Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual

Table of Contents






Summary of Contents for Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006

  • Page 1 SUSE Linux Enterprise Server www.novell.com Installation and Administration August 04, 2006...
  • Page 2 Novell, the Novell logo, the N logo and SUSE are registered trademarks of Novell, Inc. in the United States and other countries. * Linux is a registered trademark of Linus Torvalds. All other third party...
  • Page 3: Table Of Contents

    Contents: About This Guide. Part I Deployment. 1 Planning for SUSE Linux Enterprise: Considerations for Deployment of a SUSE Linux Enterprise Server; Deployment of SUSE Linux Enterprise Server; Running SUSE Linux Enterprise Server.
  • Page 4 4 Remote Installation: Installation Scenarios for Remote Installation; Setting Up the Server Holding the Installation Sources; Preparing the Boot of the Target System; Booting the Target System for Installation.
  • Page 5 Part II Administration. 9 OpenWBEM: Setting Up OpenWBEM; Changing the OpenWBEM CIMOM Configuration; For More Information.
  • Page 6 15 Access Control Lists in Linux: 15.1 Traditional File Permissions; 15.2 Advantages of ACLs; 15.3 Definitions.
  • Page 7 19.3 Software Compilation on Biarch Platforms; 19.4 Kernel Specifications. 20 Booting and Configuring a Linux System: 20.1 The Linux Boot Process.
  • Page 8 24.6 Special Features in SUSE Linux Enterprise; 24.7 Troubleshooting. 25 Dynamic Kernel Device Management with udev: 25.1 The /dev Directory.
  • Page 9 30 Wireless Communication: 30.1 Wireless LAN. Part IV Services. 31 Basic Networking: 31.1 IP Addresses and Routing.
  • Page 10 35.2 DHCP Software Packages; 35.3 The DHCP Server dhcpd; 35.4 For More Information.
  • Page 11 40.6 Introduction to rsync; 40.7 Introduction to mailsync. 41 The Apache HTTP Server: 41.1 Quick Start.
  • Page 12 49 Confining Privileges with AppArmor: 49.1 Installing Novell AppArmor; 49.2 Enabling and Disabling Novell AppArmor.
  • Page 13 50.2 Some General Security Tips and Tricks; 50.3 Using the Central Security Reporting Address. Part VI Troubleshooting. 51 Help and Documentation: 51.1...
  • Page 15: About This Guide

    About This Guide This guide is intended for use by professional network and system administrators during the actual planning, deployment, configuration, and operation of SUSE® Linux Enterprise. As such, it is solely concerned with ensuring that SUSE Linux Enterprise is properly configured and that the required services on the network are available to allow it to function properly as initially installed.
  • Page 16: Documentation Updates

    Security This edition of SUSE Linux Enterprise includes several security-related features. It ships with Novell® AppArmor, which enables you to protect your applications by restricting privileges. Secure login, firewalling, and file system encryption are covered as well. Troubleshooting SUSE Linux Enterprise includes a wealth of applications, tools, and documentation should you need them in case of trouble.
  • Page 17 An in-depth introduction to networking using NetworkManager. Novell AppArmor 2.0 Administration Guide An in-depth administration guide to Novell AppArmor that introduces you to ap- plication confinement for heightened security in your environment. Many chapters in this manual contain links to additional documentation resources. This includes additional documentation that is available on the system as well as documen- tation available on the Internet.
  • Page 18 • File, File → Save As: menu items, buttons • ►amd64 em64t ipf: This paragraph is only relevant for the specified architectures. The arrows mark the beginning and the end of the text block.◄ ►ipseries s390 zseries: This paragraph is only relevant for the specified architec- tures.
  • Page 19: Part I Deployment

    Part I. Deployment...
  • Page 21: Planning For Suse Linux Enterprise

    Planning for SUSE Linux Enterprise The implementation of an operating system, either in an existing IT environment or as a completely new rollout, must be carefully prepared. SUSE Linux Enterprise Server 10 comes with a variety of new features; it is impossible to describe all of them here.
  • Page 22 • OpenLDAP Novell AppArmor Harden your System with the Novell AppArmor technology. This service is de- scribed in depth in Novell AppArmor 2.0 Administration Guide (↑Novell AppArmor 2.0 Administration Guide). iSCSI iSCSI provides an easy and reasonably inexpensive solution for connecting Linux computers to central storage systems.
  • Page 23: Considerations For Deployment Of A Suse Linux Enterprise Server

    Find the registration and patch support database at http://www.novell.com/suselinuxportal. • Do you need help for your local installation? Novell provides training, support, and consulting for all topics around SUSE Linux Enterprise Server. Find more information about this at http://www.novell.com/products/...
  • Page 24: Running Suse Linux Enterprise Server

    Strategies (page 25) for more information. When using the Xen virtualization technologies, network root file systems or network storage solutions like iSCSI should be considered. See also Chapter 11, Mass Storage over IP Networks—iSCSI (page 259). SUSE Linux Enterprise Server provides you with a broad variety of services. Find an overview of the documentation in this book in About This Guide (page xv).
  • Page 25: Deployment Strategies

    Deployment Strategies There are several different ways to deploy SUSE® Linux Enterprise. Choose from various approaches ranging from a local installation using physical media or a network installation server to a mass deployment using a remote-controlled, highly-customized, and automated installation technique. Select the method that best matches your requirements.
  • Page 26 Table 2.1 Installing from the SUSE Linux Enterprise Media Installation Source SUSE Linux Enterprise media kit Tasks Requiring Manual Inter- • Inserting the installation media action • Booting the installation target • Changing media • Determining the YaST installation scope •...
  • Page 27: Deploying Up To 100 Workstations

    Table 2.3 Installing from a Network Server. Installation Source: network installation server holding the SUSE Linux Enterprise installation media. Tasks Requiring Manual Interaction: inserting the boot disk; providing boot options; booting the installation target; determining the YaST installation scope; ...
  • Page 28 Simple Remote Installation via VNC—Dynamic Network Configuration (page 29) Consider this approach in a small to medium scenario with dynamic network setup through DHCP. A network, network installation server, and VNC viewer application are required. Remote Installation via VNC—PXE Boot and Wake on LAN (page 30) Consider this approach in a small to medium scenario that should be installed via network and without physical interaction with the installation targets.
  • Page 29 Table 2.4 Simple Remote Installation via VNC—Static Network Configuration Installation Source Network Preparations • Setting up an installation source • Booting from the installation media Control and Monitoring Remote: VNC Best Suited For small to medium scenarios with varying hardware Drawbacks •...
  • Page 30 Details Section 4.1.2, “Simple Remote Installation via VNC—Dynamic Network Configuration” (page 71) Table 2.6 Remote Installation via VNC—PXE Boot and Wake on LAN Installation Source Network Preparations • Setting up the installation source • Configuring DHCP, TFTP, PXE boot, and WOL •...
  • Page 31 • Low bandwidth connections to target Drawbacks • Each machine must be set up individually • Physical access is needed for booting Details Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration” (page 74) Table 2.8 Remote Installation via SSH—Dynamic Network Configuration Installation Source Network Preparations...
  • Page 32 • Configuring DHCP, TFTP, PXE boot, and WOL • Booting from the network Control and Monitoring Remote: SSH Best Suited For • Small to medium scenarios with varying hardware • Completely remote installs; cross-site deployment • Low bandwidth connections to target Drawbacks Each machine must be set up individually Details...
  • Page 33 Best Suited For • Large scenarios • Identical hardware • No access to system (network boot) Drawbacks Applies only to machines with identical hardware Details Section 5.1, “Simple Mass Installation” (page 105) Table 2.11 Rule-Based Autoinstallation Installation Source Preferably network Preparations •...
  • Page 34: Deploying More Than 100 Workstations

    Details Section 5.2, “Rule-Based Autoinstallation” (page 116) 2.3 Deploying More than 100 Workstations Most of the considerations brought up for medium installation scenarios in Section 2.1, “Deploying up to 10 Workstations” (page 25) still hold true for large scale deployments. However, with a growing number of installation targets, the benefits of a fully automated installation method outweigh its disadvantages.
  • Page 35: Installation With Yast

    Installation with YaST After your hardware has been prepared for the installation of SUSE Linux Enterprise Server as described in the Architecture-Specific Information manual and after the connection with the installation system has been established, you are presented with the interface of SUSE Linux Enterprise's system assistant YaST.
  • Page 36: System Start-Up For Installation

    3.2 System Start-Up for Installation Insert the first SUSE Linux Enterprise CD or the DVD into the drive. Then reboot the computer to start the installation program from the medium in the drive. 3.2.1 Boot Options Boot options other than CD or DVD exist and can be used if problems arise booting from CD or DVD.
  • Page 37 during the installation. The installation procedure is basically the same, no matter which installation source or method you prefer. Installing from the SUSE Linux Enterprise Media Install from physical boot media (your SUSE Linux Enterprise media kit) as follows: 1 Insert the media into your CD or DVD drive. 2 Reboot the system.
  • Page 38: The Boot Screen

    1 Set up an installation server as described in Section 4.2, “Setting Up the Server Holding the Installation Sources” (page 78). 2 Insert the first CD or DVD of the media kit into the corresponding drive then reboot the machine. 3 At the boot screen, select Installation and use the boot options prompt to pass additional information, such as: •...
  • Page 39 Installation—ACPI Disabled If the normal installation fails, this might be due to the system hardware not sup- porting ACPI (advanced configuration and power interface). If this seems to be the case, use this option to install without ACPI support. Installation—Safe Settings Boots the system with the DMA mode (for CD-ROM drives) and power management functions disabled.
  • Page 40: Language Selection

    The actual installation of SUSE Linux Enterprise begins at this point. All YaST screens have a common layout. All buttons, entry fields, and lists can be accessed with the mouse or the keyboard. If your mouse pointer does not move, the mouse has not been detected automatically.
  • Page 41 Figure 3.1 IBM System z: Selecting a DASD Now specify the DASDs to use for the installation by selecting the corresponding entries in the list then clicking Select or Deselect. After that, activate and make the DASDs available for the installation by selecting Perform Action → Activate (see Figure 3.2, “IBM System z: Activating a DASD”...
  • Page 42: License Agreement

    Figure 3.3 IBM System z: Overview of Available ZFCP Disks To use ZFCP disks for the SUSE Linux Enterprise Server installation, select Configure ZFCP Disks in the selection dialog. This opens a dialog with a list of the ZFCP disks available on the system.
  • Page 43: System Analysis

    3.7 System Analysis Select New installation or Update an existing system. Updating is only possible if a SUSE Linux Enterprise system is already installed. When a SUSE Linux Enterprise system is already installed, use Other to access two advanced options: boot the installed system with Boot installed system or, if the installed system fails to boot, you can try to fix the problem with Repair installed system.
  • Page 44 Figure 3.4 Installation Settings 3.9.1 Partitioning In most cases, YaST proposes a reasonable partitioning scheme that can be accepted without change. YaST can also be used to customize the partitioning. This section de- scribes the necessary steps. Partition Types TIP: IBM System z: Hard Disks On the IBM System z platforms, SUSE Linux Enterprise Server supports SCSI hard disks as well as DASDs (direct access storage devices).
  • Page 45: Required Disk Space

    A primary partition simply consists of a continuous range of cylinders (physical disk areas) assigned to a particular operating system. With primary partitions only, you would be limited to four partitions per hard disk, because more do not fit in the partition table.
  • Page 46 The partitions to create depend on the available space. The following are some basic partitioning guidelines: Up to 4 GB: One partition for the swap space and one root partition (/). In this case, the root partition must allow for those directories that often reside on their own partitions if more space is available.
  • Page 47 The next step is to determine whether the entire disk should be used (Use Entire Hard Disk) or whether to use any existing partitions (if available) for the installation. If a Windows operating system was found on the disk, you are asked whether to delete or resize the partition.
  • Page 48 Figure 3.5 Possible Options for Windows Partitions If you select Delete Windows Completely, the Windows partition is marked for deletion and the space is used for the installation of SUSE Linux Enterprise. WARNING: Deleting Windows If you delete Windows, all data will be lost beyond recovery as soon as the formatting starts.
  • Page 49 many small parts scattered all over the FAT partition. Also, the entire swap file would need to be moved during the resizing, which makes the process rather slow. It is therefore useful to disable these Windows optimizations for the time being and reenable them after the resizing has been completed.
  • Page 50 The first bar graph shows how much disk space is currently occupied by Windows and how much space is still available. The second bar graph shows how the space would be distributed after the resizing, according to YaST's current proposal. See Figure 3.6, “Resizing the Windows Partition”...
  • Page 51 Figure 3.7 Installing and Removing Software with the YaST Package Manager Changing the Installation Scope If you have specific software needs, modify the current selection with the package manager, which greatly eases this task. The package manager offers various filter criteria to simplify selection from the numerous packages in SUSE Linux Enterprise.
  • Page 52 listing all the possible status settings. To learn more about them, read the detailed de- scription of this module in Section 7.3.1, “Installing and Removing Software” (page 139). Other Filters Click the filter selection box to view the other possible filters. The selection according to Package Groups can also be used for the installation.
  • Page 53: Keyboard Layout

    Adapt your keyboard and time zone settings to the selected primary language by selecting those options, if desired. Optionally, use Details to set the language for the user root. There are three options: ctype only The value of the variable LC_CTYPE in the file /etc/sysconfig/language is adopted for the user root.
  • Page 54 Select the keyboard layout from the list. By default, the layout corresponds to the se- lected language. After changing the layout, test the characters that are special to the selected language layout to make sure that the selection is correct. To set special options regarding keyboard behavior, click Expert Settings.
  • Page 55: Performing The Installation

    3.9.8 Time Zone In this dialog, change your region and time zone by selecting them from the lists. Choose between Local Time and UTC (GMT) under Hardware Clock Set To. The selection depends on how the BIOS hardware clock is set on your machine. If it is set to GMT, which corresponds to UTC, your system can rely on SUSE Linux Enterprise to switch from standard time to daylight saving time and back automatically.
  • Page 56: Installed System

    SET LOADDEV PORT 50050763 00C590A9 LUN 50010000 00000000 Finally, initiate the IPL: IPL 151 CLEAR 3.9.11 IBM System z: Connecting to the Installed System After IPLing the installed system, establish a connection with it to complete the installation. The steps involved in this vary depending on the type of connection used at the outset.
  • Page 57: Configuration

    A message in the 3270 terminal asks you to connect to the Linux system with an SSH client. This message is easily missed, however, because it is mixed with kernel messages and because the terminal process might quit before you become aware of the message. Now perform the following steps to complete the installation: 1 Use SSH to log into the Linux system as root.
  • Page 58: Root Password

    3.10.2 root Password root is the name of the superuser, the administrator of the system. Unlike regular users, who may or may not have permission to do certain things on the system, root has unlimited power to do anything: change the system configuration, install programs, and set up new hardware.
  • Page 59 NOTE: Network Devices and Update If you skip the network device configuration, your system will be offline and unable to retrieve any available updates or include them in the installation. As well as device configuration, configure network accessibility–related settings: Firewall Configuration When you connect to a network, a firewall is started automatically on the configured interface.
  • Page 60: Online Update

    3.10.4 Customer Center To get technical support and product updates, first register and activate your product. Novell Customer Center Configuration provides assistance for doing so. If you are offline or want to skip this step, select Configure Later. In Include for Convenience, select whether to obtain some of the necessary information from your system.
  • Page 61 Figure 3.8 Proposed Setup for Network Services CA Management The purpose of a CA (certificate authority) is to guarantee a trust relationship among all network services communicating with each other. If you decide that you do not want to establish a CA, secure server communications with SSL and TLS, but separately for each individual service.
  • Page 62: User Authentication

    Like the general network configuration, you can skip this configuration proposal for now. After the installation is finished, you can still configure and start the same services with the help of YaST. 3.10.7 Users This step has two parts. In the first part, choose the user authentication method. The second part depends on the selected authentication method.
  • Page 63 Creating Local User Accounts Linux is an operating system that allows several users to work on the same system at the same time. Each user needs a user account to log in to the system. By having user accounts, the system gains a lot in terms of security. For instance, regular users cannot change or delete files needed for the system to work properly.
  • Page 64 To provide effective security, a password should be between five and eight characters long. The maximum length for a password is 128 characters. However, if no special security modules are loaded, only the first eight characters are used to discern the password.
  • Page 65 dress. Choose the appropriate base DN from the search results given by YaST. If TLS or SSL protected communication with the server is required, select LDAP TLS/SSL. If the LDAP server still uses LDAPv2, explicitly enable the use of this protocol version by selecting LDAP Version 2.
  • Page 66: Release Notes

    user logging in to the domain from your local machine. Click Finish to apply your settings and provide the necessary credentials. 3.10.8 Cleanup This step does not require any user interaction. The installation program launches the SuSEconfig script to write the system configuration. Depending on the CPU and the amount of memory, this process can take some time.
  • Page 67: Graphical Login

    3.10.11 Completing Installation After a successful installation, YaST shows the Installation Completed dialog. In this dialog, select whether to clone your newly installed system for AutoYaST. To clone your system, select Clone This System for AutoYaST. The profile of the current system is stored in /root/autoyast.xml.
  • Page 69: Remote Installation

    Remote Installation SUSE® Linux Enterprise can be installed in several different ways. As well as the usual CD or DVD installation covered in Chapter 3, Installation with YaST (page 35), you can choose from various network-based approaches or even take a completely hands-off approach to the installation of SUSE Linux Enterprise.
  • Page 70 IMPORTANT The configuration of the X Window System is not part of any remote installation process. After the installation has finished, log in to the target system as root, enter telinit 3, and start SaX2 to configure the graphics hardware as de- scribed in Section 27.1, “X11 Setup with SaX2”...
  • Page 71 2 Boot the target system using the first CD or DVD of the SUSE Linux Enterprise media kit. 3 When the boot screen of the target system appears, use the boot options prompt to set the appropriate VNC options and the address of the installation source. This is described in detail in Section 4.4, “Booting the Target System for Instal- lation”...
  • Page 72 • Controlling system with working network connection and VNC viewer software or Java-enabled browser (Firefox, Konqueror, Internet Explorer, or Opera) • Physical boot medium (CD, DVD, or custom boot disk) for booting the target system • Running DHCP server providing IP addresses To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server...
  • Page 73 4.1.3 Remote Installation via VNC—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. User interaction is only needed for the actual installation. This approach is suitable for cross-site deployments. To perform this type of installation, make sure that the following requirements are met: •...
  • Page 74 5 Initiate the boot process of the target system using Wake on LAN. This is de- scribed in Section 4.3.7, “Wake on LAN” (page 96). 6 On the controlling workstation, open a VNC viewing application or Web browser and connect to the target system as described in Section 4.5.1, “VNC Installation”...
  • Page 75 To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server Holding the Installation Sources” (page 78). Choose an NFS, HTTP, or FTP network server. For an SMB installation source, refer to Section 4.2.5, “Managing an SMB Installation Source”...
  • Page 76 • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection • Target system with working network connection • Controlling system with working network connection and working SSH client software • Physical boot medium (CD or DVD) for booting the target system •...
  • Page 77 4.1.6 Remote Installation via SSH—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. To perform this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection •...
  • Page 78: Setting Up The Server Holding The Installation Sources

    6 On the controlling workstation, start an SSH client and connect to the target system as described in Section 4.5.2, “SSH Installation” (page 103). 7 Perform the installation as described in Chapter 3, Installation with YaST (page 35). Reconnect to the target system after it reboots for the final part of the installation.
  • Page 79 4 Select the server type (HTTP, FTP, or NFS). The selected server service is started automatically every time the system starts. If a service of the selected type is already running on your system and you want to configure it manually for the server, deactivate the automatic configuration of the server service with Do Not Configure Any Network Services.
  • Page 80 7 Upload the installation data. The most lengthy step in configuring an installation server is copying the actual installation CDs. Insert the media in the sequence requested by YaST and wait for the copying procedure to end. When the sources have been fully copied, return to the overview of existing information sources and close the configuration by selecting Finish.
  • Page 81 Replace product with an abbreviation of the product name and productversion with a string that contains the product name and version. 3 For each CD contained in the media kit execute the following commands: a Copy the entire content of the installation CD into the installation server directory: cp -a /media/path_to_your_CD-ROM_drive .
  • Page 82 If you prefer manually exporting the installation sources via NFS instead of using the YaST NFS Server module, proceed as follows: 1 Log in as root. 2 Open the file /etc/exports and enter the following line: /productversion *(ro,root_squash,sync) This exports the directory /productversion to any host that is part of this network or to any host that can connect to this server.
  • Page 83 For more information about OpenSLP, refer to the package documentation located under /usr/share/doc/packages/openslp/ or refer to Chapter 32, SLP Services in the Network (page 619). 4.2.3 Setting Up an FTP Installation Source Manually Creating an FTP installation source is very similar to creating an NFS installation source. FTP installation sources can be announced over the network using OpenSLP as well.
  • Page 84 e Start pure-ftpd with pure-ftpd &. 3 Announce the installation source via OpenSLP, if this is supported by your net- work setup: a Create a configuration file called install.suse.ftp.reg under /etc/ slp/reg.d/ that contains the following lines: # Register the FTP Installation Server service:install.suse:ftp://$HOSTNAME/srv/ftp/instsource/CD1,en,65535 description=FTP Installation Source Replace instsource with the actual name to the installation source direc-...
  • Page 85 c Create a symbolic link from the location of the installation sources to the root directory of the Web server (/srv/www/htdocs): ln -s /path_instsource /srv/www/htdocs/instsource d Modify the configuration file of the HTTP server (/etc/apache2/ default-server.conf) to make it follow symbolic links. Replace the following line: Options None with...
  • Page 86: Preparing The Boot Of The Target System

    1 Log in to your Windows machine. 2 Start Explorer and create a new folder that will hold the entire installation tree and name it INSTALL, for example. 3 Export this share according the procedure outlined in your Windows documenta- tion.
  • Page 87: Setting Up A Dhcp Server

    4.3.1 Setting Up a DHCP Server There are two ways to set up a DHCP server. For SUSE Linux Enterprise Server 9 and higher, YaST provides a graphical interface to the process. Users of any other SUSE Linux-based products and non-SUSE Linux users should manually edit the configuration files or use the front-end provided by their operating system vendors.
  • Page 88 Setting Up a DHCP Server Manually All the DHCP server needs to do, apart from providing automatic address allocation to your network clients, is to announce the IP address of the TFTP server and the file that should be pulled in by the installation routines on the target machine. 1 Log in as root to the machine hosting the DHCP server.
  • Page 89: Setting Up A Tftp Server

    The host statement introduces the hostname of the installation target. To bind the hostname and IP address to a specific host, you must know and specify the system's hardware (MAC) address. Replace all the variables used in this example with the actual values that match your environment.
  • Page 90 2 If unavailable, create /srv/tftpboot and /srv/tftpboot/pxelinux .cfg directories. 3 Add the appropriate files needed for the boot image as described in Section 4.3.3, “Using PXE Boot” (page 90). 4 Modify the configuration of xinetd located under /etc/xinetd.d/ to make sure that the TFTP server is started on boot: a If it does not exist, create a file called tftp under this directory with touch tftp.
  • Page 91 3 Copy the /usr/share/syslinux/pxelinux.0 file to the /srv/ tftpboot directory by entering the following: cp -a /usr/share/syslinux/pxelinux.0 /srv/tftpboot 4 Change to the directory of your installation repository and copy the isolinux .cfg file to /srv/tftpboot/pxelinux.cfg/default by entering the following: cp -a boot/loader/isolinux.cfg /srv/tftpboot/pxelinux.cfg/default 5 Edit the /srv/tftpboot/pxelinux.cfg/default file and remove the lines beginning with gfxboot, readinfo, and framebuffer.
  • Page 92 entry. An overview of parameters and some examples are given in Section 4.4, “Booting the Target System for Installation” (page 97). An example /srv/tftpboot/pxelinux.cfg/default file follows. Adjust the protocol prefix for the installation source to match your network setup and specify your preferred method of connecting to the installer by adding the vnc and vncpassword or the ssh and sshpassword options to the install entry.
  • Page 93 display message prompt timeout Replace ip_instserver and path_instsource with the values used in your setup. The following section serves as a short reference to the PXELINUX options used in this setup. Find more information about the options available in the documen- tation of the syslinux package located under /usr/share/doc/ packages/syslinux/.
  • Page 94 title mytitle kernel my_kernel my_kernel_options initrd myinitrd PXELINUX uses the following syntax: label mylabel kernel mykernel append myoptions Labels are mangled as if they were filenames and they must be unique after man- gling. For example, the two labels “v2.1.30” and “v2.1.31” would not be distin- guishable under PXELINUX because both mangle to the same DOS filename.
  • Page 95 TIMEOUT time-out Indicates how long to wait at the boot prompt until booting automatically, in units of 1/10 second. The time-out is canceled as soon as the user types anything on the keyboard, assuming the user will complete the command begun. A time-out of zero disables the time-out completely (this is also the default).
  • Page 96: Wake On Lan

    4.3.6 Preparing the Target System for Wake on LAN Wake on LAN (WOL) requires the appropriate BIOS option to be enabled prior to the installation. Also, note down the MAC address of the target system. This data is needed to initiate Wake on LAN. 4.3.7 Wake on LAN Wake on LAN allows a machine to be turned on by a special network packet containing the machine's MAC address.
  • Page 97: Booting The Target System For Installation

    4.3.9 Manual Wake on LAN 1 Log in as root. 2 Start YaST → Software Management and install the package netdiag. 3 Open a terminal and enter the following command as root to wake the target: ether-wake mac_of_target Replace mac_of_target with the actual MAC address of the target. 4.4 Booting the Target System for Installation Basically, there are two different ways to customize the boot process for installation...
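    Wake on LAN as an added example (written for this page, not from the manual): the magic packet ether-wake sends is six 0xFF bytes followed by the target's MAC repeated sixteen times, 102 bytes in all, normally broadcast as UDP to port 9. The script builds that packet in plain sh so the format can be checked; the send step assumes xxd and socat are installed, and the MAC used for checking is made up. Note that the packet carries no authentication at all: anyone on the segment who knows the MAC can power the machine on, so the BIOS option is a deployment convenience, not a control.

```shell
#!/bin/sh
# Added example (not from the manual): build and send the Wake on LAN "magic
# packet" that ether-wake sends. Format: six 0xFF bytes, then the target MAC
# repeated 16 times (102 bytes), usually sent as a UDP broadcast to port 9.
# Sending assumes xxd and socat are installed; building needs only POSIX sh.
set -u

# Print the 102-byte magic packet for a MAC (colon- or dash-separated) as a
# 204-character hex string. Fails on anything that is not 12 hex digits.
wol_magic_hex() {
  mac=$(printf '%s' "$1" | sed 's/[-:]//g' | tr 'A-F' 'a-f')
  [ ${#mac} -eq 12 ] || return 1
  case $mac in *[!0-9a-f]*) return 1 ;; esac
  hex=ffffffffffff
  i=0
  while [ $i -lt 16 ]; do
    hex="$hex$mac"
    i=$((i + 1))
  done
  printf '%s\n' "$hex"
}

# Byte length of the packet a hex string encodes (102 for a valid one).
wol_packet_len() {
  printf '%s' "$1" | wc -c | awk '{ print $1 / 2 }'
}

# Broadcast the packet on the local segment. WOL has no authentication:
# whoever can send a broadcast and knows the MAC can power the machine on.
wol_send() {
  bcast=${2:-255.255.255.255}
  wol_magic_hex "$1" | xxd -r -p | socat - "UDP-DATAGRAM:$bcast:9,broadcast"
}
```

    wol_send aa:bb:cc:dd:ee:ff 192.168.1.255 does what ether-wake does for a target on the 192.168.1.0/24 segment; pass the directed broadcast address of that segment when the sending host has more than one interface.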
  • Page 98 See the table below for a complete set of the options available. Table 4.1 F Keys During Installation (columns: Purpose, Available Options, Default Value): Provide help: None; None. Select the installation language: All supported languages; English. Change screen resolution: • Text mode •...
  • Page 99 4.4.3 Using Custom Boot Options Using the appropriate set of boot options helps facilitate your installation procedure. Many parameters can also be configured later using the linuxrc routines, but using the boot options is easier. In some automated setups, the boot options can be provided with initrd or an info file.
  • Page 100 (columns: Installation Scenario, Parameters Needed for Booting, Boot Options) Section 4.1.2, “Simple Remote Installation via VNC—Dynamic Network Configuration” (page 71): • Location of the installation server • VNC enablement • VNC password; boot options: • install=(nfs,http,ftp,smb)://path_to_instmedia • vnc=1 • vncpassword=some_password. Section 4.1.3, “Remote •...
  • Page 101: Monitoring The Installation Process

    (columns: Installation Scenario, Parameters Needed for Booting, Boot Options) • sshpassword=some_password. Section 4.1.6, “Remote Installation via SSH—PXE Boot and Wake on LAN” (page 77): • Location of the installation server • Location of the TFTP server •...; boot options: Not applicable; process managed through PXE and DHCP.
  • Page 102 Preparing for VNC Installation All you need to do on the installation target to prepare for a VNC installation is to provide the appropriate boot options at the initial boot for installation (see Section 4.4.3, “Using Custom Boot Options” (page 99)). The target system boots into a text-based environment and waits for a VNC client to connect to the installation program.
  • Page 103 1 Start the VNC viewer. 2 Enter the IP address and display number of the installation target as provided by the SLP browser or the installation program itself: ip_address:display_number A window opens on your desktop displaying the YaST screens as in a normal local installation.
  • Page 104 Connecting to the Installation Program 1 Retrieve the installation target's IP address. If you have physical access to the target machine, just take the IP address the installation routine provides at the console after the initial boot. Otherwise take the IP address that has been assigned to this particular host in the DHCP server configuration.
  • Page 105: Automated Installation

    Automated Installation AutoYaST allows you to install SUSE® Linux Enterprise on a large number of machines in parallel. The AutoYaST technology offers great flexibility to adjust deployments to heterogeneous hardware. This chapter tells you how to prepare a simple automated installation and lay out an advanced scenario involving different hardware types and installation purposes.
  • Page 106 4 Determine and set up the boot scenario for autoinstallation as described in Section 5.1.4, “Setting Up the Boot Scenario” (page 111). 5 Pass the command line to the installation routines by adding the parameters manually or by creating an info file as described in Section 5.1.5, “Creating File”...
  • Page 107 3 Select Tools → Create Reference Control File to prepare AutoYaST to mirror the current system configuration into an AutoYaST profile. 4 As well as the default resources, like boot loader, partitioning, and software selection, you can add various other aspects of your system to the profile by checking the items in the list in Create a Reference Control File.
  • Page 108 Figure 5.1 Editing an AutoYaST Profile with the AutoYaST Front-End 5.1.2 Distributing the Profile and Determining the autoyast Parameter The AutoYaST profile can be distributed in several different ways. Depending on the protocol used to distribute the profile data, different AutoYaST parameters are used to make the profile location known to the installation routines on the client.
  • Page 109 (columns: Profile Location, Parameter, Description) Device: autoyast=device://path — Makes the installation routines look for the control file on a storage device. Only the device name is needed—/dev/sda1 is wrong, use sda1 instead. Floppy: autoyast=floppy://path — Makes the installation routines look for the control file on a floppy in the floppy drive.
  • Page 110 2 Omit the exact path including the filename when creating the autoyast= parameter, for example: autoyast=http://192.0.2.91/ 3 Start the autoinstallation. YaST tries to determine the location of the profile in the following way: YaST searches for the profile using its own IP address in uppercase hexadecimal, for example, 192.0.2.91 is C000025B.
  • Page 111 Server Using YaST” (page 78). Use an info file to pass the server's location to the installation routines. 5.1.4 Setting Up the Boot Scenario The client can be booted in several different ways: Network Boot As for a normal remote installation, autoinstallation can be initiated with Wake on LAN and PXE, the boot image and control file can be pulled in via TFTP, and the installation sources from any network installation server.
  • Page 112 install=http://192.168.0.22/install/suse-enterprise/ \ autoyast=nfs://192.168.0.23/profiles/autoyast.xml Replace the example IP addresses and paths with the data used in your setup. Preparing to Boot from CD-ROM There are several ways in which booting from CD-ROM can come into play in AutoYaST installations. Choose from the following scenarios: Boot from SUSE Linux Enterprise Media, Get the Profile over the Network Use this approach if a totally network-based scenario is not possible (for example, if your hardware does not support PXE) and you have physical access to system...
  • Page 113 • A floppy holding both the profile and the info file • Access to the boot prompt of the target to enter the autoyast= parameter Boot and Install from Custom Media, Get the Profile from the Media If you just need to install a limited number of software packages and the number of targets is relatively low, creating your own custom CD holding both the installation data and the profile itself might prove a good idea, especially if no network is available in your setup.
  • Page 114 (columns: Keyword, Value) netdevice — The network device to use for network setup (for BOOTP/DHCP requests). Only needed if several network devices are available. hostip — When empty, the client sends a BOOTP request. Otherwise the client is configured using the specified data. Netmask.
  • Page 115 netmask:some_netmask \ gateway:some_gateway The \ indicate that the line breaks have only been added for the sake of readability. All options must be entered as one continuous string. The info data can be made available to linuxrc in various different ways: •...
  • Page 116: Rule-Based Autoinstallation

    linuxrc loads the profile containing the boot parameters instead of the traditional info file. The install: parameter points to the location of the installation sources. vnc and vncpassword indicate the use of VNC for installation monitoring. The autoyast parameter tells linuxrc to treat info as an AutoYaST profile. 5.1.6 Initiating and Monitoring the Autoinstallation After you have provided all the infrastructure mentioned above (profile, installation...
  • Page 117 5.2.1 Understanding Rule-Based Autoinstallation Rule-based AutoYaST installation allows you to cope with heterogeneous hardware environments: • Does your site contain hardware of different vendors? • Are the machines on your site of different hardware configuration (for example, using different devices or using different memory and disk sizes)? •...
  • Page 118 To prepare for a rule-based AutoYaST mass installation, proceed as follows: 1 Create several AutoYaST profiles that contain the installation details needed for your heterogeneous setup as described in Section 5.1.1, “Creating an AutoYaST Profile” (page 106). 2 Define rules to match the system attributes of your hardware setup as shown in Section 5.2.2, “Example Scenario for Rule-Based Autoinstallation”...
  • Page 119 Workstations in the Engineering Department These machines need a desktop environment and a broad set of development software. Laptops in the Sales Department These machines need a desktop environment and a limited set of specialized applications, such as office and calendaring software. Automated Installation...
  • Page 120 Figure 5.2 AutoYaST Rules (figure: an AutoYaST directory holding a rules.xml file with Rule 1, Rule 2 and Rule 3, an engineering profile, a sales profile and a print server profile; a merge process assigns them to the Engineering Department computers, the Sales Department laptops and the print server) Installation and Administration...
  • Page 121 In a first step, use one of the methods outlined in Section 5.1.1, “Creating an AutoYaST Profile” (page 106) to create profiles for each use case. In this example, you would create print.xml, engineering.xml, and sales.xml. In the second step, create rules to distinguish the three hardware types from one another and to tell AutoYaST which profile to use.
  • Page 122: For More Information

    <result> <profile>sales.xml</profile> <continue config:type="boolean">false</continue> </result> <operator>and</operator> </rule> <rule> <haspcmcia> <match>0</match> <match_type>exact</match_type> </haspcmcia> <result> <profile>engineering.xml</profile> <continue config:type="boolean">false</continue> </result> </rule> </rules> </autoinstall> When distributing the rules file, make sure that the rules directory resides under the profiles directory specified in the autoyast=protocol: serverip/profiles/ URL.
  • Page 123: Advanced Disk Setup

    Advanced Disk Setup Sophisticated system configurations require particular disk setups. To get persistent device naming with SCSI devices, use a specific start-up script or udev. Logical Volume Management (LVM) is a disk partitioning scheme that is designed to be much more flexible than the physical partitioning used in standard setups.
  • Page 124 6.1.1 The Logical Volume Manager The Logical Volume Manager (LVM) enables flexible distribution of hard disk space over several file systems. It was developed because sometimes the need to change the segmentation of hard disk space arises only after the initial partitioning during installation has already been done.
  • Page 125 VG 2 contains the remaining two partitions from DISK 2. In LVM, the physical disk partitions that are incorporated in a volume group are called physical volumes (PVs). Within the volume groups, four logical volumes (LV 1 through LV 4) have been defined, which can be used by the operating system via the associated mount points.
  • Page 126: Creating Volume Groups

    Instead of LVM 2, you can use EVMS (Enterprise Volume Management System), which offers a uniform interface for logical volumes and RAID volumes. Like LVM 2, EVMS makes use of the device mapper in kernel 2.6. 6.1.2 LVM Configuration with YaST The YaST LVM configuration can be reached from the YaST Expert Partitioner (see Section 7.5.8, “Partitioner”...
  • Page 127 Configuring Physical Volumes Once a volume group has been created, the following dialog lists all partitions with either the “Linux LVM” or “Linux native” type. No swap or DOS partitions are shown. If a partition is already assigned to a volume group, the name of the volume group is shown in the list.
  • Page 128 Configuring Logical Volumes After the volume group has been filled with physical volumes, define the logical volumes the operating system should use in the next dialog. Set the current volume group in a selection box to the upper left. Next to it, the free space in the current volume group is shown.
  • Page 129 If, for example, only two physical volumes are available, a logical volume with three stripes is impossible. WARNING: Striping YaST has no chance at this point to verify the correctness of your entries concerning striping. Any mistake made here is apparent only later when the LVM is implemented on disk.
  • Page 130 partitioning. It shows the existing physical volumes and logical volumes in two lists and you can manage your LVM system using the methods already described. 6.1.3 Storage Management with EVMS The Enterprise Volume Management System 2 (EVMS2) is a rich, extensible volume manager with built-in cluster awareness.
  • Page 131: Soft Raid Configuration

    Disks This is the lowest level of device. All devices that may be accessed as a physical disk are treated as disks. Segments Segments consist of partitions and other memory regions on a disk, such as the master boot record (MBR). Containers These are the counterparts of volume groups in LVM.
  • Page 132: Raid Levels

    without the additional cost of hardware RAID controllers. However, this requires some CPU time and has memory requirements that make it unsuitable for real high performance computers. 6.2.1 RAID Levels SUSE® Linux Enterprise offers the option of combining several hard disks into one soft RAID system with the help of YaST—a very reasonable alternative to hardware RAID.
  • Page 133 parity disk and cannot service simultaneous multiple requests. Both levels are only rarely used. RAID 4 Level 4 provides block-level striping just like Level 0 combined with a dedicated parity disk. In the case of a data disk failure, the parity data is used to create a replacement disk.
  • Page 134 In the next dialog, choose between RAID levels 0, 1, and 5 (see Section 6.2.1, “RAID Levels” (page 132) for details). After Next is clicked, the following dialog lists all partitions with either the “Linux RAID” or “Linux native” type (see Figure 6.6, “RAID Partitions”...
  • Page 135: Troubleshooting

    Figure 6.7 File System Settings As with conventional partitioning, set the file system to use as well as encryption and the mount point for the RAID volume. Checking Persistent Superblock ensures that the RAID partitions are recognized as such when booting. After completing the configuration with Finish, see the /dev/md0 device and others indicated with RAID in the expert partitioner.
  • Page 136 6.2.4 For More Information Configuration instructions and more details for soft RAID can be found in the HOWTOs • /usr/share/doc/packages/raidtools/Software-RAID.HOWTO.html • http://en.tldp.org/HOWTO/Software-RAID-HOWTO.html Linux RAID mailing lists are also available, such as http://marc.theaimsgroup.com/?l=linux-raid&r=1&w=2.
  • Page 137: System Configuration With Yast

    System Configuration with YaST In SUSE Linux Enterprise Server, YaST handles both the installation and configuration of your system. This chapter describes the configuration of system components (hardware), network access, and security settings, and administration of users. Find a short introduction to the text-based YaST interface in Section 7.11, “YaST in Text Mode”...
  • Page 138: Yast Language

    To start YaST in text mode on another system, use ssh root@<system-to-configure> to open the connection. Then start YaST with yast. To save time, the individual YaST modules can be started directly. To start a module, enter yast2 module_name. View a list of all module names available on your system with yast2 -l or yast2 --list.
  • Page 139: Software

    The left frame of most modules displays the help text, which offers suggestions for configuration and explains the required entries. To get help in modules without a help frame, press or choose Help. After selecting the desired settings, complete the procedure by pressing Accept on the last page of the configuration dialog.
  • Page 140 Figure 7.2 YaST Package Manager In SUSE® Linux Enterprise, software is available in the form of RPM packages. Normally, a package contains everything needed for a program: the program itself, the configuration files, and all documentation. A list of individual packages is displayed to the right in the individual package window.
  • Page 141: Installing Packages

    perfect, but should be sufficient to indicate problematic packages. If necessary, check the version numbers. Installing Packages To install packages, select packages for installation and click Accept. Selected packages should have the Install status icon. The package manager automatically checks the dependencies and selects any other required packages (resolution of dependencies).
  • Page 142 NOTE Because language-specific packages may depend on other packages, the package manager may select additional packages for installation. Packages and Installation Sources If you want to find only packages from the specific source, use the Installation Sources filter. In the default configuration, this filter shows a list of all packages from the selected source.
  • Page 143 Reinstalling Packages If you find damaged files that belong to a package or you want to reinstall the original version of a package from your installation media, reinstall the package. To reinstall packages, select packages for reinstallation and click Accept. Selected packages should have the Update status.
  • Page 144: Disk Usage

    Installation Summary After selecting the packages for installation, update, or deletion, view the installation summary with Installation Summary. It shows how packages will be affected when you click Accept. Use the check boxes to the left to filter the packages to view in the individual package window.
  • Page 145 When the package manager starts, it examines the system and displays installed packages. When you select to install and remove packages, the package manager automatically checks the dependencies and selects any other required packages (resolution of dependencies). If you select or deselect conflicting packages, the package manager indicates this and submits suggestions for solving the problem (resolution of conflicts).
  • Page 146 Figure 7.3 Conflict Management of the Package Manager Installing -devel Packages The package manager provides functions for quick and easy installation of devel and debug packages. To install all devel packages for your installed system, choose Extras → Install All Matching — -devel Packages. To install all debug packages for your installed system, choose Extras →...
  • Page 147 SUSE Software Development Kit includes multiple Perl packages that are not included in the SUSE Linux Enterprise. For detailed information, refer to http://developer.novell.com/ndk/susesdk.htm. Use the YaST add-on installer and package manager to install SUSE Software Development Kit 10.
  • Page 148 this list. Sources can be CDs, DVDs, or network sources, such as NFS and FTP servers. Even directories on the local hard disk can be selected as the installation medium. See the detailed YaST help text for more details. All registered sources have an activation status in the first column of the list. Enable or disable individual installation sources by clicking Activate or Deactivate.
  • Page 149: Automatic Online Update

    7.3.5 Automatic Online Update Software → Online Update Setup allows you to schedule automatic online updates. First enable automatic online update by activating Enable Automatic Update then set the time of the update. If you want to have full control over installed patches, you can schedule only the download of patches and install patches manually later.
  • Page 150 Update with Installation of New Software and Features Based on the Selection To update the entire system to the latest versions of software, select one of the predefined selections. These selections ensure that packages that did not exist previously are also installed. Only Update Installed Packages This option merely updates packages that already exist on the system.
  • Page 151 Important Information about Updates The system update is a very complex procedure. For each program package, YaST must first check which version is installed on the computer then determine what needs to be done to replace the old version with the new version correctly. YaST also tries to adopt any personal settings of the installed packages.
  • Page 152: Hardware

    URL field of a browser on a different computer. TIP: Technical Support Find more information about the technical support at http://www.novell.com/support/products/linuxenterpriseserver/. 7.4 Hardware New hardware must first be installed or connected as directed by the vendor. Turn on external devices and start the appropriate YaST module.
  • Page 153 detected by YaST and the technical data is displayed. If the automatic detection fails, YaST offers a list of devices (model, vendor, etc.) from which to select the suitable device. Consult the documentation enclosed with your hardware for more information. IMPORTANT: Model Designations If your model is not included in the device list, try a model with a similar designation.
  • Page 154: Hardware Information

    WARNING: Configuration of the Hard Disk Controller It is advised to test the settings before making them permanent in the system. Incorrect settings can prevent the system from booting. 7.4.5 Hardware Information Display detected hardware and technical data using Hardware → Hardware Information. Click any node of the tree for more information about a device.
  • Page 155 7.4.7 Joystick Configure a joystick connected to the sound card with Hardware → Joystick. Select your joystick type in the list provided. If your joystick is not listed, select Generic Analog Joystick. After selecting your joystick, make sure that it is connected then click Test to test the functionality.
  • Page 156 To configure your mouse for the text environment, use YaST in text mode. After entering text mode and selecting Hardware → Mouse Model, use the keyboard arrow keys to choose your mouse from the provided list. Then click Accept to save the settings and exit the module.
  • Page 157 3 In Sound Card Volume, test your sound configuration and make adjustments to the volume. You should start at about ten percent to avoid damage to your speakers or hearing. A test sound should be audible when you click Test. If you cannot hear anything, increase the volume.
  • Page 158: System

    7.4.12 IBM System z: ZFCP To add further FCP-attached SCSI devices to the installed system, use the YaST ZFCP module (Hardware → ZFCP). Select Add to add an additional device. Select the Channel Number (adapter) from the list and specify both WWPN and FCP-LUN. Finalize the setup by selecting Next and Close.
  • Page 159 7.5.2 Restoration With System → System Restoration, restore your system from a backup archive created with System Backup. First, specify where the archives are located (removable media, local hard disks, or network file systems). Click Next to view the description and contents of the individual archives and select what to restore from the archives.
  • Page 160 Rescue Floppy This disk contains a special environment that allows you to perform maintenance tasks in your installed system, such as checking and repairing the file system and updating the boot loader. To start the rescue system, boot with the standard boot disks then select Manual Installation →...
  • Page 161 7.5.7 EVMS The enterprise volume management system (EVMS) is, like LVM, a tool for custom partitioning and grouping of hard disks into virtual volumes. It is flexible, extensible, and can be tailored using a plug-in model to individual needs of various volume management systems.
  • Page 162 Figure 7.4 The YaST Partitioner TIP: IBM System z: Device Names IBM System z recognizes only DASD and SCSI hard disks. IDE hard disks are not supported. This is why these devices appear in the partition table as dasda or sda for the first recognized device.
  • Page 163: Creating A Partition

    Creating a Partition Select Create. If several hard disks are connected, a selection dialog appears in which to select a hard disk for the new partition. Then specify the partition type (primary or extended). Create up to four primary partitions or up to three primary partitions and one extended partition.
  • Page 164 Encrypt File System If you activate the encryption, all data is written to the hard disk in encrypted form. This increases the security of sensitive data, but slightly reduces the system speed, because the encryption takes some time. More information about the encryption of file systems is provided in Chapter 48, Encrypting Partitions and Files...
  • Page 165 data. This file contains all partitions in the system with their properties, such as the file system, mount point, and user permissions. Example 7.1 /etc/fstab: Partition Data /dev/sda1 /data1 auto noauto,user 0 0 /dev/sda5 /data2 auto noauto,user 0 0 /dev/sda6 /data3 auto noauto,user 0 0...
  • Page 166: Pci Device Drivers

    7.5.9 PCI Device Drivers TIP: IBM System z: Continuing For IBM System z, continue with Section 7.5.13, “System Services (Runlevel)” (page 167). Each kernel driver contains a list of device IDs of all devices it supports. If a new device is not in any driver's database, the device is treated as unsupported, even if it can be used with an existing driver.
  • Page 167: Power Management

    To edit a PCI ID, select the device driver from the list and click Edit. Edit the information and click OK to save your changes. To delete an ID, select the driver and click Delete. The ID immediately disappears from the list. When finished, click OK. 7.5.10 Power Management The System →...
  • Page 168 7.5.14 /etc/sysconfig Editor The directory /etc/sysconfig contains the files with the most important settings for SUSE Linux Enterprise. Use System → /etc/sysconfig Editor to modify the values and save them to the individual configuration files. Generally, manual editing is not necessary, because the files are automatically adapted when a package is installed or a service is configured.
  • Page 169: Network Devices

    Figure 7.6 Setting the Language Select the main language to use for your system in Primary Language. To adjust the keyboard or time zone to this setting, enable Adapt Keyboard Layout or Adapt Time Zone. Set how locale variables are set for the root user with Details. Also use Details to set the primary language to a dialect not available in the main list.
  • Page 170: Network Services

    select it from the list then click Edit. If your device has not been detected, click Add and select it manually. To edit an existing device, select it then click Edit. For more detailed information, see Section 31.4, “Configuring a Network Connection with YaST” (page 578).
  • Page 171: Mail Server

    No Connection If you do not have access to the Internet and are not located in a network, you cannot send or receive e-mail. Activate virus scanning for your incoming and outgoing e-mail with AMaViS by selecting that option. The package is installed automatically as soon as you activate the mail filtering feature.
  • Page 172 Fetching Mail Configures mail pick-up from external mail accounts over various protocols. Mail Server Domains This determines for which domains the mail server should be responsible. At least one master domain must be configured if the server should not run as a null client used exclusively for sending mail without receiving any.
  • Page 173 name and domain name. If the provider has been configured correctly for DSL, modem, or ISDN access, the list of name servers contains the entries that were extracted automatically from the provider data. If you are located in a local network, you might receive your hostname via DHCP, in which case you should not modify the name.
  • Page 174 NFS Server With NFS, run a file server that all members of your network can access. This file server can be used to make certain applications, files, and storage space available to users. In NFS Server, you can configure your host as an NFS server and determine the directories to export for general use by the network users.
  • Page 175 WARNING: Configuring Network Services (xinetd) The composition and adjustment of network services on a system is a complex procedure that requires a comprehensive understanding of the concept of Linux services. The default settings are usually sufficient. Proxy Configure Internet proxy client settings in Proxy. Click Enable Proxy then enter the desired proxy settings.
  • Page 176: Apparmor

    7.8 AppArmor Novell AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify which files each program may read, write, and execute. To enable or disable Novell AppArmor on your system, use AppArmor Control Panel.
  • Page 177: Security And Users

    Novell AppArmor 2.0 Administration Guide (↑Novell AppArmor 2.0 Administration Guide). 7.9 Security and Users A basic aspect of Linux is its multiuser capability. Consequently, several users can work independently on the same Linux system. Each user has a user account identified by a login name and a personal password for logging in to the system.
  • Page 178: Group Management

    overview. Click Write Changes Now to save all changes without exiting the configuration module. 7.9.2 Group Management To create and edit groups, select Security and Users → Group Management or click Groups in the user administration module. Both dialogs have the same functionality, allowing you to create, edit, or delete groups.
  • Page 179 Boot Settings Set how the key combination should be interpreted by selecting Ctrl the desired action. Normally, this combination, when entered in the text console, causes the system to reboot. Do not modify this setting unless your machine or server is publicly accessible and you are afraid someone could carry out this action without authorization.
  • Page 180: Certificate Management

    database (locatedb) in which the location of each file on your computer is stored. If you select Nobody, any user can find only the paths in the database that can be seen by any other (unprivileged) user. If root is selected, all local files are indexed, because the user root, as superuser, may access all directories.
  • Page 181: Miscellaneous

    7.10 Miscellaneous The YaST Control Center has several modules that cannot easily be classified into the first six module groups. They can be used for things like viewing log files and installing drivers from a vendor CD. 7.10.1 Custom Installation CD Creation With Miscellaneous →...
  • Page 182: System Log

    7.10.5 Support Query Miscellaneous → Support Query offers the possibility to collect all system information needed by the support team to find your problem so you can get help to solve it as soon as possible. Regarding your query, select the problem category in the following window. When all information is gathered, attach it to your support request.
  • Page 183 /proc/cpuinfo This displays processor information, including its type, make, model, and performance. /proc/dma This shows which DMA channels are currently being used. /proc/interrupts This shows which interrupts are in use and how many of each have been in use. /proc/iomem This displays the status of input/output memory.
  • Page 184: Yast In Text Mode

    7.10.9 Vendor Driver CD Install device drivers from a Linux driver CD that contains drivers for SUSE Linux Enterprise with Miscellaneous → Vendor Driver CD. When installing SUSE Linux Enterprise from scratch, use this YaST module to load the required drivers from the vendor CD after the installation.
  • Page 185: Navigation In Modules

    the desired module. Keep the arrow keys pressed to scroll through the list of available modules. When a module is selected, the module title appears with a colored background and a brief description is displayed in the bottom frame. Press to start the desired module.
  • Page 186: Restriction Of Key Combinations

    because the different modules offer different buttons (Details, Info, Add, Delete, etc.). Use for OK, Next, and Finish. Press to access the YaST help, which shows the functions mapped to the individual F keys. Figure 7.8 The Software Installation Module 7.11.2 Restriction of Key Combinations If your window manager uses global combinations, the...
  • Page 187: Update From The Command Line

    Restriction of Function Keys The F keys are also used for functions. Certain function keys might be occupied by the terminal and may not be available for YaST. However, the key combinations and function keys should always be fully available on a pure text console. 7.11.3 Starting the Individual Modules To save time, the individual YaST modules can be started directly.
  • Page 188 Table 7.1 rug Commands Command Function List the catalogs Add a service Register a service Subscribe to a catalog refresh Refresh the lists of patches 7.12.1 rug User Management One of the biggest advantages of rug is user management. Normally only root can update or install new packages.
  • Page 189: Scheduling Updates

    view This allows the user to see which software is installed on the machine and which software is in available channels. The option is relevant only to remote users; local users are normally permitted to view installed and available packages. superuser Permits all rug commands except user management and settings, which must be done locally.
  • Page 190: Sax2

    but the computer is behind a proxy server. Before downloading updates, send your username and password to the proxy server. To do so, use the commands:
    rug set proxy-url url_path
    rug set proxy-username name
    rug set proxy-password password
    Replace url_path with the name of your proxy server. Replace name with your username.
  • Page 191 Figure 7.9 Card and Monitor Properties TIP: Autodetecting New Display Hardware If you change your display hardware after installation, use sax2 -r on the command line to cause SaX2 to detect your hardware. You must be root to run SaX2 from the command line. Graphics Card It is not possible to change the graphics card because only known models are supported and these are detected automatically.
  • Page 192 Monitor To change the current settings for the monitor, click Change next to the monitor. A new dialog opens in which to adjust various monitor-specific settings. This dialog has several tabs for various aspects of monitor operation. Select the first tab to manually select the vendor and model of the display device in two lists.
  • Page 193 The tabs in the row at the top of the dialog each correspond to a graphics card in your system. Select the card to configure and set its multihead options in the dialog below. In the upper part of the multihead dialog, click Change to configure the additional screen.
  • Page 194: Testing The Configuration

    graphics cards are referred to as multihead. SaX2 automatically detects multiple graphics cards in the system and prepares the configuration accordingly. By default, SaX2 configures a standard layout that follows the sequence of the detected graphics cards, arranging all screens in a row from left to right. The additional Arrangement tab allows for changing this layout manually.
  • Page 195 Emulate Wheel with Mouse Button If your mouse does not have a scroll wheel but you want to use similar functionality, you can assign an additional button for this. Select the button to use. While pressing this button, any movement of the mouse is translated into scroll wheel commands.
  • Page 196: Troubleshooting

    When you are satisfied with the settings, click OK to confirm your changes. 7.13.5 Touchscreen Properties Use this dialog to configure touchscreens attached to your system. If you have more than one touchscreen installed, each device is shown in a separate dialog reachable by a tab.
  • Page 197: For More Information

    7.15 For More Information More information about YaST can be found on the following Web sites and directories:
    • /usr/share/doc/packages/yast2—Local YaST development documentation
    • http://www.opensuse.org/YaST_Development—The YaST project page in the openSUSE wiki
    • http://forge.novell.com/modules/xfmod/project/?yast—Another YaST project page
    System Configuration with YaST...
  • Page 199: Updating Suse Linux Enterprise

    Updating SUSE Linux Enterprise SUSE® Linux Enterprise provides the option of updating an existing system to the new version without completely reinstalling it. No new installation is needed. Old data, such as home directories and system configuration, is kept intact. During the life cycle of the product, you can apply Service Packs to increase system security and correct software defects.
  • Page 200: Possible Problems

    Before starting your update, make note of the root partition. The command df / lists the device name of the root partition. In Example 8.1, “List with df -h” (page 200), the root partition to write down is /dev/hda3 (mounted as /). Example 8.1 List with df -h Filesystem Size...
  • Page 201: Installing Service Packs

    2 Boot the system as for the installation, described in Section 3.2, “System Start-Up for Installation” (page 36). In YaST, choose a language and select Update in the Installation Mode dialog. Do not select New Installation. 3 YaST determines whether there are multiple root partitions. If there is only one, continue with the next step.
  • Page 202 8.2.1 Setting Up a Network Installation Source for Service Pack Media As with the initial installation of SUSE Linux Enterprise, it is much more efficient having a central installation source on your network to serve all clients rather than installing all of them separately using a set of physical media.
  • Page 203 4 Copy the contents of each SP installation medium to its own subdirectory. Once done, the directory hierarchy is as follows:
    /install/sle/SLE-10-arch/CD1
                            /CD2
                            /CD3
                            /CD4
    /install/sle/SLE-10-SP-x-arch/CD1
                                 /CD2
                                 /CD3
    5 In SLE-10-arch/CD1, create a file called add_on_products. The contents of add_on_products determine which Service Pack should be added to your SUSE Linux Enterprise 10 as an add-on product.
  • Page 204 Installing from a Local CD or DVD Drive Before starting a new installation of a SUSE Linux Enterprise SP, ensure that the following prerequisite items are available: • The original SUSE Linux Enterprise installation media (CDs or DVD) • All of the Service Pack installation media (CDs or DVD) There are two ways to install a SUSE Linux Enterprise SP system from scratch: either boot from the original installation medium and register the Service Pack as an add-on product as outlined in...
  • Page 205: Network Installation

    5 Click Yes, Install to start the installation. 6 Insert the appropriate media when prompted. Both the SP media and the original product media are required, depending on the software installed. 7 Continue as usual with the installation (entering a password for root, completing the network configuration, testing your Internet connection, activating the ZENworks®...
  • Page 206 4 Select the appropriate installation server from those offered or use the boot options prompt to provide the type of installation source and its actual location as in Section “Installing from a Network Server” (page 37). YaST starts. 5 Accept the license agreement then select a language, default desktop, and other installation settings.
  • Page 207 6 Click Yes, Install to start the installation. 7 Continue as usual with the installation (entering a password for root, completing the network configuration, testing your Internet connection, activating the Online Update service, selecting the user authentication method, and entering a username and password).
  • Page 208: Software Changes From Version 9 To Version 10

    8.3 Software Changes from Version 9 to Version 10 The individual aspects changed from version 9 to version 10 are outlined in the following in detail. This summary indicates, for example, whether basic settings have been completely reconfigured, whether configuration files have been moved to other places, or whether common applications have been significantly changed.
  • Page 209 The following kernel module package was changed internally: • km_wlan—Various drivers for wireless LAN cards. The madwifi driver for Atheros WLAN cards from km_wlan was removed. For technical reasons, it was necessary to drop support for Ralink WLAN cards. The following modules were not part of the distribution and will not be added in the future: •...
  • Page 210 8.3.5 Stricter tar Syntax The tar usage syntax is stricter now. The tar options must come before the file or directory specifications. Appending options, like --atime-preserve or --numeric-owner, after the file or directory specification makes tar fail. Check your backup scripts. Commands such as the following no longer work:
    tar czf etc.tar.gz /etc --atime-preserve
    See the tar info pages for more information.
  • Page 211 It is not possible to copy the server-related (kdc and kadmind) data. After the system update, the old heimdal database is still available under /var/heimdal. MIT kerberos maintains the database under /var/lib/kerberos/krb5kdc. For more information, see Chapter 46, Network Authentication—Kerberos (page 845) and Chapter 47, Installing and Administering Kerberos...
  • Page 212 would lead to error messages while browsing the Web and delays while displaying Web pages. 8.3.11 Online Update and Delta Packages Online Update now supports a special kind of RPM package that only stores the binary difference from a given base package. This technique significantly reduces the package size and download time at the expense of higher CPU load for reassembling the final package.
  • Page 213 Table 8.3 Log Files in /var/log
    XFree86            X.Org
    XFree86.0.log      Xorg.0.log
    XFree86.0.log.old  Xorg.0.log.old
    In the course of the change to X.Org, the packages were renamed from XFree86* to xorg-x11*. 8.3.14 X.Org Configuration File The configuration tool SaX2 writes the X.Org configuration settings into /etc/X11/xorg.conf.
  • Page 214 8.3.17 OpenOffice.org (OOo) Directories OOo is now installed in /usr/lib/ooo-2.0 instead of /opt/OpenOffice.org. The default directory for user settings is now ~/.ooo-2.0 instead of ~/OpenOffice.org1.1. Wrapper There are some new wrappers for starting the OOo components. The new names are shown in Table 8.4, “Wrapper”...
  • Page 215 --default-configuration, --gui, --java-path, --skip-check, --lang (the language is now determined by means of locales), --messages-in-window, and --quiet. KDE and GNOME Support KDE and GNOME extensions are available in the OpenOffice_org-kde and OpenOffice_org-gnome packages. 8.3.18 Sound Mixer kmix The sound mixer kmix is preset as the default. For high-end hardware, there are other mixers, like QAMix.
  • Page 216 8.3.21 JFS: Not Supported Anymore Due to technical problems with JFS, it is no longer supported. The kernel file system driver is still there, but YaST does not offer partitioning with JFS. 8.3.22 AIDE as a Tripwire Replacement As an intrusion detection system, use AIDE (package name aide), which is released under the GPL.
  • Page 217
    #password required pam_make.so /var/yp
    session  required pam_unix2.so
    you can change it to:
    #%PAM-1.0
    auth     include common-auth
    account  include common-account
    password include common-password
    session  include common-session
    8.3.24 Becoming the Superuser Using su By default, calling su to become root does not set the PATH for root. Either call su - to start a login shell with the complete environment for root or set ALWAYS_SET_PATH to yes in /etc/default/su if you want to change the default behavior of su.
  • Page 218 /etc/powersave.conf has become obsolete. Existing variables have been moved to the files listed in Table 8.5, “Split Configuration Files in /etc/sysconfig/powersave” (page 217). If you changed the “event” variables in /etc/powersave.conf, these must now be adapted in /etc/sysconfig/powersave/events. The names of sleep states have changed from: •...
  • Page 219 8.3.28 Setting Up D-BUS for Interprocess Communication in .xinitrc Many applications now rely on D-BUS for interprocess communication (IPC). Calling dbus-launch starts dbus-daemon. The systemwide /etc/X11/xinit/xinitrc uses dbus-launch to start the window manager. If you have a local ~/.xinitrc file, you must change it accordingly. Otherwise applications like f-spot, banshee, tomboy, or Network Manager might fail.
  • Page 220 FAM daemon. For remote file systems, run FAM on both the server and client and open the firewall for RPC calls by FAM. GNOME (gnome-vfs2 and libgda) contains a wrapper that picks gamin or fam to provide file system change notification: •...
  • Page 221: Part Ii Administration

    Part II. Administration...
  • Page 223: Openwbem

    OpenWBEM Novell® has embraced the open standard strategies of Web-Based Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF) [http://www.dmtf.org/home]. Implementing these strategies can substantially reduce the level of complexity associated with managing disparate systems in your network.
  • Page 224 WBEM project [http://openwbem.org]. The Web-Based Enterprise Management software selection includes a set of packages that contain basic Novell providers, including some sample providers, and a base set of accompanying Novell schemas. As Novell moves forward with OpenWBEM and development of specific providers, it will provide tools that offer the following important features: •...
  • Page 225: Setting Up Openwbem

    DMTF and its technologies, you can visit the DMTF Web site [http://www.dmtf.org]. • openwbem-base-providers: This package contains a Novell Linux instrumentation of base operating system components such as computer, system, operating system, and processes for the OpenWBEM CIMOM. • openwbem-smash-providers:...
  • Page 226 • Section 9.1.3, “Setting Up Logging” (page 229) 9.1.1 Starting, Stopping, or Checking Status for owcimomd When Web-Based Enterprise Management software is installed, the daemon, owcimomd, is started by default. The following table explains how to start, stop, and check status for owcimomd.
  • Page 227 /etc/openwbem/servercert.pem If you want to generate a new certificate, use the following command. Running this command replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one. As root in a console shell, enter sh /etc/openwbem/owgencert.
  • Page 228 Internet between servers and workstations. Users must authenticate through the client application to view this information. Novell recommends that you maintain this setting in the configuration file. In order for the OpenWBEM CIMOM to communicate with the...
  • Page 229 Authentication The following authentication settings are set and enabled as the default for OpenWBEM in SUSE Linux Enterprise Server. You can change any of the default settings. See Section 9.2.1, “Changing the Authentication Configuration” (page 230). • http_server.allow_local_authentication = true •...
  • Page 230: Changing The Openwbem Cimom Configuration

    9.2 Changing the OpenWBEM CIMOM Configuration When OpenWBEM CIMOM (owcimomd) starts, it reads its run-time configuration from the openwbem.conf file. The openwbem.conf file is located in the /etc/openwbem directory. Any setting that has the options commented out with a semicolon (;) or pound sign (#) uses the default setting.
  • Page 231 See the following settings: • Section “http_server.allow_local_authentication ” (page 231) • Section “http_server.digest_password_file ” (page 232) • Section “http_server.ssl_client_verification ” (page 232) • Section “http_server.ssl_trust_store ” (page 233) • Section “http_server.use_digest” (page 234) • Section “owcimomd.ACL_superuser” (page 235) • Section “owcimomd.allow_anonymous” (page 235) •...
  • Page 232 Option Description false Disables local authentication.
    Example
    http_server.allow_local_authentication = true
    http_server.digest_password_file
    Purpose Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled.
    Syntax
    http_server.digest_password_file = path_filename
    The following is the default path and filename for the digest password file:
    /etc/openwbem/digest_auth.passwd
    Example
    http_server.digest_password_file =...
  • Page 233 Syntax:
    http_server.ssl_client_verification = option
    Option  Description
    autoupdate  Specifies the same functionality as the Optional option; however, previously unknown client certificates that pass HTTP authentication are added to a trust store so that subsequent client connections with the same certificate do not require HTTP authentication.
  • Page 234 /etc/openwbem/truststore
    Example
    http_server.ssl_trust_store = /etc/openwbem/truststore
    http_server.use_digest
    Purpose Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication mechanism. To use digest, you must set up the digest password file using owdigestgenpass. Digest doesn’t use the authentication module specified by the owcimomd.authentication_module configuration setting.
  • Page 235 owcimomd.ACL_superuser Purpose Specifies the username of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by the owcimomd. This user can be used to administer the /root/security name space, which is where all ACL user rights are stored.
  • Page 236 Option Description This disables authentication. No username or password is required to access owcimomd data.
    Example
    owcimomd.allow_anonymous = false
    owcimomd.allowed_users
    Purpose Specifies a list of users who are allowed to access owcimomd data.
    Syntax
    owcimomd.allowed_users = option
    Option  Description
    username  Specifies one or more users who are allowed to access the owcimomd data.
  • Page 237 owcimomd.authentication_module
    Purpose Specifies the authentication module that is used by owcimomd. This setting should be an absolute path to the shared library containing the authentication module.
    Syntax
    owcimomd.authentication_module = path_filename
    The following is the default path and filename for the authentication modules:
    /usr/lib/openwbem/authentication/libpamauthentication.so
    Example
    owcimomd.authentication_module =...
  • Page 238 9.2.2 Changing the Certificate Configuration The http_server.SSL_cert and the http_server.SSL_key settings specify the location of the file or files that contain the host's private key and the certificate that is used by OpenSSL for HTTPS communications. The .pem files are located in the following default location:
    /etc/openwbem/servercert.pem
    /etc/openwbem/serverkey.pem
    Syntax...
  • Page 239 Syntax
    http_server.http_port = option
    http_server.https_port = option
    Option  Description
    Specific_port_number  Specify the specific port for HTTP or HTTPS communications. For HTTP, the default port is 5988. For HTTPS, the default port is 5989.
    Disables HTTP or HTTPS connections (for example, if you only want to support HTTPS connections).
  • Page 240 • Section “log.main.components” (page 241) • Section “log.main.format” (page 242) • Section “log.main.level” (page 245) • Section “log.main.location” (page 245) • Section “log.main.max_backup_index” (page 246) • Section “log.main.max_file_size” (page 246) • Section “log.main.type” (page 247) If you want to set up debug logging, see Section 9.2.5, “Configuring Debug Logging”...
  • Page 241 Option Description • FATAL • INFO For more information about these options, see Section “log.main.level” (page 245). If specified in this option, the predefined categories are not treated as levels, but as independent categories. No default is available; and if a category is not set, no categories are logged and the log.main.level setting is used.
  • Page 242 Option Description Specifies that all components are logged. This is the default setting. Example log.main.components = owcimomd nssd log.main.format Purpose Specifies the format (text mixed with printf() style conversion specifiers) of the log messages. Syntax log.main.format = conversion_specifier Option Specifies Component (such as owcimomd) Date Can be followed by a date format specifier enclosed between...
  • Page 243 Option Specifies For more information about the date format specifiers, see the documentation for the strftime() function found in the <ctime> header. Message as XML CDATA. This includes the “<![CDATA[“ and ending “]]>” Filename Filename and line number. For example, file.cpp(100) Line number Method name where the logging request was issued (only works on C++ compilers which support __PRETTY_FUNCTION__...
  • Page 244 Option Specifies \x<hexDigits> Character represented in hexadecimal It is possible to change the minimum field width, the maximum field width, and justification. The optional format modifier is placed between the percent sign (%) and the conversion character. The first optional format modifier is the left justification flag, which is the minus (-) character.
  • Page 245 log.main.level Purpose Specifies the level the log outputs. If set, the log outputs all predefined categories at and above the specified level. Syntax log.main.level = option Option Description DEBUG Logs all Debug, Info, Error, and Fatal error messages. ERROR Logs all Error and Fatal error messages. This is the default setting.
  • Page 246 Example
    log.main.location = /system/cimom/var/owcimomd.log
    log.main.max_backup_index
    Purpose Specifies the number of backup logs that are kept before the oldest is erased.
    Syntax
    log.main.max_backup_index = option
    Option  Description
    unsigned_integer_above_0  Specifies the number of backup logs kept. The default setting is 1 log file.
    No backup logs are made and the log is truncated when it reaches the maximum file size.
  • Page 247 Option  Description
    unsigned_integer_in_KB  Limits the log to a certain size in KB.
    Lets the log grow to an unlimited size. This is the default setting.
    Example
    log.main.max_file_size = 0
    log.main.type
    Purpose Specifies the type of main log owcimomd uses.
    Syntax
    log.main.type = option
    Option...
  • Page 248 9.2.5 Configuring Debug Logging If owcimomd is run in debug mode, then the debug log is active with the following settings: • log.debug.categories = * • log.debug.components = * • log.debug.format = [%t] %m • log.debug.level = * • log.debug.type = stderr Debug Log with Color If you want a color version of the debug log, use the following ASCII escape codes: log.debug.format =...
  • Page 249
    Color Codes
    dark yellow  \x1b[0;33;40m
    blue         \x1b[1;34;40m
    dark blue    \x1b[0;34;40m
    purple       \x1b[1;35;40m
    dark purple  \x1b[0;35;40m
    cyan         \x1b[1;36;40m
    dark cyan    \x1b[0;36;40m
    white        \x1b[1;37;40m
    dark white   \x1b[0;37;40m
    gray         \x1b[0;37;40m
    reset color  \x1b[0;37;40m
    9.2.6 Configuring Additional Logs If you want to create additional logs, list the log names under this setting:
    owcimomd.additional_logs = logname
    Separate multiple lognames with spaces.
  • Page 250: For More Information

    For more information about OpenWBEM, see the following information:
    • Documents in /usr/share/doc/packages/openwbem on the local server filesystem:
      • readme
      • openwbem-faq.html
    • A Novell Cool Solutions Article: An Introduction to WBEM and OpenWBEM in SUSE Linux [http://www.novell.com/coolsolutions/feature/14625.html]
    • OpenWBEM Web site [http://www.openwbem.org]
    •...
  • Page 251: 0 Multipath Io

    Multipath IO Linux multipathing provides IO failover and path load sharing for multipathed block devices. The multipath IO support in SUSE® Linux Enterprise Server is based on the Device Mapper multipath module of the Linux kernel and the multipath-tools userspace package. Device mapping multipath IO features automatic configuration of the subsystem for a large variety of setups.
  • Page 252: Supported Hardware

    10.1 Supported Hardware Multipath IO is available on all platforms supported by SUSE Linux Enterprise Server. The following storage subsystems are detected automatically: • 3Pardata VV • Compaq HSV110 / MSA1000 • DDN SAN MultiDirector • DEC HSG80 • EMC CLARiiON CX •...
  • Page 253: System Configuration

    10.2 System Configuration The system must be manually configured to automatically load the device drivers for the controllers to which the multipath IO devices are connected within the INITRD. Therefore add the needed driver module to the variable INITRD_MODULES in the file /etc/sysconfig/kernel.
  • Page 254
    3600601607cf30e00184589a37a31d911 [size=127 GB] [features="0"] [hwhandler="1 emc"]
    \_ round-robin 0 [first]
      \_ 1:0:1:2 sdav 66:240 [ready ]
      \_ 0:0:1:2 sdr  65:16  [ready ]
    \_ round-robin 0
      \_ 1:0:0:2 sdag 66:0   [ready ]
      \_ 0:0:0:2 sdc  8:32   [ready ]
    Name of the device
    Size of the device
    Features of the device
    Hardware handlers involved...
  • Page 255 To permanently add multipath IO services to the boot sequence, run the following command:
    insserv boot.multipath multipathd
    10.3.3 Querying the Status Querying the multipath IO status outputs the current status of the multipath maps. To query the current MPIO status, run multipath -l. The output is very similar to the one already described in Section 10.2, “System Configuration”...
  • Page 256: Using The Devices

    10.3.5 Managing IO in Error Situations In certain scenarios where the driver, the host bus adapter, or the fabric experiences errors leading to loss of all paths, all IO should be queued instead of being propagated upwards. This can be achieved with the following setting in /etc/multipath.conf.
    defaults {
        default_features "1 queue_if_no_path"...
  • Page 257: Using Mdadm

    10.4.2 Using LVM2 To make LVM2 recognize the MPIO devices as possible physical volumes, you must modify /etc/lvm/lvm.conf. It is important to modify it in a way that it does not scan and use the physical paths, but only accesses the multipath IO storage through the multipath IO layer.
  • Page 259: 1 Mass Storage Over Ip Networks-Iscsi

    Mass Storage over IP Networks—iSCSI One of the central tasks in computer centers and when operating servers is providing hard disk capacity for server systems. Fiber channel is often used for this purpose in the mainframe sector. So far, UNIX computers and the majority of servers are not connected to central storage solutions.
  • Page 260 11.1.1 Creating iSCSI Targets with YaST The iSCSI target configuration exports existing block devices or file system images to iSCSI initiators. First create the needed block devices with YaST or create file system images. For an overview of partitioning, see Section 7.5.8, “Partitioner”...
  • Page 261 Identifier The Identifier is freely selectable. It should follow some scheme to make the whole system more structured. It is possible to assign several LUNs to a target. However, this is not supported with YaST. Therefore, this should always be the number 0. Path Add the path to the block device or file system image to export.
  • Page 262 In the Target line, yyyy-mm is the date when this target is activated, and identifier is freely selectable. Find more about naming conventions in RFC 3722 (see http://www.ietf.org/rfc/rfc3722.txt). Three different block devices are exported in this example. The first one is a logical volume (see also Section 6.1, “LVM Configuration”...
  • Page 263 To create a new iSCSI target with a LUN, first update your configuration file. The additional entry could be:
    Target iqn.2006-02.com.example.iserv:system2
    Lun 0 Path=/dev/mapper/system-swap2
    IncomingUser joe secret
    To set up this configuration manually, proceed as follows: 1 Create a new target with the command ietadm --op new --tid=2 --params Name=iqn.2006-02.com.example.iserv:system2.
  • Page 264: Configuring Iscsi Initiator

    DefaultTime2Retain=20
    MaxOutstandingR2T=1
    DataPDUInOrder=Yes
    DataSequenceInOrder=Yes
    ErrorRecoveryLevel=0
    HeaderDigest=None
    DataDigest=None
    OFMarker=No
    IFMarker=No
    OFMarkInt=Reject
    IFMarkInt=Reject
    All of these parameters may be changed easily. For example, if you want to change the maximum number of connections to two, use ietadm --op update --tid=1 --params=MaxConnections=2. In the file /etc/ietd.conf, the associated line should look like MaxConnections 2.
  • Page 265 11.2.1 Using YaST for the iSCSI Initiator Configuration The configuration is divided into three tabs. The Service tab may be used to enable the iSCSI initiator at boot time. The Connected Targets tab gives an overview of the currently connected iSCSI targets. Like the Discovered Targets tab, it gives the option to add new targets to the system.
  • Page 266
    discovery.sendtargets.auth.authmethod = CHAP
    discovery.sendtargets.auth.username = <username>
    discovery.sendtargets.auth.password = <password>
    The discovery stores all received values in an internal persistent database. In addition, it displays all detected targets. Run this discovery with the command iscsiadm -m discovery --type=st --portal=<targetip>. The output should look like:
    [bd0ac2] 149.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems
    For each target defined on the iSCSI target, one line appears.
  • Page 267 The record ID in this example is bd0ac2. This ID is needed for all actions that relate to this special data set. To examine the content of the data record with the ID bd0ac2, use the following command:
    iscsiadm -m node --record=bd0ac2
    node.name = iqn.2006-02.com.example.iserv:systems
    node.transport_name = tcp
    node.tpgt = 1...
  • Page 268
    • http://www.open-iscsi.org/cgi-bin/wiki.pl
    • http://www.novell.com/coolsolutions/appnote/15394.html
    There is also some online documentation available. See the manual pages of iscsiadm, iscsid, ietd.conf, and ietd and the example configuration file /etc/iscsid.conf. Installation and Administration...
  • Page 269: 2 High Availability Under Linux

    In every case, it involves weighing risks and costs. Different requirements and solutions may be appropriate, depending on the application scenario. Your Novell partner will be happy to advise you. 12.1 Important Terms...
  • Page 270
    SPOF
    Single Point of Failure: Component of a system whose failure impairs the functioning of the whole system.
    Failover
    Another similar system component automatically takes over the function of a failed component.
    Cold Standby
    The alternative hardware is on cold standby. The failover must be performed manually, so the failure will be clearly apparent.
  • Page 271: A Sample Minimum Scenario

    12.2 A Sample Minimum Scenario The procedures within a two-node cluster when one node fails and the various types of standby systems that can take over as necessary are outlined below (see Figure 12.1, “A Simple High Availability Cluster” (page 271)). Figure 12.1 A Simple High Availability Cluster Primary Secondary...
  • Page 272: Components Of A High Availability Solution

    12.3 Components of a High Availability Solution A high availability solution consists of several different components: General Infrastructure When designing a high availability solution, it should generally be remembered that even the installation of all key servers at a single location can be a potential SPOF if this location is hit by disaster or power failures.
  • Page 273: The Software Side Of High Availability

    Applications All important data and applications that form the outer face of your systems must be arranged in such a way that they will not prevent a restart. If an application does not release its lock files after a crash, this prevents the relevant process from restarting.
  • Page 274 12.4.2 RAID RAID (redundant array of independent disks) brings together several hard disk partitions to form a large virtual hard disk. RAID can be used to optimize the performance and data security of your system. RAID levels 1 and 5 offer protection against the failure of a disk because the data is recorded on several disks at the same time.
  • Page 275: Clustering

    12.5 Clustering 12.5.1 Cluster Alias The cluster alias is a technology that allows several nodes to be configured with a shared IP address, while also permitting TCP/IP connections to be established at this address. Inbound TCP/IP connections are automatically distributed. Unlike the Linux virtual server, a dedicated load balancer is not required.
  • Page 276: For More Information

    12.6 For More Information 12.6.1 HA in General and Heartbeat The primary source for information about high availability under Linux is the home page of the Linux-HA project (http://linux-ha.org). This contains a wide range of tips and links to documentation, reports, and scenarios. For information in print about high availability see Blueprints in High Availability: Marcus, Evan &...
• Page 277 12.6.4 Clustering The Linux Clustering Information Center home page offers further information about clustering at http://www.lcic.org/. The home page for the Linux Virtual Server project is http://www.linuxvirtualserver.org/. Find information about the Oracle cluster file system on the project home page at http://oss.oracle.com/projects/ocfs/ and detailed documentation under http://oss.oracle.com/projects/ocfs/documentation/.
  • Page 279: 3 Installing A Heartbeat 2 Cluster Using Yast

    Installing a Heartbeat 2 Cluster Using YaST Heartbeat 2 is now part of SUSE® Linux Enterprise 10. A Heartbeat 2 cluster can be installed and configured using the YaST setup tool. During the Heartbeat 2 installation, you are prompted for information that is necessary for Heartbeat 2 to function properly. This section contains information to help you install and configure a Heartbeat 2 cluster.
  • Page 280: Software Requirements

• The shared disk system is properly set up and functional according to the manufacturer’s instructions. • Novell recommends that the disks contained in the shared disk system are configured to use mirroring or RAID to add fault tolerance to the shared disk system.
  • Page 281 2 On the Node Configuration screen, add a node to the cluster by specifying the node name of the node you want to add, then click Add. Repeat this process for each node you want to add to the cluster, then click Next. You can find node names for servers by entering uname -n on each node.
• Page 282 5 After specifying a heartbeat medium, click Add to add that medium type to Heartbeat. 6 On the STONITH Configuration screen, enter or select the name of the node in the Host from field, choose the STONITH Type, specify any necessary parameters, then click Add.
  • Page 283: Additional Information

13.5 Additional Information For additional information on high availability on Linux and Heartbeat including configuring cluster resources and managing and customizing a Heartbeat cluster, see The High-Availability Linux Project [http://www.linux-ha.org]. Installing a Heartbeat 2 Cluster Using YaST...
  • Page 285: 4 Oracle Cluster File System

    Oracle Cluster File System 2 • Section 14.1, “Overview of OCFS2” (page 285) • Section 14.2, “Creating an OCFS2 Volume” (page 292) • Section 14.3, “Mounting an OCFS2 Volume” (page 296) • Section 14.4, “Additional Information” (page 297) 14.1 Overview of OCFS2 Oracle Cluster File System 2 (OCFS2) is a general-purpose journaling file system that is fully integrated in the Linux 2.6 kernel and later.
  • Page 286 • Oracle RAC and other databases • General applications and workloads • XEN image store in a cluster XEN virtual machines and virtual servers can be stored on OCFS2 volumes that are mounted by cluster servers to provide quick and easy portability of XEN virtual machines between servers.
  • Page 287: O2Cb Cluster Service

    • Operation as a shared-root file system • Support for multiple-block sizes (each volume can have a different block size) up to 4 KB, for a maximum volume size of 16 TB • Support for up to 255 cluster nodes •...
  • Page 288: Disk Heartbeat

Service Description DLMFS User space interface to the kernel space DLM. For details, see Section 14.1.4, “In-Memory File Systems” (page 288). 14.1.3 Disk Heartbeat OCFS2 requires the nodes to be alive on the network. The O2CB cluster service sends regular keepalive packets to ensure that they are.
  • Page 289: Management Utilities And Commands

Table 14.2 In-Memory File Systems Used by OCFS2 (In-Memory File System / Description / Mount Point): configfs, mounted at /config: communicates the list of nodes in the cluster to the in-kernel node manager, and communicates the resource used for the heartbeat to the in-kernel heartbeat thread. ocfs2_dlmfs: communicates locking and unlocking for cluster-...
  • Page 290 OCFS2 Utility Description mkfs.ocfs2 Creates an OCFS2 file system on a device, usually a partition on a shared physical or logical disk. This tool requires the O2CB cluster service to be up. mounted.ocfs2 Detects and lists all OCFS2 volumes on a clustered system. Detects and lists all nodes on the system that have mounted an OCFS2 device or lists all OCFS2 devices.
  • Page 291: Ocfs2 Packages

Command Description /etc/init.d/o2cb unload Unloads the O2CB modules and in-memory file systems /etc/init.d/o2cb start ocfs2 If the cluster is set up to load on boot, starts the cluster named ocfs2 by loading o2cb and onlining the cluster At least one node in the cluster must be active for the cluster to be online.
  • Page 292: Creating An Ocfs2 Volume

    14.2 Creating an OCFS2 Volume Follow the procedures in this section to configure your system to use OCFS2 and to create OCFS2 volumes. 14.2.1 Prerequisites Before you begin, do the following: • Initialize, carve, or configure RAIDs on the SAN disks, as needed, to prepare the devices you plan to use for your OCFS2 volumes.
• Page 293 3 If the ocfs2 service is not already enabled, enter chkconfig --add ocfs2 4 Configure the o2cb cluster service driver to load on boot. a Enter /etc/init.d/o2cb configure b At the Load O2CB driver on boot (y/n) [n] prompt, enter y (yes) to enable load on boot.
  • Page 294 If cluster.conf is not present, the console will create one with a default cluster name of ocfs2. Modify the cluster name as desired. c In the Node Configuration dialog box, click Add to open the Add Node dialog box. d In the Add Node dialog box, specify the unique name of your primary node, a unique IP address (such as 192.168.1.1), and the port number (optional, default is 7777), then click OK.
  • Page 295 The OCFS2 cluster must be online, because the format operation must first ensure that the volume is not mounted on any node in the cluster. 3 Create and format the volume using one of the following methods: • In EVMSGUI, go to the Volumes page, select Make a file system → OCFS2, then specify the configuration settings.
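The steps above describe configuring the cluster through ocfs2console. As an added example (not from the manual), the following script builds the same cluster.conf non-interactively for a two-node cluster and checks it before the O2CB service is brought online. The stanza layout (node: and cluster: blocks with tab-indented key = value lines) and the /etc/ocfs2/cluster.conf location are assumptions based on the OCFS2 tools of that era; compare against a file written by ocfs2console on your own system. The default port 7777 and the requirement that node names and IP addresses be unique come from the text.

```shell
#!/bin/sh
# Added example: generate and sanity-check an OCFS2 cluster.conf.
# Stanza layout is assumed; verify against ocfs2console output.

# ocfs2_cluster_conf CLUSTER NODE:IP[:PORT] ...
# Print a cluster.conf with one node: stanza per argument (node numbers are
# assigned in argument order) and a cluster: stanza whose node_count matches.
ocfs2_cluster_conf() {
    cluster=$1; shift
    n=0
    for spec in "$@"; do
        name=${spec%%:*}
        rest=${spec#*:}
        ip=${rest%%:*}
        port=${rest#*:}
        [ "$port" = "$rest" ] && port=7777   # default OCFS2 port named in the manual
        printf 'node:\n\tip_port = %s\n\tip_address = %s\n\tnumber = %s\n\tname = %s\n\tcluster = %s\n\n' \
            "$port" "$ip" "$n" "$name" "$cluster"
        n=$((n + 1))
    done
    printf 'cluster:\n\tnode_count = %s\n\tname = %s\n' "$n" "$cluster"
}

# ocfs2_conf_check: read a cluster.conf on stdin; succeed only if node_count
# equals the number of node: stanzas and every node name and IP is unique.
ocfs2_conf_check() {
    conf=$(cat)
    stanzas=$(printf '%s\n' "$conf" | grep -c '^node:')
    count=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*node_count = //p')
    [ -n "$count" ] && [ "$stanzas" -eq "$count" ] || return 1
    dups=$(printf '%s\n' "$conf" | awk '
        /^node:/    { in_node = 1; next }
        /^cluster:/ { in_node = 0 }
        in_node && ($1 == "name" || $1 == "ip_address") { seen[$1, $3]++ }
        END { for (k in seen) if (seen[k] > 1) print k }')
    [ -z "$dups" ]
}

# Typical use (assumed path): write the file on every node, then check it.
#   ocfs2_cluster_conf ocfs2 node1:192.168.1.1 node2:192.168.1.2 > /etc/ocfs2/cluster.conf
#   ocfs2_conf_check < /etc/ocfs2/cluster.conf || echo 'cluster.conf is inconsistent'
```

The file must be identical on every node; generating it from one node list and copying it is less error-prone than adding nodes by hand in each console.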
  • Page 296: Mounting An Ocfs2 Volume

OCFS2 Parameter / Description and Recommendation (table continued) ... (such as x86, x86-64, and ia64) and big-endian architectures (such as ppc64 and s390x). Node-specific files are referred to as local files. A node slot number is appended to the local file. For example: journal:0000 belongs to whatever node is assigned to slot number 0.
  • Page 297: Additional Information

    • In the ocfs2console, select a device in the Available Devices list, click Mount, specify the directory mount point and mount options (optional), then click OK. • Mount the volume from the command line, using the mount command. • Mount the volume from the /etc/fstab file on system boot. Mounting an OCFS2 volume takes about 5 seconds, depending on how long it takes for the heartbeat thread to stabilize.
  • Page 299: Access Control Lists In Linux

Access Control Lists in Linux POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than the traditional permission concept allows. The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard.
• Page 300 would not be able to change passwd, because it would be too dangerous to grant all users direct access to this file. A possible solution to this problem is the setuid mechanism. setuid (set user ID) is a special file attribute that instructs the system to execute programs marked accordingly under a specific user ID.
  • Page 301: Advantages Of Acls

15.2 Advantages of ACLs Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit.
  • Page 302: Handling Acls

default ACL Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created. ACL entry Each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions.
• Page 303 Table 15.1 ACL Entry Types (type: text form): owner: user::rwx; named user: user:name:rwx; owning group: group::rwx; named group: group:name:rwx; mask: mask::rwx; other: other::rwx. Table 15.2 Masking Access Permissions (entry type: text form): named user: user:geeko:r-x; mask: mask::rw-; effective permissions: 15.4.1 ACL Entries and File Mode Permission Bits Figure 15.1, “Minimum ACL: ACL Entries Compared to Permission Bits”...
  • Page 304 ACL entry owner. Other class permissions are mapped to the respective ACL entry. However, the mapping of the group class permissions is different in the two cases. Figure 15.1 Minimum ACL: ACL Entries Compared to Permission Bits In the case of a minimum ACL—without mask—the group class permissions are mapped to the ACL entry owning group.
  • Page 305 Before creating the directory, use the umask command to define which access permis- sions should be masked each time a file object is created. The command umask 027 sets the default permissions by giving the owner the full range of permissions (0), denying the group write access (2), and giving other users no permissions at all (7).
  • Page 306 mask::rwx other::--- In addition to the entries initiated for the user geeko and the group mascots, a mask entry has been generated. This mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.
• Page 307 The output of the getfacl confirms this. This output includes a comment for all those entries in which the effective permission bits do not correspond to the original permissions, because they are filtered according to the mask entry. The original permissions can be restored at any time with chmod g+w mydir.
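The masking rule of Table 15.2 and the "#effective:" comment described above can be reproduced without touching a file system. The following is an added example (not from the manual): pure shell that reads an access ACL in getfacl text form and annotates it the way getfacl does. The ACL text in the comments and test is constructed, so no setfacl or getfacl binary and no ACL-capable file system are required; the functions are named here for illustration and are not part of the acl package.

```shell
#!/bin/sh
# Added example: apply the ACL mask to an access ACL and annotate it like getfacl.

# perm_and A B: intersection of two rwx strings, e.g. perm_and r-x rw- -> r--
perm_and() {
    out='' i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$1" | cut -c"$i")
        cb=$(printf '%s' "$2" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != '-' ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# acl_effective ENTRY MASK: the rights one entry actually grants. The owner,
# mask and other entries are never masked; named users, the owning group and
# named groups are ANDed with the mask entry.
acl_effective() {
    case "$1" in
        user::*|mask::*|other::*) printf '%s\n' "${1##*:}" ;;
        *) perm_and "${1##*:}" "$2" ;;
    esac
}

# acl_annotate: read access ACL entries (one per line, no default: entries) on
# stdin and print them, adding the "#effective:" comment to every entry whose
# stated permissions are filtered by the mask. With no mask entry (a minimum
# ACL) the input is echoed unchanged.
acl_annotate() {
    entries=$(cat)
    mask=$(printf '%s\n' "$entries" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$entries" | while IFS= read -r entry; do
        case "$entry" in
            user:?*:*|group::*|group:?*:*)
                if [ -n "$mask" ]; then
                    perms=${entry##*:}
                    eff=$(perm_and "$perms" "$mask")
                    if [ "$eff" != "$perms" ]; then
                        printf '%s\t\t#effective:%s\n' "$entry" "$eff"
                        continue
                    fi
                fi ;;
        esac
        printf '%s\n' "$entry"
    done
}

# Constructed input matching the chmod g-w example in the text:
#   printf 'user::rwx\nuser:geeko:r-x\ngroup::rwx\nmask::rw-\nother::---\n' | acl_annotate
```

The point worth remembering when auditing permissions: a chmod on the group class rewrites the mask entry, not the named entries, so a named user can silently lose rights that getfacl still lists in the entry itself. Always read the effective column, which is what the function above computes.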
  • Page 308 The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL. Take a closer look at the result of this command: getfacl mydir # file: mydir # owner: tux # group: project3 user::rwx user:geeko:rwx group::r-x...
  • Page 309 default:mask::r-x default:other::--- As expected, the newly-created subdirectory mysubdir has the permissions from the default ACL of the parent directory. The access ACL of mysubdir is an exact reflection of the default ACL of mydir. The default ACL that this directory will hand down to its subordinate objects is also the same. Use touch to create a file in the mydir directory, for example, touch mydir/myfile.
  • Page 310: Acl Support In Applications

    access is handled in accordance with the entry that best suits the process. Permissions do not accumulate. Things are more complicated if a process belongs to more than one group and would potentially suit several group entries. An entry is randomly selected from the suitable entries with the required permissions.
  • Page 311 RPM—the Package Manager In SUSE® Linux, RPM (RPM Package Manager) is used for managing software packages. Its main commands are rpm and rpmbuild. The powerful RPM database can be queried by the users, system administrators, and package builders for detailed information about the installed software.
  • Page 312: Verifying Package Authenticity

    16.1 Verifying Package Authenticity SUSE Linux Enterprise RPM packages have a GnuPG signature. The key including the fingerprint is: 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA The command rpm --checksig package-1.2.3.rpm can be used to verify the signature of an RPM package to determine whether it really originates from SUSE or from another trustworthy facility.
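Two checks belong with the command above. First, rpm --checksig of that era prints OK for an unsigned package whose digests merely match, so OK alone says nothing about origin: the line must carry a gpg (or pgp) token, and a missing key shows up as NOT OK. Second, a key you import must be compared against the fingerprint printed above, not just against the key ID. The following is an added example (not from the manual): shell functions that classify rpm --checksig output lines and compare a fingerprint against the SUSE build key. The sample output lines are constructed in the shape rpm 4.x printed; no rpm binary is run.

```shell
#!/bin/sh
# Added example: interpret rpm --checksig output and pin the signing-key fingerprint.

# The SUSE package signing key fingerprint, as printed in this manual.
SUSE_BUILD_KEY_FPR='79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA'

# fpr_normalize FPR: strip whitespace and uppercase, so fingerprints compare
# regardless of how the tool that printed them grouped the hex digits.
fpr_normalize() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# fpr_matches CANDIDATE: succeed only if CANDIDATE is the expected fingerprint.
fpr_matches() {
    [ "$(fpr_normalize "$1")" = "$(fpr_normalize "$SUSE_BUILD_KEY_FPR")" ]
}

# checksig_verdict LINE: classify one line of rpm --checksig output.
# Prints signed-ok (digests and gpg/pgp signature verified), unsigned (digests
# OK but no signature token), or bad (NOT OK, missing key, or unparsable).
checksig_verdict() {
    case "$1" in
        *"NOT OK"*)                printf 'bad\n' ;;
        *" gpg "*OK|*" pgp "*OK)   printf 'signed-ok\n' ;;
        *" OK")                    printf 'unsigned\n' ;;
        *)                         printf 'bad\n' ;;
    esac
}

# checksig_report: read rpm --checksig output on stdin, print "verdict<TAB>line"
# per package and exit 0 only if every package is signed and verifies.
# Typical use:  rpm --checksig *.rpm | checksig_report || echo 'refuse to install'
checksig_report() {
    rc=0
    while IFS= read -r line; do
        v=$(checksig_verdict "$line")
        [ "$v" = signed-ok ] || rc=1
        printf '%s\t%s\n' "$v" "$line"
    done
    return $rc
}

# Constructed sample lines:
#   pkg-1.2.3.rpm: sha1 md5 gpg OK                                   -> signed-ok
#   pkg-1.2.3.rpm: sha1 md5 OK                                       -> unsigned
#   pkg-1.2.3.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#9c800aca) -> bad
```

Treat unsigned and bad the same way in automation: both mean the package has not been tied to the SUSE key, whatever the digests say.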
  • Page 313: Rpm And Patches

    • If a configuration file was changed by the system administrator before the update, rpm saves the changed file with the extension .rpmorig or .rpmsave (backup file) and installs the version from the new package, but only if the originally installed file and the newer version are different.
• Page 314 result in large amounts of data. However, the SUSE RPM offers a feature enabling the installation of patches in packages. The most important considerations are demonstrated using pine as an example: Is the patch RPM suitable for my system? To check this, first query the installed version of the package. For pine, this can be done with rpm -q pine pine-4.44-188...
  • Page 315: Delta Rpm Packages

    Which patches are already installed in the system and for which package versions? A list of all patches installed in the system can be displayed with the command rpm -qPa. If only one patch is installed in a new system (as in this example), the list appears as follows: rpm -qPa pine-4.44-224...
  • Page 316: Rpm Queries

applydeltarpm new.delta.rpm new.rpm To derive it from the old RPM without accessing the file system, use the -r option: applydeltarpm -r old.rpm new.delta.rpm new.rpm See /usr/share/doc/packages/deltarpm/README for technical details. 16.5 RPM Queries With the -q option, rpm initiates queries, making it possible to inspect an RPM archive (by adding the option -p) and also to query the RPM database of installed packages.
  • Page 317 For example, the command rpm -q -i wget displays the information shown in Example 16.1, “rpm -q -i wget” (page 317). Example 16.1 rpm -q -i wget Name : wget Relocations: (not relocatable) Version : 1.9.1 Vendor: SUSE LINUX AG, Nuernberg, Germany Release : 50...
• Page 318 The command rpm -q --changelog rpm displays a detailed list of change information about a specific package, sorted by date. This example shows information about the package rpm. With the help of the installed RPM database, verification checks can be made. Initiate these with -V, -y, or --verify.
  • Page 319: Installing And Compiling Source Packages

    by the variable MAX_RPMDB_BACKUPS (default: 5) in /etc/sysconfig/backup. The size of a single backup is approximately 1 MB for 1 GB in /usr. 16.6 Installing and Compiling Source Packages All source packages of SUSE Linux Enterprise carry a .src.rpm extension (source RPM).
  • Page 320 When you install a source package with YaST, all the necessary components are installed in /usr/src/packages: the sources and the adjustments in SOURCES and the relevant .spec file in SPECS. WARNING Do not experiment with system components (glibc, rpm, sysvinit, etc.), because this endangers the operability of your system.
  • Page 321: Compiling Rpm Packages With Build

Do the same as -bb, but with the additional creation of the source RPM. If the compilation was successful, the source RPM should be in /usr/src/packages/SRPMS (the binary RPM is written to the architecture subdirectory of /usr/src/packages/RPMS). --short-circuit Skip some steps. The binary RPM created can now be installed with rpm -i or, preferably, with rpm -U.
  • Page 322: Tools For Rpm Archives And The Rpm Database

    16.8 Tools for RPM Archives and the RPM Database Midnight Commander (mc) can display the contents of RPM archives and copy parts of them. It represents archives as virtual file systems, offering all usual menu options of Midnight Commander. Display the HEADER with .
  • Page 323: System Monitoring Utilities

    System Monitoring Utilities A number of programs and mechanisms, some of which are presented here, can be used to examine the status of your system. Also described are some utilities that are useful for routine work, along with their most important parameters. For each of the commands introduced, examples of the relevant outputs are presented.
  • Page 324: Debugging

17.1 Debugging 17.1.1 Specifying the Required Library: ldd Use the command ldd to find out which shared libraries the dynamic executable specified as argument would load, and from which paths they are resolved. tester@linux:~> ldd /bin/ls linux-gate.so.1 => (0xffffe000) librt.so.1 => /lib/librt.so.1 (0xb7f97000) libacl.so.1 => /lib/libacl.so.1 (0xb7f91000) libc.so.6 => /lib/libc.so.6 (0xb7e79000) libpthread.so.0 =>...
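From a security standpoint, the interesting column of the ldd listing is the resolved path: a library that resolves outside the system library directories, or that is reported as not found, is the classic symptom of LD_LIBRARY_PATH or rpath hijacking, or of a broken installation. The following is an added example (not from the manual): a shell filter that reads ldd output and flags such entries. The sample ldd output in the test is constructed; the trusted directory list is an assumption you should adjust to your own system.

```shell
#!/bin/sh
# Added example: audit where ldd resolves each shared library.
# Usage:  ldd /path/to/binary | ldd_audit [/lib:/usr/lib:...]

# ldd_audit [TRUSTED_DIRS]: read ldd output on stdin, print one line per
# problematic library and exit 0 only if there is none. TRUSTED_DIRS is a
# colon-separated list; the default reflects the paths seen in the listing
# above plus their 64-bit counterparts (an assumption, adjust as needed).
ldd_audit() {
    trusted=${1:-/lib:/lib64:/usr/lib:/usr/lib64}
    awk -v trusted="$trusted" '
        BEGIN { n = split(trusted, dirs, ":") }
        function trusted_path(p,  i) {
            for (i = 1; i <= n; i++)
                if (index(p, dirs[i] "/") == 1) return 1
            return 0
        }
        # "libc.so.6 => /lib/libc.so.6 (0xb7e79000)"
        /=>/ {
            lib = $1; path = $3
            if (path == "not") { print "MISSING " lib; bad++; next }   # "=> not found"
            if (path ~ /^\(/) next      # vdso: "linux-gate.so.1 => (0xffffe000)"
            if (!trusted_path(path)) { print "UNTRUSTED " lib " -> " path; bad++ }
            next
        }
        # the dynamic loader line has no "=>": "/lib/ld-linux.so.2 (0xb7fb2000)"
        $1 ~ /^\// && !trusted_path($1) { print "UNTRUSTED interpreter " $1; bad++ }
        END { exit bad > 0 }
    '
}
```

Run it over setuid binaries in particular: a setuid program that picks up a library from a user-writable directory is a direct privilege escalation path.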
  • Page 325 ------ ----------- ----------- --------- -------------------- 100.00 19.662715 105717 total 17.1.3 System Calls of a Program Run: strace The utility strace enables you to trace all the system calls of a process currently running. Enter the command in the normal way, adding strace at the beginning of the line: tester@linux:~>...
  • Page 326: Files And File Systems

17.2 Files and File Systems 17.2.1 Determine the File Type: file The command file determines the type of a file or a list of files by checking /etc/magic. tester@linux:~> file /usr/bin/file /usr/bin/file: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), \ for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped The parameter -f list specifies a file with a list of filenames to examine.
  • Page 327 udev 252M 104K 252M 1% /dev /dev/hda1 6.6M 7.8M 46% /boot /dev/hda4 1% /local Display the total size of all the files in a given directory and its subdirectories with the command du. The parameter -s suppresses the output of detailed information. -h again transforms the data into a human-readable form: tester@linux:~>...
  • Page 328: Hardware Information

    Device: 303h/771d Inode: 40657 Links: 1 Access: (0644/-rw-r--r--) Uid: ( root) Gid: ( root) Access: 2006-01-06 16:45:43.000000000 +0100 Modify: 2005-11-21 14:54:35.000000000 +0100 Change: 2005-12-19 09:51:04.000000000 +0100 The parameter --filesystem produces details of the properties of the file system in which the specified file is located: tester@linux:~>...
  • Page 329 Using -v results in a more detailed listing: linux:~ # lspci [...] 02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM)\ Ethernet Controller (rev 81) Subsystem: Fujitsu Siemens Computer GmbH: Unknown device 1001 Flags: bus master, medium devsel, latency 66, IRQ 11 Memory at d1000000 (32-bit, non-prefetchable) [size=4K] I/O ports at 3000 [size=64] Capabilities: [dc] Power Management version 2...
  • Page 330: Networking

    command lsscsi). The following is the output of scsiinfo -i /dev/sda, which gives information about a hard disk. The option -a gives even more information. linux:/ # scsiinfo -i /dev/sda Inquiry command --------------- Relative Address Wide bus 32 Wide bus 16 Synchronous neg.
  • Page 331 # netstat -t -p Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Pro 0 linux:33513 www.novell.com:www-http ESTABLISHED 6862/fi 352 linux:ssh linux2.:trc-netpoll ESTABLISHED 19422/s 0 localhost:ssh localhost:17828 ESTABLISHED - In the following, statistics for the TCP protocol are displayed: tester@linux:~>...
  • Page 332: The /Proc File System

    17.5 The /proc File System The /proc file system is a pseudo file system in which the kernel reserves important information in the form of virtual files. For example, display the CPU type with this command: tester@linux:~> cat /proc/cpuinfo processor vendor_id : AuthenticAMD cpu family...
  • Page 333 /proc/cmdline Kernel command line /proc/meminfo Detailed information about memory usage /proc/config.gz gzip-compressed configuration file of the kernel currently running Further information is available in the text file /usr/src/linux/ Documentation/filesystems/proc.txt. Find information about processes currently running in the /proc/NNN directories, where NNN is the process ID (PID) of the relevant process.
  • Page 334 b7e32000-b7e33000 rw-p b7e32000 00:00 0 b7e33000-b7f45000 r-xp 00000000 03:03 8837 /lib/libc-2.3.6.so b7f45000-b7f46000 r--p 00112000 03:03 8837 /lib/libc-2.3.6.so b7f46000-b7f48000 rw-p 00113000 03:03 8837 /lib/libc-2.3.6.so b7f48000-b7f4c000 rw-p b7f48000 00:00 0 b7f52000-b7f53000 r--p 00000000 03:03 11842 /usr/lib/locale/en_GB.utf8/ [...] b7f5b000-b7f61000 r--s 00000000 03:03 9109 /usr/lib/gconv/gconv-module b7f61000-b7f62000 r--p 00000000 03:03 9720 /usr/lib/locale/en_GB.utf8/...
  • Page 335: Processes

By default, the cumulative values are displayed. The parameter -d produces the differential values. procinfo -dn5 displays the values that have changed in the last five seconds: 17.6 Processes 17.6.1 Interprocess Communication: ipcs The command ipcs produces a list of the IPC resources currently in use: ------ Shared Memory Segments -------- shmid owner...
  • Page 336: Memory Usage

    tester 4072 15996 5160 ? 13:02 0:00 gnome-scre tester 4114 3.7 130988 19172 ? 13:06 0:04 sound-juic tester 4818 4192 1812 pts/0 15:59 0:00 -bash tester 4959 2324 816 pts/0 16:17 0:00 ps axu To check how many sshd processes are running, use the option -p together with the command pidof, which lists the process IDs of the given processes.
  • Page 337 |-dhcpcd |-events/0 |-gpg-agent |-hald-+-hald-addon-acpi `-hald-addon-stor |-kded |-kdeinit-+-kdesu---su---kdesu_stub---yast2---y2controlcenter |-kio_file |-klauncher |-konqueror |-konsole-+-bash---su---bash `-bash `-kwin |-kdesktop---kdesktop_lock---xmatrix |-kdesud |-kdm-+-X `-kdm---startkde---kwrapper [...] The parameter -p adds the process ID to a given name. To have the command lines displayed as well, use the -a parameter: 17.6.4 Processes: top The command top, which stands for "table of processes,"...
  • Page 338: System Information

    839 root 0:00.02 reiserfs/0 923 root 1712 344 S 0:00.67 udevd 1343 root 0:00.00 khubd 1587 root 0:00.00 shpchpd_event 1746 root 0:00.00 w1_control 1752 root 0:00.00 w1_bus_master1 2151 root 1464 416 S 0:00.00 acpid 2165 messageb 3340 1048 792 S 0:00.64 dbus-daemon 2166 root 1840...
• Page 339 tester@linux:~> free total used free shared buffers cached Mem: 515584 501704 13880 73040 334592 -/+ buffers/cache: 94072 421512 Swap: 658656 658656 The options -b, -k, -m, -g show output in bytes, KB, MB, or GB, respectively. The parameter -d delay ensures that the display is refreshed every delay seconds. For example, free -d 1.5 produces an update every 1.5 seconds.
  • Page 340 Older events are logged in the files /var/log/messages and /var/log/warn. 17.7.5 List of Open Files: lsof To view a list of all the files open for the process with process ID PID, use -p. For example, to view all the files used by the current shell, enter: tester@linux:~>...
  • Page 341 bash 3838 tester 136,0 2 /dev/pts/0 bash 3838 tester 255u 136,0 2 /dev/pts/0 bash 5552 tester 136,5 7 /dev/pts/5 bash 5552 tester 136,5 7 /dev/pts/5 bash 5552 tester 136,5 7 /dev/pts/5 bash 5552 tester 255u 136,5 7 /dev/pts/5 5646 root 1006 /dev/mem lsof 5673...
  • Page 342: User Information

    42013K total, Other: 206K total, All: 42219K total res-base Wins GCs Fnts Pxms Misc Pxm mem Other Total PID Identifier 3e00000 18161K 18175K NOVELL: SU 4600000 1 1182 4566K 4600K amaroK - S 1600000 3811K 3816K KDE Deskto 3400000 2816K...
  • Page 343: Time And Date

    tester@linux:~> w 16:33:03 up 3:33, 2 users, load average: 0.14, 0.06, 0.02 USER LOGIN@ IDLE JCPU PCPU WHAT tester 16:33 ?xdm? 9.42s 0.15s /bin/sh /opt/kde3/bin/startk tester pts/0 15:59 0.00s 0.19s 0.00s w If any users of other systems have logged in remotely, the parameter -f shows the computers from which they have established the connection.
  • Page 345: Working With The Shell

    Working with the Shell When booting your Linux system, you are usually directed to a graphical user interface that guides you through the login process and the following interactions with the system. Although graphical user interfaces have become very important and user-friendly, using them is not the only way to communicate with your system.
  • Page 346: Getting Started With The Bash Shell

    18.1 Getting Started with the Bash Shell In Linux, you can use the command line parallel to the graphical user interface and easily switch between them. To start a terminal window from the graphical user interface in KDE, click the Konsole icon in the panel. In GNOME, click the GNOME Terminal icon in the panel.
  • Page 347 IMPORTANT: No News Is Good News The shell is not verbose: in contrast to some graphical user interfaces, it usually does not provide confirmation messages when commands have been executed. Messages only appear in case of problems or errors. Also keep this in mind for commands to delete objects. Before entering a command like rm for removing a file, you should know if you really want to get rid of the object: it will be deleted irretrievably, without enquiry.
  • Page 348: Getting Help

    and are prefixed with a hyphen. The ls -l command shows the contents of the same directory in full detail (long listing format): Figure 18.3 The ls -l Command On the left of each object name, information about the object is shown in several columns.
• Page 349 18.1.2 Linux Directory Structure Because the shell does not offer a graphical overview of directories and files like the tree view in a file manager, it is useful to have some basic knowledge of the default directory structure in a Linux system. You can think of directories as electronic folders in which files, programs, and subdirectories are stored.
• Page 350 Figure 18.4 Excerpt from a Standard Directory Tree (tree graphic not reproduced in this excerpt) Table 18.1 Overview of a Standard Directory Tree: / Root directory, starting point of the directory tree; /home Personal directories of users; /dev Device files that represent hardware components...
• Page 351 /usr/bin, /usr/sbin Generally accessible programs (/usr/bin) and programs reserved for the system administrator (/usr/sbin); /usr/share/doc Various documentation files; /tmp, /var/tmp Temporary files (do not save files in this directory unless you do not need them); /opt Optional software, larger add-on program packages (such as KDE, GNOME, and Netscape); Process file system...
• Page 352 • To switch to your home directory, enter cd. • Refer to the current directory with a dot (.). This is mainly useful for other commands (cp, mv, …). • The next higher level in the tree is represented by two dots (..). For example, to switch to the parent directory of your current directory, enter cd ...
  • Page 353 d Check this by entering ls -l /tmp/test. The file myfile.txt should appear in the list of contents for /tmp/test. To list the contents of home directories of other users, enter ls ~username . In the example directory tree in Figure 18.4, “Excerpt from a Standard Directory Tree”...
  • Page 354 essary. If the filename or path cannot be uniquely identified (because there are several filenames starting with the same letters), the filename or path is only completed up to the point where again several options are possible. You can then obtain a list of them by pressing a second time.
  • Page 355 • Use the set wild card to address all sample files whose last character is a number: ls Testfile[1-9] or, using classes, ls Testfile[[:digit:]]. Of the four types of wild cards, the most inclusive one is the asterisk. It could be used to copy all files contained in one directory to another one or to delete all files with one command.
  • Page 356 Sometimes it is also useful to use a file as the input for a command. For example, with the tr command, you can replace characters redirected from a file and write the result to the standard output, your screen. Suppose you want to replace all characters t of your file.txt from the example above with x and print this to your screen.
  • Page 357 (for file) Choose a filename for the archive file. When creating an archive, this option must always be given as the last one. To pack the test directory with all its files and subdirectories into an archive named testarchive.tar, do the following: 1 Open a shell.
  • Page 358: Users And Access Permissions

    18.1.6 Cleaning Up After this crash course, you should be familiar with the basics of the Linux shell or command line. You may want to clean up your home directory by deleting the various test files and directories using the rm and rmdir commands. In Section 18.3, “Important Linux Commands”...
  • Page 359 File Access The organization of permissions in the file system differs for files and directories. File permission information can be displayed with the command ls -l. The output could appear as in Example 18.1, “Sample Output Showing File Permissions” (page 359). Example 18.1 Sample Output Showing File Permissions -rw-r----- 1 tux project3 14197 Jun 21 15:03 Roadmap...
• Page 360 Example 18.2 Sample Output Showing Directory Permissions drwxrwxr-x 1 tux project3 35 Jun 21 15:15 ProjectData In Example 18.2, “Sample Output Showing Directory Permissions” (page 360), the owner (tux) and the owning group (project3) of the directory ProjectData are easy to recognize. In contrast to the file access permissions from File Access (page 359), the set reading permission (r) means that the contents of the directory can be shown.
  • Page 361: Important Linux Commands

• x—execute Filename or filenames separated by spaces If, for example, the user tux in Example 18.2, “Sample Output Showing Directory Permissions” (page 360) also wants to grant other users write (w) access to the directory ProjectData, he can do this using the command chmod o+w ProjectData.
• Page 362 In the man pages, move up and down with PgUp and PgDn. Move between the beginning and the end of a document with Home and End. End this viewing mode by pressing the pager's quit key. Learn more about the man command itself with man man. In the following overview, the individual command elements are written in different typefaces.
  • Page 363 mv [options] source target Copies source to target then deletes the original source. Creates a backup copy of the source before moving Waits for confirmation, if necessary, before an existing targetfile is overwritten rm [options] files Removes the specified files from the file system. Directories are not removed by rm unless the option -r is used.
  • Page 364 Changes files and directories in all subdirectories chgrp [options] groupname files Transfers the group ownership of a given file to the group with the specified group name. The file owner can only change group ownership if a member of both the current and the new group.
  • Page 365 As an alternative, a numeric code can be used. The four digits of this code are composed of the sum of the values 4, 2, and 1—the decimal result of a binary mask. The first digit sets the set user ID (SUID) (4), the set group ID (2), and the sticky (1) bits.
• Page 366 Unpacks files from an archive (extraction) Packs the resulting archive with gzip Compresses the resulting archive with bzip2 Lists files processed The archive files created by tar end with .tar. If the tar archive was also compressed using gzip, the ending is .tgz or .tar.gz. If it was compressed using bzip2, the ending is .tar.bz2.
  • Page 367 Commands to Access File Contents file [options] [files] With file, detect the contents of the specified files. Tries to look inside compressed files cat [options] files The cat command displays the contents of a file, printing the entire contents to the screen without interruption.
  • Page 368: File Systems

diff [options] file1 file2 The diff command compares the contents of any two files. The output produced by the program lists all lines that do not match. This is frequently used by programmers who need only send their program alterations and not the entire source code. Only reports whether the two files differ Produces a “unified”...
  • Page 369: System Commands

    18.3.2 System Commands The following section lists a few of the most important commands needed for retrieving system information and controlling processes and the network. System Information df [options] [directory] The df (disk free) command, when used without any options, displays information about the total disk space, the disk space currently in use, and the free space on all the mounted drives.
  • Page 370 Output in kilobytes Output in megabytes date [options] This simple program displays the current system time. If run as root, it can also be used to change the system time. Details about the program are available in the date(1) man page. Processes top [options] top provides a quick overview of the currently running processes.
  • Page 371 Network ping [options] hostname or IP address The ping command is the standard tool for testing the basic functionality of TCP/IP networks. It sends a small data packet to the destination host, requesting an immediate reply. If this works, ping displays a message to that effect, which indicates that the network link is basically functioning.
  • Page 372: The Vi Editor

    Miscellaneous passwd [options] [username] Users may change their own passwords at any time using this command. The administrator root can use the command to change the password of any user on the system. su [options] [username] The su command makes it possible to log in under a different username from a running session.
  • Page 373: Operating Modes

    18.4.1 Operating Modes NOTE: Display of Keys In the following, find several commands that you can enter in vi by just pressing keys. These appear in uppercase as on a keyboard. If you need to enter a key in uppercase, this is stated explicitly by showing a key combination including key.
  • Page 374 Exit without saving: To terminate the editor without saving the changes, enter – – in command mode. The exclamation mark (!) causes vi to ignore any changes. Save and exit: There are several possibilities to save your changes and terminate the editor.
  • Page 375 Table 18.2 Simple Commands of the vi Editor Change to command mode Change to insert mode (characters appear at the current cursor position) Change to insert mode (characters are inserted after the current cursor position) Change to insert mode (characters are added at the end of the line; entered as a Shift key combination) Change to replace mode (overwrite the old text)
  • Page 376 18.4.3 For More Information vi supports a wide range of commands. It enables the use of macros, shortcuts, named buffers, and many other useful features. A detailed description of the various options would exceed the scope of this manual. SUSE® Linux Enterprise comes with vim (vi improved), an improved version of vi.
  • Page 377: Part Iii System

    Part III. System...
  • Page 379: Bit And 64-Bit Applications In A 64-Bit System Environment

    32-Bit and 64-Bit Applications in a 64-Bit System Environment SUSE® Linux Enterprise is available for several 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE Linux Enterprise supports the use of 32-bit applications in a 64-bit system environment.
  • Page 380: Runtime Support

    19.1 Runtime Support IMPORTANT: Conflicts between Application Versions If an application is available both for 32-bit and 64-bit environments, parallel installation of both versions is bound to lead to problems. In such cases, decide on one of the two versions and install and use this. To be executed correctly, every application requires a range of libraries.
  • Page 381: Software Compilation On Biarch Platforms

    options for the tool chain from GCC (GNU Compiler Collection) and Binutils, which include the assembler as and the linker ld: Biarch Compiler Both 32-bit and 64-bit objects can be generated with a biarch development tool chain. The compilation of 64-bit objects is the default on almost all platforms. 32-bit objects can be generated if special flags are used.
  • Page 382 For example, to compile a program that uses libaio on a system whose second architecture is a 32-bit architecture (x86_64 or s390x), you need the following RPMs: libaio-32bit 32-bit runtime package libaio-devel-32bit Headers and libraries for 32-bit development libaio 64-bit runtime package libaio-devel 64-bit development headers and libraries...
  • Page 383: Kernel Specifications

    5 Determine that the libraries are stored in the lib subdirectory: --libdir=/usr/lib 6 Determine that the 32-bit X libraries are used: --x-libraries=/usr/X11R6/lib/ Not all of these variables are needed for every program. Adapt them to the respective program. An example configure call to compile a native 32-bit application on x86_64, ppc64, or s390x could appear as follows: CC="gcc -m32"...
  • Page 384 Some applications require separate kernel-loadable modules. If you intend to use such a 32-bit application in a 64-bit system environment, contact the provider of this application and Novell to make sure that the 64-bit version of the kernel-loadable module and the 32-bit compiled version of the kernel API are available for this module.
  • Page 385: Booting And Configuring A Linux System

    Booting and Configuring a Linux System Booting a Linux system involves various different components. This chapter outlines the underlying principles and highlights the components involved. The concept of runlevels and SUSE's system configuration with sysconfig are also discussed in this chapter. 20.1 The Linux Boot Process The Linux boot process consists of several stages, each represented by another component.
  • Page 386 hard disk are referred to as the Master Boot Record (MBR). The boot loader then passes control to the actual operating system, in this case, the Linux kernel. More information about GRUB, the Linux boot loader, can be found in Chapter 21, The Boot Loader (page 401).
  • Page 387 Before the root file system can be mounted and the operating system can be started, the kernel needs the corresponding drivers to access the device on which the root file system is located. These drivers may include special drivers for certain kinds of hard drives or even network drivers to access a network file system.
  • Page 388 your hard drive). To access the final root file system, the kernel needs to load the proper file system drivers. Providing Special Block Files For each loaded module, the kernel generates device events. udev handles these events and generates the needed device special files on a RAM file system in /dev. Without those special files, the file system would not be accessible.
  • Page 389: The Init Process

    Loading the Installation System or Rescue System As soon as the hardware has been properly recognized, the appropriate drivers have been loaded, and udev has created the device special files, init starts the installation system, which contains the actual YaST installer, or the rescue system. Starting YaST Finally, init starts YaST, which starts package installation and system configuration.
  • Page 390 Table 20.1 Available Runlevels (in order): system halt; single user mode (from the boot prompt, only with US keyboard mapping); single user mode; local multiuser mode without remote network (NFS, etc.); full multiuser mode with network; not used; full multiuser mode with network and X display manager (KDM, GDM, or XDM); system reboot. IMPORTANT: Avoid Runlevel 2 with a Partition Mounted via NFS...
  • Page 391 telinit 3 All essential programs and services (including network) are started and regular users are allowed to log in and work with the system without a graphical environment. telinit 5 The graphical environment is enabled. Usually a display manager like XDM, GDM, or KDM is started.
  • Page 392 init consults its configuration file (/etc/inittab) and determines it should start /etc/init.d/rc with the new runlevel as a parameter. Now rc calls the stop scripts of the current runlevel for which there is no start script in the new runlevel. In this example, these are all the scripts that reside in /etc/init.d/rc3.d (old runlevel was 3) and start with a K.
  • Page 393 start and stop. The scripts also understand the restart, reload, force-reload, and status options. These different options are explained in Table 20.2, “Possible init Script Options” (page 393). Scripts that are run directly by init do not have these links. They are run independently from the runlevel when needed. Table 20.2 Possible init Script Options Option...
  • Page 394 for the first time after an update or an installation, the initial system configuration is started. The blogd daemon is a service started by boot and rc before any other one. It is stopped after the actions triggered by these scripts (running a number of subscripts, for example) are completed.
  • Page 395 WARNING: Faulty init Scripts May Halt Your System Faulty init scripts may hang your machine. Edit such scripts with great care and, if possible, subject them to heavy testing in the multiuser environment. Find some useful information about init scripts in Section 20.2.1, “Runlevels”...
  • Page 396: Configuring System Services

    a graphical tool to create such links, use the runlevel editor provided by YaST, as described in Section 20.2.3, “Configuring System Services (Runlevel) with YaST” (page 396). If a script already present in /etc/init.d/ should be integrated into the existing runlevel scheme, create the links in the runlevel directories right away with insserv or by enabling the corresponding service in the runlevel editor of YaST.
  • Page 397 Figure 20.1 System Services (Runlevel) For detailed control over the runlevels in which a service is started or stopped or to change the default runlevel, first select Expert Mode. The current default runlevel or “initdefault” (the runlevel into which the system boots by default) is displayed at the top.
  • Page 398 WARNING: Faulty Runlevel Settings May Damage Your System Faulty runlevel settings may render a system unusable. Before applying your changes, make absolutely sure that you know their consequences. 20.3 System Configuration via /etc/sysconfig The main configuration of SUSE Linux Enterprise is controlled by the configuration files in /etc/sysconfig.
  • Page 399 WARNING: Modifying /etc/sysconfig/* Files Can Damage Your Installation Do not modify the /etc/sysconfig files if you lack previous experience and knowledge. It could do considerable damage to your system. The files in /etc/sysconfig include a short comment for each variable to explain what effect they actually have.
  • Page 400 20.3.2 Changing the System Configuration Manually To manually change the system configuration, proceed as follows: 1 Become root. 2 Bring the system into single user mode (runlevel 1) with init 1. 3 Change the configuration files as needed with an editor of your choice. If you do not use YaST to change the configuration files in /etc/sysconfig, make sure that empty variable values are represented by two quotation marks (KEYTABLE="") and that values with blanks in them are enclosed in quotation...
  • Page 401 The Boot Loader This chapter describes how to configure GRUB, the boot loader used in SUSE® Linux Enterprise. A special YaST module is available for performing all settings. If you are not familiar with the subject of booting in Linux, read the following sections to acquire some background information.
  • Page 402: Selecting A Boot Loader

    Boot Sectors Boot sectors are the first sectors of hard disk partitions with the exception of the extended partition, which merely serves as a “container” for other partitions. These boot sectors have 512 bytes of space for code used to boot an operating system installed in the respective partition.
  • Page 403 GRUB can access file systems of supported BIOS disk devices (floppy disks or hard disks, CD drives, and DVD drives detected by the BIOS). Therefore, changes to the GRUB configuration file (menu.lst) do not require a reinstallation of the boot manager.
  • Page 404 21.2.1 The GRUB Boot Menu The graphical splash screen with the boot menu is based on the GRUB configuration file /boot/grub/menu.lst, which contains all information about all partitions or operating systems that can be booted by the menu. Every time the system is booted, GRUB loads the menu file from the file system. For this reason, GRUB does not need to be reinstalled after every change to the file.
  • Page 405 The command root simplifies the specification of kernel and initrd files. The only argument of root is a device or a partition. This device is used for all kernel, initrd, or other file paths for which no device is explicitly specified until the next root command.
  • Page 406 A complete GRUB path consists of a device name written in parentheses and the path to the file in the file system in the specified partition. The path begins with a slash. For example, the bootable kernel could be specified as follows on a system with a single IDE hard disk containing Linux in its first partition: (hd0,0)/boot/vmlinuz An Example Menu File...
  • Page 407 default 0 The first menu entry title linux is the one to boot by default. timeout 8 After eight seconds without any user input, GRUB automatically boots the default entry. To deactivate automatic boot, delete the timeout line. If you set timeout 0, GRUB boots the default entry immediately.
  • Page 408 the GRUB text-based menu then press . Changes made in this way only apply to the current boot and are not adopted permanently. IMPORTANT: Keyboard Layout during the Boot Procedure The US keyboard layout is the only one available when booting. See Figure 52.1, “US Keyboard Layout”...
  • Page 409 (fd0) /dev/fd0 (hd0) /dev/hda (hd1) /dev/sda Because the order of IDE, SCSI, and other hard disks depends on various factors and Linux is not able to identify the mapping, the sequence in the file device.map can be set manually. If you encounter problems when booting, check if the sequence in this file corresponds to the sequence in the BIOS and use the GRUB prompt to modify it temporarily if necessary.
  • Page 410 (/grub/stage1 (hd0,3)). This is a slightly esoteric configuration, but it is known to work in many cases. stage2 should be loaded to the memory address 0x8000 (/grub/stage2 0x8000). The last entry ((hd0,4)/grub/menu.lst) tells GRUB where to look for the menu file. 21.2.4 Setting a Boot Password Even before the operating system is booted, GRUB enables access to file systems.
  • Page 411: Configuring The Boot Loader With Yast

    initrd (hd0,4)/initrd lock After rebooting the system and selecting the Linux entry from the boot menu, the following error message is displayed: Error 32: Must be authenticated Press to enter the menu. Then press to get a password prompt. After entering the password and pressing Enter, the selected operating system (Linux...
  • Page 412 Use the Section Management tab to edit, change, and delete boot loader sections for the individual operating systems. To add an option, click Add. To change the value of an existing option, select it with the mouse and click Edit. If you do not want to use an existing option at all, select it and click Delete.
  • Page 413 During the conversion, the old GRUB configuration is saved to disk. To use it, simply change the boot loader type back to GRUB and choose Restore Configuration Saved before Conversion. This action is available only on an installed system. NOTE: Custom Boot Loader If you want to use a boot loader other than GRUB or LILO, select Do Not Install Any Boot Loader.
  • Page 414 2 Click Finish to apply your changes. 21.3.3 Default System To change the system that is booted by default, proceed as follows: Procedure 21.3 Setting the Default System 1 Open the Section Management tab. 2 Select the desired system from the list. 3 Click Set as Default.
  • Page 415: Security Settings

    Set for the boot menu should be displayed permanently without timing out by disabling Continue Booting after a Time-Out. 21.3.5 Security Settings Using this YaST module, you can also set a password to protect booting. This gives you an additional level of security. Procedure 21.5 Setting a Boot Loader Password 1 Open the Boot Loader Installation tab.
  • Page 416: Creating Boot Cds

    5 Click Finish to save the changes. Using this module, you can also replace the master boot record with generic code, which boots the active partition. Click Replace MBR with Generic Code in Disk System Area Update. Enable Activate Boot Loader Partition to activate the partition that contains the boot loader.
  • Page 417: The Graphical Suse Screen

    mkdir -p iso/boot/grub 3 Copy the kernel, the files stage2_eltorito, initrd, menu.lst, and /boot/message to iso/boot/: cp /boot/vmlinuz iso/boot/ cp /boot/initrd iso/boot/ cp /boot/message iso/boot/ cp /boot/grub/menu.lst iso/boot/grub 4 Adjust the path entries in iso/boot/menu.lst to make them point to a CD-ROM device.
  • Page 418: Troubleshooting

    Disabling the SUSE screen by default. Add the kernel parameter splash=0 to your boot loader configuration. Chapter 21, The Boot Loader (page 401) provides more information about this. However, if you prefer the text mode, which was the default in earlier versions, set vga=normal. Completely Disabling the SUSE Screen Compile a new kernel and disable the option Use splash screen instead of boot logo in framebuffer support.
  • Page 419 about the installation, configuration, and maintenance of LILO is available in the Support Database under the keyword LILO. GRUB also returns this error message if Linux was installed on an additional hard disk that is not registered in the BIOS. stage1 of the boot loader is found and loaded correctly, but stage2 is not found.
  • Page 420: For More Information

    21.8 For More Information Extensive information about GRUB is available at http://www.gnu.org/software/grub/. Also refer to the grub info page. You can also search for the keyword “GRUB” in the Support Database at http://portal.suse.de/sdb/en/index.html to get information about special issues.
  • Page 421: Special Features Of Suse Linux Enterprise

    Special Features of SUSE Linux Enterprise This chapter starts with information about various software packages, the virtual consoles, and the keyboard layout. We talk about software components like bash, cron, and logrotate, because they were changed or enhanced during the last release cycles. Even if they are small or considered of minor importance, users may want to change their default behavior, because these components are often closely coupled with the system.
  • Page 422 ~/.profile /etc/bash.bashrc ~/.bashrc Custom settings can be made in ~/.profile or in ~/.bashrc. To ensure the correct processing of these files, it is necessary to copy the basic settings from /etc/skel/.profile or /etc/skel/.bashrc into the home directory of the user. It is recommended to copy the settings from /etc/skel following an update.
  • Page 423 run-crons is run every 15 minutes from the main table (/etc/crontab). This guarantees that processes that may have been neglected can be run at the proper time. To run the hourly, daily, or other periodic maintenance scripts at custom times, remove the time stamp files regularly using /etc/crontab entries (see Example 22.2, “/etc/crontab: Remove Time Stamp Files”...
  • Page 424 Example 22.3 Example for /etc/logrotate.conf
    # see "man logrotate" for details
    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    #compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    ...
  • Page 425 22.1.5 The Command ulimit With the ulimit (user limits) command, it is possible to set limits for the use of system resources and to have these displayed. ulimit is especially useful for limiting the memory available for applications. With this, an application can be prevented from using too much memory on its own, which could bring the system to a standstill.
  • Page 426 IMPORTANT Not all shells support ulimit directives. PAM (for instance, pam_limits) offers comprehensive adjustment possibilities if you depend on encompassing settings for these restrictions. 22.1.6 The free Command The free command is somewhat misleading if your goal is to find out how much RAM is currently being used.
  • Page 427 22.1.8 Man Pages and Info Pages For some GNU applications (such as tar), the man pages are no longer maintained. For these commands, use the --help option to get a quick overview of the info pages, which provide more in-depth instructions. info is GNU's hypertext system. Read an introduction to this system by entering info info.
  • Page 428: Virtual Consoles

    The components of Emacs are divided into several packages: • The base package emacs. • emacs-x11 (usually installed): the program with X11 support. • emacs-nox: the program without X11 support. • emacs-info: online documentation in info format. • emacs-el: the uncompiled library files in Emacs Lisp. These are not required at runtime.
  • Page 429: Language And Country-Specific Settings

    /etc/termcap /usr/lib/terminfo/x/xterm /usr/X11R6/lib/X11/app-defaults/XTerm /usr/share/emacs/<VERSION>/site-lisp/term/*.el These changes only affect applications that use terminfo entries or whose configuration files are changed directly (vi, less, etc.). Applications not shipped with SUSE® Linux Enterprise should be adapted to these defaults. Under X, the compose key (multikey) can be accessed using (right).
  • Page 430 RC_LC_MESSAGES, RC_LC_CTYPE, RC_LC_COLLATE, RC_LC_TIME, RC_LC_NUMERIC, RC_LC_MONETARY These variables are passed to the shell without the RC_ prefix and represent the listed categories. The shell profiles concerned are listed below. The current setting can be shown with the command locale. RC_LC_ALL This variable, if set, overwrites the values of the variables already mentioned.
  • Page 431 LANG=en_US.UTF-8 This is the default setting if American English is selected during installation. If you selected another language, that language is enabled but still with UTF-8 as the character encoding. LANG=en_US.ISO-8859-1 This sets the language to English, country to United States, and the character set to ISO-8859-1.
  • Page 432 in /usr/share/locale/en_US/LC_MESSAGES does not exist, it falls back to /usr/share/locale/en/LC_MESSAGES. A fallback chain can also be defined, for example, for Breton to French or for Galician to Spanish to Portuguese: LANGUAGE="br_FR:fr_FR" LANGUAGE="gl_ES:es_ES:pt_PT" If desired, use the Norwegian variants Nynorsk and Bokmål instead (with additional fallback to no): LANG="nn_NO"...
  • Page 433 • Unicode-Howto, by Bruno Haible: /usr/share/doc/howto/en/html/ Unicode-HOWTO.html. Special Features of SUSE Linux Enterprise...
  • Page 435: Virtual Machine Server

    (VM Server). A VM Server can host one or more virtual machines (VMs). NOTE This section contains introductory information and basic setup instructions for virtual machine technology. For the most current and comprehensive information about virtualization, see Novell VM Server Technology [http://www.novell.com/documentation/technology/vm_server]. This section includes: •...
  • Page 436: System Requirements

    • Section 23.8, “Managing Virtual Machines” (page 447) 23.1 System Requirements (VM Server Component / Requirement) Software Packages: VM Server requires the following software packages and their dependencies. • kernel-xen • xen • xen-tools • xen-tools-ioemu (This package is required for hardware-assisted full-virtualization mode.) •...
  • Page 437: Benefits Of Virtual Machines

    (VM Server Component / Requirement) Operating Systems for Virtual Machines: VM Server can host the following VM-aware operating systems in paravirtual mode: • SUSE Linux 10.1 • SUSE Linux Enterprise Server 10 • SUSE Linux Enterprise Desktop 10 With hardware-assisted virtualization, VM Server provides a full virtual environment that can host most popular operating systems.
  • Page 438: Terminology

    • Consolidate servers in the data center. Servers running in the data center are often underutilized. One study showed that data center CPU time averages about 12 percent of capacity. By consolidating several physical servers as VMs running on a virtual machine server, data centers are lowering hardware, maintenance, and electrical costs.
  • Page 439: Virtual Machine Modes

    • Operating systems not optimized for the virtual machine environment are often called shrink-wrapped, out-of-the-box, unmodified, or fully-virtualized guest. 23.4 Virtual Machine Modes The VM Server hosts virtual machines running operating systems in one of two modes: fully virtual or paravirtual. •...
  • Page 440 Figure 23.1 Virtual Machine Server and Device Drivers (layers shown: VM Server Desktop, SUSE Linux, Virtual Machine Monitor, Physical Computer Hardware) Virtual machines are defined and stored on the VM Server. The definitions (called VM definitions) are stored in a configuration file located at /etc/xen/vm/vm_name. The configuration file defines the virtual resources, such as CPU, memory, network card, and block devices, the operating system sees when it is installed and booted on the virtual machine.
  • Page 441 Figure 23.3 VM Device Drivers (one paravirtual machine with a VM definition using Xen devices and two fully virtual machines with VM definitions using emulated devices, each running applications on its operating system) If, for example, a VM’s operating system running in full-virtualization mode needs to save a file on its virtual 20-GB disk drive, the operating system passes its request through the device driver to the VMM.
  • Page 442 VMs can be viewed and managed from the VM Server desktop. Figure 23.5 VM Server Desktop and Three Virtual Machines 23.6 Setting up the Virtual Machine Server This section guides you through the steps to set up and run a VM Server. •...
  • Page 443 23.6.1 Installing Software Packages Software packages can be installed during the SUSE Linux installation or on a computer already running SUSE Linux. For the list of required software packages, see Section 23.1, “System Requirements” (page 436). During Installation of SUSE Linux 1 Begin the SUSE Linux installation.
  • Page 444 23.6.2 Verifying That the GRUB Boot Loader Boots the VM Server When the Xen software packages are installed, the GRUB boot loader is automatically updated to present the VM Server as a boot option. The GRUB boot loader configuration file is usually saved to /boot/grub/menu.lst. You might want to compare your GRUB boot loader configuration file with the sample below to confirm that it was updated to correctly boot VM Server.
  • Page 445 takes the maximum possible memory for its operations. For more information about hypervisor parameters, see the XenSource Web Site [http://www.xensource.com/]. The first module line specifies the directory and filename of the Linux kernel to load. Replace kernel_parameters with the parameters to pass to the kernel. These parameters are the same parameters as those that can be passed to a standard Linux kernel on physical computer hardware.
  • Page 446: Creating Virtual Machines

    • Enter the command rpm -qa | grep xen and make sure that you have installed the software packages listed in Section 23.1, “System Requirements” (page 436). • Make sure the parameters in the GRUB boot loader configuration file are correct. Compare your file to the example given in Section “Sample GRUB Boot Loader File (Typical)”...
  • Page 447: Managing Virtual Machines

    10 (Optional) To customize or verify that definitions were correctly recorded and saved, compare them to definitions in the example files located in /etc/xen/examples. 11 (Conditional) Depending on the installation method you select, the operating system’s installation program might start. If so, complete the installation program as prompted.
  • Page 448 Task / Command: To view the console of an already-running VM (paravirtual): xm console vm_name. To change the memory available to a VM (paravirtual): xm mem-set vm_name MB_Memory. To do a normal shutdown of the VM’s operating system (paravirtual): xm shutdown vm_name. To do a normal shutdown of the VM’s operating system (fully virtual): Access the operating system’s...
  • Page 449 NOTE Closing the VNC viewer window does not terminate the VM. Virtual Machine Server...
  • Page 451: Printer Operation

    Printer Operation CUPS is the standard print system in SUSE® Linux Enterprise. CUPS is highly user-oriented. In many cases, it is compatible with LPRng or can be adapted with relatively little effort. LPRng is included in SUSE Linux Enterprise only for reasons of compatibility.
  • Page 452: Workflow Of The Printing System

    address some functions of extremely new and fancy printers, because the open source developers may still be working on these features. Except for the hpijs drivers developed by HP, there are currently no printer manufacturers who develop Linux drivers and make them available to Linux distributors under an open source license.
  • Page 453: Methods And Protocols For Connecting Printers

    The filter converts the data the user wants to print (ASCII, PostScript, PDF, JPEG, etc.) into printer-specific data (PostScript, PCL, ESC/P, etc.). The features of the printer are described in the PPD files. A PPD file contains printer-specific options with the parameters needed to enable them on the printer.
  • Page 454: Installing The Software

    24.3 Installing the Software PPD (PostScript printer description) is the computer language that describes the properties, like resolution, and options, such as the availability of a duplex unit. These descriptions are required for using various printer options in CUPS. Without a PPD file, the print data would be forwarded to the printer in a “raw”...
  • Page 455: Automatic Configuration

    24.4.1 Local Printers If an unconfigured local printer is detected when you log in, YaST starts for configuring it. This uses the same dialogs as the following description of configuration. To configure the printer, select Hardware → Printer in the YaST control center. This opens the main printer configuration window, where the detected devices are listed in the upper part.
  • Page 456 Hardware Connection (Port) The configuration of the hardware connection depends on whether YaST has been able to find the printer during hardware autodetection. If YaST is able to detect the printer model automatically, it can be assumed that the printer connection works on the hardware level and no settings need to be changed in this respect.
  • Page 457: Network Printers

    Figure 24.1 Selecting the Printer Model Always check whether your settings work as expected by printing the test page. If the output is garbled, for example, with several pages almost empty, you should be able to stop the printer by first removing all paper then stopping the test from YaST.
  • Page 458 standard. Manufacturers then provide drivers for only a few operating systems, eliminating difficulties with those systems. Unfortunately, Linux drivers are rarely provided. The current situation is such that you cannot act on the assumption that every protocol works smoothly in Linux. Therefore, you may have to experiment with various options to achieve a functional configuration.
  • Page 459 smb://user:password@workgroup/server/printer, smb://user:password@host/printer, and smb://server/printer. The protocol supported by the printer must be determined before configuration. If the manufacturer does not provide the needed information, the command nmap, which comes with the nmap package, can be used to guess the protocol. nmap checks a host for open ports.
  • Page 460 Do not use -E as the first option. For all CUPS commands, -E as the first argument sets use of an encrypted connection. To enable the printer, -E must be used as shown in the following example: lpadmin -p ps -v parallel:/dev/lp0 -P \ /usr/share/cups/model/Postscript.ppd.gz -E The following example configures a network printer: lpadmin -p ps -v socket://192.168.1.0:9100/ -P \...
  • Page 461: Configuration For Applications

    24.5 Configuration for Applications Applications rely on the existing printer queues in the same way as command line tools do. There is usually no need to reconfigure the printer for a particular application, because you should be able to print from applications using the available queues. To print from the command line, enter lp -d queuename filename, substituting the corresponding names for queuename and filename.
  • Page 462 For every queue on the network server, you can configure a local queue through which to forward all jobs to the corresponding network server (forwarding queue). Usually, this approach is not recommended, because all client machines must be reconfigured whenever the configuration of the network server changes. Print jobs can also be forwarded directly to one network server.
  • Page 463 cupsd Runs as the User lp On start-up, cupsd changes from the user root to the user lp. This provides a much higher level of security, because the CUPS print service does not run with unrestricted permissions, only with the permissions needed for the print service. However, the authentication (the password check) cannot be performed via /etc/shadow, because lp has no access to /etc/shadow.
  • Page 464 Allow From 127.0.0.2 Allow From @LOCAL </Location> In this way, only LOCAL hosts can access cupsd on a CUPS server. LOCAL hosts are hosts whose IP addresses belong to a non-PPP interface (interfaces whose IFF_POINTOPOINT flags are not set) and whose IP addresses belong to the same network as the CUPS server.
  • Page 465 CUPS PPD Files in the cups Package The generic PPD files in the cups package have been complemented with adapted Foomatic PPD files for PostScript level 1 and level 2 printers: • /usr/share/cups/model/Postscript-level1.ppd.gz • /usr/share/cups/model/Postscript-level2.ppd.gz PPD Files in the cups-drivers Package Normally, the Foomatic printer filter foomatic-rip is used together with Ghostscript for non-PostScript printers.
  • Page 466: Troubleshooting

    • The vendor and model determined during the hardware detection match the vendor and model in a PPD file from the manufacturer-PPDs package. • The PPD file from the manufacturer-PPDs package is the only suitable PPD file for the printer model or there is a Foomatic PPD file with a *NickName: ...
  • Page 467: Language Support

    24.7.1 Printers without Standard Printer Language Support Printers that do not support any common printer language and can only be addressed with special control sequences are called GDI printers. These printers only work with the operating system versions for which the manufacturer delivers a driver. GDI is a programming interface developed by Microsoft for graphics devices.
  • Page 468 problem spots reported by cupstestppd should be eliminated. If necessary, ask the printer manufacturer for a suitable PPD file. 24.7.3 Parallel Ports The safest approach is to connect the printer directly to the first parallel port and to select the following parallel port settings in the BIOS: •...
  • Page 469 Checking the TCP/IP Network The TCP/IP network and name resolution must be functional. Checking a Remote lpd Use the following command to test if a TCP connection can be established to lpd (port 515) on host: netcat -z host 515 && echo ok || echo failed If the connection to lpd cannot be established, lpd may not be active or there may be basic network problems.
  • Page 470 ►zseries: Take into account that IBM System z ethernet devices do not receive broadcasts by default. ◄ The following command can be used to test if a TCP connection can be established to cupsd (port 631) on host: netcat -z host 631 && echo ok || echo failed If the connection to cupsd cannot be established, cupsd may not be active or there may be basic network problems.
  • Page 471 This output indicates that the printer connected to the print server box can be addressed via TCP socket on port 9100. By default, nmap only checks a number of commonly known ports listed in /usr/share/nmap/nmap-services. To check all possible ports, use the command nmap -p from_port-to_port IP-address.
  • Page 472 from applications and forwards them to the cupsd on the server. When cupsd accepts a print job, it is assigned a new job number. Therefore, the job number on the client host is different from the job number on the server. Because a print job is usually forwarded immediately, it cannot be deleted with the job number on the client host, because the client cupsd regards the print job as completed as soon as it has been forwarded to the server cupsd.
  • Page 473 nate all processes that are still accessing the printer (more precisely: the parallel port). 4 Reset the printer completely by switching it off for some time. Then insert the paper and turn on the printer. 24.7.9 Debugging the CUPS Print System Use the following generic procedure to locate problems in the CUPS print system: 1 Set LogLevel debug in /etc/cups/cupsd.conf.
  • Page 475: Dynamic Kernel Device Management With Udev

    Dynamic Kernel Device Management with udev Since version 2.6, the kernel is capable of adding or removing almost any device in the running system. Changes in device state (whether a device is plugged in or removed) need to be propagated to userspace. Devices need to be configured as soon as they are plugged in and discovered.
  • Page 476: Kernel Uevents And Udev

    25.2 Kernel uevents and udev The required device information is exported by the sysfs file system. For every device the kernel has detected and initialized, a directory with the device name is created. It contains attribute files with device-specific properties. Every time a device is added or removed, the kernel sends a uevent to notify udev of the change.
  • Page 477: Booting And Initial Device Setup

    aliases provided by the modules. If a matching entry is found, that module is loaded. All this is triggered by udev and happens automatically. 25.4 Booting and Initial Device Setup All device events happening during the boot process before the udev daemon is running are lost, because the infrastructure to handle these events lives on the root file system and is not available at that time.
  • Page 478: Influencing Kernel Device Event Handling With Udev Rules

    The UEVENT lines show the events the kernel has sent over netlink. The UDEV lines show the finished udev event handlers. The timing is printed in microseconds. The time between UEVENT and UDEV is the time udev took to process this event or the udev daemon has delayed its execution to synchronize this event with related and already running events.
  • Page 479: Persistent Device Naming

    and the assignment keys are assigned the specified value. A matching rule may specify the name of the device node, add symlinks pointing to the node, or run a specified program as part of the event handling. If no matching rule is found, the default device node name is used to create the device node.
  • Page 480: The Replaced Hotplug Package

    25.8 The Replaced hotplug Package The formerly used hotplug package is entirely replaced by udev and the udev-related kernel infrastructure. The following parts of the former hotplug infrastructure have been made obsolete or had their functionality taken over by udev: /etc/hotplug/*.agent No longer needed or moved to /lib/udev /etc/hotplug/*.rc...
  • Page 481: For More Information

    /lib/udev/* Helper programs called from udev rules 25.9 For More Information For more information about the udev infrastructure, refer to the following man pages: udev General information about udev, keys, rules, and other important configuration issues. udevinfo udevinfo can be used to query device information from the udev database. udevd Information about the udev event managing daemon.
  • Page 483: File Systems In Linux

    File Systems in Linux Linux supports a number of different file systems. This chapter presents a brief overview of the most popular Linux file systems, elaborating on their design concepts, advantages, and fields of application. Some additional information about LFS (large file support) in Linux is also provided.
  • Page 484: Major File Systems In Linux

    it obsoletes the lengthy search process that checks the entire file system at system start-up. Instead, only the journal is replayed. 26.2 Major File Systems in Linux Unlike two or three years ago, choosing a file system for a Linux system is no longer a matter of a few seconds (Ext2 or ReiserFS?).
  • Page 485 directly in the B tree leaf nodes instead of being stored elsewhere and just maintaining a pointer to the actual disk location. In addition to that, storage is not allocated in chunks of 1 or 4 kB, but in portions of the exact size needed. Another benefit lies in the dynamic allocation of inodes.
  • Page 486 +found). In contrast to journaling file systems, e2fsck analyzes the entire file system and not just the recently modified bits of metadata. This takes significantly longer than checking the log data of a journaling file system. Depending on file system size, this procedure can take half an hour or more. Therefore, it is not desirable to choose Ext2 for any server that needs high availability.
  • Page 487 Ext3 in the data=journal mode offers maximum security (data integrity), but can slow down the system because both metadata and data are journaled. A relatively new approach is to use the data=ordered mode, which ensures both data and metadata integrity, but uses journaling only for metadata. The file system driver collects all data blocks that correspond to one metadata update.
  • Page 488 26.2.5 Reiser4 Right after kernel 2.6 had been released, the family of journaling file systems was joined by another member: Reiser4. Reiser4 is fundamentally different from its predecessor ReiserFS (version 3.6). It introduces the concept of plug-ins to tweak the file system functionality and a finer grained security concept.
  • Page 489 good at manipulating large files and performs well on high-end hardware. However, even XFS has a drawback. Like ReiserFS, XFS takes great care of metadata integrity, but less of data integrity. A quick review of XFS's key features explains why it may prove a strong competitor for other journaling file systems in high-end computing.
  • Page 490 msdos: ... DOS, is today used by various operating systems. ncpfs: File system for mounting Novell volumes over networks. Network File System: Here, data can be stored on any machine in a network and access may be granted via a network.
  • Page 491: Large File Support In Linux

    umsdos (UNIX on MSDOS): Applied on top of a normal fat file system, achieves UNIX functionality (permissions, links, long filenames) by creating special files. vfat (Virtual FAT): Extension of the fat file system (supports long filenames). ntfs: Windows NT file system, read-only. 26.4 Large File Support in Linux Originally, Linux supported a maximum file size of 2 GB.
  • Page 492: For More Information

    File System / File Size (Bytes) / File System Size (Bytes): ... (8 EB) / (8 EB); NFSv2 (client side): (2 GB) / (8 EB); NFSv3 (client side): (8 EB) / (8 EB). IMPORTANT: Linux Kernel Limits Table 26.2, “Maximum Sizes of File Systems (On-Disk Format)” (page 491) describes the limitations regarding the on-disk format.
  • Page 493 A comprehensive multipart tutorial about Linux file systems can be found at IBM developerWorks: http://www-106.ibm.com/developerworks/library/l-fs.html. For a comparison of the different journaling file systems in Linux, look at Juan I. Santos Florido's article at Linuxgazette: http://www.linuxgazette.com/issue55/florido.html. Those interested in an in-depth analysis of LFS in Linux should try Andreas Jaeger's LFS site: http://www.suse.de/~aj/linux_lfs.html.
  • Page 495 The X Window System The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. X is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet). This chapter describes the setup and optimization of the X Window System environment, provides background information about the use of fonts in SUSE®...
  • Page 496 is initially configured during installation. To change the settings afterwards, use the respective module from the YaST control center or run SaX2 manually from the command line with the command sax2. The SaX2 main window provides a common interface for the individual modules from the YaST control center.
  • Page 497: Optimizing The X Configuration

    Tablet For a description of the graphics tablet configuration, see Section 7.13.4, “Tablet Properties” (page 195). Touchscreen For a description of the touchscreen configuration, see Section 7.13.5, “Touchscreen Properties” (page 196). For a description of the VNC configuration, see Section 7.13.6, “Remote Access Properties”...
  • Page 498 The following sections describe the structure of the configuration file /etc/X11/xorg.conf. It consists of several sections, each one dealing with a certain aspect of the configuration. Each section starts with the keyword Section <designation> and ends with EndSection. The sections have the form: Section designation entry 1 entry 2...
  • Page 499 Type / Meaning: ... you want to connect a fixed frequency monitor. Find details of the meaning of individual number values in the HOWTO files in /usr/share/doc/howto/en/html/XFree86-Video-Timings-HOWTO. Device: This section defines a specific graphics card. It is referenced by its descriptive name. Screen: This section puts together a Monitor and a Device to form all the necessary settings for X.Org.
  • Page 500 Example 27.1 Screen Section of the File /etc/X11/xorg.conf
    Section "Screen"
      DefaultDepth
      SubSection "Display"
        Depth
        Modes "1152x864" "1024x768" "800x600"
        Virtual 1152x864
      EndSubSection
      SubSection "Display"
        Depth
        Modes "1280x1024"
      EndSubSection
      SubSection "Display"
        Depth
        Modes "640x480"
      EndSubSection
      SubSection "Display"
        Depth
        Modes "1280x1024"
      EndSubSection
      Device "Device[0]"...
  • Page 501 number pad), switch to the left. This enables you to vary the resolution while X is running. The last line of the Display subsection with Depth 16 refers to the size of the virtual screen. The maximum possible size of a virtual screen depends on the amount of memory installed on the graphics card and the desired color depth, not on the maximum resolution of the monitor.
  • Page 502 through the ModulePath defined in the Files section in the drivers subdirectory. In a standard installation, this is the directory /usr/X11R6/lib/modules/drivers. _drv.o is added to the name, so, in the case of the mga driver, the driver file mga_drv.o is loaded. The behavior of the X server or of the driver can also be influenced through additional options.
  • Page 503: Installing And Configuring Fonts

    configuration section. If this is not possible for some reason, use one of the VESA modes included in the X server. This will function with practically all graphics card and monitor combinations. 27.3 Installing and Configuring Fonts The installation of additional fonts in SUSE Linux Enterprise is very easy. Simply copy the fonts to any directory located in the X11 font path (see Section 27.3.1, “X11 Core Fonts”...
  • Page 504 scalable fonts with glyphs for many languages may take a long time. Unicode fonts are also supported, but their use may be slow and require more memory. The X11 core font system has a few inherent weaknesses. It is outdated and can no longer be extended in a meaningful fashion.
  • Page 505 spective application has access to the actual font files and full control of how the glyphs are rendered. This constitutes the basis for the correct display of text in a number of languages. Direct access to the font files is very useful for embedding fonts for printing to make sure that the printout looks the same as the screen output.
  • Page 506 </edit> </match> to disable antialiasing for specific fonts. By default, most applications use the font names sans-serif (or the equivalent sans), serif, or monospace. These are not real fonts but only aliases that are resolved to a suitable font, depending on the language setting. Users can easily add rules to ~/.fonts.conf to resolve these aliases to their favorite fonts: <alias>...
  • Page 507
    FreeMonoBoldOblique.ttf: FreeMono:style=BoldOblique:weight=200
    FreeSerif.ttf: FreeSerif:style=Medium:weight=80
    FreeSerifBoldItalic.ttf: FreeSerif:style=BoldItalic:weight=200
    FreeSansOblique.ttf: FreeSans:style=Oblique:weight=80
    FreeSerifItalic.ttf: FreeSerif:style=Italic:weight=80
    FreeMonoOblique.ttf: FreeMono:style=Oblique:weight=80
    FreeMono.ttf: FreeMono:style=Medium:weight=80
    FreeSans.ttf: FreeSans:style=Medium:weight=80
    FreeSerifBold.ttf: FreeSerif:style=Bold:weight=200
    FreeSansBoldOblique.ttf: FreeSans:style=BoldOblique:weight=200
    FreeMonoBold.ttf: FreeMono:style=Bold:weight=200
    Important parameters that can be queried with fc-list: Table 27.2 Parameters of fc-list. Parameter / Meaning and Possible Values: ... Name of the font family, for example, FreeSans.
  • Page 508: Hardware Support

    Parameter / Meaning and Possible Values: pixelsize: Font size in pixels. In connection with fc-list, this option only makes sense for bitmap fonts. 27.3.3 CID-Keyed Fonts In contrast to the other font types, you cannot simply install CID-keyed fonts in just any directory.
  • Page 509 OpenGL Driver Supported Hardware Matrox G200/G400/G450/G550, Rage 128(Pro)/Radeon (up to 9250) If you are installing with YaST for the first time, 3D acceleration can be activated during installation, provided YaST detects 3D support. For nVidia graphics chips, the nVidia driver must be installed first. To do this, select the nVidia driver patch in YOU (YaST Online Update).
  • Page 510 the instructions of 3Ddiag if you receive failed messages. If everything is correct, you only see done messages on the screen. 27.4.4 OpenGL Test Utilities For testing OpenGL, the program glxgears and games like tuxracer and armagetron (packages have the same names) can be useful. If 3D support has been activated, it should be possible to play these smoothly on a fairly new computer.
  • Page 511 of the graphical user interface (X Window System) does not include 3D hardware acceleration configuration. If you experience problems with 3D hardware acceleration, it is recommended to disable 3D support completely. 27.4.7 For More Information For information, refer to the README files in /usr/X11R6/lib/X11/doc. Find more information about nvidia driver installation at http://www.suse.de/~sndirsch/nvidia-installer-HOWTO.html.
  • Page 513: Authentication With Pam

    Authentication with PAM Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
  • Page 514: Configuration File

    28.1 Structure of a PAM Configuration File Each line in a PAM configuration file contains a maximum of four columns: <Type of module> <Control flag> <Module path> <Options> PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings.
  • Page 515: The Pam Configuration Of Sshd

    modules with the same flag are processed before the user receives a message about the failure of the authentication attempt. requisite Modules having this flag must also be processed successfully, in much the same way as a module with the required flag. However, in case of failure a module with this flag gives immediate feedback to the user and no further modules are processed.
  • Page 516 Example 28.1 PAM Configuration for sshd
    #%PAM-1.0
    auth     include   common-auth
    auth     required  pam_nologin.so
    account  include   common-account
    password include   common-password
    session  include   common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
    #session optional  pam_resmgr.so fake_ttyname
    The typical PAM configuration of an application (sshd, in this case) contains four include statements referring to the configuration files of four module types: common-auth, common-account, common-password, and common-session.
  • Page 517 modules is not successful, the entire module stack is still processed and only then is sshd notified about the negative result. As soon as all modules of the auth type have been successfully processed, another include statement is processed, in this case, that in Example 28.3, “Default Configuration for the account Section”...
  • Page 518: Configuration Of Pam Modules

    which may define limits on the use of certain system resources. The session modules are called a second time when the user logs out. 28.3 Configuration of PAM Modules Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security.
  • Page 519 VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
    VARIABLE: Name of the environment variable to set.
    [DEFAULT=[value]]: Default value the administrator wants set.
    [OVERRIDE=[value]]: Values that may be queried and set by pam_env, overriding the default value.
    A typical example of how pam_env can be used is the adaptation of the DISPLAY variable, which is changed whenever a remote login takes place.
  • Page 520: For More Information

    28.3.4 limits.conf System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.
  • Page 521: Power Management

    Power Management Power management is especially important on laptop computers, but is also useful on other systems. Two technologies are available: APM (advanced power management) and ACPI (advanced configuration and power interface). In addition to these, it is also possible to control CPU frequency scaling to save power or decrease noise. These options can be configured manually or using a special YaST module.
  • Page 522: Power Saving Functions

    29.1 Power Saving Functions Power saving functions are not only significant for the mobile use of laptops, but also for desktop systems. The main functions and their use in the power management systems APM and ACPI are: Standby This operating mode turns off the display. On some computers, the processor performance is throttled.
  • Page 523 Shutdown of System Components Switching off the hard disk is the greatest single aspect of the power saving potential of the overall system. Depending on the reliability of the overall system, the hard disk can be put to sleep for some time. However, the risk of losing data increases with the duration of the sleep periods.
  • Page 524: Acpi

    (no-)allow-ints: Allow interrupts during the execution of BIOS functions.
    (no-)broken-psr: The “GetPowerStatus” function of the BIOS does not work properly.
    (no-)realmode-power-off: Reset processor to real mode prior to shutdown.
    (no-)debug: Log APM events in system log.
    (no-)power-off: Power system off after shutdown.
    bounce-interval=n: Time in hundredths of a second after a suspend event during which additional suspend events are ignored.
  • Page 525 system executes commands stored in the BIOS, the functionality depends on the BIOS implementation. The tables ACPI can detect and load are reported in /var/log/boot.msg. See Section 29.3.4, “Troubleshooting” (page 530) for more information about troubleshooting ACPI problems. 29.3.1 ACPI in Action If the kernel detects an ACPI BIOS when the system is booted, ACPI is activated automatically and APM is deactivated.
  • Page 526 /proc/acpi/event All events are reported here and processed by the Powersave daemon (powersaved). If no daemon accesses this file, events, such as a brief click on the power button or closing the lid, can be read with cat /proc/acpi/event (terminate with Ctrl /proc/acpi/dsdt and /proc/acpi/fadt These files contain the ACPI tables DSDT (differentiated system description table)
  • Page 527 /proc/acpi/processor/*/power Information about the current processor state. An asterisk next to C2 indicates that the processor is idle. This is the most frequent state, as can be seen from the usage value. /proc/acpi/processor/*/throttling Can be used to set the throttling of the processor clock. Usually, throttling is possible in eight levels.
  • Page 528 in this file in this order. For example, the entry echo 90:0:70:0:0 > trip_points sets the temperature for critical to 90 and the temperature for passive to 70 (all temperatures measured in degrees Celsius). /proc/acpi/thermal_zone/*/polling_frequency If the value in temperature is not updated automatically when the temperature changes, toggle the polling mode here.
  • Page 529 hardware or in regard to specific processors or drivers, the userspace implementation is still the only working solution. ondemand governor This is the kernel implementation of a dynamic CPU frequency policy and should work on most systems. As soon as there is a high system load, the CPU frequency is immediately increased.
  • Page 530 such as powersaved, is the best approach. A static setting to a low frequency is useful for battery operation or if you want the computer to be cool or quiet. Throttling should be used as the last resort, for example, to extend the battery operation time despite a high system load.
  • Page 531 acpi=off Disable ACPI. WARNING: Problems Booting without ACPI Some newer machines (especially SMP systems and AMD64 systems) need ACPI for configuring the hardware correctly. On these machines, disabling ACPI can cause problems. Monitor the boot messages of the system with the command dmesg | grep -2i acpi (or all messages, because the problem may not be caused by ACPI) after booting.
  • Page 532: Rest For The Hard Disk

    29.4 Rest for the Hard Disk In Linux, the hard disk can be put to sleep entirely if it is not needed or it can be run in a more economic or quieter mode. On modern laptops, you do not need to switch off the hard disks manually, because they automatically enter an economic operating mode whenever they are not needed.
  • Page 533: The Powersave Package

    Apart from these processes, journaling file systems, like ReiserFS and Ext3, write their metadata independently from bdflush, which also prevents the hard disk from spinning down. To avoid this, a special kernel extension has been developed for mobile devices. See /usr/src/linux/Documentation/laptop-mode.txt for details. Another important factor is the way active programs behave.
  • Page 534 /etc/sysconfig/powersave/common This file contains general settings for the powersave daemon. For example, the amount of debug messages in /var/log/messages can be increased by increasing the value of the variable DEBUG. /etc/sysconfig/powersave/events The powersave daemon needs this file for processing system events. An event can be assigned external actions or actions performed by the daemon itself.
  • Page 535 The directory /usr/lib/powersave/scripts contains scripts for processing events: switch_vt Useful if the screen is displaced after a suspend or standby. wm_logout Saves the settings and logs out from GNOME, KDE, or other window managers. wm_shutdown Saves the GNOME or KDE settings and shuts down the system. set_disk_settings Executes the disk settings made in /etc/sysconfig/powersave/disk.
  • Page 536 /etc/sysconfig/powersave/sleep In this file, activate the sleep modes and determine which critical modules should be unloaded and which services should be stopped prior to a suspend or standby event. When the system is resumed, these modules are reloaded and the services are restarted.
  • Page 537 Standby (ACPI S1, APM standby) Switches some devices off (manufacturer-dependent). Make sure that the following default options are set in the file /etc/sysconfig/powersave/events for the correct processing of suspend, standby, and resume (default settings following the installation of SUSE Linux Enterprise): EVENT_GLOBAL_SUSPEND2DISK= "prepare_suspend_to_disk screen_saver do_suspend_to_disk"...
  • Page 538 increase as soon as the system is connected to the AC power supply. The CPU frequency, the power saving function of IDE, and a number of other parameters can be modified. The actions to execute when the computer is disconnected from or connected to the AC power supply are defined in /etc/sysconfig/powersave/events.
  • Page 539 Further throttling of the CPU performance is possible if the CPU load does not exceed a specified limit for a specified time. Specify the load limit in PROCESSOR_IDLE_LIMIT and the time-out in CPU_IDLE_TIMEOUT. If the CPU load stays below the limit longer than the time-out, the event configured in EVENT_PROCESSOR_IDLE is activated.
  • Page 540 3 Copy the file DSDT.aml to any location (/etc/DSDT.aml is recommended). Edit /etc/sysconfig/kernel and adapt the path to the DSDT file accordingly. Start mkinitrd (package mkinitrd). Whenever you install the kernel and use mkinitrd to create an initrd, the modified DSDT is integrated and loaded when the system is booted.
  • Page 541: The Yast Power Management Module

    UNLOAD_MODULES_BEFORE_STANDBY=""
    SUSPEND2DISK_RESTART_SERVICES=""
    SUSPEND2RAM_RESTART_SERVICES=""
    STANDBY_RESTART_SERVICES=""
    If you use suspend or standby in changing network environments or in connection with remotely mounted file systems, such as Samba and NIS, use automounter to mount them or add the respective services, for example, smbfs or nfs, in the above-mentioned variable.
  • Page 542 Figure 29.1 Scheme Selection In this dialog, select the schemes to use for battery operation and AC operation. To add or modify the schemes, click Edit Schemes, which opens an overview of the existing schemes like that shown in Figure 29.2, “Overview of Existing Schemes” (page 542).
  • Page 543 In the scheme overview, select the scheme to modify then click Edit. To create a new scheme, click Add. The dialog that opens is the same in both cases and is shown in Figure 29.3, “Configuring a Scheme” (page 543). Figure 29.3 Configuring a Scheme First, enter a suitable name and description for the new or edited scheme.
  • Page 544 Figure 29.4 Battery Charge Level The BIOS of your system notifies the operating system whenever the charge level drops under certain configurable limits. In this dialog, define three limits: Warning Capacity, Low Capacity, and Critical Capacity. Specific actions are triggered when the charge level drops under these limits.
  • Page 545 Figure 29.5 ACPI Settings Access the dialog for configuring the ACPI buttons using ACPI Settings. It is shown in Figure 29.5, “ACPI Settings” (page 545). The settings for the ACPI buttons determine how the system should respond to certain switches. Configure the system response to pressing the power button, pressing the sleep button, and closing the laptop lid.
  • Page 547: Wireless Communication

    Wireless Communication Wireless LAN can be used to establish communication between your SUSE® Linux Enterprise machines. This chapter introduces the principles of wireless networking and the basic configuration for wireless networking. 30.1 Wireless LAN Wireless LANs have become an indispensable aspect of mobile computing. Today, most laptops have built-in WLAN cards.
  • Page 548 Table of 802.11 standards (columns: Name, Band (GHz), Maximum Transmission Rate (MBit/s), Note); only the last row is preserved here:
    802.11g   Backward-compatible with ...
    Additionally, there are proprietary standards, like the 802.11b variation of Texas Instruments with a maximum transmission rate of 22 MBit/s (sometimes referred to as 802.11b+). However, the popularity of cards using this standard is limited. 30.1.1 Hardware 802.11 cards are not supported by SUSE®...
  • Page 549 AbsoluteValue Systems at http://www.linux-wlan.org/docs/wlan_adapters.html.gz. http://wiki.uni-konstanz.de/wiki/bin/view/Wireless/ListeChipsatz provides an overview of the various WLAN chips. Some cards need a firmware image that must be loaded into the card when the driver is initialized. This is the case with Intersil PrismGT, Atmel, and TI ACX100 and ACX111.
  • Page 550 The 802.11i standard (also referred to as WPA2, because WPA is based on a draft version of 802.11i) includes WPA and some other authentication and encryption methods. Authentication To make sure that only authorized stations can connect, various authentication mechanisms are used in managed networks: Open An open system is a system that does not require authentication.
  • Page 551 WPA-EAP needs a RADIUS server to authenticate users. EAP offers three different methods for connecting and authenticating to the server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol). In a nutshell, these options work as follows: EAP-TLS TLS authentication relies on the mutual exchange of certificates both for server and client.
  • Page 552: Configuration With Yast

    CCMP (defined in IEEE 802.11i) CCMP is the AES-based (CCM mode) encryption and integrity protocol of 802.11i, not a key management scheme; the keys it uses are established by the 802.11i handshake, with the master key coming either from WPA-EAP or from the WPA-PSK passphrase. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. The AES encryption is stronger than the RC4 encryption of the WEP standard. 30.1.3 Configuration with YaST To configure your wireless network card, start the YaST Network Card module.
  • Page 553 Network Name (ESSID) All stations in a wireless network need the same ESSID for communicating with each other. If nothing is specified, the card automatically selects an access point, which may not be the one you intended to use. Authentication Mode Select a suitable authentication method for your network: Open, Shared Key, WPA- PSK, or WPA-EAP.
  • Page 554 cording to the length previously specified. ASCII requests an input of 5 characters for a 64-bit key and 13 characters for a 128-bit key. For Hexadecimal, enter 10 characters for a 64-bit key or 26 characters for a 128-bit key in hexadecimal notation. WPA-PSK To enter a key for WPA-PSK, select the input method Passphrase or Hexadecimal.
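As an added worked example (not code from the SUSE manual), the following Python script applies the key-length rules above and derives a WPA-PSK from a passphrase the way a supplicant or access point does: PBKDF2-HMAC-SHA1 with 4096 iterations and the ESSID as salt (IEEE 802.11i Annex H), which produces the 64 hex digits the Hexadecimal input method lets you enter directly. The sample keys and the ESSID "IEEE" are test inputs, not values from the manual.

```python
# Added example, not from the SUSE manual: WEP key-length rules and the
# WPA-PSK passphrase-to-key derivation (IEEE 802.11i Annex H).
import hashlib
import string

# A "64-bit" WEP key carries 40 secret bits and a "128-bit" key 104 bits;
# the other 24 bits are the per-packet IV, which is never configured.
WEP_ASCII_LENGTHS = {5: 64, 13: 128}   # characters -> nominal key size
WEP_HEX_LENGTHS = {10: 64, 26: 128}    # hex digits -> nominal key size


def wep_key_bits(key: str, method: str) -> int:
    """Return the nominal WEP key size (64 or 128) for a key typed as
    'ascii' or 'hex'; raise ValueError for anything YaST would reject."""
    if method == "ascii":
        table = WEP_ASCII_LENGTHS
        well_formed = key.isascii() and key.isprintable()
    elif method == "hex":
        table = WEP_HEX_LENGTHS
        well_formed = len(key) > 0 and all(c in string.hexdigits for c in key)
    else:
        raise ValueError("method must be 'ascii' or 'hex'")
    if not well_formed or len(key) not in table:
        raise ValueError(f"invalid {method} WEP key of length {len(key)}")
    return table[len(key)]


def wpa_psk_from_passphrase(passphrase: str, essid: str) -> str:
    """Expand an 8..63 character passphrase to the 256-bit PSK (64 hex digits).
    The ESSID is the salt, so the same passphrase yields a different PSK on
    every network name; an attacker who captured one four-way handshake can
    still guess passphrases offline, so passphrase length matters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              essid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


def wpa_psk_hex_is_valid(psk_hex: str) -> bool:
    """The Hexadecimal input method expects exactly 64 hex digits (32 bytes)."""
    return len(psk_hex) == 64 and all(c in string.hexdigits for c in psk_hex)


if __name__ == "__main__":
    print(wep_key_bits("abcde", "ascii"))                     # 64
    print(wep_key_bits("0123456789abcdef0123456789", "hex"))  # 128
    # Published 802.11i test vector: passphrase "password" on ESSID "IEEE"
    print(wpa_psk_from_passphrase("password", "IEEE"))
```

Because the ESSID is part of the derivation, renaming a network invalidates any PSK that was entered in hexadecimal form; re-enter the passphrase or recompute the key after changing the ESSID.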
  • Page 555 system tries to use the highest possible data transmission rate. Some WLAN cards do not support the setting of bit rates. Access Point In an environment with several access points, one of them can be preselected by specifying the MAC address. 30.1.4 Utilities hostap (package hostap) is used to run a WLAN card as an access point.
  • Page 556 Security If you want to set up a wireless network, remember that anybody within the transmission range can easily access it if no security measures are implemented. Therefore, be sure to activate an encryption method. All WLAN cards and access points support WEP encryption. WEP's RC4 keying is cryptographically broken, however, and a WEP key can be recovered from passively captured traffic, so treat it as a last resort for hardware that cannot do WPA or WPA2 with CCMP.
  • Page 557 to use WPA, read /usr/share/doc/packages/wireless-tools/README.prism2. WPA support is quite new in SUSE Linux Enterprise and still under development. Thus, YaST does not support the configuration of all WPA authentication methods. Not all wireless LAN cards and drivers support WPA. Some cards need a firmware update to enable WPA.
  • Page 559: Part Iv Services

    Part IV. Services...
  • Page 561: Basic Networking

    Basic Networking Linux offers the necessary networking tools and features for integration into all types of network structures. The customary Linux protocol, TCP/IP, has various services and special features, which are discussed here. Network access using a network card, modem, or other device can be configured with YaST.
  • Page 562 Protocol Description then converted by the operating system to the appropriate format. The data arrives at the respective application on the destination host in the original data stream format in which it was initially sent. TCP determines whether any data has been lost during the transmission and that there is no mix-up.
  • Page 563 Figure 31.1 Simplified Layer Model for TCP/IP. Host sun and host earth each run the same stack, and the diagram provides one or two examples for each layer:
    Application Layer   Applications
    Transport Layer     TCP, UDP
    Network Layer       IP
    Data Link Layer     Ethernet, FDDI, ISDN
    Physical Layer      Cable, Fiberglass
    Data transfer between the two hosts takes place at the physical layer.
  • Page 564 located at the end of the packet, not at the beginning. This simplifies things for the network hardware. Figure 31.2 TCP/IP Ethernet Packet, from the innermost payload outward:
    Usage Data (maximum 1460 bytes)
    TCP (Layer 4) Protocol Header (approx. 20 bytes)
    IP (Layer 3) Protocol Header (approx. 20 bytes)
    Ethernet (Layer 2) Protocol Header (approx....
  • Page 565: Ip Addresses And Routing

    31.1 IP Addresses and Routing The discussion in this section is limited to IPv4 networks. For information about IPv6 protocol, the successor to IPv4, refer to Section 31.2, “IPv6—The Next Generation Internet” (page 568). 31.1.1 IP Addresses Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Example 31.1, “Writing IP Addresses”...
  • Page 566 an IP address belongs to the network. All those bits that are 1 mark the corresponding bit in the IP address as belonging to the network. All bits that are 0 mark bits inside the subnetwork. This means that the more bits are 1, the smaller the subnetwork is. Because the netmask always consists of several successive 1 bits, it is also possible to just count the number of bits in the netmask.
  • Page 567 Address Type Description (page 566) under Result. This address cannot be assigned to any hosts. Broadcast Address This basically says, “Access all hosts in this subnetwork.” To generate this, the netmask is inverted in binary form and linked to the base network address with a logical OR. The above ex- ample therefore results in 192.168.0.255.
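The bit operations described above, as an added example that is not from the manual. It works on 32-bit integers rather than Python's ipaddress module so that the AND, the inversion and the OR are visible; the 192.168.0.x/255.255.255.0 values are the manual's own, the 10.20.37.9/255.255.240.0 case is constructed.

```python
# Added example, not from the SUSE manual: netmask arithmetic on 32-bit
# integers. The 192.168.0.0/255.255.255.0 values are the manual's; the
# 10.20.37.9/255.255.240.0 case is constructed.

def ipv4_to_int(text: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {text!r}")
        value = (value << 8) | octet
    return value


def int_to_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(netmask: str) -> int:
    """Count the 1 bits of the mask. The text notes that a netmask is always a
    run of successive 1 bits, so a mask such as 255.0.255.0 is rejected."""
    mask = ipv4_to_int(netmask)
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return ones


def network_address(ip: str, netmask: str) -> str:
    """Bits that are 1 in the mask belong to the network: IP AND mask."""
    return int_to_ipv4(ipv4_to_int(ip) & ipv4_to_int(netmask))


def broadcast_address(ip: str, netmask: str) -> str:
    """Invert the mask and OR it onto the network address."""
    mask = ipv4_to_int(netmask)
    network = ipv4_to_int(ip) & mask
    return int_to_ipv4(network | (~mask & 0xFFFFFFFF))


def usable_hosts(netmask: str) -> int:
    """Host addresses excluding the network and broadcast address."""
    host_bits = 32 - prefix_length(netmask)
    return max((1 << host_bits) - 2, 0)


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True if both addresses share the network part; this is the test a host
    makes before deciding whether a packet goes to the gateway."""
    return network_address(ip_a, netmask) == network_address(ip_b, netmask)


if __name__ == "__main__":
    for ip, mask in (("192.168.0.20", "255.255.255.0"), ("10.20.37.9", "255.255.240.0")):
        print(f"{ip}/{prefix_length(mask)}: network {network_address(ip, mask)}, "
              f"broadcast {broadcast_address(ip, mask)}, {usable_hosts(mask)} hosts")
```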
  • Page 568 31.2 IPv6—The Next Generation Internet IMPORTANT: IBM System z: IPv6 Support IPv6 is not supported by the CTC and IUCV network connections of the IBM System z hardware. Due to the emergence of the WWW (World Wide Web), the Internet has experienced explosive growth with an increasing number of computers communicating via TCP/IP in the past fifteen years.
  • Page 569 31.2.1 Advantages The most important and most visible improvement brought by the new protocol is the enormous expansion of the available address space. An IPv6 address is made up of 128-bit values instead of the traditional 32 bits. This provides for about 3.4 × 10^38 (2^128) IP addresses.
  • Page 570 Backward Compatibility Realistically, it would be impossible to switch the entire Internet from IPv4 to IPv6 at one time. Therefore, it is crucial that both protocols are able to coexist not only on the Internet, but also on one system. This is ensured by compatible addresses (IPv4 addresses can easily be translated into IPv6 addresses) and through the use of a number of tunnels.
  • Page 571 Multicast Addresses of this type relate to a group of network interfaces. Packets with such an address are delivered to all destinations that belong to the group. Multicast ad- dresses are mainly used by certain network services to communicate with certain groups of hosts in a well-directed manner.
  • Page 572 Example 31.4 IPv6 Address Specifying the Prefix Length: fe80::10:1000:1a4/64. IPv6 knows about several predefined types of prefixes. Some of these are shown in Table 31.4, “Various IPv6 Prefixes” (page 572). Table 31.4 Various IPv6 Prefixes Prefix (hex) Definition IPv4 addresses and IPv4 over IPv6 compatibility addresses. These are used to maintain compatibility with IPv4.
  • Page 573 Site Topology The second part contains routing information about the subnetwork to which to deliver the packet. Interface ID The third part identifies the interface to which to deliver the packet. This also allows for the MAC to form part of the address. Given that the MAC is a globally unique, fixed identifier coded into the device by the hardware maker, the configuration procedure is substantially simplified. The flip side is that such an address carries the hardware identifier into every packet, so a host can be recognized across networks by its interface ID.
  • Page 574 zero bytes. Addresses of this type are used during automatic configuration to communicate with other hosts belonging to the same subnetwork. site-local Packets with this type of address may be routed to other subnetworks, but not to the wider Internet—they must remain inside the organization's own network. Such addresses are used for intranets and are an equivalent of the private address space defined by IPv4. (RFC 3879 deprecated site-local addresses in 2004; new deployments use the unique local addresses of RFC 4193 instead.)
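An added example (not from the manual) that classifies IPv6 addresses by the prefixes named above and shows the interface ID construction from a MAC that the text mentions: the modified EUI-64 insertion of ff:fe and the flipped universal/local bit. Because the mapping is reversible, mac_from_address recovers the hardware address from any autoconfigured address, which is the privacy cost of that convenience. The prefix table and the sample MAC 00:11:22:33:44:55 are assumptions of this example; fe80::10:1000:1a4 is the manual's address.

```python
# Added example, not from the SUSE manual: IPv6 prefix classification and the
# MAC <-> interface-ID mapping (modified EUI-64). Sample MAC is constructed.
import ipaddress

# Prefix table assumed for this example. Site-local (fec0::/10) is deprecated
# since RFC 3879 but still appears in configurations of this manual's era.
PREFIXES = [
    ("::1/128", "loopback"),
    ("::/128", "unspecified"),
    ("::/96", "IPv4-compatible"),
    ("fe80::/10", "link-local"),
    ("fec0::/10", "site-local"),
    ("ff00::/8", "multicast"),
]


def classify(addr: str) -> str:
    """Return the prefix class of an address (a trailing /len is ignored)."""
    ip = ipaddress.IPv6Address(addr.split("/")[0])
    for prefix, label in PREFIXES:
        if ip in ipaddress.IPv6Network(prefix):
            return label
    return "global"


def interface_id_from_mac(mac: str) -> str:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle and
    flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return ":".join(f"{(eui[i] << 8 | eui[i + 1]):x}" for i in range(0, 8, 2))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 based address, or None if the low 64 bits
    do not have the ff:fe marker (e.g. a manually assigned or privacy address)."""
    packed = ipaddress.IPv6Address(addr.split("/")[0]).packed
    iid = bytearray(packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def link_local_from_mac(mac: str) -> str:
    """The address a host autoconfigures on a link before any router is seen."""
    return str(ipaddress.IPv6Address("fe80::" + interface_id_from_mac(mac)))


if __name__ == "__main__":
    print(classify("fe80::10:1000:1a4/64"))          # link-local
    print(link_local_from_mac("00:11:22:33:44:55"))  # fe80::211:22ff:fe33:4455
    print(mac_from_address("fe80::211:22ff:fe33:4455"))
```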
  • Page 575 system is guaranteed where there is a dual stack implementation of both protocols. That still leaves the question of how an IPv6 enabled host should communicate with an IPv4 host and how IPv6 packets should be transported by the current networks, which are predominantly IPv4 based.
  • Page 576 IMPORTANT: The 6bone Initiative In the heart of the “old-time” Internet, there is already a globally distributed network of IPv6 subnets that are connected through tunnels. This is the 6bone network (http://www.6bone.net), an IPv6 test environment that may be used by programmers and Internet providers who want to develop and offer IPv6-based services to gain the experience necessary to implement the new protocol.
  • Page 577: Name Resolution

    http://www.6bone.net/ Visit this site if you want to join a tunneled IPv6 network. http://www.ipv6.org/ The starting point for everything about IPv6. RFC 2460 The fundamental RFC about IPv6. IPv6 Essentials A book describing all the important aspects of the topic is IPv6 Essentials by Silvia Hagen (ISBN 0-596-00125-8).
  • Page 578 The top of the hierarchy is occupied by root name servers. These root name servers manage the top level domains and are run by the Network Information Center (NIC). Each root name server knows about the name servers responsible for a given top level domain.
  • Page 579 31.4.1 Configuring the Network Card with YaST To configure your network wired or wireless card in YaST, select Network Devices → Network Card. After starting the module, YaST displays a general network configuration dialog. Choose whether to use YaST or NetworkManager to manage all your network devices.
  • Page 580 Changing the Configuration of a Network Card To change the configuration of a network card, select a card from the list of the detected cards in the YaST network card configuration module and click Edit. The Network Address Setup dialog appears in which to adjust the card configuration using the Address and General tabs.
  • Page 581 Firewall Zone Determine whether your network interface should be protected by a firewall. For details, refer to Section “Configuring the Firewall” (page 584). Device Activation Depending on which applications or scripts you use to control your network devices, set the appropriate start mode. For details, refer to Section “Starting the Device”...
  • Page 582
    3 Enter IP Address and Subnet Mask.
    4 Click Next.
    5 To activate the configuration, click Next again.
    One network device can have multiple IP addresses, called aliases. To set an alias for your network card, proceed as follows:
    1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
  • Page 583
    2 In the Address tab, click Hostname and Name Server.
    3 To disable DHCP-driven host name configuration, deselect Change Hostname via DHCP.
    4 Enter Hostname and, if it is needed, Domain Name.
    5 To disable DHCP-driven updates of the name server list, deselect Update Name Servers and Search List via DHCP.
  • Page 584 Adding Special Hardware Options Sometimes a module of a network card needs special parameters to work correctly. To set them with YaST, proceed as follows:
    1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
  • Page 585
    1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
    2 Enter the General tab of the network configuration dialog.
    3 Determine the firewall zone to which your interface should be assigned. The following options are available: Firewall Disabled The firewall is not run at all.
  • Page 586 2 Set the Device Type of the interface from the available options, Configuration Name, and Module Name. If the network card is a PCMCIA or USB device, ac- tivate the respective check box and exit this dialog with Next. Otherwise, select your network card model from Select from List.
  • Page 587 In the YaST Control Center, access the modem configuration under Network Devices. If your modem was not automatically detected, open the dialog for manual configuration. In the dialog that opens, enter the interface to which the modem is connected under Modem.
  • Page 588 In the next dialog, select the ISP (Internet service provider). To choose from a predefined list of ISPs operating in your country, select Country. Alternatively, click New to open a dialog in which to provide the data for your ISP. This includes a name for the dial-up connection and ISP as well as the login and password provided by your ISP.
  • Page 589 31.4.3 ISDN TIP: IBM System z: ISDN The configuration of this type of hardware is not supported on IBM System z platforms. Use this module to configure one or several ISDN cards for your system. If YaST did not detect your ISDN card, manually select it. Multiple interfaces are possible, but several ISPs can be configured for one interface.
  • Page 590 the ISDN driver as root with the command rcisdn start. On Hotplug, used for PCMCIA or USB devices, loads the driver after the device is plugged in. When finished with these settings, select OK. In the next dialog, specify the interface type for your ISDN card and add ISPs to an existing interface.
  • Page 591 Smaller private branch exchanges (PBX) built for home purposes mostly use the Euro-ISDN (EDSS1) protocol for internal calls. These exchanges have an internal S0 bus and use internal numbers for the equipment connected to them. Use one of the internal numbers as your MSN. You should be able to use at least one of the exchange's MSNs that have been enabled for direct outward dialing.
  • Page 592 server is sent by the ISP each time you connect. For a single workstation, however, you still need to provide a placeholder address like 192.168.22.99. If your ISP does not support dynamic DNS, specify the name server IP addresses of the ISP. If desired, specify a time-out for the connection—the period of network inactivity (in seconds) after which the connection should be automatically terminated.
  • Page 593 To configure your DSL device, select the DSL module from the YaST Network Devices section. This YaST module consists of several dialogs in which to set the parameters of DSL links based on one of the following protocols: • PPP over Ethernet (PPPoE) •...
  • Page 594 Figure 31.7 DSL Configuration To begin the DSL configuration (see Figure 31.7, “DSL Configuration” (page 594)), first select the PPP mode and the ethernet card to which the DSL modem is connected (in most cases, this is eth0). Then use Device Activation to specify whether the DSL link should be established during the boot process.
  • Page 595 The configuration of T-DSL is very similar to the DSL setup. Just select T-Online as your provider and YaST opens the T-DSL configuration dialog. In this dialog, provide some additional information required for T-DSL—the line ID, the T-Online number, the user code, and your password. All of these should be included in the information you received after subscribing to T-DSL.
  • Page 596 figure. Choose the Device Settings that fit your devices (usually this would be Compat- ibility mode). Specify both your IP address and the IP address of the remote partner. If needed, adjust the MTU size with Advanced → Detailed Settings. Leave the network configuration with Next and Finish.
  • Page 597: Managing Network Connections With Networkmanager

    31.5 Managing Network Connections with NetworkManager NetworkManager is the ideal solution for a mobile workstation. With NetworkManager, you do not need to worry about configuring network interfaces and switching between networks when you are moving. NetworkManager can automatically connect to known WLAN networks.
  • Page 598 additional information, like its name, password or encryption key, NetworkManager prompts for it. Both KDE and GNOME have their own applets for NetworkManager. An appropriate applet should start automatically with the desktop environment. The applet is then shown as an icon in the system tray. Functions of both applets are similar, but their interfaces are different.
  • Page 599 The GNOME NetworkManager Applet GNOME also has its own applet for NetworkManager. If it is not running, start it with the command nm-applet. When it is running, an icon is shown in the system tray. The appearance of the icon depends on state of the network connection. If you are not sure what the icon means, hold the mouse cursor over it until an explanation appears.
  • Page 600: Configuring A Network Connection Manually

    31.6 Configuring a Network Connection Manually Manual configuration of the network software should always be the last alternative. Using YaST is recommended. However, this background information about the network configuration can also assist your work with YaST. All built-in network cards and hotplug network cards (PCMCIA, USB, some PCI cards) are detected and configured via hotplug.
  • Page 601 To assign a certain network configuration to any card of a certain type (of which only one is inserted at a time) instead of a certain card, select less specific configuration names. For example, bus-pcmcia would be used for all PCMCIA cards. On the other hand, the names can be limited by a preceding interface type.
  • Page 602 ifup requires an existing interface, because it does not initialize the hardware. The initialization of the hardware is handled by the command hwup (executed by hotplug or coldplug). When a device is initialized, ifup is automatically executed for the new interface via hotplug and the interface is set up if the start mode is onboot, hotplug, or auto and the network service was started.
  • Page 603: Configuration Files

    31.6.1 Configuration Files This section provides an overview of the network configuration files and explains their purpose and the format used. /etc/sysconfig/hardware/hwcfg-* These files contain the hardware configurations of network cards and other devices. They contain the needed parameters, such as the kernel module, start mode, and script associations.
  • Page 604 For each interface that needs individual routing, define an additional configuration file: /etc/sysconfig/network/ifroute-*. Replace * with the name of the interface. The entries in the routing configuration files look like this:
    # Destination     Dummy/Gateway   Netmask         Device
    127.0.0.0         0.0.0.0         255.255.255.0
    204.127.235.0     0.0.0.0         255.255.255.0...
  • Page 605 Example 31.5 /etc/resolv.conf
    # Our domain
    search example.com
    # We use sun (192.168.0.20) as nameserver
    nameserver 192.168.0.20
    Some services, like pppd (wvdial), ipppd (isdn), dhcp (dhcpcd and dhclient), pcmcia, and hotplug, modify the file /etc/resolv.conf by means of the script modify_resolvconf. If the file /etc/resolv.conf has been temporarily modified by this script, it contains a predefined comment giving information about the service that modified it, the location where the original file has been backed up, and how to turn off the automatic modification mechanism.
  • Page 606 Example 31.6 /etc/hosts
    127.0.0.1       localhost
    192.168.0.20    sun.example.com sun
    192.168.0.0     earth.example.com earth
    /etc/networks Here, network names are converted to network addresses. The format is similar to that of the hosts file, except the network names precede the addresses. See Example 31.7, “/etc/networks”...
  • Page 607
    nospoof on, spoofalert on/off   These parameters influence the name server spoofing checks but, apart from that, do not exert any influence on the network configuration.
    trim domainname                 The specified domain name is separated from the hostname after hostname resolution (as long as the hostname includes the domain name).
  • Page 608 The “databases” available over NSS are listed in Table 31.7, “Databases Available via /etc/nsswitch.conf” (page 608). In addition, automount, bootparams, netmasks, and publickey are expected in the near future. The configuration options for NSS databases are listed in Table 31.8, “Configuration Options for NSS “Databases”” (page 609).
  • Page 609 Table 31.8 Configuration Options for NSS “Databases”
    files          directly access files, for example, /etc/aliases
    db             access via a database
    nis, nisplus   NIS, see also Chapter 36, Using NIS (page 673)
    dns            can only be used as an extension for hosts and networks
    compat         can only be used as an extension for passwd, shadow, and group...
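An added example (not from the manual) of reading /etc/nsswitch.conf in the format described above and checking that each source is used only with a database it is valid for, as Table 31.8 requires: compat only with passwd, shadow and group, dns only with hosts and networks. The file content below is constructed; the inclusion of ldap among the known sources is an assumption of this example.

```python
# Added example, not from the SUSE manual: parse /etc/nsswitch.conf and
# enforce the source restrictions of Table 31.8. SAMPLE_NSSWITCH is a
# constructed file, not a copy of any real system's configuration.

# Sources that are only meaningful for particular databases (Table 31.8).
RESTRICTED_SOURCES = {
    "compat": {"passwd", "shadow", "group"},
    "dns": {"hosts", "networks"},
}
# Sources listed in the table plus ldap, which this example assumes is
# also installed on the system being checked.
KNOWN_SOURCES = {"files", "db", "nis", "nisplus", "dns", "compat", "ldap"}

SAMPLE_NSSWITCH = """\
# constructed sample /etc/nsswitch.conf
passwd:   compat
shadow:   compat
group:    compat
hosts:    files dns
networks: files dns
aliases:  files nis
services: files compat      # compat is not valid for services
"""


def parse_nsswitch(text: str) -> dict:
    """Return {database: [source, ...]}. Comments and empty lines are skipped;
    [STATUS=action] items such as [NOTFOUND=return] are not sources and are
    dropped, so only the lookup order remains."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        config[database.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return config


def check_nsswitch(text: str) -> list:
    """Return a list of problems; an empty list means every source is known
    and used only with a database it is valid for."""
    problems = []
    for database, sources in parse_nsswitch(text).items():
        for source in sources:
            if source not in KNOWN_SOURCES:
                problems.append(f"{database}: unknown source {source!r}")
                continue
            allowed = RESTRICTED_SOURCES.get(source)
            if allowed is not None and database not in allowed:
                problems.append(
                    f"{database}: source {source!r} is only valid for {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    for problem in check_nsswitch(SAMPLE_NSSWITCH):
        print(problem)
```

An unknown source is worth flagging because glibc silently skips an nsswitch source whose NSS module is not installed, so a typo leaves the database resolved by whatever source follows it.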
  • Page 610 31.6.2 Testing the Configuration Before you write your configuration to the configuration files, you can test it. To set up a test configuration, use the ip command. To test the connection, use the ping command. Older configuration tools, ifconfig and route, are also available. The commands ip, ifconfig, and route change the network configuration directly without saving it in the configuration file.
  • Page 611 tunnel This object represents a tunnel over IP. If no command is given, the default command is used, usually list. Change the state of a device with the command ip link set device_name command. For example, to deactivate device eth0, enter ip link set eth0 down.
  • Page 612 ping output. The second-to-last line contains information about number of transmitted packets, packet loss, and total time of ping running. As the destination, you can use a hostname or IP address, for example, ping example.com or ping 130.57.5.75. The program sends packets until you press Ctrl If you only need to check the functionality of the connection, you can limit the number...
  • Page 613 NOTE: ifconfig and ip The program ifconfig is obsolete. Use ip instead. Without arguments, ifconfig displays the status of the currently active interfaces. As you can see in Example 31.11, “Output of the ifconfig Command” (page 613), ifconfig has very well-arranged and detailed output. The output also contains information about the MAC address of your device, the value of HWaddr, in the first line.
  • Page 614 NOTE: route and ip The program route is obsolete. Use ip instead. route is especially useful if you need quick and comprehensible information about your routing configuration to determine problems with routing. To view your current routing configuration, enter route -n as root. Example 31.12 Output of the route -n Command route -n Kernel IP routing table...
  • Page 615: Smpppd As Dial-Up Assistant

    /etc/init.d/inetd     Starts xinetd. xinetd can be used to make server services available on the system. For example, it can start vsftpd whenever an FTP connection is initiated.
    /etc/init.d/portmap   Starts the portmapper needed for RPC servers, such as an NFS server.
    Starts the NFS server...
  • Page 616 31.7.1 Configuring smpppd The connections provided by smpppd are automatically configured by YaST. The actual dial-up programs KInternet and cinternet are also preconfigured. Manual settings are only required to configure additional features of smpppd, such as remote control. The configuration file of smpppd is /etc/smpppd.conf. By default, it does not enable remote control.
  • Page 617 31.7.2 Configuring KInternet, cinternet, and qinternet for Remote Use KInternet, cinternet, and qinternet can be used to control a local or remote smpppd. cinternet is the command-line counterpart of the graphical KInternet. qinternet is basically the same as KInternet, but does not use the KDE libraries, so it can be used without KDE and must be installed separately.
  • Page 619: Slp Services In The Network

    SLP Services in the Network The service location protocol (SLP) was developed to simplify the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network.
  • Page 620: Registering Your Own Services

    linuxrc starts an SLP inquiry after the system has booted from the selected boot medium and displays the sources found. 32.2 Registering Your Own Services Many applications under SUSE Linux Enterprise already have integrated SLP support through the use of the libslp library. If a service has not been compiled with SLP support, use one of the following methods to make it available with SLP: Static Registration with /etc/slp.reg.d Create a separate registration file for each new service.
  • Page 621: Slp Front-Ends In Suse Linux Enterprise

    TIP: YaST and SLP Some services brokered by YaST, such as an installation server or YOU server, perform this registration for you automatically when you activate SLP in the module dialogs. YaST then creates registration files for these services. Static Registration with /etc/slp.reg The only difference from the procedure with /etc/slp.reg.d is the grouping of all services within a central file.
  • Page 622: Activating Slp

    32.4 Activating SLP slpd must run on your system if you want to offer services. It is not necessary to start this daemon simply to make service inquiries. Like most system services in SUSE Linux Enterprise, the slpd daemon is controlled by means of a separate init script. The daemon is inactive by default.
  • Page 623: Time Synchronization With Ntp

    Time Synchronization with NTP The NTP (network time protocol) mechanism is a protocol for synchronizing the system time over the network. First, a machine can obtain the time from a server that is a reliable time source. Second, a machine can itself act as a time source for other computers in the network.
  • Page 624 SuSEfirewall because they are part of a protected intranet. Both are described in the following. 33.1.1 Quick NTP Client Configuration The quick NTP client configuration (Network Services → NTP Client) consists of two dialogs. Set the start mode of xntpd and the server to query in the first dialog. To start xntpd automatically when the system is booted, click During Boot.
  • Page 625 dialog, test the availability of the selected server with Test and quit the dialog with Finish. 33.1.2 Complex NTP Client Configuration The complex configuration of an NTP client can be accessed under Complex Configu- ration from the main dialog of the NTP Client module, shown in Figure 33.1, “YaST: Configuring an NTP Client”...
  • Page 626: Configuring Xntp In The Network

    Click Add to add a new source of time information. In the following dialog, select the type of source with which the time synchronization should be made. The following options are available: Server Another dialog enables you to select an NTP server (as described in Section 33.1.1, “Quick NTP Client Configuration”...
  • Page 627: Setting Up A Local Reference Clock

    its name to the file /etc/ntp.conf by adding the line server ntp.example.com. To add more time servers, insert additional lines with the key- word server. After initializing xntpd with the command rcntpd start, it takes about one hour until the time is stabilized and the drift file for correcting the local computer clock is created.
  • Page 628 module, for example, has mode 5. To use this clock as a preferred reference, specify the keyword prefer. The complete server line for a Conrad DCF77 receiver module would be: server 127.127.8.0 mode 5 prefer Other clocks follow the same pattern. Following the installation of the xntp-doc package, the documentation for xntp is available in the directory /usr/share/doc/ packages/xntp-doc/html.
  • Page 629: The Domain Name System

    The Domain Name System DNS (domain name system) is needed to resolve the domain names and hostnames into IP addresses. In this way, the IP address 192.168.0.0 is assigned to the hostname earth, for example. Before setting up your own name server, read the general information about DNS in Section 31.3, “Name Resolution”...
  • Page 630: Configuration With Yast

    (not expired) zone data. If the slave cannot obtain a new copy of the zone data, it stops responding for the zone. Forwarder Forwarders are DNS servers to which your DNS server should send queries it cannot answer. Record The record is information about name and IP address. Supported records and their syntax are described in BIND documentation.
  • Page 631 1 When starting the module for the first time, the Forwarder Settings dialog, shown in Figure 34.1, “DNS Server Installation: Forwarder Settings” (page 631), opens. In it, decide whether the PPP daemon should provide a list of forwarders on dial-up via DSL or ISDN (PPP Daemon Sets Forwarders) or whether you want to supply your own list (Set Forwarders Manually).
  • Page 632 Figure 34.2 DNS Server Installation: DNS Zones 3 In the final dialog, you can open the DNS port in the firewall by clicking Open Port in Firewall. Then decide whether or not the DNS server should be started (On or Off). You can also activate LDAP support. See Figure 34.3, “DNS Server Installation: Finish Wizard”...
  • Page 633 Figure 34.3 DNS Server Installation: Finish Wizard 34.2.2 Expert Configuration After starting the module, YaST opens a window displaying several configuration options. Completing it results in a DNS server configuration with the basic functions in place: Starting the DNS Server Under Booting, define whether the DNS server should be started when the system boots (during booting the system) or manually.
  • Page 634 DNS Server: Basic Options In this section, set basic server options. From the Option menu, select the desired item then specify the value in the corresponding entry field. Include the new entry by selecting Add. Logging To set what the DNS server should log and how, select Logging. Under Log Type, specify where the DNS server should write the log data.
  • Page 635 Using ACLs Use this window to define ACLs (access control lists) to enforce access restrictions. After providing a distinct name under Name, specify an IP address (with or without netmask) under Value in the following fashion: { 10.10/16; } The syntax of the configuration file requires that the address ends with a semicolon and is put into curly braces.
  • Page 636 Figure 34.5 DNS Server: Slave Zone Editor Adding a Master Zone To add a master zone, select DNS Zones, choose the zone type Master, write the name of the new zone, and click Add. Editing a Master Zone To edit a master zone, select DNS Zones, choose the zone type Master, select the master zone from the table, and click Edit.
  • Page 637 Figure 34.6 DNS Server: Zone Editor (Basic) Zone Editor (NS Records) This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under Name Server to Add then confirm with Add.
  • Page 638 Figure 34.7 DNS Server: Zone Editor (NS Records) Zone Editor (MX Records) To add a mail server for the current zone to the existing list, enter the corresponding address and priority value. After doing so, confirm by selecting Add. See Figure 34.8, “DNS Server: Zone Editor (MX Records)”...
  • Page 639 Figure 34.8 DNS Server: Zone Editor (MX Records) Zone Editor (SOA) This page allows you to create SOA (start of authority) records. For an explanation of the individual options, refer to Example 34.6, “File /var/lib/named/world.zone” (page 647). Changing SOA records is not supported for dynamic zones managed via LDAP.
  • Page 640: Starting The Name Server Bind

    Figure 34.9 DNS Server: Zone Editor (SOA) Zone Editor (Records) This dialog manages name resolution. In Record Key, enter the hostname then select its type. A-Record represents the main entry. The value for this should be an IP address. CNAME is an alias. Use the types NS and MX for detailed or partial records that expand on the information provided in the NS Records and MX Records tabs.
  • Page 641 a proper DNS. A simple example of this is included in the documentation in /usr/ share/doc/packages/bind/sample-config. TIP: Automatic Adaptation of the Name Server Information Depending on the type of Internet connection or the network connection, the name server information can automatically be adapted to the current conditions. To do this, set the variable MODIFY_NAMED_CONF_DYNAMICALLY in the file /etc/sysconfig/network/config to yes.
  • Page 642: The Configuration File /Etc/Named.conf

    The options entry is followed by entries for the zone, localhost, and 0.0.127.in-addr.arpa. The type hint entry under “.” should always be present. The corresponding files do not need to be modified and should work as they are. Also make sure that each entry is closed with a “;” and that the curly braces are in the correct places.
  • Page 643 Example 34.2 A Basic /etc/named.conf

      options {
              directory "/var/lib/named";
              forwarders { 10.0.0.1; };
              notify no;
      };

      zone "localhost" in {
              type master;
              file "localhost.zone";
      };

      zone "0.0.127.in-addr.arpa" in {
              type master;
              file "127.0.0.zone";
      };

      zone "." in {
              type hint;
              file "root.hint";
      };

    34.4.1 Important Configuration Options directory "filename";...
  • Page 644 127.0.0.1 to permit requests from the local host. If you omit this entry entirely, all interfaces are used by default. listen-on-v6 port 53 {any; }; Tells BIND on which port it should listen for IPv6 client requests. The only alter- native to any is none.
  • Page 645 notify no; no prevents other name servers from being informed when changes are made to the zone data or when the name server is restarted. 34.4.2 Logging What, how, and where logging takes place can be extensively configured in BIND. Normally, the default settings should be sufficient.
  • Page 646: Zone Files

    type master; By specifying master, tell BIND that the zone is handled by the local name server. This assumes that a zone file has been created in the correct format. type slave; This zone is transferred from another name server. It must be used together with masters.
  • Page 647 again. A missing or wrongly placed dot is probably the most frequent cause of name server configuration errors. The first case to consider is the zone file world.zone, responsible for the domain world.cosmos, shown in Example 34.6, “File /var/lib/named/world.zone” (page 647). Example 34.6 File /var/lib/named/world.zone $TTL 2D world.cosmos.
  • Page 648 root@world.cosmos the entry must read root.world.cosmos.. The . must be included at the end to prevent the zone from being added. • The ( includes all lines up to ) into the SOA record. Line 3: The serial number is an arbitrary number that is increased each time this file is changed.
  • Page 649 taken first and, if mail delivery to this server fails, an attempt is made with the next higher value. Lines 12–17: These are the actual address records where one or more IP addresses are assigned to hostnames. The names are listed here without a . because they do not include their domain, so world.cosmos is added to all of them.
  • Page 650 Example 34.7 Reverse Lookup

      $TTL 2D
      1.168.192.in-addr.arpa. IN SOA gateway.world.cosmos. root.world.cosmos. (
                          2003072441   ; serial
                                       ; refresh
                                       ; retry
                                       ; expiry
                          2D )         ; minimum

                          IN NS  gateway.world.cosmos.

                          IN PTR gateway.world.cosmos.
                          IN PTR earth.world.cosmos.
                          IN PTR mars.world.cosmos.

    Line 1: $TTL defines the standard TTL that applies to all entries here. Line 2: The configuration file should activate reverse lookup for the network 192.168.1.0.
  • Page 651: Dynamic Update Of Zone Data

    34.6 Dynamic Update of Zone Data The term dynamic update refers to operations by which entries in the zone files of a master server are added, changed, or deleted. This mechanism is described in RFC 2136. Dynamic update is configured individually for each zone entry by adding an optional allow-update or update-policy rule.
  • Page 652: Dns Security

    secret ";ejIkuCyyGJwwuN3xAteKgg==; WARNING: File Permissions of /etc/named.conf Make sure that the permissions of /etc/named.conf are properly restricted. The default for this file is 0640, with the owner being root and the group named. As an alternative, move the keys to an extra file with specially limited permissions, which is then included from /etc/named.conf.
  • Page 653: For More Information

    algorithm is currently used to generate these keys. The public keys generated should be included in the corresponding zone file with an $INCLUDE rule. With the command dnssec-makekeyset, all keys generated are packaged into one set, which must then be transferred to the parent zone in a secure manner. On the parent, the set is signed with dnssec-signkey.
  • Page 655 DHCP The purpose of the dynamic host configuration protocol (DHCP) is to assign network settings centrally from a server rather than configuring them locally on each and every workstation. A host configured to use DHCP does not have control over its own static address.
  • Page 656 uring numerous workstations. Also it is much easier to integrate machines, particularly new machines, into the network, because they can be given an IP address from the pool. Retrieving the appropriate network settings from a DHCP server is especially useful in the case of laptops regularly used in different networks.
  • Page 657 Figure 35.1 DHCP Server: Card Selection Global Settings Use the check box to determine whether your DHCP settings should be automatically stored by an LDAP server. In the entry fields, provide the network specifics for all clients the DHCP server should manage. These specifics are the domain name, address of a time server, addresses of the primary and secondary name server, addresses of a print and a WINS server (for a mixed network with both Windows and Linux clients), gateway address, and lease time.
  • Page 658 Figure 35.2 DHCP Server: Global Settings Dynamic DHCP In this step, configure how dynamic IP addresses should be assigned to clients. To do so, specify an IP range from which the server can assign addresses to DHCP clients. All these addresses must be covered by the same netmask. Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease.
  • Page 659 Figure 35.3 DHCP Server: Dynamic DHCP Finishing the Configuration and Setting the Start Mode After the third part of the configuration wizard, a last dialog is shown in which you can define how the DHCP server should be started. Here, specify whether to start the DHCP server automatically when the system is booted or manually when needed (for example, for test purposes).
  • Page 660 Figure 35.4 DHCP Server: Start-Up Host Management Instead of using dynamic DHCP in the way described in the preceding sections, you can also configure the server to assign addresses in quasi-static fashion. To do so, use the entry fields provided in the lower part to specify a list of the clients to manage in this way.
  • Page 661 Figure 35.5 DHCP Server: Host Management 35.1.2 Expert Configuration In addition to the configuration method discussed earlier, there is also an expert configuration mode that allows you to tweak the DHCP server setup in every detail. Start the expert configuration by selecting Expert Settings in the tree view in the left part of the dialog.
  • Page 662 Figure 35.6 DHCP Server: Chroot Jail and Declarations Selecting the Declaration Type The Global Options of the DHCP server are made up of a number of declarations. This dialog lets you set the declaration types Subnet, Host, Shared Network, Group, Pool of Addresses, and Class.
  • Page 663 Figure 35.7 DHCP Server: Selecting a Declaration Type Subnet Configuration This dialog allows you to specify a new subnet with its IP address and netmask. In the middle part of the dialog, modify the DHCP server start options for the selected subnet using Add, Edit, and Delete.
  • Page 664 Figure 35.8 DHCP Server: Configuring Subnets TSIG Key Management If you chose to configure dynamic DNS in the previous dialog, you can now configure the key management for a secure zone transfer. Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS (see Figure 35.10, “DHCP Server: Interface Configuration for Dynamic DNS”...
  • Page 665 Figure 35.9 DHCP Server: TSIG Configuration Dynamic DNS: Interface Configuration You can now activate dynamic DNS for the subnet by selecting Enable Dynamic DNS for This Subnet. After doing so, use the drop-down list to choose the TSIG keys for forward and reverse zones, making sure that keys are the same for the DNS and the DHCP server.
  • Page 666 Figure 35.10 DHCP Server: Interface Configuration for Dynamic DNS Network Interface Configuration To define the interfaces where the DHCP server should listen and adjust the firewall configuration, select Advanced → Interface Configuration from the expert configuration dialog. From the list of interfaces displayed, select one or more that should be attended by the DHCP server.
  • Page 667: Dhcp Software Packages

    Figure 35.11 DHCP Server: Network Interface and Firewall After completing all the configuration steps, close the dialog with Ok. The server is now started with its new configuration. 35.2 DHCP Software Packages Both a DHCP server and DHCP clients are available for SUSE Linux Enterprise. The DHCP server available is dhcpd (published by the Internet Software Consortium).
  • Page 668: The Dhcp Server Dhcpd

    35.3 The DHCP Server dhcpd The core of any DHCP system is the dynamic host configuration protocol daemon. This server leases addresses and watches how they are used, according to the settings defined in the configuration file /etc/dhcpd.conf. By changing the parameters and values in this file, a system administrator can influence the program's behavior in numerous ways.
  • Page 669 dynamic address and vice versa. To learn how to configure your own name server, read Chapter 34, The Domain Name System (page 629). • The line option broadcast-address defines the broadcast address the requesting client should use. • With option routers, set where the server should send data packets that cannot be delivered to a host on the local network (according to the source and target host address and the subnet mask provided).
  • Page 670 To identify a client configured with a static address, dhcpd uses the hardware address, which is a globally unique, fixed numerical code consisting of six octet pairs for the identification of all network devices (for example, 00:00:45:12:EE:F4). If the respective lines, like the ones in Example 35.2, “Additions to the Configuration File”...
  • Page 671: For More Information

    • /etc/localtime • /etc/host.conf • /etc/hosts • /etc/resolv.conf These files are copied to /var/lib/dhcp/etc/ when starting the init script. Take these copies into account for any changes that they require if they are dynamically modified by scripts like /etc/ppp/ip-up. However, there should be no need to worry about this if the configuration file only specifies IP addresses (instead of hostnames).
  • Page 673: Configuring Nis Servers

    Using NIS As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to users: whatever machines they use, they always find themselves in exactly the same environment.
  • Page 674 and set up slave servers in the subnets as described in Section 36.1.2, “Configuring a NIS Slave Server” (page 678). 36.1.1 Configuring a NIS Master Server To configure a NIS master server for your network, proceed as follows: 1 Start YaST → Network Services → NIS Server. 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers, select Install and set up NIS Master Server.
  • Page 675 Enter the NIS domain name. b Define whether the host should also be a NIS client, enabling users to log in and access data from the NIS server, by selecting This host is also a NIS client. Select Changing of passwords to allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd).
  • Page 676 e Leave this dialog with Next or click Other global settings to make additional settings. Other global settings include changing the source directory of the NIS server (/etc by default). In addition, passwords can be merged here. The setting should be Yes so the files (/etc/passwd, /etc/shadow, and /etc/group) are used to build the user database.
  • Page 677 Figure 36.4 NIS Server Maps Setup 7 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. In this case, there should be the following two entries: 255.0.0.0 127.0.0.0...
  • Page 678 Figure 36.5 Setting Request Permissions for a NIS Server 8 Click Finish to save changes and exit the setup. 36.1.2 Configuring a NIS Slave Server To configure additional NIS slave servers in your network, proceed as follows: 1 Start YaST → Network Services → NIS Server. 2 Select Install and set up NIS Slave Server and click Next.
  • Page 679: Configuring Nis Clients

    c Set This host is also a NIS client if you want to enable user logins on this server. d Adapt the firewall settings with Open Ports in Firewall. e Click Next. 4 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button.
  • Page 680 In the expert settings, disable Answer Remote Hosts if you do not want other hosts to be able to query which server your client is using. By checking Broken Server, the client is enabled to receive replies from a server communicating through an unprivileged port. For further information, see man ypbind.
  • Page 681 LDAP—A Directory Service The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
  • Page 682: Ldap Versus Nis

    • Because write accesses can only be executed in a restricted fashion, a directory service is used to administer mostly unchanging, static information. Data in a conventional database typically changes very often (dynamic data). Phone numbers in a company directory do not change nearly as often as, for example, the figures administered in accounting.
  • Page 683: Structure Of An Ldap Directory Tree

    • Mail routing (postfix, sendmail) • Address books for mail clients, like Mozilla, Evolution, and Outlook • Administration of zone descriptions for a BIND9 name server • User authentication with Samba in heterogeneous networks This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.
  • Page 684 Figure 37.1 Structure of an LDAP Directory The complete diagram is a fictional directory information tree. The entries on three levels are depicted. Each entry corresponds to one box in the picture. The complete, valid distinguished name for the fictional SUSE employee Geeko Linux, in this case, is cn=Geeko Linux,ou=doc,dc=suse,dc=de.
  • Page 685 Table 37.1 Commonly Used Object Classes and Attributes

      Object Class        Meaning                                    Example Entry   Required Attributes
      dcObject            domainComponent (name components of the    suse            dc
                          domain)
      organizationalUnit  organizationalUnit (organizational unit)   doc             ou
      inetOrgPerson       inetOrgPerson (person-related data for     Geeko Linux     sn and cn
                          the intranet or Internet)

    Example 37.1, “Excerpt from schema.core ”...
  • Page 686 Line 2 gives a brief description of the attribute with DESC. The corresponding RFC on which the definition is based is also mentioned here. SUP in line 3 indicates a superordinate attribute type to which this attribute belongs. The definition of the object class organizationalUnit begins in line 4, like in the definition of the attribute, with an OID and the name of the object class.
  • Page 687 Example 37.3 slapd.conf: pidfile and argsfile

      pidfile  /var/run/slapd/slapd.pid
      argsfile /var/run/slapd/slapd.args

    These two files contain the PID (process ID) and some of the arguments with which the slapd process is started. There is no need for modifications here. Example 37.4 slapd.conf: Access Control

      # Sample Access Control
      # Allow read access of root DSE
      # Allow self write access...
  • Page 688 the first match, so more specific rules should be listed before the more general ones. The entries shown in Table 37.2, “User Groups and Their Access Grants” (page 688) are possible. Table 37.2 User Groups and Their Access Grants Scope All users without exception Not authenticated (“anonymous”) users anonymous...
  • Page 689 slapd compares the access right requested by the client with those granted in slapd.conf. The client is granted access if the rules allow a higher or equal right than the requested one. If the client requests higher rights than those declared in the rules, it is denied access.
  • Page 690 37.3.2 Database-Specific Directives in slapd.conf Example 37.6 slapd.conf: Database-Specific Directives

      database        bdb
      checkpoint      1024
      cachesize       10000
      suffix          "dc=suse,dc=de"
      rootdn          "cn=admin,dc=suse,dc=de"
      # Cleartext passwords, especially for the rootdn, should
      # be avoided. See slappasswd(8) and slapd.conf(5) for details.
      # Use of strong authentication encouraged.
      rootpw          secret
      # The database directory MUST exist prior to running slapd AND
      # should only be accessible by the slapd/tools.
  • Page 691: Data Handling In The Ldap Directory

    server manually, enter the command rcldap stop. Request the status of the running LDAP server with rcldap status. The YaST runlevel editor, described in Section 20.2.3, “Configuring System Services (Runlevel) with YaST” (page 396), can be used to have the server started and stopped automatically on boot and halt of the system.
  • Page 692 Example 37.7 Example for an LDIF File

      # The SUSE Organization
      dn: dc=suse,dc=de
      objectClass: dcObject
      objectClass: organization
      o: SUSE AG
      dc: suse

      # The organizational unit development (devel)
      dn: ou=devel,dc=suse,dc=de
      objectClass: organizationalUnit
      ou: devel

      # The organizational unit documentation (doc)
      dn: ou=doc,dc=suse,dc=de
      objectClass: organizationalUnit
      ou: doc...
  • Page 693 Example 37.8 ldapadd with example.ldif

      ldapadd -x -D cn=admin,dc=suse,dc=de -W -f example.ldif
      Enter LDAP password:
      adding new entry "dc=suse,dc=de"
      adding new entry "ou=devel,dc=suse,dc=de"
      adding new entry "ou=doc,dc=suse,dc=de"
      adding new entry "ou=it,dc=suse,dc=de"

    The user data of individuals can be prepared in separate LDIF files. Example 37.9, “LDIF Data for Tux”...
  • Page 694 Import the modified file into the LDAP directory with the following command:

      ldapmodify -x -D cn=admin,dc=suse,dc=de -W -f tux.ldif

    Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below: 1 Start ldapmodify and enter your password:

      ldapmodify -x -D cn=admin,dc=suse,dc=de -W
      Enter LDAP password:

    2 Enter the changes while carefully complying with the syntax in the order presented...
  • Page 695: Configuring An Ldap Server With Yast

    37.4.4 Deleting Data from an LDAP Directory Delete unwanted entries with ldapdelete. The syntax is similar to that of the other commands. To delete, for example, the complete entry for Tux Linux, issue the following command:

      ldapdelete -x -D cn=admin,dc=suse,dc=de -W cn=Tux\ Linux,ou=devel,dc=suse,dc=de

    37.5 Configuring an LDAP Server with YaST...
  • Page 696 1 Log in as root. 2 Start YaST and select Network Services → LDAP Server. 3 Set LDAP to be started at system boot. 4 If the LDAP server should announce its services via SLP, check Register at an SLP Daemon. 5 Select Configure to configure General Settings and Databases.
  • Page 697 update_anon Enabling this option allows nonauthenticated (anonymous) update operations. Access is restricted according to ACLs and other rules (see Section 37.3.1, “Global Directives in slapd.conf” (page 686)). 4 To configure secure communication between client and server, proceed with TLS Settings: a Set TLS Active to Yes to enable TLS and SSL encryption of the client/server communication.
  • Page 698: Configuring An Ldap Client With Yast

    LDAP Password Enter the password for the database administrator. Encryption Determine the encryption algorithm to use to secure the password of Root DN. Choose crypt, smd5, ssha, or sha. The dialog also includes a plain option to enable the use of plain text passwords, but enabling this is not recommended for security reasons.
  • Page 699 pam_ldap.so is installed and the PAM configuration is adapted (see Example 37.11, “pam_unix2.conf Adapted to LDAP” (page 699)). Example 37.11 pam_unix2.conf Adapted to LDAP

      auth:     use_ldap
      account:  use_ldap
      password: use_ldap
      session:  none

    When manually configuring additional services to use LDAP, include the PAM LDAP module in the PAM configuration file corresponding to the service in /etc/pam.d.
  • Page 700: Basic Configuration

    37.6.2 Configuring the LDAP Client After the initial adjustments of nss_ldap, pam_ldap, /etc/passwd, and /etc/ group have been taken care of by YaST, you can simply connect your client to the server and let YaST manage users over LDAP. This basic setup is described in Section “Basic Configuration”...
  • Page 701 To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows: 1 Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
  • Page 702 Figure 37.4 YaST: Advanced Configuration To modify data on the server as administrator, click Advanced Configuration. The following dialog is split in two tabs. See Figure 37.4, “YaST: Advanced Configuration” (page 702). 1 In the Client Settings tab, adjust the following settings to your needs: a If the search base for users, passwords, and groups differs from the global search base specified the LDAP base DN, enter these different naming contexts in User Map, Password Map, and Group Map.
  • Page 703 Set the base for storing your user management data via Configuration Base b Enter the appropriate value for Administrator DN. This DN must be identical with the rootdn value specified in /etc/openldap/slapd.conf to enable this particular user to manipulate data stored on the LDAP server. Enter the full DN (such as cn=admin,dc=suse,dc=de) or activate Append Base DN to have the base DN added automatically when you enter cn=admin.
  • Page 704 Figure 37.5 YaST: Module Configuration The dialog for module configuration (Figure 37.5, “YaST: Module Configuration” (page 704)) allows the creation of new modules, selection and modification of existing configuration modules, and design and modification of templates for such modules. To create a new configuration module, proceed as follows: 1 Click New and select the type of module to create.
  • Page 705 The YaST modules for group and user administration embed templates with sensible standard values. To edit a template associated with a configuration module, proceed as follows: 1 In the Module Configuration dialog, click Configure Template. 2 Determine the values of the general attributes assigned to this template according to your needs or leave some of them empty.
  • Page 706 new user, cn=%sn %givenName is created automatically from the attribute values for sn and givenName. Once all modules and templates are configured correctly and ready to run, new groups and users can be registered in the usual way with YaST. 37.7 Configuring LDAP Users and Groups in YaST The actual registration of user and group data differs only slightly from the procedure...
  • Page 707: For More Information

    Figure 37.7 YaST: Additional LDAP Settings The initial input form of user administration offers LDAP Options. This gives the possibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.
  • Page 708 Quick Start Guide Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin22/quickstart.html or, on an installed system, in /usr/share/doc/packages/openldap2/admin-guide/quickstart.html. OpenLDAP 2.2 Administrator's Guide A detailed introduction to all important aspects of LDAP configuration, including access controls and encryption. See http://www.openldap.org/doc/admin22/ or, on an installed system, /usr/share/doc/packages/...
  • Page 709: Terminology

    Samba Using Samba, a Unix machine can be configured as a file and print server for DOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or the configuration file.
  • Page 710 An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP. The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS.
  • Page 711: Starting And Stopping Samba

    38.2 Starting and Stopping Samba You can start or stop the Samba server automatically during boot or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 38.3.1, “Configuring a Samba Server with YaST” (page 711).
  • Page 712: Starting The Server

    Advanced Samba Configuration with YaST During the first start of the Samba server module, the Samba Server Configuration dialog appears directly after the Samba Server Installation dialog. Use it to adjust your Samba server configuration. After editing your configuration, click Finish to close the configuration. Starting the Server In the Start Up tab, configure the start of the Samba server.
  • Page 713: Using Ldap

    Using LDAP In the tab LDAP Settings, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click Test Connection. To set expert LDAP settings or use default values, click Advanced Settings. Find more information about LDAP configuration in Chapter 37, LDAP—A Directory Service...
  • Page 714 workgroup = TUX-NET This line assigns the Samba server to a workgroup. Replace TUX-NET with an appropriate workgroup of your networking environment. Your Samba server appears under its DNS name unless this name has been assigned to any other machine in the network.
  • Page 715 Shares The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients. [cdrom] To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.
  • Page 716 Example 38.2 homes Share

      [homes]
              comment = Home Directories
              valid users = %S
              browseable = No
              read only = No
              create mask = 0640
              directory mask = 0750

    [homes] As long as there is no other share using the share name of the user connecting to the SMB server, a share is dynamically generated using the [homes] share directives.
  • Page 717: Configuring Clients

    Security Levels To improve security, each share access can be protected with a password. SMB has three possible ways of checking the permissions: Share Level Security (security = share) A password is firmly assigned to a share. Everyone who knows this password has access to that share.
  • Page 718: Samba As Login Server

    mouse. If you activate Also Use SMB Information for Linux Authentication, the user authentication runs over the Samba server. After completing all settings, click Finish to finish the configuration. 38.4.2 Windows 9x and ME Windows 9x and ME already have built-in support for TCP/IP. However, this is not installed as the default.
  • Page 719: Samba Server In The Network With Active Directory

    and passwords in an encryption format that conforms with Windows. Do this with the command smbpasswd -a name. Create the domain account for the computers, required by the Windows NT domain concept, with the following commands: Example 38.4 Setting Up a Machine Account

      useradd hostname\$
      smbpasswd -a -m hostname

    With the useradd command, a dollar sign is added.
  • Page 720 To join an AD domain in a running system, proceed as follows: 1 Log in as root and start YaST. 2 Start Network Services → Windows Domain Membership. 3 Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen.
  • Page 721: Migrating A Windows Nt Server To Samba

    Figure 38.2 Providing Administrator Credentials Your server is now set up to pull in all authentication data from the Active Direc- tory domain controller. 38.7 Migrating a Windows NT Server to Samba Apart from the Samba and LDAP configuration, the migration of a Windows NT server to a SUSE Linux Enterprise Server Samba server consists of two basic steps.
  • Page 722 38.7.2 Preparing the Samba Server Before you start migration, configure your Samba server. Find configuration of profile, netlogon, and home shares in the Shares tab of the YaST Samba Server module. To edit the default value, select the share and click Edit. To add LDAP configuration for your Samba server and the credentials of the LDAP administrator, use the LDAP Settings tab of the YaST Samba Server module.
  • Page 723: For More Information

    38.7.4 Migrating the Windows Accounts Procedure 38.2 The Account Migration Process 1 Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager. Samba must not be running.

      net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
      net rpc vampire -S NT4PDC -U administrator%passwd
      pdbedit -L

    2 Assign each of the UNIX groups to NT groups: Example 38.6 Example Script initGroups.sh...
  • Page 724 Find detailed information about LDAP and migration from Windows NT or 2000 in /usr/share/doc/packages/samba/examples/LDAP/ smbldap-tools-*/doc, where * is your smbldap-tools version. Installation and Administration...
  • Page 725: Sharing File Systems With Nfs

    Sharing File Systems with NFS As mentioned in Chapter 36, Using NIS (page 673), NFS works with NIS to make a network transparent to the user. With NFS, it is possible to distribute file systems over the network. It does not matter at which terminal users are logged in. They always find themselves in the same environment.
  • Page 726: Importing File Systems Manually

    Figure 39.1 NFS Client Configuration with YaST 39.2 Importing File Systems Manually File systems can easily be imported manually from an NFS server. The only prerequisite is a running RPC port mapper, which can be started by entering the command rcportmap start as root.
  • Page 727 cations to all members of a group without installing them locally on each and every host. To install such a server, start YaST and select Network Services → NFS Server. A dialog like that in Figure 39.2, “NFS Server Configuration Tool” (page 727) opens.
  • Page 728: For More Information

    Figure 39.3 Configuring an NFS Server with YaST IMPORTANT: Automatic Firewall Configuration If a firewall is active on your system (SuSEfirewall2), YaST adapts its configuration for the NFS server by enabling the nfs service when Open Ports in Firewall is selected.
  • Page 729: File Synchronization

    File Synchronization Today, many people use several computers—one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files and subsequently have the latest version of the data available on all computers.
  • Page 730 WARNING: Risk of Data Loss Before you start managing your data with a synchronization system, you should be well acquainted with the program used and test its functionality. A backup is indispensable for important files. The time-consuming and error-prone task of manually synchronizing data can be avoided by using one of the programs that use various methods to automate this job.
  • Page 731 40.1.3 Subversion In contrast to CVS, which “evolved,” Subversion (SVN) is a consistently designed project. Subversion was developed as a technically improved successor to CVS. Subversion has been improved in many respects to its predecessor. Due to its history, CVS only maintains files and is oblivious of directories. Directories also have a version history in Subversion and can be copied and renamed just like files.
  • Page 732: Determining Factors For Selecting A Program

    The effort put into the detection of the changes comes at a price. The systems to synchronize should be scaled generously for the usage of rsync. RAM is especially important. 40.2 Determining Factors for Selecting a Program There are some important factors to consider when deciding which program to use. 40.2.1 Client-Server versus Peer-to-Peer Two different models are commonly used for distributing data.
  • Page 733 40.2.4 Conflicts: Incidence and Solution Conflicts only rarely occur in Subversion or CVS, even when several people work on one large program project. This is because the documents are merged on the basis of individual lines. When a conflict occurs, only one client is affected. Usually conflicts in Subversion or CVS can easily be resolved.
  • Page 734 40.2.7 Data Volume and Hard Disk Requirements A sufficient amount of free space for all distributed data is required on the hard disks of all involved hosts. Subversion and CVS require additional space for the repository database on the server. The file history is also stored on the server, requiring even more space.
  • Page 735 40.2.10 Security against Attacks During transmission, the data should ideally be protected against interception and manipulation. Unison, CVS, rsync, and Subversion can easily be used via ssh (secure shell), providing security against attacks of this kind. Running CVS or Unison via rsh (remote shell) should be avoided.
  • Page 736: Introduction To Unison

    unison CVS/SVN rsync mailsync History Hard Disk Space Difficulty Attacks +(ssh) +/+(ssh) +(ssh) +(SSL) Data Loss ++/++ 40.3 Introduction to Unison Unison is an excellent solution for synchronizing and transferring entire directory trees. The synchronization is performed in both directions and can be controlled by means of an intuitive graphical front-end.
  • Page 737 40.3.2 Using Unison The approach used by Unison is the association of two directories (roots) with each other. This association is symbolic—it is not an online connection. In this example, the directory layout is as follows: Client: /home/tux/dir1 Server: /home/geeko/dir2 You want to synchronize these two directories.
  • Page 738: Introduction To Cvs

    Example 40.1 The file ~/.unison/example.prefs root=/home/tux/dir1 root=ssh://wilber@server//homes/wilber/dir2 batch=true For each pair, a synchronization log is maintained in the user directory ~/.unison. Configuration sets, such as ~/.unison/example.prefs, can also be stored in this directory. To start the synchronization, specify this file as the command-line parameter as in unison example.prefs.
  • Page 739 CVS_RSH=ssh CVSROOT=tux@server:/serverdir The command cvs init can be used to initialize the CVS server from the client side. This needs to be done only once. Finally, the synchronization must be assigned a name. Select or create a directory on the client exclusively to contain files to manage with CVS (the directory can also be empty).
  • Page 740 cvs diff file1 directory1. Use cvs -nq update to see which files would be affected by an update. Here are some of the status symbols displayed during an update: The local version was updated. This affects all files that are provided by the server and missing on the local system.
  • Page 741: Introduction To Subversion

    40.5 Introduction to Subversion Subversion is a free open source versioning control system and is widely regarded as the successor to CVS, meaning that features already introduced for CVS are normally also in Subversion. It is especially recommended when the advantages of CVS are sought without having to put up with its disadvantages.
  • Page 742 40.5.2 Usage and Operation Use the command svn (similar to cvs) to access a Subversion repository. With svn help, obtain the description of a parameter of a command: checkout (co): Check out a working copy from a repository. usage: checkout URL[@REV]... [PATH] If specified, REV determines in which revision the URL is first looked up.
  • Page 743 svn proplist --verbose foo.txt Properties on 'foo.txt': license : GPL Save the changes to the server with svn commit Another user can incorporate your changes in his working directory by synchronizing with the server using svn update. Unlike CVS, the status of a working directory in Subversion can be displayed without accessing the repository with svn status.
  • Page 744: Introduction To Rsync

    40.5.3 For More Information The first point of reference is the home page of the Subversion project at http://subversion.tigris.org/. A highly recommendable book can be found as svn-book.html in the directory file:///usr/share/doc/packages/subversion/html/book/ after installation of the package subversion-doc and is also available online at http://svnbook.red-bean.com/svnbook/index.html.
  • Page 745 gid = nobody uid = nobody read only = true use chroot = no transfer logging = true log format = %h %o %f %l %b log file = /var/log/rsyncd.log [FTP] path = /srv/ftp comment = An Example Then start rsyncd with rcrsyncd start. rsyncd can also be started automatically during the boot process.
  • Page 746: Introduction To Mailsync

    40.7 Introduction to mailsync mailsync is mainly suitable for the following three tasks: • Synchronization of locally stored e-mails with mails stored on a server • Migration of mailboxes to a different format or to a different server • Integrity check of a mailbox or search for duplicates 40.7.1 Configuration and Use mailsync distinguishes between the mailbox itself (the store) and the connection between two mailboxes (the channel).
  • Page 747 The above example merely addresses the main folder on the IMAP server. A store for the subfolders would appear as follows: store imapdir { server {mail.edu.harvard.com/user=gulliver} ref {mail.edu.harvard.com} pat INBOX.* prefix INBOX. If the IMAP server supports encrypted connections, the server specification should be changed to server {mail.edu.harvard.com/ssl/user=gulliver} or, if the server certificate is not known, to...
  • Page 748 • If the message is missing on one side and is new (not listed in the msinfo file), it is transmitted there. • If the message merely exists on one side and is old (already listed in the msinfo file), it is deleted there (because the message that had obviously existed on the other side was deleted).
  • Page 749 40.7.3 For More Information The README in /usr/share/doc/packages/mailsync/, which is included in mailsync, provides additional information. In this connection, RFC 2076 “Common Internet Message Headers” is of special interest. File Synchronization...
  • Page 751: The Apache Http Server

    The Apache HTTP Server With a share of more than 70%, the Apache HTTP Server (Apache) is the world's most widely-used Web server according to the November 2005 Survey from http://www.netcraft.com/. Apache, developed by the Apache Software Foundation (http://www.apache.org/), is available for most operating systems. SUSE® Linux Enterprise Server includes Apache version 2.2.
  • Page 752 correct time. See Chapter 33, Time Synchronization with NTP (page 623) to learn more about this topic. The latest security updates are installed. If in doubt, run a YaST Online Update. The default Web server port (port 80) is opened in the firewall. For this, configure the SUSEFirewall2 to allow the service HTTP Server in the external zone.
  • Page 753: Configuring Apache

    an Apache test page starting with “If you can see this, it means that the installation of the Apache Web server software on this system was successful.” If you do not see this page, refer to Section 41.8, “Troubleshooting” (page 786). Now that the Web server is running, you can add your own documents, adjust the configuration according to your needs, or add functionality by installing modules.
  • Page 754 /etc/sysconfig/apache2 /etc/sysconfig/apache2 controls some global settings of Apache, like modules to load, additional configuration files to include, flags with which the server should be started, and flags that should be added to the command line. Every configuration option in this file is extensively documented and therefore not mentioned here. For a general-purpose Web server, the settings in /etc/sysconfig/apache2 should be sufficient for any configuration needs.
  • Page 755 |- loadmodule.conf . . |- uid.conf |- vhosts.d |- *.conf Apache Configuration Files in /etc/apache2/ charset.conv Specifies which character sets to use for different languages. Do not edit. conf.d/*.conf Configuration files added by other modules. These configuration files can be included into your virtual host configuration where needed.
  • Page 756 mime.types MIME types known by the system (this actually is a link to /etc/mime.types). Do not edit. If you need to add MIME types not listed here, add them to mod_mime-defaults.conf. mod_*.conf Configuration files for the modules that are installed by default. Refer to Section 41.4, “Installing, Activating, and Configuring Modules”...
  • Page 757 It is common practice to use virtual hosts to save administrative effort (only a single Web server needs to be maintained) and hardware expenses (each domain does not require a dedicated server). Virtual hosts can be name based, IP based, or port based. Virtual hosts can be configured via YaST (see Section “Virtual Hosts”...
  • Page 758 The first argument can be a fully qualified domain name, but it is recommended to use the IP address. The second argument is the port and is optional. By default, port 80 is used and is configured via the Listen directive. The wild card * can be used for both the IP address and the port number to receive requests on all interfaces.
  • Page 759 IP-Based Virtual Hosts This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP. The physical server must have one IP address for each IP-based virtual host. If the machine does not have multiple network cards, virtual network interfaces (IP aliasing) can also be used.
  • Page 760 DocumentRoot Path to the directory from which Apache should serve files for this host. For security reasons, access to the entire file system is forbidden by default, so you must explicitly unlock this directory within a Directory container. ServerAdmin E-mail address of the server administrator.
  • Page 761 41.2.2 Configuring Apache with YaST To configure your Web server with YaST, start YaST and select Network Services → HTTP Server. When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make just a few basic decisions concerning administration of the server.
  • Page 762 Default Host This option pertains to the default Web server. As explained in Section “Virtual Host Configuration” (page 756), Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host.
  • Page 763 The default SUSE Linux Enterprise Server Alias /icons points to /usr/share/apache2/icons for the Apache icons displayed in the directory index view. ScriptAlias Similar to the Alias directive, the ScriptAlias directive maps a URL to a file system location. The difference is that ScriptAlias designates the target directory as a CGI location, meaning that CGI scripts should be executed in that location.
  • Page 764: Virtual Hosts

    the HTTP header information the client sends. See Section “IP-Based Virtual Hosts” (page 759) for more details on IP-based virtual hosts. After finishing with the Default Host step, click Next to continue with the configuration. Virtual Hosts In this step, the wizard displays a list of already configured virtual hosts (see Section “Virtual Host Configuration”...
  • Page 765: Http Server Configuration

    Summary This is the final step of the wizard. Here, determine how and when the Apache server is started: when booting or manually. Also see a short summary of the configuration made so far. If you are satisfied with your settings, click Finish to complete configuration.
  • Page 766: Server Modules

    Listen Ports and Addresses In HTTP Service, select whether Apache should be running (Enabled) or stopped (Disabled). In Listen on Ports, Add, Edit, or Delete addresses and ports on which the server should be available. The default is to listen on all interfaces on port 80. You should always check Open Firewall on Selected Ports, because otherwise the Web server is not reachable from the outside.
  • Page 767: Starting And Stopping Apache

    Figure 41.4 HTTP Server Configuration: Server Modules Default Host or Hosts These dialogs are identical to the ones already described. Refer to Section “Default Host” (page 762) and Section “Virtual Hosts” (page 764). 41.3 Starting and Stopping Apache If configured with YaST (see Section 41.2.2, “Configuring Apache with YaST”...
  • Page 768 startssl Starts Apache with SSL support if it is not already running. For more information about SSL support, refer to Section 41.6, “Setting Up a Secure Web Server with SSL” (page 779). restart Stops then restarts Apache. Starts the Web server if it was not running before. try-restart Stops then restarts Apache only if it has been running before.
  • Page 769: Installing, Activating, And Configuring Modules

    TIP: Additional Flags If you specify additional flags to rcapache2, these are passed through to the Web server. 41.4 Installing, Activating, and Configuring Modules The Apache software is built in a modular fashion: all functionality except some core tasks is handled by modules. This has progressed so far that even HTTP is processed by a module (http_core).
  • Page 770: Module Installation

    41.4.1 Module Installation If you have followed the default way of installing Apache (described in Section 41.1.2, “Installation” (page 752)), it is installed with all base and extension modules, the multiprocessing module Prefork MPM, and the external module PHP5. You can install additional external modules by starting YaST and choosing Software →...
  • Page 771 mod_alias Provides Alias and Redirect directives with which you can map a URL to a specific directory (Alias) or redirect a requested URL to another location. This module is enabled by default. mod_auth* The authentication modules provide different authentication methods: basic authentication with mod_auth_basic or digest authentication with mod_auth_digest.
  • Page 772 mod_expires With mod_expires, you can control how often proxy and browser caches refresh your documents by sending an Expires header. This module is enabled by default. mod_include mod_include lets you use Server Side Includes (SSI), which provide a basic functionality to generate HTML pages dynamically.
  • Page 773 mod_status Provides information on server activity and performance under http://localhost/server-status/. For security reasons, you should always limit access to this URL. By default, only localhost is allowed to access this URL. mod_status is configured at /etc/apache2/mod_status.conf mod_suexec mod_suexec lets you run CGI scripts under a different user and group. This module is enabled by default.
  • Page 774 Instead of only forking child processes, the worker MPM serves requests by using threads with server processes. The preforked child processes are multithreaded. This approach makes Apache perform better by consuming fewer system resources than the prefork MPM. One major disadvantage is the stability of the worker MPM: if a thread becomes corrupt, all threads of a process can be affected.
  • Page 775 Configuration File: /etc/apache2/conf.d/mod_perl.conf More Information: /usr/share/doc/packages/apache2-mod_perl mod_php5 PHP is a server-side, cross-platform HTML embedded scripting language. Package Name: apache2-mod_php5 Configuration File: /etc/apache2/conf.d/php5.conf More Information: /usr/share/doc/packages/apache2-mod_php5 mod_python mod_python allows embedding Python within the Apache HTTP server for a considerable boost in performance and added flexibility in designing Web-based applications.
  • Page 776: Getting Cgi Scripts To Work

    apxs2 enables the compilation and installation of modules from source code (including the required changes to the configuration files), which creates dynamic shared objects (DSOs) that can be loaded into Apache at runtime. The apxs2 binaries are located under /usr/sbin: •...
  • Page 777 41.5.1 Apache Configuration In SUSE Linux Enterprise Server, the execution of CGI scripts is only allowed in the directory /srv/www/cgi-bin/. This location is already configured to execute CGI scripts. If you have created a virtual host configuration (see Section “Virtual Host Configuration”...
  • Page 778 directory of your virtual host (/srv/www/example.com_cgi-bin/) and name it test.cgi. Files accessible by the Web server should be owned by the user root (see Section 41.7, “Avoiding Security Problems” (page 784) for additional information). Because the Web server runs with a different user, the CGI scripts must be world-executable and world-readable.
  • Page 779: Setting Up A Secure Web Server With Ssl

    41.6 Setting Up a Secure Web Server with SSL Whenever sensitive data, such as credit card information, is transferred between Web server and client, it would be desirable to have a secure, encrypted connection with authentication. mod_ssl provides strong encryption using the secure sockets layer (SSL) and transport layer security (TLS) protocols for HTTP communication between a client and the Web server.
  • Page 780 TIP: For More Information To learn more about concepts and definitions of SSL/TLS, refer to http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html. Creating a “Dummy” Certificate Generating a dummy certificate is simple. Just call the script /usr/bin/gensslcert. It creates or overwrites the following files: • /etc/apache2/ssl.crt/ca.crt •...
  • Page 781 Choose RSA ( , the default), because some older browsers have problems with DSA. 2 Generating RSA private key for CA (1024 bit) No interaction needed. 3 Generating X.509 certificate signing request for CA Create the CA's distinguished name here. This requires you to answer a few questions, such as country name or organization name.
  • Page 782 8 Encrypting RSA private key of CA with a pass phrase for security It is strongly recommended to encrypt the private key of the CA with a password, so choose and enter a password. 9 Encrypting RSA private key of SERVER with a pass phrase for security Encrypting the server key with a password requires you to enter this password every time you start the Web server.
  • Page 783 Getting an Officially Signed Certificate There are a number of official certificate authorities that sign your certificates. The certificate is signed by a trustworthy third party, so can be fully trusted. Publicly operating secure Web servers usually have got an officially signed certificate. The best-known official CAs are Thawte (http://www.thawte.com/ or Verisign...
  • Page 784: Avoiding Security Problems

    To use SSL, it must be activated in the global server configuration. Open /etc/sysconfig/apache2 in an editor and search for APACHE_MODULES. Add “ssl” to the list of modules if it is not already present (mod_ssl is activated by default). Next, search for APACHE_SERVER_FLAGS and add “SSL”.
  • Page 785 _help/mailinglists/ • Mailing List http://www.suse.com/us/private/support/online_help/mailinglists/ • RSS Feed http://www.novell.com/linux/security/suse_security.xml 41.7.2 DocumentRoot Permissions By default in SUSE Linux Enterprise Server, the DocumentRoot directory /srv/www/htdocs and the CGI directory /srv/www/cgi-bin belong to the user and group root. You should not change these permissions. If the directories were writable for all, any user could place files into them.
  • Page 786: Troubleshooting

    41.7.4 CGI Scripts Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially run arbitrary commands and therefore present a general security issue. Scripts that will be executed from the server should only be installed from sources the server administrator trusts—allowing users to run their own scripts is generally not a good idea.
  • Page 787: For More Information

    starting or stopping the Web server. Avoid doing this and use the rcapache2 script instead. rcapache2 even provides tips and hints for solving configuration errors. Second, the importance of log files cannot be overemphasized. In case of both fatal and nonfatal errors, the Apache log files, mainly the error log file, are the places to look for causes.
  • Page 788 41.9.1 Apache 2.2 For a list of new features in Apache 2.2, refer to http://httpd.apache.org/docs/2.2/new_features_2_2.html. Information about upgrading from version 2.0 to 2.2 is available at http://httpd.apache.org/docs-2.2/upgrading.html. 41.9.2 Apache Modules More information about external Apache modules from Section 41.4.5, “External Modules”...
  • Page 789 Writing Apache Modules with Perl and C http://www.modperl.com/ 41.9.4 Miscellaneous Sources If you experience difficulties specific to Apache in SUSE Linux Enterprise Server, take a look at the SUSE Support Database at http://en.opensuse.org/SDB:SDB. The history of Apache is provided at http://httpd.apache.org/ABOUT_APACHE.html.
  • Page 791: The Proxy Server Squid

    The Proxy Server Squid Squid is a widely-used proxy cache for Linux and UNIX platforms. This means that it stores requested Internet objects, such as data on a Web or FTP server, on a machine that is closer to the requesting workstation than the server. It may be set up in multiple hierarchies to assure optimal response times and low bandwidth usage, even in modes that are transparent for the end user.
  • Page 792: Some Facts About Proxy Caches

    42.1 Some Facts about Proxy Caches As a proxy cache, Squid can be used in several ways. When combined with a firewall, it can help with security. Multiple proxies can be used together. It can also determine what types of objects should be cached and for how long. 42.1.1 Squid and Security It is possible to use Squid together with a firewall to secure internal networks from the outside using a proxy cache.
  • Page 793: System Requirements

    HIT code if the object was detected or a MISS if it was not. If multiple HIT responses were found, the proxy server decides from which server to download, depending on factors such as which cache sent the fastest answer or which one is closer. If no satisfactory responses are received, the request is sent to the parent cache.
  • Page 794: Hard Disks

    42.2.1 Hard Disks Speed plays an important role in the caching process, so this factor deserves special attention. For hard disks, this parameter is described as random seek time, measured in milliseconds. Because the data blocks that Squid reads from or writes to the hard disk tend to be rather small, the seek time of the hard disk is more important than its data throughput.
  • Page 795: Starting Squid

    It is very important to have sufficient memory for the Squid process, because system performance is dramatically reduced if it must be swapped to disk. The cachemgr.cgi tool can be used for the cache memory management. This tool is introduced in Section 42.6, “cachemgr.cgi”...
  • Page 796 so, consider that Squid is made completely accessible to anyone by this action. Therefore, define ACLs that control access to the proxy. More information about this is available in Section 42.4.2, “Options for Access Controls” (page 800). After modifying the configuration file /etc/squid/squid.conf, Squid must reload the configuration file.
  • Page 797: The Configuration File /Etc/Squid/Squid.conf

    Dynamic DNS Normally, with dynamic DNS, the DNS server is set by the provider during the establishment of the Internet connection and the local file /etc/resolv.conf is adjusted automatically. This behavior is controlled in the file /etc/sysconfig/network/config with the sysconfig variable MODIFY_RESOLV_CONF_DYNAMICALLY, which is set to "yes".
  • Page 798 end of the line. The given values almost always correlate with the default values, so removing the comment signs without changing any of the parameters actually has little effect in most cases. If possible, leave the sample as it is and insert the options along with the modified parameters in the line below.
  • Page 799 cache_dir ufs /var/cache/squid/ 100 16 256 The entry cache_dir defines the directory where all the objects are stored on disk. The numbers at the end indicate the maximum disk space in MB to use and the number of directories in the first and second level. The ufs parameter should be left alone.
  • Page 800 overwritten. The default value is 0 because archiving and deleting log files in SUSE Linux Enterprise Server is carried out by a cron job set in the configuration file /etc/logrotate/squid. append_domain <domain> With append_domain, specify which domain to append automatically when none is given.
  • Page 801 acl <acl_name> <type> <data> An ACL requires at least three specifications to define it. The name <acl_name> can be chosen arbitrarily. For <type>, select from a variety of different options, which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
  • Page 802: Configuring A Transparent Proxy

    redirect_program /usr/bin/squidGuard With this option, specify a redirector such as squidGuard, which allows blocking unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured. auth_param basic program /usr/sbin/pam_auth If users must be authenticated on the proxy, set a corresponding program, such as pam_auth.
  • Page 803 jects, whether they are in its cache or not. When working in a network, several situations may arise: • For security reasons, it is recommended that all clients use a proxy to surf the Internet. • All clients must use a proxy, regardless of whether they are aware of it. •...
  • Page 804 tion 44.4.1, “Configuring the Firewall with YaST” (page 834). Its configuration file can be found in /etc/sysconfig/SuSEfirewall2. The configuration file consists of well-documented entries. To set a transparent proxy, you must configure several firewall options: • Device pointing to the Internet: FW_DEV_EXT="eth1" •...
  • Page 805: Cachemgr.cgi

    The comments above show the syntax to follow. First, enter the IP address and the netmask of the internal networks accessing the proxy firewall. Second, enter the IP address and the netmask to which these clients send their requests. In the case of Web browsers, specify the networks 0/0, a wild card that means “to everywhere.”...
  • Page 806 Apache is running on the machine. Otherwise, enter rcapache start to start Apache with the SUSE Linux Enterprise Server default settings. The last step to set it up is to copy the file cachemgr.cgi to the Apache directory cgi-bin: cp /usr/share/doc/packages/squid/scripts/cachemgr.cgi /srv/www/cgi-bin/ 42.6.2 Cache Manager ACLs in /etc/squid/squid.conf There are some default settings in the original file required for the cache manager.
  • Page 807: Squidguard

    cachemgr_passwd with a password for the manager and the list of options to view. This list appears as a part of the entry comments in /etc/squid/squid.conf. Restart Squid every time the configuration file is changed. Do this easily with rcsquid reload. 42.6.3 Viewing the Statistics Go to the corresponding Web site—http://webserver.example.org/...
  • Page 808 • Use different access rules based on time of day, day of the week, date, etc. • Use different rules for different user groups. squidGuard and Squid cannot be used to: • Edit, filter, or censor text inside documents. • Edit, filter, or censor HTML-embedded script languages, such as JavaScript or VBscript.
  • Page 809: Cache Report Generation With Calamaris

    42.8 Cache Report Generation with Calamaris Calamaris is a Perl script used to generate reports of cache activity in ASCII or HTML format. It works with native Squid access log files. The Calamaris home page is located at http://Calamaris.Cord.de/. The program is quite easy to use. Log in as root then enter cat access.log.files | calamaris options >...
  • Page 810: For More Information

    42.9 For More Information Visit the home page of Squid at http://www.squid-cache.org/. Here, find the “Squid User Guide” and a very extensive collection of FAQs on Squid. Following the installation, a small HOWTO about transparent proxies is available in howtoenh as /usr/share/doc/howto/en/txt/TransparentProxy.gz. In addition, mailing lists are available for Squid at squid-users@squid-cache.org.
  • Page 811: Part V Security

    Part V. Security...
  • Page 813: Managing X.509 Certification

    Managing X.509 Certification An increasing number of authentication mechanisms are based on cryptographic proce- dures. Digital certificates that assign cryptographic keys to their owners play an important role in this context. These certificates are used for communication and can also be found, for example, on company ID cards.
  • Page 814 Private Key The private key must be kept safely by the key owner. Accidental publication of the private key compromises the key pair and renders it useless. Public Key The key owner circulates the public key for use by third parties. 43.1.1 Key Authenticity Because the public key process is in widespread use, there are many public keys in circulation.
  • Page 815 43.1.2 X.509 Certificates An X.509 certificate is a data structure with several fixed fields and, optionally, additional extensions. The fixed fields mainly contain the name of the key owner, the public key, and the data relating to the issuing CA (name and signature). For security reasons, a certificate should only have a limited period of validity, so a field is also provided for this date.
  • Page 816 Field Content Extensions Optional additional information, such as “KeyUsage” or “BasicConstraints” 43.1.3 Blocking X.509 Certificates If a certificate becomes untrustworthy before it has expired, it must be blocked immediately. This can be needed if, for example, the private key has accidentally been made public.
  • Page 817 Field Content List of revoked certificates Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions) Extensions Optional CRL extensions 43.1.4 Repository for Certificates and CRLs The certificates and CRLs for a CA must be made publicly accessible using a repository. Because the signature protects the certificates and CRLs from being forged, the repository itself does not need to be secured in a special way.
  • Page 818 43.2 YaST Modules for CA Management YaST provides two modules for basic CA management. The primary management tasks with these modules are explained here. 43.2.1 Creating a Root CA The first step when setting up a PKI is to create a root CA. Do the following: 1 Start YaST and go to Security and Users →...
  • Page 819 CA Name Enter the technical name of the CA. Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.
  • Page 820 In general, it is best not to allow user certificates to be issued by the root CA. It is better to create at least one sub-CA and create the user certificates from there. This has the advantage that the root CA can be kept isolated and secure, for example, on an isolated computer on secure premises.
  • Page 821 Figure 43.2 YaST CA Module—Using a CA 4 Click Advanced and select Create SubCA. This opens the same dialog as for creating a root CA. 5 Proceed as described in Section 43.2.1, “Creating a Root CA” (page 818). 6 Select the tab Certificates. Reset compromised or otherwise unwanted sub-CAs here using Revoke.
  • Page 822 the e-mail address of the recipient (the public key owner) to be included in the certificate. In the case of server and client certificates, the hostname of the server must be entered in the Common Name field. The default validity period for certificates is 365 days. To create client and server certificates, do the following: 1 Start YaST and open the CA module.
  • Page 823 To revoke compromised or otherwise unwanted certificates, do the following: 1 Start YaST and open the CA module. 2 Select the required CA and click Enter CA. 3 Enter the password if entering a CA the first time. YaST displays the CA key information in the Description tab.
  • Page 824 3 Click Advanced → Edit Defaults. 4 Choose the type of the settings to change. The dialog for changing the defaults, shown in Figure 43.4, “YaST CA Module—Extended Settings” (page 824), then opens. Figure 43.4 YaST CA Module—Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical.
  • Page 825 43.2.5 Creating CRLs If compromised or otherwise unwanted certificates should be excluded from further use, they must first be revoked. The procedure for this is explained in Section 43.2.2, “Creating or Revoking a Sub-CA” (page 820) (for sub-CAs) and Section 43.2.3, “Creating or Revoking User Certificates”...
  • Page 826 must be entered manually. You must always enter several passwords (see Table 43.3, “Passwords during LDAP Export” (page 826)). Table 43.3 Passwords during LDAP Export Password Meaning LDAP Password Authorizes the user to make entries in the LDAP tree. Certificate Password Authorizes the user to export the certificate.
  • Page 827 43.2.7 Exporting CA Objects as a File If you have set up a repository on the computer for administering CAs, you can use this option to create the CA objects directly as a file at the correct location. Different output formats are available, such as PEM, DER, and PKCS12.
  • Page 828 If you select Import here, you can select the source in the file system. This option can also be used to import certificates from a transport medium, such as a USB stick. To import a common server certificate, do the following: 1 Start YaST and open Common Server Certificate under Security and Users. 2 View the data for the current certificate in the description field after YaST has been started.
  • Page 829: Masquerading And Firewalls

    Masquerading and Firewalls Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart.
  • Page 830 This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet. mangle The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
  • Page 831: Masquerading Basics

    POSTROUTING This chain is applied to all outgoing packets. Figure 44.1, “iptables: A Packet's Possible Paths” (page 830) illustrates the paths along which a network packet may travel on a given system. For the sake of simplicity, the figure lists tables as parts of chains, but in reality these chains are held within the tables themselves.
  • Page 832: Firewalling Basics

    As mentioned, whenever one of the LAN hosts sends a packet destined for an Internet address, it goes to the default router. However, the router must be configured before it can forward such packets. For security reasons, SUSE® Linux Enterprise does not enable this in a default installation.
  • Page 833: Susefirewall2

    A more effective but more complex mechanism is the combination of several types of systems, such as a packet filter interacting with an application gateway or proxy. In this case, the packet filter rejects any packets destined for disabled ports. Only packets directed to the application gateway are accepted.
  • Page 834 be used to put an additional line of defense in front of the internal network, because the DMZ systems are isolated from the internal network. Any kind of network traffic not explicitly allowed by the filtering rule set is suppressed by iptables.
  • Page 835 Interfaces All known network interfaces are listed here. To remove an interface from a zone, select the interface, press Change, and choose No Zone Assigned. To add an interface to a zone, select the interface, press Change and choose any of the available zones. You may also create a special interface with your own settings by using Custom.
  • Page 836: Configuring Manually

    All services, ports, and protocols that have been allowed are listed in this summary. To modify the configuration, use Back. Press Accept to save your configuration. 44.4.2 Configuring Manually The following paragraphs provide step-by-step instructions for a successful configuration. Each configuration item is marked as to whether it is relevant to firewalling or masquerading.
  • Page 837 proxy server between the hosts of the internal network and the Internet. Masquerading is not needed for services a proxy server provides. FW_MASQ_NETS (masquerading) Specify the hosts or networks to masquerade, leaving a space between the individual entries. For example: FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"...
  • Page 838: For More Information

    Other packages to test your firewall setup are nmap or nessus. The documentation of nmap is found at /usr/share/doc/packages/nmap and the documentation of nessus resides in the directory /usr/share/doc/packages/nessus-core after installing the respective package. 44.5 For More Information The most up-to-date information and other documentation about the SuSEfirewall2 package is found in /usr/share/doc/packages/SuSEfirewall2.
  • Page 839: Ssh: Secure Network Operations

    SSH: Secure Network Operations With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it.
  • Page 840: The Ssh Program

    45.2 The ssh Program Using the ssh program, it is possible to log in to remote systems and work interactively. It replaces both telnet and rlogin. The slogin program is just a symbolic link pointing to ssh. For example, log in to the host sun with the command ssh sun. The host then prompts for the password on sun.
  • Page 841 ing all subdirectories to the backup directory on the host sun. If this subdirectory does not exist yet, it is created automatically. The option -p tells scp to leave the time stamp of files unchanged. -C compresses the data transfer. This minimizes the data volume to transfer, but creates a heavier burden on the processor.
  • Page 842: Ssh Authentication Mechanisms

    Override this to use version 1 of the protocol with the -1 switch. To continue using version 1 after a system update, follow the instructions in /usr/share/doc/packages/openssh/README.SuSE. This document also describes how an SSH 1 environment can be transformed into a working SSH 2 environment with just a few steps.
  • Page 843: X, Authentication, And Forwarding Mechanisms

    this by way of another key pair, which is generated by the user. The SSH package provides a helper program for this: ssh-keygen. After entering ssh-keygen -t rsa or ssh-keygen -t dsa, the key pair is generated and you are prompted for the base filename in which to store the keys.
  • Page 844 remote machine over the existing SSH connection. At the same time, X applications started remotely and locally viewed with this method cannot be intercepted by unauthorized individuals. By adding the option -A, the ssh-agent authentication mechanism is carried over to the next machine.
  • Page 845: Kerberos Terminology

    Network Authentication—Kerberos An open network provides no means to ensure that a workstation can identify its users properly except the usual password mechanisms. In common installations, the user must enter the password each time a service inside the network is accessed. Kerberos provides an authentication method with which a user registers once then is trusted in the complete network for the rest of the session.
  • Page 846 credential Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials—tickets and authenticators. ticket A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service.
  • Page 847: How Kerberos Works

    replay Almost all messages sent in a network can be eavesdropped, stolen, and resent. In the Kerberos context, this would be most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator. He could then try to resend it (replay) to impersonate you.
  • Page 848 • The client's IP address • The newly-generated session key This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used. This private key is only known to Kerberos and the client, because it is derived from your user password.
  • Page 849 46.2.3 Mutual Authentication Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be. The server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts it with the session key, which is shared between it and the client.
  • Page 850: Users' View Of Kerberos

    • The newly-generated session key The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is encrypted with the session key that came with the original ticket-granting ticket.
  • Page 851: For More Information

    • rsh, rcp, rshd • ftp, ftpd • ksu You no longer have to enter your password for using these applications because Kerberos has already proven your identity. ssh, if compiled with Kerberos support, can even forward all the tickets acquired for one workstation to another one. If you use ssh to log in to another workstation, ssh makes sure that the encrypted contents of the tickets are adjusted to the new situation.
  • Page 853: Installing And Administering Kerberos

    Installing and Administering Kerberos This section covers the installation of the MIT Kerberos implementation as well as some aspects of administration. This section assumes you are familiar with the basic concepts of Kerberos (see also Chapter 46, Network Authentication—Kerberos (page 845)). 47.1 Choosing the Kerberos Realms The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING.
  • Page 854: Setting Up The Kdc Hardware

    For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples. 47.2 Setting Up the KDC Hardware The first thing required to use Kerberos is a machine that acts as the key distribution center, or KDC for short.
  • Page 855: Clock Synchronization

    6 Disable all user accounts except root's account by editing /etc/shadow and replacing the hashed passwords with * or ! characters. 47.3 Clock Synchronization To use Kerberos successfully, make sure that all system clocks within your organization are synchronized within a certain range. This is important because Kerberos protects against replayed credentials.
  • Page 856 1 Install the RPMs On a machine designated as the KDC, install special software packages. See Section 47.4.1, “Installing the RPMs” (page 856) for details. 2 Adjust the Configuration Files The configuration files /etc/krb5.conf and /var/lib/kerberos/krb5kdc/kdc.conf must be adjusted for your scenario.
  • Page 857 When you make tape backups of the Kerberos database (/var/lib/kerberos/krb5kdc/principal), do not back up the stash file (which is in /var/lib/kerberos/krb5kdc/.k5.EXAMPLE.COM). Otherwise, everyone able to read the tape could also decrypt the database. Therefore, it is also a good idea to keep a copy of the pass phrase in a safe or some other secure location, because you need it to restore your database from backup tape after a crash.
  • Page 858: Manually Configuring Kerberos Clients

    role when administering the Kerberos database. A user can have several roles for different purposes. Roles are basically completely different accounts with similar names. 47.4.4 Starting the KDC Start the KDC daemon and the kadmin daemon. To start the daemons manually, enter rckrb5kdc start and rckadmind start.
  • Page 859 To configure your Kerberos clients, add the following stanza to krb5.conf (where kdc.example.com is the hostname of the KDC): [libdefaults] default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { kdc = kdc.example.com admin_server = kdc.example.com } The default_realm line sets the default realm for Kerberos applications. If you have several realms, just add additional statements to the [realms] section.
  • Page 860 The data portion of SRV resource records consists of a priority value, a weight, a port number, and a hostname. The priority defines the order in which hosts should be tried (lower values indicate a higher priority). The weight is there to support some sort of load balancing among servers of equal priority.
  • Page 861: Configuring A Kerberos Client With Yast

    47.6 Configuring a Kerberos Client with YaST As an alternative to the manual configuration described above, use YaST to configure a Kerberos client. Proceed as follows: 1 Log in as root and select Network Services → Kerberos Client. 2 Select Use Kerberos. 3 To configure a DNS-based Kerberos client, proceed as follows: a Confirm the Basic Kerberos Settings that are displayed.
  • Page 862 Figure 47.1 YaST: Basic Configuration of a Kerberos Client To configure ticket-related options in the Advanced Settings dialog, choose from the following options: • Specify the Default Ticket Lifetime and the Default Renewable Lifetime in days, hours, or minutes (using the units of measurement d, h, and m, with no blank space between the value and the unit).
  • Page 863: Remote Kerberos Administration

    • Use Clock Skew to set a value for the allowable difference between the time stamps and your host's system time. • To keep the system time in sync with an NTP server, you can also set up the host as an NTP client by selecting NTP Configuration, which opens the YaST NTP client dialog that is described in Section 33.1, “Configuring an NTP Client with...
  • Page 864 newbie/admin Replace the username newbie with your own. Restart kadmind for the change to take effect. 47.7.1 Using kadmin for Remote Administration You should now be able to perform Kerberos administration tasks remotely using the kadmin tool. First, obtain a ticket for your admin role and use that ticket when connecting to the kadmin server: kadmin -p newbie/admin Authenticating as principal newbie/admin@EXAMPLE.COM with password.
  • Page 865: Creating Kerberos Host Principals

    kadmin: getprinc joe Principal: newbie@EXAMPLE.COM Expiration date: [never] Last password change: Wed Jan 12 17:28:46 CET 2005 Password expiration date: [none] Maximum ticket life: 0 days 08:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Wed Jan 12 17:59:49 CET 2005 (newbie/admin@EXAMPLE.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0...
  • Page 866 Services such as the SSH daemon read this key and use it to obtain new tickets automatically when needed. The default keytab file resides in /etc/krb5.keytab. To create a host principal for test.example.com, enter the following commands during your kadmin session: kadmin -p newbie/admin Authenticating as principal newbie/admin@EXAMPLE.COM with password.
  • Page 867: Configuring Ssh For Kerberos Authentication

    The pam_unix2 module also supports Kerberos authentication and password update. To enable Kerberos support in pam_unix2, edit the file /etc/security/pam_unix2.conf so it contains the following lines: auth: use_krb5 nullok account: use_krb5 password: use_krb5 nullok session: none After that, all programs evaluating the entries in this file use Kerberos for user authentication.
  • Page 868: Using Ldap And Kerberos

    # KerberosTicketCleanup yes # These are for version 2 - better to use this GSSAPIAuthentication yes GSSAPICleanupCredentials yes Then restart your SSH daemon using rcsshd restart. To use Kerberos authentication with protocol version 2, enable it on the client side as well.
  • Page 869 By default, the LDAP server slapd runs as user and group ldap, while the keytab file is readable by root only. Therefore, either change the LDAP configuration so the server runs as root or make the keytab file readable by the group ldap. The latter is done automatically by the OpenLDAP start script (/etc/init.d/ldap) if the keytab file has been specified in the OPENLDAP_KRB5_KEYTAB variable in /etc/sysconfig/openldap and the OPENLDAP_CHOWN_DIRS variable is set to yes,...
  • Page 870: Access Control

    47.11.1 Using Kerberos Authentication with LDAP You should now be able to use tools, such as ldapsearch, with Kerberos authentication automatically. ldapsearch -b ou=people,dc=example,dc=com '(uid=newbie)' SASL/GSSAPI authentication started SASL SSF: 56 SASL installing layers [...] # newbie, people, example.com dn: uid=newbie,ou=people,dc=example,dc=com uid: newbie cn: Olaf Kirch [...]...
  • Page 871 access to dn="*,ou=people,dc=example,dc=com" attrs=loginShell by self write # Every user can read everything access to * by users read The second statement gives authenticated users write access to the loginShell attribute of their own LDAP entry. The third statement gives all authenticated users read access to the entire LDAP directory.
  • Page 873: Encrypting Partitions And Files

    Encrypting Partitions and Files Every user has some confidential data that third parties should not be able to access. The more connected and mobile you are, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have access over a network connection or direct physical access.
  • Page 874 editor. Refer to Section 48.2, “Using vi to Encrypt Single Files” (page 876) for more information. WARNING: Encrypted Media Is Limited Protection Be aware that with the methods described in this chapter, you cannot protect your running system from being compromised. After the encrypted media is successfully mounted, everybody with appropriate permissions has access to it.
  • Page 875 new encrypted partition, click Create. In the dialog that opens, enter the partitioning parameters for the new partition, such as the desired formatting and the mount point. Complete the process by clicking Encrypt File System. In the following dialog, enter the password twice.
  • Page 876: Using Vi To Encrypt Single Files

    the procedure is the same as in Section 48.1.1, “Creating an Encrypted Partition during Installation” (page 874). 48.1.3 Creating an Encrypted File as a Container Instead of using a partition, it is possible to create an encrypted file of a certain size that can then hold other files or folders containing confidential data.
  • Page 877 For even more security, you can place the encrypted text file in an encrypted partition. This is recommended because the encryption used in vi is not very strong.
  • Page 879: Confining Privileges With Apparmor

    Effective hardening of a computer system requires minimizing the number of programs that mediate privilege then securing the programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer.
  • Page 880: Installing Novell Apparmor

    • yast2-apparmor • apparmor-profiles • apparmor-utils 49.2 Enabling and Disabling Novell AppArmor Novell AppArmor is configured to run by default on any fresh installation of SUSE Linux Enterprise. There are two ways of toggling the status of AppArmor: Installation and Administration...
  • Page 881 Using Novell AppArmor Control Panel Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.
  • Page 882: Choosing The Applications To Profile

    5 Exit the AppArmor Control Panel with Done. 49.3 Getting Started with Profiling Applications Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items: 1 Determine the applications to profile. Read more on this in Section 49.3.1,...
  • Page 883: Building And Modifying Profiles

    There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
  • Page 884 1 As root, let AppArmor create a rough outline of the application's profile by running aa-genprof programname Outline the basic profile by running YaST → Novell AppArmor → Add Profile Wizard and specifying the complete path of the application to profile.
  • Page 885 (page 884). Determine the access rights or restrictions when prompted. TIP: For More Information For more information about profile building and modification, refer to Chapter 3, Building Novell AppArmor Profiles (↑Novell AppArmor 2.0 Administration Guide).
  • Page 886 49.3.3 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.
  • Page 887: Updating Your Profiles

    Delete unneeded reports or add new ones. TIP: For More Information For more information about configuring event notification in Novell AppArmor, refer to Section 4.2, “Setting Up Event Notification” (Chapter 4, Managing Profiled Applications, ↑Novell AppArmor 2.0 Administration Guide). Find more information about report configuration in Section 4.3, “Reports”...
  • Page 888 TIP: For More Information For more information about updating your profiles from the system logs, refer to Section 3.3.5, “Updating Profiles from Log Entries” (Chapter 3, Building Novell AppArmor Profiles, ↑Novell AppArmor 2.0 Administration Guide).
  • Page 889: Security And Confidentiality

    Security and Confidentiality One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent.
  • Page 890 • personal communication with people who have the desired information or access to the data on a computer • directly from the console of a computer (physical access) • over a serial line • using a network link In all these cases, a user should be authenticated before accessing the resources or data in question.
  • Page 891 achieved with a printer can also be accomplished in other ways, depending on the effort that goes into the attack. Reading a file locally on a host requires other access rules than opening a network connection with a server on a different host. There is a distinction between local security and network security.
  • Page 892: File Permissions

    encrypted passwords should not be visible to regular users (/etc/shadow cannot be read by normal users). It is even more important that passwords are not easy to guess, in case the password file becomes visible due to some error. Consequently, it is not really useful to “translate”...
  • Page 893 file permissions immediately. An incorrect file attribute does not only mean that files could be changed or deleted. These modified files could be executed by root or, in the case of configuration files, programs could use such files with the permissions of root.
  • Page 894 Format string bugs work in a slightly different way, but again it is the user input that could lead the program astray. In most cases, these programming errors are exploited with programs executed with special permissions—setuid and setgid programs—which also means that you can protect your data and your system from such bugs by removing the corresponding execution privileges from programs.
  • Page 895: Network Security

    50.1.7 Network Security Network security is important for protecting from an attack that is started outside. The typical login procedure requiring a username and a password for user authentication is still a local security issue. In the particular case of logging in over a network, differentiate between the two security aspects.
  • Page 896 more about X Window System security mechanisms in the man page of Xsecurity (man Xsecurity). SSH (secure shell) can be used to encrypt a network connection completely and forward it to an X server transparently without the encryption mechanism being perceived by the user.
  • Page 897: Denial Of Service

    50.1.10 Denial of Service The purpose of a denial of service (DoS) attack is to block a server program or even an entire system, something that could be achieved by various means: overloading the server, keeping it busy with garbage packets, or exploiting a remote buffer overflow. Often a DoS attack is made with the sole purpose of making the service disappear.
  • Page 898: Some General Security Tips And Tricks

    it makes it easier for him to push the active attack, because the host will not be able to interfere with the attack for some time. 50.1.12 DNS Poisoning DNS poisoning means that the attacker corrupts the cache of a DNS server by replying to it with spoofed DNS reply packets, trying to get the server to send certain data to a victim who is requesting information from that server.
  • Page 899 suse-security-announce@suse.de The list is a first-hand source of information regarding updated packages and includes members of SUSE's security team among its active contributors. suse-security@suse.de The mailing list is a good place to discuss any security issues of interest. Subscribe to it on the same Web page.
  • Page 900 use netstat -ap or netstat -anp. The -p option allows you to see which process is occupying a port under which name. Compare the netstat results with those of a thorough port scan done from outside your host. An excellent program for this job is nmap, which not only checks out the ports of your machine, but also draws some conclusions as to which services are waiting behind them.
  • Page 901: Using The Central Security Reporting Address

    SUSE's pgp key is: ID:3D25D3D9 1999-03-06 SUSE Security Team <security@suse.de> Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5 This key is also available for download from http://www.novell.com/linux/security/securitysupport.html.
  • Page 903: Part Vi Troubleshooting

    Part VI. Troubleshooting...
  • Page 905: Help And Documentation

    Help and Documentation SUSE® Linux Enterprise comes with various sources of information and documentation. The SUSE Help Center provides central access to the most important documentation resources on your system in searchable form. These resources include online help for installed applications, manual pages, info pages, databases on hardware and software topics, and all manuals delivered with your product.
  • Page 906 configuration of the search function in the Search tab are presented in Section 51.1.2, “The Search Function” (page 907). The Contents tab presents a tree view of all available and currently installed information sources. Click the book icons to open and browse the individual categories.
  • Page 907: The Search Function

    installed programs, and help texts for other applications. Furthermore, the SUSE Help Center provides access to SUSE's online databases that cover special hardware and software issues for SUSE Linux Enterprise. All these sources can be searched comfortably once a search index has been generated. 51.1.2 The Search Function To search all installed information sources of SUSE Linux Enterprise, generate a search index and set a number of search parameters.
  • Page 908 Figure 51.3 Generating a Search Index To limit the search base and the hit list as precisely as possible, use the three drop-down menus to determine the number of displayed hits and the selection area of sources to search. The following options are available for determining the selection area: Default A predefined selection of sources is searched.
  • Page 909: Man Pages

    51.2 Man Pages Man pages are an essential part of any Linux system. They explain the usage of a command and all available options and parameters. Man pages are sorted in categories as shown in Table 51.1, “Man Pages—Categories and Descriptions” (page 909) (taken from the man page for man itself).
  • Page 910: Info Pages

    Another possibility to display a man page is to use Konqueror. Start Konqueror and type, for example, man:/ls. If there are different categories for a command, Konqueror displays them as links. 51.3 Info Pages Info pages are another important source of information on your system. Usually they are more verbose than man pages.
  • Page 911: Wikipedia: The Free Online Encyclopedia

    51.5 Wikipedia: The Free Online Encyclopedia Wikipedia is “a multilingual encyclopedia designed to be read and edited by anyone” (see http://en.wikipedia.org). The content of Wikipedia is created by its users and is published under a free license (GFDL). Any visitor can edit articles, which carries a risk of vandalism, but this does not deter visitors.
  • Page 912: Package Documentation

    51.7 Package Documentation If you install a package in your system, a directory /usr/share/doc/packages/ packagename is created. You can find files from the package maintainer as well as additional information from SUSE. Sometimes there are also examples, configuration files, additional scripts, or other things available. Usually you can find the following files, but they are not standard and sometimes not all files are available.
  • Page 913: Usenet

    51.8 Usenet Created in 1979 before the rise of the Internet, Usenet is one of the oldest computer networks and still in active use. The format and transmission of Usenet articles is very similar to e-mail, but is developed for a many-to-many communication. Usenet is organized into seven topical categories: comp.* for computer-related discussions, misc.* for miscellaneous topics, news.* for newsgroup-related matters, rec.* for recreation and entertainment, sci.* for science-related discussions, soc.*...
  • Page 914 concentrates on standardizing Web technologies. W3C promotes the dissemination of open, license-free, and manufacturer-independent specifications, such as HTML, XHTML, and XML. These Web standards are developed in a four-stage process in working groups and are presented to the public as W3C recommendations (REC). http://www.oasis-open.org OASIS (Organization for the Advancement of Structured Information Standards) is an international consortium specializing in the development of standards for Web...
  • Page 915 The association brings together manufacturers, consumers, trade professionals, service companies, scientists and others who have an interest in the establishment of standards. The standards are subject to a fee and can be ordered using the DIN home page. Help and Documentation...
  • Page 917: Common Problems And Their Solutions

    Common Problems and Their Solutions This chapter describes a range of common problems, with the intention of covering as many of the various types of potential problems as possible. That way, even if your precise situation is not listed here, there might be one similar enough to offer hints toward a solution.
  • Page 918: Installation Problems

    Log File: Description
    /var/log/SaX.log: Hardware messages from the SaX display and KVM system.
    /home/user/.xsession-errors: Messages from the desktop applications currently running. Replace user with the actual username.
    /var/log/warn: All messages from the kernel and system log daemon assigned WARNING level or higher.
    /var/log/wtmp: Binary file containing user login records for the current machine session.
  • Page 919 typical problems you might run into and offers possible solutions or workarounds for these kinds of situations. 52.2.1 No Bootable CD-ROM Drive Available If your computer does not contain a bootable CD or DVD-ROM drive or if the one you have is not supported by Linux, there are several options for installing your machine without a need for a built-in CD or DVD drive: Booting from a Floppy Disk...
  • Page 920 The program checks if the BIOS provides VESA 2.0–compliant framebuffer support and boots the kernel accordingly. The monitor data (DDC info) is read. The first block of the first hard disk (MBR) is read to map BIOS IDs to Linux device names during the boot loader configuration.
  • Page 921 Incorrect Boot Sequence in BIOS The BIOS boot sequence must have CD-ROM set as the first entry for booting. Otherwise the machine would try to boot from another medium, typically the hard disk. Guidance for changing the BIOS boot sequence can be found in the documentation provided with your motherboard or in the following paragraphs.
  • Page 922 Make note of the SCSI ID of your CD-ROM drive. 3 Exit the menu with 4 Open Configure Adapter Settings. Under Additional Options, select Boot Device Options and press Enter. 5 Enter the ID of the CD-ROM drive and press Enter again.
  • Page 923 1 With the first CD or DVD still in the CD-ROM drive, reboot the machine with Ctrl + Alt + Del or using the hardware reset button. 2 When the boot screen appears, use the arrow keys of your keyboard to navigate to Installation--ACPI Disabled and press Enter to launch the boot and installation process.
  • Page 924 acpi=strict Be less tolerant of platforms that are not strictly ACPI specification compliant. pci=noacpi Disable PCI IRQ routing of the new ACPI system. Once you have determined the right parameter combination, YaST automatically writes them to the boot loader configuration to make sure that the system boots properly next time.
  • Page 925 1 Boot for installation. 2 Press and select Text Mode. 3 Select Installation and proceed with the installation as described in Chapter 3, Installation with YaST (page 35). To perform a VNC installation, proceed as follows: 1 Boot for installation. 2 Enter the following text at the boot options prompt: vnc=1 vncpassword=some_password Replace some_password with the password to use for installation.
  • Page 926: Boot Problems

    52.2.5 Only Minimalistic Boot Screen Started You inserted the first CD or DVD into the drive, the BIOS routines are finished, but the system does not start with the graphical boot screen. Instead it launches a very minimalistic text-based interface. This might happen on any machine not providing sufficient graphics memory for rendering a graphical boot screen.
  • Page 927 52.3.1 Fails to Load the GRUB Boot Loader If the hardware is functioning properly, it is possible that the boot loader has become corrupted and Linux cannot start on the machine. In this case, it is necessary to reinstall the boot loader. To reinstall the boot loader, proceed as follows: 1 Insert the installation media into the drive.
  • Page 928: Login Problems

    52.3.2 No Graphical Login If the machine comes up, but does not boot into the graphical login manager, anticipate problems either with the choice of the default runlevel or the configuration of the X Window System. To check the runlevel configuration, log in as the root user and check whether the machine is configured to boot into runlevel 5 (graphical desktop).
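
The runlevel check described above can be scripted. The following is an added example and not code from the SUSE manual: it reads the id:N:initdefault: line of an /etc/inittab-style file and can rewrite it to runlevel 5, the graphical desktop on SUSE Linux Enterprise. The inittab excerpt is constructed here for the demonstration, and the function names are this example's own; on a real system pass /etc/inittab as root.

```shell
#!/bin/sh
# Added example, not code from the SLES manual: read and correct the default
# runlevel recorded in an /etc/inittab-style file. The inittab excerpt below is
# constructed for the demo; on a real system pass /etc/inittab (as root).

# Print the runlevel N from the id:N:initdefault: line (empty if none).
default_runlevel() {
    sed -n 's/^id:\([0-6]\):initdefault:.*/\1/p' "$1" | head -n 1
}

# Rewrite the initdefault line so the system boots into runlevel $2.
# Only 2-5 are accepted: 0, 1 or 6 as the default would halt, drop to single
# user mode or reboot the machine on every boot.
set_default_runlevel() {
    case "$2" in
        2|3|4|5) ;;
        *) echo "refusing to set initdefault to '$2'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # Write through a temp file and cat back so /etc/inittab keeps its
    # owner and mode (mv would replace the inode).
    sed "s/^id:[0-6]:initdefault:/id:$2:initdefault:/" "$1" > "$tmp" && cat "$tmp" > "$1"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample: a machine that was left at runlevel 3 (multiuser with
# network, but no graphical login manager).
SAMPLE_INITTAB=$(mktemp)
cat > "$SAMPLE_INITTAB" <<'EOF'
# The default runlevel is defined here
id:3:initdefault:

# First script to be executed, if not booting in emergency (-b) mode
si::bootwait:/etc/init.d/boot

l0:0:wait:/etc/init.d/rc 0
l3:3:wait:/etc/init.d/rc 3
l5:5:wait:/etc/init.d/rc 5
EOF

echo "default runlevel before: $(default_runlevel "$SAMPLE_INITTAB")"
set_default_runlevel "$SAMPLE_INITTAB" 5
echo "default runlevel after:  $(default_runlevel "$SAMPLE_INITTAB")"
rm -f "$SAMPLE_INITTAB"
```

If default_runlevel already reports 5, the runlevel is not the problem and the X Window System configuration is the next thing to check, as the section goes on to describe.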
  • Page 929 them but then does not behave properly (fails to start the graphic desktop, produces errors, drops to a command line, etc.). 52.4.1 Valid Username and Password Combinations Fail This usually occurs when the system is configured to use network authentication or directory services and, for some reason, is unable to retrieve results from its configured servers.
  • Page 930 3 Enter the username and password for root. 4 Make all the necessary changes. 5 Boot into the full multiuser and network mode by entering telinit 5 at the command line. 52.4.2 Valid Username and Password Not Accepted This is by far the most common problem users encounter, because there are many reasons this can occur.
  • Page 931 Login Successful but GNOME Desktop Fails” (page 933) and Section 52.4.4, “Login Successful but KDE Desktop Fails” (page 934). 4 If the user's home directory has been used with another Linux distribution, remove the Xauthority file in the user's home. Use a console login via Ctrl + Alt + F1 and run rm .Xauthority as this user.
  • Page 932 • There might be problems with the X Window System authenticating this particular user, especially if the user's home has been used with another Linux distribution prior to installing the current one. To locate the cause of the login failures with network authentication, proceed as follows: 1 Check whether the user remembered his password correctly before you start debugging the whole authentication mechanism.
  • Page 933 8 If the desktop could not start because of corrupt configuration files, proceed with Section 52.4.3, “ Login Successful but GNOME Desktop Fails ” (page 933) or Section 52.4.4, “ Login Successful but KDE Desktop Fails” (page 934). 52.4.3 Login Successful but GNOME Desktop Fails If this is true for a particular user, it is likely that the user's GNOME configuration files have become corrupted.
  • Page 934 52.4.4 Login Successful but KDE Desktop Fails There are several reasons why a KDE desktop would not allow users to log in. Corrupted cache data can cause login problems, as can corrupt KDE desktop configuration files. Cache data is used at desktop start-up to increase performance. If this data is corrupted, start-up is slowed down or fails entirely.
  • Page 935: Network Problems

    5 Let the user log in to this machine. 6 After the desktop has started successfully, copy the user's own configurations back into place: cp -a .kde-ORIG-RECOVER/share .kde/share IMPORTANT If the user's own adjustments caused the login to fail and continue to do so, repeat the procedure as described above, but do not copy the .kde/ share directory.
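
The KDE recovery procedure (move .kde aside, let the user log in with fresh defaults, then copy the user's own share/ settings back) as two shell functions. This is an added example, not code from the SUSE manual; the sample home directory is constructed for the demonstration and the function names are this example's own. Note that the manual's literal cp -a .kde-ORIG-RECOVER/share .kde/share nests a second share/ directory if the fresh login has already recreated .kde/share, so the restore step here copies the directory contents instead.

```shell
#!/bin/sh
# Added example, not code from the SLES manual: the KDE recovery procedure as
# two shell functions. The sample home directory is constructed for the demo;
# on a real system run both against the affected user's home, as that user.

# Step 1, before the user logs in again: move the whole .kde directory out of
# the way so KDE starts with fresh defaults. Refuse to clobber an earlier
# recovery copy, because that is the only remaining copy of the settings.
stash_kde_config() {   # $1 = home directory
    if [ ! -d "$1/.kde" ]; then
        echo "no .kde directory in $1" >&2; return 1
    fi
    if [ -e "$1/.kde-ORIG-RECOVER" ]; then
        echo "refusing to overwrite existing $1/.kde-ORIG-RECOVER" >&2; return 1
    fi
    mv "$1/.kde" "$1/.kde-ORIG-RECOVER"
}

# Step 2, after the desktop has started successfully: bring back only the
# user's own settings (share/) and leave the cache and tmp data behind.
# The trailing /. merges into the share/ that the fresh login created rather
# than nesting a second share/ inside it.
restore_kde_share() {  # $1 = home directory
    if [ ! -d "$1/.kde-ORIG-RECOVER/share" ]; then
        echo "nothing to restore in $1/.kde-ORIG-RECOVER" >&2; return 1
    fi
    mkdir -p "$1/.kde/share"
    cp -a "$1/.kde-ORIG-RECOVER/share/." "$1/.kde/share/"
}

# Constructed sample home: a settings file plus a per-host cache directory of
# the kind that goes stale and breaks start-up.
HOME_DIR=$(mktemp -d)
mkdir -p "$HOME_DIR/.kde/share/config" "$HOME_DIR/.kde/cache-somehost"
echo "[General]" > "$HOME_DIR/.kde/share/config/kdeglobals"
echo "stale" > "$HOME_DIR/.kde/cache-somehost/ksycoca"

stash_kde_config "$HOME_DIR"
# A fresh login would now recreate .kde with defaults; simulate that here.
mkdir -p "$HOME_DIR/.kde/share/config"
restore_kde_share "$HOME_DIR"
ls -R "$HOME_DIR/.kde"
rm -rf "$HOME_DIR"
```

If the desktop fails again after restore_kde_share, the user's own settings are the cause; repeat stash_kde_config (after removing the old recovery copy) and skip the restore step, as the IMPORTANT note above says.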
  • Page 936 DNS (Name Service) A broken or malfunctioning name service affects the network's functioning in many ways. If the local machine relies on any network servers for authentication and these servers cannot be found due to name resolution issues, users would not even be able to log in. Machines in the network managed by a broken name server would not be able to “see”...
  • Page 937 IMPORTANT The debugging procedure described below only applies to a simple net- work server/client setup that does not involve any internal routing. It assumes both server and client are members of the same subnet without the need for additional routing. a Use ping hostname (replace hostname with the hostname of the server) to check whether each one of them is up and responding to the net- work.
  • Page 938

    search fully_qualified_domain_name
    nameserver ipaddress_of_nameserver

    This file can contain more than one name server address, but at least one of them must be correct to provide name resolution to your host. If needed, adjust this file using the YaST DNS and Hostname module. If your network connection is handled via DHCP, enable DHCP to change hostname and name service information by selecting Change Hostname via DHCP and Update Name Servers and Search List via...
  • Page 939: Data Problems

    d If the name service and network hardware are properly configured and running, but some external network connections still get long time-outs or fail entirely, use traceroute fully_qualified_domain_name (executed as root) to track the network route these requests are taking. This command lists any gateway (hop) a request from your machine passes on its way to its destination.
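
Step c of the procedure above depends on /etc/resolv.conf containing at least one correct nameserver line. The following added example, not code from the SUSE manual, checks that file for the defects that produce exactly the symptoms described (no nameserver at all, a truncated or out-of-range address, a missing search line). The sample files are constructed for the demonstration, the function names are this example's own, and it deliberately checks only IPv4 syntax; whether a server actually answers still has to be tested with a lookup tool.

```shell
#!/bin/sh
# Added example, not code from the SLES manual: sanity-check a resolv.conf
# before blaming the network hardware. The sample files are constructed for the
# demo; on a real system run: check_resolv_conf /etc/resolv.conf

# Print the address of every nameserver entry, one per line.
name_servers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only for a syntactically valid dotted-quad IPv4 address
# (four decimal fields, each 0-255). IPv6 is not handled here.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Succeed when at least one well-formed nameserver entry exists (the manual's
# minimum for working resolution); report every defect on stderr.
check_resolv_conf() {
    usable=0
    grep -q '^search[[:space:]]' "$1" || echo "warning: no search line; unqualified hostnames will not resolve" >&2
    for ns in $(name_servers "$1"); do
        if is_ipv4 "$ns"; then
            usable=$((usable + 1))
        else
            echo "error: malformed nameserver address '$ns'" >&2
        fi
    done
    if [ "$usable" -eq 0 ]; then
        echo "error: no usable nameserver entry in $1" >&2
        return 1
    fi
    echo "$usable usable nameserver(s)"
}

# Constructed samples: one correct file, one with a truncated and an
# out-of-range address of the kind a typo in a hand edit produces.
GOOD=$(mktemp); BAD=$(mktemp)
printf 'search example.com\nnameserver 192.168.1.1\nnameserver 10.0.0.2\n' > "$GOOD"
printf 'nameserver 10.0.0\nnameserver 300.1.1.1\n' > "$BAD"

check_resolv_conf "$GOOD"
if ! check_resolv_conf "$BAD"; then echo "fix $BAD before debugging further"; fi
rm -f "$GOOD" "$BAD"
```

A file that passes this check but still resolves nothing points at the server or the route to it, which is where the ping and traceroute steps of the procedure take over.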
  • Page 940 c Enter the path to the location of the backup if you want to keep a local backup. For your backup to be archived on a network server (via NFS), enter the IP address or name of the server and the directory that should hold your archive.
  • Page 941 52.6.2 Restoring a System Backup Use the YaST System Restoration module to restore the system configuration from a backup. Restore the entire backup or select specific components that were corrupted and need to be reset to their old state. 1 Start YaST → System → System Restoration. 2 Enter the location of the backup file.
  • Page 942 Using YaST System Repair Before launching the YaST System Repair module, determine in which mode to run it to best fit your needs. Depending on the severity and cause of your system failure and your expertise, there are three different modes to choose from: Automatic Repair If your system failed due to an unknown cause and you basically do not know which part of the system is to blame for the failure, use Automatic Repair.
  • Page 943 3 Select Automatic Repair. YaST now launches an extensive analysis of the installed system. The progress of the procedure is displayed at the bottom of the screen with two progress bars. The upper bar shows the progress of the currently running test. The lower bar shows the overall progress of the analysis.
  • Page 944 Entries in the File /etc/fstab The entries in the file are checked for completeness and consistency. All valid partitions are mounted. Boot Loader Configuration The boot loader configuration of the installed system (GRUB or LILO) is checked for completeness and coherence. Boot and root devices are examined and the availability of the initrd modules is checked.
  • Page 945 Not all test groups can be applied individually. The analysis of the fstab entries is always bound to an examination of the file systems, including existing swap partitions. YaST automatically resolves such dependencies by selecting the smallest number of necessary test runs. 4 Whenever an error is encountered, the procedure stops and a dialog opens outlining the details and possible solutions.
  • Page 946 Start Partitioning Tool This starts the expert partitioning tool in YaST. Find details in Section 7.5.8, “Partitioner” (page 161). Repair File System This checks the file systems of your installed system. You are first offered a selection of all detected partitions and can then choose the ones to check. Recover Lost Partitions It is possible to attempt to reconstruct damaged partition tables.
  • Page 947 • Access the installed system in a “change root” environment • Check, modify, and reinstall the boot loader configuration • Resize partitions using the parted command. Find more information about this tool at the Web site of GNU Parted (http://www.gnu.org/software/parted/ parted.html).
  • Page 948 shutdown, and ifconfig, ip, route, and netstat for maintaining the network. The directory /usr/bin contains the vi editor, find, less, and ssh. To see the system messages, either use the command dmesg or view the file /var/ log/messages. Checking and Manipulating Configuration Files As an example for a configuration that might be fixed using the rescue system, imagine you have a broken configuration file that prevents the system from booting properly.
  • Page 949 task (see Section “Using YaST System Repair” (page 942) for details). However, if you need to do a manual file system check or repair, boot the rescue system. It contains the utilities to check and repair the ext2, ext3, reiserfs, xfs, jfs, dosfs, and vfat file systems.
  • Page 950 versions are exactly the same (which is unlikely). So you cannot access a sound card, for example. It is also not possible to start a graphical user interface. Also note that you leave the “change root” environment when you switch the console with Modifying and Reinstalling the Boot Loader Sometimes a system cannot boot because the boot loader configuration is corrupted.
  • Page 951: Ibm System Z: Using Initrd As A Rescue System

    52.7 IBM System z: Using initrd as a Rescue System If the kernel of the SUSE® Linux Enterprise Server for IBM System z is upgraded or modified, it is possible to reboot the system accidentally in an inconsistent state, so standard procedures of IPLing the installed system fail.
  • Page 952 52.7.2 Configuring Disks In this state, no disks are configured. You need to configure them before you can proceed. Procedure 52.3 Configuring DASDs 1 Configure DASDs with the following command: dasd_configure 0.0.0150 1 0 0.0.0150 is the channel to which the DASD is connected. The 1 means activate the disk (a 0 at this place would deactivate the disk).
  • Page 953 52.7.3 Mounting the Root Device If all needed disks are online, you should now be able to mount the root device. Assuming that the root device is on the second partition of the DASD device (/dev/dasda2), the corresponding command is mount /dev/dasda2 /mnt. IMPORTANT: File System Consistency If the installed system has not been shut down properly, it may be advisable to check the file system consistency prior to mounting.
  • Page 954

    Example 52.3 Installing the IPL Record with zipl
    sh-2.05b# zipl
    building bootmap : /boot/zipl/bootmap
    adding Kernel Image : /boot/kernel/image located at 0x00010000
    adding Ramdisk : /boot/initrd located at 0x00800000
    adding Parmline : /boot/zipl/parmfile located at 0x00001000
    Bootloader for ECKD type devices with z/OS compatible layout installed.
    Syncing disks..
  • Page 955: Index

    quick start, 751 Index security, 784 Squid, 805 SSL, 779–784 Symbols configure Apache with SSL, 783 64-bit Linux, 379 creating an SSL certificate, 779 kernel specifications, 383 starting, 767 runtime support, 380 stopping, 767 software development, 380 troubleshooting, 786 authentication Kerberos, 210 access permissions (see permissions) PAM, 513–520...
  • Page 956 initrd, 387 gzip, 357, 365 log, 182 halt, 372 bzip2, 357 help, 348 ifconfig, 612 ip, 610 kadmin, 857 cards kill, 370 graphics, 501 killall, 370 network, 578–579 kinit, 864 sound, 156 ktadd, 866 cat, 367 ldapadd, 692 cd, 363 ldapdelete, 695 ldapmodify, 694 booting from, 920...
  • Page 957 ssh-keygen, 842 nsswitch.conf, 607, 699 su, 372 openldap, 869 tar, 356, 365 pam_unix2.conf, 699, 867 telnet, 371 passwd, 200 top, 370 permissions, 899 umount, 368 powersave, 525 updatedb, 366 powersave.conf, 218 configuration files, 603 profile, 421, 425, 431 .bashrc, 422, 425 resolv.conf, 426, 604, 641, 795 .emacs, 427 routes, 603...
  • Page 958 hard disk controllers, 153 cp, 362 hard disks cpuspeed, 533 DMA, 154 cron, 422 hardware, 152–158 CVS, 730, 738–740 IPv6, 576 ISDN, 169, 589 languages, 168 date, 370 mail servers, 171 deltarpm, 315 modems, 169, 586 df, 369 monitor, 153, 190 DHCP, 172, 655–671 network cards, 169 configuring with YaST, 656...
  • Page 959 security and, 898 error messages Squid and, 796 bad interpreter, 165 starting, 641 permission denied, 165 terminology, 629 top level domain, 577 troubleshooting, 641 file, 367 zones file servers, 174 files, 646 file systems, 483–493 documentation (see help) ACLs, 299–310 domain name system (see DNS) cryptofs, 873 encrypting, 873...
  • Page 960 mailsync, 731, 746–749 testing, 510 rsync, 731 grep, 367 Subversion, 731 groups Unison, 730, 736–738 managing, 178 uncompressing, 357 GRUB, 401–420 viewing, 355, 367 boot menu, 404 find, 366 boot password, 410 Firefox boot sectors, 402 URL open command, 220 booting, 402 firewalls, 180, 829 commands, 402–411...
  • Page 961 warm standby, 270 adding scripts, 394 halt, 372 inittab, 389 hard disks scripts, 392–396 DMA, 154 installation support hardware 3D graphics cards and, 510 DASD, 157 installing graphics cards, 153, 190 directory, into, 151 hard disk controllers, 153 GRUB, 402 information, 154 manually, 215 infrared, 153...
  • Page 962 administering, 853–871 kill, 370 authenticators, 846 killall, 370 clients configuring, 858–860 clock skew, 860 L10N, 429 clock synchronization, 855 languages, 150, 168 configuring laptops clients, 858–860 power management, 521–533 credentials, 846 LDAP, 681–708 installing, 853–871 access control, 689 KDC, 854–858 ACLs, 687 administering, 863 adding data, 691...
  • Page 963 sharing files with another OS, 709 YaST, 586 uninstalling, 416 more, 355 Linux virtual server, 275 mount, 368 linuxrc mouse manual installation, 215 configuring, 155 ln, 363 multipath IO, 251–257 localization, 429 LVM2, 257 locate, 366, 424 mdadm, 257 log files, 179, 423 software configuration, 253 boot.msg, 182, 525 supported hardware, 252...
  • Page 964 IP address, 581 creating, 44, 161, 163 starting, 584 encrypting, 874 NFS, 725 EVMS, 163 clients, 173, 725 fstab, 164 importing, 726 LVM, 163 mounting, 726 parameters, 163 servers, 174, 726 partition table, 401 NIS, 673–680 RAID, 163 clients, 174, 679 resizing Windows, 47 masters, 673–679 swap, 163...
  • Page 965 cpufrequency, 533 caches, 791 cpuspeed, 533 transparent, 802 hibernation, 522 ps, 370 powersave, 533 standby, 522 suspend, 522 RAID, 274 YaST, 541 YaST, 131 powersave, 533 reboot, 372 configuring, 533 registering printing, 451, 455–457 command line, 152 applications, from, 461 Internet, without, 152 command line, 461 YaST, 152...
  • Page 966 updating, 312 resolution and color depth, 192 verify, 318 touchscreen, 196 verifying, 312 SCPM, 167 rpmbuild, 311 screen rsync, 274, 731, 744 resolution, 501 runlevels, 167, 389–392 scripts changing, 391–392 init.d, 389, 392–396, 614 editing in YaST, 396 boot, 393 boot.local, 394 boot.setup, 394 halt, 394...
  • Page 967 serial terminals, 890 ACLs, 800 Squid, 792 Apache, 805 SSH, 839–844 cachemgr.cgi, 805, 807 tcpd, 901 caches, 791–792 telnet, 839 damaged, 796 tips and tricks, 898 size, 794 viruses, 894 Calamaris, 809 worms, 898 configuring, 797 X and, 895 CPU and, 795 Service Location Protocol (see SLP) directories, 795 shells, 345–376...
  • Page 968 SUSE books, 911 updating SUSE SDK, 147 online, 148–149 SVN (Subversion), 731 command line, 187 system passwd and group, 200 configuring, 137–184 patch CD, 149 languages, 168 problems, 200 limiting resource use, 425 sound mixers, 215 localizing, 429 YaST, 200 rebooting, 372 users rescuing, 946...
  • Page 969 keyboard settings, 195 Modes, 499–500 mouse settings, 194 Monitor, 498, 500 multihead, 193 ServerFlags, 498 optimizing, 497–503 remote access (VNC), 196 resolution and color depth, 192 YaST SaX2, 497 3D, 509 security, 895 add-on, 146 SSH and, 843 autoinstallation, 181 touchscreen, 196 profiles, 181 TrueType fonts, 503...
  • Page 970 58, 169–176 T-DSL, 595 NFS clients, 173 text mode, 184–190 NFS server, 174 modules, 187 NIS clients, 65, 679 time zone, 43, 168 Novell AppArmor, 176 updating, 149, 200 NTP client, 174 user management, 177 online update, 148–149 X.509 certification, 813...
  • Page 971 certificates, 821 changing default values, 823 creating CRLs, 825 exporting CA objects as a file, 827 exporting CA objects to LDAP, 825 importing general server certificates, root CA, 818 sub-CA, 820 Xen, 151 ZFCP, 158 YP (see NIS) z/VM Installation IPL, 55...
