Red Hat Enterprise Linux 4

System
Administration Guide
For Red Hat Enterprise Linux 4

Summary of Contents for Red Hat Enterprise Linux 4

  • Page 1: Red Hat Enterprise Linux

    Red Hat Enterprise Linux 4 System Administration Guide For Red Hat Enterprise Linux 4...
  • Page 2 Red Hat Enterprise Linux 4 System Administration Guide For Red Hat Enterprise Linux 4, Edition 2. Copyright © 2008 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    Introduction (xiii); 1. Changes To This Manual (xiii); 2. Document Conventions (xiv); 2.1. Typographic Conventions (xiv); 2.2. Pull-quote Conventions (xvi); 2.3. Notes and Warnings (xvi); 3. More to Come (xvii); 3.1. Send in Your Feedback (xvii); I.
  • Page 4 3.2.1. Command Line Configuration (53); 3.3. Adding PXE Hosts (53); 3.3.1. Command Line Configuration (55); 3.4. Adding a Custom Boot Message (55); 3.5. Performing the PXE Installation (55); 4. Diskless Environments; 4.1. Configuring the NFS Server (57); 4.2.
  • Page 5 10.2. Creating the RAID Devices and Mount Points (97); 11. Swap Space; 11.1. What is Swap Space? (103); 11.2. Adding Swap Space (103); 11.2.1. Extending Swap on an LVM2 Logical Volume (104); 11.2.2. Creating an LVM2 Logical Volume for Swap (104); 11.2.3.
  • Page 6 15.1. RPM Design Goals (131); 15.2. Using RPM (132); 15.2.1. Finding RPM Packages (132); 15.2.2. Installing (132); 15.2.3. Uninstalling (134); 15.2.4. Upgrading (135); 15.2.5. Freshening (136); 15.2.6. Querying (136); 15.2.7.
  • Page 7 18.5.1. Postrouting and IP Masquerading (184); 18.5.2. Prerouting (184); 18.5.3. DMZs and IPTables (185); 18.6. Malicious Software and Spoofed IP Addresses (185); 18.7. IPTables and Connection Tracking (186); 18.8. IPv6 (186); 18.9. Additional Resources (187); 18.9.1.
  • Page 8 22.1. Why Use Samba? (213); 22.2. Configuring a Samba Server (213); 22.2.1. Graphical Configuration (213); 22.2.2. Command Line Configuration (218); 22.2.3. Encrypted Passwords (218); 22.2.4. Starting and Stopping the Server (220); 22.3.
  • Page 9 25.11.1. Useful Websites (263); 25.11.2. Related Books (263); 26. Authentication Configuration; 26.1. User Information (265); 26.2. Authentication (267); 26.3. Command Line Version (268); V. System Configuration; 27. Console Access; 27.1. Disabling Shutdown Via Ctrl+Alt+Del (273); 27.2.
  • Page 10 33.3. Adding a Samba (SMB) Printer (310); 33.4. Adding a JetDirect Printer (312); 33.5. Selecting the Printer Model and Finishing (312); 33.5.1. Confirming Printer Configuration (313); 33.6. Printing a Test Page (313); 33.7.
  • Page 11 37.3.1. Installed Documentation (339); 37.3.2. Useful Websites (340); 38. Mail Transport Agent (MTA) Configuration; VI. System Monitoring; 39. Gathering System Information; 39.1. System Processes (345); 39.2. Memory Usage (347); 39.3. File Systems (348); 39.4. Hardware (349); 39.5.
  • Page 13: Introduction

    Introduction Welcome to the System Administrators Guide. The System Administrators Guide contains information on how to customize your Red Hat Enterprise Linux system to fit your needs. If you are looking for a step-by-step, task-oriented guide for configuring and customizing your system, this is the manual for you. This manual discusses many intermediate topics such as the following: •...
  • Page 14: Document Conventions

    An Updated OProfile Chapter: The OProfile chapter has been revised and reorganized to include updated information regarding the 2.6 kernel. Special thanks to Will Cohen for his hard work in helping to complete this chapter. An Updated X Window System Chapter: The X Window System chapter has been revised to include information on the X11R6.8 release developed by the X.Org team.
  • Page 15 If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph are presented in mono-spaced bold. For example: File-related classes include filesystem for file systems, file for files, and dir for directories.
  • Page 16: Pull-Quote Conventions

    When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a server-pool. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called Multi-Processing Modules (MPMs).
  • Page 17: More To Come

    If you find an error in the System Administrators Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla/) against the component rh-sag. Be sure to mention the manual's identifier: rh-sag. By mentioning this manual's identifier, we know exactly which version of the guide you have.
  • Page 19: Installation-Related Information

    Part I. Installation-Related Information The Installation Guide discusses the installation of Red Hat Enterprise Linux and some basic post-installation troubleshooting. However, advanced installation options are covered in this manual. This part provides instructions for kickstart (an automated installation technique) and all related tools. Use this part in conjunction with the Installation Guide to perform any of these advanced installation tasks.
  • Page 21: Kickstart Installations

    Chapter 1. Kickstart Installations 1.1. What are Kickstart Installations? Many system administrators would prefer to use an automated installation method to install Red Hat Enterprise Linux on their machines. To answer this need, Red Hat, Inc. created the kickstart installation method.
  • Page 22: Kickstart Options

    • Items that are not required can be omitted. • Omitting any required item results in the installation program prompting the user for an answer to the related item, just as the user would be prompted during a typical installation. Once the answer is given, the installation continues unattended (unless it finds another missing item).
  • Page 23 ignoredisk --drives=drive1,drive2,... where driveN is one of sda, sdb, ..., hda, ... etc. autostep (optional) Similar to interactive except it goes to the next screen for you. It is used mostly for debugging. auth or authconfig (required) Sets up the authentication options for the system. It is similar to the authconfig command, which can be run after the install.
  • Page 24 --enablekrb5 Use Kerberos 5 for authenticating users. Kerberos itself does not know about home directories, UIDs, or shells. If you enable Kerberos, you must make users' accounts known to this workstation by enabling LDAP, NIS, or Hesiod or by using the /usr/sbin/useradd command to make their accounts known to this workstation.
  • Page 25 --enablesmbauth Enables authentication of users against an SMB server (typically a Samba or Windows server). SMB authentication support does not know about home directories, UIDs, or shells. If you enable SMB, you must make users' accounts known to the workstation by enabling LDAP, NIS, or Hesiod or by using the /usr/sbin/useradd command to make their accounts known to the workstation.
  • Page 26 clearpart (optional) Removes partitions from the system, prior to creation of new partitions. By default, no partitions are removed. Note: If the clearpart command is used, then the --onpart command cannot be used on a logical partition. --all Erases all partitions from the system.
  • Page 27 --opts= Mount options to use for mounting the NFS export. Any options that can be specified in /etc/fstab for an NFS mount are allowed. The options are listed in the nfs(5) man page. Multiple options are separated with a comma. driverdisk (optional) Driver diskettes can be used during kickstart installations.
  • Page 28 Install from a Red Hat installation tree on a local drive, which must be either vfat or ext2. • --partition= Partition to install from (such as, sdb2). • --dir= Directory containing the RedHat directory of the installation tree. For example:...
  • Page 29 Install from the NFS server specified. • --server= Server from which to install (hostname or IP). • --dir= Directory containing the RedHat directory of the installation tree. For example: nfs --server=nfsserver.example.com --dir=/tmp/install-tree Install from an installation tree on a remote server via FTP or HTTP.
  • Page 30 lang (required) Sets the language to use during installation. For example, to set the language to English, the kickstart file should contain the following line: lang en_US The file /usr/share/system-config-language/locale-list provides a list of the valid language codes in the first column of each line and is part of the system-config-language package.
  • Page 31 mouse (required) Configures the mouse for the system, both in GUI and text modes. Options are: --device= Device the mouse is on (such as --device=ttyS0). --emulthree If present, simultaneous clicks on the left and right mouse buttons are recognized as the middle mouse button by the X Window System.
  • Page 32 The static method requires that you enter all the required networking information in the kickstart file. As the name implies, this information is static and is used during and after the installation. The line for static networking is more complex, as you must include all network configuration information on one line.
  • Page 33 If more than one Red Hat Enterprise Linux installation exists on the system on different partitions, the installation program prompts the user and asks which installation to upgrade. Warning: All partitions created are formatted as part of the installation process unless --noformat and --onpart are used.
  • Page 34 --onpart= or --usepart= Put the partition on the already existing device. For example: partition /home --onpart=hda1 puts /home on /dev/hda1, which must already exist. --ondisk= or --ondrive= Forces the partition to be created on a particular disk. For example, --ondisk=sdb puts the partition on the second SCSI disk on the system.
  • Page 35 raid (optional) Assembles a software RAID device. This command is of the form: raid <mntpoint> --level=<level> --device=<mddevice> <partitions*> <mntpoint> Location where the RAID file system is mounted. If it is /, the RAID level must be 1 unless a boot partition (/boot) is present. If a boot partition is present, the /boot partition must be level 1 and the root (/) partition can be any of the available types.
  • Page 36 raid /usr --level=5 --device=md1 raid.11 raid.12 raid.13 For a detailed example of raid in action, refer to Section 1.4.1, “Advanced Partitioning Example”. reboot (optional) Reboot after the installation is successfully completed (no arguments). Normally during a manual installation, anaconda displays a message and waits for the user to press a key before rebooting.
  • Page 37 The shutdown option is roughly equivalent to the shutdown command. For other completion methods, refer to the halt, poweroff, and reboot kickstart options. skipx (optional) If present, X is not configured on the installed system. text (optional) Perform the kickstart installation in text mode. Kickstart installations are performed in graphical mode by default.
  • Page 38 --vsync= Specifies the vertical sync frequency of the monitor. --defaultdesktop= Specify either GNOME or KDE to set the default desktop (assumes that GNOME Desktop Environment and/or KDE Desktop Environment has been installed through %packages). --startxonboot Use a graphical login on the installed system. --resolution= Specify the default resolution for the X Window System on the installed system.
  • Page 39: Advanced Partitioning Example

    Packages can be specified by group or by individual package name. The installation program defines several groups that contain related packages. Refer to the RedHat/base/comps.xml file on the first Red Hat Enterprise Linux CD-ROM for a list of groups. Each group has an id, user visibility value, name, description, and package list.
  • Page 40: Pre-Installation Script

    In most cases, it is only necessary to list the desired groups and not individual packages. Note that the Core and Base groups are always selected by default, so it is not necessary to specify them in the %packages section.
  • Page 41: Example

    Note: the pre-install script is not run in the change root environment. --interpreter /usr/bin/python Allows you to specify a different scripting language, such as Python. Replace /usr/bin/python with the scripting language of your choice. 1.6.1. Example Here is an example %pre section: %pre #!/bin/sh hds=""...
  • Page 42: Post-Installation Script

    %include /tmp/part-include The partitioning commands selected in the script are used. Note: The pre-installation script section of kickstart cannot manage multiple install trees or source media. This information must be included for each created ks.cfg file, as the pre-installation script occurs during the second stage of the installation process.
  • Page 43: Making The Kickstart File Available

    /sbin/chkconfig --level 345 telnet off /sbin/chkconfig --level 345 finger off /sbin/chkconfig --level 345 lpd off /sbin/chkconfig --level 345 httpd on Run a script named runme from an NFS share: mkdir /mnt/temp mount -o nolock 10.10.0.2:/usr/new-machines /mnt/temp open -s -w -- /mnt/temp/runme umount /mnt/temp Note: NFS file locking is not supported while in kickstart mode, therefore -o nolock is required...
  • Page 44: Making The Kickstart File Available On The Network

    Here is an example of a line from the dhcpd.conf file for the DHCP server: filename "/usr/new-machine/kickstart/"; next-server blarg.redhat.com; Note that you should replace the value after filename with the name of the kickstart file (or the directory in which the kickstart file resides) and the value after next-server with the NFS server name.
  • Page 45: Making The Installation Tree Available

    1.9. Making the Installation Tree Available The kickstart installation must access an installation tree. An installation tree is a copy of the binary Red Hat Enterprise Linux CD-ROMs with the same directory structure. If you are performing a CD-based installation, insert the Red Hat Enterprise Linux CD-ROM #1 into the computer before starting the kickstart installation.
  • Page 46 ks=http://<server>/<path> The installation program looks for the kickstart file on the HTTP server <server>, as file <path>. The installation program uses DHCP to configure the Ethernet card. For example, if your HTTP server is server.example.com and the kickstart file is in the HTTP directory /mydir/ks.cfg, the correct boot command would be ks=http://server.example.com/mydir/ks.cfg.
  • Page 47: Kickstart Configurator

    Chapter 2. Kickstart Configurator Kickstart Configurator allows you to create or modify a kickstart file using a graphical user interface, so that you do not have to remember the correct syntax of the file. To use Kickstart Configurator, you must be running the X Window System. To start Kickstart Configurator, select Applications (the main menu on the panel) =>...
  • Page 48 Select the system keyboard type from the Keyboard menu. Choose the mouse for the system from the Mouse menu. If No Mouse is selected, no mouse is configured. If Probe for Mouse is selected, the installation program tries to automatically detect the mouse.
  • Page 49: Installation Method

    NFS server, enter a fully-qualified domain name or IP address. For the NFS directory, enter the name of the NFS directory that contains the RedHat directory of the installation tree. For example, if the NFS server contains the directory /mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the NFS directory.
  • Page 50: Boot Loader Options

    IP address. For the HTTP directory, enter the name of the HTTP directory that contains the RedHat directory. For example, if the HTTP server contains the directory /mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the HTTP directory.
  • Page 51: Partition Information

    You must choose where to install the boot loader (the Master Boot Record or the first sector of the /boot partition). Install the boot loader on the MBR if you plan to use it as your boot loader. To pass any special parameters to the kernel to be used when the system boots, enter them in the Kernel parameters text field.
  • Page 52: Creating Partitions

    Select whether or not to clear the Master Boot Record (MBR). Choose to remove all existing partitions, remove all existing Linux partitions, or preserve existing partitions. To initialize the disk label to the default for the architecture of the system (for example, msdos for x86 and gpt for Itanium), select Initialize the disk label if you are installing on a brand new hard drive.
  • Page 53 Figure 2.5. Creating Partitions To edit an existing partition, select the partition from the list and click the Edit button. The same Partition Options window appears as when you chose to add a partition as shown in Figure 2.5, “Creating Partitions”, except it reflects the values for the selected partition.
  • Page 54 3. Configure the partitions as previously described, except select Software RAID as the file system type. Also, you must specify a hard drive on which to make the partition or specify an existing partition to use. Figure 2.6.
  • Page 55 Figure 2.7. Creating a Software RAID Device 4. Click OK to add the device to the list.
  • Page 56: Network Configuration

    2.5. Network Configuration Figure 2.8. Network Configuration If the system to be installed via kickstart does not have an Ethernet card, do not configure one on the Network Configuration page. Networking is only required if you choose a networking-based installation method (NFS, FTP, or HTTP).
  • Page 57: Authentication

    2.6. Authentication Figure 2.9. Authentication In the Authentication section, select whether to use shadow passwords and MD5 encryption for user passwords. These options are highly recommended and chosen by default. The Authentication Configuration options allow you to configure the following methods of authentication: •...
  • Page 58: Firewall Configuration

    These methods are not enabled by default. To enable one or more of these methods, click the appropriate tab, click the checkbox next to Enable, and enter the appropriate information for the authentication method (refer to Chapter 26, Authentication Configuration).
  • Page 59: Selinux Configuration

    If a service is selected in the Trusted services list, connections for the service are accepted and processed by the system. In the Other ports text field, list any additional ports that should be opened for remote access. Use the following format: port:protocol.
  • Page 60: Video Card

    Figure 2.11. X Configuration - General If you are installing both the GNOME and KDE desktops, you must choose which desktop should be the default. If only one desktop is to be installed, be sure to choose it. Once the system is installed, users can choose which desktop they want to be their default.
  • Page 61: Monitor

    Alternatively, you can select the video card from the list on the Video Card tab as shown in Figure 2.12, “X Configuration - Video Card”. Specify the amount of video RAM the selected video card has from the Video Card RAM pulldown menu. These values are used by the installation program to configure the X Window System.
  • Page 62 Figure 2.13. X Configuration - Monitor Probe for monitor is selected by default. Accept this default to have the installation program probe for the monitor during installation. Probing works for most modern monitors. If this option is selected and the installation program cannot successfully probe the monitor, the installation program stops at the monitor configuration screen.
  • Page 63: Package Selection

    2.9. Package Selection Figure 2.14. Package Selection The Package Selection window allows you to choose which package groups to install. There are also options available to resolve and ignore package dependencies automatically. Currently, Kickstart Configurator does not allow you to select individual packages. To install individual packages, modify the %packages section of the kickstart file after you save it.
  • Page 64: Pre-Installation Script

    2.10. Pre-Installation Script Figure 2.15. Pre-Installation Script You can add commands to run on the system immediately after the kickstart file has been parsed and before the installation begins. If you have configured the network in the kickstart file, the network is enabled before this section is processed.
  • Page 65: Post-Installation Script

    2.11. Post-Installation Script Figure 2.16. Post-Installation Script You can also add commands to execute on the system after the installation is completed. If the network is properly configured in the kickstart file, the network is enabled, and the script can include commands to access resources on the network.
  • Page 66: Chroot Environment

    More examples can be found in Section 1.7.1, “Examples”. 2.11.1. Chroot Environment To run the post-installation script outside of the chroot environment, click the checkbox next to this option on the top of the Post-Installation window. This is equivalent to using the --nochroot option in the %post section.
  • Page 67 Figure 2.17. Preview To save the kickstart file, click the Save to File button in the preview window. To save the file without previewing it, select File => Save File or press Ctrl+S. A dialog box appears. Select where to save the file.
  • Page 69: Pxe Network Installations

    Chapter 3. PXE Network Installations Red Hat Enterprise Linux allows for installation over a network using the NFS, FTP, or HTTP protocols. A network installation can be started from a boot CD-ROM, a bootable flash memory drive, or by using the askmethod boot option with the Red Hat Enterprise Linux CD #1. Alternatively, if the system to be installed contains a network interface card (NIC) with Pre-Execution Environment (PXE) support, it can be configured to boot from files on another networked system rather than local media such as a CD-ROM.
  • Page 70 • Location — Provide the directory shared by the network server. If FTP or HTTP was selected, the directory must be relative to the default directory for the FTP server or the document root for the HTTP server. For all network installations, the directory provided must contain the RedHat/ directory of the installation tree.
  • Page 71: Command Line Configuration

    3.2.1. Command Line Configuration If the network server is not running X, the pxeos command line utility, which is part of the system-config-netboot package, can be used to configure the tftp server files: pxeos -a -i "<description>" -p <NFS|HTTP|FTP> -D 0 -s client.example.com \ -L <net-location> -k <kernel>...
  • Page 72 Figure 3.2. Add Hosts The next step is to configure which hosts are allowed to connect to the PXE boot server. For the command line version of this step, refer to Section 3.3.1, “Command Line Configuration”. To add hosts, click the New button.
  • Page 73: Command Line Configuration

    • Kickstart File — The location of a kickstart file to use, such as http://server.example.com/kickstart/ks.cfg. This file can be created with the Kickstart Configurator. Refer to Chapter 2, Kickstart Configurator for details. Ignore the Snapshot name and Ethernet options. They are only used for diskless environments. For more information on configuring a diskless environment, refer to Chapter 4, Diskless Environments for details.
  • Page 75: Diskless Environments

    Chapter 4. Diskless Environments Some networks require multiple systems with the same configuration. They also require that these systems be easy to reboot, upgrade, and manage. One solution is to use a diskless environment in which most of the operating system, which can be read-only, is shared from a central server between the clients.
  • Page 76: Finish Configuring The Diskless Environment

    /diskless/i386/RHEL4-AS/root/ *(ro,sync,no_root_squash) /diskless/i386/RHEL4-AS/snapshot/ *(rw,sync,no_root_squash) Replace * with one of the hostname formats discussed in Section 21.3.2, “Hostname Formats”. Make the hostname declaration as specific as possible, so unwanted systems can not access the NFS mount. If the NFS service is not running, start it: service nfs start If the NFS service is already running, reload the configuration file: service nfs reload...
  • Page 77: Booting The Hosts

    After completing the steps in Section 4.2, “Finish Configuring the Diskless Environment”, a window appears to allow hosts to be added for the diskless environment. Click the New button. In the dialog shown in Figure 4.1, “Add Diskless Host”, provide the following information: •...
  • Page 79: Basic System Recovery

    Chapter 5. Basic System Recovery When things go wrong, there are ways to fix problems. However, these methods require that you understand the system well. This chapter describes how to boot into rescue mode, single-user mode, and emergency mode, where you can use your own knowledge to repair the system. 5.1.
  • Page 80 As the name implies, rescue mode is provided to rescue you from something. During normal operation, your Red Hat Enterprise Linux system uses files located on your system's hard drive to do everything — run programs, store your files, and more. However, there may be times when you are unable to get Red Hat Enterprise Linux running completely enough to access files on your system's hard drive.
  • Page 81 Once you have your system in rescue mode, a prompt appears on VC (virtual console) 1 and VC 2 (use the Ctrl-Alt-F1 key combination to access VC 1 and Ctrl-Alt-F2 to access VC 2): sh-3.00b# If you selected Continue to mount your partitions automatically and they were mounted successfully, you are in single-user mode.
  • Page 82: Reinstalling The Boot Loader

    • dump and restore for users with tape drives • parted and fdisk for managing partitions • rpm for installing or upgrading software • joe for editing configuration files Note: If you try to start other popular editors such as emacs, pico, or vi, the joe editor is started.
  • Page 83: Booting Into Emergency Mode

    3. Go to the end of the line and type single as a separate word (press the Spacebar and then type single). Press Enter to exit edit mode. 5.4. Booting into Emergency Mode In emergency mode, you are booted into the most minimal environment possible. The root file system is mounted read-only and almost nothing is set up.
  • Page 85: File Systems

    Part II. File Systems File system refers to the files and directories stored on a computer. A file system can have different formats called file system types. These formats determine how the information is stored as files and directories. Some file system types store redundant copies of the data, while some file system types make hard drive access faster.
  • Page 87: The Ext3 File System

    Chapter 6. The ext3 File System The default file system is the journaling ext3 file system. 6.1. Features of ext3 The ext3 file system is essentially an enhanced version of the ext2 file system. These improvements provide the following advantages: Availability After an unexpected power failure or system crash (also called an unclean system shutdown), each mounted ext2 file system on the machine must be checked for consistency by the e2fsck...
  • Page 88: Converting To An Ext3 File System

    2. Format the partition with the ext3 file system using mkfs. 3. Label the partition using e2label. 4. Create the mount point. 5. Add the partition to the /etc/fstab file. 6.3. Converting to an ext3 File System The tune2fs program can add a journal to an existing ext2 file system without altering the data already on the partition.
  • Page 89: Reverting To An Ext2 File System

    6.4. Reverting to an ext2 File System Because ext3 is relatively new, some disk utilities do not yet support it. For example, you may need to shrink a partition with resize2fs, which does not yet support ext3. In this situation, it may be necessary to temporarily revert a file system to ext2.
  • Page 91: Logical Volume Manager (Lvm)

    Chapter 7. Logical Volume Manager (LVM) 7.1. What is LVM? LVM is a method of allocating hard drive space into logical volumes that can be easily resized instead of partitions. With LVM, a hard drive or set of hard drives is allocated to one or more physical volumes. A physical volume cannot span over more than one drive.
  • Page 92: What Is Lvm2

    Figure 7.2. Logical Volumes On the other hand, if a system is partitioned with the ext3 file system, the hard drive is divided into partitions of defined sizes. If a partition becomes full, it is not easy to expand the size of the partition. Even if the partition is moved to another hard drive, the original hard drive space has to be reallocated as a different partition or not used.
  • Page 93 http://tldp.org/HOWTO/LVM-HOWTO/ — LVM HOWTO from the Linux Documentation Project. •...
  • Page 95: Lvm Configuration

    Chapter 8. LVM Configuration LVM can be configured during the graphical installation process, the text-based installation process, or during a kickstart installation. You can use the utilities from the lvm package to create your own LVM configuration post-installation, but these instructions focus on using Disk Druid during installation to complete this task.
  • Page 96: Manual LVM Partitioning

    Chapter 8. LVM Configuration Figure 8.1. Automatic LVM Configuration With Two SCSI Drives Note If enabling quotas is of interest to you, it may be best to modify the automatic configuration to include other mount points, such as /home/ or /var/, so that each file system has its own independent quota configuration limits.
  • Page 97: Creating The /boot/ Partition

    Creating the /boot/ Partition On the Disk Partitioning Setup screen, select Manually partition with Disk Druid. 8.2.1. Creating the /boot/ Partition In a typical situation, the disk drives are new, or formatted clean. The following figure, Figure 8.2, “Two Blank Drives, Ready For Configuration”, shows both drives as raw devices with no partitioning configured.
  • Page 98 Chapter 8. LVM Configuration 7. Select Force to be a primary partition to make the partition be a primary partition. A primary partition is one of the first four partitions on the hard drive. If unselected, the partition is created as a logical partition.
  • Page 99: Creating The LVM Physical Volumes

    Creating the LVM Physical Volumes Figure 8.4. The /boot/ Partition Displayed 8.2.2. Creating the LVM Physical Volumes Once the boot partition is created, the remainder of all disk space can be allocated to LVM partitions. The first step in creating a successful LVM implementation is the creation of the physical volume(s). 1.
  • Page 100 Chapter 8. LVM Configuration Figure 8.5. Creating a Physical Volume 3. You cannot enter a mount point yet (you can once you have created all your physical volumes and then all volume groups). 4. A physical volume must be constrained to one drive. For Allowable Drives, select the drive on which the physical volume is created.
  • Page 101: Creating The LVM Volume Groups

    Creating the LVM Volume Groups Figure 8.6. Two Physical Volumes Created 8.2.3. Creating the LVM Volume Groups Once all the physical volumes are created, the volume groups can be created: 1. Click the LVM button to collect the physical volumes into volume groups. A volume group is basically a collection of physical volumes.
  • Page 102: Creating The LVM Logical Volumes

    Chapter 8. LVM Configuration Figure 8.7. Creating an LVM Volume Group 2. Change the Volume Group Name if desired. 3. All logical volumes inside the volume group must be allocated in physical extent units. By default, the physical extent is set to 32 MB; thus, logical volume sizes must be multiples of 32 MB. If you enter a size that is not a multiple of 32 MB, the installation program automatically selects the closest size that is a multiple of 32 MB.
  • Page 103 Creating the LVM Logical Volumes Figure 8.8. Creating a Logical Volume Repeat these steps for each volume group you want to create. You may want to leave some free space in the logical volume group so you can expand the logical volumes later. The default automatic configuration does not do this, but this manual configuration example does —...
  • Page 104 Chapter 8. LVM Configuration Figure 8.9. Pending Logical Volumes Click OK to apply the volume group and all associated logical volumes. The following figure shows the final manual configuration:...
  • Page 105 Creating the LVM Logical Volumes Figure 8.10. Final Manual Configuration...
  • Page 107: Redundant Array Of Independent Disks (RAID)

    Chapter 9. Redundant Array of Independent Disks (RAID) 9.1. What is RAID? The basic idea behind RAID is to combine multiple small, inexpensive disk drives into an array to accomplish performance or redundancy goals not attainable with one large and expensive drive. This array of drives appears to the computer as a single logical storage unit or drive.
  • Page 108: Software RAID

    Chapter 9. Redundant Array of Independent Disks (RAID) 9.3.2. Software RAID Software RAID implements the various RAID levels in the kernel disk (block device) code. It offers the cheapest possible solution, as expensive disk controller cards or hot-swap chassis are not required. Software RAID also works with cheaper IDE disks as well as SCSI disks.
  • Page 109 RAID Levels and Linear Support option allowed in Red Hat Enterprise Linux RAID installations. The storage capacity of Hardware RAID level 4 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of Software RAID level 4 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
  • Page 111: Software RAID Configuration

    Chapter 10. Software RAID Configuration Software RAID can be configured during the graphical installation process, the text-based installation process, or during a kickstart installation. This chapter discusses how to configure software RAID during installation, using the Disk Druid interface. Read Chapter 9, Redundant Array of Independent Disks (RAID) first to learn about RAID, the differences between hardware and software RAID, and the differences between RAID 0, 1, and 5.
  • Page 112 Chapter 10. Software RAID Configuration Figure 10.1. Two Blank Drives, Ready For Configuration 1. In Disk Druid, choose RAID to enter the software RAID creation screen. 2. Choose Create a software RAID partition to create a RAID partition as shown in Figure 10.2, “RAID Partition Options”.
  • Page 113 Creating the RAID Partitions Figure 10.2. RAID Partition Options 3. A software RAID partition must be constrained to one drive. For Allowable Drives, select the drive on which RAID is to be created. If you have multiple drives, all drives are selected, and you must deselect all but one drive.
  • Page 114 Chapter 10. Software RAID Configuration Figure 10.3. Adding a RAID Partition 4. Enter the size that you want the partition to be. 5. Select Fixed size to make the partition the specified size, select Fill all space up to (MB) and enter a size in MBs to give range for the partition size, or select Fill to maximum allowable size to make it grow to fill all available space on the hard disk.
  • Page 115: Creating The RAID Devices And Mount Points

    Creating the RAID Devices and Mount Points Figure 10.4. RAID 1 Partitions Ready, Pre-Device and Mount Point Creation 10.2. Creating the RAID Devices and Mount Points Once you have all of your partitions created as software RAID partitions, the following steps create the RAID device and mount point: 1.
  • Page 116 Chapter 10. Software RAID Configuration Figure 10.5. RAID Options 3. Next, Figure 10.6, “Making a RAID Device and Assigning a Mount Point” appears, where you can make a RAID device and assign a mount point.
  • Page 117 Creating the RAID Devices and Mount Points Figure 10.6. Making a RAID Device and Assigning a Mount Point 4. Enter a mount point. 5. Choose the file system type for the partition. At this point you can either configure a dynamic LVM file system or a traditional static ext2/ext3 file system.
  • Page 118 Chapter 10. Software RAID Configuration Figure 10.7. The /boot/ Mount Error 8. The RAID partitions created appear in the RAID Members list. Select which of these partitions should be used to create the RAID device. 9. If configuring RAID 1 or RAID 5, specify the number of spare partitions. If a software RAID partition fails, the spare is automatically used as a replacement.
  • Page 119 Creating the RAID Devices and Mount Points Figure 10.8. Final Sample RAID Configuration The figure as shown in Figure 10.9, “Final Sample RAID With LVM Configuration” is an example of a RAID and LVM configuration.
  • Page 120 Chapter 10. Software RAID Configuration Figure 10.9. Final Sample RAID With LVM Configuration You can continue with your installation process. Refer to the Installation Guide for further instructions.
  • Page 121: Swap Space

    Chapter 11. Swap Space 11.1. What is Swap Space? Swap space in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM.
  • Page 122: Extending Swap On An LVM2 Logical Volume

    Chapter 11. Swap Space 11.2.1. Extending Swap on an LVM2 Logical Volume To extend an LVM2 swap logical volume (assuming /dev/VolGroup00/LogVol01 is the volume you want to extend):
    1. Disable swapping for the associated logical volume:
        # swapoff -v /dev/VolGroup00/LogVol01
    2.
  • Page 123: Creating A Swap File

    Creating a Swap File 11.2.3. Creating a Swap File To add a swap file: 1. Determine the size of the new swap file in megabytes and multiply by 1024 to determine the number of blocks. For example, the block size of a 64 MB swap file is 65536. 2.
  • Page 124: Removing An LVM2 Logical Volume For Swap

    Chapter 11. Swap Space
    3. Format the new swap space:
        # mkswap /dev/VolGroup00/LogVol01
    4. Enable the extended logical volume:
        # swapon -va
    5. Test that the logical volume has been reduced properly:
        # cat /proc/swaps
        # free
    11.3.2. Removing an LVM2 Logical Volume for Swap The swap logical volume cannot be in use (no system locks or processes on the volume).
  • Page 125: Moving Swap Space

    Moving Swap Space
        # rm /swapfile
    11.4. Moving Swap Space To move swap space from one location to another, follow the steps for removing swap space, and then follow the steps for adding swap space.
  • Page 127: Managing Disk Storage

    Chapter 12. Managing Disk Storage Introduction to different methods..12.1. Standard Partitions using parted Many users need to view the existing partition table, change the size of the partitions, remove partitions, or add partitions from free space or additional hard drives. The utility parted allows users to perform these tasks.
  • Page 128: Viewing The Partition Table

    Chapter 12. Managing Disk Storage
    Command                              Description
    print                                Display the partition table
    quit                                 Quit parted
    rescue start-mb end-mb               Rescue a lost partition from start-mb to end-mb
    resize minor-num start-mb end-mb     Resize the partition from start-mb to end-mb
    rm minor-num                         Remove the partition
    select device                        Select a different device to configure
    Set the flag on a partition;...
  • Page 129: Creating A Partition

    Creating a Partition To select a different device without having to restart parted, use the select command followed by the device name such as /dev/sda. Then, you can view its partition table or configure it. 12.1.2. Creating a Partition Warning Do not attempt to create a partition on a device that is in use.
  • Page 130 Chapter 12. Managing Disk Storage After creating the partition, use the print command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it.
  • Page 131: Removing A Partition

    Removing a Partition
        mount /work
    12.1.3. Removing a Partition Warning Do not attempt to remove a partition on a device that is in use. Before removing a partition, boot into rescue mode (or unmount any partitions on the device and turn off any swap space on the device).
  • Page 132: LVM Partition Management

    Chapter 12. Managing Disk Storage
        parted /dev/sda
    View the current partition table to determine the minor number of the partition to resize as well as the start and end points for the partition:
        print
    Warning The used space of the partition to resize must not be larger than the new size. To resize the partition, use the resize command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes.
  • Page 133 LVM Partition Management ...Display information about logical volumes
    Command      Description
    lvscan       List all logical volumes in all volume groups
    pvchange     Change attributes of physical volume(s)
    pvcreate     Initialize physical volume(s) for use by LVM
    pvdata       Display the on-disk metadata for physical volume(s)
    pvdisplay    Display various attributes of physical volume(s)...
  • Page 135: Implementing Disk Quotas

    Chapter 13. Implementing Disk Quotas Disk space can be restricted by implementing disk quotas which alert a system administrator before a user consumes too much disk space or a partition becomes full. Disk quotas can be configured for individual users as well as user groups. This kind of flexibility makes it possible to give each user a small quota to handle "personal"...
  • Page 136: Remounting The File Systems

    Chapter 13. Implementing Disk Quotas installation default created partition) can be used for setting quota policies in the /etc/fstab file. 13.1.2. Remounting the File Systems After adding the usrquota and/or grpquota options, remount each file system whose fstab entry has been modified.
  • Page 137: Assigning Quotas Per User

    Assigning Quotas per User After quotacheck has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home. 13.1.4. Assigning Quotas per User The last step is assigning the disk quotas with the edquota command. To configure the quota for a user, as root in a shell prompt, execute the command:
        edquota username
    Perform this step for each user who needs a quota.
  • Page 138: Assigning Quotas Per Group

    Chapter 13. Implementing Disk Quotas 13.1.5. Assigning Quotas per Group Quotas can also be assigned on a per-group basis. For example, to set a group quota for the devel group (the group must exist prior to setting the group quota), use the command:
        edquota -g devel
    This command displays the existing quota for the group in the text editor:
        Disk quotas for group devel (gid 505):...
  • Page 139: Reporting On Disk Quotas

    Reporting on Disk Quotas If neither the -u nor the -g option is specified, only the user quotas are disabled. If only -g is specified, only group quotas are disabled. To enable quotas again, use the quotaon command with the same options. For example, to enable user and group quotas for all file systems, use the following command:
        quotaon -vaug
    To enable quotas for a specific file system, such as /home, use the following command:...
  • Page 140: Additional Resources

    • The quotacheck, edquota, repquota, quota, quotaon, and quotaoff man pages 13.3.2. Related Books • Introduction to System Administration; Red Hat, Inc — Available at http://www.redhat.com/docs/ and on the Documentation CD, this manual contains background information on storage...
  • Page 141: Access Control Lists

    Chapter 14. Access Control Lists Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
  • Page 142: Setting Default ACLs

    Chapter 14. Access Control Lists 1. Per user 2. Per group 3. Via the effective rights mask 4. For users not in the user group for the file The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
        setfacl -m <rules> <files>...
  • Page 143: Retrieving ACLs

    Retrieving ACLs For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
        setfacl -m d:o:rx /share
    14.4. Retrieving ACLs To determine the existing ACLs for a file or directory, use the getfacl command:
        getfacl <filename>...
  • Page 144: Compatibility With Older Systems

    Chapter 14. Access Control Lists Option Description Creates an archive file. Do not extract the files; use in conjunction with -x to show what extracting the files does. Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
  • Page 145: Useful Websites

    Useful Websites • setfacl man page — Explains how to set file access control lists • star man page — Explains more about the star utility and its many options 14.7.2. Useful Websites • http://acl.bestbits.at/ — Website for ACLs...
  • Page 147: Package Management

    Part III. Package Management All software on a Red Hat Enterprise Linux system is divided into RPM packages which can be installed, upgraded, or removed. This part describes how to manage the RPM packages on a Red Hat Enterprise Linux system using graphical and command line tools.
  • Page 149: Package Management With RPM

    Chapter 15. Package Management with RPM The RPM Package Manager (RPM) is an open packaging system, available for anyone to use, which runs on Red Hat Enterprise Linux as well as other Linux and UNIX systems. Red Hat, Inc encourages other vendors to use RPM for their own products.
  • Page 150: Using RPM

    RPM packages built by Red Hat, Inc, they can be found at the following locations: • The Red Hat Enterprise Linux CD-ROMs • The Red Hat Errata Page available at http://www.redhat.com/apps/support/errata/ • A Red Hat FTP Mirror Site available at http://www.redhat.com/download/mirror.html • Chapter 16, Red Hat Network •...
  • Page 151 Installing
        error: V3 DSA signature: BAD, key ID 0352860f
    If it is a new, header-only, signature, an error message such as the following is displayed:
        error: Header V3 DSA signature: BAD, key ID 0352860f
    If you do not have the appropriate key installed to verify the signature, the message contains the word NOKEY such as:
        warning: V3 DSA signature: NOKEY, key ID 0352860f
    Section 15.3, “Checking a Package's Signature”...
  • Page 152: Uninstalling

    You need the rpmdb-redhat package installed to use this option.
        rpm -q --redhatprovides bar.so.2
    If the package that contains bar.so.2 is in the installed database from the rpmdb-redhat package, the name of the package is displayed:
        bar-2.0.20-3.i386.rpm
    To force the installation anyway (which is not recommended since the package may not run correctly), use the --nodeps option.
  • Page 153: Upgrading

    Upgrading You can encounter a dependency error when uninstalling a package if another installed package depends on the one you are trying to remove. For example:
        error: Failed dependencies:
            foo is needed by (installed) bar-2.0.20-3.i386.rpm
    To cause RPM to ignore this error and uninstall the package anyway, which may break the package depending on it, use the --nodeps option.
  • Page 154: Freshening

    Chapter 15. Package Management with RPM 15.2.5. Freshening Freshening a package is similar to upgrading one. Type the following command at a shell prompt:
        rpm -Fvh foo-1.2-1.i386.rpm
    RPM's freshen option checks the versions of the packages specified on the command line against the versions of packages that have already been installed on your system.
  • Page 155: Verifying

    Verifying • -l displays the list of files that the package contains. • -s displays the state of all the files in the package. • -d displays a list of files marked as documentation (man pages, info pages, READMEs, etc.). •...
  • Page 156: Checking A Package's Signature

    Chapter 15. Package Management with RPM • U — user • G — group • M — mode (includes permissions and file type) • ? — unreadable file If you see any output, use your best judgment to determine if you should remove or reinstall the package, or fix the problem in another way.
  • Page 157: Verifying Signature Of Packages

    Verifying Signature of Packages
        rpm -qi gpg-pubkey-db42a60e-37ea5438
    15.3.2. Verifying Signature of Packages To check the GnuPG signature of an RPM file after importing the builder's GnuPG key, use the following command (replace <rpm-file> with the filename of the RPM package):
        rpm -K <rpm-file>
    If all goes well, the following message is displayed:
        md5 gpg OK.
  • Page 158
        License: Public Domain
        Signature : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e
        Packager : Red Hat, Inc <http://bugzilla.redhat.com/bugzilla>
        Summary : Root crontab files used to schedule the execution of programs.
        Description : The crontabs package contains root crontab files. Crontab is the program used to install, uninstall, or list the tables used to drive the cron daemon.
  • Page 159: Additional Resources

    • man rpm — The RPM man page gives more detail about RPM parameters than the rpm --help command. 15.5.2. Useful Websites • http://www.rpm.org/ — The RPM website. • http://www.redhat.com/mailman/listinfo/rpm-list/ — The RPM mailing list is archived here. To subscribe, send mail to rpm-list-request@redhat.com with the word subscribe in the subject line.
  • Page 161: Red Hat Network

    All Security Alerts, Bug Fix Alerts, and Enhancement Alerts (collectively known as Errata Alerts) can be downloaded directly from Red Hat using the Package Updater standalone application or through the RHN website available at https://rhn.redhat.com/. Figure 16.1. Your RHN Red Hat Network saves you time because you receive email when updated packages are released.
  • Page 162 Chapter 16. Red Hat Network Figure 16.2. Relevant Errata • Automatic email notifications — Receive an email notification when an Errata Alert is issued for your system(s) • Scheduled Errata Updates — Schedule delivery of Errata Updates • Package installation — Schedule package installation on one or more systems with the click of a button •...
  • Page 163 After activating your product, register it with Red Hat Network to receive Errata Updates. The registration process gathers information about the system that is required to notify you of updates. For example, a list of packages installed on the system is compiled so you are only notified about updates that are relevant to your system.
  • Page 164 Chapter 16. Red Hat Network http://www.redhat.com/docs/manuals/RHNetwork/ Red Hat Enterprise Linux includes a convenient panel icon that displays visible alerts when there is an update for your Red Hat Enterprise Linux system. This panel icon is not present if no updates are available.
  • Page 165: Network-Related Configuration

    Part IV. Network- Related Configuration After explaining how to configure the network, this part discusses topics related to networking such as how to allow remote logins, share files and directories over the network, and set up a Web server.
  • Page 167: Network Configuration

    Chapter 17. Network Configuration To communicate with each other, computers must have a network connection. This is accomplished by having the operating system recognize an interface card (such as Ethernet, ISDN modem, or token ring) and configuring the interface to connect to the network. The Network Administration Tool can be used to configure the following types of network interfaces: •...
  • Page 168: Overview

    Chapter 17. Network Configuration Figure 17.1. Network Administration Tool Use the Red Hat Hardware Compatibility List (http://hardware.redhat.com/hcl/) to determine if Red Hat Enterprise Linux supports your hardware device. 17.1. Overview To configure a network connection with the Network Administration Tool, perform the following steps: 1.
  • Page 169: Establishing An Ethernet Connection

    Establishing an Ethernet Connection This chapter discusses each of these steps for each type of network connection. 17.2. Establishing an Ethernet Connection To establish an Ethernet connection, you need a network interface card (NIC), a network cable (usually a CAT5 cable), and a network to connect to. Different networks are configured to use different network speeds;...
  • Page 170 Chapter 17. Network Configuration Figure 17.2. Ethernet Settings After configuring the Ethernet device, it appears in the device list as shown in Figure 17.3, “Ethernet Device”.
  • Page 171 Establishing an Ethernet Connection Figure 17.3. Ethernet Device Be sure to select File => Save to save the changes. After adding the Ethernet device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured to start at boot time by default.
  • Page 172: Establishing An ISDN Connection

    Chapter 17. Network Configuration 17.3. Establishing an ISDN Connection An ISDN connection is an Internet connection established with an ISDN modem card through a special phone line installed by the phone company. ISDN connections are popular in Europe. To add an ISDN connection, follow these steps: 1.
  • Page 173: Establishing A Modem Connection

    Establishing a Modem Connection After adding the ISDN device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default.
  • Page 174 Chapter 17. Network Configuration 2. Click the New button on the toolbar. 3. Select Modem connection from the Device Type list, and click Forward. 4. If there is a modem already configured in the hardware list (on the Hardware tab), the Network Administration Tool assumes you want to use it to establish a modem connection.
  • Page 175: Establishing An xDSL Connection

    Establishing an xDSL Connection Figure 17.7. Modem Device Be sure to select File => Save to save the changes. After adding the modem device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default.
  • Page 176 Chapter 17. Network Configuration Some DSL providers require that the system is configured to obtain an IP address through DHCP with an Ethernet card. Some DSL providers require you to configure a PPPoE (Point-to-Point Protocol over Ethernet) connection with an Ethernet card. Ask your DSL provider which method to use. Section 17.2, “Establishing an Ethernet Connection”...
  • Page 177 Establishing an xDSL Connection Figure 17.8. xDSL Settings 5. If the Select Ethernet Adapter window appears, select the manufacturer and model of the Ethernet card. Select the device name. If this is the system's first Ethernet card, select eth0 as the device name; if this is the second Ethernet card, select eth1 (and so on). The Network Administration Tool also allows you to configure the resources for the NIC.
  • Page 178: Establishing A Token Ring Connection

    Chapter 17. Network Configuration Figure 17.9. xDSL Device Be sure to select File => Save to save the changes. After adding the xDSL connection, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default.
  • Page 179 Establishing a Token Ring Connection For more information on using token rings under Linux, refer to the Linux Token Ring Project website available at http://www.linuxtr.net/. To add a token ring connection, follow these steps: 1. Click the Devices tab. 2. Click the New button on the toolbar. 3.
  • Page 180 Chapter 17. Network Configuration 6. On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click Forward to continue. 7.
  • Page 181: Establishing A Wireless Connection

    Establishing a Wireless Connection 17.7. Establishing a Wireless Connection Wireless Ethernet devices are becoming increasingly popular. The configuration is similar to the Ethernet configuration except that it allows you to configure settings such as the SSID and key for the wireless device.
  • Page 182 Chapter 17. Network Configuration Figure 17.12. Wireless Settings 7. On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname.
  • Page 183: Managing DNS Settings

    Managing DNS Settings Figure 17.13. Wireless Device Be sure to select File => Save to save the changes. After adding the wireless device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, you can configure the device to activate at boot time. When the device is added, it is not activated immediately, as seen by its Inactive status.
  • Page 184: Managing Hosts

    Chapter 17. Network Configuration Figure 17.14. DNS Configuration Note The name servers section does not configure the system to be a name server. Instead, it configures which name servers to use when resolving IP addresses to hostnames and vice-versa. Warning If the hostname is changed and system-config-network is started on the local host, you may not be able to start another X11 application.
  • Page 185 Managing Hosts When your system tries to resolve a hostname to an IP address or tries to determine the hostname for an IP address, it refers to the /etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration).
  • Page 186: Working With Profiles

    Chapter 17. Network Configuration To change lookup order, edit the /etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first.
  • Page 187 Working with Profiles Figure 17.16. Office Profile Notice that the Home profile as shown in Figure 17.17, “Home Profile” activates the eth0_home logical device, which is associated with eth0.
  • Page 188 Chapter 17. Network Configuration Figure 17.17. Home Profile You can also configure eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.
  • Page 189: Device Aliases

    Device Aliases
        kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
            netprofile=<profilename> \
            rhgb quiet
        initrd /initrd-2.6.9-5.EL.img
    To switch profiles after the system has booted, go to Applications (the main menu on the panel) => System Tools => Network Device Control (or type the command system-control-network) to select a profile and activate it.
  • Page 190 Chapter 17. Network Configuration Figure 17.18. Network Device Alias Example Select the alias and click the Activate button to activate the alias. If you have configured multiple profiles, select which profiles in which to include it. To verify that the alias has been activated, use the command /sbin/ifconfig. The output should show the device and the device alias with different IP addresses:
        eth0      Link encap:Ethernet...
  • Page 191: Saving And Restoring The Network Configuration

    Saving and Restoring the Network Configuration
                  UP LOOPBACK RUNNING  MTU:16436  Metric:1
                  RX packets:5998 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:1627579 (1.5 Mb)  TX bytes:1627579 (1.5 Mb)
    17.12. Saving and Restoring the Network Configuration The command line version of Network Administration Tool can be used to save the system's network configuration to a file.
  • Page 193: Firewalls

    Chapter 18. Firewalls Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several tools to assist administrators and security engineers with network-level access control issues.
  • Page 194: Netfilter And Iptables

    Chapter 18. Firewalls
    Method   Description                                     Advantages                                   Disadvantages
    ...      ...clients to a proxy machine, which then       ...applications and protocols function       ...restricted (most proxies work with
             makes those requests to the Internet on         outside of the LAN                           TCP-connected services only)
             behalf of the local client.                     · Some proxy servers can...
  • Page 195: Security Level Configuration Tool

    Security Level Configuration Tool 18.2.1. Security Level Configuration Tool During the Firewall Configuration screen of the Red Hat Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports. After installation, you can change this preference by using the Security Level Configuration Tool.
  • Page 196: Enabling And Disabling The Firewall

    Chapter 18. Firewalls 18.2.2. Enabling and Disabling the Firewall Select one of the following options for the firewall: • Disabled — Disabling the firewall provides complete access to your system and does no security checking. This should only be selected if you are running on a trusted network (not the Internet) or need to configure a custom firewall using the iptables command line tool.
  • Page 197: Other Ports

    Other Ports or IMAP, or if you use a tool such as fetchmail. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam. NFS4 The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems.
  • Page 198: Using Iptables

    Chapter 18. Firewalls
    the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:
    [root@myServer ~] # service ipchains stop
    [root@myServer ~] # chkconfig --level 345 ipchains off
    18.3.
  • Page 199: Saving And Restoring Iptables Rules

    Saving and Restoring IPTables Rules Each iptables chain consists of a default policy and zero or more rules, which work in concert with the default policy to define the overall ruleset for the firewall. The default policy for a chain can be either DROP or ACCEPT. Security-minded administrators typically implement a default policy of DROP and only allow specific packets on a case-by-case basis.
  • Page 200: Forward And Nat Rules

    Chapter 18. Firewalls
    [root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    This allows users to browse websites that communicate using the standard port 80. To allow access to secure websites (for example, https://www.example.com/), you also need to provide access to port 443, as follows:
    [root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    Important...
  • Page 201 FORWARD and NAT Rules Administrators must, therefore, find alternative ways to share access to Internet services without giving public IP addresses to every node on the LAN. Using private IP addresses is the most common way of allowing all nodes on a LAN to properly access internal and external network services. Edge routers (such as firewalls) can receive incoming transmissions from the Internet and route the packets to the intended LAN node.
  • Page 202: Postrouting And Ip Masquerading

    Chapter 18. Firewalls
    [root@myServer ~ ] # sysctl -p /etc/sysctl.conf
    18.5.1. Postrouting and IP Masquerading
    Accepting forwarded packets via the firewall's internal IP device allows LAN nodes to communicate with each other; however, they still cannot communicate externally with the Internet. To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall's external device (in this case, eth0):...
  • Page 203: Dmzs And Iptables

    DMZs and IPTables 18.5.3. DMZs and IPTables You can create iptables rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ). A DMZ is a special local subnetwork dedicated to providing services on a public carrier, such as the Internet.
  • Page 204: Iptables And Connection Tracking

    Chapter 18. Firewalls Note There is a distinction between the DROP and REJECT targets when dealing with appended rules. The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.
  • Page 205: Additional Resources

    Additional Resources For more information about IPv6 networking, refer to the IPv6 Information Page at http://www.ipv6.org/. 18.9. Additional Resources There are several aspects to firewalls and the Linux Netfilter subsystem that could not be covered in this chapter. For more information, refer to the following resources. 18.9.1.
  • Page 207: Controlling Access To Services

    Chapter 19. Controlling Access to Services Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
  • Page 208: Tcp Wrappers

    Chapter 19. Controlling Access to Services
    • 1 — Single-user mode
    • 2 — Not used (user-definable)
    • 3 — Full multi-user mode
    • 4 — Not used (user-definable)
    • 5 — Full multi-user mode (with an X-based login screen)
    •...
  • Page 209: Services Configuration Tool

    Services Configuration Tool The configuration file for xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled.
  • Page 210 Chapter 19. Controlling Access to Services Figure 19.1. Services Configuration Tool The Services Configuration Tool displays the current runlevel as well as the runlevel you are currently editing. To edit a different runlevel, select Edit Runlevel from the pulldown menu and select Section 19.1, “Runlevels”...
  • Page 211: Ntsysv

    ntsysv If you enable/disable an xinetd service by checking or unchecking the checkbox next to the service name, you must select File => Save Changes from the pulldown menu to restart xinetd and immediately enable/disable the xinetd service that you changed. xinetd is also configured to remember the setting.
  • Page 212: Chkconfig

    Chapter 19. Controlling Access to Services the Tab key. A * signifies that a service is set to on. Pressing the F1 key displays a short description of the selected service. Warning Services managed by xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately.
  • Page 213: Installed Documentation

    Installed Documentation 19.6.1. Installed Documentation
    • The man pages for ntsysv, chkconfig, xinetd, and xinetd.conf.
    • man 5 hosts_access — The man page for the format of host access control files (in section 5 of the man pages).
    19.6.2. Useful Websites
    • http://www.xinetd.org ...
  • Page 215: Openssh

    Chapter 20. OpenSSH OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocols. It replaces telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default protocol is version 2, which uses RSA keys as the default.
  • Page 216: Configuring An Openssh Client

    Chapter 20. OpenSSH 20.3. Configuring an OpenSSH Client To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed on the client machine. 20.3.1. Using the ssh Command The ssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
  • Page 217: Using The Sftp Command

    Using the sftp Command The general syntax to transfer a local file to a remote system is as follows:
    scp <localfile> username@tohostname:<remotefile>
    The <localfile> specifies the source including the path to the file, such as /var/log/maillog. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog.
  • Page 218 Chapter 20. OpenSSH Red Hat Enterprise Linux 4 uses SSH Protocol 2 and RSA keys by default. If you reinstall and want to save your generated key pair, backup the .ssh directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
  • Page 219 Generating Key Pairs A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of a single word.
  • Page 220 Chapter 20. OpenSSH Section 20.3.4.4, “Configuring ssh-agent with GNOME”. If 4. If you are running GNOME, skip to Section 20.3.4.5, “Configuring you are not running GNOME, skip to ssh-agent”. 20.3.4.4. Configuring ssh-agent with GNOME The ssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection.
  • Page 221: Additional Resources

    Additional Resources 3. When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window. 20.4. Additional Resources The OpenSSH and OpenSSL projects are in constant development, and the most up-to-date information for them is available from their websites.
  • Page 223: Network File System (Nfs)

    Chapter 21. Network File System (NFS) Network File System (NFS) is a way to share files between machines on a network as if the files were located on the client's local hard drive. Red Hat Enterprise Linux can be both an NFS server and an NFS client, which means that it can export file systems to other systems and mount file systems exported from other machines.
  • Page 224: Mounting Nfs File Systems Using Autofs

    Chapter 21. Network File System (NFS) 21.2.2. Mounting NFS File Systems using autofs A third option for mounting an NFS share is the use of the autofs service. Autofs uses the automount daemon to manage your mount points by only mounting them dynamically when they are accessed. Autofs consults the master map configuration file /etc/auto.master to determine which mount points are defined.
  • Page 225: Using Tcp

    Using TCP 21.2.3. Using TCP The default transport protocol for NFSv4 is TCP; however, the Red Hat Enterprise Linux 4 kernel includes support for NFS over UDP. To use NFS over UDP, include the -o udp option to mount when mounting the NFS-exported file system on the client system. There are three ways to configure an NFS file system export.
  • Page 226: Exporting Nfs File Systems

    Chapter 21. Network File System (NFS) For more information about mounting NFS file systems with ACLs, refer to Chapter 14, Access Control Lists. 21.3. Exporting NFS File Systems Sharing or serving files from an NFS server is known as exporting the directories. The NFS Server Configuration Tool can be used to configure a system as an NFS server.
  • Page 227 Exporting NFS File Systems Figure 21.2. Add Share The General Options tab allows the following options to be configured: • Allow connections from port 1024 and higher — Services started on port numbers less than 1024 must be started as root. Select this option to allow the NFS service to be started by a user other than root.
  • Page 228: Command Line Configuration

    Chapter 21. Network File System (NFS) • Specify local user ID for anonymous users — If Treat all client users as anonymous users is selected, this option lets you specify a user ID for the anonymous user. This option corresponds to anonuid.
  • Page 229: Hostname Formats

    Hostname Formats is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
    /misc/export speedy.example.com(rw,sync)
    /misc/export speedy.example.com (rw,sync)
    The first line grants users from speedy.example.com read-write access and denies all other users.
  • Page 230: Additional Resources

    Chapter 21. Network File System (NFS)
    /sbin/chkconfig --level 345 nfs on
    You can also use chkconfig, ntsysv or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details. 21.4.
  • Page 231: Samba

    Chapter 22. Samba Samba uses the SMB protocol to share files and printers across a network connection. Operating systems that support this protocol include Microsoft Windows, OS/2, and Linux. The Red Hat Enterprise Linux 4 kernel contains Access Control List (ACL) support for ext3 file systems.
  • Page 232 Chapter 22. Samba Figure 22.1. Samba Server Configuration Tool Note The Samba Server Configuration Tool does not display shared printers or the default stanza that allows users to view their own home directories on the Samba server. 22.2.1.1. Configuring Server Settings The first step in configuring a Samba server is to configure the basic settings for the server and a few security options.
  • Page 233 Graphical Configuration Figure 22.3. Configuring Security Server Settings The Security tab contains the following options: • Authentication Mode — This corresponds to the security option. Select one of the following types of authentication. • ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm.
  • Page 234 Chapter 22. Samba • Share — Samba users do not have to enter a username and password combination on a per Samba server basis. They are not prompted for a username and password until they try to connect to a specific shared directory from a Samba server. •...
  • Page 235 Graphical Configuration To add a Samba user, select Preferences => Samba Users from the pulldown menu, and click the Add User button. In the Create New Samba User window select a Unix Username from the list of existing users on the local system. If the user has a different username on a Windows machine and needs to log into the Samba server from the Windows machine, specify that Windows username in the Windows Username field.
  • Page 236: Command Line Configuration

    Chapter 22. Samba • Basic Permissions — Whether users should only be able to read the files in the shared directory or whether they should be able to read and write to the shared directory. On the Access tab, select whether to allow only specified users to access the share or whether to allow all Samba users to access the share.
  • Page 237 Encrypted Passwords To configure Samba to use encrypted passwords, follow these steps: 1. Create a separate password file for Samba. To create one based on your existing /etc/passwd file, at a shell prompt, type the following command:
    cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
    If the system uses NIS, type the following command:
    ypcat passwd | mksmbpasswd.sh >...
  • Page 238: Starting And Stopping The Server

    Chapter 22. Samba password he uses to log in to the Red Hat Enterprise Linux system as well as the password he must provide to connect to a Samba share are changed. To enable this feature, add the following line to /etc/pam.d/system-auth below the pam_cracklib.so invocation:
    password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
    22.2.4.
  • Page 239 Connecting to a Samba Share Figure 22.6. SMB Workgroups in Nautilus Double-click one of the workgroup icons to view a list of computers within the workgroup.
  • Page 240: Command Line

    Chapter 22. Samba Figure 22.7. SMB Machines in Nautilus As you can see from Figure 22.7, “SMB Machines in Nautilus”, there is an icon for each machine within the workgroup. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them.
  • Page 241: Mounting The Share

    Mounting the Share with your username. If the -U switch is not used, the username of the current user is passed to the Samba server. To exit smbclient, type exit at the smb:\> prompt. 22.3.2. Mounting the Share Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system.
  • Page 243: Dynamic Host Configuration Protocol (Dhcp)

    Chapter 23. Dynamic Host Configuration Protocol (DHCP) Dynamic Host Configuration Protocol (DHCP) is a network protocol for automatically assigning TCP/IP information to client machines. Each DHCP client connects to the centrally-located DHCP server, which returns that client's network configuration, including the IP address, gateway, and DNS servers. 23.1.
  • Page 244 Chapter 23. Dynamic Host Configuration Protocol (DHCP) To use the recommended mode, add the following line to the top of the configuration file: ddns-update-style interim; Refer to the dhcpd.conf man page for details about the different modes. There are two types of statements in the configuration file: •...
  • Page 245 The name of the shared-network should be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
    shared-network name {
        option domain-name "test.redhat.com";
        option domain-name-servers ns1.redhat.com, ns2.redhat.com;
        option routers 192.168.0.254;
        # more parameters for EXAMPLE shared-network
        subnet 192.168.1.0 netmask 255.255.252.0 {
            # parameters for subnet
            range 192.168.1.1 192.168.1.254;...
  • Page 246: Lease Database

    Chapter 23. Dynamic Host Configuration Protocol (DHCP) time, and network configuration values for the clients. This example assigns IP addresses in the range 192.168.1.10 to 192.168.1.100 to client systems.
    default-lease-time 600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.254;
    option domain-name-servers 192.168.1.1, 192.168.1.2;...
  • Page 247: Starting And Stopping The Server

    Starting and Stopping the Server The lease database is recreated from time to time so that it is not too large. First, all known leases are saved in a temporary lease database. The dhcpd.leases file is renamed dhcpd.leases~ and the temporary lease database is written to dhcpd.leases.
  • Page 248: Dhcp Relay Agent

    Be sure to check the Hardware Compatibility List available at http://hardware.redhat.com/hcl/. If the network card is not configured by the installation program or Kudzu and you know which kernel module to load for it, refer to Chapter 37, Kernel Modules for details on loading kernel modules.
  • Page 249: Additional Resources

    Additional Resources
    DEVICE=eth0
    BOOTPROTO=dhcp
    ONBOOT=yes
    A configuration file is needed for each device to be configured to use DHCP. Other options for the network script include:
    • DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address.
  • Page 250 Chapter 23. Dynamic Host Configuration Protocol (DHCP) • dhcrelay man page — Explains the DHCP Relay Agent and its configuration options. • /usr/share/doc/dhcp-<version>/ — Contains sample files, README files, and release notes for the specific version of the DHCP service.
  • Page 251: Apache Http Server Configuration

    Chapter 24. Apache HTTP Server Configuration Red Hat Enterprise Linux provides version 2.0 of the Apache HTTP Server. If you want to migrate an existing configuration file by hand, refer to the migration guide at /usr/share/doc/httpd-<ver>/migration.html or the Reference Guide for details. If you configured the Apache HTTP Server with the HTTP Configuration Tool in previous versions of Red Hat Enterprise Linux and then performed an upgrade, you can use the HTTP Configuration Tool to migrate the configuration file to the new format for version 2.0.
  • Page 252: Basic Settings

    Chapter 24. Apache HTTP Server Configuration 24.1. Basic Settings Use the Main tab to configure the basic server settings. Figure 24.1. Basic Settings Enter a fully qualified domain name that you have the right to use in the Server Name text area. This option corresponds to the directive in httpd.conf.
  • Page 253: Default Settings

    Default Settings Click the Add button to define additional ports on which to accept requests. A window as shown in Figure 24.2, “Available Addresses” appears. Either choose the Listen to all addresses option to listen to all IP addresses on the defined port or specify a particular IP address over which the server accepts connections in the Address field.
  • Page 254 Chapter 24. Apache HTTP Server Configuration Figure 24.3. Site Configuration The entries listed in the Directory Page Search List define the DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
  • Page 255: Logging

    Logging Use the Error Code section to configure Apache HTTP Server to redirect the client to a local or external URL in the event of a problem or error. This option corresponds to the ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column.
  • Page 256 Chapter 24. Apache HTTP Server Configuration Figure 24.4. Logging You can configure a custom log format by checking Use custom logging facilities and entering a custom log string in the Custom Log String field. This configures the LogFormat directive. Refer to http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#formats for details on the format of this...
  • Page 257: Environment Variables

    Environment Variables Use the Log Level menu to set the verbosity of the error messages in the error logs. It can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info or debug. This option corresponds to the directive.
  • Page 258 Chapter 24. Apache HTTP Server Configuration Figure 24.5. Environment Variables To remove an environment variable so that the value is not passed to CGI scripts and SSI pages, use the Unset for CGI Scripts section. Click Add in the Unset for CGI Scripts section, and enter the name of the environment variable to unset.
  • Page 259: Directories

    Directories 24.2.4. Directories Use the Directories page in the Performance tab to configure options for specific directories. This corresponds to the <Directory> directive. Figure 24.6. Directories Click the Edit button in the top right-hand corner to configure the Default Directory Options for all directories that are not specified in the Directory list below it.
  • Page 260 Chapter 24. Apache HTTP Server Configuration • FollowSymLinks — Allow symbolic links to be followed. • Includes — Allow server-side includes. • IncludesNOEXEC — Allow server-side includes, but disable the #exec and #include commands in CGI scripts. • Indexes — Display a formatted list of the directory's contents, if no DirectoryIndex (such as index.html) exists in the requested directory.
  • Page 261: Virtual Hosts Settings

    Virtual Hosts Settings Figure 24.7. Directory Settings If you check the Let .htaccess files override directory options, the configuration directives in the .htaccess file take precedence. 24.3. Virtual Hosts Settings Virtual hosts allow you to run different servers for different IP addresses, different host names, or different ports on the same machine.
  • Page 262: Adding And Editing A Virtual Host

    Chapter 24. Apache HTTP Server Configuration Figure 24.8. Virtual Hosts http://httpd.apache.org/docs-2.0/vhosts/ and the Apache HTTP Server documentation on your machine provide more information about virtual hosts. 24.3.1. Adding and Editing a Virtual Host To add a virtual host, click the Virtual Hosts tab and then click the Add button. You can also edit a virtual host by selecting it and clicking the Edit button.
  • Page 263 Adding and Editing a Virtual Host In the Host Information section, choose Default Virtual Host, IP based Virtual Host, or Name based Virtual Host. Default Virtual Host You should only configure one default virtual host (remember that there is one setup by default). The default virtual host settings are used when the requested IP address is not explicitly listed in another virtual host.
  • Page 264 Chapter 24. Apache HTTP Server Configuration Figure 24.9. SSL Support If an Apache HTTP Server is not configured with SSL support, communications between an Apache HTTP Server and its clients are not encrypted. This is appropriate for websites without personal or confidential information.
  • Page 265: Server Settings

    Server Settings website. For details on purchasing a CA-approved digital certificate, refer to Chapter 25, Apache HTTP Secure Server Configuration. 24.3.1.3. Additional Virtual Host Options The Site Configuration, Environment Variables, and Directories options for the virtual hosts are the same directives that you set when you clicked the Edit Default Settings button (Section 24.2), except the options set here are for the individual virtual hosts that you are configuring.
  • Page 266: Performance Tuning

    Chapter 24. Apache HTTP Server Configuration The PID File value corresponds to the PidFile directive. This directive sets the file in which the server records its process ID (pid). This file should only be readable by root. In most cases, it should be left to the default value.
  • Page 267 Performance Tuning Figure 24.11. Performance Tuning Set Max Number of Connections to the maximum number of simultaneous client requests that the server can handle. For each connection, a child httpd process is created. After this maximum number of processes is reached, no one else can connect to the Web server until a child server process is freed.
  • Page 268: Saving Your Settings

    Chapter 24. Apache HTTP Server Configuration If you uncheck the Allow Persistent Connections option, the KeepAlive directive is set to false. If you check it, the KeepAlive directive is set to true, and the KeepAliveTimeout directive is set to the number that is selected as the Timeout for next Connection value. This directive sets the number of seconds your server waits for a subsequent request, after a request has been served, before it closes the connection.
  • Page 269: Related Books

    Related Books 24.7.3. Related Books • Apache: The Definitive Guide by Ben Laurie and Peter Laurie; O'Reilly & Associates, Inc. • Reference Guide ; Red Hat, Inc — This companion manual includes instructions for migrating from Apache HTTP Server version 1.3 to Apache HTTP Server version 2.0 manually, more details about the Apache HTTP Server directives, and instructions for adding modules to the Apache HTTP Server.
  • Page 271: Apache Http Secure Server Configuration

    Chapter 25. Apache HTTP Secure Server Configuration 25.1. Introduction This chapter provides basic information on the Apache HTTP Server with the mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components is referred to in this chapter as the secure Web server or just as the secure server. The mod_ssl module is a security module for the Apache HTTP Server.
  • Page 272 Chapter 25. Apache HTTP Secure Server Configuration httpd-devel The httpd-devel package contains the Apache HTTP Server include files, header files, and the APXS utility. You need all of these if you intend to load any extra modules, other than the modules provided with this product.
  • Page 273: An Overview Of Certificates And Security

    An Overview of Certificates and Security Note Newer implementations of various daemons now provide their services natively over SSL, such as dovecot or OpenLDAP's slapd server, which may be more desirable than using stunnel. For example, use of stunnel only provides wrapping of protocols, while the native support in OpenLDAP's slapd can also handle in-band upgrades for using encryption in response to a StartTLS client request.
  • Page 274: Using Pre-Existing Keys And Certificates

    Chapter 25. Apache HTTP Secure Server Configuration A secure server uses a certificate to identify itself to Web browsers. You can generate your own certificate (called a "self-signed" certificate), or you can get a certificate from a CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization.
  • Page 275: Types Of Certificates

    Types of Certificates
    mv /etc/httpd/conf/httpsd.key /etc/httpd/conf/ssl.key/server.key
    mv /etc/httpd/conf/httpsd.crt /etc/httpd/conf/ssl.crt/server.crt
    Then, start your secure server with the command:
    /sbin/service httpd start
    You are prompted to enter your passphrase. After you type it in and press Enter, the server starts. 25.5. Types of Certificates If you installed your secure server from the RPM package provided by Red Hat, a random key and a test certificate are generated and put into the appropriate directories.
  • Page 276: Generating A Key

    Chapter 25. Apache HTTP Secure Server Configuration on your past experiences, on the experiences of your friends or colleagues, or purely on monetary factors. Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
  • Page 277: Generating A Certificate Request To Send To A Ca

    Generating a Certificate Request to Send to a CA Use the following command to create your key:
    /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
    Then, use the following command to make sure the permissions are set correctly for the file:
    chmod go-rwx /etc/httpd/conf/ssl.key/server.key
    After you use the above commands to create your key, you do not need to use a passphrase to start your secure server.
  • Page 278 Chapter 25. Apache HTTP Secure Server Configuration
    -out /etc/httpd/conf/ssl.csr/server.csr
    Using configuration from /usr/share/ssl/openssl.cnf
    Enter pass phrase:
    Type in the passphrase that you chose when generating your key, if you set one. Next, your system displays some instructions and then asks for a series of responses from you. Your inputs are incorporated into the certificate request.
  • Page 279: Creating A Self-Signed Certificate

    Creating a Self-Signed Certificate • Do not use either of the extra attributes (A challenge password and An optional company name). To continue without entering these fields, just press Enter to accept the blank default for both inputs. The file /etc/httpd/conf/ssl.csr/server.csr is created when you have finished entering your information.
  • Page 280: Testing The Certificate

    Chapter 25. Apache HTTP Secure Server Configuration After you provide the correct information, a self-signed certificate is created in /etc/httpd/conf/ssl.crt/server.crt. Restart the secure server after generating the certificate with the following command:
    /sbin/service httpd restart
    25.9. Testing The Certificate To test the test certificate installed by default, either a CA-signed certificate, or a self-signed certificate, point your Web browser to the following home page (replacing server.example.com with your domain name):...
  • Page 281: Additional Resources

    Additional Resources number in the URL. The following URL example attempts to connect to a non-secure server listening on port 12331:
    http://server.example.com:12331
    25.11. Additional Resources Refer to Section 24.7, “Additional Resources” for more information about the Apache HTTP Server. 25.11.1. Useful Websites
    • http://www.modssl.org/ ...
  • Page 283: Authentication Configuration

    Chapter 26. Authentication Configuration When a user logs in to a Red Hat Enterprise Linux system, the username and password combination must be verified, or authenticated, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.
  • Page 284 Chapter 26. Authentication Configuration Figure 26.1. User Information The following list explains what each option configures: • Enable NIS Support — Select this option to configure the system as an NIS client which connects to an NIS server for user and password authentication. Click the Configure NIS button to specify the NIS domain and NIS server.
  • Page 285: Authentication

    Authentication 26.2. Authentication The Authentication tab allows for the configuration of network authentication methods. To enable an option, click the empty checkbox beside it. To disable an option, click the checkbox beside it to clear the checkbox. Figure 26.2. Authentication The following explains what each option configures: •...
  • Page 286: Command Line Version

    Chapter 26. Authentication Configuration • Use Shadow Passwords — Select this option to store passwords in shadow password format in the /etc/shadow file instead of /etc/passwd. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system. The shadow-utils package must be installed for this option to work.
  • Page 287 Command Line Version Option — Description: --disableldapauth (Disable LDAP for authentication); --ldapserver=<server> (Specify LDAP server); --ldapbasedn=<dn> (Specify LDAP base DN); --enablekrb5 (Enable Kerberos); --disablekrb5 (Disable Kerberos); --krb5kdc=<kdc> (Specify Kerberos KDC); --krb5adminserver=<server> (Specify Kerberos administration server); --krb5realm=<realm> (Specify Kerberos realm); --enablekrb5kdcdns (Enable use of DNS to find Kerberos KDCs); Disable use of DNS to find Kerberos...
  • Page 288 Chapter 26. Authentication Configuration Option — Description: --winbindtemplatehomedir=</home/%D/%U> (Directory that winbind users have as their home); --winbindtemplateprimarygroup=<nobody> (Group that winbind users have as their primary group); --winbindtemplateshell=</bin/false> (Shell that winbind users have as their default login shell); --enablewinbindusedefaultdomain (Configures winbind to assume that users with no domain in their usernames are domain users)...
  • Page 289: System Configuration

    Part V. System Configuration Part of a system administrator's job is configuring the system for various tasks, types of users, and hardware configurations. This section explains how to configure a Red Hat Enterprise Linux system.
  • Page 291: Console Access

    Chapter 27. Console Access When normal (non-root) users log into a computer locally, they are given two types of special permissions: 1. They can run certain programs that they would not otherwise be able to run 2. They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files.
  • Page 292: Disabling Console Program Access

    Chapter 27. Console Access shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead. For more information on shutdown.allow, refer to the shutdown man page. 27.2.
  • Page 293: Enabling Console Access For Other Applications

    Enabling Console Access for Other Applications <scanner>=/dev/scanner /dev/usb/scanner* (Of course, make sure that /dev/scanner is really your scanner and not, say, your hard drive.) That is the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to: <console>...
  • Page 294: The Floppy Group

    Chapter 27. Console Access use pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again. This module is included in the pam package. To enable this feature, the PAM configuration file in /etc/pam.d/ must include the following lines: auth sufficient /lib/security/pam_timestamp.so session optional /lib/security/pam_timestamp.so...
  • Page 295: Date And Time Configuration

    Chapter 28. Date and Time Configuration The Time and Date Properties Tool allows the user to change the system date and time, to configure the time zone used by the system, and to set up the Network Time Protocol (NTP) daemon to synchronize the system clock with a time server.
  • Page 296 Chapter 28. Date and Time Configuration Figure 28.1. Time and Date Properties To change the date, use the arrows to the left and right of the month to change the month, use the arrows to the left and right of the year to change the year, and click on the day of the week to change the day of the week.
  • Page 297: Network Time Protocol (Ntp) Properties

    Network Time Protocol (NTP) Properties 28.2. Network Time Protocol (NTP) Properties As shown in Figure 28.2, “NTP Properties”, the second tabbed window that appears is for configuring NTP. Figure 28.2. NTP Properties The Network Time Protocol (NTP) daemon synchronizes the system clock with a remote time server or time source.
  • Page 298: Time Zone Configuration

    Chapter 28. Date and Time Configuration Clicking the OK button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program. 28.3. Time Zone Configuration As shown in Figure 28.3, “Timezone Properties”, the third tabbed window that appears is for configuring the system time zone.
  • Page 299 Time Zone Configuration Figure 28.3. Timezone Properties If your system clock is set to use UTC, select the System clock uses UTC option. UTC stands for the Universal Time, Coordinated, also known as Greenwich Mean Time (GMT). Other time zones are determined by adding or subtracting from the UTC time.
  • Page 301: Keyboard Configuration

    Chapter 29. Keyboard Configuration The installation program allows users to configure a keyboard layout for their systems. To configure a different keyboard layout after installation, use the Keyboard Configuration Tool. To start the Keyboard Configuration Tool, select Applications (the main menu on the panel) =>...
  • Page 303: Mouse Configuration

    Chapter 30. Mouse Configuration The installation program allows users to select the type of mouse connected to the system. To configure a different mouse type for the system, use the Mouse Configuration Tool. To start the Mouse Configuration Tool, type the command system-config-mouse at a shell prompt (for example, in an XTerm or GNOME terminal).
  • Page 305: Window System Configuration

    Chapter 31. X Window System Configuration During installation, the system's monitor, video card, and display settings are configured. To change any of these settings after installation, use the X Configuration Tool. To start the X Configuration Tool, go to Applications (the main menu on the panel) => Administration =>...
  • Page 306: Display Hardware Settings

    Chapter 31. X Window System Configuration Figure 31.1. Display Settings 31.2. Display Hardware Settings When the X Configuration Tool is started, it probes the monitor and video card. If the hardware is probed properly, the information for it is shown on the Hardware tab as shown in Figure 31.2, “Display Hardware Settings”.
  • Page 307: Dual Head Display Settings

    Dual Head Display Settings Figure 31.2. Display Hardware Settings To change the monitor type or any of its settings, click the corresponding Configure button. To change the video card type or any of its settings, click the Configure button beside its settings. 31.3.
  • Page 308 Chapter 31. X Window System Configuration Figure 31.3. Dual Head Display Settings To enable use of Dual head, check the Use dual head checkbox. To configure the second monitor type, click the corresponding Configure button. You can also configure the other Dual head settings by using the corresponding drop-down list. For the Desktop layout option, selecting Spanning Desktops allows both monitors to use an enlarged usable workspace.
  • Page 309: Users And Groups

    Chapter 32. Users and Groups The control of users and groups is a core element of Red Hat Enterprise Linux system administration. Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use. Groups are logical expressions of organization, tying users together for a common purpose.
  • Page 310: Adding A New User

    Chapter 32. Users and Groups To sort the users or groups, click on the column name. The users or groups are sorted according to the value of that column. Red Hat Enterprise Linux reserves user IDs below 500 for system users. By default, User Manager does not display system users.
  • Page 311: Modifying User Properties

    Modifying User Properties Figure 32.2. New User To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user. Refer to Section 32.1.2, “Modifying User Properties” for more information. 32.1.2. Modifying User Properties To view the properties of an existing user, click on the Users tab, select the user from the user list, and click Properties from the menu (or choose File =>...
  • Page 312: Adding A New Group

    Chapter 32. Users and Groups Figure 32.3. User Properties The User Properties window is divided into multiple tabbed pages: • User Data — Shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell. •...
  • Page 313: Modifying Group Properties

    Modifying Group Properties Figure 32.4. New Group Click OK to create the group. The new group appears in the group list. 32.1.4. Modifying Group Properties To view the properties of an existing group, select the group from the group list and click Properties from the menu (or choose File =>...
  • Page 314: User And Group Management Tools

    Chapter 32. Users and Groups 32.2. User and Group Management Tools Managing users and groups can be a tedious task; this is why Red Hat Enterprise Linux provides tools and conventions to make them easier to manage. The easiest way to manage users and groups is through the graphical application, User Manager (system-config-users).
  • Page 315: Adding A Group

    Adding a Group Option — Description: ...the password expires. If -1 is specified, the account is not disabled after the password expires. -g <group-name> (Group name or group number for the user's default group. The group must exist prior to being specified here.) -G <group-list> (List of additional (other than default) group names or group numbers,...
  • Page 316 Chapter 32. Users and Groups Option — Description: -m <days> (Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.) -M <days> (Specifies the maximum number of days for which the password is...
  • Page 317 Password Aging 3. Unlock the account — There are two common approaches to this step. The administrator can assign an initial password or assign a null password. Warning Do not use the passwd command to set the password as it disables the immediate password expiration just configured.
  • Page 318: Explaining The Process

    Chapter 32. Users and Groups 32.2.5. Explaining the Process The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled: 1. A new line for juan is created in /etc/passwd. The line has the following characteristics: •...
  • Page 319: Standard Users

    Standard Users • All other fields are blank. 5. A directory for user juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.
  • Page 320: Standard Groups

    Chapter 32. Users and Groups User / Home Directory / Shell: postfix /var/spool/postfix /sbin/nologin; mailman /var/mailman /sbin/nologin; named /var/named /bin/false; amanda /var/lib/amanda/ /bin/bash; postgres /var/lib/pgsql /bin/bash; exim /var/spool/exim /sbin/nologin; sshd /var/empty/sshd /sbin/nologin; rpcuser /var/lib/nfs /sbin/nologin; nfsnobody 65534 65534 /var/lib/nfs /sbin/nologin; /usr/share/pvm3 /bin/bash; apache /var/www /sbin/nologin...
  • Page 321 Standard Groups Group Members disk root daemon, lp kmem wheel root mail mail, postfix, exim news news uucp uucp games gopher lock nobody users utmp floppy vcsa dbus canna nscd postdrop postfix mailman exim named postgres sshd rpcuser nfsnobody 65534 apache...
  • Page 322: User Private Groups

    Chapter 32. Users and Groups Group Members mysql webalizer mailnull smmsp squid ldap netdump pcap quaggavt quagga radvd slocate dovecot radiusd Table 32.5. Standard Groups 32.5. User Private Groups Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage.
  • Page 323: Shadow Passwords

    Shadow Passwords directory very simple because any files a user creates within the directory are owned by the group which owns the directory. Let us say, for example, that a group of people need to work on files in the /usr/share/emacs/site-lisp/ directory.
  • Page 324: Additional Resources

    Chapter 32. Users and Groups The following is a list of commands which do not work without first enabling shadow passwords: • chage • gpasswd • /usr/sbin/usermod -e or -f options • /usr/sbin/useradd -e or -f options 32.7. Additional Resources For more information about users and groups, and tools to manage them, refer to the following resources.
  • Page 325: Printer Configuration

    Chapter 33. Printer Configuration Printer Configuration Tool allows users to configure a printer. This tool helps maintain the printer configuration file, print spool directories, print filters, and printer classes. Red Hat Enterprise Linux 4 uses the Common Unix Printing System (CUPS). If a system was upgraded from a previous Red Hat Enterprise Linux version that used CUPS, the upgrade process preserves the configured queues.
  • Page 326: Adding A Local Printer

    Chapter 33. Printer Configuration Important If you add a new print queue or modify an existing one, you must apply the changes for them to take effect. Clicking the Apply button prompts the printer daemon to restart with the changes you have configured.
  • Page 327: Adding An Ipp Printer

    Adding an IPP Printer Figure 33.3. Adding a Local Printer Next, select the printer type. Refer to Section 33.5, “Selecting the Printer Model and Finishing” for details. 33.2. Adding an IPP Printer An IPP printer is a printer attached to a different system on the same TCP/IP network. The system this printer is attached to may either be running CUPS or simply configured to use IPP.
  • Page 328: Adding A Samba (Smb) Printer

    Chapter 33. Printer Configuration Figure 33.4. Adding an IPP Printer Click Forward to continue. Next, select the printer type. Refer to Section 33.5, “Selecting the Printer Model and Finishing” for details. 33.3. Adding a Samba (SMB) Printer You can add a Samba (SMB) based printer share by clicking the New Printer button in the main Printer Configuration Tool window to display the window in Figure 33.2, “Adding a Printer”.
  • Page 329 Adding a Samba (SMB) Printer Figure 33.5. Adding a SMB Printer As shown in Figure 33.5, “Adding a SMB Printer”, available SMB shares are automatically detected and listed in the Share column. Click the arrow ( ) beside a Workgroup to expand it. From the expanded list, select a printer.
  • Page 330: Adding A Jetdirect Printer

    Chapter 33. Printer Configuration 33.4. Adding a JetDirect Printer To add a JetDirect or AppSocket connected printer share, click the New Printer button in the main Printer Configuration Tool window to display the window in Figure 33.2, “Adding a Printer”. Enter a unique name for the printer in the Printer Name field.
  • Page 331: Confirming Printer Configuration

    Confirming Printer Configuration Refer to Figure 33.7, “Selecting a Printer Model”. Figure 33.7. Selecting a Printer Model After choosing an option, click Forward to continue. Figure 33.7, “Selecting a Printer Model” appears. You now have to choose the corresponding model and driver for the printer. The recommended printer driver is automatically selected based on the printer model you chose.
  • Page 332: Modifying Existing Printers

    Chapter 33. Printer Configuration 33.7. Modifying Existing Printers To delete an existing printer, select the printer and click the Delete button on the toolbar. The printer is removed from the printer list once you confirm deletion of the printer configuration. To set the default printer, select the printer from the printer list and click the Make Default Printer button in the Settings tab.
  • Page 333: Managing Print Jobs

    Managing Print Jobs • Media Source — Set to Automatic by default. Change this option to use paper from a different tray. • Media Type — Allows you to change the paper type. Options include: plain, thick, bond, and transparency. • Resolution — Configure the quality and detail of the printout (the default is 300 dots per inch (dpi)). •...
  • Page 334: Installed Documentation

    Chapter 33. Printer Configuration 33.9.1. Installed Documentation • man lpr — The manual page for the lpr command that allows you to print files from the command line. • man lprm — The manual page for the command line utility to remove print jobs from the print queue.
  • Page 335: Automated Tasks

    Chapter 34. Automated Tasks In Linux, tasks can be configured to run automatically within a specified period of time, on a specified date, or when the system load average is below a specified number. Red Hat Enterprise Linux is pre-configured to run important system tasks to keep the system updated. For example, the slocate database used by the locate command is updated daily.
  • Page 336 Chapter 34. Automated Tasks • day — any integer from 1 to 31 (must be a valid day if a month is specified) • month — any integer from 1 to 12 (or the short name of the month such as jan or feb) •...
  • Page 337: Controlling Access To Cron

    Controlling Access to Cron The cron daemon checks the /etc/crontab file, the /etc/cron.d/ directory, and the /var/spool/cron/ directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed. 34.1.2.
  • Page 338: Configuring Batch Jobs

    Chapter 34. Automated Tasks • MMDDYY, MM/DD/YY, or MM.DD.YY formats — For example, 011502 for the 15th day of January in the year 2002. • now + time — time is in minutes, hours, days, or weeks. For example, now + 5 days specifies that the command should be executed at the same time five days from now.
  • Page 339: Additional Command Line Options

    Additional Command Line Options 34.2.4. Additional Command Line Options Additional command line options for at and batch include: Option Description Read the commands or shell script from a file instead of specifying them at the prompt. Send email to the user when the job has been completed. Display the time that the job is executed.
  • Page 341: Log Files

    Chapter 35. Log Files Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks. Log files can be very useful when trying to troubleshoot a problem with the system, such as trying to load a kernel driver, or when looking for unauthorized login attempts to the system.
  • Page 342 Chapter 35. Log Files Figure 35.1. Log Viewer By default, the currently viewable log file is refreshed every 30 seconds. To change the refresh rate, select Edit => Preferences from the pulldown menu. The window shown in Figure 35.2, “Log File Locations”...
  • Page 343: Adding A Log File

    Adding a Log File Figure 35.2. Log File Locations 35.3. Adding a Log File To add a log file to the list, select Edit => Preferences, and click the Add button in the Log Files tab.
  • Page 344: Examining Log Files

    Chapter 35. Log Files Figure 35.3. Adding a Log File Provide a name, description, and the location of the log file to add. After clicking OK, the file is immediately added to the viewing area, if the file exists. 35.4. Examining Log Files Log Viewer can be configured to display an alert icon beside lines that contain key alert words and a warning icon beside lines that contain key warning words.
  • Page 345 Examining Log Files Figure 35.4. Alerts To add warning words, select Edit => Preferences from the pull-down menu, and click on the Warnings tab. Click the Add button to add a warning word. To delete a warning word, select the word from the list, and click Delete.
  • Page 346 Chapter 35. Log Files Figure 35.5. Warning...
  • Page 347: Manually Upgrading The Kernel

    Chapter 36. Manually Upgrading the Kernel The Red Hat Enterprise Linux kernel is custom built by the Red Hat kernel team to ensure its integrity and compatibility with supported hardware. Before Red Hat releases a kernel, it must first pass a rigorous set of quality assurance tests.
  • Page 348: Preparing To Upgrade

    The kernel-source package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network. This *.src.rpm must then be rebuilt locally using the rpmbuild command. Refer to the latest distribution Release Notes, including all updates, at https://www.redhat.com/docs/manuals/enterprise/ for more information on obtaining and installing the kernel source package.
  • Page 349: Downloading The Upgraded Kernel

    Downloading the Upgraded Kernel For example, to create a boot diskette, log in as root, and type the following command at a shell prompt: /sbin/mkbootdisk `uname -r` Refer to the mkbootdisk man page for more options. Creating bootable media via CD-Rs, CD-RWs, and USB flash drives is also supported, provided the system BIOS also supports it.
  • Page 350: Performing The Upgrade

    Chapter 36. Manually Upgrading the Kernel • Security Errata — Go to the following location for information on security errata, including kernel upgrades that fix security issues: http://www.redhat.com/apps/support/errata/ • Via Quarterly Updates — Refer to the following location for details: http://www.redhat.com/apps/support/errata/rhlas_errata_policy.html •...
  • Page 351: Verifying The Initial Ram Disk Image

    Verifying the Initial RAM Disk Image 36.5. Verifying the Initial RAM Disk Image If the system uses the ext3 file system, a SCSI controller, or uses labels to reference partitions in /etc/fstab, an initial RAM disk is needed. The initial RAM disk allows a modular kernel to have access to modules that it might need to boot from before the kernel has access to the device where the modules normally reside.
  • Page 352: Itanium Systems

    36.6.2. Itanium Systems Itanium systems use ELILO as the boot loader, which uses /boot/efi/EFI/redhat/elilo.conf as the configuration file. Confirm that this file contains an image section with the same version as the kernel package just installed:...
  • Page 353: Ibm Eserver Iseries Systems

    IBM eServer iSeries Systems
    [defaultboot]
    default=old
    target=/boot/
    [linux]
    image=/boot/vmlinuz-2.6.9-5.EL
    ramdisk=/boot/initrd-2.6.9-5.EL.img
    parameters="root=LABEL=/"
    [old]
    image=/boot/vmlinuz-2.6.9-1.906_EL
    ramdisk=/boot/initrd-2.6.9-1.906_EL.img
    parameters="root=LABEL=/"
    Notice that the default is not set to the new kernel. To configure z/IPL to boot the new kernel by default, change the value of the default variable to the name of the section that contains the new kernel. The first line of each section contains the name in brackets.
  • Page 354 Chapter 36. Manually Upgrading the Kernel
    image=/vmlinux--2.6.9-5.EL
    label=old
    read-only
    initrd=/initrd--2.6.9-5.EL.img
    append="root=LABEL=/"
    image=/vmlinux-2.6.9-5.EL
    label=linux
    read-only
    initrd=/initrd-2.6.9-5.EL.img
    append="root=LABEL=/"
    Notice that the default is not set to the new kernel. The kernel in the first image is booted by default. To change the default kernel to boot, either move its image stanza so that it is the first one listed, or add the directive default and set it to the label of the image stanza that contains the new kernel.
  • Page 355: Kernel Modules

    Chapter 37. Kernel Modules The Linux kernel has a modular design. At boot time, only a minimal resident kernel is loaded into memory. Thereafter, whenever a user requests a feature that is not present in the resident kernel, a kernel module, sometimes referred to as a driver, is dynamically loaded into memory. During installation, the hardware on the system is probed.
  • Page 356 Chapter 37. Kernel Modules button 6481 battery 8901 4805 4033 ipv6 232833 ohci_hcd 21713 e100 39493 4673 1 e100 floppy 58481 33377 dm_snapshot 17029 dm_zero 2369 dm_mirror 22957 ext3 116809 71257 1 ext3 dm_mod 54741 6 dm_snapshot,dm_zero,dm_mirror 46173 aic7xxx 148121 sd_mod 17217 scsi_mod...
  • Page 357: Persistent Module Loading

    Persistent Module Loading For example, the command /sbin/rmmod e100 unloads the e100 kernel module. Another useful kernel module utility is modinfo. Use the command /sbin/modinfo to display information about a kernel module. The general syntax is: /sbin/modinfo [options] <module> Options include -d, which displays a brief description of the module, and -p, which lists the parameters the module supports.
  • Page 358: Useful Websites

    Chapter 37. Kernel Modules • /usr/share/doc/kernel-doc-<version>/Documentation/kbuild/modules.txt — how to compile and use kernel modules. 37.3.2. Useful Websites • http://www.redhat.com/mirrors/LDP/HOWTO/Module-HOWTO/index.html — Linux Loadable Kernel Module HOWTO from the Linux Documentation Project.
  • Page 359: Mail Transport Agent (Mta) Configuration

    Chapter 38. Mail Transport Agent (MTA) Configuration A Mail Transport Agent (MTA) is essential for sending email. A Mail User Agent (MUA) such as Evolution, Mozilla Mail, Thunderbird, and Mutt, is used to read and compose email. When a user sends an email from an MUA, the message is handed off to the MTA, which sends the message through a series of MTAs until it reaches its destination.
  • Page 360 Chapter 38. Mail Transport Agent (MTA) Configuration Figure 38.1. Mail Transport Agent Switcher If you select OK to change the MTA, the selected mail daemon is enabled to start at boot time, and the unselected mail daemons are disabled so that they do not start at boot time. The selected mail daemon is started, and any other mail daemon is stopped;...
  • Page 361: System Monitoring

    Part VI. System Monitoring System administrators also monitor system performance. Red Hat Enterprise Linux contains tools to assist administrators with these tasks.
  • Page 363: Gathering System Information

    Chapter 39. Gathering System Information Before you learn how to configure your system, you should learn how to gather essential system information. For example, you should know how to find the amount of free memory, the amount of available hard drive space, how your hard drive is partitioned, and what processes are running. This chapter discusses how to retrieve this type of information from your Red Hat Enterprise Linux system using simple commands and a few simple programs.
  • Page 364 Chapter 39. Gathering System Information Table 39.1, “Interactive top commands” contains useful interactive commands that you can use with top. For more information, refer to the top(1) manual page. Command Description Immediately refresh the display Space Display a help screen Kill a process.
  • Page 365: Memory Usage

    Memory Usage • View the files opened by the selected process. To stop a process, select it and click End Process. Alternatively you can also stop a process by selecting it, clicking Edit on your menu and selecting Stop Process. To sort the information by a specific column, click on the name of the column.
  • Page 366: File Systems

    Chapter 39. Gathering System Information Swap: 1310712 1310712 The command free -m shows the same information in megabytes, which are easier to read. total used free shared buffers cached Mem: -/+ buffers/cache: Swap: 1279 1279 If you prefer a graphical interface for free, you can use the GNOME System Monitor. To start it from the desktop, go to System =>...
  • Page 367: Hardware

    Hardware Filesystem 1K-blocks Used Available Use% Mounted on /dev/mapper/VolGroup00-LogVol00 11675568 6272120 4810348 57% / /dev/sda1 100691 9281 86211 10% /boot none 322856 322856 0% /dev/shm By default, this utility shows the partition size in 1 kilobyte blocks and the amount of used and available disk space in kilobytes.
  • Page 368 Chapter 39. Gathering System Information Figure 39.4. Hardware Browser The Device Manager application can also be used to display your system hardware. This application can be started by selecting System (the main menu on the panel) => Administration => Hardware like the Hardware Browser.
  • Page 369: Additional Resources

    Additional Resources The lspci command is also useful to determine the network card in your system if you do not know the manufacturer or model number. 39.5. Additional Resources To learn more about gathering system information, refer to the following resources. 39.5.1.
  • Page 371: Oprofile

    Chapter 40. OProfile OProfile is a low overhead, system-wide performance monitoring tool. It uses the performance monitoring hardware on the processor to retrieve information about the kernel and executables on the system, such as when memory is referenced, the number of L2 cache requests, and the number of hardware interrupts received.
  • Page 372: Configuring Oprofile

    Chapter 40. OProfile Command Description Converts sample database files from a foreign binary format to the op_import native format for the system. Only use this option when analyzing a sample database from a different architecture. Creates annotated source for an executable if the application was opannotate Section 40.5.3, “Using compiled with debugging symbols.
  • Page 373: Setting Events To Monitor

    Setting Events to Monitor Setting whether samples should be collected within the kernel only changes what data is collected, not how or where the collected data is stored. To generate different sample files for the kernel and Section 40.2.3, “Separating Kernel and User-space Profiles”.
  • Page 374: Sampling Rate

    Chapter 40. OProfile Processor Default Event for Counter Description Itanium 2 CPU_CYCLES CPU Cycles TIMER_INT (none) Sample for each timer interrupt ppc64/power4 CYCLES Processor Cycles ppc64/power5 CYCLES Processor Cycles ppc64/970 CYCLES Processor Cycles Table 40.3. Default Events The number of events that can be monitored at one time is determined by the number of counters for the processor.
  • Page 375: Separating Kernel And User-Space Profiles

    Separating Kernel and User-space Profiles Warning Be extremely careful when setting sampling rates. Sampling too frequently can overload the system, causing the system to appear as if it is frozen or causing the system to actually freeze. 40.2.2.2. Unit Masks If the cpu_type is not timer, unit masks may also be required to further define the event.
  • Page 376: Starting And Stopping Oprofile

    Chapter 40. OProfile If --separate=library is used, the sample file name includes the name of the executable as well as the name of the library. 40.3. Starting and Stopping OProfile To start monitoring the system with OProfile, execute the following command as root: opcontrol --start Output similar to the following is displayed: Using log file /var/lib/oprofile/oprofiled.log...
  • Page 377: Using Opreport

    Using opreport {root}/bin/bash/{dep}/{root}/bin/bash/CPU_CLK_UNHALTED.100000 The following tools are available to profile the sample data once it has been collected: • opreport • opannotate Use these tools, along with the binaries profiled, to generate reports that can be further analyzed. Warning The executable being profiled must be used with these tools to analyze the data. If it must change after the data is collected, back up the executable used to create the samples as well as the sample files.
  • Page 378: Using Opreport On A Single Executable

    Chapter 40. OProfile 0.0038 libwnck-1.so.4.9.0 Each executable is listed on its own line. The first column is the number of samples recorded for the executable. The second column is the percentage of samples relative to the total number of samples. The third column is the name of the executable.
  • Page 379: Using Opannotate

    Using opannotate -i <symbol-name> List sample data specific to a symbol name. For example, the following output is from the command opreport -l -i __gconv_transform_utf8_internal /lib/tls/libc-<version>.so: samples symbol name 100.000 __gconv_transform_utf8_internal The first line is a summary for the symbol/executable combination. The first column is the number of samples for the memory symbol.
  • Page 380: Understanding /Dev/Oprofile

    Chapter 40. OProfile opannotate --search-dirs <src-dir> --source <executable> The directory containing the source code and the executable to be analyzed must be specified. Refer to the opannotate man page for a list of additional command line options. 40.6. Understanding /dev/oprofile/ The /dev/oprofile/ directory contains the file system for OProfile.
  • Page 381: Graphical Interface

    Graphical Interface 40.8. Graphical Interface Some OProfile preferences can be set with a graphical interface. To start it, execute the oprof_start command as root at a shell prompt. After changing any of the options, save them by clicking the Save and quit button. The preferences are written to /root/.oprofile/daemonrc, and the application exits.
  • Page 382 Chapter 40. OProfile Figure 40.1. OProfile Setup...
  • Page 383 Graphical Interface On the right side of the tab, select the Profile kernel option to count events in kernel mode for the currently selected event, as discussed in Section 40.2.3, “Separating Kernel and User-space Profiles”. If this option is unselected, no samples are collected for the kernel. Select the Profile user binaries option to count events in user mode for the currently selected event, as discussed in Section 40.2.3, “Separating Kernel and User-space Profiles”.
  • Page 384 Chapter 40. OProfile Figure 40.2. OProfile Configuration If the Verbose option is selected, the oprofiled daemon log includes more information. If Per-application kernel samples files is selected, OProfile generates per-application profiles for the kernel and kernel modules as discussed in Section 40.2.3, “Separating Kernel and User-space...
  • Page 385: Additional Resources

    Additional Resources Profiles”. This is equivalent to the opcontrol --separate=kernel command. If Per-application shared libs samples files is selected, OProfile generates per-application profiles for libraries. This is equivalent to the opcontrol --separate=library command. To force data to be written to samples files as discussed in Section 40.5, “Analyzing the Data”, click the Flush profiler data button.
  • Page 387: Appendix

    Part VII. Appendix...
  • Page 389: Revision History

    Appendix A. Revision History Revision 1.0 Thu Sep 18 2008 Don Domingo ddomingo@redhat.com migrated to new automated build system...