Enterprise; Running SUSE Linux Enterprise
  • Page 4 3.13 Performing the Installation; 3.14 Configuration of the Installed System; 3.15 Graphical Login
  • Page 5 8.14 SaX2; 8.15 Troubleshooting; 8.16 For More Information
  • Page 6 14.7 Mounting an OCFS2 Volume; 14.8 Additional Information; 15 Access Control Lists in Linux; 15.1 Traditional File Permissions
  • Page 7 Part III System; 19 32-Bit and 64-Bit Applications in a 64-Bit System Environment; 19.1 Runtime Support; 19.2 Software Development
  • Page 8 24 Dynamic Kernel Device Management with udev; 24.1 The /dev Directory; 24.2 Kernel uevents and udev; 24.3 Drivers, Kernel Modules, and Devices
  • Page 9 Part IV Services; 30 Basic Networking; 30.1 IP Addresses and Routing; 30.2 IPv6—The Next Generation Internet; 30.3 Name Resolution
  • Page 10 35 Using NIS; 35.1 Configuring NIS Servers; 35.2 Configuring NIS Clients; 36 LDAP—A Directory Service; 36.1 LDAP versus NIS
  • Page 11 40 The Apache HTTP Server; 40.1 Quick Start; 40.2 Configuring Apache; 40.3 Starting and Stopping Apache
  • Page 12 48 Confining Privileges with AppArmor; 48.1 Installing Novell AppArmor; 48.2 Enabling and Disabling Novell AppArmor
  • Page 13 Part VI Troubleshooting; 50 Help and Documentation; 50.1 Using the SUSE Help Center; 50.2 Man Pages; 50.3 Info Pages
  • Page 15: About This Guide

    About This Guide This guide is intended for use by professional network and system administrators during the actual planning, deployment, configuration, and operation of SUSE Linux Enterprise®. As such, it is solely concerned with ensuring that SUSE Linux Enterprise is properly configured and that the required services on the network are available to allow it to function properly as initially installed.
  • Page 16: Documentation Updates

    Security: This edition of SUSE Linux Enterprise includes several security-related features. It ships with Novell® AppArmor, which enables you to protect your applications by restricting privileges. Secure login, firewalling, and file system encryption are covered as well. Troubleshooting: SUSE Linux Enterprise includes a wealth of applications, tools, and documentation should you need them in case of trouble.
  • Page 17 Novell AppArmor Administration Guide An in-depth administration guide to Novell AppArmor that introduces application confinement for heightened security in your environment. Storage Administration Guide An introduction to managing various types of storage devices on SUSE Linux Enterprise. Heartbeat Guide An in-depth administration guide to setting up high availability scenarios with Heartbeat.
  • Page 18 4 Documentation Conventions The following typographical conventions are used in this manual: • /etc/passwd: filenames and directory names • placeholder: replace placeholder with the actual value • PATH: the environment variable PATH • ls, --help: commands, options, and parameters • user: users or groups •...
  • Page 19: Part I Deployment

    Part I. Deployment...
  • Page 21: Planning For Suse Linux Enterprise

    Runs many virtual machines on a single server, each with its own instance of an operating system. For more information about this technology, see the virtualization manual on http://www.novell.com/documentation/sles10/index.html. YaST Several new configuration options have been developed for YaST. These are normally described in the chapters about the technology involved.
  • Page 22 • Microsoft Active Directory • OpenLDAP Novell AppArmor Harden your System with the Novell AppArmor technology. This service is described in depth in Novell AppArmor Administration Guide (↑Novell AppArmor Administration Guide). iSCSI iSCSI provides an easy and reasonably inexpensive solution for connecting Linux computers to central storage systems.
  • Page 23: Considerations For Deployment Of A Suse Linux Enterprise

    Find the registration and patch support database at http://www.novell.com/suselinuxportal. • Do you need help for your local installation? Novell provides training, support, and consulting for all topics around SUSE Linux Enterprise. Find more information about this at http://www.novell.com/products/linuxenterpriseserver/.
  • Page 24: Running Suse Linux Enterprise

    Strategies (page 7) for more information. When using the Xen virtualization technologies, network root file systems or network storage solutions like iSCSI should be considered. See also Chapter 12, Mass Storage over IP Networks—iSCSI (page 271). SUSE Linux Enterprise provides you with a broad variety of services. Find an overview of the documentation in this book in About This Guide (page xv).
  • Page 25: Deployment Strategies

    Deployment Strategies There are several different ways to deploy SUSE® Linux Enterprise. Choose from various approaches ranging from a local installation using physical media or a network installation server to a mass deployment using a remote-controlled, highly-customized, and automated installation technique. Select the method that best matches your requirements.
  • Page 26 Table 2.1 Installing from the SUSE Linux Enterprise Media
    Installation Source: SUSE Linux Enterprise media kit
    Tasks Requiring Manual Interaction: Inserting the installation media; Booting the installation target; Changing media; Determining the YaST installation scope; ...
  • Page 27: Deploying Up To 100 Workstations

    Table 2.3 Installing from a Network Server
    Installation Source: Network installation server holding the SUSE Linux Enterprise installation media
    Tasks Requiring Manual Interaction: Inserting the boot disk; Providing boot options; Booting the installation target; Determining the YaST installation scope; ...
  • Page 28 Simple Remote Installation via VNC—Dynamic Network Configuration (page 11) Consider this approach in a small to medium scenario with dynamic network setup through DHCP. A network, network installation server, and VNC viewer application are required. Remote Installation via VNC—PXE Boot and Wake on LAN (page 12) Consider this approach in a small to medium scenario that should be installed via network and without physical interaction with the installation targets.
  • Page 29 Table 2.4 Simple Remote Installation via VNC—Static Network Configuration Installation Source Network Preparations • Setting up an installation source • Booting from the installation media Control and Monitoring Remote: VNC Best Suited For small to medium scenarios with varying hardware Drawbacks •...
  • Page 30 Details Section 4.1.2, “Simple Remote Installation via VNC—Dynamic Network Configuration” (page 49) Table 2.6 Remote Installation via VNC—PXE Boot and Wake on LAN Installation Source Network Preparations • Setting up the installation source • Configuring DHCP, TFTP, PXE boot, and WOL •...
  • Page 31 • Low bandwidth connections to target Drawbacks • Each machine must be set up individually • Physical access is needed for booting Details Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration” (page 52) Table 2.8 Remote Installation via SSH—Dynamic Network Configuration Installation Source Network Preparations...
  • Page 32 • Configuring DHCP, TFTP, PXE boot, and WOL • Booting from the network Control and Monitoring Remote: SSH Best Suited For • Small to medium scenarios with varying hardware • Completely remote installs; cross-site deployment • Low bandwidth connections to target Drawbacks Each machine must be set up individually Details...
  • Page 33 Best Suited For • Large scenarios • Identical hardware • No access to system (network boot) Drawbacks Applies only to machines with identical hardware Details Section 5.1, “Simple Mass Installation” (page 85) Table 2.11 Rule-Based Autoinstallation Installation Source Preferably network Preparations •...
  • Page 34: Deploying More Than 100 Workstations

    Details Section 5.2, “Rule-Based Autoinstallation” (page 97) 2.3 Deploying More than 100 Workstations Most of the considerations brought up for medium installation scenarios in Section 2.1, “Deploying up to 10 Workstations” (page 7) still hold true for large scale deployments. However, with a growing number of installation targets, the benefits of a fully automated installation method outweigh its disadvantages.
  • Page 35: Installation With Yast

    Installation with YaST After your hardware has been prepared for the installation of SUSE Linux Enterprise® as described in the Architecture-Specific Information manual and after the connection with the installation system has been established, you are presented with the interface of SUSE Linux Enterprise's system assistant YaST.
  • Page 36: Ibm System Z: System Start-Up For Installation

    3.2 IBM System z: System Start-Up for Installation For IBM System z platforms, the system is initialized (IPL) as described in the Architecture-Specific Information manual. SUSE Linux Enterprise does not show a splash screen on these systems. During the installation, load the kernel, initrd, and parmfile manually.
  • Page 37 Table 3.1 Boot Options Boot Option Description DVD/CD-ROM This is the easiest boot option. This option can be used if the system has a local CD/DVD-ROM drive that is supported by Linux. Floppy The images for generating boot floppies are located on CD/DVD 1 in the /boot directory.
  • Page 38: The Installation Workflow

    The installation program retrieves the location of the network installation source using OpenSLP and configures the network connection with DHCP. If the DHCP network configuration fails, you are prompted to enter the appropriate parameters manually. The installation then proceeds as described below. 3.3.4 Installing from a Network Source without SLP If your network setup does not support OpenSLP for the retrieval of network installation...
  • Page 39 Installation The normal installation mode. All modern hardware functions are enabled. Installation—ACPI Disabled If the normal installation fails, this might be due to the system hardware not supporting ACPI (advanced configuration and power interface). If this seems to be the case, use this option to install without ACPI support.
  • Page 40 F2 Language Select the display language for the installation. The default language is English. F3 Video Mode Select various graphical display modes for the installation. Select Text Mode if the graphical installation causes problems. F4 Source Normally, the installation is performed from the inserted installation medium. Here, select other sources, like FTP or NFS servers.
  • Page 41 smturl URL of the SMT server. The URL has a fixed format https://FQN/center/regsvc/ where FQN has to be the fully qualified hostname of the SMT server. Example: smturl=https://smt.example.com/center/regsvc/ smtcert Location of the SMT server's certificate. Specify one of the following locations: Remote location (http, https or ftp) from which the certificate can be downloaded.
  • Page 42: Language

    smtcert has been entered, you will be prompted for a local path to the certificate. In case smtcert is not specified, it will default to http://FQN/smt.crt with FQN being the name of the SMT server. Note that this default fetches the CA certificate over plain HTTP, so the download itself cannot be authenticated: an attacker who can intercept that first request can substitute a certificate of their own and then impersonate the SMT server for the rest of the registration. Where the network between the installation target and the SMT server is not trusted, point smtcert at a local or otherwise trusted copy, or compare the fingerprint of the downloaded certificate with the one published by the SMT administrator before continuing. 3.6 Language YaST and SUSE Linux Enterprise in general can be configured to use different languages according to your needs.
  • Page 43 Figure 3.1 IBM System z: Selecting a DASD Now specify the DASDs to use for the installation by selecting the corresponding entries in the list then clicking Select or Deselect. After that, activate and make the DASDs available for the installation by selecting Perform Action > Activate. See Figure 3.2, “IBM System z: Activating a DASD”...
  • Page 44 Figure 3.3 IBM System z: Overview of Available ZFCP Disks To use ZFCP disks for the SUSE Linux Enterprise installation, select Configure ZFCP Disks in the selection dialog. This opens a dialog with a list of the ZFCP disks available on the system.
  • Page 45: Media Check

    After adding the disks, reread the partition table. Return to the installation proposal screen and choose Partitioning then select Reread Partition Table. This reads the new partition table and resets any previously entered information. 3.8 Media Check The media check dialog appears only if you install from media created from downloaded ISOs.
  • Page 46: Installation Mode

    3.10 Installation Mode After a system analysis where YaST tries to find other installed systems or an already existing SUSE Linux Enterprise system on your machine, YaST displays the installation modes available: New installation Select this option to start a new installation from scratch. Update an existing system Select this option to update to a newer version.
  • Page 47: Clock And Time Zone

    are available, such as CD, FTP, or a local directory. After adding the add-on media, you may need to agree to additional license agreements for third-party products. 3.11 Clock and Time Zone In this dialog, select your region and time zone from the lists. During installation, both are preselected according to the selected installation language.
  • Page 48: Keyboard Layout

    Figure 3.4 Installation Settings TIP: Resetting the changes to default values You can reset all changes to the defaults by clicking Change > Reset to Defaults. YaST then shows the original proposal again. 3.12.1 Overview The options that sometimes need manual intervention in common installation situations are presented in the Overview tab.
  • Page 49 ►zseries: On the IBM System z platforms, the installation is performed from a remote terminal. The host as such has no keyboard or mouse locally connected to it. ◄ Partitioning In most cases, YaST proposes a reasonable partitioning scheme that can be accepted without change.
  • Page 50 Figure 3.5 Installing and Removing Software with the YaST Software Manager You can also install additional software packages or remove software packages from your system at any time later. For more information, refer to Section 8.3.1, “Installing and Removing Software” (page 132).
  • Page 51 3.12.2 Expert If you are an advanced user and want to configure booting or change the time zone or default runlevel, select the Expert tab. It shows the following additional entries not contained on the Overview tab: System This dialog presents all the hardware information YaST could obtain about your computer.
  • Page 52: Performing The Installation

    3.13 Performing the Installation After making all installation settings, click Accept in the suggestion window to begin the installation. Confirm with Install. Some software may require a license confirmation. If your software selection includes such software, license confirmation dialogs are displayed.
  • Page 53: Installed System

    3.13.2 IBM System z: Connecting to the Installed System After IPLing the installed system, establish a connection with it to complete the installation. The steps involved in this vary depending on the type of connection used at the outset. Using VNC to Connect A message in the 3270 terminal asks you to connect to the Linux system using a VNC client.
  • Page 54: Configuration Of The Installed System

    When the connection is established, execute the command /usr/lib/YaST2/startup/YaST2.ssh. yast does not suffice in this case. YaST then starts to complete the installation of the remaining packages and create an initial system configuration. 3.14 Configuration of the Installed System The system is installed now but not configured for use. No users, hardware, or services are configured, yet.
  • Page 55: Network Configuration

    SUSE Linux Enterprise can use the DES, MD5, or Blowfish algorithms for hashing passwords. YaST calls these encryption types, but what is stored in /etc/shadow is a one-way crypt(3) hash, not a recoverable ciphertext. The default type is Blowfish. Traditional DES truncates the password to eight characters and uses only a 12-bit salt, and MD5-crypt runs a fixed, small number of rounds, so both are cheap to brute-force by today's standards; keep Blowfish unless you must share hashes with systems that cannot read that format. The type only affects passwords set from then on; existing hashes keep their old format until the user next changes the password. To change the hashing type, click Expert Options > Encryption Type and select the new type. The root password can be changed any time later in the installed system. To do so run YaST and start Security and Users >...
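Because the hashing type chosen here only governs new passwords, an administrator who later switches from DES or MD5 to Blowfish needs a way to find the accounts that still carry the old format. The following Python 3 script is an added example for this section, not SUSE tooling: it classifies each /etc/shadow password field by its crypt(3) prefix (DES has no prefix and is exactly 13 characters) and also flags locked accounts and, more importantly, accounts with an empty password field. The SAMPLE_SHADOW text is constructed; its password fields have the right shape for each scheme but are not hashes of any real password. The SHA-256/SHA-512 prefixes go beyond the three schemes SLES 10 offers so the audit also works on later systems.

```python
"""Classify the crypt(3) hash scheme of each /etc/shadow entry.

Added example for this manual section; it is not SUSE tooling. SAMPLE_SHADOW is
constructed: the password fields have the right prefixes and lengths for each
scheme but are not hashes of any real password.
"""
import re

# Scheme identifiers in the password field. Traditional DES has no prefix and
# is exactly 13 characters from the crypt alphabet.
PREFIXES = {
    "$1$": "md5",
    "$2a$": "blowfish",
    "$2b$": "blowfish",
    "$2y$": "blowfish",
    "$5$": "sha256",   # newer than the three schemes SLES 10 offers; listed so
    "$6$": "sha512",   # the audit still works on later systems
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# DES truncates the password to 8 characters and has a 12-bit salt; MD5-crypt
# runs a fixed, small number of rounds. Both are cheap to brute-force today.
SEVERITY = {
    "empty": "critical",   # no password at all: login without authentication
    "des": "high",
    "md5": "medium",
    "unknown": "medium",   # unrecognised format: inspect by hand
    "blowfish": "ok",
    "sha256": "ok",
    "sha512": "ok",
    "locked": "ok",
}


def classify_hash(field):
    """Return the scheme name for one shadow password field."""
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"          # "!" or "!<hash>": account locked by passwd -l
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_shadow(text):
    """Parse shadow-format text and return [(user, scheme, severity), ...]."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # malformed line; shadow has 9 fields
        scheme = classify_hash(fields[1])
        findings.append((fields[0], scheme, SEVERITY[scheme]))
    return findings


def weak_accounts(text):
    """Names of accounts whose password field needs attention."""
    return [user for user, _, sev in audit_shadow(text) if sev != "ok"]


# Constructed sample: one account per scheme plus a locked and an empty one.
SAMPLE_SHADOW = """\
root:$2a$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0:14000:0:99999:7:::
legacy:abJnggxhB/yWI:13500:0:99999:7:::
webadmin:$1$saltsalt$abcdefghijklmnopqrstuv:13800:0:99999:7:::
svc:!:14000:0:99999:7:::
guest::14000:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real system, run as root: audit_shadow(open("/etc/shadow").read())
    for user, scheme, severity in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:<10} {scheme:<9} {severity}")
```

Run it as root against the real file and expire (passwd -e) or re-set the accounts it reports as des or md5; an empty field must be fixed immediately, since it lets anyone log in as that user.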
  • Page 56 Token Ring). The YaST dialog simply displays the interface with its settings as already configured. Just confirm this dialog to continue. By default, Traditional Method without NetworkManager Applet is enabled. If desired, you can also use NetworkManager to manage all your network devices. However, the traditional method is the preferred option for server solutions.
  • Page 57: Novell Customer Center

    These steps can be performed any time after the system has been initially configured. 3.14.4 Novell Customer Center Configuration To get technical support and product updates, first register and activate your product. Novell Customer Center Configuration provides assistance for doing so. Installation with YaST...
  • Page 58: Online Update

    .com/support/products/linuxenterpriseserver/. 3.14.5 Online Update If the Novell Customer Center Configuration was successful, select whether to perform a YaST online update. If there are any patched packages available on the servers, download and install them now to fix known bugs or security issues. Directives on how to perform an online update in the installed system are available at Section 8.3.5, “YaST...
  • Page 59: Network Services

    3.14.6 Network Services Having configured the network, a dialog opens in which to enable and configure two important network services: a certificate authority and an OpenLDAP server. If preferred, you can skip this configuration proposal for now. After the installation is finished, configure and start the same services with the help of YaST.
  • Page 60 Find details about LDAP and its configuration with YaST in Chapter 36, LDAP—A Directory Service (page 663). TIP: Resetting the Service Configuration to Defaults Restore the defaults by clicking Change > Reset to Defaults. This discards any changes made. 3.14.7 Users If network access was configured successfully during the previous steps of the installa- tion, you can now choose from several user management options.
  • Page 61: Release Notes

    Windows Domain SMB authentication is often used in mixed Linux and Windows networks. Detailed information is available in Section 37.6, “Samba Server in the Network with Active Directory” (page 709). NOTE: Content of the Authentication Menu If you use the custom package selection and one or more authentication methods are missing from the menu, the required packages probably are not installed.
  • Page 62: Graphical Login

    You can skip any peripheral devices and configure them later, as described in Section 8.4, “Hardware” (page 146) . To skip the configuration, select Skip Configuration and click Next. However, you should configure the graphics card right away. Although the display settings as configured by YaST should be generally acceptable, most users have very strong preferences as far as resolution, color depth, and other graphics features are concerned.
  • Page 63 login on your screen in which to enter a username and password to log in to the system. If automatic login is activated, the desktop starts automatically. Installation with YaST...
  • Page 65: Remote Installation

    Remote Installation SUSE Linux Enterprise® can be installed in several different ways. As well as the usual media installation covered in Chapter 3, Installation with YaST (page 17), you can choose from various network-based approaches or even take a completely hands-off approach to the installation of SUSE Linux Enterprise.
  • Page 66 IMPORTANT The configuration of the X Window System is not part of any remote installation process. After the installation has finished, log in to the target system as root, enter telinit 3, and start SaX2 to configure the graphics hardware. 4.1.1 Simple Remote Installation via VNC—Static Network Configuration This type of installation still requires some degree of physical access to the target system...
  • Page 67 2 Boot the target system using the first CD or DVD of the SUSE Linux Enterprise media kit. 3 When the boot screen of the target system appears, use the boot options prompt to set the appropriate VNC options and the address of the installation source. This is described in detail in Section 4.4, “Booting the Target System for Installation”...
  • Page 68 • Controlling system with working network connection and VNC viewer software or Java-enabled browser (Firefox, Konqueror, Internet Explorer, or Opera) • Physical boot medium (CD, DVD, or custom boot disk) for booting the target system • Running DHCP server providing IP addresses To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server...
  • Page 69 4.1.3 Remote Installation via VNC—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. User interaction is only needed for the actual installation. This approach is suitable for cross-site deployments. To perform this type of installation, make sure that the following requirements are met: •...
  • Page 70 5 Initiate the boot process of the target system using Wake on LAN. This is de- scribed in Section 4.3.7, “Wake on LAN” (page 75). 6 On the controlling workstation, open a VNC viewing application or Web browser and connect to the target system as described in Section 4.5.1, “VNC Installation”...
  • Page 71 To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server Holding the Installation Sources” (page 56). Choose an NFS, HTTP, or FTP network server. For an SMB installation source, refer to Section 4.2.5, “Managing an SMB Installation Source”...
  • Page 72 For this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection • Target system with working network connection • Controlling system with working network connection and working SSH client software •...
  • Page 73 4.1.6 Remote Installation via SSH—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. To perform this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection •...
  • Page 74: Setting Up The Server Holding The Installation Sources

    6 On the controlling workstation, start an SSH client and connect to the target system as described in Section 4.5.2, “SSH Installation” (page 83). 7 Perform the installation as described in Chapter 3, Installation with YaST (page 17). Reconnect to the target system after it reboots for the final part of the installation.
  • Page 75 3 Select the server type (HTTP, FTP, or NFS). The selected server service is started automatically every time the system starts. If a service of the selected type is already running on your system and you want to configure it manually for the server, deactivate the automatic configuration of the server service with Do Not Configure Any Network Services.
  • Page 76 Consider announcing your installation source via OpenSLP if your network setup supports this option. This saves you from entering the network installation path on every target machine. The target systems are just booted using the SLP boot option and find the network installation source without any further configuration. Keep in mind that SLP discovery is an unauthenticated multicast query that any host on the network can answer, so a rogue machine could advertise itself as the installation source and serve modified packages to every target. Use SLP discovery only on a network you control; elsewhere, pass the installation source explicitly with the install= boot option.
  • Page 77 To create a directory holding the installation data, proceed as follows: 1 Log in as root. 2 Create a directory that should later hold all installation data and change into this directory. For example:
    mkdir install/product/productversion
    cd install/product/productversion
    Replace product with an abbreviation of the product name and productversion with a string that contains the product name and version.
  • Page 78 5 Select Add Host and enter the hostnames of the machines to which to export the installation data. Instead of specifying hostnames here, you could also use wild cards, ranges of network addresses, or just the domain name of your network. Enter the appropriate export options or leave the default, which works fine in most setups.
  • Page 79 3 Create a configuration file called install.suse.nfs.reg containing the following lines:
    # Register the NFS Installation Server
    service:install.suse:nfs://$HOSTNAME/path_to_instsource/CD1,en,65535
    description=NFS Installation Source
    Replace path_to_instsource with the actual path to the installation source on your server. 4 Save this configuration file and start the OpenSLP daemon with rcslpd start. For more information about OpenSLP, refer to the package documentation located under /usr/share/doc/packages/openslp/ or refer to Chapter 31, SLP Services...
  • Page 80 2d Mount the contents of the installation repository into the change root envi- ronment of the FTP server: mount --bind path_to_instsource /srv/ftp/instsource Replace path_to_instsource and instsource with values matching your setup. If you need to make this permanent, add it to /etc/fstab. 2e Start vsftpd with vsftpd.
  • Page 81 2 Configure the HTTP server to distribute the contents of your installation directory: 2a Install the Web server Apache as described in Section 40.1.2, “Installation” (page 742). 2b Enter the root directory of the HTTP server (/srv/www/htdocs) and create a subdirectory that will hold the installation sources: mkdir instsource Replace instsource with the product name.
  • Page 82 3b Save this configuration file and start the OpenSLP daemon using rcslpd restart. 4.2.5 Managing an SMB Installation Source Using SMB, you can import the installation sources from a Microsoft Windows server and start your Linux deployment even with no Linux machine around. To set up an exported Windows Share holding your SUSE Linux Enterprise installation sources, proceed as follows: 1 Log in to your Windows machine.
  • Page 83 4.2.6 Using ISO Images of the Installation Media on the Server Instead of copying physical media into your server directory manually, you can also mount the ISO images of the installation media into your installation server and use them as installation source. To set up an HTTP, NFS or FTP server that uses ISO images instead of media copies, proceed as follows: 1 Download the ISO images and save them to the machine to use as the installation server.
  • Page 84: Preparing The Boot Of The Target System

    4.3 Preparing the Boot of the Target System This section covers the configuration tasks needed in complex boot scenarios. It contains ready-to-apply configuration examples for DHCP, PXE boot, TFTP, and Wake on LAN. 4.3.1 Setting Up a DHCP Server There are two ways to set up a DHCP server. For SUSE Linux Enterprise Server 9 and higher, YaST provides a graphical interface to the process.
  • Page 85 8 Add another option (next-server) and set its value to the address of the TFTP server. 9 Select OK and Finish to complete the DHCP server configuration. To configure DHCP to provide a static IP address to a specific host, enter the Expert Settings of the DHCP server configuration module (Step 4 (page 66)) and add a new...
  • Page 86: Setting Up A Tftp Server

    group {
      # PXE related stuff
      # "next-server" defines the tftp server that will be used
      next-server ip_tftp_server;
      # "filename" specifies the pxelinux image on the tftp server
      # the server runs in chroot under /srv/tftpboot
      filename "pxelinux.0";
      host test {
        hardware ethernet mac_address;...
  • Page 87 5 Click Browse to browse for the boot image directory. The default directory /tftpboot is created and selected automatically. 6 Click Finish to apply your settings and start the server. Setting Up a TFTP Server Manually 1 Log in as root and install the packages tftp and xinetd. 2 If unavailable, create /srv/tftpboot and /srv/tftpboot/pxelinux.cfg directories.
  • Page 88 4.3.3 Using PXE Boot Some technical background information as well as PXE's complete specifications are available in the Preboot Execution Environment (PXE) Specification (http://www.pix.net/software/pxeboot/archive/pxespec.pdf). 1 Change to the directory of your installation repository and copy the linux, initrd, message, and memtest files to the /srv/tftpboot directory by entering the following:
    cp -a boot/loader/linux boot/loader/initrd boot/loader/message boot/loader/memtest /srv/tftpboot
  • Page 89 netdevice=interface This entry defines the client's network interface that must be used for the network installation. It is only necessary if the client is equipped with several network cards and must be adapted accordingly. In case of a single network card, this entry can be omitted.
  • Page 90
    label apic
      kernel linux
      append initrd=initrd ramdisk_size=65536 apic insmod=e100 \
        install=nfs://ip_instserver/path_instsource/product/CD1
    # manual
    label manual
      kernel linux
      append initrd=initrd ramdisk_size=65536 manual=1
    # rescue
    label rescue
      kernel linux
      append initrd=initrd ramdisk_size=65536 rescue=1
    # memory test
    label memtest
      kernel memtest
    # hard disk
    label harddisk
      localboot 0
    implicit...
  • Page 91 If no configuration file is present or no DEFAULT entry is present in the configu- ration file, the default is the kernel name “linux” with no options. APPEND options... Add one or more options to the kernel command line. These are added for both automatic and manual boots.
  • Page 92 LOCALBOOT type On PXELINUX, specifying LOCALBOOT 0 instead of a KERNEL option means invoking this particular label and causes a local disk boot instead of a kernel boot. Argument / Description: perform a normal boot; perform a local boot with the Universal Network Driver Interface (UNDI) driver still resident in memory; perform a local boot with the entire PXE...
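The pxelinux.cfg/default file described above is handed out by TFTP to any client that asks, so everything in it is effectively public on the installation network. The Python 3 script below is an added example, not part of the manual or of SUSE's tooling: it parses such a file (including the backslash continuations the manual uses), and reports a missing or dangling DEFAULT, a label with neither KERNEL nor LOCALBOOT, an install= source whose scheme is not one of those this chapter lists (nfs, http, ftp, smb) or slp, and the linuxrc options vncpassword= and sshpassword= left in clear text. Those two options are real linuxrc parameters for the VNC and SSH installation modes even though they fall outside this excerpt. SAMPLE_CFG reproduces the manual's labels and adds a constructed vncinstall label; ip_instserver, inst.example.com and the password are placeholders.

```python
"""Parse and audit a pxelinux.cfg/default file.

Added example; not part of the manual or of SUSE's tooling. SAMPLE_CFG repeats
the manual's labels and adds a constructed "vncinstall" label; ip_instserver,
inst.example.com and the password are placeholders.
"""
from urllib.parse import urlsplit

# Install sources the chapter's boot option tables list, plus SLP discovery.
ALLOWED_SCHEMES = {"nfs", "http", "ftp", "smb", "slp"}
# linuxrc options that carry a secret; TFTP serves the file to any client.
SECRET_OPTS = ("vncpassword", "sshpassword")


def _logical_lines(text):
    """Yield lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_pxelinux(text):
    """Return (globals, labels): globals holds directives seen before the first
    LABEL, labels maps each label name to its directives, in file order."""
    globals_, labels, current = {}, {}, None
    for line in _logical_lines(text):
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "label":
            current = value
            labels[current] = {}
        elif current is None:
            globals_[key] = value
        else:
            labels[current][key] = value
    return globals_, labels


def audit_pxelinux(text):
    """Return [(label, problem), ...]; "-" stands for the global section."""
    findings = []
    globals_, labels = parse_pxelinux(text)
    default = globals_.get("default")
    if default is None:
        findings.append(("-", "no DEFAULT directive: unattended boots fall back "
                              "to the kernel 'linux' with no options"))
    elif default not in labels:
        findings.append(("-", f"DEFAULT names unknown label {default!r}"))
    for name, entry in labels.items():
        if "kernel" not in entry and "localboot" not in entry:
            findings.append((name, "label has neither KERNEL nor LOCALBOOT"))
        # APPEND is a space-separated list of key=value (or bare) options.
        opts = dict(o.partition("=")[::2] for o in entry.get("append", "").split())
        src = opts.get("install")
        if src is not None:
            scheme = urlsplit(src).scheme or src      # "install=slp" has no "://"
            if scheme not in ALLOWED_SCHEMES:
                findings.append((name, f"install= uses unknown scheme {scheme!r}"))
        for opt in SECRET_OPTS:
            if opt in opts:
                findings.append((name, f"{opt}= is stored in clear text in a TFTP-served file"))
    return findings


# The manual's labels plus a constructed hands-off VNC label (placeholders).
SAMPLE_CFG = """\
default harddisk
# install
label apic
  kernel linux
  append initrd=initrd ramdisk_size=65536 apic insmod=e100 \\
    install=nfs://ip_instserver/path_instsource/product/CD1
# manual
label manual
  kernel linux
  append initrd=initrd ramdisk_size=65536 manual=1
# rescue
label rescue
  kernel linux
  append initrd=initrd ramdisk_size=65536 rescue=1
# memory test
label memtest
  kernel memtest
# hard disk
label harddisk
  localboot 0
# constructed: VNC install with the password written into the file
label vncinstall
  kernel linux
  append initrd=initrd ramdisk_size=65536 vnc=1 vncpassword=s3cret \\
    install=ftp://inst.example.com/sles10/CD1
"""

if __name__ == "__main__":
    for label, problem in audit_pxelinux(SAMPLE_CFG):
        print(f"{label}: {problem}")
```

Point it at /srv/tftpboot/pxelinux.cfg/default on the TFTP server; if it reports a clear-text password, remove that label once the deployment is done, and treat the installation VLAN as hostile while it exists.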
  • Page 93: Wake On Lan

    F10 can be also entered as F0 . Note that there is currently no way to bind filenames to F11 and F12 . 4.3.5 Preparing the Target System for PXE Boot Prepare the system's BIOS for PXE boot by including the PXE option in the BIOS boot order.
  • Page 94: Booting The Target System For Installation

    Users of SUSE Linux Enterprise Server 9 and higher can use a YaST module called WOL to easily configure Wake on LAN. Users of other versions of SUSE Linux-based operating systems can use a command line tool. 4.3.8 Wake on LAN with YaST 1 Log in as root.
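Whether it is sent by the YaST WOL module or by a command-line tool, a Wake on LAN request is the same thing on the wire: a broadcast UDP datagram carrying the "magic packet", six 0xFF bytes followed by the target's MAC address repeated sixteen times. The Python 3 script below is an added example, not SUSE tooling, that builds, sends and recognises such packets; the MAC address in it is constructed. Because the packet carries no authentication, any host able to send a broadcast on the segment can power the machine on and trigger the PXE installation, which is one more reason to keep the installation network isolated.

```python
"""Build, send and recognise Wake on LAN magic packets.

Added example; not SUSE's WOL tooling. The MAC address used in __main__ is a
constructed placeholder.
"""
import re
import socket

SYNC = b"\xff" * 6      # synchronisation stream that opens every magic packet


def magic_packet(mac):
    """Return the 102-byte payload: 6 x 0xFF then the MAC address 16 times."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)     # accept 00:11:..., 00-11-..., 0011...
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return SYNC + bytes.fromhex(digits) * 16


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet as UDP; port 9 (discard) is the convention.

    Returns the number of bytes sent. Needs SO_BROADCAST, which is why the
    YaST module and wol(1) run as root."""
    payload = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (broadcast, port))


def is_magic_packet(data):
    """True if data is a well-formed magic packet (e.g. from a packet capture).

    Extra trailing bytes are allowed: some NICs append a 6-byte SecureOn
    password, the only authentication the protocol offers."""
    if len(data) < 102 or data[:6] != SYNC:
        return False
    mac = data[6:12]
    return data[6:102] == mac * 16


def target_mac(data):
    """Dotted MAC of a magic packet, or None if data is not one."""
    if not is_magic_packet(data):
        return None
    return ":".join(f"{b:02x}" for b in data[6:12])


if __name__ == "__main__":
    try:
        print("sent", send_wol("00:11:22:33:44:55"), "bytes")  # placeholder MAC
    except OSError as exc:
        print("could not broadcast:", exc)
```

The target NIC must have WOL enabled (ethtool -s eth0 wol g on Linux, and the corresponding BIOS option) and the packet must reach its broadcast domain; routed networks need a directed broadcast or a relay host on the target's segment.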
  • Page 95 4.4.1 Using the Default Boot Options The boot options are described in detail in Chapter 3, Installation with YaST (page 17). Generally, just selecting Installation starts the installation boot process. If problems occur, use Installation—ACPI Disabled or Installation—Safe Settings. For more information about troubleshooting the installation process, refer to Section 51.2, “Installation Problems”...
  • Page 96
    Purpose: Select the installation source
      Available Options: CD-ROM or DVD; SLP; FTP; HTTP; NFS; SMB; Hard Disk
      Default Value: CD-ROM or DVD
    Purpose: Apply driver update
      Available Options: Driver disk
      Default Value: None
    4.4.3 Using Custom Boot Options Using the appropriate set of boot options helps facilitate your installation procedure.
  • Page 97 Table 4.2 Installation (Boot) Scenarios Used in This Chapter
    Installation Scenario                                 Parameters Needed for Booting            Boot Options
    Chapter 3, Installation with YaST (page 17)           None: system boots automatically         None needed
    Section 4.1.1, “Simple Remote Installation via ...    • Location of the installation server    • install=(nfs,http,ftp,smb):///path...
  • Page 98
    Installation Scenario                                 Parameters Needed for Booting            Boot Options
    Section 4.1.4, “Simple Remote Installation via        • Location of the installation server    • install=(nfs,http,ftp,smb):///path_to_instmedia
    SSH—Static Network Configuration” (page 52)           • Network device                         • netdevice=some_netdevice (only need-...
                                                          • IP address
                                                          • Netmask
                                                          • ...
  • Page 99: Monitoring The Installation Process

    TIP: More Information about linuxrc Boot Options Find more information about the linuxrc boot options used for booting a Linux system in /usr/share/doc/packages/linuxrc/linuxrc.html. 4.5 Monitoring the Installation Process There are several options for remotely monitoring the installation process. If the proper boot options have been specified while booting for installation, either VNC or SSH can be used to control the installation and system configuration from a remote workstation.
  • Page 100 1 Start the KDE file and Web browser Konqueror. 2 Enter service://yast.installation.suse in the location bar. The target system then appears as an icon in the Konqueror screen. Clicking this icon launches the KDE VNC viewer in which to perform the installation. Alternatively, run your VNC viewer software with the IP address provided and add :1 at the end of the IP address for the display the installation is running on.
  • Page 101 1 Launch your preferred Web browser. 2 Enter the following at the address prompt: http://ip_address_of_target:5801 3 Enter your VNC password when prompted to do so. The browser window now displays the YaST screens as in a normal local installation. 4.5.2 SSH Installation Using SSH, you can remotely control the installation of your Linux machine using any SSH client software.
  • Page 102 4 When prompted for the password, enter the password that has been set with the SSH boot option. After you have successfully authenticated, a command line prompt for the installation target appears. 5 Enter yast to launch the installation program. A window opens showing the normal YaST screens as described in Chapter 3, Installation with YaST (page 17).
  • Page 103: Automated Installation

    Automated Installation AutoYaST allows you to install SUSE® Linux Enterprise on a large number of machines in parallel. The AutoYaST technology offers great flexibility to adjust deployments to heterogeneous hardware. This chapter tells you how to prepare a simple automated installation and lay out an advanced scenario involving different hardware types and installation purposes.
  • Page 104 4 Determine and set up the boot scenario for autoinstallation as described in Section 5.1.4, “Setting Up the Boot Scenario” (page 91). 5 Pass the command line to the installation routines by adding the parameters manually or by creating an info file as described in Section 5.1.5, “Creating File”...
  • Page 105 3 Select Tools > Create Reference Control File to prepare AutoYaST to mirror the current system configuration into an AutoYaST profile. 4 As well as the default resources, like boot loader, partitioning, and software selection, you can add various other aspects of your system to the profile by checking the items in the list in Create a Reference Control File.
  • Page 106 Figure 5.1 Editing an AutoYaST Profile with the AutoYaST Front-End 5.1.2 Distributing the Profile and Determining the autoyast Parameter The AutoYaST profile can be distributed in several different ways. Depending on the protocol used to distribute the profile data, different AutoYaST parameters are used to make the profile location known to the installation routines on the client.
  • Page 107
    Profile Location   Parameter                  Description
    Device             autoyast=device:///path    Makes the installation routines look for the control file on a storage device. Only the device name is needed: /dev/sda1 is wrong, use sda1 instead.
    Floppy             autoyast=floppy:///path    Makes the installation routines look for the control file on a floppy in the floppy drive.
  • Page 108 AutoYaST includes a feature that allows binding certain profiles to the client's MAC address. Without having to alter the autoyast= parameter, you can have the same setup install several different instances using different profiles. To use this, proceed as follows: 1 Create separate profiles with the MAC address of the client as the filename and put them on the HTTP server that holds your AutoYaST profiles.
  • Page 109 5.1.3 Providing the Installation Data The installation data can be provided by means of the product CDs or DVDs or using a network installation source. If the product CDs are used as the installation source, physical access to the client to install is needed, because the boot process needs to be initiated manually and the CDs need to be changed.
  • Page 110
    default linux
    # default
    label linux
      kernel linux
      append initrd=initrd ramdisk_size=65536 insmod=e100 \
        install=http://192.168.0.22/install/suse-enterprise/
    The same example for autoinstallation looks like this:
    default linux
    # default
    label linux
      kernel linux
      append initrd=initrd ramdisk_size=65536 insmod=e100 \
        install=http://192.168.0.22/install/suse-enterprise/ \
        autoyast=nfs://192.168.0.23/profiles/autoinst.xml
    Replace the example IP addresses and paths with the data used in your setup. Preparing to Boot from CD-ROM There are several ways in which booting from CD-ROM can come into play in AutoYaST installations.
  • Page 111 Access to the boot prompt of the system to install where you manually enter the autoyast= parameter Boot and Install from SUSE Linux Enterprise Media, Get the Profile from a Floppy Use this approach if an entirely network-based installation scenario would not work.
  • Page 112 The following parameters are commonly used for linuxrc. For more information, refer to the AutoYaST package documentation under /usr/share/doc/packages/ autoyast. IMPORTANT: Separating Parameters and Values When passing parameters to linuxrc at the boot prompt, use = to separate parameter and value. When using an info file, separate parameter and value with :.
  • Page 113 If your autoinstallation scenario involves client configuration via DHCP and a network installation source and you want to monitor the installation process using VNC, your info file would look like this:
    autoyast:profile_source
    install:install_source
    vnc:1
    vncpassword:some_password
    If you prefer a static network setup at installation time, your info file would look like the following:
    autoyast:profile_source \
    install:install_source \
    ...
  • Page 114
        vnc: 1
        vncpassword: test
        autoyast: file:///info
        # end_linuxrc_conf
        # Do not remove the above comment
        ]]>
      </info_file>
    </init>
    ...
    </install>
    ...
    linuxrc loads the profile containing the boot parameters instead of the traditional info file. The install: parameter points to the location of the installation sources. vnc and vncpassword indicate the use of VNC for installation monitoring.
  • Page 115: Rule-Based Autoinstallation

    5.2 Rule-Based Autoinstallation The following sections introduce the basic concept of rule-based installation using AutoYaST and provide an example scenario that enables you to create your own custom autoinstallation setup. 5.2.1 Understanding Rule-Based Autoinstallation Rule-based AutoYaST installation allows you to cope with heterogeneous hardware environments: •...
  • Page 116 • Create custom rules by running shell scripts and passing their output to the AutoYaST framework. The number of custom rules is limited to five. NOTE For more information about rule creation and usage with AutoYaST, refer to the package's documentation under /usr/share/doc/packages/ autoyast2/html/index.html, Chapter Rules and Classes.
  • Page 117 5.2.2 Example Scenario for Rule-Based Autoinstallation To get a basic understanding of how rules are created, think of the following example, depicted in Figure 5.2, “AutoYaST Rules” (page 100). One run of AutoYaST installs the following setup: A Print Server This machine just needs a minimal installation without a desktop environment and a limited set of software packages.
  • Page 118 Figure 5.2 AutoYaST Rules [figure: the AutoYaST directory holds a rules.xml file with Rule 1, Rule 2 and Rule 3, which select the Engineering Department Computers profile (Eng. Profile), the Sales Department Laptops profile (Sales Profile) and the Print Server Profile; a merge process produces the profile applied to each machine] In a first step, use one of the methods outlined in Section 5.1.1, “Creating an AutoYaST Profile”...
  • Page 119 In the second step, create rules to distinguish the three hardware types from one another and to tell AutoYaST which profile to use. Use an algorithm similar to the following to set up the rules: 1. Does the machine have an IP of 192.168.27.11? Then make it the print server. 2.
  • Page 120: For More Information

          <operator>and</operator>
        </rule>
        <rule>
          <haspcmcia>
            <match>0</match>
            <match_type>exact</match_type>
          </haspcmcia>
          <result>
            <profile>engineering.xml</profile>
            <continue config:type="boolean">false</continue>
          </result>
        </rule>
      </rules>
    </autoinstall>
    When distributing the rules file, make sure that the rules directory resides under the profiles directory specified in the autoyast=protocol:serverip/profiles/ URL. AutoYaST looks for a rules subdirectory containing a file named rules.xml first then loads and merges the profiles specified in the rules file.
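How AutoYaST walks a rules.xml like the one above, as an added example that is not part of the manual or of AutoYaST itself: the rules are evaluated in file order, every matching rule adds its profile to the merge, and a rule whose continue element is false ends the evaluation. The script encodes a rule set as a small table and evaluates it against one client's facts, which are constructed and passed in as the variables ARCH, HOSTADDRESS and HASPCMCIA. The print server rule (hostaddress 192.168.27.11) and the engineering rule (haspcmcia 0, profile engineering.xml) follow the page's scenario; the sales rule on haspcmcia 1, the leading arch rule with continue true, and the profile names base-i386.xml, printserver.xml and sales.xml are assumptions added to show merging. The match types exact, range and regex are the ones AutoYaST defines; others are treated as no match.

```shell
#!/bin/sh
# Added example: evaluate an AutoYaST-style rule table for one client.
# Not AutoYaST's own code; the rule table is partly assumed (see lead-in).

# Rule table, one rule per line: attribute|match|match_type|profile|continue
autoyast_rules() {
    cat <<'EOF'
arch|i386|exact|base-i386.xml|true
hostaddress|192.168.27.11|exact|printserver.xml|false
haspcmcia|1|exact|sales.xml|false
haspcmcia|0|exact|engineering.xml|false
EOF
}

# Client facts come from the environment; unknown attributes yield an empty value.
# A case statement is used instead of eval so that attribute names taken from a
# rules file can never be executed as shell code.
fact() {
    case $1 in
        arch)        echo "$ARCH" ;;
        hostaddress) echo "$HOSTADDRESS" ;;
        haspcmcia)   echo "$HASPCMCIA" ;;
        *)           echo "" ;;
    esac
}

# Return 0 when fact value $1 satisfies match $2 under match_type $3.
rule_matches() {
    case $3 in
        exact) [ "$1" = "$2" ] ;;
        range) lo=${2%-*}; hi=${2#*-}; [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] ;;
        regex) printf '%s\n' "$1" | grep -Eq "$2" ;;
        *)     return 1 ;;
    esac
}

# Print the profiles to merge, in rule order; stop after a rule with continue=false.
# Usage: ARCH=i386 HOSTADDRESS=192.168.27.50 HASPCMCIA=0 autoyast_select
autoyast_select() {
    autoyast_rules | while IFS='|' read -r attr want type profile cont; do
        rule_matches "$(fact "$attr")" "$want" "$type" || continue
        echo "$profile"
        if [ "$cont" = "false" ]; then
            break
        fi
    done
    return 0
}

# Demo: an engineering desktop picks up the base profile and then its own.
ARCH=i386 HOSTADDRESS=192.168.27.50 HASPCMCIA=0 autoyast_select
```

Because evaluation stops at the first rule with continue false, the order of the rows matters: the print server row must precede the haspcmcia rows or the print server, which also has no PCMCIA slot, would be installed as an engineering workstation.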
  • Page 121: Deploying Customized Preinstallations

    Deploying Customized Preinstallations Rolling out customized preinstallations of SUSE Linux Enterprise to a large number of identical machines spares you from installing each one of them separately and provides a standardized installation experience for the end users. With YaST firstboot, create customized preinstallation images and determine the workflow for the final personalization steps that involve end user interaction.
  • Page 122: Preparing The Master Machine

    6.1 Preparing the Master Machine To prepare a master machine for a firstboot workflow, proceed as follows: 1 Insert the installation media into the master machine. 2 Boot the machine. 3 Perform a normal installation including all necessary configuration steps and wait for the installed machine to boot.
  • Page 123 • Customizing messages to the user as described in Section 6.2.1, “Customizing YaST Messages” (page 105). • Customizing licenses and license actions as described in Section 6.2.2, “Customizing the License Action” (page 106). • Customizing the release notes to display as described in Section 6.2.3, “Customizing the Release Notes”...
  • Page 124 2a Set FIRSTBOOT_WELCOME_DIR to the directory path where you want to store the files containing the welcome message and the localized versions, for example: FIRSTBOOT_WELCOME_DIR="/usr/share/firstboot/" 2b If your welcome message has filenames other than welcome.txt and welcome_locale.txt (where locale matches the ISO 639 language codes such as “cs”...
  • Page 125 6.2.3 Customizing the Release Notes Depending on whether you have changed the instance of SUSE Linux Enterprise you are deploying with firstboot, you probably need to educate the end users about important aspects of their new operating system. A standard installation uses release notes, displayed during one of the final stages of the installation, to provide important information to the users.
  • Page 126 • User Authentication Method • User Management • Hardware Configuration • Finish Setup This standard layout of a firstboot installation workflow is not mandatory. You can enable or disable certain components or hook your own modules into the workflow. To modify the firstboot workflow, manually edit the firstboot configuration file /etc/ YaST2/firstboot.xml.
  • Page 127 The stage of the installation process at which this proposal is invoked. Do not make any changes here. For a firstboot installation, this must be set to firstboot. The label to be displayed on the proposal. The container for all modules that are part of the proposal screen. One or more modules that are part of the proposal screen.
  • Page 128 archs Specify the hardware architectures on which this workflow should be used. Example 6.3 Configuring the List of Workflow Components
    <modules config:type="list">
      <module>
        <label>Language</label>
        <enabled config:type="boolean">false</enabled>
        <name>firstboot_language</name>
      </module>
    </modules>
    The container for all components of the workflow. The module definition. The label displayed with the module.
  • Page 129 3 Apply your changes and close the configuration file. You can always change the workflow of the configuration steps when the default does not meet your needs. Enable or disable certain modules in the workflow or add your own custom ones. To toggle the status of a module in the firstboot workflow, proceed as follows: 1 Open the /etc/YaST2/firstboot.xml configuration file.
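Toggling one module's enabled flag in /etc/YaST2/firstboot.xml from a script rather than in an editor, as an added example that is not part of the manual or of YaST: the function rewrites only the enabled element inside the module block whose name element matches, leaving every other module and the rest of the file as it was. It prints the result instead of editing in place, so the original is kept until the output has been checked. The sample firstboot.xml is constructed from Example 6.3 with a second, assumed module named firstboot_welcome; the real file shipped with the product is larger.

```shell
#!/bin/sh
# Added example: enable or disable one firstboot workflow module by name.
# Not YaST's own tooling; operates on a constructed sample of firstboot.xml.

# Minimal firstboot.xml modelled on Example 6.3 (constructed sample).
sample_firstboot_xml() {
    cat <<'EOF'
<modules config:type="list">
  <module>
    <label>Language</label>
    <enabled config:type="boolean">false</enabled>
    <name>firstboot_language</name>
  </module>
  <module>
    <label>Welcome</label>
    <enabled config:type="boolean">true</enabled>
    <name>firstboot_welcome</name>
  </module>
</modules>
EOF
}

# $1: firstboot.xml path, $2: module name, $3: true or false.
# Writes the modified document to stdout; nothing is changed in place.
firstboot_set_module() {
    awk -v name="$2" -v state="$3" '
        /<module>/ { inmod = 1; hit = 0; buf = "" }
        inmod {
            buf = buf $0 "\n"                       # buffer the whole module block
            if ($0 ~ ("<name>" name "</name>")) hit = 1
            if ($0 ~ /<\/module>/) {
                if (hit) sub(/<enabled config:type="boolean">[a-z]*<\/enabled>/,
                             "<enabled config:type=\"boolean\">" state "</enabled>", buf)
                printf "%s", buf
                inmod = 0
            }
            next
        }
        { print }                                   # everything outside module blocks
    ' "$1"
}

# $1: firstboot.xml path, $2: module name. Prints true, false, or nothing if absent.
firstboot_module_state() {
    awk -v name="$2" '
        /<module>/ { en = "" }
        /<enabled/ && match($0, />[a-z]+</) { en = substr($0, RSTART + 1, RLENGTH - 2) }
        $0 ~ ("<name>" name "</name>") { print en; exit }
    ' "$1"
}

# Demo on the constructed sample: enable the language step.
sample_firstboot_xml > /tmp/firstboot-sample.xml
firstboot_set_module /tmp/firstboot-sample.xml firstboot_language true
```

To apply the change on a real system, back up /etc/YaST2/firstboot.xml first, then redirect the output to a new file and move it over the original once firstboot_module_state reports the expected value.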
  • Page 130: Cloning The Master Installation

    TIP: For More Information For more information about YaST development, refer to http://developer.novell.com/wiki/index.php/YaST. 6.2.5 Configuring Additional Scripts firstboot can be configured to execute additional scripts after the firstboot workflow has been completed. To add additional scripts to the firstboot sequence, proceed as...
  • Page 131: Personalizing The Installation

    6.4 Personalizing the Installation As soon as the cloned disk image is booted, firstboot starts and the installation proceeds exactly as laid out in Section 6.2.4, “Customizing the Workflow” (page 107). Only the components included in the firstboot workflow configuration are started. Any other installation steps are skipped.
  • Page 133: Advanced Disk Setup

    Advanced Disk Setup Sophisticated system configurations require particular disk setups. All common partitioning tasks can be done with YaST. To get persistent device naming with block devices, use the block devices below /dev/disk/by-id/. Logical Volume Management (LVM) is a disk partitioning scheme that is designed to be much more flexible than the physical partitioning used in standard setups.
  • Page 134 7.1.1 The Logical Volume Manager The Logical Volume Manager (LVM) enables flexible distribution of hard disk space over several file systems. It was developed because sometimes the need to change the segmentation of hard disk space arises only after the initial partitioning during installation has already been done.
  • Page 135 between different logical volumes need not be aligned with any partition border. See the border between LV 1 and LV 2 in this example. LVM features: • Several hard disks or partitions can be combined in a large logical volume. •...
  • Page 136: Creating Volume Groups

    7.1.2 LVM Configuration with YaST The YaST LVM configuration can be reached from the YaST Expert Partitioner (see Section 8.5.7, “Using the YaST Partitioner” (page 155)). This partitioning tool enables you to edit and delete existing partitions and create new ones that should be used with LVM.
  • Page 137 Configuring Physical Volumes Once a volume group has been created, the following dialog lists all partitions with either the “Linux LVM” or “Linux native” type. No swap or DOS partitions are shown. If a partition is already assigned to a volume group, the name of the volume group is shown in the list.
  • Page 138 Configuring Logical Volumes After the volume group has been filled with physical volumes, define the logical volumes the operating system should use in the next dialog. Set the current volume group in a selection box to the upper left. Next to it, the free space in the current volume group is shown.
  • Page 139 If, for example, only two physical volumes are available, a logical volume with three stripes is impossible. WARNING: Striping YaST cannot verify the correctness of your entries concerning striping at this point. Any mistake made here becomes apparent only later, when the LVM is implemented on disk.
  • Page 140 partitioning. It shows the existing physical volumes and logical volumes in two lists and you can manage your LVM system using the methods already described. 7.1.3 Storage Management with EVMS The Enterprise Volume Management System 2 (EVMS2) is a rich, extensible volume manager with built-in cluster awareness.
  • Page 141: Soft Raid Configuration

    Disks This is the lowest level of device. All devices that may be accessed as a physical disk are treated as disks. Segments Segments consist of partitions and other memory regions on a disk, such as the master boot record (MBR). Containers These are the counterparts of volume groups in LVM.
  • Page 142: Raid Levels

    larger number of hard disks in a more effective way than the IDE protocol and is more suitable for parallel processing of commands. There are some RAID controllers that support IDE or SATA hard disks. Soft RAID provides the advantages of RAID systems without the additional cost of hardware RAID controllers.
  • Page 143 RAID 2 and RAID 3 These are not typical RAID implementations. Level 2 stripes data at the bit level rather than the block level. Level 3 provides byte-level striping with a dedicated parity disk and cannot service simultaneous multiple requests. Both levels are only rarely used.
  • Page 144 optimize the performance of RAID 0. After creating all the partitions to use with RAID, click RAID > Create RAID to start the RAID configuration. In the next dialog, choose between RAID levels 0, 1, and 5 (see Section 7.2.1, “RAID Levels”...
  • Page 145: Troubleshooting

    Figure 7.7 File System Settings As with conventional partitioning, set the file system to use as well as encryption and the mount point for the RAID volume. Checking Persistent Superblock ensures that the RAID partitions are recognized as such when booting. After completing the configuration with Finish, see the /dev/md0 device and others indicated with RAID in the expert partitioner.
  • Page 146 • http://www.novell.com/documentation/sles10/stor_evms/data/bookinfo.html • /usr/share/doc/packages/mdadm/Software-RAID.HOWTO.html • http://en.tldp.org/HOWTO/Software-RAID-HOWTO.html Linux RAID mailing lists are also available, such as http://marc.theaimsgroup.com/?l=linux-raid&r=1&w=2. Installation and Administration...
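A check for degraded software RAID arrays to go with the troubleshooting and further-information pages above, as an added example that is not part of the manual or of the mdadm package: the kernel lists every md device in /proc/mdstat with a [members/active] count and a [UU_] map in which an underscore marks a missing member, so an array whose two numbers differ is running without its redundancy and needs attention before a second disk fails. The /proc/mdstat content below is constructed; on a real system call mdstat_check without an argument.

```shell
#!/bin/sh
# Added example: report md arrays that are missing members, from /proc/mdstat.
# Not part of the mdadm package; the sample status text is constructed.

# Constructed /proc/mdstat sample: md0 healthy, md1 (RAID 5) missing one disk.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1] [raid5]
md0 : active raid1 sdb1[1] sda1[0]
      1048512 blocks [2/2] [UU]

md1 : active raid5 sdd1[1] sdc1[0]
      2097024 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]

unused devices: <none>
EOF
}

# $1: path to an mdstat file (default /proc/mdstat). Prints one line per
# degraded array: "<device> <active> of <members> members active".
mdstat_degraded() {
    awk '
        /^md[0-9]+ :/ { dev = $1; next }               # remember the array name
        dev != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {  # its [members/active] line
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            if (n[1] != n[2]) printf "%s %d of %d members active\n", dev, n[2], n[1]
            dev = ""
        }
    ' "${1:-/proc/mdstat}"
}

# Exit status 1 when any array is degraded, for use from cron or a monitoring check.
mdstat_check() {
    out=$(mdstat_degraded "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on the constructed sample.
sample_mdstat > /tmp/mdstat-sample
mdstat_check /tmp/mdstat-sample
```

A rebuilding array shows the same count mismatch together with a recovery progress line, so the check fires during a resync as well; that is intended, since the array has no redundancy until the resync completes.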
  • Page 147: System Configuration With Yast

    System Configuration with YaST In SUSE Linux Enterprise, YaST handles both the installation and configuration of your system. This chapter describes the configuration of system components (hardware), network access, and security settings, and administration of users. Find a short introduction to the text-based YaST interface in Section 8.12, “YaST in Text Mode”...
  • Page 148: Yast Language

    To start YaST in text mode on another system, use ssh root@<system-to-configure> to open the connection. Then start YaST with yast. To save time, the individual YaST modules can be started directly. To start a module, enter yast2 module_name. View a list of all module names available on your system with yast2 -l or yast2 --list.
  • Page 149 The left frame of most modules displays the help text, which offers suggestions for configuration and explains the required entries. To get help in modules without a help frame, press F1 or choose Help. After selecting the desired settings, complete the procedure by pressing Accept on the last page of the configuration dialog.
  • Page 150: Software

    8.3 Software 8.3.1 Installing and Removing Software To install, uninstall, and update software on your machine, use Software > Software Management. This opens a package manager dialog as shown in Figure 8.2, “YaST Package Manager” (page 132). Figure 8.2 YaST Package Manager In SUSE®...
  • Page 151: Installing Packages

    uation, some of the possible status flags may not be available for selection. For example, a package that has not yet been installed cannot be set to “Delete.” View the available status flags with Help > Symbols. The font color used for various packages in the individual package window provides additional information.
  • Page 152 Click the status box at the beginning of a line to install or uninstall this pattern. Select a status directly by right-clicking the pattern and using the context menu. From the individual package overview to the right, which displays the packages included in the current pattern, select and deselect individual packages.
  • Page 153 Installing Source Packages A package containing the source files for the program is usually available. The sources are not needed for running the program, but you may want to install the sources to compile a custom version of the program. To install sources for a selected program, mark the check box in the Source column.
  • Page 154: Installation Summary

    Searching for Packages, Applications, and Files To find a specific package, use the Search filter. Enter a search string and click Search. By specifying various search criteria, you can restrict the search to display a few or even only one package. You can also define special search patterns using wild cards and regular expressions in Search Mode.
  • Page 155: Disk Usage

    Information about Packages Get information about the selected package with the tabs in the bottom right frame. If another version of the package is available, you get information about both versions. The Description tab with the description of the selected package is automatically active. To view information about package size, version, installation media, and other technical details, select Technical Data.
  • Page 156 If you click Check, located under the information window, the package manager checks if the current package selection results in any unresolved package dependencies or conflicts. In the event of unresolved dependencies, the required additional packages are selected automatically. For package conflicts, the package manager opens a dialog that shows the conflict and offers various options for solving the problem.
  • Page 157 Package Groups. TIP: Creating Custom Add-On Products Create your own add-on products with YaST Add-On Creator. Read about the YaST add-on creator at http://developer.novell.com/wiki/index.php/Creating_Add-On_Media_with_YaST. Find technical background information at http://developer.novell.com/wiki/index.php/Creating_Add-Ons.
  • Page 158: Yast Online Update

    To get technical support and product updates, your system must be registered and activated. If you skipped the registration during installation, register with the help of the Novell Customer Center Configuration module from Software. This dialog is the same as that described in Section 3.14.4, “Novell Customer Center Configuration”...
  • Page 159: Definition Of Terms

    To install updates and improvements with YaST, run Software > Online Update. All new patches (except the optional ones) that are currently available for your system are already marked for installation. Clicking Accept automatically installs these patches. After the installation has completed, confirm with Finish. Your system is now up-to-date.
  • Page 160 Figure 8.4 YaST Online Update The patch display lists the available patches for SUSE Linux Enterprise. The patches are sorted by security relevance. The color of the patch name, as well as a pop-up window under the mouse cursor, indicate the security status of the patch: Security (red), Recommended (blue), or Optional (black).
  • Page 161: Automatic Online Update

    If you install an up-to-date package from a catalog other than the update catalog, the requirements of a patch for this package may be fulfilled with this installation. In this case a check mark is displayed in front of the patch summary. The patch will be visible in the list until you mark it for installation.
  • Page 162: Updating The System

    8.3.7 Updating from a Patch CD NOTE On s390 systems, the Patch CD update option is not available. The Patch CD Update module from the Software section installs patches from CD, not from an FTP server. The advantage lies in a much faster update with CD. After the patch CD is inserted, all patches on the CD are displayed in the dialog.
  • Page 163 Additionally, you can use Delete Outdated Packages to remove packages that do not exist in the new version. By default, this option is preselected to prevent outdated packages from unnecessarily occupying hard disk space. Packages Click Packages to start the package manager and select or deselect individual packages for update.
  • Page 164: Hardware

    In most cases, YaST replaces old versions with new ones without problems. A backup of the existing system should be performed prior to updating to ensure that existing configurations are not lost during the update. Conflicts can then be resolved manually after the update has finished.
  • Page 165 IMPORTANT: Model Designations If your model is not included in the device list, try a model with a similar designation. However, in some cases the model must match exactly, because similar designations do not always indicate compatibility. 8.4.1 Infrared Device Configure an infrared device with Hardware >...
  • Page 166 WARNING: Configuration of the Hard Disk Controller It is advised to test the settings before making them permanent in the system. Incorrect settings can prevent the system from booting. 8.4.5 Hardware Information Display detected hardware and technical data using Hardware > Hardware Information. Click any node of the tree for more information about a device.
  • Page 167 YaST To add a DASD to an installed system, use the YaST DASD module (Hardware > DASD). In the first screen, select the disks to make available to your Linux instal- lation and click Perform Action. Select Activate then leave the dialog with Next. Command Line Issue the following command: dasd_configure 0.0.0150 1 0...
  • Page 168 8.4.9 Joystick Configure a joystick connected to the sound card with Hardware > Joystick. Select your joystick type in the list provided. If your joystick is not listed, select Generic Analog Joystick. After selecting your joystick, make sure that it is connected then click Test to test the functionality.
  • Page 169 To configure your mouse for the text environment, use YaST in text mode. After entering text mode and selecting Hardware > Mouse Model, use the keyboard arrow keys to choose your mouse from the provided list. Then click Accept to save the settings and exit the module.
  • Page 170 2 In Sound Card Configuration, choose the configuration level in the first setup screen: Quick automatic setup You are not required to go through any of the further configuration steps and no sound test is performed. The sound card is configured automatically. Normal setup Adjust the output volume and play a test sound.
  • Page 171: System

    asound.conf and the ALSA configuration data is appended to the end of the files /etc/modprobe.d/sound and /etc/sysconfig/hardware. 8.5 System This group of modules is designed to help you manage your system. All modules in this group are system-related and serve as valuable tools for ensuring that your system runs properly and your data is managed efficiently.
  • Page 172 WARNING: System Restoration Because this module normally installs, replaces, or uninstalls many packages and files, use it only if you have experience with backups. Otherwise you may lose data. 8.5.3 Boot Loader Configuration To configure booting for systems installed on your computer, use the System > Boot Loader module.
  • Page 173: Using The Yast Partitioner

    8.5.7 Using the YaST Partitioner With the expert partitioner, shown in Figure 8.6, “The YaST Partitioner” (page 155), manually modify the partitioning of one or several hard disks. Partitions can be added, deleted, resized, and edited. Also access the soft RAID, EVMS, and LVM configuration from this YaST module.
  • Page 174 All existing or suggested partitions on all connected hard disks are displayed in the list of the YaST Expert Partitioner dialog. Entire hard disks are listed as devices without numbers, such as /dev/hda or /dev/sda (or /dev/dasda). Partitions are listed as parts of these devices, such as /dev/hda1 or /dev/sda1 (or /dev/dasda1, respectively).
  • Page 175: Creating A Partition

    number of logical partitions is 15 on SCSI, SATA, and Firewire disks and 63 on (E)IDE disks. It does not matter which types of partitions are used for Linux. Primary and logical partitions both work fine. TIP: Hard Disks with a GPT Disk Label For architectures using the GPT disk label, the number of primary partitions is not restricted.
  • Page 176 Editing a Partition When you create a new partition or modify an existing partition, set various parameters. For new partitions, suitable parameters are set by YaST and usually do not require any modification. To edit your partition setup manually, proceed as follows: 1 Select the partition.
  • Page 177 Mount Point Specify the directory at which the partition should be mounted in the file system tree. Select from various YaST proposals or enter any other name. 3 Select OK > Apply to activate the partition. Expert Options Expert opens a menu containing the following commands: Reread Partition Table Rereads the partitioning from disk.
  • Page 178 Example 8.1 /etc/fstab: Partition Data
    /dev/sda1 /data1 auto noauto,user 0 0
    /dev/sda5 /data2 auto noauto,user 0 0
    /dev/sda6 /data3 auto noauto,user 0 0
    The partitions, regardless of whether they are Linux or FAT partitions, are specified with the options noauto and user. This allows any user to mount or unmount these partitions as needed.
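An audit of the user-mountable entries in an fstab, as an added example that is not part of the manual: the user (and users) option on a line like those in Example 8.1 lets any user mount the file system, and for that reason mount(8) makes it imply noexec, nosuid and nodev unless a later option on the same line (exec, suid, dev) switches one back on; owner and group imply only nosuid and nodev. The function walks the option list in order, as mount does, and prints the effective state for every line an ordinary user may mount, so an entry that quietly re-enables set-uid binaries on a removable disk stands out. The sample fstab is constructed from Example 8.1 with two added lines: a /dev/sdb1 entry that overrides the defaults and a root-only /home entry that must not be reported.

```shell
#!/bin/sh
# Added example: list fstab entries ordinary users may mount and the effective
# exec/suid/dev state of each. Not part of the manual; the sample fstab is constructed.

sample_fstab() {
    cat <<'EOF'
# <device>  <mount point>  <type>  <options>              <dump> <pass>
/dev/sda1   /data1         auto    noauto,user            0 0
/dev/sda5   /data2         auto    noauto,user            0 0
/dev/sda6   /data3         auto    noauto,user            0 0
/dev/sdb1   /media/usb     vfat    noauto,user,exec,suid  0 0
/dev/sda2   /home          ext3    defaults               1 2
EOF
}

# $1: fstab path (default /etc/fstab). For each entry carrying user, users,
# owner or group, print "<device> <mountpoint> exec=<yes|no> suid=<yes|no> dev=<yes|no>".
fstab_user_mounts() {
    awk '
        function yn(x) { return x ? "yes" : "no" }
        /^[ \t]*#/ || NF < 4 { next }                   # comments and short lines
        {
            u = 0; e = 1; s = 1; d = 1                  # mount defaults: exec, suid, dev
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {                  # options take effect in order
                if (o[i] == "user" || o[i] == "users") { u = 1; e = 0; s = 0; d = 0 }
                else if (o[i] == "owner" || o[i] == "group") { u = 1; s = 0; d = 0 }
                else if (o[i] == "exec")   { e = 1 }    # later options override
                else if (o[i] == "noexec") { e = 0 }
                else if (o[i] == "suid")   { s = 1 }
                else if (o[i] == "nosuid") { s = 0 }
                else if (o[i] == "dev")    { d = 1 }
                else if (o[i] == "nodev")  { d = 0 }
            }
            if (u) printf "%s %s exec=%s suid=%s dev=%s\n", $1, $2, yn(e), yn(s), yn(d)
        }
    ' "${1:-/etc/fstab}"
}

# Demo on the constructed sample; the /dev/sdb1 line is the one to question.
sample_fstab > /tmp/fstab-sample
fstab_user_mounts /tmp/fstab-sample
```

Any line reported with suid=yes or dev=yes is one where an ordinary user can mount media containing set-uid binaries or device nodes of their own making; unless that is deliberate, remove the overriding option or the user option itself.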
  • Page 179: Pci Device Drivers

    8.5.8 PCI Device Drivers TIP: IBM System z: Continuing For IBM System z, continue with Section 8.5.12, “System Services (Runlevel)” (page 162). Each kernel driver contains a list of device IDs of all devices it supports. If a new device is not in any driver's database, the device is treated as unsupported, even if it can be used with an existing driver.
  • Page 180: Power Management

    To edit a PCI ID, select the device driver from the list and click Edit. Edit the information and click OK to save your changes. To delete an ID, select the driver and click Delete. The ID immediately disappears from the list. When finished, click OK. 8.5.9 Power Management The System >...
  • Page 181: Language Selection

    8.5.13 /etc/sysconfig Editor The directory /etc/sysconfig contains the files with the most important settings for SUSE Linux Enterprise. Use System > /etc/sysconfig Editor to modify the values and save them to the individual configuration files. Generally, manual editing is not necessary, because the files are automatically adapted when a package is installed or a service is configured.
  • Page 182: Network Devices

    Figure 8.8 Setting the Language Select the main language to use for your system in Primary Language. To adjust the keyboard or time zone to this setting, enable Adapt Keyboard Layout or Adapt Time Zone. Set how locale variables are set for the root user with Details. Also use Details to set the primary language to a dialect not available in the main list.
  • Page 183: Network Services

    select it from the list then click Edit. If your device has not been detected, click Add and select it manually. To edit an existing device, select it then click Edit. For more detailed information, see Section 30.4, “Configuring a Network Connection with YaST” (page 560).
  • Page 184: Mail Server

    No Connection If you do not have access to the Internet and are not located in a network, you cannot send or receive e-mail. Activate virus scanning for your incoming and outgoing e-mail with AMaViS by select- ing that option. The package is installed automatically as soon as you activate the mail filtering feature.
  • Page 185 Fetching Mail Configures mail pick-up from external mail accounts over various protocols. Mail Server Domains This determines for which domains the mail server should be responsible. At least one master domain must be configured if the server should not run as a null client used exclusively for sending mail without receiving any.
  • Page 186 name and domain name. If the provider has been configured correctly for DSL, modem, or ISDN access, the list of name servers contains the entries that were extracted automatically from the provider data. If you are located in a local network, you might receive your hostname via DHCP, in which case you should not modify the name.
  • Page 187 to users. In NFS Server, you can configure your host as an NFS server and determine the directories to export for general use by the network users. All users with the appropriate permissions can mount these directories in their own file trees. A description of the YaST module and background information about NFS are provided in Chapter 38, Sharing File Systems with NFS (page 715).
  • Page 188 WARNING: Configuring Network Services (xinetd) The composition and adjustment of network services on a system is a complex procedure that requires a comprehensive understanding of the concept of Linux services. The default settings are usually sufficient. Proxy Configure Internet proxy client settings in Proxy. Click Enable Proxy then enter the desired proxy settings.
  • Page 189 Samba Server In a heterogeneous network consisting of Linux and Windows hosts, Samba controls the communication between the two worlds. Information about Samba and the configuration of servers is provided in Chapter 37, Samba (page 699). SLP Server With service location protocol (SLP), you can configure clients in your network without knowledge of server names and services that these servers provide.
  • Page 190: Apparmor

    8.8 AppArmor Novell AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify which files each program may read, write, and execute. To enable or disable Novell AppArmor on your system, use AppArmor Control Panel.
  • Page 191: Adding Users

    Adding Users To add a new user, proceed as follows: 1 Click Add. 2 Enter the necessary data for User Data. If you do not need to adjust any more detailed settings for this new user, proceed to Step 5 (page 173).
  • Page 192 3 Adjust the settings under User Data, Details, and Password Settings. 4 Save the user account configuration by clicking Accept. Managing Encrypted Home Directories You can create an encrypted home directory as part of the user account creation. To create an encrypted home directory for a user, proceed as follows: 1 Click Add.
  • Page 193: Auto Login

    Auto Login WARNING: Using Auto Login Using the auto login feature on any system that can be physically accessed by more than one person is a potential security risk. Any user accessing this system can manipulate the data on it. If your system contains confidential data, do not use the auto login functionality.
  • Page 194 Disabling User Login To create a system user that should not be able to log in to the system but under whose identity several system-related tasks should be managed, disable the user login when creating the user account. Proceed as follows: 1 Click Add.
  • Page 195 To change the password expiration policy for an existing user, proceed as follows: 1 Select the user from the list and click Edit. 2 Adjust the values in Password Settings. 3 Apply your settings with Accept. You can limit the lifetime of any user account by specifying a date of expiration for this particular account.
  • Page 196: Group Management

    Several other security-related default settings can be changed using the Local Security module. Refer to Section 8.9.3, “Local Security” (page 179) for information. Changing the Password Encryption NOTE Changes in password encryption apply only to local users. SUSE Linux Enterprise can use DES, MD5, or Blowfish for password encryption. The default password encryption method is Blowfish.
  • Page 197 Click Expert Options for advanced group management. Find more about these options in Section 8.9.1, “User Management” (page 172). 8.9.3 Local Security To apply a set of security settings to your entire system, use Security and Users > Local Security. These settings include security for booting, login, passwords, user creation, and file permissions.
  • Page 198: Certificate Management

    over the network, enable Allow Remote Graphical Login. Because this access possibility represents a potential security risk, it is inactive by default. User Addition Every user has a numerical and an alphabetical user ID. The correlation between these is established using the file /etc/passwd and should be as unique as possible.
  • Page 199: Virtualization

    The hardware for the different systems is provided virtually. Virtualization YaST modules provide configuration for the Xen virtualization system. For more information about this technology, see the virtualization manual on http://www.novell.com/documentation/sles10/index.html. The following modules are available in the Virtualization section: Installing Hypervisor and Tools Before you start using Xen, install a kernel with Xen support and related tools.
  • Page 200: Miscellaneous

    8.11 Miscellaneous The YaST Control Center has several modules that cannot easily be classified into the first six module groups. They can be used for things like viewing log files and installing drivers from a vendor CD. 8.11.1 Custom Installation CD Creation With Miscellaneous >...
  • Page 201: System Log

    8.11.5 Release Notes The release notes are an important source about installation, update, configuration, and technical issues. The release notes are continuously updated and published through online update. Use Miscellaneous > Release Notes to view the release notes. 8.11.6 Start-Up Log View information concerning the start-up of the computer in Miscellaneous >...
  • Page 202 /proc/iomem This displays the status of input/output memory. /proc/ioports This shows which I/O ports are in use at the moment. /proc/meminfo This displays memory status. /proc/modules This displays the individual modules. /proc/mounts This displays devices currently mounted. /proc/partitions This shows the partitioning of all hard disks. /proc/version This displays the current version of Linux.
  • Page 203: Yast In Text Mode

    8.12 YaST in Text Mode This section is intended for system administrators and experts who do not run an X server on their systems and depend on the text-based installation tool. It provides basic information about starting and operating YaST in text mode. When YaST is started in text mode, the YaST Control Center appears first.
  • Page 204: Navigation In Modules

    Press Enter to start the desired module. Various buttons or selection fields in the module contain a letter with a different color (yellow by default). Use Alt + yellow_letter to select a button directly instead of navigating there with Tab . Exit the YaST Control Center by pressing Alt + Q or by selecting Quit and pressing Enter .
  • Page 205: Restriction Of Key Combinations

    Figure 8.10 The Software Installation Module 8.12.2 Restriction of Key Combinations If your window manager uses global Alt combinations, the Alt combinations in YaST might not work. Keys like Alt or Shift can also be occupied by the settings of the terminal.
  • Page 206: Managing Yast From The Command Line

    8.13 Managing YaST from the Command Line When a task only needs to be done once, the graphical or ncurses interface is usually the best solution. If a task needs to be done repeatedly, it might be easier to use the YaST command line interface.
  • Page 207: Managing Users

    GenProf, LogProf, SD_AddProfile, SD_DeleteProfile, SD_EditProfile, SD_Report, and subdomain These modules control or configure AppArmor. AppArmor has its own command line tools. 8.13.1 Managing Users The YaST commands for user management, unlike traditional commands, consider the configured authentication method and default user management settings of your system when creating, modifying, or removing users.
  • Page 208 Example 8.3 Removing Multiple Users #!/bin/bash # the home directories will not be deleted # to delete homes, use option delete_home for i in `cat /tmp/users.txt`; do yast users delete username=$i; done 8.13.2 Configuring the Network and Firewall Network and firewall configuration commands are often wanted in scripts. Use yast lan for network configuration and yast firewall.
  • Page 209: Sax2

    8.14 SaX2 Configure the graphical environment of your system with Hardware > Graphics Card and Monitor. This opens the SUSE Advanced X11 Configuration interface (SaX2), where you can configure devices such as your mouse, keyboard, or display devices. This interface can also be accessed from the GNOME main menu with Computer > More Applications >...
  • Page 210 TIP: Autodetecting New Display Hardware If you change your display hardware after installation, use sax2 -r on the command line to cause SaX2 to detect your hardware. You must be root to run SaX2 from the command line. Graphics Card It is not possible to change the graphics card because only known models are supported and these are detected automatically.
  • Page 211 Resolution and Color Depth The resolution and color depth can be chosen directly from two lists in the middle of the dialog. The resolution you select here marks the highest resolution to use. All common resolutions down to 640x480 are also added to the configuration automatically. Depending on the graphical desktop used, you can switch to any of these later without the need for reconfiguration.
  • Page 212: Testing The Configuration

    detected screens, arranging all screens in a row from left to right. In the Arrangement part of the dialog, determine the way the monitors are arranged by selecting one of the sequence buttons. Click OK to close the dialog. TIP: Using a Beamer with Laptop Computers To connect a beamer to a laptop computer, activate dual head mode.
  • Page 213 devices operated by the same driver are shown as one mouse. Activate or deactivate the currently selected mouse with the check box at the top of the dialog. Below the check box, see the current settings for that mouse. Normally, the mouse is detected automatically, but you can change it manually if the automatic detection fails.
  • Page 214 without the need for reconfiguration. After you click OK, the changes are applied immediately. 8.14.4 Tablet Properties Use this dialog to configure a graphics tablet attached to your system. Click the Graphics Tablet tab to select vendor and model from the lists. Currently, only a limited number of graphics tablets is supported.
  • Page 215: Troubleshooting

    8.16 For More Information More information about YaST can be found on the following Web sites and directories: • /usr/share/doc/packages/yast2—Local YaST development documentation • http://www.opensuse.org/YaST_Development—The YaST project page in the openSUSE wiki • http://forge.novell.com/modules/xfmod/project/?yast—Another YaST project page System Configuration with YaST...
  • Page 217: Managing Software With Zenworks

    ZENworks package management tools use a ZENworks Linux Management server to download packages and updates. If no ZENworks Linux Management server is available in your local network, your system can get updates from the Novell Customer Center, which is described in Section 3.14.4, “Novell Customer Center Configuration”...
  • Page 218: Update From The Command Line With Rug

    -s, --no-services Do not load initial services. -r, --no-remote Do not start remote services. ZMD configuration is stored in /etc/zmd/zmd.conf. You can change the configuration manually or with rug. The URL for the ZENworks service that zmd uses at initial start-up and a registration key are stored in /var/lib/zmd.
  • Page 219 In case of an access denial to the update catalog you will see a warning message with a recommendation to visit the Novell Customer Center and check your subscription. The Novell Customer Center is available at http://www.novell...
  • Page 220 9.1.4 rug User Management One of the main advantages of rug is its user management. Normally, only root can update or install new packages. With rug, you can assign the right to update the system to other users and restrict them, for example, to only updating without the possibility to remove software.
  • Page 221: Scheduling Updates

    To change the current privileges of a user, use rug ue username and replace the username by the name of the desired user. You get a list with the rights of the selected user. The edit command is interactive. Use plus (+) or minus (-) to add or remove the user's privileges and press Enter .
  • Page 222: Managing Packages With The Zen Tools

    9.1.7 For More Information For more information about updating from the command line, enter rug --help or see the rug(1) man page. The --help option is also available for all rug commands. If, for example, you need help for rug update, enter rug update --help. 9.2 Managing Packages with the ZEN Tools The ZEN tools serve as graphical front-ends for the ZENworks Management Daemon...
  • Page 223 In case of an access denial to the update catalog you will see a warning message with a recommendation to visit the Novell Customer Center and check your subscription. The Novell Customer Center is available at http://www.novell...
  • Page 224: Installing Software

    Figure 9.1 Selecting the Software Updates 9.2.3 Installing Software To install software packages, start Install Software from the menu or run zen-installer. The interface is almost identical to Software Updater (see Section 9.2.2, “Obtaining and Installing Software Updates” (page 204)). The only difference is a search panel you can use to search for packages or to filter the list.
  • Page 225 complete products), Patterns (see Section “Installing and Removing Patterns” (page 133) for details on patterns), Packages, and Patches. Mark the check box of a list entry that should be removed then press Remove to start the package uninstallation. If other packages depend on the ones marked by you, these are also removed.
  • Page 226 With Mount, embed a directory mounted on your machine. This is useful, for example, in a network that regularly mirrors the Novell YUM server and exports its content to the local network. To add the directory, provide the full path to the directory in Service URI.
  • Page 227: For More Information

    Refer to the rug man page for an explanation of the settings. 9.3 For More Information Find more information about ZENworks Linux Management and ZMD at http://www.novell.com/products/zenworks/linuxmanagement/index.html. Managing Software with ZENworks...
  • Page 229: 0 Updating Suse Linux Enterprise

    Updating SUSE Linux Enterprise SUSE® Linux Enterprise provides the option of updating an existing system to the new version without completely reinstalling it. No new installation is needed. Old data, such as home directories and system configuration, is kept intact. During the life cycle of the product, you can apply Service Packs to increase system security and correct software defects.
  • Page 230: Possible Problems

    applies to files stored in /etc as well as some of the directories and files in /var and /opt. You may also want to write the user data in /home (the HOME directories) to a backup medium. Back up this data as root. Only root has read permission for all local files.
  • Page 231 10.1.3 Updating with YaST Following the preparation procedure outlined in Section 10.1.1, “Preparations” (page 211), you can now update your system: 1 Optionally, prepare an installation server. For background information, see Section 4.2.1, “Setting Up an Installation Server Using YaST” (page 56).
  • Page 232: Installing Service Packs

    10.2 Installing Service Packs Use Service Packs to update a SUSE Linux Enterprise installation. There are several different ways in which you can apply a Service Pack. You can either update the existing installation or start a whole new installation using the Service Pack media. Possible scenarios for updating the system and setting up a central network installation source are described here.
  • Page 233: Network Installation

    Installing a SUSE Linux Enterprise Service Pack is very similar to installing the original SUSE Linux Enterprise media. As with the original installation, you can choose to install from a local CD or DVD drive or from a central network installation source. Installing from a Local CD or DVD Drive Before starting a new installation of a SUSE Linux Enterprise SP, ensure that all of the Service Pack installation media (CDs or DVD) are available.
  • Page 234 1 Insert the SUSE Linux Enterprise SP CD 1 or DVD 1 and boot your machine. A boot screen similar to the original installation of SUSE Linux Enterprise 10 is displayed. 2 Select Installation to boot the SP kernel then use F3 to select a type of network installation source (FTP, HTTP, NFS, or SMB).
  • Page 235 7 Continue as usual with the installation (entering a password for root, completing the network configuration, testing your Internet connection, activating the Online Update service, selecting the user authentication method, and entering a username and password). For detailed instructions for installing SUSE Linux Enterprise, see Chapter 3, Installation with YaST (page 17).
  • Page 236 • The system must be online throughout the entire update process, because this process requires access to the Novell Customer Center. • If your setup involves third party software or add-on software, test this procedure on another machine to make sure that the dependencies are not broken by the update.
  • Page 237 Figure 10.2 Update to Service Pack 2 NOTE During update migration using YaST Online Update, the ZMD stack is updated and the ZMD daemon is restarted, too. Therefore, it is advisable to avoid using any other software management tools such as rug, zen-updater, zen-installer and zen-remover.
  • Page 238 3 The Patch Download and Installation dialog tracks the progress log. When Total Progress reaches 100%, click Close. The Online Update will then restart automatically. 4 Once restarted, press Accept to apply all available updates together with a new kernel.
  • Page 239 Figure 10.3 Apply SLE10 SP2 Maintenance Stack Update 1 In a running SUSE Linux Enterprise system, start the zen-updater by clicking the updater icon at the bottom. TIP: Waking up ZMD If you see the ZMD not running message, check in a terminal as root with rczmd status whether ZMD is alive.
  • Page 240 4 In the restarted Software Updater, page down and select the optional move-to-sles10-sp2 patch and apply it. If you do not select it, your system will stay at the SP1 feature level and you will get bug fixes and security updates only for a limited time (six months after the availability of SP2).
  • Page 241 SUSE Linux Enterprise GA to SP1 and SP2 NOTE The following steps are only relevant if your system is still running at the GA patch level. Figure 10.4 Update to Service Pack 1 1 In a running SUSE Linux Enterprise system (GA), select Computer > YaST > Software >...
  • Page 242: Software Changes From Version 9 To Version 10

    3 The Patch Download and Installation dialog tracks the progress log of the migration patch installation. When Total Progress reaches 100%, click Finish. 4 Run the online update a second time. Once done, in the Patch Download and Installation click Close. During this second run YaST installs the kernel and all the other software.
  • Page 243 10.3.1 Multiple Kernels It is possible to install multiple kernels side by side. This feature is meant to allow administrators to upgrade from one kernel to another by installing the new kernel, verifying that the new kernel works as expected, then uninstalling the old kernel. While YaST does not yet support this feature, kernels can easily be installed and uninstalled from the shell using rpm -i package.rpm.
  • Page 244 10.3.3 Console Number Change and Serial Devices As of 2.6.10, serial devices on ia64 are named based on the order of ACPI and PCI enumeration. The first device in the ACPI name space (if any) becomes /dev/ttyS0, the second becomes /dev/ttyS1, etc., and PCI devices are named sequentially starting after the ACPI devices.
  • Page 245 10.3.6 Apache 2 Replaced with Apache 2.2 The Apache Web server (version 2) has been replaced with version 2.2. For Apache version 2.2, Chapter 40, The Apache HTTP Server (page 741) was completely reworked. In addition, find generic upgrade information at http://httpd.apache.org/ and the description of new features at docs/2.2/upgrading.html...
  • Page 246 10.3.8 Hotplug Events Handled by the udev Daemon Hotplug events are now completely handled by the udev daemon (udevd). The event multiplexer system in /etc/hotplug.d and /etc/dev.d is no longer used. Instead, udevd calls all hotplug helper tools directly according to its rules. Udev rules and helper tools are provided by udev and various other packages.
  • Page 247 size and download time at the expense of higher CPU load for reassembling the final package. See /usr/share/doc/packages/deltarpm/README for technical details. 10.3.12 Print System Configuration At the end of the installation (proposal dialog), the ports needed for the print system must be open in the firewall configuration.
  • Page 248 10.3.14 X.Org Configuration File The configuration tool SaX2 writes the X.Org configuration settings into /etc/X11/ xorg.conf. During an installation from scratch, no compatibility link from XF86Config to xorg.conf is created. 10.3.15 XView and OpenLook Support Dropped The packages xview, xview-devel, xview-devel-examples, olvwm, and xtoolpl were dropped.
  • Page 249 Table 10.4 Wrapper (old wrapper -> new command):
    /usr/X11R6/bin/OOo-calc -> /usr/bin/oocalc
    /usr/X11R6/bin/OOo-draw -> /usr/bin/oodraw
    /usr/X11R6/bin/OOo-impress -> /usr/bin/ooimpress
    /usr/X11R6/bin/OOo-math -> /usr/bin/oomath
    /usr/X11R6/bin/OOo-padmin -> /usr/sbin/oopadmin
    /usr/X11R6/bin/OOo-setup -> – (no replacement)
    /usr/X11R6/bin/OOo-template -> /usr/bin/oofromtemplate
    /usr/X11R6/bin/OOo-web -> /usr/bin/ooweb
    /usr/X11R6/bin/OOo-writer -> /usr/bin/oowriter
    /usr/X11R6/bin/OOo -> /usr/bin/ooffice
    /usr/X11R6/bin/OOo-wrapper -> /usr/bin/ooo-wrapper
    The wrapper now supports the option --icons-set for switching between KDE and GNOME icons. The following options are no longer supported: --default-configuration, --gui, --java-path, --skip-check, --lang (the language is now determined by means of locales), --messages-in-window, and --quiet.
  • Page 250 10.3.18 Sound Mixer kmix The sound mixer kmix is preset as the default. For high-end hardware, there are other mixers, like QAMix, KAMix, envy24control (only ICE1712), or hdspmixer (only RME Hammerfall). 10.3.19 DVD Burning In the past, a patch was applied to the cdrecord binary from the cdrecord package to support burning DVDs.
  • Page 251 10.3.23 PAM Configuration New Configuration Files (containing comments for more information): common-auth: Default PAM configuration for the auth section; common-account: Default PAM configuration for the account section; common-password: Default PAM configuration for password changing; common-session: Default PAM configuration for session management. You should include these default configuration files from within your application-specific configuration file, because it is easier to modify and maintain one file instead of the approximately forty files that used to exist on the system.
  • Page 252 10.3.24 Becoming the Superuser Using su By default, calling su to become root does not set the PATH for root. Either call su - to start a login shell with the complete environment for root or set ALWAYS_SET_PATH to yes in /etc/default/su if you want to change the default behavior of su.
  • Page 253 • suspend to disk (ACPI S4, APM suspend) • suspend to ram (ACPI S3, APM suspend) • standby (ACPI S1, APM standby) 10.3.26 Powersave Configuration Variables Names of the powersave configuration variables are changed for consistency, but the sysconfig files are still the same. Find more information in Section 28.5.1, “Configuring the powersave Package”...
  • Page 254 10.3.29 NTP-Related Files Renamed For reasons of compatibility with LSB (Linux Standard Base), most configuration files and the init script were renamed from xntp to ntp. The new filenames are: • /etc/slp.reg.d/ntp.reg • /etc/init.d/ntp • /etc/logrotate.d/ntp • /usr/sbin/rcntp • /etc/sysconfig/ntp 10.3.30 File System Change Notification for GNOME Applications For proper functionality, GNOME applications depend on file system change notification...
  • Page 255 10.3.32 Firefox 1.5: The URL Open Command With Firefox 1.5, the method for applications to open a Firefox instance or window has changed. The new method was already partly available in former versions where the behavior was implemented in the wrapper script. If your application does not use mozilla-xremote-client or firefox -remote, you do not need to change anything.
  • Page 257: Part Ii Administration

    Part II. Administration...
  • Page 259: 1 Openwbem

    OpenWBEM Novell® has embraced the open standard strategies of Web-Based Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF) [http://www.dmtf.org/home]. Implementing these strategies can substantially reduce the level of complexity associated with managing disparate systems in your network.
  • Page 260 WBEM project [http://openwbem.org]. The Web-Based Enterprise Management software selection includes a set of packages that contain basic Novell providers, including some sample providers, and a base set of accompanying Novell schemas. As Novell moves forward with OpenWBEM and development of specific providers, it will provide tools that offer the following important features: •...
  • Page 261: Setting Up Openwbem

    DMTF and its technologies, you can visit the DMTF Web site [http://www.dmtf.org]. openwbem-base-providers: This package contains a Novell Linux instrumentation of base operating system components such as computer, system, operating system, and processes for the OpenWBEM CIMOM.
  • Page 262 • Section 11.1.2, “Ensuring Secure Access” (page 244) • Section 11.1.3, “Setting Up Logging” (page 247) 11.1.1 Starting, Stopping, or Checking Status for owcimomd When Web-Based Enterprise Management software is installed, the daemon, owcimomd, is started by default. The following table explains how to start, stop, and check status for owcimomd.
  • Page 263 /etc/openwbem/servercert.pem If you want to generate a new certificate, use the following command. Running this command replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one. As root in a console shell, enter...
  • Page 264 Internet between servers and workstations. Users must authenticate through the client application to view this information. Novell recommends that you maintain this setting in the configuration file. In order for the OpenWBEM CIMOM to communicate with the...
  • Page 265 Authentication The following authentication settings are set and enabled as the default for OpenWBEM in SUSE Linux Enterprise Server. You can change any of the default settings. See Section 11.2.1, “Changing the Authentication Configuration” (page 248). • http_server.allow_local_authentication = true •...
  • Page 266: Changing The Openwbem Cimom Configuration

    11.2 Changing the OpenWBEM CIMOM Configuration When OpenWBEM CIMOM (owcimomd) starts, it reads its run-time configuration from the openwbem.conf file. The openwbem.conf file is located in the /etc/openwbem directory. Any setting that has the options commented out with a semicolon (;) or pound sign (#) uses the default setting.
  • Page 267 See the following settings: • Section “http_server.allow_local_authentication” (page 249) • Section “http_server.digest_password_file” (page 250) • Section “http_server.ssl_client_verification” (page 250) • Section “http_server.ssl_trust_store” (page 251) • Section “http_server.use_digest” (page 252) • Section “owcimomd.ACL_superuser” (page 253) • Section “owcimomd.allow_anonymous” (page 253) •...
  • Page 268 Option Description false Disables local authentication. Example http_server.allow_local_authentication = true http_server.digest_password_file Purpose Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled. Syntax http_server.digest_password_file = path_filename The following is the default path and filename for the digest password file: /etc/openwbem/digest_auth.passwd Example http_server.digest_password_file =...
  • Page 269 Syntax: http_server.ssl_client_verification = option Option Description autoupdate Specifies the same functionality as the Optional option; however, previously unknown client certificates that pass HTTP authentication are added to a trust store so that subsequent client connections with the same certificate do not require HTTP authentication.
  • Page 270 /etc/openwbem/truststore Example http_server.ssl_trust_store = /etc/openwbem/truststore http_server.use_digest Purpose Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication mechanism. To use digest, you must set up the digest password file using owdigestgenpass. Digest doesn’t use the authentication module specified by the owcimomd.authentication_module configuration setting.
  • Page 271 owcimomd.ACL_superuser Purpose Specifies the username of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by the owcimomd. This user can be used to administer the /root/security name space, which is where all ACL user rights are stored.
  • Page 272 Option Description false This disables authentication. No username or password is required to access owcimomd data. Example owcimomd.allow_anonymous = false owcimomd.allowed_users Purpose Specifies a list of users who are allowed to access owcimomd data. Syntax owcimomd.allowed_users = option Option Description username Specifies one or more users who are allowed to access the owcimomd data.
  • Page 273 owcimomd.authentication_module Purpose Specifies the authentication module that is used by owcimomd. This setting should be an absolute path to the shared library containing the authentication module. Syntax owcimomd.authentication_module = path_filename The following is the default path and filename for the authentication modules: /usr/lib/openwbem/authentication/libpamauthentication.so Example owcimomd.authentication_module =...
  • Page 274 11.2.2 Changing the Certificate Configuration The http_server.SSL_cert and the http_server.SSL_key settings specify the location of the file or files that contain the host's private key and the certificate that is used by OpenSSL for HTTPS communications. The .pem files are located in the following default location: /etc/openwbem/servercert.pem /etc/openwbem/serverkey.pem Syntax...
  • Page 275 11.2.3 Changing the Port Configuration The http_server.http_port and http_server.https_port settings specify the port number that owcimomd listens on for all HTTP and HTTPS communications. Syntax http_server.http_port = option http_server.https_port = option Option Description Specific_port_number Specify the specific port for HTTP or HTTPS communications.
  • Page 276 11.2.4 Changing the Default Logging Configuration The following log settings in the owcimomd.conf file let you specify where and how much logging occurs, the type of errors logged, and the log size, filename, and format: • Section “log.main.categories” (page 258) •...
  • Page 277 Option Description: category_name specifies the categories to be logged, as a space-delimited list. The categories used in owcimomd are: DEBUG, ERROR, FATAL, INFO. For more information about these options, see Section “log.main.level” (page 263). If specified in this option, the predefined categories are not treated as levels, but as independent categories.
  • Page 278 Syntax log.main.components = option Option Description: component_name specifies the components to be logged (such as owcimomd), as a space-delimited list. Providers can use their own components. The other option specifies that all components are logged, which is the default setting. Example log.main.components = owcimomd nssd log.main.format Purpose Specifies the format (text mixed with printf() style conversion specifiers) of the log...
  • Page 279 Option Specifies: %d can be followed by a date format specifier enclosed in braces. For example, %d{%H:%M:%S} or %d{%d %b %Y %H:%M:%S}. If no date format specifier is given, ISO 8601 format is assumed. The only addition is %Q, which is the number of milliseconds. For more information about the date format specifiers, see the documentation for the strftime() function found in the <ctime>...
  • Page 280 Option Specifies: line feed; \x<hexDigits> a character represented in hexadecimal. It is possible to change the minimum field width, the maximum field width, and the justification. The optional format modifier is placed between the percent sign (%) and the conversion character. The first optional format modifier is the left justification flag, which is the minus (-) character.
  • Page 281 <log4j:locationInfo class="" method="" file="%F" line="%L"/></log4j:event>" The following is the default: log.main.format = [%t]%m log.main.level Purpose Specifies the level the log outputs. If set, the log outputs all predefined categories at and above the specified level. Syntax log.main.level = option Option Description DEBUG Logs all Debug, Info, Error, and Fatal error messages.
  • Page 282 log.main.location Purpose Specifies the location of the log file owcimomd uses when the log.main.type setting specifies that logging is sent to a file. Syntax log.main.location = path_filename Example log.main.location = /system/cimom/var/owcimomd.log log.main.max_backup_index Purpose Specifies the number of backup logs that are kept before the oldest is erased. Syntax log.main.max_backup_index = option Option...
  • Page 283 log.main.max_file_size Purpose Specifies the maximum size (in KB) to which the owcimomd log can grow. Syntax log.main.max_file_size = option Option Description: unsigned_integer_in_KB limits the log to that size in KB. The other option lets the log grow to an unlimited size, which is the default setting.
  • Page 284 Option Description null Disables logging. syslog Sends all messages to the syslog interface. This is the default setting. Example log.main.type = syslog 11.2.5 Configuring Debug Logging If owcimomd is run in debug mode, then the debug log is active with the following settings: •...
  • Page 285 Table 11.3 Additional Color Codes for the log.debug.format Command (color, code): red \x1b[1;31;40m; dark red \x1b[0;31;40m; green \x1b[1;32;40m; dark green \x1b[0;32;40m; yellow \x1b[1;33;40m; dark yellow \x1b[0;33;40m; blue \x1b[1;34;40m; dark blue \x1b[0;34;40m; purple \x1b[1;35;40m; dark purple \x1b[0;35;40m; cyan \x1b[1;36;40m; dark cyan \x1b[0;36;40m; white \x1b[1;37;40m; dark white...
  • Page 286 owcimomd.additional_logs = logname Separate multiple log names with spaces. Syntax owcimomd.additional_logs = logname For each log, the following settings apply: log.log_name.categories, log.log_name.components, log.log_name.format, log.log_name.level, log.log_name.location, log.log_name.max_backup_index, log.log_name.max_file_size. Example owcimomd.additional_logs = errorlog1 errorlog2 errorlog3 11.3 For More Information For more information about OpenWBEM, see the following: •...
  • Page 287 • A Novell Cool Solutions Article: An Introduction to WBEM and OpenWBEM in SUSE Linux [http://www.novell.com/coolsolutions/feature/ 14625.html] • OpenWBEM Web site [http://www.openwbem.org] • DMTF Web site [http://www.dmtf.org] OpenWBEM...
  • Page 289 Mass Storage over IP Networks—iSCSI One of the central tasks in computer centers and when operating servers is providing hard disk capacity for server systems. Fibre Channel is often used for this purpose in the mainframe sector. So far, UNIX computers and the majority of servers are not connected to central storage solutions.
  • Page 290 12.1.1 Creating iSCSI Targets with YaST The iSCSI target configuration exports existing block devices or file system images to iSCSI initiators. First create the needed block devices with YaST or create file system images. For an overview of partitioning, see Section 8.5.7, “Using the YaST Partitioner”...
  • Page 291 It always starts with iqn. yyyy-mm is the year and month when this target is activated. Find more about naming conventions in RFC 3722 (see http://www.ietf.org/rfc/rfc3722.txt). Identifier The Identifier is freely selectable. It should follow some scheme to make the whole system more structured.
  • Page 292 iSNS for Linux Overview (page 281). Note that access control for iSNS discovery is not supported; keep iSNSAccessControl no. Direct iSCSI authentication can be done in both directions. The iSCSI target can require the iSCSI initiator to authenticate with the IncomingUser, which can be added multiple times.
  • Page 293 cat /proc/net/iet/session tid:1 name:iqn.2006-02.com.example.iserv:system-v3 sid:562949957419520 initiator:iqn.2005-11.de.suse:cn=rome.example.com,01.9ff842f5645 cid:0 ip:192.168.178.42 state:active hd:none dd:none sid:281474980708864 initiator:iqn.2006-02.de.suse:01.6f7259c88b70 cid:0 ip:192.168.178.72 state:active hd:none dd:none 12.1.3 Configuring Online Targets with ietadm When changes to the iSCSI target configuration are necessary, you must always restart the target to activate changes made in the configuration file. Unfortunately, all active sessions are interrupted in this process.
  • Page 294 cat /proc/net/iet/session tid:1 name:iqn.2006-03.com.example.iserv:system sid:281474980708864 initiator:iqn.1996-04.com.example:01.82725735af5 cid:0 ip:192.168.178.72 state:active hd:none dd:none To delete the session with the session ID 281474980708864, use the command ietadm --op delete --tid=1 --sid=281474980708864 --cid=0. Be aware that this makes the device inaccessible on the client system, and processes accessing this device are likely to hang.
  • Page 295: Configuring iSCSI Initiator ... to the configuration file /etc/ietd.conf. Depending on the usage of iSCSI in your network, this may lead to severe problems. There are several more options available for the command ietadm. Find an overview with ietadm -h. The abbreviations there are target ID (tid), session ID (sid), and connection ID (cid).
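Pages 293 to 295 show the /proc/net/iet/session listing and the ietadm --op delete command that tears one connection down. The script below is an added example for this edition, not code from the SUSE manual or from the iSCSI Enterprise Target project: it parses that listing into one record per connection, picks out connections from initiator addresses that are not on an allow list, and emits the exact ietadm command the manual gives for each. The session listing is reconstructed from the manual's page 293 output (tab indentation is assumed), and the allow list is this example's own.

```python
"""Find and drop iSCSI target sessions from unexpected initiators.

Added example, not code from the SUSE manual or the iSCSI Enterprise Target
project. The session sample is reconstructed from the manual's listing of
/proc/net/iet/session; the allow list below is constructed for the example.
"""

# Constructed sample in the layout of /proc/net/iet/session (tab indentation assumed).
SAMPLE_SESSIONS = """\
tid:1 name:iqn.2006-02.com.example.iserv:system-v3
\tsid:562949957419520 initiator:iqn.2005-11.de.suse:cn=rome.example.com,01.9ff842f5645
\t\tcid:0 ip:192.168.178.42 state:active hd:none dd:none
\tsid:281474980708864 initiator:iqn.2006-02.de.suse:01.6f7259c88b70
\t\tcid:0 ip:192.168.178.72 state:active hd:none dd:none
"""


def parse_sessions(text):
    """Return one dict per connection: tid, name, sid, initiator, cid, ip, state.

    Lines are classified by their first key (tid/sid/cid) rather than by
    indentation, so copies where tabs became spaces still parse.
    """
    rows, target, session = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # IQNs contain ':' themselves, so each token is split only once.
        fields = dict(token.split(":", 1) for token in line.split())
        if "tid" in fields:
            target = {"tid": int(fields["tid"]), "name": fields["name"]}
        elif "sid" in fields:
            session = {"sid": int(fields["sid"]), "initiator": fields["initiator"]}
        elif "cid" in fields and target and session:
            rows.append({**target, **session, "cid": int(fields["cid"]),
                         "ip": fields["ip"], "state": fields["state"]})
    return rows


def unexpected(rows, allowed_ips):
    """Connections whose initiator address is not on the allow list."""
    return [r for r in rows if r["ip"] not in allowed_ips]


def delete_commands(rows):
    """The ietadm invocation from section 12.1.3 for each connection given."""
    return ["ietadm --op delete --tid=%d --sid=%d --cid=%d"
            % (r["tid"], r["sid"], r["cid"]) for r in rows]


def live_sessions(path="/proc/net/iet/session"):
    """Parse the running target's session table (ietd host only)."""
    with open(path) as fh:
        return parse_sessions(fh.read())


if __name__ == "__main__":
    rows = parse_sessions(SAMPLE_SESSIONS)
    for cmd in delete_commands(unexpected(rows, {"192.168.178.42"})):
        print(cmd)
```

The script only prints the commands; review them before running, because, as the manual warns, deleting a session hangs client processes that have the device open.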
  • Page 296 The virtual iSCSI device is now available. Find the actual device with lsscsi: lsscsi [1:0:0:0] disk VIRTUAL-DISK /dev/sda 12.2.2 Setting Up the iSCSI Initiator Manually Both the discovery and the configuration of iSCSI connections require a running iscsid. When running the discovery the first time, the internal database of the iSCSI initiator is created in the directory /var/lib/open-iscsi.
  • Page 297 12.2.3 The iSCSI Client Databases All information that was discovered by the iSCSI initiator is stored in two database files that reside in /var/lib/open-iscsi. There is one database for the discovery of targets and one for the discovered nodes. When accessing a database, you must first select whether you want to get your data from the discovery or from the node database.
  • Page 298 Important pages for more information about open-iscsi are: • http://www.open-iscsi.org/ • http://www.open-iscsi.org/cgi-bin/wiki.pl • http://www.novell.com/coolsolutions/appnote/15394.html There is also some online documentation available. See the manual pages of iscsiadm, iscsid, ietd.conf, and ietd and the example configuration file /etc/iscsid.conf.
  • Page 299 iSNS for Linux Overview Storage area networks (SANs) can contain many disk drives that are dispersed across complex networks. This can make device discovery and device ownership difficult. iSCSI initiators must be able to identify storage resources in the SAN and determine whether they have access to them.
  • Page 300 lishing discovery relationships. This lets you control and simplify the number of targets and initiators that must be discovered. Figure 13.1 iSNS Discovery Domains and Discovery Domain Sets Both iSCSI targets and iSCSI initiators use iSNS clients to initiate transactions with iSNS servers using the iSNS protocol.
  • Page 301 Suppose you have a company that has 100 iSCSI initiators and 100 iSCSI targets. Depending on your configuration, all iSCSI initiators could potentially try to discover and connect to any of the 100 iSCSI targets. This could create a discovery and connection nightmare.
  • Page 302 1 Start YaST and under Network Services, select iSNS Server. 2 With the Service tab selected, specify the IP address of your iSNS server, then click Save Address. 3 In the Service Start section of the screen, select When Booting. You can also choose to start the iSNS server manually.
  • Page 303 1 Start YaST and under Network Services, select iSNS Server. 2 Click the Discovery Domains Sets tab, then click the Create Discovery Domain Set button. You can also select an existing discovery domain set and click the Delete button to remove that discovery domain set. 3 Specify the name of the discovery domain set you are creating, then click OK.
  • Page 304 An iSCSI node can belong to more than one discovery domain. 13.3.4 Adding Discovery Domains to a Discovery Domain Set 1 Start YaST and under Network Services, select iSNS Server. 2 Click the Discovery Domains Set tab. 3 Select Create Discovery Domain Set to add a new set to the list of discovery domain sets.
  • Page 305 Oracle Cluster File System 2 Oracle Cluster File System 2 (OCFS2) is a general-purpose journaling file system that is fully integrated in the Linux 2.6 kernel and later. OCFS2 allows you to store application binary files, data files, and databases on devices in a SAN. All nodes in a cluster have concurrent read and write access to the file system.
  • Page 306 • An application’s files are available to all nodes in the cluster. Users simply install it once on an OCFS2 volume in the cluster. • All nodes can concurrently read and write directly to storage via the standard file system interface, enabling easy management of applications that run across a cluster. •...
  • Page 307 14.1 O2CB Cluster Service The O2CB cluster service is a set of modules and in-memory file systems that are required to manage OCFS2 services and volumes. You can enable these modules to be loaded and mounted during system boot. For instructions, see Section 14.6.2, “Configuring OCFS2 Services”...
  • Page 308 The O2CB cluster service communicates the node status via a disk heartbeat. The heartbeat system file resides on the Storage Area Network (SAN), where it is available to all nodes in the cluster. The block assignments in the file correspond sequentially to each node's slot assignment.
  • Page 309 14.4 Management Utilities and Commands OCFS2 stores node-specific parameter files on the node. The cluster configuration file (/etc/ocfs2/cluster.conf) resides on each node assigned to the cluster. The ocfs2console utility is a GTK GUI-based interface for managing the configuration of the OCFS2 services in the cluster. Use this utility to set up and save the /etc/ocfs2/cluster.conf file to all member nodes of the cluster.
  • Page 310 OCFS2 Utility Description: ocfs2cdsl creates a context-dependent symbolic link (CDSL) for a specified filename (file or directory) for a node. A CDSL filename has its own image for a specific node, but has a common name in OCFS2. tunefs.ocfs2 changes OCFS2 file system parameters, including the volume label, number of node slots, journal size for all node slots, and volume size.
  • Page 311 Command Description: /etc/init.d/o2cb stop If the cluster is set up to load on boot, stops the cluster named ocfs2 by offlining the cluster and unloading the ocfs2 O2CB modules and in-memory file systems. 14.5 OCFS2 Packages The OCFS2 kernel module (ocfs2) is installed automatically in SUSE Linux Enterprise Server 10 and later.
  • Page 312 • Initialize, carve, or configure RAIDs (Redundant Array of Independent Disks) on the SAN disks, as needed, to prepare the devices you plan to use for your OCFS2 volumes. Leave the devices as free space. We recommend that you store application files and data files on different OCFS2 volumes, but it is only mandatory to do so if your application volumes and data volumes have different requirements for mounting.
  • Page 313 4c At the Cluster to start on boot (Enter “none” to clear) [ocfs2] prompt, enter none. This choice presumes that you are setting up OCFS2 for the first time or resetting the service. You specify a cluster name in the next step when you set up the /etc/ocfs2/cluster.conf file.
  • Page 314 6 If you need to restart the OCFS2 cluster for the changes to take effect, enter the following lines, waiting in between for the process to return a status of OK. /etc/init.d/o2cb stop /etc/init.d/o2cb start 14.6.3 Creating an OCFS2 Volume Creating an OCFS2 file system and adding new nodes to the cluster should be performed on only one of the nodes in the cluster.
  • Page 315 OCFS2 Parameter Description and Recommendation: Volume label A descriptive name for the volume to make it uniquely identifiable when it is mounted on different nodes. Use the tunefs.ocfs2 utility to modify the label as needed. Cluster size Cluster size is the smallest unit of space allocated to a file to hold the data.
  • Page 316 OCFS2 Parameter Description and Recommendation: Block size Options are 512 bytes (not recommended), 1 KB, 2 KB, or 4 KB (recommended for most volumes). Block size cannot be modified after the volume is formatted. 14.7 Mounting an OCFS2 Volume 1 Open a terminal window and log in as the root user. 2 If the O2CB cluster service is offline, start it by entering the following command, then wait for the process to return a status of OK.
  • Page 317 TIP: Adding New Nodes When new nodes try to connect to the cluster, they are not allowed to join because the nodes have not added them to their connection list. To solve this issue, manually go to each node and issue the following command to update the respective connection list: o2cb_ctl -H -n ocfs2 -t cluster -a online=yes For information about mounting an OCFS2 volume using any of these methods,...
  • Page 319 Access Control Lists in Linux POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than the traditional permission concept allows. The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard.
  • Page 320 would not be able to change passwd, because it would be too dangerous to grant all users direct access to this file. A possible solution to this problem is the setuid mechanism. setuid (set user ID) is a special file attribute that instructs the system to execute programs marked accordingly under a specific user ID.
  • Page 321 15.2 Advantages of ACLs Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit.
  • Page 322 default ACL Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created. ACL entry Each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions.
  • Page 323 Table 15.1 ACL Entry Types (type: text form): owner user::rwx; named user user:name:rwx; owning group group::rwx; named group group:name:rwx; mask mask::rwx; other other::rwx. Table 15.2 Masking Access Permissions (entry type: text form): named user user:geeko:r-x; mask mask::rw-; effective permissions: r--. 15.4.1 ACL Entries and File Mode Permission Bits Figure 15.1, “Minimum ACL: ACL Entries Compared to Permission Bits”...
  • Page 324 ACL entry owner. Other class permissions are mapped to the respective ACL entry. However, the mapping of the group class permissions is different in the two cases. Figure 15.1 Minimum ACL: ACL Entries Compared to Permission Bits In the case of a minimum ACL—without mask—the group class permissions are mapped to the ACL entry owning group.
  • Page 325 Before creating the directory, use the umask command to define which access permis- sions should be masked each time a file object is created. The command umask 027 sets the default permissions by giving the owner the full range of permissions (0), denying the group write access (2), and giving other users no permissions at all (7).
  • Page 326 mask::rwx other::--- In addition to the entries initiated for the user geeko and the group mascots, a mask entry has been generated. This mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.
  • Page 327 The output of the getfacl confirms this. This output includes a comment for all those entries in which the effective permission bits do not correspond to the original permis- sions, because they are filtered according to the mask entry. The original permissions can be restored at any time with chmod g+w mydir.
  • Page 328 The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL. Take a closer look at the result of this command: getfacl mydir # file: mydir # owner: tux # group: project3 user::rwx user:geeko:rwx group::r-x...
  • Page 329 default:mask::r-x default:other::--- As expected, the newly-created subdirectory mysubdir has the permissions from the default ACL of the parent directory. The access ACL of mysubdir is an exact reflection of the default ACL of mydir. The default ACL that this directory will hand down to its subordinate objects is also the same.
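Pages 323 to 329 explain how the mask entry filters named users and groups, how getfacl marks the result with #effective:, and how a default ACL is inherited. The script below is an added example written for this edition, not code from the SUSE manual or from the acl package: it parses getfacl text output, renders the #effective: annotations, and makes the access decision the way the kernel does (the first matching class decides, and one entry must grant every requested bit; permissions from several entries never add up). The getfacl output is constructed after the manual's mydir example (user tux, group project3, named user geeko, named group mascots, mask r-x); the requesting users jane and their group memberships are placeholders.

```python
"""Evaluate POSIX ACL effective permissions and access decisions.

Added example, not code from the SUSE manual or the acl package. The getfacl
output is constructed after the manual's mydir example; requesting users and
their group memberships are placeholders.
"""

SAMPLE_GETFACL = """\
# file: mydir
# owner: tux
# group: project3
user::rwx
user:geeko:rwx
group::r-x
group:mascots:rwx
mask::r-x
other::---
default:user::rwx
default:user:geeko:rwx
default:group::r-x
default:group:mascots:rwx
default:mask::r-x
default:other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(text):
    """'r-x' -> 5; only the first three characters count, so '#effective:' tails are ignored."""
    return sum(PERM_BITS[c] for c in text[:3] if c in PERM_BITS)


def int_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Return (header, access_entries, default_entries); an entry is (tag, qualifier, bits).

    The owner entry is ('user', '', bits) and the owning group is ('group', '', bits),
    mirroring the empty qualifier in getfacl's text form.
    """
    header, access, default = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        (default if is_default else access).append((tag, qualifier, perms_to_int(perms)))
    return header, access, default


def mask_of(entries):
    return next((bits for tag, _, bits in entries if tag == "mask"), None)


def effective_bits(entry, mask):
    """The mask filters named users, the owning group and named groups; never owner or other."""
    tag, qualifier, bits = entry
    if mask is None or tag in ("other", "mask") or (tag == "user" and qualifier == ""):
        return bits
    return bits & mask


def annotate_effective(entries):
    """Render entries as getfacl does, adding #effective: where the mask removes bits."""
    mask = mask_of(entries)
    lines = []
    for entry in entries:
        tag, qualifier, bits = entry
        line = "%s:%s:%s" % (tag, qualifier, int_to_perms(bits))
        if effective_bits(entry, mask) != bits:
            line += "\t#effective:" + int_to_perms(effective_bits(entry, mask))
        lines.append(line)
    return lines


def check_access(entries, header, user, groups, wanted):
    """True if `user` (a member of `groups`) may perform `wanted`, e.g. 'rw'."""
    want = perms_to_int(wanted)
    mask = mask_of(entries)

    def granted(entry):
        return (want & ~effective_bits(entry, mask)) == 0

    if user == header["owner"]:
        return granted(next(e for e in entries if e[0] == "user" and e[1] == ""))
    named = [e for e in entries if e[0] == "user" and e[1] == user]
    if named:
        return granted(named[0])
    matching = [e for e in entries if e[0] == "group" and
                ((e[1] == "" and header["group"] in groups) or (e[1] != "" and e[1] in groups))]
    if matching:
        # Any one matching group entry that grants the whole request suffices.
        return any(granted(e) for e in matching)
    return granted(next(e for e in entries if e[0] == "other"))


if __name__ == "__main__":
    header, access, default = parse_getfacl(SAMPLE_GETFACL)
    print("\n".join(annotate_effective(access)))
```

Feed it real output with getfacl mydir | python3 acl_check.py after wrapping the call in a small reader; the annotations it prints match what getfacl shows after a chmod g-w has tightened the mask.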
  • Page 330 access is handled in accordance with the entry that best suits the process. Permissions do not accumulate. Things are more complicated if a process belongs to more than one group and would potentially suit several group entries. An entry is randomly selected from the suitable entries with the required permissions.
  • Page 331 RPM—the Package Manager RPM (RPM Package Manager) is used for managing software packages. Its main commands are rpm and rpmbuild. The powerful RPM database can be queried by the users, system administrators, and package builders for detailed information about the installed software. Essentially, rpm has five modes: installing, uninstalling, or updating software packages;...
  • Page 332 16.1 Verifying Package Authenticity RPM packages have a GnuPG signature. The key including the fingerprint is: 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA The command rpm --checksig package-1.2.3.rpm can be used to verify the signature of an RPM package to determine whether it really originates from SUSE or from another trustworthy source.
  • Page 333 • If a configuration file was changed by the system administrator before the update, rpm saves the changed file with the extension .rpmorig or .rpmsave (backup file) and installs the version from the new package, but only if the originally installed file and the newer version are different.
  • Page 334 result in large amounts of data. However the SUSE RPM offers a feature enabling the installation of patches in packages. The most important considerations are demonstrated using pine as an example: Is the patch RPM suitable for my system? To check this, first query the installed version of the package. For pine, this can be done with rpm -q pine pine-4.44-188...
  • Page 335 Which patches are already installed in the system and for which package versions? A list of all patches installed in the system can be displayed with the command rpm -qPa. If only one patch is installed in a new system (as in this example), the list appears as follows: rpm -qPa pine-4.44-224...
  • Page 336 applydeltarpm new.delta.rpm new.rpm To derive it from the old RPM without accessing the file system, use the -r option: applydeltarpm -r old.rpm new.delta.rpm new.rpm See /usr/share/doc/packages/deltarpm/README for technical details. 16.5 RPM Queries With the -q option, rpm initiates queries, making it possible to inspect an RPM archive (by adding the option -p) and also to query the RPM database of installed packages.
  • Page 337 For example, the command rpm -q -i wget displays the information shown in Example 16.1, “rpm -q -i wget” (page 319). Example 16.1 rpm -q -i wget Name : wget Relocations: (not relocatable) Version : 1.9.1 Vendor: SUSE LINUX AG, Nuernberg, Germany Release : 50...
  • Page 338 The command rpm -q --changelog rpm displays a detailed list of change information about a specific package, sorted by date. This example shows information about the package rpm. With the help of the installed RPM database, verification checks can be made. Initiate these with -V, -y, or --verify.
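The verification mode introduced on page 338 (rpm -V) prints one line per file that differs from the package database, and on a live system most of those lines are harmless local edits. The script below is an added example for this edition, not code from the SUSE manual or from the rpm project: it parses the verify output into the changed attributes per file and applies a triage policy that rates a modified or missing binary far above an edited configuration file. The sample verify output is constructed in the column layout rpm prints (attribute flags, an optional c or d marker for configuration and documentation files, then the path); the severity policy is this example's own.

```python
"""Triage rpm -V output: separate local config edits from tampered binaries.

Added example, not code from the SUSE manual or the rpm project. The verify
output is constructed in the layout rpm prints; the severity policy is this
example's own.
"""
import re

SAMPLE_VERIFY = """\
S.5....T c /etc/ssh/sshd_config
.M......   /usr/bin/passwd
S.5....T   /usr/bin/ls
.......T d /usr/share/man/man1/ls.1.gz
missing     /usr/sbin/sshd
"""

FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
                "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}

# rpm 4.4 prints eight flag columns; newer releases add a ninth (P).
VERIFY_RE = re.compile(r"^(missing|[SM5DLUGTP.]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")


def parse_verify(text):
    """One dict per line: path, config flag, missing flag, set of changed attributes."""
    rows = []
    for raw in text.splitlines():
        m = VERIFY_RE.match(raw.rstrip())
        if not m:
            continue
        flags, attr, path = m.groups()
        rows.append({"path": path, "config": attr == "c", "missing": flags == "missing",
                     "changed": set() if flags == "missing" else {c for c in flags if c != "."}})
    return rows


def triage(rows):
    """Return (severity, path, explanation); the first matching rule decides."""
    findings = []
    for r in rows:
        what = ", ".join(FLAG_MEANING[c] for c in sorted(r["changed"]))
        if r["missing"]:
            findings.append(("HIGH", r["path"], "packaged file is missing"))
        elif r["changed"] & {"5", "S"} and not r["config"]:
            # Content of a non-config file differs from what the package shipped.
            findings.append(("HIGH", r["path"], "content differs from the package: " + what))
        elif r["changed"] & {"M", "U", "G"}:
            # Mode or ownership drift: a setuid bit may have appeared or vanished.
            findings.append(("MEDIUM", r["path"], "ownership or mode changed: " + what))
        elif r["config"] and r["changed"]:
            findings.append(("INFO", r["path"], "configuration file edited locally: " + what))
        elif r["changed"]:
            findings.append(("LOW", r["path"], "metadata only: " + what))
    return findings


if __name__ == "__main__":
    for severity, path, why in triage(parse_verify(SAMPLE_VERIFY)):
        print("[%s] %s: %s" % (severity, path, why))
```

Pipe the output of rpm -Va into the parser for a whole-system pass. A HIGH hit on a binary is only meaningful if the package itself was verified with rpm --checksig, since an attacker who can replace a binary can usually also install a forged package.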
  • Page 339 by the variable MAX_RPMDB_BACKUPS (default: 5) in /etc/sysconfig/backup. The size of a single backup is approximately 1 MB for 1 GB in /usr. 16.6 Installing and Compiling Source Packages All source packages carry a .src.rpm extension (source RPM). Source packages can be copied from the installation medium to the hard disk and unpacked with YaST.
  • Page 340 When you install a source package with YaST, all the necessary components are installed in /usr/src/packages: the sources and the adjustments in SOURCES and the relevant .spec file in SPECS. WARNING Do not experiment with system components (glibc, rpm, sysvinit, etc.), because this endangers the operability of your system.
  • Page 341 Do the same as -bb, but with the additional creation of the source RPM. If the compilation was successful, the binary should be in /usr/src/packages/SRPMS. --short-circuit Skip some steps. The binary RPM created can now be installed with rpm -i or, preferably, with rpm -U.
  • Page 342 16.8 Tools for RPM Archives and the RPM Database Midnight Commander (mc) can display the contents of RPM archives and copy parts of them. It represents archives as virtual file systems, offering all usual menu options of Midnight Commander. Display the HEADER with F3. View the archive structure with the cursor keys and Enter.
  • Page 343 System Monitoring Utilities A number of programs and mechanisms, some of which are presented here, can be used to examine the status of your system. Also described are some utilities that are useful for routine work, along with their most important parameters. For each of the commands introduced, examples of the relevant outputs are presented.
  • Page 344 17.1 Debugging 17.1.1 Specifying the Required Library: ldd Use the command ldd to find out which shared libraries the dynamic executable specified as argument would load. tux@mercury:~> ldd /bin/ls linux-gate.so.1 => (0xffffe000) librt.so.1 => /lib/librt.so.1 (0xb7f97000) libacl.so.1 => /lib/libacl.so.1 (0xb7f91000) libc.so.6 => /lib/libc.so.6 (0xb7e79000) libpthread.so.0 =>...
  • Page 345 17.1.3 System Calls of a Program Run: strace The utility strace enables you to trace all the system calls of a process currently running. Enter the command in the normal way, adding strace at the beginning of the line: tux@mercury:~> strace ls execve("/bin/ls", ["ls"], [/* 61 vars */]) = 0 uname({sys="Linux", node="mercury", ...}) = 0 brk(0)
  • Page 346 17.2 Files and File Systems 17.2.1 Determine the File Type: file The command file determines the type of a file or a list of files by checking /etc/magic. tux@mercury:~> file /usr/bin/file /usr/bin/file: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), \ for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped The parameter -f list specifies a file with a list of filenames to examine.
  • Page 347 Obtain information about total usage of the file systems with the command df. The parameter -h (or --human-readable) transforms the output into a form understandable for common users. tux@mercury:~> df -h Filesystem Size Used Avail Use% Mounted on /dev/sda3 3.2G 6.9G 32% /...
  • Page 348 17.2.4 File Properties: stat The command stat displays file properties: tux@mercury:~> stat /etc/profile File: `/etc/profile' Size: 8080 Blocks: 16 IO Block: 4096 regular file Device: 806h/2054d Inode: 64942 Links: 1 Access: (0644/-rw-r--r--) Uid: ( root) Gid: ( root) Access: 2007-07-16 23:28:18.000000000 +0200 Modify: 2006-09-19 14:45:01.000000000 +0200 Change: 2006-12-05 14:54:55.000000000 +0100 The parameter --filesystem produces details of the properties of the file system...
  • Page 349 Controller (rev 01) 00:1f.3 SMBus: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) \ SMBus Controller (rev 01) 00:1f.5 Multimedia audio controller: Intel Corporation 82801DB/DBL/DBM \ (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01) 01:00.0 VGA compatible controller: Matrox Graphics, Inc. G400/G450 (rev 85) 02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM) \ Ethernet Controller (rev 81) Using -v results in a more detailed listing: mercury:~ # lspci...
  • Page 350 17.3.3 Information about a SCSI Device: scsiinfo The command scsiinfo lists information about a SCSI device. With the option -l, list all SCSI devices known to the system (similar information is obtained via the command lsscsi). The following is the output of scsiinfo -i /dev/sda, which gives information about a hard disk.
  • Page 351 # netstat -t -p Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Pro 0 mercury:33513 www.novell.com:www-http ESTABLISHED 6862/fi 352 mercury:ssh mercury2.:trc-netpoll ESTABLISHED 19422/s 0 localhost:ssh localhost:17828 ESTABLISHED - In the following, statistics for the TCP protocol are displayed: tux@mercury:~>...
  • Page 352 26786 segments send out 54 segments retransmited 0 bad segments received. 6 resets sent [...] TCPAbortOnLinger: 0 TCPAbortFailed: 0 TCPMemoryPressures: 0 17.5 The /proc File System The /proc file system is a pseudo file system in which the kernel reserves important information in the form of virtual files.
  • Page 353 Some of the important files and their contents are: /proc/devices Available devices /proc/modules Kernel modules loaded /proc/cmdline Kernel command line /proc/meminfo Detailed information about memory usage /proc/config.gz gzip-compressed configuration file of the kernel currently running Further information is available in the text file /usr/src/linux/ Documentation/filesystems/proc.txt.
  • Page 354 The address assignment of executables and libraries is contained in the maps file: tux@mercury:~> cat /proc/self/maps 08048000-0804c000 r-xp 00000000 03:03 17753 /bin/cat 0804c000-0804d000 rw-p 00004000 03:03 17753 /bin/cat 0804d000-0806e000 rw-p 0804d000 00:00 0 [heap] b7d27000-b7d5a000 r--p 00000000 03:03 11867 /usr/lib/locale/en_GB.utf8/ b7d5a000-b7e32000 r--p 00000000 03:03 11868 /usr/lib/locale/en_GB.utf8/ b7e32000-b7e33000 rw-p b7e32000 00:00 0...
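The maps file shown on page 354 is one of the first things to read during incident response on a suspicious process, because it exposes the permissions of every mapping. The script below is an added example for this edition, not code from the SUSE manual: it parses a /proc/<pid>/maps listing in the format the manual shows and flags regions that are both writable and executable (the classic landing zone for injected shellcode or a JIT left unhardened) as well as executable code mapped from outside the usual system trees. The listing is constructed after the manual's output for /bin/cat; the /tmp/.x/libhook.so entry, the anonymous rwx region, the executable stack and the list of trusted prefixes are this example's own.

```python
"""Scan a /proc/<pid>/maps listing for mappings an attacker could abuse.

Added example, not code from the SUSE manual. The listing is constructed in
the format the manual shows for /proc/self/maps; the rwx regions, the
injected-library path and the trusted prefixes are this example's own.
"""
import re

SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:03 17753      /bin/cat
0804c000-0804d000 rw-p 00004000 03:03 17753      /bin/cat
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7d27000-b7d5a000 r--p 00000000 03:03 11867      /usr/lib/locale/en_GB.utf8/LC_CTYPE
b7e00000-b7e10000 r-xp 00000000 00:11 4242       /tmp/.x/libhook.so
b7f40000-b7f50000 rwxp 00000000 00:00 0
bffe0000-c0000000 rwxp bffe0000 00:00 0          [stack]
"""

# start-end perms offset dev inode [path]; the path column may be empty.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Executable code is expected from these trees; anything else deserves a look.
TRUSTED_CODE_PREFIXES = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/", "/opt/")


def parse_maps(text):
    """Return one dict per mapping with start/end as integers and the path stripped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, offset, dev, inode, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16), "perms": perms,
                        "offset": int(offset, 16), "dev": dev, "inode": int(inode),
                        "path": path.strip()})
    return regions


def suspicious(regions):
    """Return (reason, region) pairs for W+X regions and code mapped from odd places."""
    hits = []
    for r in regions:
        perms, path = r["perms"], r["path"]
        executable = "x" in perms
        if executable and "w" in perms:
            where = "stack" if path == "[stack]" else ("anonymous" if not path else path)
            hits.append(("writable and executable (%s)" % where, r))
        elif executable and path.startswith("/") and not path.startswith(TRUSTED_CODE_PREFIXES):
            hits.append(("executable code mapped from untrusted path", r))
    return hits


def scan_live(pid="self"):
    """Run the same checks against a running process (Linux only)."""
    with open("/proc/%s/maps" % pid) as fh:
        return suspicious(parse_maps(fh.read()))


if __name__ == "__main__":
    for reason, r in suspicious(parse_maps(SAMPLE_MAPS)):
        print("%08x-%08x %s %s  %s" % (r["start"], r["end"], r["perms"], r["path"], reason))
```

Some legitimate programs (interpreters with JIT compilers, older libraries built without an executable-stack note) do produce rwx mappings, so treat a hit as a prompt to identify the owner of the region with the inode and path, not as proof of compromise.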
  • Page 355 0 rtc irq 82: 178717720 0 PCI-MSI 0 acpi irq169: 44352794 nvidia irq 12: irq233: 8209068 0 PCI-MSI To see all the information, use the parameter -a. The parameter -nN produces updates of the information every N seconds. In this case, terminate the program by pressing Q. By default, the cumulative values are displayed.
  • Page 356 To list all processes with user and command line information, use ps axu: tux@mercury:~> ps axu USER PID %CPU %MEM RSS TTY STAT START TIME COMMAND root 272 ? 12:59 0:01 init [5] root 12:59 0:00 [ksoftirqd root S< 12:59 0:00 [events [...] 4047...
  • Page 357 17.6.3 Process Tree: pstree The command pstree produces a list of processes in the form of a tree: tux@mercury:~> pstree init-+-NetworkManagerD |-acpid |-3*[automount] |-cron |-cupsd |-2*[dbus-daemon] |-dbus-launch |-dcopserver |-dhcpcd |-events/0 |-gpg-agent |-hald-+-hald-addon-acpi `-hald-addon-stor |-kded |-kdeinit-+-kdesu---su---kdesu_stub---yast2---y2controlcenter |-kio_file |-klauncher |-konqueror |-konsole-+-bash---su---bash `-bash `-kwin |-kdesktop---kdesktop_lock---xmatrix |-kdesud...
  • Page 358 tux@mercury:~> top -n 1 top - 17:06:28 up 2:10, 5 users, load average: 0.00, 0.00, 0.00 Tasks: 85 total, 1 running, 83 sleeping, 1 stopped, 0 zombie Cpu(s): 5.5% us, 0.8% sy, 0.8% ni, 91.9% id, 1.0% wa, 0.0% hi, 0.0% si Mem: 515584k total,...
  • Page 359 17.7 System Information 17.7.1 System Activity Information: sar To use sar, sadc (system activity data collector) needs to be running. Check its status or start it with rcsysstat {start|status}. sar can generate extensive reports on almost all important system activities, among them CPU, memory, IRQ usage, IO, or networking.
  • Page 360 Following termination of the less process, which was running on another terminal, the file system can successfully be unmounted. 17.7.4 Kernel Ring Buffer: dmesg The Linux kernel keeps certain messages in a ring buffer. To view these messages, enter the command dmesg: $ dmesg [...] end_request: I/O error, dev fd0, sector 0...
  • Page 361 bash 5552 tux 2375 11663 /usr/lib/locale/en_GB. bash 5552 tux 11736 /usr/lib/locale/en_GB. bash 5552 tux 11831 /usr/lib/locale/en_GB. bash 5552 tux 11862 /usr/lib/locale/en_GB. bash 5552 tux 11839 /usr/lib/locale/en_GB. bash 5552 tux 11664 /usr/lib/locale/en_GB. bash 5552 tux 11735 /usr/lib/locale/en_GB. bash 5552 tux 11866 /usr/lib/locale/en_GB. bash 5552 tux 21544...
  • Page 362 42013K total, Other: 206K total, All: 42219K total res-base Wins GCs Fnts Pxms Misc Pxm mem Other Total PID Identifier 3e00000 18161K 18175K NOVELL: SU 4600000 1 1182 4566K 4600K amaroK - S 1600000 3811K 3816K KDE Deskto 3400000 2816K...
  • Page 363 3200000 EMACS 2200000 SUSEWatche 4400000 36K 16489 kdesu 1a00000 KMix 3800000 24K 22242 knotify 1e00000 624B KPowersave 3600000 11K 22236 konqueror 2000000 klipper 3000000 888B KDE Wallet 17.8 User Information 17.8.1 Who Is Doing What: w With the command w, find out who is logged onto the system and what each user is doing.
  • Page 365 Working with the Shell When booting your Linux system, you are usually directed to a graphical user interface that guides you through the login process and the following interactions with the system. Although graphical user interfaces have become very important and user-friendly, using them is not the only way to communicate with your system.
  • Page 366: Getting Started With The Bash Shell

    18.1 Getting Started with the Bash Shell In Linux, you can use the command line parallel to the graphical user interface and easily switch between them. To start a terminal window from the graphical user interface in KDE, click the Konsole icon in the panel. In GNOME, click the GNOME Terminal icon in the panel.
  • Page 367 IMPORTANT: No News Is Good News The shell is not verbose: in contrast to some graphical user interfaces, it usually does not provide confirmation messages when commands have been executed. Messages only appear in case of problems or errors. Also keep this in mind for commands to delete objects. Before entering a command like rm for removing a file, you should know if you really want to get rid of the object: it will be deleted irretrievably, without enquiry.
  • Page 368: Getting Help

    and are prefixed with a hyphen. The ls -l command shows the contents of the same directory in full detail (long listing format): Figure 18.3 The ls -l Command On the left of each object name, information about the object is shown in several columns.
  • Page 369 18.1.2 Linux Directory Structure Because the shell does not offer a graphical overview of directories and files like the tree view in a file manager, it is useful to have some basic knowledge of the default directory structure in a Linux system. You can think of directories as electronic folders in which files, programs, and subdirectories are stored.
  • Page 370 Table 18.1 Overview of a Standard Directory Tree
    /            Root directory, starting point of the directory tree
    /home        Personal directories of users
    /dev         Device files that represent hardware components
    /etc         Important files for system configuration
    /etc/init.d  Boot scripts
    /bin, /sbin  Programs needed early in the boot process (/bin) and for the administrator (/sbin)
    ...          All application programs and local, distribution-indepen-...
  • Page 371 18.1.3 Working with Directories and Files To address a certain file or directory, you must specify the path leading to that directory or file. There are two ways to specify a path: • The entire (absolute) path from the root directory to the respective file •...
  • Page 372 1b In your home directory, enter mkdir /tmp/test. mkdir stands for “make directory”. This command creates a new directory named test in the /tmp directory. In this case, use an absolute path to create the directory. 1c To check what happened, now enter ls -l /tmp. The new directory test should appear in the list of contents of the /tmp directory.
  • Page 373 18.1.4 Useful Features of the Shell Entering commands in Bash can include a lot of typing. In the following, get to know some features of the Bash that can make your work a lot easier and save a lot of typing. History and Completion By default, Bash “remembers”...
  • Page 374 [set] Matches one of the characters from the group specified inside the square brackets, which is represented here by the string set. As part of set you can also specify character classes using the syntax [:class:], where a class is one of alnum, alpha, ascii, etc.
  • Page 375 The program less got its name from the precept that less is more and can also be used to view the output of commands in a convenient way. To see how this works, read Section “Redirection and Pipes” (page 357). Redirection and Pipes Normally, the standard output in the shell is your screen or the console window and the standard input is the keyboard.
  • Page 376 18.1.5 Archives and Data Compression Now that you have already created a number of files and directories, consider the subject of archives and data compression. Suppose you want to have the entire test directory packed in one file that you can save on a USB stick as a backup copy or send by e-mail. To do so, use the command tar (for tape archiver).
  • Page 377: Users And Access Permissions

    For file compression, the obvious choice is gzip or, for an even better compression ratio, bzip2. Just enter gzip testarchive.tar (or bzip2 testarchive.tar, but gzip is used in this example). With ls, now see that the file testarchive.tar is no longer there and that the file testarchive.tar.gz has been created instead. This file is much smaller and therefore much better suited for transfer via e-mail or storage on a USB stick.
  • Page 378 format hard disks, the threat from the Trojan horse effect or from accidentally entering destructive commands can be significantly reduced. 18.2.1 File System Permissions Basically, every file in a Linux file system belongs to a user (its owner) and a group. The owner, the owning group, and all other users can each be authorized separately to read, write, or execute the file.
  • Page 379 Each of the next three blocks (owner, group, others) follows the same pattern. The first character of a block shows whether the file is readable (r) or not (–). A w in the middle position of a block means the corresponding object can be modified; a hyphen (–) there means it is not possible to write to the file.
  • Page 380 1. Users concerned: u (user), the owner of the file; g (group), the group that owns the file; o (others), all other users. If no parameter is given, the changes apply to all categories. 2. A character for deletion (-), setting (=), or insertion (+). 3.
  • Page 381: Important Linux Commands

    chgrp changes the group ownership of the file. However, the owner of the file must be a member of the new group. In this way, the user tux from Example 18.1, “Sample Output Showing File Permissions” (page 360) can switch the group owning the file ProjectData to project4 with the command chgrp project4 ProjectData, as long as he is a member of this new group.
  • Page 382 ls options (continued): -l Detailed list; -a Displays hidden files. cp [options] source target: Copies source to target. -i Waits for confirmation, if necessary, before an existing target is overwritten; -r Copies recursively (includes subdirectories). mv [options] source target: Copies source to target then deletes the original source. -b Creates a backup copy of the source before moving; -i Waits for confirmation, if necessary, before an existing target file is overwritten...
  • Page 383 Creates a symbolic link cd [options] [directory] Changes the current directory. cd without any parameters changes to the user's home directory. mkdir [options] directory Creates a new directory. rmdir [options] directory Deletes the specified directory if it is already empty. chown [options] username[:[group]] files Transfers ownership of a file to the user with the specified username.
  • Page 384 The access type is controlled by the following options: r Read; w Write; x Execute (executing files or changing to the directory); s Setuid bit (the application or program is started as if it were started by the owner of the file). As an alternative, a numeric code can be used. Each of the four digits of this code is the sum of the values 4 (read), 2 (write), and 1 (execute), i.e. the decimal form of a three-bit mask; the leading digit holds the setuid (4), setgid (2), and sticky (1) bits, the remaining three digits the permissions of owner, group, and others.
  • Page 385 tar options: -c Creates a new tar archive; -r Adds files to an existing archive; -t Outputs the contents of an archive; -u Adds files, but only if they are newer than the files already contained in the archive; -x Unpacks files from an archive (extraction); -z Packs the resulting archive with gzip; -j Compresses the resulting archive with bzip2; -v Lists files processed. The archive files created by tar end with .tar.
  • Page 386 place it in the background by appending an ampersand (&), so you can immediately continue working on the same command line (updatedb &). This command usually runs as a daily cron job (see cron.daily). find [options] With find, search for a file in a given directory. The first argument specifies the directory in which to start the search.
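    The chmod description on page 384 and the find description on page 386 fit together in one script, added here as an example that is not part of the SUSE manual: the first function turns the symbolic permission field printed by ls -l into the four-digit numeric mode chmod accepts, including the setuid/setgid/sticky digit; the second uses find -perm -4000 to list setuid files, which is the audit an administrator runs after new binaries have been dropped on a system. The directory tree it works on is constructed under mktemp, not taken from a real installation.

```shell
#!/bin/sh
# Added example, not from the SUSE manual. mode_to_octal converts an ls -l
# permission field to a numeric chmod mode; find_setuid audits a tree for
# setuid files; demo_tree builds constructed sample data.

# mode_to_octal MODE: MODE is the 9-character permission field, optionally
# preceded by the file-type character ("-rwsr-xr-x" and "rwsr-xr-x" both
# give 4755). s/S mark setuid or setgid, t/T the sticky bit; the upper-case
# form means the special bit is set but the execute bit is not.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] && m=${m#?}          # drop the leading -, d, l ...
    [ "${#m}" -eq 9 ] || { echo "mode_to_octal: bad mode '$1'" >&2; return 1; }
    special=0; digits=""; pos=1; block=0
    while [ "$block" -lt 3 ]; do
        case $block in 0) bit=4 ;; 1) bit=2 ;; *) bit=1 ;; esac   # setuid/setgid/sticky
        v=0
        [ "$(printf '%s' "$m" | cut -c "$pos")" = r ] && v=$((v + 4))
        [ "$(printf '%s' "$m" | cut -c $((pos + 1)))" = w ] && v=$((v + 2))
        case $(printf '%s' "$m" | cut -c $((pos + 2))) in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); special=$((special + bit)) ;;
            S|T) special=$((special + bit)) ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3)); block=$((block + 1))
    done
    echo "$special$digits"
}

# find_setuid DIR: regular files below DIR with the setuid bit set.
# "-perm -4000" matches when all of the given bits are set, so modes
# 4755, 4711 and 6755 are all reported.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# demo_tree: constructed sample data for this example, one ordinary
# binary, one setuid helper and one private configuration file.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    : > "$d/bin/normal";      chmod 755  "$d/bin/normal"
    : > "$d/bin/suid_helper"; chmod 4755 "$d/bin/suid_helper"   # same as chmod u=rwxs,go=rx
    : > "$d/etc/secret";      chmod 600  "$d/etc/secret"
    echo "$d"
}

# Run it: convert a few modes, then audit the constructed tree.
for m in rwxr-xr-x rwsr-xr-x drwxrwxrwt rw-r-----; do
    echo "$m -> $(mode_to_octal "$m")"
done
tree=$(demo_tree)
echo "setuid files under $tree:"
find_setuid "$tree"
rm -rf "$tree"
```

    On a real system, run find_setuid / and compare the list against what the installed packages are expected to own; a setuid file that no package accounts for deserves a closer look.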
  • Page 387: File Systems

    grep options: -l Only displays the names of the respective files, but not the text lines; -n Additionally displays the numbers of the lines in which it found a hit; -L Only lists the files in which searchstring does not occur. diff [options] file1 file2 The diff command compares the contents of any two files.
  • Page 388: System Commands

    umount [options] mountpoint This command unmounts a mounted drive from the file system. To prevent data loss, run this command before taking a removable data medium from its drive. Normally, only root is allowed to run the commands mount and umount. To enable other users to run these commands, edit the /etc/fstab file to specify the option user for the respective drive.
  • Page 389 free [options] The command free displays information about RAM and swap space usage, showing the total and the used amount in both categories. See Section 22.1.6, “The free Command” (page 428) for more information. -b Output in bytes; -k Output in kilobytes; -m Output in megabytes. date [options] This simple program displays the current system time.
  • Page 390 Sends a KILL signal instead of a TERM signal, bringing the specified process to an end in almost all cases killall [options] processname This command is similar to kill, but uses the process name (instead of the process ID) as an argument, killing all processes with that name. Network ping [options] hostname or IP address The ping command is the standard tool for testing the basic functionality of TCP/IP...
  • Page 391 WARNING Do not use telnet over a network on which third parties can “eavesdrop.” Particularly on the Internet, use encrypted transfer methods, such as ssh, to avoid the risk of malicious misuse of a password (see the man page for ssh).
  • Page 392: The Vi Editor

    18.4 The vi Editor Text editors are still used for many system administration tasks as well as for programming. In the world of Unix, vi stands out as an editor that offers comfortable editing functions and is more ergonomic than many editors with mouse support. 18.4.1 Operating Modes NOTE: Display of Keys In the following, find several commands that you can enter in vi by just pressing...
  • Page 393 It is not possible to switch directly from insert mode to extended mode without first switching to command mode. vi, like other editors, has its own procedure for terminating the program. You cannot terminate vi while in insert mode. First, exit insert mode by pressing Esc . Subsequently, you have two options: 1.
  • Page 394 A selection of important commands is shown in Table 18.2, “Simple Commands of the vi Editor” (page 376). This list is far from complete. More complete lists are available in the documentation found in Section 18.4.3, “For More Information” (page 377). Table 18.2 Simple Commands of the vi Editor Change to command mode...
  • Page 395 Shift + J Join the following line with the current one Repeat the last command 18.4.3 For More Information vi supports a wide range of commands. It enables the use of macros, shortcuts, named buffers, and many other useful features. A detailed description of the various options would exceed the scope of this manual.
  • Page 397: Part Iii System

    Part III. System...
  • Page 399: 19 32-Bit And 64-Bit Applications In A 64-Bit System Environment

    32-Bit and 64-Bit Applications in a 64-Bit System Environment SUSE Linux Enterprise® is available for several 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE Linux Enterprise supports the use of 32-bit applications in a 64-bit system environment.
  • Page 400: Runtime Support

    19.1 Runtime Support IMPORTANT: Conflicts between Application Versions If an application is available both for 32-bit and 64-bit environments, parallel installation of both versions is bound to lead to problems. In such cases, decide on one of the two versions and install and use this. To be executed correctly, every application requires a range of libraries.
  • Page 401: Software Development

    19.2 Software Development All 64-bit architectures support the development of 64-bit objects. The level of support for 32-bit compiling depends on the architecture. These are the various implementation options for the tool chain from GCC (GNU Compiler Collection) and binutils, which include the assembler as and the linker ld: Biarch Compiler Both 32-bit and 64-bit objects can be generated with a biarch development tool...
  • Page 402: Software Compilation On Biarch Platforms

    19.3 Software Compilation on Biarch Platforms To develop binaries for the other architecture on a biarch architecture, the respective libraries for the second architecture must additionally be installed. These packages are called rpmname-32bit or rpmname-x86 (for ia64) if the second architecture is a 32-bit architecture or rpmname-64bit if the second architecture is a 64-bit architecture.
  • Page 403 When using s390 as second architecture, you have to use -m31 instead of -m32, because this is a 31-bit system. 1 Use the 32-bit compiler: CC="gcc -m32" 2 Instruct the linker to process 32-bit objects (always use gcc as the linker front-end): LD="gcc -m32"...
  • Page 404: Kernel Specifications

    Some applications require separate kernel-loadable modules. If you intend to use such a 32-bit application in a 64-bit system environment, contact the provider of this application and Novell to make sure that the 64-bit version of the kernel-loadable module and the 32-bit compiled version of the kernel API are available for this module.
  • Page 405: 20 Booting And Configuring A Linux System

    Booting and Configuring a Linux System Booting a Linux system involves various different components. The hardware itself is initialized by the BIOS, which starts the kernel by means of a boot loader. After this point, the boot process with init and the runlevels is completely controlled by the operating system.
  • Page 406 remaining part of the boot process. Therefore, the first 512 bytes on the first hard disk are referred to as the Master Boot Record (MBR). The boot loader then passes control to the actual operating system, in this case, the Linux kernel. More information about GRUB, the Linux boot loader, can be found in Chapter 21, The Boot Loader...
  • Page 407 memory. initramfs must always provide an executable named init that should execute the actual init program on the root file system for the boot process to proceed. Before the root file system can be mounted and the operating system can be started, the kernel needs the corresponding drivers to access the device on which the root file system is located.
  • Page 408 Loading Kernel Modules Depending on your hardware configuration, special drivers may be needed to access the hardware components of your computer (especially your hard drive). To access the root file system, the kernel needs to load the proper file system drivers. Providing Block Special Files For each loaded module, the kernel generates device events.
  • Page 409: The Init Process

    process are written to INITRD_MODULES in /etc/sysconfig/kernel. These names are used to generate a custom initramfs that is needed to boot the system. If the modules are not needed for boot but for coldplug, the modules are written to /etc/sysconfig/hardware/hwconfig-*. All devices that are described with configuration files in this directory are initialized in the boot process.
  • Page 410 the line initdefault. Usually this is 3 or 5. See Table 20.1, “Available Runlevels” (page 392). As an alternative, the runlevel can be specified at boot time (by adding the runlevel number at the boot prompt, for instance). Any parameters that are not directly evaluated by the kernel itself are passed to init.
  • Page 411 telinit 3 All essential programs and services (including network) are started and regular users are allowed to log in and work with the system without a graphical environment. telinit 5 The graphical environment is enabled. Usually a display manager like XDM, GDM, or KDM is started.
  • Page 412 2. init checks the current runlevel (runlevel) and determines it should start /etc/ init.d/rc with the new runlevel as a parameter. 3. Now rc calls the stop scripts of the current runlevel for which there is no start script in the new runlevel. In this example, these are all the scripts that reside in /etc/init.d/rc3.d (old runlevel was 3) and start with a K.
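    The selection rule in steps 2 and 3 above (stop every service of the old runlevel that has no start link in the new one, start every service of the new runlevel that was not already running) is modelled by the following script, an added example that is not part of the manual and not the real /etc/init.d/rc. It assumes the insserv link naming convention K<priority><service> and S<priority><service>, and builds a constructed runlevel tree under mktemp rather than touching /etc.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: a model of how rc decides which
# K and S scripts to run when init switches from runlevel OLD to NEW.
# Link names follow the insserv convention K<prio><service> / S<prio><service>.

# has_link DIR PREFIX SERVICE: true if DIR contains <PREFIX><two digits><SERVICE>
has_link() {
    for f in "$1"/"$2"??"$3"; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# scripts_to_stop OLD NEW ROOT: every K link of the old runlevel whose
# service has no S link in the new runlevel (the K links run in name order).
scripts_to_stop() {
    for k in "$3/rc$1.d"/K??*; do
        [ -e "$k" ] || continue
        svc=${k##*/}; svc=${svc#K??}
        has_link "$3/rc$2.d" S "$svc" || echo "$svc"
    done
}

# scripts_to_start OLD NEW ROOT: every S link of the new runlevel whose
# service was not already started (no S link) in the old runlevel.
scripts_to_start() {
    for s in "$3/rc$2.d"/S??*; do
        [ -e "$s" ] || continue
        svc=${s##*/}; svc=${svc#S??}
        has_link "$3/rc$1.d" S "$svc" || echo "$svc"
    done
}

# make_tree: constructed sample data. network and sshd are in runlevels 3
# and 5, xdm only in 5. Each service has both an S and a K link in the
# runlevels it belongs to, as insserv generates them.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d" "$root/rc5.d"
    for svc in network sshd xdm; do : > "$root/init.d/$svc"; done
    for lvl in 3 5; do
        ln -s ../init.d/network "$root/rc$lvl.d/S05network"
        ln -s ../init.d/network "$root/rc$lvl.d/K20network"
        ln -s ../init.d/sshd    "$root/rc$lvl.d/S10sshd"
        ln -s ../init.d/sshd    "$root/rc$lvl.d/K15sshd"
    done
    ln -s ../init.d/xdm "$root/rc5.d/S12xdm"
    ln -s ../init.d/xdm "$root/rc5.d/K13xdm"
    echo "$root"
}

# Run it: the two switches the manual discusses.
root=$(make_tree)
echo "3 -> 5 stops: $(scripts_to_stop 3 5 "$root" | tr '\n' ' ')"
echo "3 -> 5 starts: $(scripts_to_start 3 5 "$root" | tr '\n' ' ')"
echo "5 -> 3 stops: $(scripts_to_stop 5 3 "$root" | tr '\n' ' ')"
echo "5 -> 3 starts: $(scripts_to_start 5 3 "$root" | tr '\n' ' ')"
rm -rf "$root"
```

    The same two functions, pointed at /etc with ROOT=/etc, show what a runlevel change on a real system would stop and start before you issue telinit; a service that appears in the stop list unexpectedly usually means its S link is missing from the target runlevel.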
  • Page 413 start and stop. The scripts also understand the restart, reload, force-reload, and status options. These different options are explained in Table 20.2, “Possible init Script Options” (page 395). Scripts that are run directly by init do not have these links. They are run independently from the runlevel when needed. Table 20.2 Possible init Script Options Option...
  • Page 414 is booted for the first time after an update or an installation, the initial system configuration is started. The blogd daemon is a service started by boot and rc before any other one. It is stopped after the actions triggered by these scripts (running a number of subscripts, for example, making block special files available) are completed.
  • Page 415 WARNING: Faulty init Scripts May Halt Your System Faulty init scripts may hang your machine. Edit such scripts with great care and, if possible, subject them to heavy testing in the multiuser environment. Find some useful information about init scripts in Section 20.2.1, “Runlevels”...
  • Page 416: Configuring System Services

    a graphical tool to create such links, use the runlevel editor provided by YaST, as described in Section 20.2.3, “Configuring System Services (Runlevel) with YaST” (page 398). If a script already present in /etc/init.d/ should be integrated into the existing runlevel scheme, create the links in the runlevel directories right away with insserv or by enabling the corresponding service in the runlevel editor of YaST.
  • Page 417 Figure 20.1 System Services (Runlevel) For detailed control over the runlevels in which a service is started or stopped or to change the default runlevel, first select Expert Mode. The current default runlevel or “initdefault” (the runlevel into which the system boots by default) is displayed at the top.
  • Page 418: System Configuration Via /Etc/Sysconfig

    WARNING: Faulty Runlevel Settings May Damage Your System Faulty runlevel settings may render a system unusable. Before applying your changes, make absolutely sure that you know their consequences. 20.3 System Configuration via /etc/sysconfig The main configuration of SUSE Linux Enterprise is controlled by the configuration files in /etc/sysconfig.
  • Page 419 Figure 20.2 System Configuration Using the sysconfig Editor The YaST sysconfig dialog is split into three parts. The left part of the dialog shows a tree view of all configurable variables. When you select a variable, the right part displays both the current selection and the current setting of this variable.
  • Page 420 2 Bring the system into single user mode (runlevel 1) with init 1. 3 Change the configuration files as needed with an editor of your choice. If you do not use YaST to change the configuration files in /etc/sysconfig, make sure that empty variable values are represented by two quotation marks (KEYTABLE="") and that values with blanks in them are enclosed in quotation marks.
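    The quoting rules in step 3 are easy to get wrong by hand and a shell that sources a broken /etc/sysconfig file simply sees a different value, so the following checker is added here as an example (not part of the manual or of YaST). It flags an empty value not written as KEY="" and a value containing blanks that is not quoted; the file it checks is constructed in a temporary file.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: check hand-edited /etc/sysconfig
# files for the two quoting rules the manual states. The sample file is
# constructed; point check_sysconfig at /etc/sysconfig/<file> to use it.

# check_sysconfig FILE: print one line per offending assignment; return 1
# if any was found, 0 if the file is clean.
check_sysconfig() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                     # blank lines and comments
            *=*) ;;
            *) echo "$line: not a KEY=value line"; bad=1; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $value in
            '')   echo "$key: empty value must be written as $key=\"\""; bad=1 ;;
            '"'*'"') ;;                              # quoted: fine
            *[[:space:]]*) echo "$key: value with blanks must be quoted"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# demo_file: constructed sample with two violations (KERNEL_OPTIONS is
# unquoted with blanks, DISPLAYMANAGER_XSERVER is empty without quotes).
demo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Type: string
KEYTABLE=""
CONSOLE_FONT="lat9w-16"
KERNEL_OPTIONS=acpi=off noapic
DISPLAYMANAGER_XSERVER=
EOF
    echo "$f"
}

f=$(demo_file)
if check_sysconfig "$f"; then
    echo "$f: ok"
else
    echo "$f: fix the lines above before leaving single user mode"
fi
rm -f "$f"
```

    Running the check over every file in /etc/sysconfig before the reboot in the next step (for f in /etc/sysconfig/*; do [ -f "$f" ] && check_sysconfig "$f"; done) catches the mistake while the system is still in runlevel 1.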
  • Page 421: 21 The Boot Loader

    The Boot Loader This chapter describes how to configure GRUB, the boot loader used in SUSE Linux Enterprise®. A special YaST module is available for performing all settings. If you are not familiar with the subject of booting in Linux, read the following sections to acquire some background information.
  • Page 422: Selecting A Boot Loader

    Boot Sectors Boot sectors are the first sectors of hard disk partitions with the exception of the extended partition, which merely serves as a “container” for other partitions. These boot sectors have 512 bytes of space for code used to boot an operating system installed in the respective partition.
  • Page 423 access file systems of supported BIOS disk devices (floppy disks or hard disks, CD drives, and DVD drives detected by the BIOS). Therefore, changes to the GRUB configuration file (menu.lst) do not require a reinstallation of the boot manager. When the system is booted, GRUB reloads the menu file with the valid paths and partition data of the kernel or the initial RAM disk (initrd) and locates these files.
  • Page 424 21.2.1 The GRUB Boot Menu The graphical splash screen with the boot menu is based on the GRUB configuration file /boot/grub/menu.lst, which contains all information about all partitions or operating systems that can be booted by the menu. Every time the system is booted, GRUB loads the menu file from the file system. For this reason, GRUB does not need to be reinstalled after every change to the file.
  • Page 425 The command root simplifies the specification of kernel and initrd files. The only argument of root is a device or a partition. This device is used for all kernel, initrd, or other file paths for which no device is explicitly specified until the next root command.
  • Page 426 the file device.map, which can be edited if necessary. Information about the file device.map is available in Section 21.2.2, “The File device.map” (page 411). A complete GRUB path consists of a device name written in parentheses and the path to the file in the file system in the specified partition. The path begins with a slash. For example, the bootable kernel could be specified as follows on a system with a single IDE hard disk containing Linux in its first partition: (hd0,0)/boot/vmlinuz...
  • Page 427 color white/blue black/light-gray Color scheme: white (foreground), blue (background), black (selection), and light gray (background of the selection). The color scheme has no effect on the splash screen, only on the customizable GRUB menu that you can access by exiting the splash screen with Esc .
  • Page 428 Editing Menu Entries during the Boot Procedure In the graphical boot menu, select the operating system to boot with the arrow keys. If you select a Linux system, you can enter additional boot parameters at the boot prompt. To edit individual menu entries directly, press Esc to exit the splash screen and get to the GRUB text-based menu then press E .
  • Page 429 21.2.2 The File device.map The file device.map maps GRUB and BIOS device names to Linux device names. In a mixed system containing IDE and SCSI hard disks, GRUB must try to determine the boot sequence by a special procedure, because GRUB may not have access to the BIOS information on the boot sequence.
  • Page 430 21.2.3 The File /etc/grub.conf The third most important GRUB configuration file after menu.lst and device.map is /etc/grub.conf. This file contains the commands, parameters, and options the GRUB shell needs for installing the boot loader correctly:
      root (hd0,4)
      install /grub/stage1 (hd0,3) /grub/stage2 0x8000 (hd0,4)/grub/menu.lst
      quit
    Meaning of the individual entries: root (hd0,4)
  • Page 431 As the user root, proceed as follows to set a boot password:
    1 At the root prompt, encrypt the password using grub-md5-crypt:
      # grub-md5-crypt
      Password: ****
      Retype password: ****
      Encrypted: $1$lS2dv/$JOYcdxIn7CJk9xShzzJVw/
    2 Paste the encrypted string into the global section of the file menu.lst:
      gfxmenu (hd0,4)/message
      color white/blue black/light-gray
      default 0...
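    Step 2 above leaves two details to the reader: GRUB legacy's directive for an MD5-crypt hash is password --md5 HASH, and "global section" means before the first title line, because a password line placed inside an entry only guards that entry. The script below is an added example, not part of the manual: it inserts the directive at the right place, refuses to duplicate it, and verifies the result. The hash is the one printed in the transcript above, reused as sample data; the menu.lst is constructed in a temporary file, not read from /boot.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: put "password --md5 HASH" into the
# global section of a GRUB legacy menu.lst and verify the placement.
# The menu.lst and the partition names below are constructed sample data.

# add_grub_password MENU HASH: write a copy of MENU with the password
# directive inserted before the first "title" line. An existing password
# directive anywhere in the file is removed first, so the call is idempotent.
# Prints the path of the new file; copy it over /boot/grub/menu.lst yourself.
add_grub_password() {
    menu=$1; hash=$2
    out=$(mktemp)
    awk -v h="$hash" '
        /^[[:space:]]*password[[:space:]]/ { next }              # drop an old directive
        /^[[:space:]]*title/ && !inserted { print "password --md5 " h; inserted = 1 }
        { print }
        END { if (!inserted) print "password --md5 " h }        # file without entries
    ' "$menu" > "$out"
    echo "$out"
}

# grub_password_ok MENU: true if exactly one password directive appears
# before the first title line, i.e. it protects the menu as a whole.
grub_password_ok() {
    awk '
        /^[[:space:]]*title/ { seen_title = 1 }
        /^[[:space:]]*password[[:space:]]/ { if (seen_title) late++; else early++ }
        END { exit !(early == 1 && late == 0) }
    ' "$1"
}

# demo_menu: constructed menu.lst in the style of the manual's example.
demo_menu() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
gfxmenu (hd0,4)/message
color white/blue black/light-gray
default 0
timeout 8

title SUSE Linux Enterprise Server 10
    root (hd0,4)
    kernel /boot/vmlinuz root=/dev/hda5
    initrd /boot/initrd
EOF
    echo "$f"
}

m=$(demo_menu)
n=$(add_grub_password "$m" '$1$lS2dv/$JOYcdxIn7CJk9xShzzJVw/')
if grub_password_ok "$n"; then
    echo "menu.lst with password in the global section:"
    cat "$n"
fi
rm -f "$m" "$n"
```

    Keep menu.lst readable by root only after adding the line: the hash is salted MD5-crypt, which a local user who can read the file can attack offline.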
  • Page 432: Configuring The Boot Loader With Yast

    21.3 Configuring the Boot Loader with YaST The easiest way to configure the boot loader in your SUSE Linux Enterprise system is to use the YaST module. In the YaST Control Center, select System > Boot Loader. As shown in Figure 21.1, “Boot Loader Settings” (page 414), this module displays the current boot loader configuration of your system and allows you to make changes.
  • Page 433 Section 21.2, “Booting with GRUB” (page 404) for details). You can also delete the existing configuration and Start from Scratch or let YaST Propose a New Configuration. It is also possible to write the configuration to disk or reread the configuration from the disk.
  • Page 434 During the conversion, the old GRUB configuration is saved to disk. To use it, simply change the boot loader type back to GRUB and choose Restore Configuration Saved before Conversion. This action is available only on an installed system. NOTE: Custom Boot Loader To use a boot loader other than GRUB or LILO, select Do Not Install Any Boot Loader.
  • Page 435: Security Settings

    21.3.3 Default System To change the system that is booted by default, proceed as follows: Procedure 21.3 Setting the Default System 1 Open the Section Management tab. 2 Select the desired entry from the list. 3 Click Set as Default. 4 Click Finish to activate these changes.
  • Page 436: Uninstalling The Linux Boot Loader

    Procedure 21.5 Setting a Boot Loader Password 1 Open the Boot Loader Installation tab. 2 Click Boot Loader Options. 3 Set your password in Password for the Menu Interface. 4 Click OK. 5 Click Finish to save the changes. 21.4 Uninstalling the Linux Boot Loader YaST can be used to uninstall the Linux boot loader and restore the MBR to the state it had prior to the installation of Linux.
  • Page 437: The Graphical Suse Screen

    2 Create a subdirectory for GRUB: mkdir -p iso/boot/grub
    3 Copy the kernel, the files stage2_eltorito, initrd, menu.lst, and message to iso/boot/:
      cp /boot/vmlinuz iso/boot/
      cp /boot/initrd iso/boot/
      cp /boot/message iso/boot/
      cp /usr/lib/grub/stage2_eltorito iso/boot/grub
      cp /boot/grub/menu.lst iso/boot/grub
    4 Adjust the path entries in iso/boot/grub/menu.lst to make them point to a CD-ROM device.
  • Page 438: Troubleshooting

    This section lists some of the problems frequently encountered when booting with GRUB and a short description of possible solutions. Some of the problems are covered in articles in the Knowledge base at http://support.novell.com/. Use the search dialog to search for keywords like GRUB, boot, and boot loader.
  • Page 439 about the installation, configuration, and maintenance of LILO is available in the Support Database under the keyword LILO. GRUB also returns this error message if Linux was installed on an additional hard disk that is not registered in the BIOS. stage1 of the boot loader is found and loaded correctly, but stage2 is not found.
  • Page 440: For More Information

    Extensive information about GRUB is available at http://www.gnu.org/software/grub/. Also refer to the grub info page. You can also search for the keyword “GRUB” in the Technical Information Search at http://www.novell.com/support to get information about special issues. Installation and Administration...
  • Page 441: 22 Special System Features

    Special System Features This chapter starts with information about various software packages, the virtual consoles, and the keyboard layout. We talk about software components like bash, cron, and logrotate, because they were changed or enhanced during the last release cycles. Even if they are small or considered of minor importance, users may want to change their default behavior, because these components are often closely coupled with the system.
  • Page 442 2. ~/.profile 3. /etc/bash.bashrc 4. ~/.bashrc Make custom settings in ~/.profile or ~/.bashrc. To ensure the correct processing of these files, it is necessary to copy the basic settings from /etc/skel/.profile or /etc/skel/.bashrc into the home directory of the user. It is recommended to copy the settings from /etc/skel after an update.
  • Page 443 run-crons is run every 15 minutes from the main table (/etc/crontab). This guarantees that processes that may have been neglected can be run at the proper time. To run the hourly, daily, or other periodic maintenance scripts at custom times, remove the time stamp files regularly using /etc/crontab entries (see Example 22.2, “/etc/crontab: Remove Time Stamp Files”...
  • Page 444 Example 22.3 Example for /etc/logrotate.conf
    # see "man logrotate" for details
    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    #compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    ...
  • Page 445 22.1.5 The ulimit Command With the ulimit (user limits) command, it is possible to set limits for the use of system resources and to have these displayed. ulimit is especially useful for limiting the memory available for applications. With this, an application can be prevented from using too much memory on its own, which could bring the system to a standstill.
  • Page 446 IMPORTANT Not all shells support ulimit directives. PAM (for instance, pam_limits) offers comprehensive adjustment possibilities if you depend on encompassing settings for these restrictions. 22.1.6 The free Command The free command is somewhat misleading if your goal is to find out how much RAM is currently being used.
  • Page 447 22.1.8 Man Pages and Info Pages For some GNU applications (such as tar), the man pages are no longer maintained. For these commands, use the --help option to get a quick overview of the info pages, which provide more in-depth instructions. info is GNU's hypertext system. Read an introduction to this system by entering info info.
  • Page 448: Virtual Consoles

    The components of Emacs are divided into several packages: • The base package emacs. • emacs-x11 (usually installed): the program with X11 support. • emacs-nox: the program without X11 support. • emacs-info: online documentation in info format. • emacs-el: the uncompiled library files in Emacs Lisp. These are not required at runtime.
  • Page 449: Language And Country-Specific Settings

    /etc/termcap /usr/lib/terminfo/x/xterm /usr/share/X11/app-defaults/XTerm /usr/share/emacs/VERSION/site-lisp/term/*.el These changes only affect applications that use terminfo entries or whose configu- ration files are changed directly (vi, less, etc.). Applications not shipped with the system should be adapted to these defaults. Under X, the compose key (multikey) can be accessed using Ctrl + Shift (right). Also see the corresponding entry in /etc/X11/Xmodmap.
  • Page 450 RC_LC_MESSAGES, RC_LC_CTYPE, RC_LC_COLLATE, RC_LC_TIME, RC_LC_NUMERIC, RC_LC_MONETARY These variables are passed to the shell without the RC_ prefix and represent the listed categories. The shell profiles concerned are listed below. The current setting can be shown with the command locale. RC_LC_ALL This variable, if set, overwrites the values of the variables already mentioned.
  • Page 451 localedef -i en_US -f UTF-8 en_US.UTF-8 LANG=en_US.UTF-8 This is the default setting if American English is selected during installation. If you selected another language, that language is enabled but still with UTF-8 as the character encoding. LANG=en_US.ISO-8859-1 This sets the language to English, country to United States, and the character set to ISO-8859-1.
  • Page 452 22.4.3 Settings for Language Support Files in the category Messages are, as a rule, only stored in the corresponding language directory (like en) to have a fallback. If you set LANG to en_US and the message file in /usr/share/locale/en_US/LC_MESSAGES does not exist, it falls back to /usr/share/locale/en/LC_MESSAGES.
  • Page 453 • Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, currently at http:// www.cl.cam.ac.uk/~mgk25/unicode.html. • Unicode-Howto, by Bruno Haible: /usr/share/doc/howto/en/html/ Unicode-HOWTO.html. Special System Features...
  • Page 455: 23 Printer Operation

    Printer Operation SUSE Linux Enterprise® supports printing with many types of printers, including remote network printers. Printers can be configured with YaST or manually. Both graphical and command line utilities are available for starting and managing print jobs. If your printer does not work as expected, refer to Section 23.9, “Troubleshooting”...
  • Page 456 print system can convert PostScript jobs to the respective printer language with the help of Ghostscript. This processing stage is referred to as interpreting. The best- known languages are PCL, which is mostly used by HP printers and their clones, and ESC/P, which is used by Epson printers.
  • Page 457: The Workflow Of The Printing System

    23.1 The Workflow of the Printing System The user creates a print job. The print job consists of the data to print plus information for the spooler, such as the name of the printer or the name of the printer queue, and, optionally, information for the filter, such as printer-specific options.
  • Page 458: Installing The Software

    these platforms, printing is only possible over the network. The cabling for network printers must be installed according to the instructions of the printer manufacturer. WARNING: Changing Cable Connections in a Running System When connecting the printer to the machine, do not forget that only USB devices can be plugged in or unplugged during operation.
  • Page 459: Setting Up A Printer

    23.4 Setting Up a Printer YaST can be used to configure a local printer that is directly connected to your machine (normally with USB or parallel port) or to set up printing over the network. It is also possible to add PPD (PostScript Printer Description) files for your printer with YaST. 23.4.1 Configuring Local Printers If an unconfigured local printer is detected, YaST starts automatically to configure it.
  • Page 460 printer detection. If more than one printer is connected to the machine or more than one queue is configured for a printer, you can mark the active entry as the default. CUPS Expert Settings and Change IPP Listen are advanced configuration options— refer to Chapter 23, Printer Operation (page 437) for details.
  • Page 461 which language your printer understands). If this does not work, refer to Section “Adding PPD Files with YaST” (page 444) for another possible solution. 7 The Configuration screen lists a summary of the printer setup. This dialog is also shown when editing an existing printer configuration from the start screen of this YaST module.
  • Page 462 • With State and banner settings you can, for example, deactivate the printer by changing its state and specify whether a page with a Starting Banner or Ending Banner is printed before or after each job (the default is not to print them).
  • Page 463: Network Printers

    23.4.2 Configuring Network Printers with YaST Network printers are not detected automatically. They must be configured manually using the YaST printer module. Depending on your network setup, you can print to a print server (CUPS, LPD, SMB, or IPX) or directly to a network printer (preferably via TCP).
  • Page 464 socket Socket refers to a connection in which the data is sent to an Internet socket without first performing a data handshake. Some of the socket port numbers that are commonly used are 9100 or 35. The device URI (uniform resource identifier) syntax is socket://IP.of.the.printer:port, for example, socket://192.168.2.202:9100/.
  • Page 465 23.5.1 Configuring CUPS with Command Line Tools Apart from setting CUPS options with YaST when configuring a network printer, CUPS can be configured with command line tools like lpadmin and lpoptions. You need a device URI consisting of a back-end, such as USB, and parameters, like /dev/usb/lp0.
  • Page 466: Graphical Printing Interfaces

    The activated default option is identified by a preceding asterisk (*).
    2 Change the option with lpadmin:
        lpadmin -p queue -o Resolution=600dpi
    3 Check the new setting:
        lpoptions -p queue -l
        Resolution/Output Resolution: 150dpi 300dpi *600dpi
    When a normal user runs lpoptions, the settings are written to ~/.lpoptions. However, root settings are written to /etc/cups/lpoptions.
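The device-URI and lpadmin/lpoptions material of pages 464 to 466, as an added example that is not the manual's own script: a parser that sanity-checks a socket:// URI before it is handed to lpadmin, and functions that print the lpadmin and lpoptions commands for creating a queue and setting a default option. The queue name, PPD path and addresses in the test are assumed values; the commands are printed rather than executed so root can review them before piping the output to sh.

```sh
# Prints "host port" for a well-formed socket:// URI, returns 1 otherwise.
# When no port is given, 9100 is used (the default of the CUPS socket backend).
parse_socket_uri() {     # usage: parse_socket_uri socket://192.168.2.202:9100/
    case $1 in socket://*) ;; *) return 1 ;; esac
    hp=${1#socket://}; hp=${hp%%/*}           # host[:port], trailing path dropped
    host=${hp%%:*}; port=${hp#*:}
    [ "$port" = "$hp" ] && port=9100
    [ -n "$host" ] || return 1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# lpadmin: -p queue, -v device URI, -P PPD file, -E enable the queue and
# accept jobs.  The queue name is restricted here to letters, digits, '_'
# and '-' so it can never smuggle shell syntax into the printed command.
lpadmin_create_cmd() {   # usage: lpadmin_create_cmd QUEUE DEVICE_URI PPD
    case $1 in ''|*[!A-Za-z0-9_-]*) echo "bad queue name: $1" >&2; return 1 ;; esac
    parse_socket_uri "$2" >/dev/null || { echo "bad device URI: $2" >&2; return 1; }
    [ -n "$3" ] || { echo "PPD path required" >&2; return 1; }
    printf 'lpadmin -p %s -v %s -P %s -E\n' "$1" "$2" "$3"
}

# Set a queue default with lpadmin -o and show it with lpoptions -l,
# the two commands of steps 2 and 3 above.
lpadmin_option_cmds() {  # usage: lpadmin_option_cmds QUEUE OPTION=VALUE
    case $1 in ''|*[!A-Za-z0-9_-]*) echo "bad queue name: $1" >&2; return 1 ;; esac
    case $2 in *=*) ;; *) echo "expected OPTION=VALUE" >&2; return 1 ;; esac
    printf 'lpadmin -p %s -o %s\nlpoptions -p %s -l\n' "$1" "$2" "$1"
}
```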
  • Page 467: Special Features In Suse Linux Enterprise

    23.8 Special Features in SUSE Linux Enterprise A number of CUPS features have been adapted for SUSE Linux Enterprise. Some of the most important changes are covered here. 23.8.1 CUPS and Firewall After a default installation of SUSE Linux Enterprise, SuSEfirewall2 is active and the external network devices are configured to be in the External Zone, which blocks incoming traffic.
  • Page 468 23.8.2 Changes in the CUPS Print Service Generalized Functionality for BrowseAllow and BrowseDeny The access permissions set for BrowseAllow and BrowseDeny apply to all kinds of packets sent to cupsd. The default settings in /etc/cups/cupsd.conf are as follows:
    BrowseAllow @LOCAL
    BrowseDeny All
    <Location />...
  • Page 469 tection with the vendors and models in all PPD files available in /usr/share/cups/model on the system. For this purpose, the YaST printer configuration generates a database from the vendor and model information extracted from the PPD files. When you select a printer from the list of vendors and models, you receive the PPD files matching the vendor and model.
  • Page 470 Gimp-Print PPD Files in the cups-drivers-stp Package Instead of foomatic-rip, the CUPS filter rastertoprinter from Gimp-Print can be used for many non-PostScript printers. This filter and suitable Gimp-Print PPD files are available in the cups-drivers-stp package. The Gimp-Print PPD files are located in /usr/share/cups/model/stp/ and have the entries *NickName: ...
  • Page 471: Troubleshooting

    printer is too slow because its processor is too weak. Furthermore, the printer may not support PostScript by default, for example, because PostScript support is only available as an optional module. If a PPD file from the manufacturer-PPDs package is suitable for a PostScript printer, but YaST cannot configure it for these reasons, select the respective printer model manually in YaST.
  • Page 472 printers that support a standard printer language do not depend on a special print system version or a special hardware platform. Instead of spending time trying to make a proprietary Linux driver work, it may be more cost-effective to purchase a supported printer. This would solve the driver problem once and for all, eliminating the need to install and configure special driver software and obtain driver updates that may be required due to new developments in the print system.
  • Page 473 If the printer cannot be addressed on the parallel port despite these settings, enter the I/O address explicitly in accordance with the setting in the BIOS in the form 0x378 in /etc/modprobe.conf. If there are two parallel ports that are set to the I/O addresses 378 and 278 (hexadecimal), enter these in the form 0x378,0x278.
  • Page 474 Checking a Remote lpd Use the following command to test if a TCP connection can be established to lpd (port 515) on host:
    netcat -z host 515 && echo ok || echo failed
    If the connection to lpd cannot be established, lpd may not be active or there may be basic network problems.
  • Page 475 The following command can be used to test if a TCP connection can be established to cupsd (port 631) on host:
    netcat -z host 631 && echo ok || echo failed
    If the connection to cupsd cannot be established, cupsd may not be active or there may be basic network problems.
  • Page 476 -p from_port-to_port IP-address. This may take some time. For further information, refer to the man page of nmap. Enter a command like
    echo -en "\rHello\r\f" | netcat -w 1 IP-address port
    cat file | netcat -w 1 IP-address port
    to send character strings or files directly to the respective port to test if the printer can be addressed on this port.
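The connection checks of pages 474 to 476 wrapped as shell functions, as an added example that is not the manual's own script. Ports 515 and 631 and the netcat invocations are those of the text; the bash /dev/tcp fallback for systems without netcat, and the service names in the report, are assumptions. The test only probes a closed port on 127.0.0.1, so it runs offline.

```sh
# Probe one TCP port.  Uses netcat -z as the manual does; on a system without
# netcat it falls back to bash's /dev/tcp pseudo-device (plain sh has no such
# device, so the probe then reports "closed").  -w 1 bounds the wait.
probe_port() {           # usage: probe_port HOST PORT  -> 0 open, non-zero closed/unreachable
    host=$1; port=$2
    if command -v netcat >/dev/null 2>&1; then
        netcat -z -w 1 "$host" "$port" >/dev/null 2>&1
    elif command -v nc >/dev/null 2>&1; then
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1
    else
        ( exec 3<>"/dev/tcp/$host/$port" ) >/dev/null 2>&1
    fi
}

# Check a remote print server for lpd (515) and cupsd (631), the two checks
# above.  One line per service; the return value is the number of services
# that could not be reached, so 0 means both answered.
check_print_server() {   # usage: check_print_server HOST
    host=$1; failed=0
    for svc in lpd:515 cupsd:631; do
        name=${svc%%:*}; port=${svc##*:}
        if probe_port "$host" "$port"; then
            printf '%s port %s on %s: ok\n' "$name" "$port" "$host"
        else
            printf '%s port %s on %s: failed (%s not running, or a network problem)\n' \
                "$name" "$port" "$host" "$name"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Send a test string straight to a network printer's raw port (usually 9100)
# once the probe succeeded, like the echo | netcat command on page 476.
raw_print_test() {       # usage: raw_print_test IP PORT
    probe_port "$1" "$2" || { echo "port $2 on $1 not reachable" >&2; return 1; }
    printf '\rHello\r\f' | netcat -w 1 "$1" "$2"
}
```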
  • Page 477 the client cupsd regards the print job as completed as soon as it has been forwarded to the server cupsd. To delete the print job on the server, use a command such as lpstat -h cups.example.com -o to determine the job number on the server, provided the server has not already completed the print job (that is, sent it completely to the printer).
  • Page 478 4 Reset the printer completely by switching it off for some time. Then insert the paper and turn on the printer. 23.9.9 Debugging the CUPS Print System Use the following generic procedure to locate problems in the CUPS print system: 1 Set LogLevel debug in /etc/cups/cupsd.conf.
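Added example, not from the manual, covering the cupsd.conf points of 23.8 (BrowseAllow/BrowseDeny, listening addresses) and step 1 of the debugging procedure above. The file path is an argument so the functions can be tried on a copy of /etc/cups/cupsd.conf; the configuration lines in the test are constructed. Names such as cupsd_listens_externally are this example's, not CUPS's.

```sh
# Print the value of every occurrence of DIRECTIVE (comments stripped), e.g.
#   cupsd_directive /etc/cups/cupsd.conf BrowseAllow
cupsd_directive() {      # usage: cupsd_directive FILE DIRECTIVE
    sed -e 's/#.*//' "$1" |
        awk -v n="$2" 'tolower($1) == tolower(n) { $1 = ""; sub(/^ +/, ""); print }'
}

# Returns 0 if cupsd is configured to accept connections from the network:
# a bare "Port" directive binds all interfaces, and so does any Listen
# address that is neither loopback nor a local domain socket.  Behind
# SuSEfirewall2 this is blocked anyway; on a server it is the first thing to check.
cupsd_listens_externally() {   # usage: cupsd_listens_externally FILE
    sed -e 's/#.*//' "$1" | awk '
        tolower($1) == "port" { ext = 1 }
        tolower($1) == "listen" {
            v = $2
            if (v !~ /^(localhost|127\.0\.0\.1|\[::1\])(:[0-9]+)?$/ && v !~ /^\//) ext = 1
        }
        END { exit ext ? 0 : 1 }'
}

# Set LogLevel (step 1 of the debugging procedure), keeping a backup and the
# file's owner and mode.  "debug" records every request and job detail in
# /var/log/cups/error_log, so switch back when the problem is found.
cupsd_set_loglevel() {   # usage: cupsd_set_loglevel FILE debug
    case $2 in none|emerg|alert|crit|error|warn|notice|info|debug|debug2) ;;
        *) echo "unknown LogLevel: $2" >&2; return 1 ;; esac
    cp -p "$1" "$1.bak" || return 1
    if grep -qi '^[[:space:]]*LogLevel' "$1"; then
        sed "s/^[[:space:]]*[Ll]og[Ll]evel.*/LogLevel $2/" "$1" > "$1.tmp"
    else
        { cat "$1"; printf 'LogLevel %s\n' "$2"; } > "$1.tmp"
    fi
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # cat keeps the original inode, owner and mode
}
```

After changing the file, cupsd must be restarted (rccups restart on SUSE Linux Enterprise) for the new level to take effect.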
  • Page 479: 24 Dynamic Kernel Device Management With Udev

    Dynamic Kernel Device Management with udev Since version 2.6, the kernel is capable of adding or removing almost any device in the running system. Changes in device state (whether a device is plugged in or removed) need to be propagated to userspace. Devices need to be configured as soon as they are plugged in and discovered.
  • Page 480: Kernel Uevents And Udev

    24.2 Kernel uevents and udev The required device information is exported by the sysfs file system. For every device the kernel has detected and initialized, a directory with the device name is created. It contains attribute files with device-specific properties. Every time a device is added or removed, the kernel sends a uevent to notify udev of the change.
  • Page 481: Booting And Initial Device Setup

    aliases provided by the modules. If a matching entry is found, that module is loaded. All this is triggered by udev and happens automatically. 24.4 Booting and Initial Device Setup All device events happening during the boot process before the udev daemon is running are lost, because the infrastructure to handle these events lives on the root file system and is not available at that time.
  • Page 482: Influencing Kernel Device Event Handling With Udev Rules

    The UEVENT lines show the events the kernel has sent over netlink. The UDEV lines show the finished udev event handlers. The timing is printed in microseconds. The time between UEVENT and UDEV is the time udev took to process this event, or the time for which the udev daemon delayed its execution to synchronize this event with related events that were already being handled.
  • Page 483: Persistent Device Naming

    Every line in the rules file contains at least one key value pair. There are two kinds of keys, match and assignment keys. If all match keys match their values, the rule is applied and the assignment keys are assigned the specified value. A matching rule may specify the name of the device node, add symlinks pointing to the node, or run a specified program as part of the event handling.
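An added example (not from the manual) of the rule structure just described: a generator for one persistent-naming rule with both match and assignment keys, a linter that enforces the "at least one match key and one assignment key" property, and an audit of a rules file that also flags RUN programs named without an absolute path (udev then expects them in /lib/udev, see 24.8 below, so their presence and ownership there should be checked). Key spelling follows current udev(7); the udev shipped with SLES 10 (0.8x) wrote the parent-attribute match as SYSFS{serial} and matched the bus with BUS=="usb" rather than SUBSYSTEMS. The serial number, link name and rules file in the test are constructed.

```sh
# Rule for a USB disk identified by the device's serial number: when all
# three match keys hold, the node also appears as /dev/LINKNAME, owned by
# root:GROUP with mode 0660 (the assignment keys).
udev_disk_rule() {       # usage: udev_disk_rule SERIAL LINKNAME [GROUP]
    group=${3:-disk}
    [ -n "$1" ] && [ -n "$2" ] || { echo "serial and link name required" >&2; return 1; }
    case "$1$2$group" in *[!A-Za-z0-9_.-]*) echo "unsafe characters in rule values" >&2; return 1 ;; esac
    printf 'KERNEL=="sd?", SUBSYSTEMS=="usb", ATTRS{serial}=="%s", SYMLINK+="%s", GROUP="%s", MODE="0660"\n' \
        "$1" "$2" "$group"
}

# A rule needs at least one match key (== or !=) and one assignment key
# (=, += or :=).  Every key contains exactly one '="', so the count of '="'
# minus the count of '=="' and '!="' is the number of assignment keys.
udev_rule_lint() {       # usage: udev_rule_lint 'KERNEL=="sdb", SYMLINK+="backup"'  -> 0 if well formed
    total=$(( $(printf '%s\n' "$1" | grep -o '="' | wc -l) ))
    matches=$(( $(printf '%s\n' "$1" | grep -o '[=!]="' | wc -l) ))
    [ "$matches" -ge 1 ] && [ $((total - matches)) -ge 1 ]
}

# Audit a rules file line by line; blank lines and comments are skipped.
# Returns the number of findings, printing one line per finding.
udev_rules_audit() {     # usage: udev_rules_audit FILE
    n=0; bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|\#*) continue ;; esac
        if ! udev_rule_lint "$line"; then
            printf 'line %d: needs at least one match key and one assignment key\n' "$n"
            bad=$((bad + 1))
        fi
        if printf '%s\n' "$line" | grep -q 'RUN[+:]\{0,1\}="[^/]'; then
            printf 'line %d: RUN program given without an absolute path (looked up in /lib/udev)\n' "$n"
            bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}
```

Rules files are read from /etc/udev/rules.d; after adding one, replug the device (or wait for the next uevent) and confirm with udevinfo that the symlink and owner are what the rule asked for.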
  • Page 484: The Replaced Hotplug Package

    24.8 The Replaced hotplug Package The formerly used hotplug package is entirely replaced by udev and the udev-related kernel infrastructure. The following parts of the former hotplug infrastructure have been made obsolete or had their functionality taken over by udev:
    /etc/hotplug/*.agent   No longer needed or moved to /lib/udev
    /etc/hotplug/*.rc ...
  • Page 485: For More Information

    /lib/udev/*   Helper programs called from udev rules
    24.9 For More Information For more information about the udev infrastructure, refer to the following man pages:
    udev       General information about udev, keys, rules, and other important configuration issues.
    udevinfo   udevinfo can be used to query device information from the udev database.
    udevd      Information about the udev event managing daemon.
  • Page 487: 25 File Systems In Linux

    File Systems in Linux SUSE Linux Enterprise® ships with a number of different file systems, including ReiserFS, Ext2, Ext3, and XFS, from which to choose at installation time. Each file system has its own advantages and disadvantages that can make it more suited to a scenario. To meet the requirements of high-performance clustering scenarios, SUSE Linux Enterprise Server includes OCFS2 (Oracle Cluster File System 2).
  • Page 488: Major File Systems In Linux

    it obsoletes the lengthy search process that checks the entire file system at system start-up. Instead, only the journal is replayed. 25.2 Major File Systems in Linux Unlike two or three years ago, choosing a file system for a Linux system is no longer a matter of a few seconds (Ext2 or ReiserFS?).
  • Page 489 directly in the B tree leaf nodes instead of being stored elsewhere and just maintaining a pointer to the actual disk location. In addition to that, storage is not allocated in chunks of 1 or 4 KB, but in portions of the exact size needed. Another benefit lies in the dynamic allocation of inodes.
  • Page 490 +found). In contrast to journaling file systems, e2fsck analyzes the entire file system and not just the recently modified bits of metadata. This takes significantly longer than checking the log data of a journaling file system. Depending on file system size, this procedure can take half an hour or more. Therefore, it is not desirable to choose Ext2 for any server that needs high availability.
  • Page 491 Ext3 in the data=journal mode offers maximum security (data integrity), but can slow down the system because both metadata and data are journaled. A relatively new approach is to use the data=ordered mode, which ensures both data and metadata integrity, but uses journaling only for metadata. The file system driver collects all data blocks that correspond to one metadata update.
  • Page 492 25.2.5 XFS Originally intended as the file system for their IRIX OS, SGI started XFS development in the early 1990s. The idea behind XFS was to create a high-performance 64-bit journaling file system to meet the extreme computing challenges of today. XFS is very good at manipulating large files and performs well on high-end hardware.
  • Page 493 25.2.6 Oracle Cluster File System 2 OCFS2 is a journaling file system that has been tailor-made for clustering setups. In contrast to a standard single-node file system like Ext3, OCFS2 is capable of managing several nodes. OCFS2 allows spreading a file system across shared storage, such as a SAN or multipath setup.
  • Page 494: Some Other Supported File Systems

    msdos   ... DOS, is today used by various operating systems.
    ncpfs   File system for mounting Novell volumes over networks.
    nfs     Network File System: Here, data can be stored on any machine in a network and access may be granted via a network.
  • Page 495: Large File Support In Linux

    umsdos  UNIX on MSDOS: Applied on top of a normal fat file system, achieves UNIX functionality (permissions, links, long filenames) by creating special files.
    vfat    Virtual FAT: Extension of the fat file system (supports long filenames).
    ntfs    Windows NT file system, read-only.
    25.4 Large File Support in Linux Originally, Linux supported a maximum file size of 2 GB.
  • Page 496: For More Information

    File System            File Size (Bytes)   File System Size (Bytes)
    ...                    (8 EB)              (8 EB)
    NFSv2 (client side)    (2 GB)              (8 EB)
    NFSv3 (client side)    (8 EB)              (8 EB)
    IMPORTANT: Linux Kernel Limits Table 25.2, “Maximum Sizes of File Systems (On-Disk Format)” (page 477) describes the limitations regarding the on-disk format.
  • Page 497 A comprehensive multipart tutorial about Linux file systems can be found at IBM developerWorks: http://www-106.ibm.com/developerworks/library/l-fs.html. A very in-depth comparison of file systems (not only Linux file systems) is available from the Wikipedia project http://en.wikipedia.org/wiki/Comparison_of_file_systems#Comparison.
  • Page 499: 26 The X Window System

    The X Window System The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. X is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet). This chapter describes the setup and optimization of the X Window System environment, and provides background information about the use of fonts in SUSE Linux Enterprise®.
  • Page 500 WARNING: Faulty X Configurations can Damage Your Hardware Be very careful when configuring your X Window System. Never start the X Window System until the configuration is finished. A misconfigured system can cause irreparable damage to your hardware (this applies especially to fixed-frequency monitors).
  • Page 501 Table 26.1 Sections in /etc/X11/xorg.conf
    Type          Meaning
    Files         The paths used for fonts and the RGB color table.
    ServerFlags   General switches for the server behavior.
    Module        A list of modules the server should load.
    InputDevice   Input devices, like keyboards and special input devices (touchpads, joysticks, etc.), are configured in this section.
  • Page 502
    Screen (continued)  ... of the virtual screen (Virtual), the ViewPort, and the Modes used with this screen.
    ServerLayout  The layout of a single or multihead configuration. This section binds the input devices InputDevice and the display devices Screen.
    DRI           Provides information for the Direct Rendering Infrastructure (DRI).
  • Page 503 Example 26.1 Screen Section of the File /etc/X11/xorg.conf
    Section "Screen"
      DefaultDepth
      SubSection "Display"
        Depth
        Modes "1152x864" "1024x768" "800x600"
        Virtual 1152x864
      EndSubSection
      SubSection "Display"
        Depth
        Modes "1280x1024"
      EndSubSection
      SubSection "Display"
        Depth
        Modes "640x480"
      EndSubSection
      SubSection "Display"
        Depth
        Modes "1280x1024"
      EndSubSection
      Device "Device[0]"...
  • Page 504 The last line of the Display subsection with Depth 16 refers to the size of the virtual screen. The maximum possible size of a virtual screen depends on the amount of memory installed on the graphics card and the desired color depth, not on the maximum resolution of the monitor.
  • Page 505 in decimal form, but lspci displays these in hexadecimal form. The value of BusID is automatically detected by SaX2. The value of Driver is automatically set by SaX2 and specifies which driver to use for your graphics card. If the card is a Matrox Millennium, the driver module is called mga.
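An added example (not from the manual) for the decimal-versus-hexadecimal pitfall just mentioned: a converter from the bus:device.function slot that lspci prints to the BusID form xorg.conf expects, and a filter that lists the BusIDs of all VGA controllers in lspci output. The lspci lines in the test are constructed; the function names are this example's own.

```sh
# lspci prints "01:00.0" (hexadecimal); xorg.conf wants "PCI:1:0:0" (decimal).
# A "0000:" domain prefix, as printed by lspci -D, is dropped.  Malformed
# input yields an error and no BusID rather than a plausible-looking wrong one.
lspci_to_busid() {       # usage: lspci_to_busid 0a:03.1   -> PCI:10:3:1
    slot=$1
    case $slot in *:*:*) slot=${slot#*:} ;; esac
    case $slot in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7]) ;;
        *) echo "not an lspci slot: $1" >&2; return 1 ;;
    esac
    bus=${slot%%:*}; rest=${slot#*:}; dev=${rest%.*}; fn=${rest#*.}
    printf 'PCI:%d:%d:%d\n' "$((0x$bus))" "$((0x$dev))" "$((0x$fn))"
}

# Read lspci output on stdin and print one BusID per VGA controller; the
# result should match the BusID line in the Device section of xorg.conf.
vga_busids() {           # usage: lspci | vga_busids
    grep 'VGA compatible controller' | while read -r slot _; do
        lspci_to_busid "$slot"
    done
}
```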
  • Page 506: Installing And Configuring Fonts

    WARNING Unless you have in-depth knowledge of monitor and graphics card functions, do not change the modelines, because this could severely damage your monitor. Those who try to develop their own monitor descriptions should be very familiar with the documentation in /usr/X11R6/lib/X11/doc/ (the package xorg-x11-doc must be installed).
  • Page 507 /etc/fonts/suse-font-dirs.conf is automatically generated to pull in fonts that ship with (mostly third party) applications like OpenOffice.org, Java or Adobe Acrobat Reader. Some typical entries of /etc/fonts/suse-font-dirs.conf would look like the following:
    <dir>/usr/lib/ooo-2.0/share/fonts</dir>
    <dir>/usr/lib/ooo-2.0/share/fonts/truetype</dir>
    <dir>/usr/lib/jvm/java-1.5.0-sun-1.5.0_update10/jre/lib/fonts</dir>
    <dir>/usr/X11R6/lib/Acrobat7/Resource/Font</dir>
    <dir>/usr/X11R6/lib/Acrobat7/Resource/Font/PFM</dir>
    To install additional fonts systemwide, manually copy the font files to a suitable directory (as root), such as /usr/share/fonts/truetype.
  • Page 508 The X11 core font system has a few inherent weaknesses. It is outdated and can no longer be extended in a meaningful way. Although it must be retained for reasons of backward compatibility, the more modern Xft and fontconfig system should be used if at all possible.
  • Page 509 languages. Direct access to the font files is very useful for embedding fonts for printing to make sure that the printout looks the same as the screen output. In SUSE Linux Enterprise, the two desktop environments KDE and GNOME, Mozilla, and many other applications already use Xft by default.
  • Page 510 to disable antialiasing for specific fonts. By default, most applications use the font names sans-serif (or the equivalent sans), serif, or monospace. These are not real fonts but only aliases that are resolved to a suitable font, depending on the language setting. Users can easily add rules to ~/.fonts.conf to resolve these aliases to their favorite fonts: <alias>...
  • Page 511
    FreeMonoOblique.ttf: FreeMono:style=Oblique:weight=80
    FreeMono.ttf: FreeMono:style=Medium:weight=80
    FreeSans.ttf: FreeSans:style=Medium:weight=80
    FreeSerifBold.ttf: FreeSerif:style=Bold:weight=200
    FreeSansBoldOblique.ttf: FreeSans:style=BoldOblique:weight=200
    FreeMonoBold.ttf: FreeMono:style=Bold:weight=200
    Important parameters that can be queried with fc-list:
    Table 26.2 Parameters of fc-list
    Parameter   Meaning and Possible Values
    family      Name of the font family, for example, FreeSans.
    foundry     The manufacturer of the font, for example, urw.
    style       The font style, such as Medium, Regular, Bold, ...
  • Page 512: For More Information

    26.3 For More Information Install the packages xorg-x11-doc and howtoenh to get more in-depth information on X11. More information on the X11 development can be found on the project's home page at http://www.x.org.
  • Page 513: 27 Authentication With PAM

    Authentication with PAM Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
  • Page 514: Structure Of A Pam Configuration File

    27.1 Structure of a PAM Configuration File Each line in a PAM configuration file contains a maximum of four columns: <Type of module> <Control flag> <Module path> <Options> PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings.
  • Page 515: The Pam Configuration Of Sshd

    modules with the same flag are processed before the user receives a message about the failure of the authentication attempt. requisite Modules having this flag must also be processed successfully, in much the same way as a module with the required flag. However, in case of failure a module with this flag gives immediate feedback to the user and no further modules are processed.
  • Page 516 Example 27.1 PAM Configuration for sshd
    #%PAM-1.0
    auth     include        common-auth
    auth     required       pam_nologin.so
    account  include        common-account
    password include        common-password
    session  include        common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
    #session optional       pam_resmgr.so fake_ttyname
    The typical PAM configuration of an application (sshd, in this case) contains four include statements referring to the configuration files of four module types: common-auth, common-account, common-password, and common-session.
  • Page 517 modules is not successful, the entire module stack is still processed and only then is sshd notified about the negative result. As soon as all modules of the auth type have been successfully processed, another include statement is processed, in this case, that in Example 27.3, “Default Configuration for the account Section”...
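An added example, not from the manual, for the stack and control-flag rules of 27.1 and 27.2: it expands the include lines of a service file the way pam(8) does, so the effective order of required, requisite, sufficient and optional modules can be reviewed, and it flags one ordering worth a second look (a sufficient module ahead of a required one, which returns success to the application without the later module ever running). The sshd file in the test is a copy of Example 27.1; the common-auth and common-account files beside it are constructed and are not the page's Examples 27.2 and 27.3. The bracketed [value=action ...] control syntax is not handled.

```sh
# Effective stack for one service and module type, includes followed
# relative to the service file's directory.  Output: "<flag> <module> [opts]".
pam_effective_stack() {  # usage: pam_effective_stack DIR SERVICE TYPE   (DIR is normally /etc/pam.d)
    _pam_expand "$1/$2" "$3" 0
}
_pam_expand() {          # FILE TYPE DEPTH
    [ "$3" -lt 8 ] || { echo "include nesting too deep at $1" >&2; return 1; }
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    sed -e 's/#.*//' "$1" | awk -v t="$2" '$1 == t' |
    while read -r mtype ctrl module opts; do
        if [ "$ctrl" = include ]; then
            _pam_expand "$(dirname "$1")/$module" "$2" $(($3 + 1))
        else
            printf '%s %s%s\n' "$ctrl" "$module" "${opts:+ $opts}"
        fi
    done
}

# Is MODULE part of the effective TYPE stack?  E.g. the sshd configuration
# above relies on pam_nologin.so being in its auth stack.
pam_has_module() {       # usage: pam_has_module DIR SERVICE TYPE MODULE
    pam_effective_stack "$1" "$2" "$3" | awk -v m="$4" '$2 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Returns 0 if a "sufficient" module precedes a "required" one in the stack:
# when the sufficient module succeeds, PAM stops there and the required
# module is never consulted.
pam_sufficient_before_required() {   # usage: pam_sufficient_before_required DIR SERVICE TYPE
    pam_effective_stack "$1" "$2" "$3" |
        awk '$1 == "sufficient" { s = 1 } s && $1 == "required" { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed configuration directory for trying the functions: sshd is
# Example 27.1; common-auth and common-account are assumed contents.
pam_demo_dir() {         # prints the directory path
    d=$(mktemp -d)
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
EOF
    cat > "$d/common-auth" <<'EOF'
auth     required       pam_env.so
auth     required       pam_unix2.so
EOF
    cat > "$d/common-account" <<'EOF'
account  required       pam_unix2.so
EOF
    printf '%s\n' "$d"
}
```

On a real system run `pam_effective_stack /etc/pam.d sshd auth` as root; the listing is the order in which sshd's auth modules are consulted.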
  • Page 518: Configuration Of Pam Modules

    .conf. The pam_limits module loads the file /etc/security/limits.conf, which may define limits on the use of certain system resources. The session modules are called a second time when the user logs out. 27.3 Configuration of PAM Modules Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security.
  • Page 519 27.3.2 pam_env.conf This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax: VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] VARIABLE Name of the environment variable to set. [DEFAULT=[value]] Default value the administrator wants set.
  • Page 520: For More Information

    Example 27.8 pam_pwcheck.conf
    password: nullok
    27.3.4 limits.conf System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.
  • Page 521: 28 Power Management

    Power Management Power management is especially important on laptop computers, but is also useful on other systems. Two technologies are available: APM (advanced power management) and ACPI (advanced configuration and power interface). In addition to these, it is also possible to control CPU frequency scaling to save power or decrease noise. These options can be configured manually or using a special YaST module.
  • Page 522: Power Saving Functions

    28.1 Power Saving Functions Power saving functions are not only significant for the mobile use of laptops, but also for desktop systems. The main functions and their use in the power management systems APM and ACPI are: Standby This operating mode turns off the display. On some computers, the processor per- formance is throttled.
  • Page 523: Apm

    with the duration of the sleep periods. Other components, like PCI devices that can be put into a special power saving mode, can be deactivated with ACPI (at least theoretically) or permanently disabled in the BIOS setup. Processor Speed Control In connection with the CPU, energy can be saved in three different ways: frequency and voltage scaling (also known as PowerNow! or Speedstep), throttling, and putting the processor to sleep (C states).
  • Page 524
    on or off                Enable or disable APM support.
    (no-)allow-ints          Allow interrupts during the execution of BIOS functions.
    (no-)broken-psr          The “GetPowerStatus” function of the BIOS does not work properly.
    (no-)realmode-power-off  Reset processor to real mode prior to shutdown.
    (no-)debug               Log APM events in system log.
    (no-)power-off           Power system off after shutdown.
  • Page 525: Acpi

    28.3 ACPI ACPI (advanced configuration and power interface) was designed to enable the operating system to set up and control the individual hardware components. ACPI supersedes both PnP and APM. It delivers information about the battery, AC adapter, temperature, fan, and system events, like “close lid” or “battery low.” The BIOS provides tables containing information about the individual components and hardware access methods.
  • Page 526
    /proc/acpi/info    General information about ACPI.
    /proc/acpi/alarm   Here, specify when the system should wake from a sleep state. Currently, this feature is not fully supported.
    /proc/acpi/sleep   Provides information about possible sleep states.
    /proc/acpi/event   All events are reported here and processed by the Powersave daemon (powersaved).
  • Page 527 and the hardware (or the BIOS) overwrite this setting when the system gets too warm.
    /proc/acpi/processor/*         A separate subdirectory is kept for each CPU included in your system.
    /proc/acpi/processor/*/info    Information about the energy saving options of the processor.
    /proc/acpi/processor/*/power   Information about the current processor state. An asterisk next to C2 indicates that the processor is idle.
  • Page 528
    /proc/acpi/thermal_zone/*/cooling_mode   Select the cooling method controlled by ACPI. Choose from passive (less performance, economical) or active cooling mode (full performance, fan noise).
    /proc/acpi/thermal_zone/*/trip_points    Enables the determination of temperature limits for triggering specific actions, like passive or active cooling, suspension (hot), or a shutdown (critical). The possible actions are defined in the DSDT (device-dependent).
  • Page 529 cation. Therefore, there are different kernel governors that can be set below /sys/ devices/system/cpu/cpu*/cpufreq/. userspace governor If the userspace governor is set, the kernel gives the control of CPU frequency scaling to a userspace application, usually a daemon. In SUSE Linux Enterprise distributions, this daemon is the powersaved package.
  • Page 530 only be applied if no other device modifies the contents of the main memory via bus master activity. Some drivers prevent the use of C3. The current state is displayed in /proc/acpi/processor/*/power. Frequency scaling and throttling are only relevant if the processor is busy, because the most economic C state is applied anyway when the processor is idle.
  • Page 531 The first thing to do when problems are encountered is to update the BIOS. If the computer does not boot at all, one of the following boot parameters may be helpful:
    pci=noacpi   Do not use ACPI for configuring the PCI devices.
    acpi=ht      Only perform a simple resource configuration.
  • Page 532: Rest For The Hard Disk

    For More Information Additional documentation and help on ACPI:
    • http://www.cpqlinux.com/acpi-howto.html (detailed ACPI HOWTO, contains DSDT patches)
    • http://www.intel.com/technology/iapc/acpi/faq.htm (ACPI FAQ @Intel)
    • http://acpi.sourceforge.net/ (the ACPI4Linux project at Sourceforge)
    • http://www.poupinou.org/acpi/ (DSDT patches by Bruno Ducrot)
    28.4 Rest for the Hard Disk In Linux, the hard disk can be put to sleep entirely if it is not needed or it can be run in a more economic or quieter mode.
  • Page 533: The Powersave Package

    in the RAM. This buffer is monitored by the kernel update daemon (kupdated). When the data reaches a certain age limit or when the buffer is filled to a certain degree, the buffer content is flushed to the hard disk. The buffer size is dynamic and depends on the size of the memory and the system load.
  • Page 534 packages, except acpid that acts as a multiplexer for ACPI events, should not be run concurrently with the powersave daemon. Even if your system does not contain all the hardware elements listed above, use the powersave daemon for controlling the power saving function. Because ACPI and APM are mutually exclusive, you can only use one of these systems on your computer.
  • Page 535
    • do_standby
    • notify
    • screen_saver
    • reread_cpu_capabilities
    throttle slows down the processor by the value defined in MAX_THROTTLING. This value depends on the current scheme. dethrottle sets the processor to full performance. suspend_to_disk, suspend_to_ram, and standby trigger the system event for a sleep mode. These three actions are generally responsible for triggering the sleep mode, but they should always be associated with specific system events.
  • Page 536 The actions for the event of a sleep button could be modified as in EVENT_BUTTON_SLEEP="notify suspend_to_disk". In this case, the user is informed about the suspend by a pop-up window in X or a message on the console. Subsequently, the event EVENT_GLOBAL_SUSPEND2DISK is generated, resulting in the execution of the mentioned actions and a secure system suspend mode.
  • Page 537 28.5.2 Configuring APM and ACPI Suspend and Standby There are three basic ACPI sleep modes and two APM sleep modes: Suspend to Disk (ACPI S4, APM suspend) Saves the entire memory content to the hard disk. The computer is switched off completely and does not consume any power.
  • Page 538
    EVENT_GLOBAL_RESUME_SUSPEND2DISK="restore_after_suspend_to_disk"
    EVENT_GLOBAL_RESUME_SUSPEND2RAM="restore_after_suspend_to_ram"
    EVENT_GLOBAL_RESUME_STANDBY="restore_after_standby"
    Custom Battery States In the file /etc/sysconfig/powersave/battery, define three battery charge levels (in percent) that trigger system alerts or specific actions when they are reached.
    BATTERY_WARNING=12
    BATTERY_LOW=7
    BATTERY_CRITICAL=2
    The actions or scripts to execute when the charge levels drop under the specified limits are defined in the configuration file /etc/sysconfig/powersave/events.
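An added example (not from the manual) that checks the two files described on pages 535 to 538 before the daemon is restarted: the battery levels must be percentages in the order WARNING > LOW > CRITICAL, and every word in an EVENT_* line must be a known action. Values are extracted with sed rather than by sourcing the file, because sourcing a sysconfig file executes whatever is in it. The action list is the one visible on this page (the page's own list is cut off) and must be extended from the comments in /etc/sysconfig/powersave/events; the files in the test are constructed.

```sh
# Actions named on this page; extend from the comments in the events file.
POWERSAVE_ACTIONS="throttle dethrottle suspend_to_disk suspend_to_ram standby \
do_standby notify screen_saver reread_cpu_capabilities \
restore_after_suspend_to_disk restore_after_suspend_to_ram restore_after_standby"

# Last VARIABLE="value" (or VARIABLE=value) assignment in FILE, quotes removed.
sysconfig_get() {        # usage: sysconfig_get FILE VARIABLE
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# BATTERY_WARNING, BATTERY_LOW and BATTERY_CRITICAL must be percentages in
# strictly descending order, otherwise an alert fires late or never.
powersave_check_battery() {   # usage: powersave_check_battery /etc/sysconfig/powersave/battery
    w=$(sysconfig_get "$1" BATTERY_WARNING)
    l=$(sysconfig_get "$1" BATTERY_LOW)
    c=$(sysconfig_get "$1" BATTERY_CRITICAL)
    for v in "$w" "$l" "$c"; do
        case $v in ''|*[!0-9]*) echo "missing or non-numeric battery level in $1" >&2; return 1 ;; esac
        [ "$v" -le 100 ] || { echo "battery level $v is not a percentage" >&2; return 1; }
    done
    [ "$w" -gt "$l" ] && [ "$l" -gt "$c" ] ||
        { echo "expected BATTERY_WARNING > BATTERY_LOW > BATTERY_CRITICAL" >&2; return 1; }
}

# Report every word in an EVENT_* value that is not a known action (a typo,
# or a script name that the daemon will never run).  Returns the number found.
powersave_check_events() {    # usage: powersave_check_events /etc/sysconfig/powersave/events
    bad=0
    for name in $(sed -n 's/^[[:space:]]*\(EVENT_[A-Z0-9_]*\)=.*/\1/p' "$1" | sort -u); do
        for a in $(sysconfig_get "$1" "$name"); do
            case " $POWERSAVE_ACTIONS " in *" $a "*) ;;
                *) printf '%s: unknown action %s\n' "$name" "$a"; bad=$((bad + 1)) ;; esac
        done
    done
    return $bad
}
```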
  • Page 539 The schemes are stored in files in /etc/sysconfig/powersave. The filenames are in the format scheme_name-of-the-scheme. The example refers to two schemes: scheme_performance and scheme_powersave. performance, powersave, presentation, and acoustic are preconfigured. Existing schemes can be edited, created, deleted, or associated with different power supply states with the help of the YaST power management module described in Section 28.6, “The YaST Power Management Module”...
  • Page 540 28.5.4 Troubleshooting All error messages and alerts are logged in the file /var/log/messages. If you cannot find the needed information, increase the verbosity of the messages of powersave using DEBUG in the file /etc/sysconfig/powersave/common. Increase the value of the variable to 7 or even 15 and restart the daemon. The more detailed error messages in /var/log/messages should help you to find the error.
  • Page 541 CPU Frequency Does Not Work Refer to the kernel sources (kernel-source) to see if your processor is supported. You may need a special kernel module or module option to activate CPU frequency control. This information is available in /usr/src/linux/Documentation/cpu-freq/*. If a special module or module option is needed, configure it in the file /etc/sysconfig/powersave/cpufreq by means of the variables CPUFREQD_MODULE and CPUFREQD_MODULE_OPTS.
  • Page 542: The YaST Power Management Module

    28.5.5 For More Information • /usr/share/doc/packages/powersave—Local Powersave daemon documentation • http://powersave.sourceforge.net—Most recent Powersave daemon documentation • http://www.opensuse.org/Projects_Powersave—Project page in the openSUSE wiki 28.6 The YaST Power Management Module The YaST power management module can configure all power management settings already described. When started from the YaST Control Center with System > Power Management, the first dialog of the module opens (see Figure 28.1, “Scheme Selection”...
  • Page 543 In this dialog, select the schemes to use for battery operation and AC operation. To add or modify the schemes, click Edit Schemes, which opens an overview of the existing schemes like that shown in Figure 28.2, “Overview of Existing Schemes” (page 525).
  • Page 544 Figure 28.3 Configuring a Scheme First, enter a suitable name and description for the new or edited scheme. Determine if and how the CPU performance should be controlled for this scheme. Decide if and to what extent frequency scaling and throttling should be used and whether processes with low priority (niced processes) should be ignored when adjusting the CPU frequency.
  • Page 545 Figure 28.4 Battery Charge Level The BIOS of your system notifies the operating system whenever the charge level drops under certain configurable limits. In this dialog, define three limits: Warning Capacity, Low Capacity, and Critical Capacity. Specific actions are triggered when the charge level drops under these limits.
  • Page 546 Figure 28.5 ACPI Settings Access the dialog for configuring the ACPI buttons using ACPI Settings. It is shown in Figure 28.5, “ACPI Settings” (page 528). The settings for the ACPI buttons determine how the system should respond to certain switches. Configure the system response to pressing the power button, pressing the sleep button, and closing the laptop lid.
  • Page 547: 29 Wireless Communication

    Wireless Communication Wireless LAN can be used to establish communication between your SUSE Linux Enterprise® machines. This chapter introduces the principles of wireless networking and the basic configuration for wireless networking. 29.1 Wireless LAN Wireless LANs have become an indispensable aspect of mobile computing. Today, most laptops have built-in WLAN cards.
  • Page 548 Table 29.1 Overview of Various WLAN Standards Name Band (GHz) Maximum Transmission Rate (Mbit/s) Note 802.11 Outdated; virtually no end devices available 802.11b Widespread 802.11a Less common 802.11g Backward-compatible with Additionally, there are proprietary standards, like the 802.11b variation of Texas Instruments with a maximum transmission rate of 22 Mbit/s (sometimes referred to as 802.11b+).
  • Page 549 • Texas Instruments ACX100, ACX111 • ZyDAS zd1201 A number of older cards that are rarely used and no longer available are also supported. An extensive list of WLAN cards and the chips they use is available at the Web site of AbsoluteValue Systems at http://www.linux-wlan.org/docs/wlan_adapters.html.gz.
  • Page 550 However, because WEP has proven to be insecure (see Section “Security” (page 538)), the WLAN industry (joined under the name Wi-Fi Alliance) has defined a new extension called WPA, which is supposed to eliminate the weaknesses of WEP. The later IEEE 802.11i standard (also referred to as WPA2, because WPA is based on a draft version 802.11i) includes WPA and some other authentication and encryption methods.
  • Page 551 terprises. In private networks, it is scarcely used. For this reason, WPA-EAP is sometimes referred to as WPA “Enterprise”. WPA-EAP needs a RADIUS server to authenticate users. EAP offers three different methods for connecting and authenticating to the server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).
  • Page 552: Configuration with YaST

    CCMP (defined in IEEE 802.11i) CCMP describes the key management. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. The encryption takes place according to AES and is stronger than the RC4 encryption of the WEP standard. 29.1.3 Configuration with YaST To configure your wireless network card, start the YaST Network Card module.
  • Page 553 Network Name (ESSID) All stations in a wireless network need the same ESSID for communicating with each other. If nothing is specified, the card automatically selects an access point, which may not be the one you intended to use. Authentication Mode Select a suitable authentication method for your network: Open, Shared Key, WPA-PSK, or WPA-EAP.
  • Page 554 cording to the length previously specified. ASCII requests an input of 5 characters for a 64-bit key and 13 characters for a 128-bit key. For Hexadecimal, enter 10 characters for a 64-bit key or 26 characters for a 128-bit key in hexadecimal notation. WPA-PSK To enter a key for WPA-PSK, select the input method Passphrase or Hexadecimal.
  • Page 555 system tries to use the highest possible data transmission rate. Some WLAN cards do not support the setting of bit rates. Access Point In an environment with several access points, one of them can be preselected by specifying the MAC address. 29.1.4 Utilities hostap (package hostap) is used to run a WLAN card as an access point.
  • Page 556 Security If you want to set up a wireless network, remember that anybody within the transmission range can easily access it if no security measures are implemented. Therefore, be sure to activate an encryption method. All WLAN cards and access points support WEP encryption.
  • Page 557 to use WPA, read /usr/share/doc/packages/wireless-tools/README.prism2. WPA support is quite new in SUSE Linux Enterprise and still under development. Thus, YaST does not support the configuration of all WPA authentication methods. Not all wireless LAN cards and drivers support WPA. Some cards need a firmware update to enable WPA.
  • Page 559: Part IV Services

    Part IV. Services...
  • Page 561: 30 Basic Networking

    Basic Networking Linux offers the necessary networking tools and features for integration into all types of network structures. The customary Linux protocol, TCP/IP, has various services and special features, which are discussed here. Network access using a network card, modem, or other device can be configured with YaST.
  • Page 562 Table 30.1 Several Protocols in the TCP/IP Protocol Family Protocol Description Transmission Control Protocol: A connection-oriented secure protocol. The data to transmit is first sent by the application as a stream of data then converted by the operating system to the appropriate format. The data arrives at the respective application on the destination host in the original data stream format in which it was initially sent.
  • Page 563 Figure 30.1 Simplified Layer Model for TCP/IP (hosts sun and earth; layers on each host: Application Layer (Applications), Transport Layer (TCP, UDP), Network Layer, Data Link Layer (Ethernet, FDDI, ISDN), Physical Layer (Cable, Fiberglass); data transfer takes place between the hosts) The diagram provides one or two examples for each layer.
  • Page 564: IP Addresses and Routing

    located at the end of the packet, not at the beginning. This simplifies things for the network hardware. Figure 30.2 TCP/IP Ethernet Packet (Usage Data (maximum 1460 bytes); TCP (Layer 4) Protocol Header (approx. 20 bytes); IP (Layer 3) Protocol Header (approx. 20 bytes); Ethernet (Layer 2) Protocol Header (approx.
  • Page 565 30.1.1 IP Addresses Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Example 30.1, “Writing IP Addresses” (page 547). Example 30.1 Writing IP Addresses IP Address (binary): 11000000 10101000 00000000 00010100 IP Address (decimal):...
  • Page 566 Example 30.2 Linking IP Addresses to the Netmask
    IP address (192.168.0.20):  11000000 10101000 00000000 00010100
    Netmask (255.255.255.0):    11111111 11111111 11111111 00000000
    ---------------------------------------------------------------
    Result of the link:         11000000 10101000 00000000 00000000
    In the decimal system:      192.     168.     0.       0
    IP address (213.95.15.200): 11010101 10111111 00001111 11001000
    Netmask (255.255.255.0):    11111111 11111111 11111111 00000000
    ---------------------------------------------------------------...
  • Page 567: IPv6—The Next Generation Internet

    Address Type Description ample therefore results in 192.168.0.255. This address cannot be assigned to any hosts. Local Host The address 127.0.0.1 is assigned to the “loopback device” on each host. A connection can be set up to your own machine with this address.
  • Page 568 .cern.ch) invented the WWW in 1990, the number of Internet hosts has grown from a few thousand to about a hundred million. As mentioned, an IPv4 address consists of only 32 bits. Also, quite a few IP addresses are lost—they cannot be used due to the way in which networks are organized. The number of addresses available in your subnet is two to the power of the number of bits, minus two.
  • Page 569 Autoconfiguration IPv6 makes the network “plug and play” capable, which means that a newly set up system integrates into the (local) network without any manual configuration. The new host uses its automatic configuration mechanism to derive its own address from the information made available by the neighboring routers, relying on a protocol called the neighbor discovery (ND) protocol.
  • Page 570 or each host individually through unicasting). Which hosts are addressed as a group may depend on the concrete application. There are some predefined groups to address all name servers (the all name servers multicast group), for example, or all routers (the all routers multicast group).
  • Page 571 An IPv6 address is made up of eight four-digit fields, each representing 16 bits, written in hexadecimal notation. They are also separated by colons (:). Any leading zero bytes within a given field may be dropped, but zeros within the field or at its end may not. Another convention is that more than four consecutive zero bytes may be collapsed into a double colon.
  • Page 572 Prefix (hex): 2 or 3 as the first digit. Definition: Aggregatable global unicast addresses. As is the case with IPv4, an interface can be assigned to form part of a certain subnetwork. Currently, there are the following address spaces: 2001::/16 (production quality address space) and 2002::/16 (6to4 address space).
  • Page 573 On top of this basic structure, IPv6 distinguishes between five different types of unicast addresses: :: (unspecified) This address is used by the host as its source address when the interface is initialized for the first time—when the address cannot yet be determined by other means. ::1 (loopback) The address of the loopback device.
  • Page 574 matically using the MAC and a known prefix with the result that all hosts on the local network can be reached as soon as IPv6 is enabled (using the link-local address). With the MAC forming part of it, any IP address used in the world is unique. The only variable parts of the address are those specifying the site topology and the public topology, depending on the actual network in which the host is currently operating.
  • Page 575 However, the configuration and maintenance of static tunnels is often too labor-intensive to use them for daily communication needs. Therefore, IPv6 provides for three different methods of dynamic tunneling: 6over4 IPv6 packets are automatically encapsulated as IPv4 packets and sent over an IPv4 network capable of multicasting.
  • Page 576: Name Resolution

    tions which prefix to use for the IPv6 addresses and which routers. Alternatively, use zebra for automatic configuration of both addresses and routing. Consult the ifup(8) man page to get information about how to set up various types of tunnels using the /etc/sysconfig/network files. 30.2.5 For More Information The above overview does not cover the topic of IPv6 comprehensively.
  • Page 577 Consider a complete name, such as earth.example.com, written in the format hostname.domain. A full name, referred to as a fully qualified domain name (FQDN), consists of a hostname and a domain name (example.com). The latter also includes the top level domain or TLD (com). TLD assignment has become quite confusing for historical reasons.
  • Page 578: Configuring a Network Connection with YaST

    NOTE: MDNS and .local Domain Names The .local top level domain is treated as a link-local domain by the resolver. DNS requests are sent as multicast DNS requests instead of normal DNS requests. If you already use the .local domain in your nameserver configuration, you must switch this option off in /etc/host.conf.
  • Page 579 30.4.1 Configuring the Network Card with YaST To configure your wired or wireless network card in YaST, select Network Devices > Network Card. After starting the module, YaST displays a general network configuration dialog. Choose whether to use YaST or NetworkManager to manage all your network devices.
  • Page 580 Figure 30.3 Configuring a Network Card Changing the Configuration of a Network Card To change the configuration of a network card, select a card from the list of the detected cards in the YaST network card configuration module and click Edit. The Network Address Setup dialog appears in which to adjust the card configuration using the Address and General tabs.
  • Page 581 DHCP should also be used for a DSL line with no static IP assigned by the ISP. If you decide to use DHCP, configure the details in DHCP Client Options. Find this dialog from the Address tab by selecting Advanced > DHCP Options. Specify whether the DHCP server should always honor broadcast requests and any identifier to use.
  • Page 582 5 Click OK. 6 Click OK again. 7 Click Next. 8 To activate the configuration, click Finish. Configuring Hostname and DNS If you did not change the network configuration during installation and the wired card was available, a hostname was automatically generated for your computer and DHCP was activated.
  • Page 583 Configuring Routing To make your machine communicate with other machines and other networks, routing information must be given to make network traffic take the correct path. If DHCP is used, this information is automatically provided. If a static setup is used, this data must be added manually.
  • Page 584 Starting the Device If you use the traditional method with ifup, you can configure your device to start during boot, on cable connection, on card detection, manually, or never. To change device start-up, proceed as follows: 1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
  • Page 585 from the internal network and from the Internet, but cannot access the internal network. External Zone The firewall is run on this interface and fully protects it against other (presumably hostile) network traffic. This is the default option. 4 Click Next. 5 Activate the configuration by clicking Finish.
  • Page 586 If you selected Wireless as the device type of the interface, configure the wireless connection in the next dialog. Detailed information about wireless device configuration is available in Section 29.1, “Wireless LAN” (page 529). 5 In the General tab, set the Firewall Zone and Device Activation. With User Controlled, grant connection control to ordinary users.
  • Page 587 Figure 30.4 Modem Configuration If behind a private branch exchange (PBX), you may need to enter a dial prefix. This is often a zero. Consult the instructions that came with the PBX to find out. Also select whether to use tone or pulse dialing, whether the speaker should be on, and whether the modem should wait until it detects a dial tone.
  • Page 588 In the last dialog, specify additional connection options: Dial on Demand If you enable dial on demand, set at least one name server. Modify DNS when Connected This option is enabled by default, with the effect that the name server address is updated each time you connect to the Internet.
  • Page 589 30.4.3 ISDN TIP: IBM System z: ISDN The configuration of this type of hardware is not supported on IBM System z platforms. Use this module to configure one or several ISDN cards for your system. If YaST did not detect your ISDN card, click Add and manually select it. Multiple interfaces are possible, but several ISPs can be configured for one interface.
  • Page 590 you to load the ISDN driver as root with the command rcisdn start. On Hotplug, used for PCMCIA or USB devices, loads the driver after the device is plugged in. When finished with these settings, select OK. In the next dialog, specify the interface type for your ISDN card and add ISPs to an existing interface.
  • Page 591 1. Smaller private branch exchanges (PBX) built for home purposes mostly use the Euro-ISDN (EDSS1) protocol for internal calls. These exchanges have an internal S0 bus and use internal numbers for the equipment connected to them. Use one of the internal numbers as your MSN. You should be able to use at least one of the exchange's MSNs that have been enabled for direct outward dialing.
  • Page 592 still need to provide a placeholder address like 192.168.22.99. If your ISP does not support dynamic DNS, specify the name server IP addresses of the ISP. If desired, specify a time-out for the connection—the period of network inactivity (in seconds) after which the connection should be automatically terminated.
  • Page 593 To configure your DSL device, select the DSL module from the YaST Network Devices section. This YaST module consists of several dialogs in which to set the parameters of DSL links based on one of the following protocols: • PPP over Ethernet (PPPoE) •...
  • Page 594 Figure 30.7 DSL Configuration To begin the DSL configuration (see Figure 30.7, “DSL Configuration” (page 576)), first select the PPP mode and the ethernet card to which the DSL modem is connected (in most cases, this is eth0). Then use Device Activation to specify whether the DSL link should be established during the boot process.
  • Page 595 The configuration of T-DSL is very similar to the DSL setup. Just select T-Online as your provider and YaST opens the T-DSL configuration dialog. In this dialog, provide some additional information required for T-DSL—the line ID, the T-Online number, the user code, and your password. All of these should be included in the information you received after subscribing to T-DSL.
  • Page 596 Choose the Device Settings that fit your devices (usually this would be Compatibility mode). Specify both your IP address and the IP address of the remote partner. If needed, adjust the MTU size with Advanced > Detailed Settings. Leave the network configuration with Next and Finish.
  • Page 597: Managing Network Connections with NetworkManager

    30.5 Managing Network Connections with NetworkManager NetworkManager is the ideal solution for a mobile workstation. With NetworkManager, you do not need to worry about reconfiguring network interfaces and switching between networks when your location changes. NetworkManager can automatically connect to known WLAN networks.
  • Page 598 the network configuration with YaST in Section 30.4, “Configuring a Network Connection with YaST” (page 560) and Section 29.1, “Wireless LAN” (page 529). Configure supported wireless cards directly in NetworkManager. To configure NetworkManager, use NetworkManager applets. KDE and GNOME each have their own applets for NetworkManager.
  • Page 599: Configuring a Network Connection Manually

    30.5.2 For More Information Find more information about NetworkManager on the following Web sites and directories: • http://www.gnome.org/projects/NetworkManager/—NetworkManager project page • http://en.opensuse.org/Projects/KNetworkManager—NetworkManager KNetworkManager project page 30.6 Configuring a Network Connection Manually Manual configuration of the network software should always be the last alternative. Using YaST is recommended.
  • Page 600 with which they are associated. Because the former mapping of drivers to interface name required static interface names, this mapping can no longer take place in /etc/modprobe.conf. In the new concept, alias entries in this file would cause undesirable side effects.
  • Page 601 external, internal, or dmz. Make sure that the same interface name is not used twice. Allowed characters in interface names are restricted to [a-zA-Z0-9]. A persistent name can only be assigned to an interface immediately after its registration, which means that the driver of the network card must be reloaded or hwup device description must be executed.
  • Page 602: Configuration Files

    Configuration Stage / Command / Function:
    Interface / getcfg: getcfg can be used to query the interface name associated with a configuration name or a hardware description. More information is available in the manual page of getcfg.
    Interface / if{up,down,status}: The if* scripts start existing network interfaces or return the status of the specified interface.
  • Page 603 ►zseries: IBM System z does not support USB. The names of the interface files and network aliases contain System z-specific elements like qeth. ◄ /etc/sysconfig/network/{config,dhcp,wireless} The file config contains general settings for the behavior of ifup, ifdown, and ifstatus. dhcp contains settings for DHCP and wireless for wireless LAN cards.
  • Page 604 An (optional) fifth column can be used to specify the type of a route. Columns that are not needed should contain a minus sign - to ensure that the parser correctly interprets the command. For details, refer to the routes(5) man page. /etc/resolv.conf The domain to which the host belongs is specified in this file (keyword search).
  • Page 605 YaST uses the command modify_resolvconf check to find out whether resolv.conf has been modified and subsequently warns the user that changes will be lost after restoring the file. Apart from this, YaST does not rely on modify_resolvconf, which means that the impact of changing resolv.conf through YaST is the same as that of any manual change.
  • Page 606 current glibc programs, refer to the settings in /etc/nsswitch.conf. A parameter must always stand alone in its own line. Comments are preceded by a # sign. Table 30.6, “Parameters for /etc/host.conf” (page 588) shows the parameters available. A sample /etc/host.conf is shown in Example 30.8, “...
  • Page 607 /etc/nsswitch.conf The introduction of the GNU C Library 2.0 was accompanied by the introduction of the Name Service Switch (NSS). Refer to the nsswitch.conf(5) man page and The GNU C Library Reference Manual for details. The order for queries is defined in the file /etc/nsswitch.conf. A sample nsswitch.conf is shown in Example 30.9, “/etc/nsswitch.conf”...
  • Page 608 hosts: For hostnames and IP addresses, used by gethostbyname and similar functions.
    netgroup: Valid host and user lists in the network for the purpose of controlling access permissions; see the netgroup(5) man page.
    networks: Network names and addresses, used by getnetent.
    User passwords, used by getpwent;...
  • Page 609 /etc/nscd.conf This file is used to configure nscd (name service cache daemon). See the nscd(8) and nscd.conf(5) man pages. By default, the system entries of passwd and groups are cached by nscd. This is important for the performance of directory services, like NIS and LDAP, because otherwise the network connection needs to be used for every access to names or groups.
  • Page 610 link This object represents a network device. address This object represents the IP address of a device. neighbour This object represents an ARP or NDISC cache entry. route This object represents the routing table entry. rule This object represents a rule in the routing policy database. maddress This object represents a multicast address.
  • Page 611 To display all devices, use ip link ls. To display the running interfaces only, use ip link ls up. To print interface statistics for a device, enter ip -s link ls device_name. To view addresses of your devices, enter ip addr. In the output of ip addr, also find information about the MAC addresses of your devices.
  • Page 612 The default interval between two packets is one second. To change the interval, ping provides the option -i. For example, to increase the ping interval to ten seconds, enter ping -i 10 192.168.0. In a system with multiple network devices, it is sometimes useful to send the ping through a specific interface address.
  • Page 613 Example 30.11 Output of the ifconfig Command
    eth0      Link encap:Ethernet  HWaddr 00:08:74:98:ED:51
              inet6 addr: fe80::208:74ff:fe98:ed51/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:634735 errors:0 dropped:0 overruns:4 frame:0
              TX packets:154779 errors:0 dropped:0 overruns:0 carrier:1
              collisions:0 txqueuelen:1000
              RX bytes:162531992 (155.0 Mb)  TX bytes:49575995 (47.2 Mb)
              Interrupt:11 Base address:0xec80
              Link encap:Local Loopback
              inet addr:127.0.0.1...
  • Page 614 Example 30.12 Output of the route -n Command
    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    10.20.0.0                       255.255.248.0                     0    eth0
    link-local                      255.255.0.0                       0    eth0
    loopback                        255.0.0.0                         0    lo
    default         styx.exam.com   0.0.0.0                           0    eth0
    For more options and information about using route, enter route -h or see the route(8) man page.
  • Page 615: smpppd as Dial-up Assistant

    /etc/init.d/ypserv Starts the NIS server. /etc/init.d/ypbind Starts the NIS client. 30.7 smpppd as Dial-up Assistant Some home users do not have a dedicated line connecting them to the Internet. Instead, they use dial-up connections. Depending on the dial-up method (ISDN or DSL), the connection is controlled by ipppd or pppd.
  • Page 616 bind-address = ip address If a host has several IP addresses, use this parameter to determine at which IP address smpppd should accept connections. The default is to listen at all addresses. host-range = min ip max ip The parameter host-range defines a network range. Hosts whose IP addresses are within this range are granted access to smpppd.
  • Page 617 server = server Here, specify the host on which smpppd runs. password = password Insert the password selected for smpppd. If smpppd is active, you can now try to access it, for example, with cinternet --verbose --interface-list. If you experience difficulties at this point, refer to the smpppd-c.conf(5) and cinternet(8) man pages.
  • Page 619: 31 SLP Services in the Network

    SLP Services in the Network The service location protocol (SLP) was developed to simplify the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network.
  • Page 620: SLP Front-Ends in SUSE Linux Enterprise

    rcslpd start as root to start it and rcslpd stop to stop it. Perform a restart or status check with restart or status. If slpd should be active by default, enable slpd in YaST System > System Services (Runlevel) or run the insserv slpd command once as root.
  • Page 621: Providing Services with SLP

    31.4 Providing Services with SLP Many applications in SUSE Linux Enterprise already have integrated SLP support through the use of the libslp library. If a service has not been compiled with SLP support, use one of the following methods to make it available with SLP: Static Registration with /etc/slp.reg.d Create a separate registration file for each new service.
  • Page 622: For More Information

    Static Registration with /etc/slp.reg The only difference from the procedure with /etc/slp.reg.d is the grouping of all services within a central file. Dynamic Registration with slptool If a service should be registered for SLP from proprietary scripts, use the slptool command line front-end.
  • Page 623: 32 Time Synchronization with NTP

    Time Synchronization with NTP The NTP (network time protocol) mechanism is a protocol for synchronizing the system time over the network. First, a machine can obtain the time from a server that is a reliable time source. Second, a machine can itself act as a time source for other computers in the network.
  • Page 624 firewall-protected system, the advanced configuration can open the required ports in SuSEfirewall2. 32.1.1 Quick NTP Client Configuration The quick NTP client configuration (Network Services > NTP Configuration) consists of two dialogs. Set the start mode of xntpd and the server to query in the first dialog. To start xntpd automatically when the system is booted, click During Boot.
  • Page 625 dialog, test the availability of the selected server with Test and quit the dialog with Finish. 32.1.2 Advanced NTP Client Configuration The advanced configuration of an NTP client can be accessed under Advanced Configuration from the main dialog of the NTP Configuration module, shown in Figure 32.1, “YaST: Configuring an NTP Client”...
  • Page 626 The servers and other time sources for the client to query are listed in the lower part. Modify this list as needed with Add, Edit, and Delete. Display Log provides the possibility to view the log files of your client. Click Add to add a new source of time information.
  • Page 627: Configuring xntp in the Network

    32.2 Configuring xntp in the Network The easiest way to use a time server in the network is to set server parameters. For example, if a time server called ntp.example.com is reachable from the network, add its name to the file /etc/ntp.conf by adding the following line: server ntp.example.com To add more time servers, insert additional lines with the keyword server.
  • Page 628 127.127.t.u. Here, t stands for the type of the clock and determines which driver is used and u for the unit, which determines the interface used. Normally, the individual drivers have special parameters that describe configuration details. The file /usr/share/doc/packages/xntp-doc/drivers/driverNN.html (where NN is the number of the driver) provides information about the particular type of clock.
  • Page 629: 33 The Domain Name System

    The Domain Name System DNS (domain name system) is needed to resolve the domain names and hostnames into IP addresses. In this way, the IP address 192.168.0.1 is assigned to the hostname earth, for example. Before setting up your own name server, read the general information about DNS in Section 30.3, “Name Resolution”...
  • Page 630: Configuration with YaST

    (not expired) zone data. If the slave cannot obtain a new copy of the zone data, it stops responding for the zone. Forwarder Forwarders are DNS servers to which your DNS server should send queries it cannot answer. Record The record is information about name and IP address. Supported records and their syntax are described in BIND documentation.
  • Page 631 1 When starting the module for the first time, the Forwarder Settings dialog, shown in Figure 33.1, “DNS Server Installation: Forwarder Settings” (page 613), opens. In it, decide whether the PPP daemon should provide a list of forwarders on dial-up via DSL or ISDN (PPP Daemon Sets Forwarders) or whether you want to supply your own list (Set Forwarders Manually).
  • Page 632 Figure 33.2 DNS Server Installation: DNS Zones 3 In the final dialog, you can open the DNS port in the firewall by clicking Open Port in Firewall. Then decide whether or not the DNS server should be started (On or Off). You can also activate LDAP support. See Figure 33.3, “DNS Server Installation: Finish Wizard”...
  • Page 633 Figure 33.3 DNS Server Installation: Finish Wizard 33.2.2 Expert Configuration After starting the module, YaST opens a window displaying several configuration options. Completing it results in a DNS server configuration with the basic functions in place: Starting the DNS Server Under Service Start, define whether the DNS server should be started when the system boots (during booting the system) or manually.
  • Page 634 DNS Server: Basic Options In this section, set basic server options. From the Option menu, select the desired item then specify the value in the corresponding entry field. Include the new entry by selecting Add. Logging To set what the DNS server should log and how, select Logging. Under Log Type, specify where the DNS server should write the log data.
  • Page 635 Using ACLs Use this window to define ACLs (access control lists) to enforce access restrictions. After providing a distinct name under Name, specify an IP address (with or without netmask) under Value in the following fashion: { 10.10/16; } The syntax of the configuration file requires that the address ends with a semicolon and is put into curly braces.
  • Page 636 Figure 33.5 DNS Server: Slave Zone Editor Adding a Master Zone To add a master zone, select DNS Zones, choose the zone type Master, write the name of the new zone, and click Add. Editing a Master Zone To edit a master zone, select DNS Zones, choose the zone type Master, select the master zone from the table, and click Edit.
  • Page 637 Figure 33.6 DNS Server: Zone Editor (Basic) Zone Editor (NS Records) This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under Name Server to Add then confirm with Add.
  • Page 638 Figure 33.7 DNS Server: Zone Editor (NS Records) Zone Editor (MX Records) To add a mail server for the current zone to the existing list, enter the corresponding address and priority value. After doing so, confirm by selecting Add. See Figure 33.8, “DNS Server: Zone Editor (MX Records)”...
  • Page 639 Figure 33.8 DNS Server: Zone Editor (MX Records) Zone Editor (SOA) This page allows you to create SOA (start of authority) records. For an explanation of the individual options, refer to Example 33.6, “File /var/lib/named/world.zone” (page 629). Changing SOA records is not supported for dynamic zones managed via LDAP.
  • Page 640: Starting the Name Server BIND

    Figure 33.9 DNS Server: Zone Editor (SOA) Zone Editor (Records) This dialog manages name resolution. In Record Key, enter the hostname then select its type. A-Record represents the main entry. The value for this should be an IP address. CNAME is an alias. Use the types NS and MX for detailed or partial records that expand on the information provided in the NS Records and MX Records tabs.
  • Page 641 a proper DNS. A simple example of this is included in the documentation in /usr/ share/doc/packages/bind/config. TIP: Automatic Adaptation of the Name Server Information Depending on the type of Internet connection or the network connection, the name server information can automatically be adapted to the current conditions. To do this, set the variable MODIFY_NAMED_CONF_DYNAMICALLY in the file /etc/sysconfig/network/config to yes.
  • Page 642: The Configuration File /etc/named.conf

    The options entry is followed by entries for the zone, localhost, and 0.0.127.in-addr.arpa. The type hint entry under “.” should always be present. The corresponding files do not need to be modified and should work as they are. Also make sure that each entry is closed with a “;” and that the curly braces are in the correct places.
  • Page 643 Example 33.2 A Basic /etc/named.conf
    options {
            directory "/var/lib/named";
            forwarders { 10.0.0.1; };
            notify no;
    };
    zone "localhost" in {
           type master;
           file "localhost.zone";
    };
    zone "0.0.127.in-addr.arpa" in {
           type master;
           file "127.0.0.zone";
    };
    zone "." in {
           type hint;
           file "root.hint";
    };
    33.4.1 Important Configuration Options directory "filename";...
  • Page 644 127.0.0.1 to permit requests from the local host. If you omit this entry entirely, all interfaces are used by default. listen-on-v6 port 53 {any; }; Tells BIND on which port it should listen for IPv6 client requests. The only alternative to any is none.
  • Page 645 notify no; no prevents other name servers from being informed when changes are made to the zone data or when the name server is restarted. 33.4.2 Logging What, how, and where logging takes place can be extensively configured in BIND. Normally, the default settings should be sufficient.
  • Page 646: Zone Files

    The zone options: type master; By specifying master, tell BIND that the zone is handled by the local name server. This assumes that a zone file has been created in the correct format. type slave; This zone is transferred from another name server. It must be used together with masters.
  • Page 647 TIP: Using the Dot in Zone Files The . has an important meaning in the zone files. If hostnames are given without a final ., the zone is appended. Complete hostnames specified with a full domain name must end with a . to avoid having the domain added to it again.
  • Page 648 • After IN SOA is the name of the name server in charge as master for this zone. The name is expanded from gateway to gateway.world.cosmos, because it does not end with a .. • An e-mail address of the person in charge of this name server follows. Because the @ sign already has a special meaning, .
  • Page 649 Line 10: The MX record specifies the mail server that accepts, processes, and forwards e-mails for the domain world.cosmos. In this example, this is the host sun.world.cosmos. The number in front of the hostname is the preference value. If there are multiple MX entries, the mail server with the smallest value is taken first and, if mail delivery to this server fails, an attempt is made with the next higher value.
  • Page 650 The pseudodomain in-addr.arpa is used for the reverse lookup of IP addresses into hostnames. It is appended to the network part of the address in reverse notation. So 192.168.1 is resolved into 1.168.192.in-addr.arpa. See Example 33.7, “Reverse Lookup” (page 632). Example 33.7 Reverse Lookup $TTL 2D 1.168.192.in-addr.arpa.
  • Page 651: Dynamic Update of Zone Data

    the . at the end. Appending the zone to this (without the .in-addr.arpa) results in the complete IP address in reverse order. Normally, zone transfers between different versions of BIND should be possible without any problem. 33.6 Dynamic Update of Zone Data The term dynamic update refers to operations by which entries in the zone files of a master server are added, changed, or deleted.
  • Page 652 The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files. To use it for transactions, the second file (Khost1-host2.+157+34265.key) must be transferred to the remote host, preferably in a secure way (using scp, for example). On the remote server, the key must be included in the file /etc/named.conf to enable a secure communication between host1 and host2: key host1-host2.
  • Page 653: DNS Security

    33.8 DNS Security DNSSEC, or DNS security, is described in RFC 2535. The tools available for DNSSEC are discussed in the BIND Manual. A zone considered secure must have one or several zone keys associated with it. These are generated with dnssec-keygen, just like the host keys. The DSA encryption algorithm is currently used to generate these keys.
  • Page 655: 34 DHCP

    DHCP The purpose of the dynamic host configuration protocol (DHCP) is to assign network settings centrally from a server rather than configuring them locally on each and every workstation. A host configured to use DHCP does not have control over its own static address.
  • Page 656: Configuring a DHCP Server with YaST

    uring numerous workstations. Also it is much easier to integrate machines, particularly new machines, into the network, because they can be given an IP address from the pool. Retrieving the appropriate network settings from a DHCP server is especially useful in the case of laptops regularly used in different networks.
  • Page 657 Interfaces to open the firewall for this interface. See Figure 34.1, “DHCP Server: Card Selection” (page 639). Figure 34.1 DHCP Server: Card Selection Global Settings Use the check box to determine whether your DHCP settings should be automatically stored by an LDAP server. In the entry fields, provide the network specifics for all clients the DHCP server should manage.
  • Page 658 Figure 34.2 DHCP Server: Global Settings Dynamic DHCP In this step, configure how dynamic IP addresses should be assigned to clients. To do so, specify an IP range from which the server can assign addresses to DHCP clients. All these addresses must be covered by the same netmask. Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease.
  • Page 659 Figure 34.3 DHCP Server: Dynamic DHCP Finishing the Configuration and Setting the Start Mode After the third part of the configuration wizard, a last dialog is shown in which you can define how the DHCP server should be started. Here, specify whether to start the DHCP server automatically when the system is booted or manually when needed (for example, for test purposes).
  • Page 660 Figure 34.4 DHCP Server: Start-Up Host Management Instead of using dynamic DHCP in the way described in the preceding sections, you can also configure the server to assign addresses in quasi-static fashion. To do so, use the entry fields provided in the lower part to specify a list of the clients to manage in this way.
  • Page 661 Figure 34.5 DHCP Server: Host Management 34.1.2 Expert Configuration In addition to the configuration method discussed earlier, there is also an expert configuration mode that allows you to tweak the DHCP server setup in every detail. Start the expert configuration by selecting Expert Settings in the tree view in the left part of the dialog.
  • Page 662 Figure 34.6 DHCP Server: Chroot Jail and Declarations Selecting the Declaration Type The Global Options of the DHCP server are made up of a number of declarations. This dialog lets you set the declaration types Subnet, Host, Shared Network, Group, Pool of Addresses, and Class.
  • Page 663 Figure 34.7 DHCP Server: Selecting a Declaration Type Subnet Configuration This dialog allows you to specify a new subnet with its IP address and netmask. In the middle part of the dialog, modify the DHCP server start options for the selected subnet using Add, Edit, and Delete.
  • Page 664 Figure 34.8 DHCP Server: Configuring Subnets TSIG Key Management If you chose to configure dynamic DNS in the previous dialog, you can now configure the key management for a secure zone transfer. Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS (see Figure 34.10, “DHCP Server: Interface Configuration for Dynamic DNS”...
  • Page 665 Figure 34.9 DHCP Server: TSIG Configuration Dynamic DNS: Interface Configuration You can now activate dynamic DNS for the subnet by selecting Enable Dynamic DNS for This Subnet. After doing so, use the drop-down list to choose the TSIG keys for forward and reverse zones, making sure that keys are the same for the DNS and the DHCP server.
  • Page 666 Figure 34.10 DHCP Server: Interface Configuration for Dynamic DNS Network Interface Configuration To define the interfaces where the DHCP server should listen and to adjust the firewall configuration, select Advanced > Interface Configuration from the expert configuration dialog. From the list of interfaces displayed, select one or more that should be attended by the DHCP server.
  • Page 667: DHCP Software Packages

    Figure 34.11 DHCP Server: Network Interface and Firewall After completing all configuration steps, close the dialog with Ok. The server is now started with its new configuration. 34.2 DHCP Software Packages Both a DHCP server and DHCP clients are available for SUSE Linux Enterprise. The DHCP server available is dhcpd (published by the Internet Software Consortium).
  • Page 668: The DHCP Server dhcpd

    34.3 The DHCP Server dhcpd The core of any DHCP system is the dynamic host configuration protocol daemon. This server leases addresses and watches how they are used, according to the settings defined in the configuration file /etc/dhcpd.conf. By changing the parameters and values in this file, a system administrator can influence the program's behavior in numerous ways.
  • Page 669 before setting up DHCP. That name server should also define a hostname for each dynamic address and vice versa. To learn how to configure your own name server, read Chapter 33, The Domain Name System (page 611). • The line option broadcast-address defines the broadcast address the requesting client should use.
  • Page 670 there were not enough addresses available and the server needed to redistribute them among clients. To identify a client configured with a static address, dhcpd uses the hardware address, which is a globally unique, fixed numerical code consisting of six octet pairs for the identification of all network devices (for example, 00:00:45:12:EE:F4).
  • Page 671: For More Information

    Control the server's behavior regarding this feature by means of entries in the file /etc/sysconfig/dhcpd. To run dhcpd without the chroot environment, set the variable DHCPD_RUN_CHROOTED in /etc/sysconfig/dhcpd to “no”. To enable dhcpd to resolve hostnames even from within the chroot environment, some other configuration files must be copied as well: •...
  • Page 673: 35 Using NIS

    Using NIS As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to users: whatever machines they use, they always find themselves in exactly the same environment.
  • Page 674 and set up slave servers in the subnets as described in Section 35.1.2, “Configuring a NIS Slave Server” (page 660). 35.1.1 Configuring a NIS Master Server To configure a NIS master server for your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers, select Install and set up NIS Master Server.
  • Page 675 Enter the NIS domain name. 3b Define whether the host should also be a NIS client, enabling users to log in and access data from the NIS server, by selecting This host is also a NIS client. Select Changing of passwords to allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd).
  • Page 676 3e Leave this dialog with Next or click Other global settings to make additional settings. Other global settings include changing the source directory of the NIS server (/etc by default). In addition, passwords can be merged here. The setting should be Yes so the files (/etc/passwd, /etc/shadow, and /etc/group) are used to build the user database.
  • Page 677 Figure 35.4 NIS Server Maps Setup 7 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. In this case, there should be the following two entries: 255.0.0.0 127.0.0.0...
  • Page 678 Figure 35.5 Setting Request Permissions for a NIS Server 8 Click Finish to save changes and exit the setup. 35.1.2 Configuring a NIS Slave Server To configure additional NIS slave servers in your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 Select Install and set up NIS Slave Server and click Next.
  • Page 679: Configuring NIS Clients

    3c Set This host is also a NIS client if you want to enable user logins on this server. 3d Adapt the firewall settings with Open Ports in Firewall. 3e Click Next. 4 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button.
  • Page 680 In the expert settings, disable Answer Remote Hosts if you do not want other hosts to be able to query which server your client is using. By checking Broken Server, the client is enabled to receive replies from a server communicating through an unprivileged port. For further information, see man ypbind.
  • Page 681: 36 LDAP—A Directory Service

    LDAP—A Directory Service The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
  • Page 682: LDAP versus NIS

    • Because write accesses can only be executed in a restricted fashion, a directory service is used to administer mostly unchanging, static information. Data in a conventional database typically changes very often (dynamic data). Phone numbers in a company directory do not change nearly as often as, for example, the figures administered in accounting.
  • Page 683: Structure of an LDAP Directory Tree

    • Mail routing (postfix, sendmail) • Address books for mail clients, like Mozilla, Evolution, and Outlook • Administration of zone descriptions for a BIND9 name server • User authentication with Samba in heterogeneous networks This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.
  • Page 684 leaf These objects sit at the end of a branch and have no subordinate objects. Examples are person, InetOrgPerson, or groupofNames. The top of the directory hierarchy has a root element root. This can contain c (country), dc (domain component), or o (organization) as subordinate elements. The relations within an LDAP directory tree become more evident in the following example, shown Figure 36.1, “Structure of an LDAP Directory”...
  • Page 685 is, however, possible to create custom schemes or to use multiple schemes complementing each other if this is required by the environment in which the LDAP server should operate. Table 36.1, “Commonly Used Object Classes and Attributes” (page 667) offers a small overview of the object classes from core.schema and inetorgperson.schema used in the example, including required attributes and valid attribute values.
  • Page 686 Example 36.1 Excerpt from schema.core #1 attributetype (2.5.4.11 NAME ( 'ou' 'organizationalUnitName') DESC 'RFC2256: organizational unit this object belongs to' SUP name ) #4 objectclass ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou #8 MAY (userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber...
  • Page 687: Server Configuration with slapd.conf

    36.3 Server Configuration with slapd.conf Your installed system contains a complete configuration file for your LDAP server at /etc/openldap/slapd.conf. The single entries are briefly described here and necessary adjustments are explained. Entries prefixed with a hash (#) are inactive. This comment character must be removed to activate them.
  • Page 688 Example 36.4 slapd.conf: Access Control
    # Sample Access Control
    #       Allow read access of root DSE
    #       Allow self write access
    #       Allow authenticated users read access
    #       Allow anonymous users to authenticate
    #
    access to dn="" by * read
    access to * by self write
                by users read
                by anonymous auth
    #
    # if no access controls are present, the default is:...
  • Page 689 • what is a placeholder for the object or attribute to which access is granted. Individual directory branches can be protected explicitly with separate rules. It is also possible to process regions of the directory tree with one rule by using regular expressions.
  • Page 690 Scope of Access: compare (to objects for comparison access), search (for the employment of search filters), read (read access), write (write access). slapd compares the access right requested by the client with those granted in slapd.conf. The client is granted access if the rules allow a higher or equal right than the requested one.
  • Page 691 Apart from the possibility to administer access permissions with the central server configuration file (slapd.conf), there is access control information (ACI). ACI allows storage of the access information for individual objects within the LDAP tree. This type of access control is not yet common and is still considered experimental by the developers.
  • Page 692 rootdn determines who owns administrator rights to this server. The user declared here does not need to have an LDAP entry or exist as regular user. rootpw sets the administrator password. Instead of using secret here, it is possible to enter the hash of the administrator password created by slappasswd. The directory directive indicates the directory in the file system where the database directories are stored on the server.
  • Page 693: Data Handling in the LDAP Directory

    The YaST runlevel editor, described in Section 20.2.3, “Configuring System Services (Runlevel) with YaST” (page 398), can be used to have the server started and stopped automatically on boot and halt of the system. It is also possible to create the corresponding links to the start and stop scripts with the insserv command from a command prompt as described in Section 20.2.2, “Init Scripts”...
  • Page 694 Example 36.7 Example for an LDIF File
    # The Organization
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    o: Example
    dc: example
    # The organizational unit development (devel)
    dn: ou=devel,dc=example,dc=com
    objectClass: organizationalUnit
    ou: devel
    # The organizational unit documentation (doc)
    dn: ou=doc,dc=example,dc=com
    objectClass: organizationalUnit
    ou: doc
    # The organizational unit internal IT (it)
  • Page 695 Example 36.8 ldapadd with example.ldif
    ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif
    Enter LDAP password:
    adding new entry "dc=example,dc=com"
    adding new entry "ou=devel,dc=example,dc=com"
    adding new entry "ou=doc,dc=example,dc=com"
    adding new entry "ou=it,dc=example,dc=com"
    The user data of individuals can be prepared in separate LDIF files. Example 36.9, “LDIF Data for Tux”...
  • Page 696 Example 36.10 Modified LDIF File tux.ldif
    # coworker Tux
    dn: cn=Tux Linux,ou=devel,dc=example,dc=com
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: +49 1234 567-10
    Import the modified file into the LDAP directory with the following command:
    ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif
    Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below: 1 Start ldapmodify and enter your password: ldapmodify -x -D cn=Administrator,dc=example,dc=com -W...
  • Page 697: Configuring an LDAP Server with YaST

    The -b option determines the search base—the section of the tree within which the search should be performed. In the current case, this is dc=example,dc=com. To perform a more finely-grained search in specific subsections of the LDAP directory (for example, only within the devel department), pass this section to ldapsearch with -b.
  • Page 698 Figure 36.2 YaST LDAP Server Configuration To set up an LDAP server for user account data, proceed as follows: 1 Log in as root. 2 Start YaST and select Network Services > LDAP Server. 3 Set LDAP to be started at system boot. 4 If the LDAP server should announce its services via SLP, check Register at an SLP Daemon.
  • Page 699 2 With Log Level Settings, configure the degree of logging activity (verbosity) of the LDAP server. From the predefined list, select or deselect the logging options according to your needs. The more options are enabled, the larger your log files grow.
  • Page 700 To configure the databases managed by your LDAP server, proceed as follows: 1 Select the Databases item in the left part of the dialog. 2 Click Add Database to add the new database. 3 Enter the requested data: Base DN Enter the base DN of your LDAP server.
  • Page 701 WARNING: Locked Accounts in Security Sensitive Environments Do not use the Disclose Account Locked Status option if your environ- ment is sensitive to security issues, because the “Locked Account” error message provides security sensitive information that can be exploited by a potential attacker. 4d Enter the DN of the default policy object.
  • Page 702: Configuring an LDAP Client with YaST

    3b Determine the time between a password expiration warning and the actual password expiration. 3c Set the number of grace uses of an expired password before the password expires entirely. 4 Configure the lockout policies: 4a Enable password locking. 4b Determine the number of bind failures that trigger a password lock. 4c Determine the duration of the password lock.
  • Page 703 36.6.1 Standard Procedure Background knowledge of the processes acting in the background of a client machine helps you understand how the YaST LDAP client module works. If LDAP is activated for network authentication or the YaST module is called, the packages pam_ldap and nss_ldap are installed and the two corresponding configuration files are adapted.
  • Page 704: Basic Configuration

    with the command getent passwd. The returned set should contain a survey of the local users of your system as well as all users stored on the LDAP server. To prevent regular users managed through LDAP from logging in to the server with ssh or login, the files /etc/passwd and /etc/group each need to include an additional line.
  • Page 705 Figure 36.3 YaST: Configuration of the LDAP Client To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows: 1 Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
  • Page 706 6 Select Start Automounter to mount remote directories on your client, such as a remotely managed /home. 7 Select Create Home Directory on Login to have a user's home automatically created on the first user login. 8 Click Finish to apply your settings. Figure 36.4 YaST: Advanced Configuration To modify data on the server as administrator, click Advanced Configuration.
  • Page 707 by crypt are used. For details on this and other options, refer to the pam_ldap man page. 1c Specify the LDAP group to use with Group Member Attribute. The default value for this is member. 2 In Administration Settings, adjust the following settings: 2a Set the base for storing your user management data via Configuration Base 2b Enter the appropriate value for Administrator DN.
  • Page 708 Configuring the YaST Group and User Administration Modules Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory.
  • Page 709 2 Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current schema but currently not used.
  • Page 710 Figure 36.6 YaST: Configuration of an Object Template Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template. The default values for an attribute can be created from other attributes by using a variable instead of an absolute value.
  • Page 711: Configuring LDAP Users and Groups in YaST

    36.7 Configuring LDAP Users and Groups in YaST The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following brief instructions relate to the administration of users. The procedure for administering groups is analogous. 1 Access the YaST user administration with Security &...
  • Page 712 Figure 36.7 YaST: Additional LDAP Settings The initial input form of user administration offers LDAP Options. This gives the possibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.
  • Page 713: Browsing the LDAP Directory Tree

    36.8 Browsing the LDAP Directory Tree To browse the LDAP directory tree and all its entries conveniently, use the YaST LDAP Browser: 1 Log in as root. 2 Start YaST > Network Services > LDAP Browser. 3 Enter the address of the LDAP server, the AdministratorDN, and the password for the RootDN of this server if you need both to read and write the data stored on the server.
  • Page 714: For More Information

    4 To view any of the entries in detail, select it in the LDAP Tree view and open the Entry Data tab. All attributes and values associated with this entry are displayed. Figure 36.9 Browsing the Entry Data 5 To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the RootDN password when prompted.
  • Page 715 OpenLDAP Faq-O-Matic A very rich question and answer collection concerning installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html. Quick Start Guide Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin22/quickstart.html or on an installed system in /usr/share/doc/packages/openldap2/admin-guide/quickstart.html.
  • Page 717: 37 Samba

    Samba Using Samba, a Unix machine can be configured as a file and print server for DOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or the configuration file.
  • Page 718 An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP. The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS.
  • Page 719: Starting and Stopping Samba

    37.2 Starting and Stopping Samba You can start or stop the Samba server automatically during boot or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 37.3.1, “Configuring a Samba Server with YaST” (page 701).
  • Page 720: Starting the Server

    Advanced Samba Configuration with YaST During the first start of the Samba server module, the Samba Server Configuration dialog appears directly after the Samba Server Installation dialog. Use it to adjust your Samba server configuration. After editing your configuration, click Finish to close the configuration. Starting the Server In the Start Up tab, configure the start of the Samba server.
  • Page 721: Configuring the Server Manually

    Using LDAP In the tab LDAP Settings, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click Test Connection. To set expert LDAP settings or use default values, click Advanced Settings. Find more information about LDAP configuration in Chapter 36, LDAP—A Directory Service...
  • Page 722 workgroup = TUX-NET This line assigns the Samba server to a workgroup. Replace TUX-NET with an appropriate workgroup of your networking environment. Your Samba server appears under its DNS name unless this name has been assigned to any other machine in the network.
  • Page 723 Shares The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients. [cdrom] To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.
  • Page 724 Example 37.2 homes Share
    [homes]
    comment = Home Directories
    valid users = %S
    browseable = No
    read only = No
    create mask = 0640
    directory mask = 0750
    [homes] As long as there is no other share using the share name of the user connecting to the SMB server, a share is dynamically generated using the [homes] share directives.
  • Page 725: Configuring Clients

    Security Levels To improve security, each share access can be protected with a password. SMB has three possible ways of checking the permissions: Share Level Security (security = share) A password is firmly assigned to a share. Everyone who knows this password has access to that share.
  • Page 726: Samba As Login Server

    selected with the mouse. If you activate Also Use SMB Information for Linux Authentication, the user authentication runs over the Samba server. After completing all settings, click Finish to finish the configuration. 37.4.2 Windows 9x and ME Windows 9x and ME already have built-in support for TCP/IP. However, this is not installed as the default.
  • Page 727: Samba Server In The Network With Active Directory

    version 3, this is now the default). In addition, it is necessary to prepare user accounts and passwords in an encryption format that conforms with Windows. Do this with the command smbpasswd -a name. Create the domain account for the computers, required by the Windows NT domain concept, with the following commands: Example 37.4 Setting Up a Machine Account useradd hostname\$...
  • Page 728 Join an existing AD domain during installation or by later activating SMB user authentication with YaST in the installed system. Domain join during installation is covered in Section 3.14.7, “Users” (page 42). To join an AD domain in a running system, proceed as follows: 1 Log in as root and start YaST.
  • Page 729: Migrating A Windows Nt Server To Samba

    Figure 37.2 Providing Administrator Credentials Your server is now set up to pull in all authentication data from the Active Directory domain controller. 37.7 Migrating a Windows NT Server to Samba Apart from the Samba and LDAP configuration, the migration of a Windows NT server to a SUSE Linux Enterprise Server Samba server consists of two basic steps.
  • Page 730 37.7.2 Preparing the Samba Server Before you start migration, configure your Samba server. Find configuration of profile, netlogon, and home shares in the Shares tab of the YaST Samba Server module. To edit the default value, select the share and click Edit. To add LDAP configuration for your Samba server and the credentials of the LDAP administrator, use the LDAP Settings tab of the YaST Samba Server module.
  • Page 731: For More Information

    37.7.4 Migrating the Windows Accounts Procedure 37.2 The Account Migration Process 1 Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager. Samba must not be running. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd net rpc vampire -S NT4PDC -U administrator%passwd pdbedit -L 2 Assign each of the UNIX groups to NT groups:...
  • Page 732 The Samba HOWTO Collection provided by the Samba team includes a section about troubleshooting. In addition to that, Part V of the document provides a step-by-step guide to checking your configuration. You can find the Samba HOWTO Collection in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf after installing the package samba-doc. Find detailed information about LDAP and migration from Windows NT or 2000 in /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-*/doc, where * is your smbldap-tools version.
  • Page 733: 38 Sharing File Systems With Nfs

    Sharing File Systems with NFS Distributing and sharing file systems over a network is a common task in corporate environments. NFS is a proven system that also works together with the yellow pages protocol NIS. For a more secure protocol that works together with LDAP and may also be kerberized, check NFSv4.
  • Page 734: Importing File Systems With Yast

    NFS server software is not part of the default installation. To install the NFS server software, start YaST and select Software > Software Management. Now choose Filter > Patterns and select Misc. Server or use the Search option and search for NFS Server.
  • Page 735: Importing File Systems Manually

    Figure 38.1 NFS Client Configuration with YaST 38.3 Importing File Systems Manually File systems can also be imported manually from an NFS server. The prerequisite for this is a running RPC port mapper, which can be started by entering rcportmap start as root.
  • Page 736 38.3.1 Importing NFSv4 File Systems The idmapd service must be up and running on the client to do an NFSv4 import. Start the idmapd service from the command prompt with rcidmapd start. Use rcidmapd status to check the status of idmapd. The idmapd service stores its parameters in the /etc/idmapd.conf file.
  • Page 737: Exporting File Systems With Yast

    Activate the settings with rcautofs start. For this example, /nfsmounts/localdata, the /data directory of server1, is then mounted with NFS and /nfsmounts/nfs4mount from server2 is mounted with NFSv4. If the /etc/auto.master file is edited while the service autofs is running, the automounter must be restarted for the changes to take effect.
  • Page 738 Figure 38.2 NFS Server Configuration Tool Next, activate Start NFS Server and enter the NFSv4 domain name. Click Enable GSS Security if you need secure access to the server. A prerequisite for this is to have Kerberos installed in your domain and to have both the server and the clients kerberized.
  • Page 739 Figure 38.3 Configuring an NFS Server with YaST IMPORTANT: Automatic Firewall Configuration If a firewall is active on your system (SuSEfirewall2), YaST adapts its configuration for the NFS server by enabling the nfs service when Open Ports in Firewall is selected.
  • Page 740 Click Next. The dialog that follows has two sections. The upper half consists of two columns named Directories and Bind mount targets. Directories is a directly editable column that lists the directories to export. For a fixed set of clients, there are two types of directories that can be exported—directories that act as pseudo root file systems and those that are bound to some subdirectory of the pseudo file system.
  • Page 741 to configure the directory as pseudo root. If this directory should be bound to another directory under an already configured pseudo root, make sure that a target bind path is given in the option list with bind=/target/path. For example, suppose that the directory /exports is chosen as the pseudo root directory for all the clients that can access the server.
  • Page 742 Figure 38.5 Exporting Directories with NFSv2 and v3 38.4.3 Coexisting v3 and v4 Exports Both NFSv3 and NFSv4 exports can coexist on a server. After enabling the support for NFSv4 in the initial configuration dialog, those exports for which fsid=0 and bind=/target/path are not included in the option list are considered v3 exports.
  • Page 743: Exporting File Systems Manually

    38.5 Exporting File Systems Manually The configuration files for the NFS export service are /etc/exports and /etc/sysconfig/nfs. In addition to these files, /etc/idmapd.conf is needed for the NFSv4 server configuration. To start or restart the services, run the commands rcnfsserver restart and rcidmapd restart.
  • Page 744 binds to an existing subdirectory (/export/data) of the pseudo file system /export. The pseudo file system is the top level directory under which all file systems that need to be NFSv4 exported take their places. For a client or set of clients, there can only be one directory on the server configured as the pseudo root for export.
  • Page 745 Do not change these parameters unless you are sure of what you are doing. For further reference, read the man pages of idmapd and idmapd.conf: man idmapd, man idmapd.conf. Starting and Stopping Services After changing /etc/exports or /etc/sysconfig/nfs, start or restart the NFS server service with rcnfsserver restart.
  • Page 746: Nfs With Kerberos

    38.6 NFS with Kerberos To use Kerberos authentication for NFS, GSS security must be enabled. To do so, select Enable GSS Security in the initial YaST dialog. Additionally complete the following steps: • Make sure that both the server and the client are in the same Kerberos domain. This means that they access the same KDC (Key Distribution Center) server and share their krb5.keytab file (the default location on any machine is /etc/krb5.keytab).
  • Page 747: 39 File Synchronization

    File Synchronization Today, many people use several computers—one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files and subsequently have the latest version of the data available on all computers.
  • Page 748 WARNING: Risk of Data Loss Before you start managing your data with a synchronization system, you should be well acquainted with the program used and test its functionality. A backup is indispensable for important files. The time-consuming and error-prone task of manually synchronizing data can be avoided by using one of the programs that use various methods to automate this job.
  • Page 749: Determining Factors For Selecting A Program

    39.2 Determining Factors for Selecting a Program There are some important factors to consider when deciding which program to use. 39.2.1 Client-Server versus Peer-to-Peer Two different models are commonly used for distributing data. In the first model, all clients synchronize their files with a central server. The server must be accessible by all clients at least occasionally.
  • Page 750 There is no conflict handling in rsync. The user is responsible for not accidentally overwriting files and manually resolving all possible conflicts. To be on the safe side, a versioning system like RCS can be additionally employed. 39.2.5 Selecting and Adding Files In CVS, new directories and files must be added explicitly using the command cvs add.
  • Page 751 39.2.9 User Friendliness rsync is rather easy to use and is also suitable for newcomers. CVS is somewhat more difficult to operate. Users should understand the interaction between the repository and local data. Changes to the data should first be merged locally with the repository. This is done with the command cvs update.
  • Page 752: Introduction To Cvs

    (Fragment of the comparison table for rsync: columns File Selection, History, Hard Disk Space, Difficulty, Attacks, Data Loss; the Attacks row reads "+ (ssh)".) 39.3 Introduction to CVS CVS is suitable for synchronization purposes if individual files are edited frequently and are stored in a file format, such as ASCII text or program source text. The use of CVS for synchronizing data in other formats, such as JPEG files, is possible, but leads to large amounts of data, because all variants of a file are stored permanently on the CVS server.
  • Page 753
    CVS_RSH=ssh
    CVSROOT=tux@server:/serverdir
    The command cvs init can be used to initialize the CVS server from the client side. This needs to be done only once. Finally, the synchronization must be assigned a name. Select or create a directory on the client exclusively to contain files to manage with CVS (the directory can also be empty).
  • Page 754 Start the synchronization with the server with cvs update. Update individual files or directories as in cvs update file1 directory1. To see the difference between the current files and the versions stored on the server, use the command cvs diff or cvs diff file1 directory1.
  • Page 755: Introduction To Rsync

    • CVS: http://www.cvshome.org • Rsync: http://www.gnu.org/manual 39.4 Introduction to rsync rsync is useful when large amounts of data need to be transmitted regularly while not changing too much. This is, for example, often the case when creating backups. Another application concerns staging servers. These are servers that store complete directory trees of Web servers that are regularly mirrored onto a Web server in a DMZ.
  • Page 756
    gid = nobody
    uid = nobody
    read only = true
    use chroot = no
    transfer logging = true
    log format = %h %o %f %l %b
    log file = /var/log/rsyncd.log
    [FTP]
    path = /srv/ftp
    comment = An Example
    Then start rsyncd with rcrsyncd start. rsyncd can also be started automatically during the boot process.
  • Page 757 A technical reference about the operating principles of rsync is featured in /usr/share/doc/packages/rsync/tech_report.ps. Find the latest news about rsync on the project Web site at http://rsync.samba.org/. If you want Subversion or other tools, download the SDK. Find it at http://developer.novell.com/wiki/index.php/SUSE_LINUX_SDK. File Synchronization...
  • Page 759: 40 The Apache Http Server

    The Apache HTTP Server With a share of more than 70%, the Apache HTTP Server (Apache) is the world's most widely-used Web server according to the Survey from http://www.netcraft.com/. Apache, developed by the Apache Software Foundation (http://www.apache.org/), is available for most operating systems. SUSE® Linux Enterprise Server includes Apache version 2.2.
  • Page 760 2. The machine's exact system time is maintained by synchronizing with a time server. This is necessary because parts of the HTTP protocol depend on the correct time. See Chapter 32, Time Synchronization with NTP (page 605) to learn more about this topic.
  • Page 761: Configuring Apache

    If you have not received error messages when starting Apache, the Web server should be running now. Start a browser and open http://localhost/. You should see an Apache test page starting with “If you can see this, it means that the installation of the Apache Web server software on this system was successful.”...
  • Page 762 /etc/sysconfig/apache2 /etc/sysconfig/apache2 controls some global settings of Apache, like modules to load, additional configuration files to include, flags with which the server should be started, and flags that should be added to the command line. Every configuration option in this file is extensively documented and therefore not mentioned here. For a general-purpose Web server, the settings in /etc/sysconfig/apache2 should be sufficient for any configuration needs.
  • Page 763 Apache Configuration Files in /etc/apache2/ charset.conv Specifies which character sets to use for different languages. Do not edit. conf.d/*.conf Configuration files added by other modules. These configuration files can be included into your virtual host configuration where needed. See vhosts.d/vhost.template for examples.
  • Page 764 mod_*.conf Configuration files for the modules that are installed by default. Refer to Section 40.4, “Installing, Activating, and Configuring Modules” (page 759) for details. Note that configuration files for optional modules reside in the directory conf.d. server-tuning.conf Contains configuration directives for the different MPMs (see Section 40.4.4, “Multiprocessing Modules”...
  • Page 765 Virtual hosts can be configured via YaST (see Section “Virtual Hosts” (page 754)) or by manually editing a configuration file. By default, Apache in SUSE Linux Enterprise Server is prepared for one configuration file per virtual host in /etc/apache2/vhosts.d/. All files in this directory with the extension .conf are automatically included in the configuration.
  • Page 766 The wild card * can be used for both the IP address and the port number to receive requests on all interfaces. IPv6 addresses must be enclosed in square brackets. Example 40.1 Variations of Name-Based VirtualHost Entries
    # NameVirtualHost IP-address[:Port]
    NameVirtualHost 192.168.3.100:80
    NameVirtualHost 192.168.3.100
    NameVirtualHost *:80...
  • Page 767 IP-Based Virtual Hosts This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP. The physical server must have one IP address for each IP-based virtual host. If the machine does not have multiple network cards, virtual network interfaces (IP aliasing) can also be used.
  • Page 768 DocumentRoot Path to the directory from which Apache should serve files for this host. For security reasons, access to the entire file system is forbidden by default, so you must explicitly unlock this directory within a Directory container. ServerAdmin E-mail address of the server administrator.
  • Page 769 40.2.2 Configuring Apache with YaST To configure your Web server with YaST, start YaST and select Network Services > HTTP Server. When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make just a few basic decisions concerning administration of the server.
  • Page 770 Default Host This option pertains to the default Web server. As explained in Section “Virtual Host Configuration” (page 746), Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host.
  • Page 771 The default SUSE Linux Enterprise Alias /icons points to /usr/share/apache2/icons for the Apache icons displayed in the directory index view. ScriptAlias Similar to the Alias directive, the ScriptAlias directive maps a URL to a file system location. The difference is that ScriptAlias designates the target directory as a CGI location, meaning that CGI scripts should be executed in that location.
  • Page 772: Virtual Hosts

    Virtual Hosts In this step, the wizard displays a list of already configured virtual hosts (see Section “Virtual Host Configuration” (page 746)). If you have not made manual changes prior to starting the YaST HTTP wizard, no virtual host is present. To add a host, click Add to open a dialog in which to enter basic information about the host.
  • Page 773: Http Server Configuration

    Figure 40.2 HTTP Server Wizard: Summary HTTP Server Configuration The HTTP Server Configuration dialog also lets you make even more adjustments to the configuration than the wizard (which only runs if you configure your Web server for the first time). It consists of four tabs described in the following. No configuration option you change here is effective immediately—you always must confirm your changes with Finish to make them effective.
  • Page 774: Server Modules

    also restart or reload the Web server (see Section 40.3, “Starting and Stopping Apache” (page 757) for details). These commands are effective immediately. Figure 40.3 HTTP Server Configuration: Listen Ports and Addresses Server Modules You can change the status (enabled or disabled) of Apache2 modules by clicking Toggle Status.
  • Page 775: Starting And Stopping Apache

    Figure 40.4 HTTP Server Configuration: Server Modules Main Host or Hosts These dialogs are identical to the ones already described. Refer to Section “Default Host” (page 752) and Section “Virtual Hosts” (page 754). 40.3 Starting and Stopping Apache If configured with YaST (see Section 40.2.2, “Configuring Apache with YaST”...
  • Page 776 startssl Starts Apache with SSL support if it is not already running. For more information about SSL support, refer to Section 40.6, “Setting Up a Secure Web Server with SSL” (page 769). stop Stops Apache by terminating the parent process. restart Stops then restarts Apache.
  • Page 777: Installing, Activating, And Configuring Modules

    TIP: Additional Flags If you specify additional flags to the rcapache2, these are passed through to the Web server. 40.4 Installing, Activating, and Configuring Modules The Apache software is built in a modular fashion: all functionality except some core tasks is handled by modules. This has progressed so far that even HTTP is processed by a module (http_core).
  • Page 778: Module Installation

    40.4.1 Module Installation If you have followed the default way of installing Apache (described in Section 40.1.2, “Installation” (page 742)), it is installed with all base and extension modules, the multiprocessing module Prefork MPM, and the external modules mod_php5 and mod_python. You can install additional external modules by starting YaST and choosing Software >...
  • Page 779 mod_actions Provides methods to execute a script whenever a certain MIME type (such as application/pdf), a file with a specific extension (like .rpm), or a certain request method (such as GET) is requested. This module is enabled by default. mod_alias Provides Alias and Redirect directives with which you can map a URL to a specific directory (Alias) or redirect a requested URL to another location.
  • Page 780 .html by default). It also provides an automatic redirect to the correct URL when a directory request does not contain a trailing slash. This module is enabled by default. mod_env Controls the environment that is passed to CGI scripts or SSI pages. Environment variables can be set or unset or passed from the shell that invoked the httpd process.
  • Page 781 mod_setenvif Sets environment variables based on details of the client's request, such as the browser string the client sends, or the client's IP address. This module is enabled by default. mod_speling mod_speling attempts to automatically correct typographical errors in URLs, such as capitalization errors.
  • Page 782 Find a list of all external modules shipped with SUSE Linux Enterprise Server here. Find the module's documentation in the listed directory. mod-apparmor Adds support to Apache to provide Novell AppArmor confinement to individual CGI scripts handled by modules like mod_php5 and mod_perl. Installation and Administration...
  • Page 783 Package Name: apache2-mod_apparmor More Information: Novell AppArmor Administration Guide (↑Novell AppArmor Administration Guide) mod_perl mod_perl enables you to run Perl scripts in an embedded interpreter. The persistent interpreter embedded in the server avoids the overhead of starting an external interpreter and the penalty of Perl start-up time.
  • Page 784: Getting Cgi Scripts To Work

    The apxs2 binaries are located under /usr/sbin: • /usr/sbin/apxs2—suitable for building an extension module that works with any MPM. The installation location is /usr/lib/apache2. • /usr/sbin/apxs2-prefork—suitable for prefork MPM modules. The installation location is /usr/lib/apache2-prefork. • /usr/sbin/apxs2-worker—suitable for worker MPM modules. apxs2 installs modules so they can be used for all MPMs.
  • Page 785 40.5.1 Apache Configuration In SUSE Linux Enterprise Server, the execution of CGI scripts is only allowed in the directory /srv/www/cgi-bin/. This location is already configured to execute CGI scripts. If you have created a virtual host configuration (see Section “Virtual Host Configuration”...
  • Page 786 directory of your virtual host (/srv/www/www.example.com/cgi-bin/) and name it test.cgi. Files accessible by the Web server should be owned by the user root (see Section 40.7, “Avoiding Security Problems” (page 774) for additional information). Because the Web server runs with a different user, the CGI scripts must be world-executable and world-readable.
  • Page 787: Setting Up A Secure Web Server With Ssl

    40.6 Setting Up a Secure Web Server with SSL Whenever sensitive data, such as credit card information, is transferred between Web server and client, it would be desirable to have a secure, encrypted connection with authentication. mod_ssl provides strong encryption using the secure sockets layer (SSL) and transport layer security (TLS) protocols for HTTP communication between a client and the Web server.
  • Page 788 TIP: For More Information To learn more about concepts and definitions of SSL/TLS, refer to http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html. Creating a “Dummy” Certificate Generating a dummy certificate is simple. Just call the script /usr/bin/gensslcert. It creates or overwrites the following files: • /etc/apache2/ssl.crt/ca.crt •...
  • Page 789 Choose RSA (R, the default), because some older browsers have problems with DSA. 2 Generating RSA private key for CA (1024 bit) No interaction needed. 3 Generating X.509 certificate signing request for CA Create the CA's distinguished name here. This requires you to answer a few questions, such as country name or organization name.
  • Page 790 8 Encrypting RSA private key of CA with a pass phrase for security It is strongly recommended to encrypt the private key of the CA with a password, so choose Y and enter a password. 9 Encrypting RSA private key of SERVER with a pass phrase for security Encrypting the server key with a password requires you to enter this password every time you start the Web server.
  • Page 791 Getting an Officially Signed Certificate There are a number of official certificate authorities that sign your certificates. The certificate is signed by a trustworthy third party, so it can be fully trusted. Publicly operating secure Web servers usually have an officially signed certificate. The best-known official CAs are Thawte (http://www.thawte.com/) or Verisign (http://www.verisign.com).
  • Page 792: Avoiding Security Problems

    To use SSL, it must be activated in the global server configuration. Open /etc/sysconfig/apache2 in an editor and search for APACHE_MODULES. Add “ssl” to the list of modules if it is not already present (mod_ssl is activated by default). Next, search for APACHE_SERVER_FLAGS and add “SSL”.
  • Page 793 If there are vulnerabilities found in the Apache software, a security advisory will be issued by SUSE. It contains instructions for fixing the vulnerabilities, which in turn should be applied as soon as possible. The SUSE security announcements are available from the following locations: • Web Page http://www.novell.com/linux/security/securitysupport.html • Mailing List http://en.opensuse.org/Communicate#Mailinglists •...
  • Page 794: Troubleshooting

    40.7.4 CGI Scripts Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially run arbitrary commands and therefore present a general security issue. Scripts that will be executed from the server should only be installed from sources the server administrator trusts—allowing users to run their own scripts is generally not a good idea.
  • Page 795: For More Information

    starting or stopping the Web server. Avoid doing this and use the rcapache2 script instead. rcapache2 even provides tips and hints for solving configuration errors. Second, the importance of log files cannot be overemphasized. In case of both fatal and nonfatal errors, the Apache log files, mainly the error log file, are the places to look for causes.
  • Page 796 40.9.1 Apache 2.2 For a list of new features in Apache 2.2, refer to http://httpd.apache.org/docs/2.2/new_features_2_2.html. Information about upgrading from version 2.0 to 2.2 is available at http://httpd.apache.org/docs-2.2/upgrading.html. 40.9.2 Apache Modules More information about external Apache modules from Section 40.4.5, “External Modules”...
  • Page 797 40.9.4 Miscellaneous Sources If you experience difficulties specific to Apache in SUSE Linux Enterprise Server, take a look at the Technical Information Search at http://www.novell.com/support. The history of Apache is provided at http://httpd.apache.org/ABOUT_APACHE.html. This page also explains why the server is called Apache.
  • Page 799: 41 The Proxy Server Squid

    The Proxy Server Squid Squid is a widely-used proxy cache for Linux and UNIX platforms. This means that it stores requested Internet objects, such as data on a Web or FTP server, on a machine that is closer to the requesting workstation than the server. It may be set up in multiple hierarchies to assure optimal response times and low bandwidth usage, even in modes that are transparent for the end user.
  • Page 800: Some Facts About Proxy Caches

    41.1 Some Facts about Proxy Caches As a proxy cache, Squid can be used in several ways. When combined with a firewall, it can help with security. Multiple proxies can be used together. It can also determine what types of objects should be cached and for how long. 41.1.1 Squid and Security It is possible to use Squid together with a firewall to secure internal networks from the outside using a proxy cache.
  • Page 801: System Requirements

    HIT code if the object was detected or a MISS if it was not. If multiple HIT responses were found, the proxy server decides from which server to download, depending on factors such as which cache sent the fastest answer or which one is closer. If no satisfactory responses are received, the request is sent to the parent cache.
  • Page 802: Hard Disks

    41.2.1 Hard Disks Speed plays an important role in the caching process, so this factor deserves special attention. For hard disks, this parameter is described as random seek time, measured in milliseconds. Because the data blocks that Squid reads from or writes to the hard disk tend to be rather small, the seek time of the hard disk is more important than its data throughput.
  • Page 803: Starting Squid

    It is very important to have sufficient memory for the Squid process, because system performance is dramatically reduced if it must be swapped to disk. The cachemgr.cgi tool can be used for the cache memory management. This tool is introduced in Section 41.6, “cachemgr.cgi”...
  • Page 804 so, consider that Squid is made completely accessible to anyone by this action. Therefore, define ACLs that control access to the proxy. More information about this is available in Section 41.4.2, “Options for Access Controls” (page 790). After modifying the configuration file /etc/squid/squid.conf, Squid must reload the configuration file.
  • Page 805: The Configuration File /Etc/Squid/Squid.conf

    Dynamic DNS Normally, with dynamic DNS, the DNS server is set by the provider during the establishment of the Internet connection and the local file /etc/resolv.conf is adjusted automatically. This behavior is controlled in the file /etc/sysconfig/network/config with the sysconfig variable MODIFY_RESOLV_CONF_DYNAMICALLY, which is set to "yes".
  • Page 806 end of the line. The given values almost always correlate with the default values, so removing the comment signs without changing any of the parameters actually has little effect in most cases. If possible, leave the sample as it is and insert the options along with the modified parameters in the line below.
  • Page 807 cache_dir ufs /var/cache/squid/ 100 16 256 The entry cache_dir defines the directory where all the objects are stored on disk. The numbers at the end indicate the maximum disk space in MB to use and the number of directories in the first and second level. The ufs parameter should be left alone.
  • Page 808 overwritten. The default value is 0 because archiving and deleting log files in SUSE Linux Enterprise Server is carried out by a cron job set in the configuration file /etc/logrotate/squid. append_domain <domain> With append_domain, specify which domain to append automatically when none is given.
  • Page 809 acl <acl_name> <type> <data> An ACL requires at least three specifications to define it. The name <acl_name> can be chosen arbitrarily. For <type>, select from a variety of different options, which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
  • Page 810 and the last http_access deny all
    redirect_program /usr/bin/squidGuard
    With this option, specify a redirector such as squidGuard, which allows blocking unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured.
  • Page 811: Configuring a Transparent Proxy

    41.5 Configuring a Transparent Proxy The usual way of working with proxy servers is the following: the Web browser sends requests to a certain port on the proxy server and the proxy provides the requested objects, whether they are in its cache or not. When working in a network, several situations may arise: •...
  • Page 812 41.5.2 Firewall Configuration with SuSEfirewall2 Now redirect all incoming requests via the firewall to the Squid port with the help of a port forwarding rule. To do this, use the enclosed tool SuSEfirewall2, described in Section 43.4.1, “Configuring the Firewall with YaST” (page 825).
  • Page 813 Example 41.1 Firewall Configuration: Option 15
    # 15.)
    # Which accesses to services should be redirected to a local port
    # on the firewall machine?
    # This can be used to force all internal users to surf via your
    # Squid proxy, or transparently redirect incoming Web traffic to
    # a secure Web server.
  • Page 814: cachemgr.cgi

    41.6 cachemgr.cgi The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the memory usage of a running Squid process. It is also a more convenient way to manage the cache and view statistics without logging in to the server. 41.6.1 Setup First, a running Web server on your system is required.
  • Page 815 These rules assume that the Web server and Squid are running on the same machine. If the communication between the cache manager and Squid originates at the Web server on another computer, include an extra ACL as in Example 41.2, “Access Rules” (page 797).
  • Page 816: squidGuard

    41.7 squidGuard This section is not intended to explain an extensive configuration of squidGuard, only to introduce it and give some advice for using it. For more in-depth configuration issues, refer to the squidGuard Web site at http://www.squidguard.org. squidGuard is a free (GPL), flexible, and fast filter, redirector, and access controller plug-in for Squid.
  • Page 817: Cache Report Generation With Calamaris

    Next, create a dummy “access denied” page or a more or less complex CGI page to redirect Squid if the client requests a blacklisted Web site. Using Apache is strongly recommended. Now, configure Squid to use squidGuard. Use the following entry in the /etc/squid/squid.conf file:
    redirect_program /usr/bin/squidGuard
    Another option called redirect_children configures the number of “redirect”...
  • Page 818: For More Information

    include a message or logo in report header More information about the various options can be found in the program's manual page with man calamaris. A typical example is:
    cat access.log.2 access.log.1 access.log | calamaris -a -w \
    > /usr/local/httpd/htdocs/Squid/squidreport.html
    This puts the report in the directory of the Web server.
  • Page 819: Part V Security

    Part V. Security...
  • Page 821: 42 Managing X.509 Certification

    Managing X.509 Certification An increasing number of authentication mechanisms are based on cryptographic procedures. Digital certificates that assign cryptographic keys to their owners play an important role in this context. These certificates are used for communication and can also be found, for example, on company ID cards.
  • Page 822 Private Key The private key must be kept safely by the key owner. Accidental publication of the private key compromises the key pair and renders it useless. Public Key The key owner circulates the public key for use by third parties. 42.1.1 Key Authenticity Because the public key process is in widespread use, there are many public keys in circulation.
  • Page 823 42.1.2 X.509 Certificates An X.509 certificate is a data structure with several fixed fields and, optionally, additional extensions. The fixed fields mainly contain the name of the key owner, the public key, and the data relating to the issuing CA (name and signature). For security reasons, a certificate should only have a limited period of validity, so a field is also provided for this date.
  • Page 824 Field: Extensions. Content: Optional additional information, such as “KeyUsage” or “BasicConstraints”.
    42.1.3 Blocking X.509 Certificates If a certificate becomes untrustworthy before it has expired, it must be blocked immediately. This can be needed if, for example, the private key has accidentally been made public.
  • Page 825 Field: List of revoked certificates. Content: Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions).
    Field: Extensions. Content: Optional CRL extensions.
    42.1.4 Repository for Certificates and CRLs The certificates and CRLs for a CA must be made publicly accessible using a repository. Because the signature protects the certificates and CRLs from being forged, the repository itself does not need to be secured in a special way.
  • Page 826: YaST Modules for CA Management

    42.2 YaST Modules for CA Management YaST provides two modules for basic CA management. The primary management tasks with these modules are explained here. 42.2.1 Creating a Root CA The first step when setting up a PKI is to create a root CA. Do the following: 1 Start YaST and go to Security and Users >...
  • Page 827 CA Name Enter the technical name of the CA. Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.
  • Page 828 In general, it is best not to allow user certificates to be issued by the root CA. It is better to create at least one sub-CA and create the user certificates from there. This has the advantage that the root CA can be kept isolated and secure, for example, on an isolated computer on secure premises.
  • Page 829 Figure 42.2 YaST CA Module—Using a CA 4 Click Advanced and select Create SubCA. This opens the same dialog as for creating a root CA. 5 Proceed as described in Section 42.2.1, “Creating a Root CA” (page 808). 6 Select the tab Certificates. Reset compromised or otherwise unwanted sub-CAs here using Revoke.
  • Page 830 the e-mail address of the recipient (the public key owner) to be included in the certificate. In the case of server and client certificates, the hostname of the server must be entered in the Common Name field. The default validity period for certificates is 365 days. To create client and server certificates, do the following: 1 Start YaST and open the CA module.
  • Page 831 To revoke compromised or otherwise unwanted certificates, do the following: 1 Start YaST and open the CA module. 2 Select the required CA and click Enter CA. 3 Enter the password if entering a CA the first time. YaST displays the CA key information in the Description tab.
  • Page 832 3 Click Advanced > Edit Defaults. 4 Choose the type of settings to change. The dialog for changing the defaults, shown in Figure 42.4, “YaST CA Module—Extended Settings” (page 814), then opens. Figure 42.4 YaST CA Module—Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical.
  • Page 833 42.2.5 Creating CRLs If compromised or otherwise unwanted certificates should be excluded from further use, they must first be revoked. The procedure for this is explained in Section 42.2.2, “Creating or Revoking a Sub-CA” (page 810) (for sub-CAs) and Section 42.2.3, “Creating or Revoking User Certificates”...
  • Page 834 must be entered manually. You must always enter several passwords (see Table 42.3, “Passwords during LDAP Export” (page 816)).
    Table 42.3 Passwords during LDAP Export
    LDAP Password: Authorizes the user to make entries in the LDAP tree.
    Certificate Password: Authorizes the user to export the certificate.
  • Page 835 42.2.7 Exporting CA Objects as a File If you have set up a repository on the computer for administering CAs, you can use this option to create the CA objects directly as a file at the correct location. Different output formats are available, such as PEM, DER, and PKCS12.
  • Page 836 The general server certificate is stored in /etc/ssl/servercerts and can be used there by any CA-supported service. When this certificate expires, it can easily be replaced using the same mechanisms. To get things functioning with the replaced certificate, restart the participating services. If you select Import here, you can select the source in the file system.
  • Page 837: 43 Masquerading and Firewalls

    Masquerading and Firewalls Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart.
  • Page 838 This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet. mangle The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
  • Page 839 Figure 43.1 iptables: A Packet's Possible Paths (figure: an incoming packet passes PREROUTING (mangle), then routing, then either INPUT (mangle, filter) to processes in the local system or FORWARD (mangle, filter); a packet from the local system passes OUTPUT (routing, mangle, filter); all outgoing packets pass POSTROUTING (mangle)). These tables contain several predefined chains to match packets:
  • Page 840: Masquerading Basics

    PREROUTING: This chain is applied to incoming packets.
    INPUT: This chain is applied to packets destined for the system's internal processes.
    FORWARD: This chain is applied to packets that are only routed through the system.
    OUTPUT: This chain is applied to packets originating from the system itself.
    POSTROUTING: This chain is applied to all outgoing packets.
  • Page 841 hosts in the local network connected to the network card (such as eth0) of the router, they can send any packets not destined for the local network to their default gateway or router. IMPORTANT: Using the Correct Network Mask When configuring your network, make sure both the broadcast address and the netmask are the same for all local hosts.
  • Page 842: Firewalling Basics

    43.3 Firewalling Basics Firewall is probably the term most widely used to describe a mechanism that provides and manages a link between networks while also controlling the data flow between them. Strictly speaking, the mechanism described in this section is called a packet filter. A packet filter regulates the data flow according to certain criteria, such as protocols, ports, and IP addresses.
  • Page 843 External Zone Given that there is no way to control what is happening on the external network, the host needs to be protected from it. In most cases, the external network is the Internet, but it could be another insecure network, such as a WLAN. Internal Zone This refers to the private network, in most cases the LAN.
  • Page 844 for activating additional services and ports. The YaST firewall configuration module can be used to activate, deactivate, or reconfigure the firewall. The YaST dialogs for the graphical configuration can be accessed from the YaST Control Center. Select Security and Users > Firewall. The configuration is divided into seven sections that can be accessed directly from the tree structure on the left side.
  • Page 845: Configuring Manually

    The logging of broadcasts that are not accepted can be enabled here. This may be problematic, because Windows hosts use broadcasts to know about each other and so generate many packets that are not accepted. IPsec Support Configure whether the IPsec service should be available to the external network in this dialog.
  • Page 846 FW_DEV_INT (firewall, masquerading) The device linked to the internal, private network (such as eth0). Leave this blank if there is no internal network and the firewall protects only the host on which it runs. FW_ROUTE (firewall, masquerading) If you need the masquerading function, set this to yes. Your internal hosts will not be visible to the outside, because their private network addresses (e.g., 192.168.x.x) are ignored by Internet routers.
  • Page 847: For More Information

    FW_SERVICES_INT_TCP (firewall) With this variable, define the services available for the internal network. The notation is the same as for FW_SERVICES_EXT_TCP, but the settings are applied to the internal network. The variable only needs to be set if FW_PROTECT_FROM_INT is set to yes. FW_SERVICES_INT_UDP (firewall) See FW_SERVICES_INT_TCP.
  • Page 849: 44 SSH: Secure Network Operations

    SSH: Secure Network Operations With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it.
  • Page 850: The ssh Program

    44.2 The ssh Program Using the ssh program, it is possible to log in to remote systems and work interactively. It replaces both telnet and rlogin. The slogin program is just a symbolic link pointing to ssh. For example, log in to the host sun with the command ssh sun. The host then prompts for the password on sun.
  • Page 851: sftp - Secure File Transfer

    scp also provides a recursive copying feature for entire directories. The command scp -r src/ sun:backup/ copies the entire contents of the directory src including all subdirectories to the backup directory on the host sun. If this subdirectory does not exist yet, it is created automatically.
  • Page 852: SSH Authentication Mechanisms

    For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of the protocol with the -1 switch. To continue using version 1 after a system update, follow the instructions in /usr/share/doc/packages/openssh/README.SuSE.
  • Page 853 that is also easy to use. Because it is meant to replace rsh and rlogin, SSH must also be able to provide an authentication method appropriate for daily use. SSH accomplishes this by way of another key pair, which is generated by the user. The SSH package provides a helper program for this: ssh-keygen.
  • Page 854: X, Authentication, And Forwarding Mechanisms

    44.7 X, Authentication, and Forwarding Mechanisms Beyond the previously described security-related improvements, SSH also simplifies the use of remote X applications. If you run ssh with the option -X, the DISPLAY variable is automatically set on the remote machine and all X output is exported to the remote machine over the existing SSH connection.
  • Page 855: 45 Network Authentication - Kerberos

    Network Authentication—Kerberos An open network provides no means to ensure that a workstation can identify its users properly except the usual password mechanisms. In common installations, the user must enter the password each time a service inside the network is accessed. Kerberos provides an authentication method with which a user registers once then is trusted in the complete network for the rest of the session.
  • Page 856 credential Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials—tickets and authenticators. ticket A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service.
  • Page 857: How Kerberos Works

    replay Almost all messages sent in a network can be eavesdropped, stolen, and resent. In the Kerberos context, this would be most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator. He could then try to resend it (replay) to impersonate you.
  • Page 858 • The client's IP address • The newly-generated session key This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used. This private key is only known to Kerberos and the client, because it is derived from your user password.
  • Page 859 45.2.3 Mutual Authentication Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be. The server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts it with the session key, which is shared between it and the client.
  • Page 860: Users' View of Kerberos

    • The newly-generated session key The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is encrypted with the session key that came with the original ticket-granting ticket.
  • Page 861: For More Information

    • rsh, rcp, rshd
    • ftp, ftpd
    • ksu
    You no longer have to enter your password for using these applications because Kerberos has already proven your identity. ssh, if compiled with Kerberos support, can even forward all the tickets acquired for one workstation to another one. If you use ssh to log in to another workstation, ssh makes sure that the encrypted contents of the tickets are adjusted to the new situation.
  • Page 863: 46 Installing and Administering Kerberos

    Installing and Administering Kerberos This section covers the installation of the MIT Kerberos implementation as well as some aspects of administration. This section assumes you are familiar with the basic concepts of Kerberos (see also Chapter 45, Network Authentication—Kerberos (page 837)). 46.1 Choosing the Kerberos Realms The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING.
  • Page 864: Setting Up the KDC Hardware

    For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples. 46.2 Setting Up the KDC Hardware The first thing required to use Kerberos is a machine that acts as the key distribution center, or KDC for short.
  • Page 865: Clock Synchronization

    6 Disable all user accounts except root's account by editing /etc/shadow and replacing the hashed passwords with * or ! characters. 46.3 Clock Synchronization To use Kerberos successfully, make sure that all system clocks within your organization are synchronized within a certain range. This is important because Kerberos protects against replayed credentials.
  • Page 866 1 Install the RPMs On a machine designated as the KDC, install special software packages. See Section 46.4.1, “Installing the RPMs” (page 848) for details. 2 Adjust the Configuration Files The configuration files /etc/krb5.conf and /var/lib/kerberos/krb5kdc/kdc.conf must be adjusted for your scenario.
  • Page 867: Installing And Administering Kerberos

    When you make tape backups of the Kerberos database (/var/lib/kerberos/krb5kdc/principal), do not back up the stash file (which is in /var/lib/kerberos/krb5kdc/.k5.EXAMPLE.COM). Otherwise, everyone able to read the tape could also decrypt the database. Therefore, it is also a good idea to keep a copy of the pass phrase in a safe or some other secure location, because you need it to restore your database from backup tape after a crash.
  • Page 868: Manually Configuring Kerberos Clients

    Next, create another principal named newbie/admin by typing ank newbie/admin at the kadmin prompt. The admin suffixed to your username is a role. Later, use this role when administering the Kerberos database. A user can have several roles for different purposes.
  • Page 869 46.5.1 Static Configuration One way to configure Kerberos is to edit the configuration file /etc/krb5.conf. The file installed by default contains various sample entries. Erase all of these entries before starting. krb5.conf is made up of several sections, each introduced by the section name included in brackets like [this].
  • Page 870 The name of an SRV record, as far as Kerberos is concerned, is always in the format _service._proto.realm, where realm is the Kerberos realm. Domain names in DNS are case insensitive, so case-sensitive Kerberos realms would break when using this configuration method. _service is a service name (different names are used when trying to contact the KDC or the password service, for example).
  • Page 871: Configuring a Kerberos Client with YaST

    46.5.3 Adjusting the Clock Skew The clock skew is the tolerance for accepting tickets with time stamps that do not exactly match the host's system clock. Usually, the clock skew is set to 300 seconds (five minutes). This means a ticket can have a time stamp somewhere between five minutes ago and five minutes in the future from the server's point of view.
  • Page 872 Figure 46.1 YaST: Basic Configuration of a Kerberos Client To configure ticket-related options in the Advanced Settings dialog, choose from the following options: • Specify the Default Ticket Lifetime and the Default Renewable Lifetime in days, hours, or minutes (using the units of measurement d, h, and m, with no blank space between the value and the unit).
  • Page 873: Remote Kerberos Administration

    • Use Clock Skew to set a value for the allowable difference between the time stamps and your host's system time. • To keep the system time in sync with an NTP server, you can also set up the host as an NTP client by selecting NTP Configuration, which opens the YaST NTP client dialog that is described in Section 32.1, “Configuring an NTP Client with...
  • Page 874 newbie/admin Replace the username newbie with your own. Restart kadmind for the change to take effect. 46.7.1 Using kadmin for Remote Administration You should now be able to perform Kerberos administration tasks remotely using the kadmin tool. First, obtain a ticket for your admin role and use that ticket when connecting to the kadmin server:
    kadmin -p newbie/admin
    Authenticating as principal newbie/admin@EXAMPLE.COM with password.
  • Page 875: Creating Kerberos Host Principals

    kadmin: modify_principal -maxlife "8 hours" newbie
    Principal "newbie@EXAMPLE.COM" modified.
    kadmin: getprinc joe
    Principal: newbie@EXAMPLE.COM
    Expiration date: [never]
    Last password change: Wed Jan 12 17:28:46 CET 2005
    Password expiration date: [none]
    Maximum ticket life: 0 days 08:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Wed Jan 12 17:59:49 CET 2005 (newbie/admin@EXAMPLE.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]...
  • Page 876 Kerberos can decrypt the ticket. It would be quite inconvenient for the system administrator if he had to obtain new tickets for the SSH daemon every eight hours or so. Instead, the key required to decrypt the initial ticket for the host principal is extracted by the administrator from the KDC once and stored in a local file called the keytab.
  • Page 877: Enabling PAM Support for Kerberos

    46.9 Enabling PAM Support for Kerberos SUSE Linux Enterprise® comes with a PAM module named pam_krb5, which supports Kerberos login and password update. This module can be used by applications, such as console login, su, and graphical login applications like KDM, where the user presents a password and would like the authenticating application to obtain an initial Kerberos ticket on his behalf.
  • Page 878: Configuring SSH for Kerberos Authentication

    46.10 Configuring SSH for Kerberos Authentication OpenSSH supports Kerberos authentication in both protocol version 1 and 2. In version 1, there are special protocol messages to transmit Kerberos tickets. Version 2 does not use Kerberos directly anymore, but relies on GSSAPI, the General Security Services API.
  • Page 879: Using LDAP and Kerberos

    46.11 Using LDAP and Kerberos When using Kerberos, one way to distribute the user information (such as user ID, groups, and home directory) in your local network is to use LDAP. This requires a strong authentication mechanism that prevents packet spoofing and other attacks. One solution is to use Kerberos for LDAP communication, too.
  • Page 880 A third, and maybe the best solution, is to tell OpenLDAP to use a special keytab file. To do this, start kadmin, and enter the following command after you have added the principal ldap/earth.example.com:
    ktadd -k /etc/openldap/ldap.keytab ldap/earth.example.com@EXAMPLE.COM
    Then, on the shell, run:
    chown ldap.ldap /etc/openldap/ldap.keytab
    chmod 600 /etc/openldap/ldap.keytab
    To tell OpenLDAP to use a different keytab file, change the following variable in...
  • Page 881 As you can see, ldapsearch prints a message that it started GSSAPI authentication. The next message is very cryptic, but it shows that the security strength factor (SSF for short) is 56 (The value 56 is somewhat arbitrary. Most likely it was chosen because this is the number of bits in a DES encryption key).
  • Page 882 authz-regexp uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
    To understand how this works, you need to know that when SASL authenticates a user, OpenLDAP forms a distinguished name from the name given to it by SASL (such as joe) and the name of the SASL flavor (GSSAPI). The result would be uid=joe,cn=GSSAPI,cn=auth.
  • Page 883: 47 Encrypting Partitions and Files

    Encrypting Partitions and Files Every user has some confidential data that third parties should not be able to access. The more you rely on mobile computing and on working in different environments and networks, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have network or physical access to your system.
  • Page 884: Setting Up an Encrypted File System with YaST

    mounted and the contents are made available to the user. Refer to Section 47.2, “Using Encrypted Home Directories” (page 869) for more information. Encrypting Single ASCII Text Files If you only have a small number of ASCII text files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using the vi editor.
  • Page 885 47.1.1 Creating an Encrypted Partition during Installation WARNING: Password Input Make sure to memorize the password for your encrypted partitions well. Without that password you cannot access or restore the encrypted data. The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition.
  • Page 886 password when prompted for it. After you are done with working on this partition, unmount it with umount name_of_partition to protect it from access by other users. When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation.
  • Page 887: Using Encrypted Home Directories

    The advantage of encrypted container files over encrypted partitions is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions. 47.1.4 Encrypting the Content of Removable Media YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk.
  • Page 888: Using vi to Encrypt Single ASCII Text Files

    LOGIN.key The image key, protected with the user's login password. On login the home directory automatically gets decrypted. Internally, it is provided by means of the PAM module pam_mount. If you need to add an additional login method that provides encrypted home directories, you have to add this module to the respective configuration file in /etc/pam.d/ (see Chapter 27, Authentication with PAM).
  • Page 889: 48 Confining Privileges with AppArmor

    Effective hardening of a computer system requires minimizing the number of programs that mediate privilege then securing the programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer.
  • Page 890: Installing Novell AppArmor

    Guide. 48.1 Installing Novell AppArmor Novell AppArmor is installed and running by default on any installation of SUSE Linux Enterprise® regardless of what patterns are installed. The packages listed below are needed for a fully functional instance of AppArmor •...
  • Page 891 Using Novell AppArmor Control Panel Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.
  • Page 892: Getting Started With Profiling Applications

    48.3 Getting Started with Profiling Applications Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items: 1 Determine the applications to profile. Read more on this in Section 48.3.1, “Choosing the Applications to Profile”...
  • Page 893: Building And Modifying Profiles

    There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
  • Page 894 Outline the basic profile by running YaST > Novell AppArmor > Add Profile Wizard and specifying the complete path of the application to profile. A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing but does not yet restrict
    2 Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.
  • Page 895 For more information about profile building and modification, refer to Chapter 2, Profile Components and Syntax (↑Novell AppArmor Administration Guide), Chapter 3, Building and Managing Profiles with YaST (↑Novell AppArmor Administration Guide), and Chapter 4, Building Profiles from the Command Line (↑Novell AppArmor Administration Guide).
  • Page 896 48.3.3 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.
  • Page 897: Updating Your Profiles

    Delete unneeded reports or add new ones. TIP: For More Information For more information about configuring event notification in Novell AppArmor, refer to Section “Configuring Security Event Notification” (Chapter 6, Managing Profiled Applications, ↑Novell AppArmor Administration Guide). Find more information about report configuration in Section “Configuring Reports”...
  • Page 898 TIP: For More Information For more information about updating your profiles from the system logs, refer to Section “Updating Profiles from Log Entries” (Chapter 3, Building and Managing Profiles with YaST, ↑Novell AppArmor Administration Guide).
  • Page 899: 9 Security And Confidentiality

    Security and Confidentiality One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent.
  • Page 900: Local Security And Network Security

    49.1 Local Security and Network Security There are several ways of accessing data: • personal communication with people who have the desired information or access to the data on a computer • directly from the console of a computer (physical access) •...
  • Page 901 Serial terminals connected to serial ports are still used in many places. Unlike network interfaces, they do not rely on a network protocol to communicate with the host. A simple cable or an infrared port is used to send plain characters back and forth between the devices.
  • Page 902: File Permissions

    In the seventies, it was argued that this method would be more secure than others due to the relative slowness of the algorithm used, which took a few seconds to encrypt just one password. In the meantime, however, PCs have become powerful enough to do several hundred thousand or even millions of encryptions per second.
  • Page 903 The permissions of all files included in the SUSE Linux Enterprise distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits. Experienced and security-conscious system administrators always use the -l option with the command ls to get an extensive file list, which allows them to detect any incorrect file permissions immediately.
  • Page 904 is written beyond the end of that buffer area, which, under certain circumstances, makes it possible for a program to execute program sequences influenced by the user (and not by the programmer), rather than just processing user data. A bug of this kind may have serious consequences, especially if the program is being executed with special privileges (see Section 49.1.4, “File Permissions”...
  • Page 905: Network Security

    them. Viruses are a typical sign that the administrator or the user lacks the required security awareness, putting at risk even a system that should be highly secure by its very design. Viruses should not be confused with worms, which belong to the world of networks entirely.
  • Page 906 In the case of cookie-based access control, a character string is generated that is only known to the X server and to the legitimate user, just like an ID card of some kind. This cookie (the word goes back not to ordinary cookies, but to Chinese fortune cookies, which contain an epigram) is stored on login in the file .Xauthority in the user's home directory and is available to any X client wanting to use the X server to display a window.
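The cookie described above is stored in the user's .Xauthority file; the following added example (not code from the manual) parses that file format and checks that its mode keeps the cookie private. The file layout assumed here is the standard xauth one: a 2-byte big-endian family code followed by four length-prefixed fields (address, display number, authorization name, authorization data); the sample entry and its cookie value are constructed.

```python
"""Parse and sanity-check an .Xauthority file (added example, not from the manual)."""
import stat
import struct
from dataclasses import dataclass
from typing import Dict, List

# Family codes used by the X authorization file format.
FAMILY_NAMES: Dict[int, str] = {
    0: "FamilyInternet",
    6: "FamilyInternet6",
    256: "FamilyLocal",
    0xFFFF: "FamilyWild",
}


@dataclass
class XauthEntry:
    family: int
    address: bytes
    number: str
    name: str
    data: bytes

    def describe(self) -> str:
        """Human-readable line that never reveals the cookie bytes."""
        fam = FAMILY_NAMES.get(self.family, "Family%d" % self.family)
        return "%s/%s:%s %s (%d secret bytes)" % (
            fam, self.address.decode("ascii", "replace"), self.number,
            self.name, len(self.data))


def _read_field(buf: bytes, pos: int):
    """Read one field: 2-byte big-endian length followed by that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % pos)
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return buf[pos:pos + length], pos + length


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Decode every entry in the file; a truncated file raises ValueError."""
    entries: List[XauthEntry] = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % pos)
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_field(buf, pos)
        number, pos = _read_field(buf, pos)
        name, pos = _read_field(buf, pos)
        data, pos = _read_field(buf, pos)
        entries.append(XauthEntry(family, address, number.decode("ascii"),
                                  name.decode("ascii"), data))
    return entries


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_xauthority(buf)
        return True
    except ValueError:
        return False


def build_entry(family: int, address: bytes, number: str,
                name: str, data: bytes) -> bytes:
    """Inverse of parse_xauthority for one entry (used to build sample input)."""
    def field(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">H", family) + field(address) + field(number.encode("ascii"))
            + field(name.encode("ascii")) + field(data))


def mode_is_private(mode: int) -> bool:
    """True when no group/other permission bit is set, i.e. the expected 0600."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample: one local entry for display :0 with a made-up cookie.
SAMPLE_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_FILE = build_entry(256, b"suse", "0", "MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)

if __name__ == "__main__":
    for entry in parse_xauthority(SAMPLE_FILE):
        print(entry.describe())
    print("0600 is private:", mode_is_private(0o600))
    print("0644 is private:", mode_is_private(0o644))
```

To inspect a real file, read ~/.Xauthority in binary mode and pass the bytes to parse_xauthority; describe() reports each entry without printing the secret.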
  • Page 907: Denial Of Service

    exploit these newly-found security holes—are often posted on the security mailing lists. They can be used to target the vulnerability without knowing the details of the code. Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software.
  • Page 908 not secured against hijacking through encryption, which only perform a simple authentication procedure upon establishing the connection, makes it easier for attackers. Spoofing is an attack where packets are modified to contain counterfeit source data, usually the IP address. Most active forms of attack rely on sending out such fake packets—something that, on a Linux machine, can only be done by the superuser (root).
  • Page 909: Some General Security Tips And Tricks

    49.2 Some General Security Tips and Tricks To handle security competently, it is important to keep up with new developments and stay informed about the latest security issues. One very good way to protect your systems against problems of all kinds is to get and install the updated packages recommended by security announcements as quickly as possible.
  • Page 910 • Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the intended way. On the other hand, consider that, in most cases, the program will also have ceased to be a potential security risk.
  • Page 911: Using The Central Security Reporting Address

    SUSE's PGP key is: ID:3D25D3D9 1999-03-06 SUSE Security Team <security@suse.de> Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5 This key is also available for download from http://www.novell.com/linux/security/securitysupport.html.
  • Page 913: Part Vi Troubleshooting

    Part VI. Troubleshooting...
  • Page 915: 0 Help And Documentation

    Help and Documentation SUSE Linux Enterprise® comes with various sources of information and documentation. The SUSE Help Center provides central access to the most important documentation resources on your system in searchable form. These resources include online help for installed applications, manual pages, info pages, databases on hardware and software topics, and all manuals delivered with your product.
  • Page 916 configuration of the search function in the Search tab are presented in Section 50.1.2, “The Search Function” (page 899). The Contents tab presents a tree view of all available and currently installed information sources. Click the book icons to open and browse the individual categories.
  • Page 917: The Search Function

    50.1.1 Contents The SUSE Help Center provides access to useful information from various sources. It contains special documentation for SUSE Linux Enterprise (Start-Up, KDE User Guide, GNOME User Guide, and Reference), all available information sources for your workstation environment, online help for the installed programs, and help texts for other applications.
  • Page 918 Figure 50.3 Generating a Search Index To limit the search base and the hit list as precisely as possible, use the three drop-down menus to determine the number of displayed hits and the selection area of sources to search. The following options are available for determining the selection area: Default A predefined selection of sources is searched.
  • Page 919: Man

    50.2 Man Pages Man pages are an essential part of any Linux system. They explain the usage of a command and all available options and parameters. Man pages are sorted in categories as shown in Table 50.1, “Man Pages—Categories and Descriptions” (page 901) (taken from the man page for man itself).
  • Page 920: Info

    Another possibility to display a man page is to use Konqueror. Start Konqueror and type, for example, man:/ls. If there are different categories for a command, Konqueror displays them as links. 50.3 Info Pages Info pages are another important source of information on your system. Usually they are more verbose than man pages.
  • Page 921: Wikipedia: The Free Online Encyclopedia

    50.5 Wikipedia: The Free Online Encyclopedia Wikipedia is “a multilingual encyclopedia designed to be read and edited by anyone” (see http://en.wikipedia.org). The content of Wikipedia is created by its users and is published under a free license (GFDL). Any visitors can edit articles, which gives the danger of vandalism, but this does not repel visitors.
  • Page 922: Package Documentation

    50.7 Package Documentation If you install a package in your system, a directory /usr/share/doc/packages/packagename is created. You can find files from the package maintainer as well as additional information from SUSE. Sometimes there are also examples, configuration files, additional scripts, or other things available. Usually you can find the following files, but they are not standard and sometimes not all files are available.
  • Page 923: Usenet

    50.8 Usenet Created in 1979 before the rise of the Internet, Usenet is one of the oldest computer networks and still in active use. The format and transmission of Usenet articles is very similar to e-mail, but is developed for a many-to-many communication. Usenet is organized into seven topical categories: comp.* for computer-related discussions, misc.* for miscellaneous topics, news.* for newsgroup-related matters, rec.* for recreation and entertainment, sci.* for science-related discussions, soc.*...
  • Page 924 concentrates on standardizing Web technologies. W3C promotes the dissemination of open, license-free, and manufacturer-independent specifications, such as HTML, XHTML, and XML. These Web standards are developed in a four-stage process in working groups and are presented to the public as W3C recommendations (REC). http://www.oasis-open.org OASIS (Organization for the Advancement of Structured Information Standards) is an international consortium specializing in the development of standards for Web...
  • Page 925 The association brings together manufacturers, consumers, trade professionals, service companies, scientists and others who have an interest in the establishment of standards. The standards are subject to a fee and can be ordered using the DIN home page.
  • Page 927: 1 Common Problems And Their Solutions

    Common Problems and Their Solutions This chapter offers a range of common problems that can arise with an intention of covering as many of the various types of potential problems as possible. That way, even if your precise situation is not listed here, there might be one similar enough to offer hints as to the solution.
  • Page 928 Table 51.1 Log Files
    /var/log/boot.msg: Messages from the kernel during the boot process.
    /var/log/mail.*: Messages from the mail system.
    /var/log/messages: Ongoing messages from the kernel and system log daemon when running.
    /var/log/NetworkManager: Log file from NetworkManager to collect problems with network connectivity...
  • Page 929 Table 51.2 System Information
    /proc/cpuinfo: This displays processor information, including its type, make, model, and performance.
    /proc/dma: This shows which DMA channels are currently being used.
    /proc/interrupts: This shows which interrupts are in use and how many of each have been in use.
    /proc/iomem: This displays the status of I/O (input/output) memory.
    This shows which I/O ports are in use at the moment.
  • Page 930: Installation Problems

    51.2 Installation Problems Installation problems are situations when a machine fails to install. It may fail entirely or it may not be able to start the graphical installer. This section highlights some of the typical problems you might run into and offers possible solutions or workarounds for these kinds of situations.
  • Page 931 Booting from a Floppy Disk Create a boot floppy and boot from floppy disk instead of CD or DVD. Using an External Boot Device If it is supported by the machine's BIOS and the installation kernel, boot for installation from external CD or DVD drives. Network Boot via PXE If a machine lacks a CD or DVD drive, but provides a working ethernet connection, perform a completely network-based installation.
  • Page 932 verbose 1 in syslinux.cfg for the boot loader to display which action is currently being performed. If the machine does not boot from the floppy disk, you may need to change the boot sequence in the BIOS to A,C,CDROM. External Boot Devices Most CD-ROM drives are supported.
  • Page 933 appears, look for a line, usually below the counter or somewhere at the bottom, mentioning the key to press to access the BIOS setup. Usually the key to press is Del , F1 , or Esc . Press this key until the BIOS setup screen appears. Procedure 51.1 Changing the BIOS Boot Sequence 1 Enter the BIOS using the proper key as announced by the boot routines and wait for the BIOS screen to appear.
  • Page 934 7 Exit this screen and confirm with Yes to boot the computer. Regardless of what language and keyboard layout your final installation will be using, most BIOS configurations use the US keyboard layout as depicted in the following figure: Figure 51.1 US Keyboard Layout 51.2.5 Fails to Boot Some hardware types, mainly fairly old or very recent ones, fail to install.
  • Page 935 If this fails, proceed as above, but choose Installation--Safe Settings instead. This option disables ACPI and DMA support. Most hardware should boot with this option. If both of these options fail, use the boot options prompt to pass any additional parameters needed to support this type of hardware to the installation kernel.
  • Page 936 notsc Disable the time stamp counter. This option can be used to work around timing problems on your systems. It is a new feature; if you see regressions on your machine, especially time-related ones or even total hangs, this option is worth a try. nohz=off Disable the nohz feature.
  • Page 937 To perform an installation in text mode, proceed as follows: 1 Boot for installation. 2 Press F3 and select Text Mode. 3 Select Installation and proceed with the installation as described in Chapter 3, Installation with YaST (page 17). To perform a VNC installation, proceed as follows: 1 Boot for installation.
  • Page 938: Boot Problems

    If you use any kind of VNC viewer on your preferred operating system, enter the IP address and password when prompted to do so. A window opens, displaying the installation dialogs. Proceed with the installation as usual. 51.2.7 Only Minimalistic Boot Screen Started You inserted the first CD or DVD into the drive, the BIOS routines are finished, but the system does not start with the graphical boot screen.
  • Page 939 51.3.1 Fails to Load the GRUB Boot Loader If the hardware is functioning properly, it is possible that the boot loader has become corrupted and Linux cannot start on the machine. In this case, it is necessary to reinstall the boot loader. To reinstall the boot loader, proceed as follows: 1 Insert the installation media into the drive.
  • Page 940 51.3.2 No Graphical Login If the machine comes up, but does not boot into the graphical login manager, anticipate problems either with the choice of the default runlevel or the configuration of the X Window System. To check the runlevel configuration, log in as the root user and check whether the machine is configured to boot into runlevel 5 (graphical desktop).
  • Page 941: Login Problems

    51.4 Login Problems Login problems are those where your machine does, in fact, boot to the expected welcome screen or login prompt, but refuses to accept the username and password or accepts them but then does not behave properly (fails to start the graphic desktop, produces errors, drops to a command line, etc.).
  • Page 942 In all cases that do not involve external network problems, the solution is to reboot the system into single-user mode and repair the configuration before booting again into operating mode and attempting to log in again. To boot into single-user mode: 1 Reboot the system.
  • Page 943 2 Log in as root and check /var/log/messages for error messages of the login process and of PAM. 3 Try to log in from a console (using Ctrl + Alt + F1 ). If this is successful, the blame cannot be put on PAM, because it is possible to authenticate this user on this machine.
  • Page 944 • The machine has changed hostnames, for whatever reason, and the user does not have permission to log in to that host. • The machine cannot reach the authentication server or directory server that contains that user's information. • There might be problems with the X Window System authenticating this particular user, especially if the user's home has been used with another Linux distribution prior to installing the current one.
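Step 2 of the procedure above tells you to read /var/log/messages for login and PAM errors; the following added example (not code from the manual) does that reading for you, pulling user and remote host out of PAM authentication-failure lines and out of the "FAILED LOGIN" lines written by login, then counting failures per user and per source host. The sample log lines are constructed, and the pam_unix message shape is the one PAM modules commonly log; adjust the regular expressions if your module logs a different format.

```python
"""Scan /var/log/messages-style lines for login failures (added example, not from the manual)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Syslog line: "<Mon> <day> <HH:MM:SS> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# PAM's failure message carries key=value pairs (user=, rhost=, ...) we can harvest.
PAM_FAIL_RE = re.compile(
    r"pam_\w+\((?P<service>[^:]+):(?P<type>\w+)\): authentication failure;(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Console logins via /bin/login report failures in their own format.
LOGIN_FAIL_RE = re.compile(
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+), (?P<reason>.*)")


def parse_failure(line: str) -> Optional[Dict[str, str]]:
    """Return user/rhost/reason for a failed login line, or None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    pam = PAM_FAIL_RE.search(msg)
    if pam:
        kv = dict(KV_RE.findall(pam.group("kv")))
        return {"prog": m.group("prog"), "service": pam.group("service"),
                "user": kv.get("user", "?"), "rhost": kv.get("rhost") or "local",
                "reason": "pam authentication failure"}
    lg = LOGIN_FAIL_RE.search(msg)
    if lg:
        src = lg.group("src")
        return {"prog": m.group("prog"), "service": m.group("prog"),
                "user": lg.group("user"),
                "rhost": "local" if src == "(null)" else src,
                "reason": lg.group("reason")}
    return None


def failures(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (parse_failure(l) for l in lines) if f]


def failures_by_user(lines: List[str]) -> Dict[str, int]:
    return dict(Counter(f["user"] for f in failures(lines)))


def failures_by_host(lines: List[str]) -> Dict[str, int]:
    return dict(Counter(f["rhost"] for f in failures(lines)))


def suspicious_hosts(lines: List[str], threshold: int = 2) -> List[str]:
    """Remote hosts with at least `threshold` failed logins; local console is excluded."""
    return sorted(h for h, n in failures_by_host(lines).items()
                  if h != "local" and n >= threshold)


# Constructed sample lines in the shape of /var/log/messages entries.
# The sshd "Failed password" line duplicates the PAM record of the same attempt,
# so only the PAM and login lines are counted.
SAMPLE_LOG = [
    "May  8 10:12:01 suse sshd[2345]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=tux",
    "May  8 10:12:07 suse sshd[2345]: Failed password for tux from 192.0.2.10 port 51022 ssh2",
    "May  8 10:12:20 suse login[2401]: FAILED LOGIN 1 FROM (null) FOR tux, Authentication failure",
    "May  8 10:12:31 suse sshd[2410]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "May  8 10:12:40 suse sshd[2412]: Accepted publickey for tux from 192.0.2.20 port 51030 ssh2",
    "May  8 10:13:02 suse kernel: eth0: link up",
]

if __name__ == "__main__":
    for f in failures(SAMPLE_LOG):
        print("%-6s %-16s %-5s %s" % (f["prog"], f["rhost"], f["user"], f["reason"]))
    print("by user:", failures_by_user(SAMPLE_LOG))
    print("by host:", failures_by_host(SAMPLE_LOG))
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

Run it against the real file with failures(open("/var/log/messages").readlines()); if a user appears only under "local" failures, the cause is on this machine rather than a remote source.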
  • Page 945 startx -- :1 This should bring up a graphical screen and your desktop. If it does not, check the log files of the X Window System (/var/log/Xorg.displaynumber.log) or the log file for your desktop applications (.xsession-errors in the user's home directory) for any irregularities. 8 If the desktop could not start because of corrupt configuration files, proceed with Section 51.4.3, “Login Successful but GNOME Desktop Fails ”...
  • Page 946 6 Recover your individual application configuration data (including the Evolution e-mail client data) by copying the ~/.gconf-ORIG-RECOVER/apps/ directory back into the new ~/.gconf directory as follows: cp -a .gconf-ORIG-RECOVER/apps .gconf/ If this causes the login problems, attempt to recover only the critical application data and reconfigure the remainder of the applications.
  • Page 947: Network Problems

    3 Move the KDE configuration directory and the .skel files to a temporary location: mv .kde .kde-ORIG-RECOVER mv .skel .skel-ORIG-RECOVER 4 Log out. 5 Log in again. 6 After the desktop has started successfully, copy the user's own configurations back into place: cp -a .kde-ORIG-RECOVER/share .kde/share IMPORTANT...
  • Page 948 2 If using a wireless connection, check whether the wireless link can be established by other machines. If this is not the case, contact the wireless network's administrator. 3 Once you have checked your basic network connectivity, try to find out which service is not responding.
  • Page 949 LDAP (User Management) If your SUSE Linux Enterprise system relied on an LDAP server to provide the user data, users would not be able to log in to this machine if the LDAP service was down. Kerberos (Authentication) Authentication would not work and login to any machine would fail. CUPS (Network Printing) Users would not be able to print.
  • Page 950 network hardware is faulty. Refer to Step 4c (page 933) for information about this. 4b Use host hostname to check whether the hostname of the server you are trying to connect to is properly translated into an IP address and vice versa.
  • Page 951 mation. For detailed information about DNS, refer to Chapter 33, The Domain Name System (page 611). If you have made sure that the DNS configuration of your host and the DNS server are correct, proceed with checking the configuration of your network and network device. 4c If your system cannot establish a connection to a network server and you have excluded name service problems from the list of possible culprits, check the configuration of your network card.
  • Page 952: Data Problems

    2 Restart the NetworkManager: rcnetwork restart -o nm 3 Open a web page, for example http://www.opensuse.org, as normal user to see if you can connect. 4 Collect any information about the state of NetworkManager in /var/log/NetworkManager. For more information about NetworkManager, refer to Section 30.5, “Managing Network Connections with NetworkManager”...
  • Page 953 the IP address or name of the server and the directory that should hold your archive. 2d Determine the archive type and click Next. 2e Determine the backup options to use, such as whether files not belonging to any package should be backed up and whether a list of files should be dis- played prior to creating the archive.
  • Page 954 51.6.2 Restoring a System Backup Use the YaST System Restoration module to restore the system configuration from a backup. Restore the entire backup or select specific components that were corrupted and need to be reset to their old state. 1 Start YaST > System > System Restoration. 2 Enter the location of the backup file.
  • Page 955 Using YaST System Repair Before launching the YaST System Repair module, determine in which mode to run it to best fit your needs. Depending on the severity and cause of your system failure and your expertise, there are three different modes to choose from: Automatic Repair If your system failed due to an unknown cause and you basically do not know which part of the system is to blame for the failure, use Automatic Repair.
  • Page 956 3 At the boot screen, select Installation. 4 Select the language and click Next. 5 Confirm the license agreement and click Next. 6 In System Analysis, select Other > Repair Installed System. 7 Select Automatic Repair. YaST now launches an extensive analysis of the installed system. The progress of the procedure is displayed at the bottom of the screen with two progress bars.
  • Page 957 Swap Partitions The swap partitions of the installed system are detected, tested, and offered for activation where applicable. The offer should be accepted for the sake of a higher system repair speed. File Systems All detected file systems are subjected to a file system–specific check. Entries in the File /etc/fstab The entries in the file are checked for completeness and consistency.
  • Page 958 3 At the boot screen, select Installation. 4 Select the language and click Next. 5 Confirm the license agreement and click Next. 6 In System Analysis, select Other > Repair Installed System. 7 Select Customized Repair. Choosing Customized Repair shows a list of test runs that are all marked for execution at first.
  • Page 959 2 In System Analysis, select Other > Repair Installed System. 3 Select Expert Tools and choose one or more repair options. 4 After the repair process has been terminated successfully, click OK and Finish and remove the installation media. The system automatically reboots. Expert Tools provides the following options to repair your faulty system: Install New Boot Loader This starts the YaST boot loader configuration module.
  • Page 960 Using the Rescue System SUSE Linux Enterprise contains a rescue system. The rescue system is a small Linux system that can be loaded into a RAM disk and mounted as root file system, allowing you to access your Linux partitions from the outside. Using the rescue system, you can recover or modify any important aspect of your system: •...
  • Page 961 2 Boot the system using “Wake on LAN”, as described in Section 4.3.7, “Wake on LAN” (page 75). 3 Enter root at the Rescue: prompt. A password is not required. Once you have entered the rescue system, you can make use of the virtual consoles that can be reached with Alt + F1 to Alt + F6 .
  • Page 962 5 Unmount the root file system from the rescue system: umount /mnt 6 Reboot the machine. Repairing and Checking File Systems Generally, file systems cannot be repaired on a running system. If you encounter serious problems, you may not even be able to mount your root file system and the system boot may end with a kernel panic.
  • Page 963 4 Finally, mount the remaining partitions from the installed system: mount -a 5 Now you have access to the installed system. Before rebooting the system, unmount the partitions with umount -a and leave the “change root” environment with exit. WARNING: Limitations Although you have full access to the files and applications of the installed system, there are some limitations.
  • Page 964: Ibm System Z: Using Initrd As A Rescue System

    Apply fixes to the device mapping (device.map) or the location of the root partition and configuration files, if necessary. 3 Reinstall the boot loader using the following command sequence: grub --batch < /etc/grub.conf 4 Unmount the partitions, log out from the “change root” environment, and reboot the system: umount -a exit...
  • Page 965 First, IPL the SUSE Linux Enterprise Server for IBM System z installation system as described in the Architecture-Specific Information manual. A list of choices for the network adapter to use is then presented. Select Start Installation or System then Start Rescue System to start the rescue system. Depending on the installation environment, you now must specify the parameters for the network adapter and the installation source.
  • Page 966 0.0.4000 is the channel to which the adapter is attached and 1 stands for activate (a 0 here would deactivate the adapter). 2 After the adapter is activated, a disk can be configured. Do this with the following command: zfcp_disk_configure 0.0.4000 1234567887654321 8765432100000000 0.0.4000 is the previously-used channel ID, 1234567887654321 is the WWPN (World wide Port Number), and 8765432100000000 is the LUN...
  • Page 967 Example 51.1 Output of the Mount Command
    SuSE Instsys suse:/ # mount
    shmfs on /newroot type shm (rw,nr_inodes=10240)
    devpts on /dev/pts type devpts (rw)
    virtual-proc-filesystem on /proc type proc (rw)
    /dev/dasda2 on /mnt type reiserfs (rw)
    51.7.4 Changing to the Mounted File System For the zipl command to read the configuration file from the root device of the installed system and not from the rescue system, change the root device to the installed system with the chroot command:...
  • Page 968 51.7.6 Exiting the Rescue System To exit the rescue system, first leave the shell opened by the chroot command with exit. To prevent any loss of data, flush all unwritten buffers to disk with the sync command. Now change to the root directory of the rescue system and unmount the root device of SUSE Linux Enterprise Server for IBM System z installation.
  • Page 969: Index

