Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual


SUSE Linux Enterprise Server 10
Installation and Administration
May 11, 2007
www.novell.com


Summary of Contents for Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007

  • Page 1 SUSE Linux Enterprise Server www.novell.com Installation and Administration May 11, 2007...
  • Page 2 The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell...
  • Page 3: Table Of Contents

    Contents: About This Guide; Part I Deployment; 1 Planning for SUSE Linux Enterprise; Considerations for Deployment of a SUSE Linux Enterprise; Deployment of SUSE Linux Enterprise; Running SUSE Linux Enterprise.
  • Page 4 4 Remote Installation; Installation Scenarios for Remote Installation; Setting Up the Server Holding the Installation Sources; Preparing the Boot of the Target System; Booting the Target System for Installation.
  • Page 5 9 Managing Software with ZENworks; Managing Packages from the Command Line with rug; Managing Packages with the ZEN Tools; For More Information.
  • Page 6 15.3 RPM and Patches; 15.4 Delta RPM Packages; 15.5 RPM Queries.
  • Page 7 20.2 Booting with GRUB; 20.3 Configuring the Boot Loader with YaST; 20.4 Uninstalling the Linux Boot Loader.
  • Page 8 24.6 Influencing Kernel Device Event Handling with udev Rules; 24.7 Persistent Device Naming; 24.8 The Replaced hotplug Package.
  • Page 9 30.2 IPv6—The Next Generation Internet; 30.3 Name Resolution; 30.4 Configuring a Network Connection with YaST.
  • Page 10 36 LDAP—A Directory Service; 36.1 LDAP versus NIS; 36.2 Structure of an LDAP Directory Tree; 36.3 Server Configuration with slapd.conf.
  • Page 11 40.5 Getting CGI Scripts to Work; 40.6 Setting Up a Secure Web Server with SSL; 40.7 Avoiding Security Problems.
  • Page 12 48 Confining Privileges with AppArmor; 48.1 Installing Novell AppArmor; 48.2 Enabling and Disabling Novell AppArmor.
  • Page 13 50.3 Info Pages; 50.4 The Linux Documentation Project; 50.5 Wikipedia: The Free Online Encyclopedia.
  • Page 15: About This Guide

    About This Guide. This guide is intended for use by professional network and system administrators during the actual planning, deployment, configuration, and operation of SUSE Linux Enterprise®. As such, it is solely concerned with ensuring that SUSE Linux Enterprise is properly configured and that the required services on the network are available to allow it to function properly as initially installed.
  • Page 16: Documentation Updates

    Security: This edition of SUSE Linux Enterprise includes several security-related features. It ships with Novell® AppArmor, which enables you to protect your applications by restricting privileges. Secure login, firewalling, and file system encryption are covered as well. Troubleshooting: SUSE Linux Enterprise includes a wealth of applications, tools, and documentation should you need them in case of trouble.
  • Page 17 Novell AppArmor Administration Guide: An in-depth administration guide to Novell AppArmor that introduces application confinement for heightened security in your environment. Storage Administration Guide: An introduction to managing various types of storage devices on SUSE Linux Enterprise. Heartbeat Guide: An in-depth administration guide to setting up high availability scenarios with Heartbeat.
  • Page 18 Documentation Conventions. The following typographical conventions are used in this manual: • /etc/passwd: filenames and directory names • placeholder: replace placeholder with the actual value • PATH: the environment variable PATH • ls, --help: commands, options, and parameters • user: users or groups •...
  • Page 19: Part I Deployment

    Part I. Deployment...
  • Page 21: Planning For Suse Linux Enterprise

    Planning for SUSE Linux Enterprise. The implementation of an operating system, either in an existing IT environment or as a completely new rollout, must be carefully prepared. SUSE Linux Enterprise 10 brings a variety of new features; it is impossible to describe all of them here. The following is a list of the major enhancements that might be of interest.
  • Page 22 Novell AppArmor: Harden your system with the Novell AppArmor technology. This service is described in depth in Novell AppArmor Administration Guide (↑Novell AppArmor Administration Guide). iSCSI: iSCSI provides an easy and reasonably inexpensive solution for connecting Linux computers to central storage systems. Find more information about iSCSI in Chapter 12, Mass Storage over IP Networks—iSCSI...
  • Page 23: Considerations For Deployment Of A Suse Linux Enterprise

    Find the registration and patch support database at http://www.novell.com/suselinuxportal. • Do you need help for your local installation? Novell provides training, support, and consulting for all topics around SUSE Linux Enterprise. Find more information about this at http://www.novell.com/products/linuxenterpriseserver/.
  • Page 24: Running Suse Linux Enterprise

    Strategies (page 7) for more information. When using the Xen virtualization technologies, network root file systems or network storage solutions like iSCSI should be considered. See also Chapter 12, Mass Storage over IP Networks—iSCSI (page 257). SUSE Linux Enterprise provides you with a broad variety of services. Find an overview of the documentation in this book in About This Guide (page xv).
  • Page 25: Deployment Strategies

    Deployment Strategies. There are several different ways to deploy SUSE® Linux Enterprise. Choose from various approaches ranging from a local installation using physical media or a network installation server to a mass deployment using a remote-controlled, highly customized, and automated installation technique. Select the method that best matches your requirements.
  • Page 26 Table 2.1 Installing from the SUSE Linux Enterprise Media. Installation Source: SUSE Linux Enterprise media kit. Tasks Requiring Manual Interaction: • Inserting the installation media • Booting the installation target • Changing media • Determining the YaST installation scope •...
  • Page 27: Deploying Up To 100 Workstations

    Table 2.3 Installing from a Network Server. Installation Source: Network installation server holding the SUSE Linux Enterprise installation media. Tasks Requiring Manual Interaction: • Inserting the boot disk • Providing boot options • Booting the installation target • Determining the YaST installation scope •...
  • Page 28 Simple Remote Installation via VNC—Dynamic Network Configuration (page 11) Consider this approach in a small to medium scenario with dynamic network setup through DHCP. A network, network installation server, and VNC viewer application are required. Remote Installation via VNC—PXE Boot and Wake on LAN (page 12) Consider this approach in a small to medium scenario that should be installed via network and without physical interaction with the installation targets.
  • Page 29 Table 2.4 Simple Remote Installation via VNC—Static Network Configuration. Installation Source: Network. Preparations: • Setting up an installation source • Booting from the installation media. Control and Monitoring: Remote: VNC. Best Suited For: small to medium scenarios with varying hardware. Drawbacks: •...
  • Page 30 Details: Section 4.1.2, “Simple Remote Installation via VNC—Dynamic Network Configuration” (page 45). Table 2.6 Remote Installation via VNC—PXE Boot and Wake on LAN. Installation Source: Network. Preparations: • Setting up the installation source • Configuring DHCP, TFTP, PXE boot, and WOL •...
  • Page 31 • Low bandwidth connections to target. Drawbacks: • Each machine must be set up individually • Physical access is needed for booting. Details: Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration” (page 48). Table 2.8 Remote Installation via SSH—Dynamic Network Configuration. Installation Source: Network. Preparations:...
  • Page 32 • Configuring DHCP, TFTP, PXE boot, and WOL • Booting from the network. Control and Monitoring: Remote: SSH. Best Suited For: • Small to medium scenarios with varying hardware • Completely remote installs; cross-site deployment • Low bandwidth connections to target. Drawbacks: Each machine must be set up individually. Details:...
  • Page 33 Best Suited For: • Large scenarios • Identical hardware • No access to system (network boot). Drawbacks: Applies only to machines with identical hardware. Details: Section 5.1, “Simple Mass Installation” (page 81). Table 2.11 Rule-Based Autoinstallation. Installation Source: Preferably network. Preparations: •...
  • Page 34: Deploying More Than 100 Workstations

    Details Section 5.2, “Rule-Based Autoinstallation” (page 93) 2.3 Deploying More than 100 Workstations Most of the considerations brought up for medium installation scenarios in Section 2.1, “Deploying up to 10 Workstations” (page 7) still hold true for large scale deployments. However, with a growing number of installation targets, the benefits of a fully automated installation method outweigh its disadvantages.
  • Page 35: Installation With Yast

    Installation with YaST After your hardware has been prepared for the installation of SUSE Linux Enterprise® as described in the Architecture-Specific Information manual and after the connection with the installation system has been established, you are presented with the interface of SUSE Linux Enterprise's system assistant YaST.
  • Page 36: System Start-Up For Installation

    3.2 System Start-Up for Installation. You can install SUSE Linux Enterprise from local installation sources, such as the SUSE Linux Enterprise CDs or DVD, or from a network source on an FTP, HTTP, or NFS server. All of these approaches require physical access to the system to install and user interaction during the installation.
  • Page 37: The Boot Screen

    3.2.2 Installing from the SUSE Linux Enterprise Media. To install from the media, insert the first CD or DVD into the appropriate drive of the system to install. Reboot the system to boot from the media and open the boot screen. 3.2.3 Installing from a Network Server Using SLP. If your network setup supports OpenSLP and your network installation source has been configured to announce itself via OpenSLP (described in...
  • Page 38 left in the drive. To install the system, select one of the installation options with the arrow keys. The relevant options are: Installation: The normal installation mode. All modern hardware functions are enabled. Installation—ACPI Disabled: If the normal installation fails, this might be due to the system hardware not supporting ACPI (advanced configuration and power interface).
  • Page 39: Language

    Normally, the installation is performed from the inserted installation medium. Here, select other sources, like FTP or NFS servers. If the installation is carried out in a network with an SLP server, select one of the installation sources available on the server with this option.
  • Page 40: Ibm System Z: Hard Disk Configuration

    3.5 IBM System z: Hard Disk Configuration When installing on IBM System z platforms, the language selection dialog is followed by a dialog to configure the attached hard disks. Select DASD, Fibre Channel Attached SCSI Disks (ZFCP), or iSCSI for installation of SUSE Linux Enterprise. After selecting Configure DASD Disks, an overview lists all available DASDs.
  • Page 41 Figure 3.2 IBM System z: Activating a DASD Figure 3.3 IBM System z: Overview of Available ZFCP Disks To use ZFCP disks for the SUSE Linux Enterprise installation, select Configure ZFCP Disks in the selection dialog. This opens a dialog with a list of the ZFCP disks available on the system.
  • Page 42: License Agreement

    and the general hard disk configuration dialog with Finish to continue with the rest of the configuration. TIP: Adding DASD or zFCP Disks at a Later Stage Adding DASD or zFCP disks is not only possible during the installation workflow, but also when the installation proposal is shown.
  • Page 43: Time Zone

    Boot Installed System. If you have problems booting an already installed SUSE Linux Enterprise, see Section 51.3, “Boot Problems” (page 918). To repair an installed system that fails to boot, select Repair Installed System. Find a description of the system repair options in Section “Using YaST System Repair”...
  • Page 44: Installation Summary

    3.9 Installation Summary. After a thorough system analysis, YaST presents reasonable suggestions for all installation settings. The options that sometimes need manual intervention in common installation situations are presented in the Overview tab. Find more special options in the Expert tab.
  • Page 45 Select the keyboard layout from the list. Use the Test field at the bottom of the dialog to check if you can enter special characters of that layout correctly. Find more information about changing the keyboard layout in Section 8.4.10, “Keyboard Layout” (page 144).
  • Page 46 Package Manager. See Figure 3.5, “Installing and Removing Software with the YaST Package Manager” (page 28). You can also install additional software packages or remove software packages from your system at any time later. For more information, refer to Section 8.3.1, “Installing and Removing Software”...
  • Page 47 3.9.5 The Expert Configuration The Overview tab in the Installation Settings dialog provides only basic options. If you are an advanced user and want to configure booting or change the time zone or default runlevel, select the Expert tab. It shows the following additional entries not contained on the Overview tab: System This dialog presents all the hardware information YaST could obtain about your...
  • Page 48: Performing The Installation

    3.10 Performing the Installation After making all installation settings, click Accept in the suggestion window to begin the installation. Confirm with Install in the dialog that opens. The installation usually takes between 15 and 30 minutes, depending on the system performance and the software selected.
  • Page 49: Installed System

    3.10.2 IBM System z: Connecting to the Installed System. After IPLing the installed system, establish a connection with it to complete the installation. The steps involved in this vary depending on the type of connection used at the outset. Using VNC to Connect: A message in the 3270 terminal asks you to connect to the Linux system using a VNC client.
  • Page 50: Configuration Of The Installed System

    Once the message appears, use SSH to log in to the Linux system as root. If the connection is denied or times out, wait a few minutes then try again. When the connection is established, execute the command /usr/lib/YaST2/startup/YaST2.ssh. yast does not suffice in this case. YaST then starts to complete the installation of the remaining packages and create an initial system configuration.
  • Page 51 SUSE Linux Enterprise can use the DES, MD5, or Blowfish hash algorithms for passwords (YaST calls them encryption types; the resulting hashes are stored in /etc/shadow). The default type is Blowfish. To change the type, click Expert Options > Encryption Type and select the new type. Traditional DES uses only the first eight characters of a password and md5crypt is considerably weaker than Blowfish against offline guessing, so keep Blowfish unless an older system that must share the password files cannot read it. 3.11.2 Hostname: The hostname is the computer's name in the network. The domain name is the name of the network.
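    The type chosen here only applies to passwords set afterwards; accounts copied in from an older system keep whatever hash they had. The following script, added here as an example and not part of the SUSE manual, classifies each account in a shadow-format file by the hash prefix ($1$ for MD5, $2a$ or $2y$ for Blowfish, a bare 13-character string for traditional DES) and lists the accounts whose passwords should be reset under the new type. The shadow lines it runs on are constructed placeholders of the right shape, not hashes of real passwords.

```python
"""Audit which password hash algorithm each /etc/shadow account uses.
Added example, not from the SUSE manual.  SAMPLE_SHADOW is constructed:
the hash fields are placeholders of the correct shape, not real hashes."""

# Hash-field prefix -> algorithm.  SLES 10 produces the first three;
# the SHA-2 variants appear on newer systems and are listed so they are
# not misreported as unknown.
PREFIXES = {
    "$1$": "MD5",
    "$2a$": "Blowfish",
    "$2y$": "Blowfish",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
}

# Algorithms the manual's Expert Options dialog lets you pick that are
# weaker than its Blowfish default.  Traditional DES also truncates the
# password to its first eight characters.
WEAK = {"DES", "MD5"}


def classify_hash(field):
    """Return the algorithm name for one shadow password field.

    A leading '!' marks a locked account but the hash behind it is still
    there and still crackable if the file leaks, so it is classified too."""
    body = field.lstrip("!")
    if body in ("", "*", "x"):
        return "no-password"
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return name
    if len(body) == 13 and "$" not in body:
        return "DES"          # crypt(3) traditional: 2 salt + 11 hash chars
    return "unknown"


def audit_shadow(text):
    """Parse shadow-format text.

    Returns ({user: algorithm}, [users whose hash type is in WEAK])."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    weak = sorted(u for u, alg in result.items() if alg in WEAK)
    return result, weak


# Constructed sample: one account per hash type the manual mentions,
# a system account without a password, and a locked account.
SAMPLE_SHADOW = """\
root:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789A:13650:0:99999:7:::
legacy:Xy1Zab3cDeFgH:13650:0:99999:7:::
migrated:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:13650:0:99999:7:::
daemon:*:13650:0:99999:7:::
svc:!$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:13650:0:99999:7:::
"""

if __name__ == "__main__":
    algorithms, weak_accounts = audit_shadow(SAMPLE_SHADOW)
    for user, alg in algorithms.items():
        print(f"{user:10} {alg}")
    print("reset needed:", ", ".join(weak_accounts))
```

    Run it against a copy of the real file with `python3 audit_shadow.py < /etc/shadow` after replacing SAMPLE_SHADOW with sys.stdin.read(); the file is root-only, so the copy must be handled (and deleted) with the same care as the original.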
  • Page 52 By default, Traditional Method without NetworkManager Applet is enabled. If desired, you can also use NetworkManager to manage all your network devices. However, the traditional method is the preferred option for server solutions. Find detailed information about NetworkManager in Section 30.5, “Managing Network Connections with NetworkManager”...
  • Page 53 3.11.4 Customer Center To get technical support and product updates, first register and activate your product. Novell Customer Center Configuration provides assistance for doing so. If you are offline or want to skip this step, select Configure Later. This also skips SUSE Linux Enterprise online update.
  • Page 54: Online Update

    Find more information about the technical support at http://www.novell.com/support/products/linuxenterpriseserver/. 3.11.5 Online Update: If the Novell Customer Center has not been configured, the next step is the user configuration. See Section 3.11.7, “Users” (page 38). For detailed instructions on performing an online update after the installation, see Section 8.3.5, “YaST Online Update”...
  • Page 55 Figure 3.6 Proposed Setup for Network Services. CA Management: The purpose of a CA (certificate authority) is to establish a trust relationship among all network services communicating with each other. Without a CA, you have to secure server communications with SSL and TLS separately for each individual service, with individually created and distributed certificates. By default, a CA is created and enabled during the installation. Its private key is the trust anchor for every certificate it issues, so restrict access to it accordingly.
  • Page 56 TIP: Resetting the Service Configuration to Defaults. Restore the defaults by clicking Change > Reset to Defaults. This discards any changes made. 3.11.7 Users: If network access was configured successfully during the previous steps of the installation, you can now choose among the following user administration methods for your system: Local (/etc/passwd): Users are administered locally on the installed host.
  • Page 57: Release Notes

    You can also add additional user accounts or change the user authentication method in the installed system. For detailed information about user management, see Section 8.9.1, “User Management” (page 167). Along with the selected user administration method, you can use Kerberos authentication. This is essential for integrating your SUSE Linux Enterprise system into an Active Directory domain, which is described in Section 37.6, “Samba Server in the Network with Active...
  • Page 58: Completing The Installation

    You can skip any peripheral devices and configure them later, as described in Section 8.4, “Hardware” (page 141). To skip the configuration, select Skip Configuration and click Next. However, you should configure the graphics card right away. Although the display settings as configured by YaST should be generally acceptable, most users have very strong preferences as far as resolution, color depth, and other graphics features are concerned.
  • Page 59: Graphical Login

    3.12 Graphical Login TIP: IBM System z: No Graphical Login The graphical login is not available on IBM System z platforms. SUSE Linux Enterprise is now installed. Unless you enabled the automatic login function or customized the default runlevel, you should see the graphical login on your screen in which to enter a username and password to log in to the system.
  • Page 61: Remote Installation

    Remote Installation SUSE Linux Enterprise® can be installed in several different ways. As well as the usual CD or DVD installation covered in Chapter 3, Installation with YaST (page 17), you can choose from various network-based approaches or even take a completely hands-off approach to the installation of SUSE Linux Enterprise.
  • Page 62 IMPORTANT The configuration of the X Window System is not part of any remote installation process. After the installation has finished, log in to the target system as root, enter telinit 3, and start SaX2 to configure the graphics hardware. 4.1.1 Simple Remote Installation via VNC—Static Network Configuration This type of installation still requires some degree of physical access to the target system...
  • Page 63 2 Boot the target system using the first CD or DVD of the SUSE Linux Enterprise media kit. 3 When the boot screen of the target system appears, use the boot options prompt to set the appropriate VNC options and the address of the installation source. This is described in detail in Section 4.4, “Booting the Target System for Installation”...
  • Page 64 • Controlling system with working network connection and VNC viewer software or Java-enabled browser (Firefox, Konqueror, Internet Explorer, or Opera) • Physical boot medium (CD, DVD, or custom boot disk) for booting the target system • Running DHCP server providing IP addresses To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server...
  • Page 65 4.1.3 Remote Installation via VNC—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. User interaction is only needed for the actual installation. This approach is suitable for cross-site deployments. To perform this type of installation, make sure that the following requirements are met: •...
  • Page 66 5 Initiate the boot process of the target system using Wake on LAN. This is de- scribed in Section 4.3.7, “Wake on LAN” (page 71). 6 On the controlling workstation, open a VNC viewing application or Web browser and connect to the target system as described in Section 4.5.1, “VNC Installation”...
  • Page 67 To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server Holding the Installation Sources” (page 52). Choose an NFS, HTTP, or FTP network server. For an SMB installation source, refer to Section 4.2.5, “Managing an SMB Installation Source”...
  • Page 68 For this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection • Target system with working network connection • Controlling system with working network connection and working SSH client software •...
  • Page 69 4.1.6 Remote Installation via SSH—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. To perform this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection •...
  • Page 70: Setting Up The Server Holding The Installation Sources

    6 On the controlling workstation, start an SSH client and connect to the target system as described in Section 4.5.2, “SSH Installation” (page 79). 7 Perform the installation as described in Chapter 3, Installation with YaST (page 17). Reconnect to the target system after it reboots for the final part of the installation.
  • Page 71 3 Select the server type (HTTP, FTP, or NFS). The selected server service is started automatically every time the system starts. If a service of the selected type is already running on your system and you want to configure it manually for the server, deactivate the automatic configuration of the server service with Do Not Configure Any Network Services.
  • Page 72 Consider announcing your installation source via OpenSLP if your network setup supports this option. This saves you from entering the network installation path on every target machine. The target systems are just booted using the SLP boot option and find the network installation source without any further configuration.
  • Page 73 To create a directory holding the installation data, proceed as follows: 1 Log in as root. 2 Create a directory that should later hold all installation data and change into this directory. For example: mkdir install/product/productversion cd install/product/productversion Replace product with an abbreviation of the product name and productversion with a string that contains the product name and version.
  • Page 74 5 Select Add Host and enter the hostnames of the machines to which to export the installation data. Instead of specifying hostnames here, you could also use wildcards, ranges of network addresses, or just the domain name of your network. Enter the appropriate export options or leave the default, which works fine in most setups. An installation source only needs to be readable, so export it read-only and restrict it to the subnet that holds the installation targets.
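    YaST writes these settings to /etc/exports. The following check, added here as an example and not part of the SUSE manual, parses that file's format and reports exports of the installation directory that are writable, disable root squashing, or are open to every host. It also catches the exports(5) pitfall where a space between a client name and its option list (`host (rw)`) makes the options apply to all hosts rather than to that one. The /etc/exports content and the /srv/install/sles10 path are constructed for the example.

```python
"""Audit /etc/exports entries for an NFS installation source.
Added example, not part of the SUSE manual.  SAMPLE_EXPORTS and the
path /srv/install/sles10 are constructed for illustration."""

import re

# Options that make no sense on a read-only installation source.
RISKY_OPTIONS = {"rw", "no_root_squash", "insecure"}

# One client spec: optional client name, optional "(opt,opt)" list.
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, client, set_of_options) tuples.

    exports(5): one path per line followed by client specs, each with
    an optional parenthesised option list.  A bare path, or a "(opts)"
    token not attached to a client name, exports to every host ("*")."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]
        for spec in clients:
            m = _CLIENT_RE.match(spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries


def audit_exports(text, inst_path):
    """Return a list of findings (strings) for exports of inst_path."""
    findings = []
    for path, client, opts in parse_exports(text):
        if path != inst_path:
            continue
        if client == "*":
            findings.append(f"{path} exported to every host ({client})")
        for opt in sorted(opts & RISKY_OPTIONS):
            findings.append(f"{path} {client}: option {opt}")
    return findings


# Constructed sample.  The third export line is the classic mistake:
# the space before "(rw,no_root_squash)" detaches the options from
# buildhost and grants them to "*".
SAMPLE_EXPORTS = """\
# installation source for the lab
/srv/install/sles10  192.168.10.0/24(ro,root_squash)
/srv/install/sles10  lab.example.com(ro)
/srv/install/sles10  buildhost (rw,no_root_squash)
/srv/home            *(rw,sync)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS, "/srv/install/sles10"):
        print("FINDING:", finding)
```

    To audit the live file, read /etc/exports in place of SAMPLE_EXPORTS and pass the directory you created for the installation data in the previous steps.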
  • Page 75 3 Create a configuration file called install.suse.nfs.reg containing the following lines:
    # Register the NFS Installation Server
    service:install.suse:nfs://$HOSTNAME/path_to_instsource/CD1,en,65535
    description=NFS Installation Source
    Replace path_to_instsource with the actual path to the installation source on your server. 4 Save this configuration file and start the OpenSLP daemon with rcslpd start. For more information about OpenSLP, refer to the package documentation located under /usr/share/doc/packages/openslp/ or refer to Chapter 31, SLP Services...
  • Page 76 2d Mount the contents of the installation repository into the change root envi- ronment of the FTP server: mount --bind path_to_instsource /srv/ftp/instsource Replace path_to_instsource and instsource with values matching your setup. If you need to make this permanent, add it to /etc/fstab. 2e Start vsftpd with vsftpd.
  • Page 77 2 Configure the HTTP server to distribute the contents of your installation directory: 2a Install the Web server Apache as described in Section 40.1.2, “Installation” (page 738). 2b Enter the root directory of the HTTP server (/srv/www/htdocs) and create a subdirectory that will hold the installation sources: mkdir instsource Replace instsource with the product name.
  • Page 78 3b Save this configuration file and start the OpenSLP daemon using rcslpd restart. 4.2.5 Managing an SMB Installation Source Using SMB, you can import the installation sources from a Microsoft Windows server and start your Linux deployment even with no Linux machine around. To set up an exported Windows Share holding your SUSE Linux Enterprise installation sources, proceed as follows: 1 Log in to your Windows machine.
  • Page 79 4.2.6 Using ISO Images of the Installation Media on the Server Instead of copying physical media into your server directory manually, you can also mount the ISO images of the installation media into your installation server and use them as installation source. To set up an HTTP, NFS or FTP server that uses ISO images instead of media copies, proceed as follows: 1 Download the ISO images and save them to the machine to use as the installation server.
  • Page 80: Preparing The Boot Of The Target System

    4.3 Preparing the Boot of the Target System This section covers the configuration tasks needed in complex boot scenarios. It contains ready-to-apply configuration examples for DHCP, PXE boot, TFTP, and Wake on LAN. 4.3.1 Setting Up a DHCP Server There are two ways to set up a DHCP server. For SUSE Linux Enterprise Server 9 and higher, YaST provides a graphical interface to the process.
  • Page 81 8 Add another option (next-server) and set its value to the address of the TFTP server. 9 Select OK and Finish to complete the DHCP server configuration. To configure DHCP to provide a static IP address to a specific host, enter the Expert Settings of the DHCP server configuration module (Step 4 (page 62)) and add a new...
  • Page 82: Setting Up A Tftp Server

    group {
      # PXE related stuff
      # "next-server" defines the tftp server that will be used
      next-server ip_tftp_server;
      # "filename" specifies the pxelinux image on the tftp server
      # the server runs in chroot under /srv/tftpboot
      filename "pxelinux.0";
      host test {
        hardware ethernet mac_address;...
  • Page 83 5 Click Browse to browse for the boot image directory. The default directory /tftpboot is created and selected automatically. 6 Click Finish to apply your settings and start the server. Setting Up a TFTP Server Manually: 1 Log in as root and install the packages tftp and xinetd. 2 If unavailable, create the /srv/tftpboot and /srv/tftpboot/pxelinux.cfg directories.
  • Page 84 4.3.3 Using PXE Boot. Some technical background information as well as PXE's complete specifications are available in the Preboot Execution Environment (PXE) Specification (http://www.pix.net/software/pxeboot/archive/pxespec.pdf). 1 Change to the directory of your installation repository and copy the linux, initrd, message, and memtest files to the /srv/tftpboot directory by entering the following:
    cp -a boot/loader/linux boot/loader/initrd boot/loader/message boot/loader/memtest /srv/tftpboot...
  • Page 85 netdevice=interface This entry defines the client's network interface that must be used for the network installation. It is only necessary if the client is equipped with several network cards and must be adapted accordingly. In case of a single network card, this entry can be omitted.
  • Page 86
    label apic
      kernel linux
      append initrd=initrd ramdisk_size=65536 apic insmod=e100 \
        install=nfs://ip_instserver/path_instsource/product/CD1
    # manual
    label manual
      kernel linux
      append initrd=initrd ramdisk_size=65536 manual=1
    # rescue
    label rescue
      kernel linux
      append initrd=initrd ramdisk_size=65536 rescue=1
    # memory test
    label memtest
      kernel memtest
    # hard disk
    label harddisk
      kernel linux
      append SLX=0x202...
  • Page 87 If no configuration file is present or no DEFAULT entry is present in the configu- ration file, the default is the kernel name “linux” with no options. APPEND options... Add one or more options to the kernel command line. These are added for both automatic and manual boots.
  • Page 88 LOCALBOOT type: On PXELINUX, specifying LOCALBOOT 0 instead of a KERNEL option means invoking this particular label and causes a local disk boot instead of a kernel boot. The type argument selects how the local boot is performed: • Perform a normal boot • Perform a local boot with the Universal Network Driver Interface (UNDI) driver still resident in memory • Perform a local boot with the entire PXE...
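    A PXELINUX configuration is fetched over TFTP, which has no authentication: any host on the segment can download /srv/tftpboot/pxelinux.cfg/default and read every APPEND line. If you put linuxrc's vncpassword= or sshpassword= option there for the remote installation scenarios, that password is effectively public. The script below, added here as an example and not part of the SUSE manual, parses the directives used in the manual's sample (DEFAULT, LABEL, KERNEL, APPEND with backslash continuation, LOCALBOOT) and reports labels whose kernel command line carries a credential. The configuration text, server address and passwords in it are constructed.

```python
"""Parse a PXELINUX configuration and flag credentials in APPEND lines.
Added example, not part of the SUSE manual.  SAMPLE_CONFIG, the server
192.168.10.5 and the password values are constructed; the option names
vnc=, vncpassword=, usessh= and sshpassword= are linuxrc's."""

# Kernel command-line keys whose value is a secret.
SECRET_KEYS = {"vncpassword", "sshpassword"}


def parse_pxelinux(text):
    """Return (default_label, {label: {"kernel": str|None, "append": str}}).

    Directive names are case-insensitive; a trailing backslash continues
    the directive on the next line, as in the manual's sample file."""
    joined = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + " " + line.strip()
        else:
            joined.append(line)

    default, labels, current = None, {}, None
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "default":
            default = value
        elif key == "label":
            current = value
            labels[current] = {"kernel": None, "append": ""}
        elif current is None:
            continue                      # directive before any label
        elif key == "kernel":
            labels[current]["kernel"] = value
        elif key == "append":
            labels[current]["append"] = value
        elif key == "localboot":
            labels[current]["kernel"] = "LOCALBOOT " + value
    return default, labels


def append_options(append):
    """Split an APPEND string into {key: value}; bare flags map to None."""
    opts = {}
    for token in append.split():
        key, sep, value = token.partition("=")
        opts[key] = value if sep else None
    return opts


def find_exposed_secrets(text):
    """Return sorted (label, option_name) pairs for secrets in APPEND lines."""
    _, labels = parse_pxelinux(text)
    hits = []
    for label, entry in labels.items():
        for key in append_options(entry["append"]):
            if key.lower() in SECRET_KEYS:
                hits.append((label, key))
    return sorted(hits)


# Constructed sample in the layout of the manual's pxelinux.cfg/default.
SAMPLE_CONFIG = """\
default linux

# default
label linux
  kernel linux
  append initrd=initrd ramdisk_size=65536 insmod=e100 \\
    install=nfs://192.168.10.5/install/sles10/CD1

# remote install over VNC: the VNC password is readable by anyone via TFTP
label vnc
  kernel linux
  append initrd=initrd ramdisk_size=65536 vnc=1 vncpassword=changeme \\
    install=nfs://192.168.10.5/install/sles10/CD1

# remote install over SSH: same problem
label ssh
  kernel linux
  append initrd=initrd ramdisk_size=65536 usessh=1 sshpassword=changeme \\
    install=nfs://192.168.10.5/install/sles10/CD1

# hard disk
label harddisk
  localboot 0
"""

if __name__ == "__main__":
    for label, option in find_exposed_secrets(SAMPLE_CONFIG):
        print(f"label {label!r}: {option}= is served in clear over TFTP")
```

    Where a password cannot be avoided, treat it as a one-time installation password, change the VNC or SSH credentials before the installed system goes into service, and remove the label from the configuration once the rollout is done.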
  • Page 89: Wake On Lan

    F10 can also be entered as F0. Note that there is currently no way to bind filenames to F11 and F12. 4.3.5 Preparing the Target System for PXE Boot: Prepare the system's BIOS for PXE boot by including the PXE option in the BIOS boot order.
  • Page 90: Booting The Target System For Installation

    Users of SUSE Linux Enterprise Server 9 and higher can use a YaST module called WOL to easily configure Wake on LAN. Users of other versions of SUSE Linux-based operating systems can use a command line tool. 4.3.8 Wake on LAN with YaST 1 Log in as root.
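    Whichever tool sends it, a Wake on LAN magic packet is six bytes of 0xFF followed by the target's MAC address repeated sixteen times, broadcast as UDP (port 9 by convention). Nothing in it is authenticated, so any host able to broadcast on the segment can wake a target, and a woken target that is configured for PXE boot will take whatever the DHCP/TFTP servers on that segment offer. The following builder and checker is added here as an example and is neither the YaST WOL module nor the command line tool the manual refers to; the MAC address in it is made up.

```python
"""Build, send and recognise Wake on LAN magic packets.
Added example, not the SUSE manual's own tooling.  The MAC address used
in __main__ is made up."""

import socket


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 bytes."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac):
    """Return the 102-byte magic packet: 6 x 0xFF, then the MAC 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet(data):
    """True if data starts with a well-formed magic packet.

    Useful when watching a broadcast domain to see who is waking what:
    extra trailing bytes (e.g. a SecureOn password) are tolerated."""
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return False
    mac = data[6:12]
    return data[6:102] == mac * 16


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet for mac; return the number of bytes sent.

    Needs a route to the target's segment; across routers you must send
    to that segment's directed broadcast address instead."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # made-up MAC; replace with the installation target's address
    sent = send_wol("00:11:22:33:44:55")
    print(f"{sent} bytes sent")
```

    Because the wake-up is unauthenticated, the protection for an unattended PXE rollout lies in the segment, not in the packet: keep the DHCP and TFTP servers that the woken machine will trust on a network that only administrators can reach.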
  • Page 91 4.4.1 Using the Default Boot Options The boot options are described in detail in Chapter 3, Installation with YaST (page 17). Generally, just selecting Installation starts the installation boot process. If problems occur, use Installation—ACPI Disabled or Installation—Safe Settings. For more information about troubleshooting the installation process, refer to Section 51.2, “Installation Problems”...
  • Page 92 Purpose: Select the installation source. Available Options: • CD-ROM or DVD • SLP • FTP • HTTP • NFS • SMB • Hard Disk. Default Value: CD-ROM or DVD. Purpose: Apply driver update. Available Options: Driver disk. Default Value: None. 4.4.3 Using Custom Boot Options: Using the appropriate set of boot options helps facilitate your installation procedure.
  • Page 93 Table 4.2 Installation (Boot) Scenarios Used in This Chapter. Installation Scenario: Chapter 3, Installation with YaST (page 17). Parameters Needed for Booting: None: system boots automatically. Boot Options: None needed. Installation Scenario: Section 4.1.1, “Simple Remote Installation via...”. Parameters Needed for Booting: • Location of the installation server... Boot Options: • install=(nfs,http,ftp,smb)://path_to...
  • Page 94 Installation Scenario: Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration” (page 48). Parameters Needed for Booting: • Location of the installation server • Network device • IP address • Netmask •... Boot Options: • install=(nfs,http,ftp,smb)://path_to_instmedia • netdevice=some_netdevice (only needed...)...
  • Page 95: Monitoring The Installation Process

    TIP: More Information about linuxrc Boot Options. Find more information about the linuxrc boot options used for booting a Linux system in /usr/share/doc/packages/linuxrc/linuxrc.html. 4.5 Monitoring the Installation Process: There are several options for remotely monitoring the installation process. If the proper boot options have been specified while booting for installation, either VNC or SSH can be used to control the installation and system configuration from a remote workstation. Of the two, only SSH encrypts the session: VNC carries the installer's screen and your keystrokes, including the root password you set, in the clear, so use it only on a network you trust.
  • Page 96 1 Start the KDE file and Web browser Konqueror. 2 Enter service://yast.installation.suse in the location bar. The target system then appears as an icon in the Konqueror screen. Clicking this icon launches the KDE VNC viewer in which to perform the installation. Alternatively, run your VNC viewer software with the IP address provided and add :1 at the end of the IP address for the display the installation is running on.
  • Page 97 1 Launch your preferred Web browser. 2 Enter the following at the address prompt: http://ip_address_of_target:5801 3 Enter your VNC password when prompted to do so. The browser window now displays the YaST screens as in a normal local installation. 4.5.2 SSH Installation Using SSH, you can remotely control the installation of your Linux machine using any SSH client software.
  • Page 98 4 When prompted for the password, enter the password that has been set with the SSH boot option. After you have successfully authenticated, a command line prompt for the installation target appears. 5 Enter yast to launch the installation program. A window opens showing the normal YaST screens as described in Chapter 3, Installation with YaST (page 17).
  • Page 99: Automated Installation

    Automated Installation AutoYaST allows you to install SUSE® Linux Enterprise on a large number of machines in parallel. The AutoYaST technology offers great flexibility to adjust deployments to heterogeneous hardware. This chapter tells you how to prepare a simple automated installation and lay out an advanced scenario involving different hardware types and installation purposes.
  • Page 100 4 Determine and set up the boot scenario for autoinstallation as described in Section 5.1.4, “Setting Up the Boot Scenario” (page 87). 5 Pass the command line to the installation routines by adding the parameters manually or by creating an info file as described in Section 5.1.5, “Creating File”...
  • Page 101 3 Select Tools > Create Reference Control File to prepare AutoYaST to mirror the current system configuration into an AutoYaST profile. 4 As well as the default resources, like boot loader, partitioning, and software selection, you can add various other aspects of your system to the profile by checking the items in the list in Create a Reference Control File.
  • Page 102 Figure 5.1 Editing an AutoYaST Profile with the AutoYaST Front-End 5.1.2 Distributing the Profile and Determining the autoyast Parameter The AutoYaST profile can be distributed in several different ways. Depending on the protocol used to distribute the profile data, different AutoYaST parameters are used to make the profile location known to the installation routines on the client.
  • Page 103
    Profile Location   Parameter                Description
    Device             autoyast=device://path   Makes the installation routines look for the control file on a storage device. Only the device name is needed—/dev/sda1 is wrong, use sda1 instead.
    Floppy             autoyast=floppy://path   Makes the installation routines look for the control file on a floppy in the floppy drive.
  • Page 104 AutoYaST includes a feature that allows binding certain profiles to the client's MAC address. Without having to alter the autoyast= parameter, you can have the same setup install several different instances using different profiles. To use this, proceed as follows: 1 Create separate profiles with the MAC address of the client as the filename and put them on the HTTP server that holds your AutoYaST profiles.
  • Page 105 5.1.3 Providing the Installation Data The installation data can be provided by means of the product CDs or DVDs or using a network installation source. If the product CDs are used as the installation source, physical access to the client to install is needed, because the boot process needs to be initiated manually and the CDs need to be changed.
  • Page 106
    default linux
    # default
    label linux
      kernel linux
      append initrd=initrd ramdisk_size=65536 insmod=e100 \
        install=http://192.168.0.22/install/suse-enterprise/
    The same example for autoinstallation looks like this:
    default linux
    # default
    label linux
      kernel linux
      append initrd=initrd ramdisk_size=65536 insmod=e100 \
        install=http://192.168.0.22/install/suse-enterprise/ \
        autoyast=nfs://192.168.0.23/profiles/autoinst.xml
    Replace the example IP addresses and paths with the data used in your setup. Preparing to Boot from CD-ROM There are several ways in which booting from CD-ROM can come into play in AutoYaST installations.
  • Page 107 Access to the boot prompt of the system to install where you manually enter the autoyast= parameter Boot and Install from SUSE Linux Enterprise Media, Get the Profile from a Floppy Use this approach if an entirely network-based installation scenario would not work.
  • Page 108 The following parameters are commonly used for linuxrc. For more information, refer to the AutoYaST package documentation under /usr/share/doc/packages/autoyast. IMPORTANT: Separating Parameters and Values When passing parameters to linuxrc at the boot prompt, use = to separate parameter and value. When using an info file, separate parameter and value with :.
  • Page 109 If your autoinstallation scenario involves client configuration via DHCP and a network installation source and you want to monitor the installation process using VNC, your info file would look like this:
    autoyast:profile_source
    install:install_source
    vnc:1
    vncpassword:some_password
    If you prefer a static network setup at installation time, your info file would look like the following:
    autoyast:profile_source \
    install:install_source \
    ...
  • Page 110
    vnc: 1
    vncpassword: test
    autoyast: file:///info
    # end_linuxrc_conf
    # Do not remove the above comment
    ]]>
    </info_file>
    </init>
    ...
    </install>
    ...
    linuxrc loads the profile containing the boot parameters instead of the traditional info file. The install: parameter points to the location of the installation sources. vnc and vncpassword indicate the use of VNC for installation monitoring.
  • Page 111: Rule-Based Autoinstallation

    5.2 Rule-Based Autoinstallation The following sections introduce the basic concept of rule-based installation using AutoYaST and provide an example scenario that enables you to create your own custom autoinstallation setup. 5.2.1 Understanding Rule-Based Autoinstallation Rule-based AutoYaST installation allows you to cope with heterogeneous hardware environments: •...
  • Page 112 • Create custom rules by running shell scripts and passing their output to the AutoYaST framework. The number of custom rules is limited to five. NOTE For more information about rule creation and usage with AutoYaST, refer to the package's documentation under /usr/share/doc/packages/autoyast2/html/index.html, Chapter Rules and Classes.
  • Page 113 5.2.2 Example Scenario for Rule-Based Autoinstallation To get a basic understanding of how rules are created, think of the following example, depicted in Figure 5.2, “AutoYaST Rules” (page 96). One run of AutoYaST installs the following setup: A Print Server This machine just needs a minimal installation without a desktop environment and a limited set of software packages.
  • Page 114 Figure 5.2 AutoYaST Rules (figure: the rules.xml file in the AutoYaST directory holds Rule 1, Rule 2 and Rule 3, which map the Engineering Department Computers, Sales Department Laptops and Print Server to the Eng. Profile, Sales Profile and Print Server Profile through the merge process)
  • Page 115 In a first step, use one of the methods outlined in Section 5.1.1, “Creating an AutoYaST Profile” (page 82) to create profiles for each use case. In this example, you would create print.xml, engineering.xml, and sales.xml. In the second step, create rules to distinguish the three hardware types from one another and to tell AutoYaST which profile to use.
  • Page 116: For More Information

        </custom1>
        <result>
          <profile>sales.xml</profile>
          <continue config:type="boolean">false</continue>
        </result>
        <operator>and</operator>
      </rule>
      <rule>
        <haspcmcia>
          <match>0</match>
          <match_type>exact</match_type>
        </haspcmcia>
        <result>
          <profile>engineering.xml</profile>
          <continue config:type="boolean">false</continue>
        </result>
      </rule>
    </rules>
    </autoinstall>
    When distributing the rules file, make sure that the rules directory resides under the profiles directory specified in the autoyast=protocol:serverip/profiles/ URL.
  • Page 117: Deploying Customized Preinstallations

    Deploying Customized Preinstallations Rolling out customized preinstallations of SUSE Linux Enterprise to a large number of identical machines spares you from installing each one of them separately and provides a standardized installation experience for the end users. With YaST firstboot, create customized preinstallation images and determine the workflow for the final personalization steps that involve end user interaction.
  • Page 118: Preparing The Master Machine

    6.1 Preparing the Master Machine To prepare a master machine for a firstboot workflow, proceed as follows: 1 Insert the installation media into the master machine. 2 Boot the machine. 3 Perform a normal installation including all necessary configuration steps and wait for the installed machine to boot.
  • Page 119 • Customizing messages to the user as described in Section 6.2.1, “Customizing YaST Messages” (page 101). • Customizing licenses and license actions as described in Section 6.2.2, “Customizing the License Action” (page 102). • Customizing the release notes to display as described in Section 6.2.3, “Customizing the Release Notes”...
  • Page 120 2a Set FIRSTBOOT_WELCOME_DIR to the directory path from which to read the welcome message and the localized versions, as in: FIRSTBOOT_WELCOME_DIR="/usr/share/firstboot/" 2b If your welcome message has filenames other than welcome.txt and welcome_locale.txt, specify the filename pattern in FIRSTBOOT_WELCOME_PATTERNS. For example: FIRSTBOOT_WELCOME_PATTERNS="mywelcome.txt"...
  • Page 121 6.2.3 Customizing the Release Notes Depending on whether you have changed the instance of SUSE Linux Enterprise you are deploying with firstboot, you probably need to educate the end users about important aspects of their new operating system. A standard installation uses release notes, displayed during one of the final stages of the installation, to provide important information to the users.
  • Page 122 • User Authentication Method • User Management • Hardware Configuration • Finish Setup This standard layout of a firstboot installation workflow is not mandatory. You can enable or disable certain components or hook your own modules into the workflow. To modify the firstboot workflow, manually edit the firstboot configuration file /etc/YaST2/firstboot.xml.
  • Page 123 The stage of the installation process at which this proposal is invoked. Do not make any changes here. For a firstboot installation, this must be set to firstboot. The label to be displayed on the proposal. The container for all modules that are part of the proposal screen. One or more modules that are part of the proposal screen.
  • Page 124 archs Specify the hardware architectures on which this workflow should be used. Example 6.3 Configuring the List of Workflow Components
    <modules config:type="list">
      <module>
        <label>Language</label>
        <enabled config:type="boolean">false</enabled>
        <name>firstboot_language</name>
      </module>
    </modules>
    The container for all components of the workflow. The module definition. The label displayed with the module.
  • Page 125 3 Apply your changes and close the configuration file. You can always change the workflow of the configuration steps when the default does not meet your needs. Enable or disable certain modules in the workflow or add your own custom ones. To toggle the status of a module in the firstboot workflow, proceed as follows: 1 Open the /etc/YaST2/firstboot.xml configuration file.
  • Page 126: Cloning The Master Installation

    TIP: For More Information For more information about YaST development, refer to http://developer.novell.com/wiki/index.php/YaST. 6.2.5 Configuring Additional Scripts firstboot can be configured to execute additional scripts after the firstboot workflow has been completed. To add additional scripts to the firstboot sequence, proceed as...
  • Page 127: Personalizing The Installation

    6.4 Personalizing the Installation As soon as the cloned disk image is booted, firstboot starts and the installation proceeds exactly as laid out in Section 6.2.4, “Customizing the Workflow” (page 103). Only the components included in the firstboot workflow configuration are started. Any other installation steps are skipped.
  • Page 129: Advanced Disk Setup

    Advanced Disk Setup Sophisticated system configurations require particular disk setups. All common partitioning tasks can be done with YaST. To get persistent device naming with block devices, use the block devices below /dev/disk/by-id/. Logical Volume Management (LVM) is a disk partitioning scheme that is designed to be much more flexible than the physical partitioning used in standard setups.
  • Page 130 7.1.1 The Logical Volume Manager The Logical Volume Manager (LVM) enables flexible distribution of hard disk space over several file systems. It was developed because sometimes the need to change the segmentation of hard disk space arises only after the initial partitioning during installation has already been done.
  • Page 131 between different logical volumes need not be aligned with any partition border. See the border between LV 1 and LV 2 in this example. LVM features: • Several hard disks or partitions can be combined in a large logical volume. •...
  • Page 132: Creating Volume Groups

    7.1.2 LVM Configuration with YaST The YaST LVM configuration can be reached from the YaST Expert Partitioner (see Section 8.5.7, “Using the YaST Partitioner” (page 149)). This partitioning tool enables you to edit and delete existing partitions and create new ones that should be used with LVM.
  • Page 133 Configuring Physical Volumes Once a volume group has been created, the following dialog lists all partitions with either the “Linux LVM” or “Linux native” type. No swap or DOS partitions are shown. If a partition is already assigned to a volume group, the name of the volume group is shown in the list.
  • Page 134 Configuring Logical Volumes After the volume group has been filled with physical volumes, define the logical volumes the operating system should use in the next dialog. Set the current volume group in a selection box to the upper left. Next to it, the free space in the current volume group is shown.
  • Page 135 If, for example, only two physical volumes are available, a logical volume with three stripes is impossible. WARNING: Striping YaST has no chance at this point to verify the correctness of your entries concerning striping. Any mistake made here is apparent only later when the LVM is implemented on disk.
  • Page 136 partitioning. It shows the existing physical volumes and logical volumes in two lists and you can manage your LVM system using the methods already described. 7.1.3 Storage Management with EVMS The Enterprise Volume Management System 2 (EVMS2) is a rich, extensible volume manager with built-in cluster awareness.
  • Page 137: Soft Raid Configuration

    Disks This is the lowest level of device. All devices that may be accessed as a physical disk are treated as disks. Segments Segments consist of partitions and other memory regions on a disk, such as the master boot record (MBR). Containers These are the counterparts of volume groups in LVM.
  • Page 138: Raid Levels

    larger number of hard disks in a more effective way than the IDE protocol and is more suitable for parallel processing of commands. There are some RAID controllers that support IDE or SATA hard disks. Soft RAID provides the advantages of RAID systems without the additional cost of hardware RAID controllers.
  • Page 139 RAID 2 and RAID 3 These are not typical RAID implementations. Level 2 stripes data at the bit level rather than the block level. Level 3 provides byte-level striping with a dedicated parity disk and cannot service simultaneous multiple requests. Both levels are only rarely used.
  • Page 140 optimize the performance of RAID 0. After creating all the partitions to use with RAID, click RAID > Create RAID to start the RAID configuration. In the next dialog, choose between RAID levels 0, 1, and 5 (see Section 7.2.1, “RAID Levels”...
  • Page 141: Troubleshooting

    Figure 7.7 File System Settings As with conventional partitioning, set the file system to use as well as encryption and the mount point for the RAID volume. Checking Persistent Superblock ensures that the RAID partitions are recognized as such when booting. After completing the configuration with Finish, see the /dev/md0 device and others indicated with RAID in the expert partitioner.
  • Page 142
    • http://www.novell.com/documentation/sles10/stor_evms/data/bookinfo.html
    • /usr/share/doc/packages/mdadm/Software-RAID.HOWTO.html
    • http://en.tldp.org/HOWTO/Software-RAID-HOWTO.html
    Linux RAID mailing lists are also available, such as http://marc.theaimsgroup.com/?l=linux-raid&r=1&w=2.
  • Page 143: System Configuration With Yast

    System Configuration with YaST In SUSE Linux Enterprise, YaST handles both the installation and configuration of your system. This chapter describes the configuration of system components (hardware), network access, and security settings, and administration of users. Find a short introduction to the text-based YaST interface in Section 8.12, “YaST in Text Mode”...
  • Page 144: Yast Language

    To start YaST in text mode on another system, use ssh root@<system-to-configure> to open the connection. Then start YaST with yast. To save time, the individual YaST modules can be started directly. To start a module, enter yast2 module_name. View a list of all module names available on your system with yast2 -l or yast2 --list.
  • Page 145: Software

    The left frame of most modules displays the help text, which offers suggestions for configuration and explains the required entries. To get help in modules without a help frame, press F1 or choose Help. After selecting the desired settings, complete the procedure by pressing Accept on the last page of the configuration dialog.
  • Page 146 Figure 8.2 YaST Package Manager In SUSE® Linux Enterprise, software is available in the form of RPM packages. Normally, a package contains everything needed for a program: the program itself, the configuration files, and all documentation. A list of individual packages is displayed to the right in the individual package window.
  • Page 147: Installing Packages

    perfect, but should be sufficient to indicate problematic packages. If necessary, check the version numbers. Installing Packages To install packages, select packages for installation and click Accept. Selected packages should have the Install status icon. The package manager automatically checks the dependencies and selects any other required packages (resolution of dependencies).
  • Page 148 of all languages supported by SUSE Linux Enterprise. If you select one of these, the right frame shows all packages available for this language. Among these, all packages applying to your current software selection are automatically tagged for installation. To uninstall a language from your system, select a language from the language list and uncheck the status box at the beginning of a line.
  • Page 149 Saving the Package Selection If you want to install the same packages on several computers, you can save your configuration to file and use it for other systems. To save your package selection, choose File > Export from the menu. To import a prepared selection, use File > Import. IMPORTANT: Hardware Compatibility Because this function saves the exact package list, it is only reliable when the hardware is identical on the source and target systems.
  • Page 150 TIP: Quick Search In addition to the Search filter, all lists of the package manager feature a quick search. Simply enter a letter to move the cursor to the first package in the list whose name begins with this letter. The cursor must be in the list (by clicking the list).
  • Page 151: Disk Usage

    The Description tab with the description of the selected package is automatically active. To view information about package size, version, installation media, and other technical details, select Technical Data. Information about provided and required files is in Dependencies. To view available versions with their installation sources, click Versions. Disk Usage During the selection of the software, the resource window at the bottom left of the module displays the prospective disk usage of all mounted file systems.
  • Page 152 For example, sendmail and postfix may not be installed concurrently. Figure 8.3, “Conflict Management of the Package Manager” (page 134) shows the conflict message prompting you to make a decision. postfix is already installed. Accordingly, you can refrain from installing sendmail, remove postfix, or take the risk and ignore the conflict.
  • Page 153 Package Groups. TIP: Creating Custom Add-On Products Create your own add-on products with YaST Add-On Creator. Read about the YaST add-on creator at http://developer.novell.com/wiki/index.php/Creating_Add-On_Media_with_YaST. Find technical background information at http://developer.novell.com/wiki/index.php/Creating_Add-Ons.
  • Page 154: Yast Online Update

    To get technical support and product updates, your system must be registered and activated. If you skipped the registration during installation, register with the help of the Novell Customer Center Configuration module from Software. This dialog is the same as that described in Section 3.11.4, “Customer Center”...
  • Page 155 Installing Patches Manually The Online Update window consists of five sections. The list of all patches available is on the left. Find the description of the selected patch displayed below the list of patches. The disk usage is displayed at the bottom of the left column. The right column lists the packages included in the selected patch (a patch can consist of several packages) and, below, a detailed description of the selected package.
  • Page 156 Most patches include updates for several packages. To change actions for single packages, right-click a package in the package window and choose an action. Once you have marked all patches and packages as desired, proceed with Accept. Another alternative for updating software is the ZENworks updater applet for KDE and GNOME.
  • Page 157: Update Options

    base system. To update the base system, boot the computer from an installation medium, such as CD. When selecting the installation mode in YaST, select Update. The procedure for updating the system is similar to a new installation. Initially, YaST examines the system, determines a suitable update strategy, and presents the results in a suggestion dialog.
  • Page 158 IMPORTANT: Scope of the Backup This backup does not include the software. It only contains configuration files. Language Primary and other languages currently installed on the system are listed here. Change them by clicking Language in the displayed configuration or with Change > Language. Optionally, adapt the keyboard layout and time zone to the region where the primary language is spoken.
  • Page 159: Hardware

    8.3.10 Checking Media If you encounter any problems using the SUSE Linux Enterprise installation media, you can check the CDs or DVDs with Software > Media Check. Media problems are more likely to occur with media you burn yourself. To check that a SUSE Linux Enterprise CD or DVD is error-free, insert the medium into the drive and run this module.
  • Page 160: Hardware Information

    8.4.3 Printer Configure a printer with Hardware > Printer. If a printer is properly connected to the system, it should be detected automatically. Find detailed instructions for configuring printers with YaST in Section 23.4, “Setting Up a Printer” (page 439). 8.4.4 Hard Disk Controller Normally, the hard disk controller of your system is configured during the installation.
  • Page 161 does not have any effect on SCSI devices. DMA modes can substantially increase the performance and data transfer speed in your system. During installation, the current SUSE Linux Enterprise kernel automatically activates DMA for hard disks but not for CD drives, because default DMA activation for all drives often causes problems with CD drives.
  • Page 162: Keyboard Layout

    to make the changes persistent. 8.4.8 IBM System z: ZFCP To add further FCP-attached SCSI devices to the installed system, use the YaST ZFCP module (Hardware > ZFCP). Select Add to add an additional device. Select the Channel Number (adapter) from the list and specify both WWPN and FCP-LUN. Finalize the setup by selecting Next and Close.
  • Page 163 choose another keyboard layout, select the desired layout from the list provided. Test the layout in Test by pressing keys on the keyboard. Fine-tune the settings by clicking Expert Settings. Adjust the key repeat rate and delay and configure the start-up state by choosing the desired settings in Start-Up States. For Devices to Lock, enter a space-separated list of devices to which to apply the Scroll Lock, Num Lock, and Caps Lock settings.
  • Page 164 Figure 8.5 Sound Configuration If YaST cannot detect your sound card automatically, proceed as follows: 1 Click Add to open a dialog in which to select a sound card vendor and model. Refer to your sound card documentation for the information required. Find a reference list of sound cards supported by ALSA with their corresponding sound modules in /usr/share/doc/packages/alsa/cards.txt and at http://www.alsa-project.org/alsa-doc/.
  • Page 165: System

    In this dialog, there is also a shortcut to the joystick configuration. Click Joystick configuration and select the joystick type in the following dialog to configure a joystick. Click Next to continue. 3 In Sound Card Volume, test your sound configuration and make adjustments to the volume.
  • Page 166 TIP: IBM System z: Continuing For IBM System z, continue with Section 8.5.3, “Boot Loader Configuration” (page 149). 8.5.1 Backup Create a backup of both your system and data using System > System Backup. However, the backup created by the module does not include the entire system. The system is backed up by saving important storage areas on your hard disk that may be crucial when trying to restore a system, such as the partition table or master boot record (MBR).
  • Page 167: Using The Yast Partitioner

    8.5.3 Boot Loader Configuration To configure booting for systems installed on your computer, use the System > Boot Loader module. A detailed description of how to configure the boot loader with YaST is available in Section 20.3, “Configuring the Boot Loader with YaST” (page 398).
  • Page 168 WARNING: Repartitioning the Running System The risk of making a mistake that causes data loss is very high. Before modifying partitions in the installed system, back up your data. Figure 8.6 The YaST Partitioner TIP: IBM System z: Device Names IBM System z recognizes only DASD and SCSI hard disks.
  • Page 169 If you run the expert dialog during installation, any free hard disk space is also listed and automatically selected. To provide more disk space to SUSE Linux Enterprise®, free the needed space starting from the bottom toward the top of the list (starting from the last partition of a hard disk toward the first).
  • Page 170: Creating A Partition

    Creating a Partition To create a partition from scratch, proceed as follows: 1 Select Create. If several hard disks are connected, a selection dialog appears in which to select a hard disk for the new partition. 2 Specify the partition type (primary or extended). Create up to four primary partitions or up to three primary partitions and one extended partition.
  • Page 171 LVM and RAID details, refer to Section 7.1, “LVM Configuration” (page 111) and Section 7.2, “Soft RAID Configuration” (page 119). File System Change the file system or format the partition here. File system changes or partition reformats irreversibly delete all data from the partition. For details of the various file systems, refer to Chapter 25, File Systems in Linux (page 469).
  • Page 172 Delete Partition Table and Disk Label This completely overwrites the old partition table. For example, this can be helpful if you have problems with unconventional disk labels. Using this method, all data on the hard disk is lost. More Partitioning Tips If the partitioning is performed by YaST and other partitions are detected in the system, these partitions are also entered in the file /etc/fstab to enable easy access to this data.
  • Page 173 to delete the beginning of this volume. For example, in the VG system and PV /dev/sda2, do this with the command dd if=/dev/zero of=/dev/sda2 bs=512 count=1. WARNING: File System for Booting The file system used for booting (the root file system or /boot) must not be stored on an LVM logical volume.
  • Page 174: Power Management

    Figure 8.7 Adding a PCI ID To add an ID, click Add and select how to assign it: by selecting a PCI device from a list or by manually entering PCI values. In the first option, select the PCI device from the provided list then enter the driver or directory name.
  • Page 175 8.5.10 Powertweak Configuration Powertweak is a SUSE Linux utility for tweaking your system to peak performance by tuning some kernel and hardware configurations. It should be used only by advanced users. After starting it with System > Powertweak, it detects your system settings and lists them in tree form in the left frame of the module.
  • Page 176: Language Selection

    8.5.14 Time and Date Configuration The time zone is initially set during installation, but you can change it with System > Date and Time. Also use this to change the current system date and time. To change the time zone, select the region in the left column and the location or time zone in the right column.
  • Page 177: Network Devices

    Figure 8.8 Setting the Language Select the main language to use for your system in Primary Language. To adjust the keyboard or time zone to this setting, enable Adapt Keyboard Layout or Adapt Time Zone. Set how locale variables are set for the root user with Details. Also use Details to set the primary language to a dialect not available in the main list.
  • Page 178: Network Services

    select it from the list then click Edit. If your device has not been detected, click Add and select it manually. To edit an existing device, select it then click Edit. For more detailed information, see Section 30.4, “Configuring a Network Connection with YaST” (page 560).
  • Page 179: Mail Server

    No Connection If you do not have access to the Internet and are not located in a network, you cannot send or receive e-mail. Activate virus scanning for your incoming and outgoing e-mail with AMaViS by selecting that option. The package is installed automatically as soon as you activate the mail filtering feature.
  • Page 180 Fetching Mail Configures mail pick-up from external mail accounts over various protocols. Mail Server Domains This determines for which domains the mail server should be responsible. At least one master domain must be configured if the server should not run as a null client used exclusively for sending mail without receiving any.
  • Page 181 name and domain name. If the provider has been configured correctly for DSL, modem, or ISDN access, the list of name servers contains the entries that were extracted automatically from the provider data. If you are located in a local network, you might receive your hostname via DHCP, in which case you should not modify the name.
  • Page 182 NFS Server With NFS, run a file server that all members of your network can access. This file server can be used to make certain applications, files, and storage space available to users. In NFS Server, you can configure your host as an NFS server and determine the directories to export for general use by the network users.
  • Page 183 WARNING: Configuring Network Services (xinetd) The composition and adjustment of network services on a system is a complex procedure that requires a comprehensive understanding of the concept of Linux services. The default settings are usually sufficient. Proxy Configure Internet proxy client settings in Proxy. Click Enable Proxy then enter the desired proxy settings.
  • Page 184 Samba Server In a heterogeneous network consisting of Linux and Windows hosts, Samba controls the communication between the two worlds. Information about Samba and the configuration of servers is provided in Chapter 37, Samba (page 695). SLP Server With service location protocol (SLP), you can configure clients in your network without knowledge of server names and services that these servers provide.
  • Page 185: Apparmor

    8.8 AppArmor Novell AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify which files each program may read, write, and execute. To enable or disable Novell AppArmor on your system, use AppArmor Control Panel.
  • Page 186: Adding Users

    Adding Users To add a new user, proceed as follows: 1 Click Add. 2 Enter the necessary data for User Data. If you do not need to adjust any more detailed settings for this new user, proceed to Step 5 (page 168).
  • Page 187 3 Adjust the settings under User Data, Details, and Password Settings. 4 Save the user account configuration by clicking Accept. Managing Encrypted Home Directories You can create an encrypted home directory as part of the user account creation. To create an encrypted home directory for a user, proceed as follows: 1 Click Add.
  • Page 188: Auto Login

    Auto Login WARNING: Using Auto Login Using the auto login feature on any system that can be physically accessed by more than one person is a potential security risk. Any user accessing this system can manipulate the data on it. If your system contains confidential data, do not use the auto login functionality.
  • Page 189 Disabling User Login To create a system user that should not be able to log in to the system but under whose identity several system-related tasks should be managed, disable the user login when creating the user account. Proceed as follows: 1 Click Add.
  • Page 190 To change the password expiration policy for an existing user, proceed as follows: 1 Select the user from the list and click Edit. 2 Adjust the values in Password Settings. 3 Apply your settings with Accept. You can limit the lifetime of any user account by specifying a date of expiration for this particular account.
  • Page 191: Group Management

    Several other security-related default settings can be changed using the Local Security module. Refer to Section 8.9.3, “Local Security” (page 174) for information. Changing the Password Encryption NOTE Changes in password encryption apply only to local users. SUSE Linux Enterprise can use DES, MD5, or Blowfish for password encryption. The default password encryption method is Blowfish.
  • Page 192 Click Expert Options for advanced group management. Find more about these options in Section 8.9.1, “User Management” (page 167). 8.9.3 Local Security To apply a set of security settings to your entire system, use Security and Users > Local Security. These settings include security for booting, login, passwords, user creation, and file permissions.
  • Page 193: Certificate Management

    over the network, enable Allow Remote Graphical Login. Because this access possibility represents a potential security risk, it is inactive by default. User Addition Every user has a numerical and an alphabetical user ID. The correlation between these is established using the file /etc/passwd and should be as unique as possible.
  • Page 194: Virtualization

    8.9.5 Firewall SuSEfirewall2 can protect your machine against attacks from the Internet. Configure it with Security and Users > Firewall. Find detailed information about SuSEfirewall2 in Chapter 43, Masquerading and Firewalls (page 817). TIP: Automatic Activation of the Firewall YaST automatically starts a firewall with suitable settings on every configured network interface.
  • Page 195 8.11.1 Custom Installation CD Creation With Miscellaneous > CD Creator, you can create a customized installation CD from your original installation set. To start creation, click Add. Use the package manager to select the packages or an AutoYaST control file to use a preconfigured AutoYaST profile for creation.
  • Page 196: System Log

    8.11.6 Start-Up Log View information concerning the start-up of the computer in Miscellaneous > Start-Up Log. This is one of the first places you might want to look when encountering problems with the system or when troubleshooting. It shows the boot log /var/log/boot.msg, which contains the screen messages displayed when the computer starts.
  • Page 197: Yast In Text Mode

    /proc/modules This displays the individual modules. /proc/mounts This displays devices currently mounted. /proc/partitions This shows the partitioning of all hard disks. /proc/version This displays the current version of Linux. /var/log/YaST2/y2log This displays all YaST log messages. /var/log/boot.msg This displays information concerning the start-up of the system. /var/log/faillog This displays login failures.
  • Page 198 When YaST is started in text mode, the YaST Control Center appears first. See Figure 8.9, “Main Window of YaST in Text Mode” (page 180). The main window consists of three areas. The left frame, which is surrounded by a thick white border, features the categories to which the various modules belong.
  • Page 199: Navigation In Modules

    8.12.1 Navigation in Modules The following description of the control elements in the YaST modules assumes that all function keys and Alt key combinations work and are not assigned different global functions. Read Section 8.12.2, “Restriction of Key Combinations” (page 182) for information about possible exceptions.
  • Page 200: Restriction Of Key Combinations

    Figure 8.10 The Software Installation Module 8.12.2 Restriction of Key Combinations If your window manager uses global Alt combinations, the Alt combinations in YaST might not work. Keys like Alt or Shift can also be occupied by the settings of the terminal.
  • Page 201: Managing Yast From The Command Line

    8.13 Managing YaST from the Command Line When a task only needs to be done once, the graphical or ncurses interface is usually the best solution. If a task needs to be done repeatedly, it might be easier to use the YaST command line interface.
  • Page 202: Managing Users

    GenProf, LogProf, SD_AddProfile, SD_DeleteProfile, SD_EditProfile, SD_Report, and subdomain These modules control or configure AppArmor. AppArmor has its own command line tools. 8.13.1 Managing Users The YaST commands for user management, unlike traditional commands, consider the configured authentication method and default user management settings of your system when creating, modifying, or removing users.
  • Page 203 Example 8.3 Removing Multiple Users #!/bin/bash # the home directory will not be deleted # to delete home directories, use the option delete_home for i in $(cat /tmp/users.txt); do yast users delete username=$i; done 8.13.2 Configuring the Network and Firewall Network and firewall configuration commands are often wanted in scripts. Use yast lan for network configuration and yast firewall.
  • Page 204: Sax2

    8.14 SaX2 Configure the graphical environment of your system with Hardware > Graphics Card and Monitor. This opens the SUSE Advanced X11 Configuration interface (SaX2), where you can configure devices such as your mouse, keyboard, or display devices. This interface can also be accessed from the GNOME main menu with Computer > More Applications >...
  • Page 205 TIP: Autodetecting New Display Hardware If you change your display hardware after installation, use sax2 -r on the command line to cause SaX2 to detect your hardware. You must be root to run SaX2 from the command line. Graphics Card It is not possible to change the graphics card because only known models are supported and these are detected automatically.
  • Page 206 Resolution and Color Depth The resolution and color depth can be chosen directly from two lists in the middle of the dialog. The resolution you select here marks the highest resolution to use. All common resolutions down to 640x480 are also added to the configuration automatically. Depending on the graphical desktop used, you can switch to any of these later without the need for reconfiguration.
  • Page 207: Testing The Configuration

    detected screens, arranging all screens in a row from left to right. In the Arrangement part of the dialog, determine the way the monitors are arranged by selecting one of the sequence buttons. Click OK to close the dialog. TIP: Using a Beamer with Laptop Computers To connect a beamer to a laptop computer, activate dual head mode.
  • Page 208 devices operated by the same driver are shown as one mouse. Activate or deactivate the currently selected mouse with the check box at the top of the dialog. Below the check box, see the current settings for that mouse. Normally, the mouse is detected automatically, but you can change it manually if the automatic detection fails.
  • Page 209 without the need for reconfiguration. After you click OK, the changes are applied immediately. 8.14.4 Tablet Properties Use this dialog to configure a graphics tablet attached to your system. Click the Graphics Tablet tab to select vendor and model from the lists. Currently, only a limited number of graphics tablets is supported.
  • Page 210: Troubleshooting

    8.16 For More Information More information about YaST can be found on the following Web sites and directories: • /usr/share/doc/packages/yast2—Local YaST development documentation • http://www.opensuse.org/YaST_Development—The YaST project page in the openSUSE wiki • http://forge.novell.com/modules/xfmod/project/?yast—Another YaST project page Installation and Administration...
  • Page 211: Managing Software With Zenworks

    ZENworks package management tools use a ZENworks Linux Management server to download packages and updates. If no ZENworks Linux Management server is available in your local network, your system can get updates from the Novell Customer Center, which is described in Section 3.11.4, “Customer Center”...
  • Page 212: Managing Packages From The Command Line With Rug

    -s, --no-services Do not load initial services. -r, --no-remote Do not start remote services. ZMD configuration is stored in /etc/zmd/zmd.conf. You can change the configu- ration manually or with rug. The URL for the ZENworks service that zmd uses at initial start-up and a registration key are stored in /var/lib/zmd.
  • Page 213 To see your registered services, use rug sl. If you want to add a new service and you are not sure which services are supported on your system, use rug st. To check for available patches, use rug pch. To view information about a patch, enter rug patch-info patch.
  • Page 214: Scheduling Updates

    lock The user may set package locks remove The user may remove software subscribe The user may change channel subscriptions trusted The user is considered trusted, so may install packages without package signatures upgrade The user may update software packages view This allows the user to see which software is installed on the machine and which software is in available channels.
  • Page 215: Managing Packages With The Zen Tools

    that executes rug up -y. The up -y option downloads and installs the patches from your catalogs without confirmation. If you instead want only to download the patches then select the patches for installation at a later time, use rug up -dy. The up -dy option downloads the patches from your catalogs without confirmation and saves them to the rug cache.
  • Page 216 NOTE: Packages versus Patches Officially released updates from Novell show up as Patches. New package ver- sions from other sources show up as Packages. To get details about a certain entry, mark it with the mouse and click the Details link under the list window.
  • Page 217: Installing Software

    Use the links All and None to select or deselect all patches. Clicking Update installs the selected programs. Figure 9.1 Selecting the Software Updates 9.2.3 Installing Software To install software packages, start Install Software from the menu or run zen-installer. The interface is almost identical to Software Updater (see Section 9.2.2, “Obtaining and Installing Software Updates”...
  • Page 218 9.2.4 Remove Software Start Remove Software from the menu or run zen-remover to uninstall software packages. The list of packages can be narrowed with the links Products (uninstalls the complete products), Patterns (see Section “Installing and Removing Patterns” (page 129) for details on patterns), Packages, and Patches.
  • Page 219 With Mount, embed a directory mounted on your machine. This is useful, for example, in a network that regularly mirrors the Novell YUM server and exports its content to the local network. To add the directory, provide the full path to the directory in Service URI.
  • Page 220: For More Information

    As user root, you can also modify the Software Updater settings. As an unprivileged user, you can only view the settings. Refer to the rug man page for an explanation of the settings. 9.3 For More Information Find more information about ZENworks Linux Management and ZMD at http://www.novell.com/products/zenworks/linuxmanagement/index.html.
  • Page 221: 10 Updating Suse Linux Enterprise

    Updating SUSE Linux Enterprise SUSE® Linux Enterprise provides the option of updating an existing system to the new version without completely reinstalling it. No new installation is needed. Old data, such as home directories and system configuration, is kept intact. During the life cycle of the product, you can apply Service Packs to increase system security and correct software defects.
  • Page 222: Possible Problems

    Before starting your update, make note of the root partition. The command df / lists the device name of the root partition. In Example 10.1, “List with df -h” (page 204), the root partition to write down is /dev/hda3 (mounted as /). Example 10.1 List with df -h Filesystem Size...
  • Page 223: Installing Service Packs

    1 Optionally, prepare an installation server. For background information, see Section 4.2.1, “Setting Up an Installation Server Using YaST” (page 52). 2 Boot the system as for the installation, described in Section 3.2, “System Start-Up for Installation” (page 18). In YaST, choose a language and select Update in the Installation Mode dialog.
  • Page 224 TIP: Installation Changes Read the installation instructions on the Service Pack media for further changes. 10.2.1 Setting Up a Network Installation Source for Service Pack Media As with the initial installation of SUSE Linux Enterprise, it is much more efficient having a central installation source on your network to serve all clients rather than installing all of them separately using a set of physical media.
  • Page 225: Network Installation

    Procedure 10.1 Booting from the Service Pack Medium 1 Insert the first SUSE Linux Enterprise SP medium (CD 1 or DVD 1) and boot your machine. A boot screen similar to the original installation of SUSE Linux Enterprise 10 is displayed. 2 Select Installation and continue as outlined in the YaST installation instructions Chapter 3, Installation with YaST (page 17).
  • Page 226 4 Select the appropriate installation server from those offered or use the boot options prompt to provide the type of installation source and its actual location as in Section 3.2.4, “Installing from a Network Source without SLP” (page 19). YaST starts.
  • Page 227 • The system must be online throughout the entire update process, because this process requires access to the Novell registration server. • If your setup involves third party software or add-on software, test this procedure on another machine to make sure that the dependencies are not broken by the update.
  • Page 228 Figure 10.1 Update to Service Pack 1 1 In a running SUSE Linux Enterprise system, select Computer > YaST > Software > Online Update. If you are not logged in as root, enter the root password when prompted. 2 The Online Update dialog appears. Scroll down the patch list and select Update to Service Pack 1 as shown in Figure 10.1, “Update to Service Pack 1”...
  • Page 229: Software Changes From Version 9 To Version

    5 Click Finish when you see Installation Finished reported near the end of the progress log. 6 To finish the update, manually reboot the system to activate the new kernel. 10.3 Software Changes from Version 9 to Version 10 The individual aspects changed from version 9 to version 10 are outlined in the following in detail.
  • Page 230 accessed. Alternatively, GRUB and LILO support wild card boot loader entries. Refer to the GRUB info pages (info grub) and to the lilo.conf(5) manual page for details. 10.3.2 Changes with Kernel Modules The following kernel modules are no longer available: •...
  • Page 231 Find details in /usr/src/linux/Documentation/ia64/serial.txt, which is part of the kernel-source software package. 10.3.4 LD_ASSUME_KERNEL Environment Variable Do not set the LD_ASSUME_KERNEL environment variable any longer. In the past, it was possible to use it to enforce LinuxThreads support, which was dropped. If you set LD_ASSUME_KERNEL=2.4.x in SUSE Linux Enterprise 10, everything breaks because ld.so looks for glibc and related tools in a path that does not exist.
  • Page 232 Table 10.1 Backup Files Old File Backup File /etc/krb5.conf /etc/krb5.conf.heimdal /etc/krb5.keytab /etc/krb5.keytab.heimdal The client configuration (/etc/krb5.conf) is very similar to the one of heimdal. If nothing special was configured, it is enough to replace the parameter kpasswd_server with admin_server. It is not possible to copy the server-related (kdc and kadmind) data. After the system update, the old heimdal database is still available under /var/heimdal.
  • Page 233 If network access is required during the installation or configuration of a service, the respective YaST module opens the needed TCP and UDP ports of all internal and external interfaces. If this is not desired, close the ports in the YaST module or specify other detailed firewall settings.
  • Page 234 Table 10.2 Commands XFree86 X.Org XFree86 Xorg xf86config xorgconfig xf86cfg xorgcfg Table 10.3 Log Files in /var/log XFree86 X.Org XFree86.0.log Xorg.0.log XFree86.0.log.old Xorg.0.log.old In the course of the change to X.Org, the packages were renamed from XFree86* to xorg-x11*. 10.3.14 X.Org Configuration File The configuration tool SaX2 writes the X.Org configuration settings into /etc/X11/ xorg.conf.
  • Page 235 10.3.16 Terminal Emulators for X11 A number of terminal emulators were removed because they are either no longer maintained or do not work in the default environment, especially by not supporting UTF-8. SUSE Linux Enterprise Server offers standard terminals, such as xterm, the KDE and GNOME terminals, and mlterm (Multilingual Terminal Emulator for X), which might be a replacement for aterm and eterm.
  • Page 236 /usr/X11R6/bin/OOo-writer /usr/bin/oowriter /usr/X11R6/bin/OOo /usr/bin/ooffice /usr/X11R6/bin/OOo-wrapper /usr/bin/ooo-wrapper The wrapper now supports the option --icons-set for switching between KDE and GNOME icons. The following options are no longer supported: --default-configuration, --gui, --java-path, --skip-check, --lang (the language is now determined by means of locales), --messages-in-window, and --quiet.
  • Page 237 10.3.20 Starting Manual Installation at the Kernel Prompt The Manual Installation mode is gone from the boot loader screen. You can still get linuxrc into manual mode using manual=1 at the boot prompt. Normally this is not necessary because you can set installation options at the kernel prompt directly, such as textmode=1 or a URL as the installation source.
  • Page 238 the approximately forty files that used to exist on the system. If you install an application later, it inherits the already applied changes and the administrator is not required to remember to adjust the configuration. The changes are simple. If you have the following configuration file (which should be the default for most applications): #%PAM-1.0 auth...
  • Page 239 Now Split Into cpufreq events battery sleep thermal /etc/powersave.conf has become obsolete. Existing variables have been moved to the files listed in Table 10.5, “Split Configuration Files in /etc/sysconfig/powersave” (page 220). If you changed the “event” variables in /etc/powersave.conf, these must now be adapted in /etc/sysconfig/powersave/events.
  • Page 240 10.3.27 PCMCIA cardmgr no longer manages PC cards. Instead, as with Cardbus cards and other subsystems, a kernel module manages them. All necessary actions are executed by hotplug. The pcmcia start script has been removed and cardctl is replaced by pccardctl.
  • Page 241 • /etc/sysconfig/ntp 10.3.30 File System Change Notification for GNOME Applications For proper functionality, GNOME applications depend on file system change notification support. For local-only file systems, install the gamin package (preferred) or run the FAM daemon. For remote file systems, run FAM on both the server and client and open the firewall for RPC calls by FAM.
  • Page 242 From the command line, you can influence the behavior by using firefox -new-window url or firefox -new-tab url.
  • Page 243: Part Ii Administration

    Part II. Administration...
  • Page 245: 11 Openwbem

    OpenWBEM Novell® has embraced the open standard strategies of Web-Based Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF) [http://www.dmtf.org/home]. Implementing these strategies can substantially reduce the level of complexity associated with managing disparate systems in your network.
  • Page 246 WBEM project [http://openwbem.org]. The Web-Based Enterprise Management software selection includes a set of packages that contain basic Novell providers, including some sample providers, and a base set of accompanying Novell schemas. As Novell moves forward with OpenWBEM and development of specific providers, it will provide tools that offer the following important features: •...
  • Page 247: Setting Up Openwbem

    DMTF and its technologies, you can visit the DMTF Web site [http://www.dmtf.org]. • openwbem-base-providers: This package contains a Novell Linux instrumentation of base operating system components such as computer, system, operating system, and processes for the OpenWBEM CIMOM. • openwbem-smash-providers:...
  • Page 248 • Section 11.1.3, “Setting Up Logging” (page 233) 11.1.1 Starting, Stopping, or Checking Status for owcimomd When Web-Based Enterprise Management software is installed, the daemon, owcimomd, is started by default. The following table explains how to start, stop, and check status for owcimomd.
  • Page 249 /etc/openwbem/servercert.pem If you want to generate a new certificate, use the following command. Running this command replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one. As root in a console shell, enter sh /etc/openwbem/owgencert.
  • Page 250 Internet between servers and workstations. Users must authenticate through the client application to view this information. Novell recommends that you maintain this setting in the configuration file. In order for the OpenWBEM CIMOM to communicate with the...
  • Page 251 Authentication The following authentication settings are set and enabled as the default for OpenWBEM in SUSE Linux Enterprise Server. You can change any of the default settings. See Section 11.2.1, “Changing the Authentication Configuration” (page 234). • http_server.allow_local_authentication = true •...
  • Page 252: Changing The Openwbem Cimom Configuration

    11.2 Changing the OpenWBEM CIMOM Configuration When OpenWBEM CIMOM (owcimomd) starts, it reads its run-time configuration from the openwbem.conf file. The openwbem.conf file is located in the /etc/openwbem directory. Any setting that has the options commented out with a semicolon (;) or pound sign (#) uses the default setting.
  • Page 253 See the following settings: • Section “http_server.allow_local_authentication ” (page 235) • Section “http_server.digest_password_file ” (page 236) • Section “http_server.ssl_client_verification ” (page 236) • Section “http_server.ssl_trust_store ” (page 237) • Section “http_server.use_digest” (page 238) • Section “owcimomd.ACL_superuser” (page 239) • Section “owcimomd.allow_anonymous” (page 239) •...
  • Page 254 Option Description false Disables local authentication. Example http_server.allow_local_authentication = true http_server.digest_password_file Purpose Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled. Syntax http_server.digest_password_file = path_filename The following is the default path and filename for the digest password file: /etc/openwbem/digest_auth.passwd Example http_server.digest_password_file =...
  • Page 255 Syntax: http_server.ssl_client_verification = option Option Description autoupdate Specifies the same functionality as the Optional option; however, previously unknown client certificates that pass HTTP authentication are added to a trust store so that subsequent client connections with the same certificate do not require HTTP authentication.
  • Page 256 /etc/openwbem/truststore Example http_server.ssl_trust_store = /etc/openwbem/truststore http_server.use_digest Purpose Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication mechanism. To use digest, you must set up the digest password file using owdigestgenpass. Digest doesn’t use the authentication module specified by the owcimomd.authentication_module configuration setting.
  • Page 257 owcimomd.ACL_superuser Purpose Specifies the username of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by the owcimomd. This user can be used to administer the /root/security name space, which is where all ACL user rights are stored.
  • Page 258 Option Description This disables authentication. No username or password is required to access owcimomd data. Example owcimomd.allow_anonymous = false owcimomd.allowed_users Purpose Specifies a list of users who are allowed to access owcimomd data. Syntax owcimomd.allowed_users = option Option Description Specifies one or more users who are allowed to access the owcimomd data. username
  • Page 259 owcimomd.authentication_module Purpose Specifies the authentication module that is used by owcimomd. This setting should be an absolute path to the shared library containing the authentication module. Syntax owcimomd.authentication_module = path_filename The following is the default path and filename for the authentication modules: /usr/lib/openwbem/authentication/libpamauthentication.so Example owcimomd.authentication_module =...
  • Page 260 11.2.2 Changing the Certificate Configuration The http_server.SSL_cert and the http_server.SSL_key settings specify the location of the file or files that contain the host's private key and the certificate that is used by OpenSSL for HTTPS communications. The .pem files are located in the following default location: /etc/openwbem/servercert.pem /etc/openwbem/serverkey.pem Syntax...
  • Page 261 11.2.3 Changing the Port Configuration The http_server.http_port and http_server.https_port settings specify the port number that owcimomd listens on for all HTTP and HTTPS communications. Syntax http_server.http_port = option http_server.https_port = option Option Description Specific_port_number Specify the specific port for HTTP or HTTPS communications.
  • Page 262 11.2.4 Changing the Default Logging Configuration The following log settings in the owcimomd.conf file let you specify where and how much logging occurs, the type of errors logged, and the log size, filename, and format: • Section “log.main.categories” (page 244) •...
  • Page 263 Option Description Specifies the categories to be logged using a space delimited category_name list. The categories used in owcimomd are: • DEBUG • ERROR • FATAL • INFO For more information about these options, see Section “log.main.level” (page 249). If specified in this option, the predefined categories are not treated as levels, but as independent categories.
  • Page 264 Syntax log.main.components = option Option Description Specifies the components to be logged (such as owcimomd) component_name using a space-delimited list. Providers can use their own components. Specifies that all components are logged. This is the default setting. Example log.main.components = owcimomd nssd log.main.format Purpose Specifies the format (text mixed with printf() style conversion specifiers) of the log...
  • Page 265 Option Specifies Can be followed by a date format specifier enclosed between braces. For example, %d{%H:%M:%S} or %d{%d %b %Y %H:%M:%S}. If no date format specifier is given, then ISO 8601 format is assumed. The only addition is %Q, which is the number of milliseconds. For more information about the date format specifiers, see the documentation for the strftime() function found in the <ctime>...
  • Page 266 Option Specifies Line feed \x<hexDigits> Character represented in hexadecimal It is possible to change the minimum field width, the maximum field width, and justification. The optional format modifier is placed between the percent sign (%) and the conversion character. The first optional format modifier is the left justification flag, which is the minus (-) character.
  • Page 267 <log4j:locationInfo class="" method="" file="%F" line="%L"/></log4j:event>" The following is the default: log.main.format = [%t]%m log.main.level Purpose Specifies the level the log outputs. If set, the log outputs all predefined categories at and above the specified level. Syntax log.main.level = option Option Description DEBUG Logs all Debug, Info, Error, and Fatal error messages.
  • Page 268 log.main.location Purpose Specifies the location of the log file owcimomd uses when the log.main.type setting option specifies that logging is sent to a file. Syntax log.main.location = path_filename Example log.main.location = /system/cimom/var/owcimomd.log log.main.max_backup_index Purpose Specifies the number of backup logs that are kept before the oldest is erased. Syntax log.main.max_backup_index = option Option...
  • Page 269 log.main.max_file_size Purpose Specifies the maximum size (in KB) that the owcimomd log can grow to. Syntax log.main.max_file_size = option Option Description Limits the log to a certain size in KB. unsigned _integer_in_KB Lets the log grow to an unlimited size. This is the default setting.
  • Page 270 Option Description null Disables logging. syslog Sends all messages to the syslog interface. This is the default setting. Example log.main.type = syslog 11.2.5 Configuring Debug Logging If owcimomd is run in debug mode, then the debug log is active with the following settings: •...
  • Page 271 Table 11.3 Additional Color Codes for the log.debug.format Command Color Codes \x1b[1;31;40m dark red \x1b[0;31;40m green \x1b[1;32;40m dark green \x1b[0;32;40m yellow \x1b[1;33;40m dark yellow \x1b[0;33;40m blue \x1b[1;34;40m dark blue \x1b[0;34;40m purple \x1b[1;35;40m dark purple \x1b[0;35;40m cyan \x1b[1;36;40m dark cyan \x1b[0;36;40m white \x1b[1;37;40m dark white...
  • Page 272: For More Information

    owcimomd.additional_logs = logname Separate multiple lognames with spaces. Syntax owcimomd.additional_logs = logname For each log, the following settings apply: • log.log_name.categories • log.log_name.components • log.log_name.format • log.log_name.level • log.log_name.location • log.log_name.max_backup_index • log.log_name.max_file_size Example owcimomd.additional_logs = errorlog1 errorlog2 errorlog3 11.3 For More Information For more information about OpenWBEM, see the following information: •...
  • Page 273 • A Novell Cool Solutions Article: An Introduction to WBEM and OpenWBEM in SUSE Linux [http://www.novell.com/coolsolutions/feature/ 14625.html] • OpenWBEM Web site [http://www.openwbem.org] • DMTF Web site [http://www.dmtf.org] OpenWBEM...
  • Page 275: 2 Mass Storage over IP Networks—iSCSI

    Mass Storage over IP Networks—iSCSI One of the central tasks in computer centers and when operating servers is providing hard disk capacity for server systems. Fiber channel is often used for this purpose in the mainframe sector. So far, UNIX computers and the majority of servers are not connected to central storage solutions.
  • Page 276 12.1.1 Creating iSCSI Targets with YaST The iSCSI target configuration exports existing block devices or file system images to iSCSI initiators. First create the needed block devices with YaST or create file system images. For an overview of partitioning, see Section 8.5.7, “Using the YaST Partitioner”...
  • Page 277 Identifier The Identifier is freely selectable. It should follow some scheme to make the whole system more structured. It is possible to assign several LUNs to a target. To do this, select a target in the Targets tab then click Edit. There, add new LUNs to an existing target. Path Add the path to the block device or file system image to export.
  • Page 278 In the Target line, yyyy-mm is the date when this target is activated, and identifier is freely selectable. Find more about naming conventions in RFC 3722 (see http:// www.ietf.org/rfc/rfc3722.txt). Three different block devices are exported in this example. The first one is a logical volume (see also Section 7.1, “LVM Configuration”...
  • Page 279 To create a new iSCSI target with a LUN, first update your configuration file. The additional entry could be: Target iqn.2006-02.com.example.iserv:system2 Lun 0 Path=/dev/mapper/system-swap2 IncomingUser joe secret To set up this configuration manually, proceed as follows: 1 Create a new target with the command ietadm --op new --tid=2 --params Name=iqn.2006-02.com.example.iserv:system2.
  • Page 280: Configuring iSCSI Initiator

    MaxBurstLength=262144 FirstBurstLength=65536 DefaultTime2Wait=2 DefaultTime2Retain=20 MaxOutstandingR2T=1 DataPDUInOrder=Yes DataSequenceInOrder=Yes ErrorRecoveryLevel=0 HeaderDigest=None DataDigest=None OFMarker=No IFMarker=No OFMarkInt=Reject IFMarkInt=Reject All of these parameters may be changed easily. For example, if you want to change the maximum number of connections to two, use ietadm --op update --tid=1 --params=MaxConnections=2.
  • Page 281 12.2.1 Using YaST for the iSCSI Initiator Configuration The configuration is divided into three tabs. The Service tab may be used to enable the iSCSI initiator at boot time. The Connected Targets tab gives an overview of the currently connected iSCSI targets. Like the Discovered Targets tab, it gives the option to add new targets to the system.
  • Page 282 edited to provide the information. To add your password information for the discovery, add the following lines to the end of /etc/iscsid.conf: discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = <username> discovery.sendtargets.auth.password = <password> The discovery stores all received values in an internal persistent database. In addition, it displays all detected targets.
  • Page 283 The iSCSI protocol has been available for several years. There are many reviews and additional documentation comparing iSCSI with SAN solutions, doing performance benchmarks, or just describing hardware solutions. Important pages for more information about open-iscsi are: • http://www.open-iscsi.org/ • http://www.open-iscsi.org/cgi-bin/wiki.pl • http://www.novell.com/coolsolutions/appnote/15394.html Mass Storage over IP Networks—iSCSI...
  • Page 284 There is also some online documentation available. See the manual pages of iscsiadm, iscsid, ietd.conf, and ietd and the example configuration file /etc/iscsid.conf. Installation and Administration...
  • Page 285: 3 Oracle Cluster File System

    Oracle Cluster File System 2 • Section 13.1, “Overview of OCFS2” (page 267) • Section 13.2, “Creating an OCFS2 Volume” (page 274) • Section 13.3, “Mounting an OCFS2 Volume” (page 279) • Section 13.4, “Additional Information” (page 280) 13.1 Overview of OCFS2 Oracle Cluster File System 2 (OCFS2) is a general-purpose journaling file system that is fully integrated in the Linux 2.6 kernel and later.
  • Page 286 • Oracle RAC and other databases • General applications and workloads • XEN image store in a cluster XEN virtual machines and virtual servers can be stored on OCFS2 volumes that are mounted by cluster servers to provide quick and easy portability of XEN virtual machines between servers.
  • Page 287: O2CB Cluster Service

    • Operation as a shared-root file system • Support for multiple-block sizes (each volume can have a different block size) up to 4 KB, for a maximum volume size of 16 TB • Support for up to 255 cluster nodes •...
  • Page 288: Disk Heartbeat

    Service Description DLMFS User space interface to the kernel space DLM. For details, see Section 13.1.4, “In-Memory File Systems” (page 270). 13.1.3 Disk Heartbeat OCFS2 requires the nodes to be alive on the network. The O2CB cluster service sends regular keepalive packets to ensure that they are.
  • Page 289: Management Utilities And Commands

    Table 13.2 In-Memory File Systems Used by OCFS2 In-Memory Description Mount Point File System configfs Communicates the list of nodes in the cluster to /config the in-kernel node manager, and communicates the resource used for the heartbeat to the in-kernel heartbeat thread ocfs2_dlmfs Communicates locking and unlocking for cluster-...
  • Page 290 Table 13.3 OCFS2 Utilities OCFS2 Utility Description debugfs.ocfs2 Examines the state of the OCFS file system for the purpose of debugging. fsck.ocfs2 Checks the file system for errors and optionally repairs errors. mkfs.ocfs2 Creates an OCFS2 file system on a device, usually a partition on a shared physical or logical disk.
  • Page 291: OCFS2 Packages

    Command Description At least one node in the cluster must be active for the cluster to be online. /etc/init.d/o2cb offline Offlines the cluster named ocfs2 ocfs2 /etc/init.d/o2cb unload Unloads the O2CB modules and in-memory file systems /etc/init.d/o2cb start If the cluster is set up to load on boot, starts the cluster named ocfs2 by loading o2cb and onlining the cluster ocfs2 At least one node in the cluster must be active for the...
  • Page 292: Creating an OCFS2 Volume

    4 If you need to install the packages, select them, then click Install and follow the on-screen instructions. 13.2 Creating an OCFS2 Volume Follow the procedures in this section to configure your system to use OCFS2 and to create OCFS2 volumes. 13.2.1 Prerequisites Before you begin, do the following: •...
  • Page 293 chkconfig --add o2cb When you add a new service, chkconfig ensures that the service has either a start or a kill entry in every run level. 3 If the ocfs2 service is not already enabled, enter chkconfig --add ocfs2 4 Configure the o2cb cluster service driver to load on boot. 4a Enter /etc/init.d/o2cb configure 4b At the Load O2CB driver on boot (y/n) [n] prompt, enter...
  • Page 294 However, if you change other settings, such as the cluster name and IP address, you must restart the cluster for the changes to take effect, as described in Step 6 (page 276). 5a Open the ocfs2console GUI by entering ocfs2console 5b In the ocfs2console, select Cluster >...
  • Page 295 13.2.3 Creating an OCFS2 Volume Creating an OCFS2 file system and adding new nodes to the cluster should be performed on only one of the nodes in the cluster. 1 Open a terminal window and log in as the root user or equivalent. 2 If the O2CB cluster service is offline, start it by entering the following command, then wait for the process to return a status of OK.
  • Page 296 OCFS2 Pa- Description and Recommendation rameter Cluster size Cluster size is the smallest unit of space allocated to a file to hold the data. Options are 4, 8, 16, 32, 64, 128, 256, 512, and 1024 KB. Cluster size cannot be modified after the volume is formatted. Oracle recommends a cluster size of 128 KB or larger for database volumes.
  • Page 297: Mounting an OCFS2 Volume

    13.3 Mounting an OCFS2 Volume 1 Open a terminal window and log in as the root user or equivalent. 2 If the O2CB cluster service is offline, start it by entering the following command, then wait for the process to return a status of OK. /etc/init.d/o2cb online ocfs2 Replace ocfs2 with the actual cluster name of your OCFS2 cluster.
  • Page 298: Additional Information

    Option Description datavolume Ensures that the Oracle processes open the files with the o_direct flag. nointr No interruptions. Ensures the IO is not interrupted by signals. 13.4 Additional Information For information about using OCFS2, see the OCFS2 User Guide [http://oss .oracle.com/projects/ocfs2/documentation/] on the OCFS2 project at Oracle [http://oss.oracle.com/projects/ocfs2/].
  • Page 299: 4 Access Control Lists in Linux

    Access Control Lists in Linux POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than the traditional permission concept allows. The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard.
  • Page 300 would not be able to change passwd, because it would be too dangerous to grant all users direct access to this file. A possible solution to this problem is the setuid mechanism. setuid (set user ID) is a special file attribute that instructs the system to execute programs marked accordingly under a specific user ID.
  • Page 301: Advantages of ACLs

    14.2 Advantages of ACLs Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit.
  • Page 302: Handling ACLs

    default ACL Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created. ACL entry Each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions.
  • Page 303 Table 14.1 ACL Entry Types Type Text Form owner user::rwx named user user:name:rwx owning group group::rwx named group group:name:rwx mask mask::rwx other other::rwx Table 14.2 Masking Access Permissions Entry Type Text Form Permissions named user user:geeko:r-x mask mask::rw- effective permissions: 14.4.1 ACL Entries and File Mode Permission Bits Figure 14.1, “Minimum ACL: ACL Entries Compared to Permission Bits”...
  • Page 304 ACL entry owner. Other class permissions are mapped to the respective ACL entry. However, the mapping of the group class permissions is different in the two cases. Figure 14.1 Minimum ACL: ACL Entries Compared to Permission Bits In the case of a minimum ACL—without mask—the group class permissions are mapped to the ACL entry owning group.
  • Page 305 Before creating the directory, use the umask command to define which access permissions should be masked each time a file object is created. The command umask 027 sets the default permissions by giving the owner the full range of permissions (0), denying the group write access (2), and giving other users no permissions at all (7).
  • Page 306 user::rwx user:geeko:rwx group::r-x group:mascots:rwx mask::rwx other::--- In addition to the entries initiated for the user geeko and the group mascots, a mask entry has been generated. This mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.
  • Page 307 group:mascots:rwx # effective: r-x mask::r-x other::--- After executing the chmod command to remove the write permission from the group class bits, the output of the ls command is sufficient to see that the mask bits must have changed accordingly: write permission is again limited to the owner of mydir. The output of the getfacl confirms this.
  • Page 308 Application of Default ACLs The following three examples show the main operations for directories and default ACLs: 1. Add a default ACL to the existing directory mydir with: setfacl -d -m group:mascots:r-x mydir The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL.
  • Page 309 getfacl mydir/mysubdir # file: mydir/mysubdir # owner: tux # group: project3 user::rwx group::r-x group:mascots:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:mascots:r-x default:mask::r-x default:other::--- As expected, the newly-created subdirectory mysubdir has the permissions from the default ACL of the parent directory. The access ACL of mysubdir is an exact reflection of the default ACL of mydir.
  • Page 310: ACL Support in Applications

    This approach ensures the smooth interaction of applications, such as compilers, with ACLs. You can create files with restricted access permissions and subsequently mark them as executable. The mask mechanism guarantees that the right users and groups can execute them as desired. 14.4.4 The ACL Check Algorithm A check algorithm is applied before any process or application is granted access to an ACL-protected file system object.
  • Page 311: For More Information

    14.6 For More Information Detailed information about ACLs is available at http://acl.bestbits.at/. Also see the man pages for getfacl(1), acl(5), and setfacl(1). Access Control Lists in Linux...
  • Page 313: 5 RPM—the Package Manager

    RPM—the Package Manager RPM (RPM Package Manager) is used for managing software packages. Its main commands are rpm and rpmbuild. The powerful RPM database can be queried by the users, system administrators, and package builders for detailed information about the installed software. Essentially, rpm has five modes: installing, uninstalling, or updating software packages;...
  • Page 314: Verifying Package Authenticity

    15.1 Verifying Package Authenticity RPM packages have a GnuPG signature. The key including the fingerprint is: 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA The command rpm --checksig package-1.2.3.rpm can be used to verify the signature of an RPM package to determine whether it really originates from SUSE or from another trustworthy facility.
  • Page 315: RPM and Patches

    • If a configuration file was changed by the system administrator before the update, rpm saves the changed file with the extension .rpmorig or .rpmsave (backup file) and installs the version from the new package, but only if the originally installed file and the newer version are different.
  • Page 316 result in large amounts of data. However the SUSE RPM offers a feature enabling the installation of patches in packages. The most important considerations are demonstrated using pine as an example: Is the patch RPM suitable for my system? To check this, first query the installed version of the package. For pine, this can be done with rpm -q pine pine-4.44-188...
  • Page 317: Delta RPM Packages

    Which patches are already installed in the system and for which package versions? A list of all patches installed in the system can be displayed with the command rpm -qPa. If only one patch is installed in a new system (as in this example), the list appears as follows: rpm -qPa pine-4.44-224...
  • Page 318: RPM Queries

    Using applydeltarpm, you can reconstruct the new RPM from the file system if the old package is already installed: applydeltarpm new.delta.rpm new.rpm To derive it from the old RPM without accessing the file system, use the -r option: applydeltarpm -r old.rpm new.delta.rpm new.rpm See /usr/share/doc/packages/deltarpm/README...
  • Page 319 Capabilities the package requires --requires, -R Installation scripts (preinstall, postinstall, uninstall) --scripts For example, the command rpm -q -i wget displays the information shown in Example 15.1, “rpm -q -i wget” (page 301). Example 15.1 rpm -q -i wget Name : wget Relocations: (not relocatable) Version...
  • Page 320 Example 15.2 Script to Search for Packages #! /bin/sh for i in $(rpm -q -a -l | grep $1); do echo "\"$i\" is in package:" rpm -q -f $i echo "" done The command rpm -q --changelog rpm displays a detailed list of change information about a specific package, sorted by date.
  • Page 321: Installing And Compiling Source Packages

    The files of the RPM database are placed in /var/lib/rpm. If the partition /usr has a size of 1 GB, this database can occupy nearly 30 MB, especially after a complete update. If the database is much larger than expected, it is useful to rebuild the database with the option --rebuilddb.
  • Page 322 RPMS where the completed binary packages are stored SRPMS here are the source RPMs When you install a source package with YaST, all the necessary components are installed in /usr/src/packages: the sources and the adjustments in SOURCES and the relevant .spec file in SPECS. WARNING Do not experiment with system components (glibc, rpm, sysvinit, etc.), because this endangers the operability of your system.
  • Page 323: Compiling RPM Packages with build

    Do the same as -bi, but with the additional creation of the binary package. If the compile was successful, the binary should be in /usr/src/packages/RPMS. Do the same as -bb, but with the additional creation of the source RPM. If the compilation was successful, the binary should be in /usr/src/packages/ SRPMS.
  • Page 324: Tools for RPM Archives and the RPM Database

    rpm command to one of the above-mentioned stages. Access additional information with build --help and by reading the build man page. 15.8 Tools for RPM Archives and the RPM Database Midnight Commander (mc) can display the contents of RPM archives and copy parts of them.
  • Page 325: 6 System Monitoring Utilities

    System Monitoring Utilities A number of programs and mechanisms, some of which are presented here, can be used to examine the status of your system. Also described are some utilities that are useful for routine work, along with their most important parameters. For each of the commands introduced, examples of the relevant outputs are presented.
  • Page 326: Debugging

    16.1 Debugging 16.1.1 Specifying the Required Library: ldd Use the command ldd to find out which libraries would load the dynamic executable specified as argument. tester@linux:~> ldd /bin/ls linux-gate.so.1 => (0xffffe000) librt.so.1 => /lib/librt.so.1 (0xb7f97000) libacl.so.1 => /lib/libacl.so.1 (0xb7f91000) libc.so.6 => /lib/libc.so.6 (0xb7e79000) libpthread.so.0 =>...
  • Page 327 1.17 0.230765 8358 memcpy [...] 0.00 0.000036 1 textdomain ------ ----------- ----------- --------- -------------------- 100.00 19.662715 105717 total 16.1.3 System Calls of a Program Run: strace The utility strace enables you to trace all the system calls of a process currently running.
  • Page 328: Files And File Systems

    open("/lib/libc.so.6", O_RDONLY) open("/lib/libpthread.so.0", O_RDONLY) open("/lib/libattr.so.1", O_RDONLY) [...] To trace all the child processes, use the parameter -f. The behavior and output format of strace can be largely controlled. For information, see man strace. 16.2 Files and File Systems 16.2.1 Determine the File Type: file The command file determines the type of a file or a list of files by checking /etc/ magic.
  • Page 329 proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) udev on /dev type tmpfs (rw) devpts on /dev/pts type devpts (rw,mode=0620,gid=5) /dev/hda1 on /boot type ext2 (rw,acl,user_xattr) /dev/hda4 on /local type reiserfs (rw,acl,user_xattr) /dev/fd0 on /media/floppy type subfs (rw,nosuid,nodev,noatime,fs=floppyfss,p Obtain information about total usage of the file systems with the command df.
  • Page 330 Machine: Intel 80386 Version: Entry point address: 0x8049b60 Start of program headers: 52 (bytes into file) Start of section headers: 81112 (bytes into file) Flags: Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: Size of section headers: 40 (bytes) Number of section headers:...
  • Page 331: Hardware Information

    16.3 Hardware Information 16.3.1 PCI Resources: lspci The command lspci lists the PCI resources: linux:~ # lspci 00:00.0 Host bridge: Intel Corporation 82845G/GL[Brookdale-G]/GE/PE \ DRAM Controller/Host-Hub Interface (rev 01) 00:01.0 PCI bridge: Intel Corporation 82845G/GL[Brookdale-G]/GE/PE \ Host-to-AGP Bridge (rev 01) 00:1d.0 USB Controller: Intel Corporation 82801DB/DBL/DBM \ (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 01) 00:1d.1 USB Controller: Intel Corporation 82801DB/DBL/DBM \...
  • Page 332 Information about device name resolution is obtained from the file /usr/share/ pci.ids. PCI IDs not listed in this file are marked “Unknown device.” The parameter -vv produces all the information that could be queried by the program. To view the pure numeric values, use the parameter -n. 16.3.2 USB Devices: lsusb The command lsusb lists all USB devices.
  • Page 333: Networking

    Linked Commands Command Queueing SftRe Device Type Peripheral Qualifier Removable? Device Type Modifier ISO Version ECMA Version ANSI Version AENC TrmIOP Response Data Format Vendor: FUJITSU Product: MAS3367NP Revision level: 0104A0K7P43002BE The option -d puts out a defects list with two tables of bad blocks of a hard disk: first the one supplied by the vendor (manufacturer table) and second the list of bad blocks that appeared in operation (grown table).
  • Page 334: The /proc File System

    # netstat -t -p Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Pro 0 linux:33513 www.novell.com:www-http ESTABLISHED 6862/fi 352 linux:ssh linux2.:trc-netpoll ESTABLISHED 19422/s 0 localhost:ssh localhost:17828 ESTABLISHED - In the following, statistics for the TCP protocol are displayed: tester@linux:~>...
  • Page 335 tester@linux:~> cat /proc/cpuinfo processor vendor_id : AuthenticAMD cpu family model model name : AMD Athlon(tm) XP 2400+ stepping cpu MHz : 2009.343 cache size : 256 KB fdiv_bug : no [...] Query the allocation and use of interrupts with the following command: tester@linux:~>...
  • Page 336 /proc/config.gz gzip-compressed configuration file of the kernel currently running Further information is available in the text file /usr/src/linux/ Documentation/filesystems/proc.txt. Find information about processes currently running in the /proc/NNN directories, where NNN is the process ID (PID) of the relevant process. Every process can find its own characteristics in /proc/self/ tester@linux:~>...
  • Page 337 b7f52000-b7f53000 r--p 00000000 03:03 11842 /usr/lib/locale/en_GB.utf8/ [...] b7f5b000-b7f61000 r--s 00000000 03:03 9109 /usr/lib/gconv/gconv-module b7f61000-b7f62000 r--p 00000000 03:03 9720 /usr/lib/locale/en_GB.utf8/ b7f62000-b7f76000 r-xp 00000000 03:03 8828 /lib/ld-2.3.6.so b7f76000-b7f78000 rw-p 00013000 03:03 8828 /lib/ld-2.3.6.so bfd61000-bfd76000 rw-p bfd61000 00:00 0 [stack] ffffe000-fffff000 ---p 00000000 00:00 0 [vdso] 16.5.1 procinfo Important information from the /proc file system is summarized by the command...
  • Page 338: Processes

    By default, the cumulative values are displayed. The parameter -d produces the differential values. procinfo -dn5 displays the values that have changed in the last five seconds: 16.6 Processes 16.6.1 Interprocess Communication: ipcs The command ipcs produces a list of the IPC resources currently in use: ------ Shared Memory Segments -------- shmid owner...
  • Page 339: Memory Usage

    tester 4047 6.0 158548 31400 ? 13:02 0:06 mono-best tester 4057 9036 3684 ? 13:02 0:00 /opt/gnome tester 4067 2204 636 ? 13:02 0:00 /opt/gnome tester 4072 15996 5160 ? 13:02 0:00 gnome-scre tester 4114 3.7 130988 19172 ? 13:06 0:04 sound-juic tester 4818...
  • Page 340 tester@linux:~> pstree init-+-NetworkManagerD |-acpid |-3*[automount] |-cron |-cupsd |-2*[dbus-daemon] |-dbus-launch |-dcopserver |-dhcpcd |-events/0 |-gpg-agent |-hald-+-hald-addon-acpi `-hald-addon-stor |-kded |-kdeinit-+-kdesu---su---kdesu_stub---yast2---y2controlcenter |-kio_file |-klauncher |-konqueror |-konsole-+-bash---su---bash `-bash `-kwin |-kdesktop---kdesktop_lock---xmatrix |-kdesud |-kdm-+-X `-kdm---startkde---kwrapper [...] The parameter -p adds the process ID to a given name. To have the command lines displayed as well, use the -a parameter: 16.6.4 Processes: top The command top, which stands for "table of processes,"...
  • Page 341 tester@linux:~> top -n 1 top - 17:06:28 up 2:10, 5 users, load average: 0.00, 0.00, 0.00 Tasks: 85 total, 1 running, 83 sleeping, 1 stopped, 0 zombie Cpu(s): 5.5% us, 0.8% sy, 0.8% ni, 91.9% id, 1.0% wa, 0.0% hi, 0.0% si Mem: 515584k total,...
  • Page 342: System Information

    16.7 System Information 16.7.1 System Activity Information: sar To use sar, sadc (system activity data collector) needs to be running. Check its status or start it with rcsysstat {start|status}. sar can generate extensive reports on almost all important system activities, among them CPU, memory, IRQ usage, IO, or networking.
  • Page 343 USER PID ACCESS COMMAND /mnt/notes.txt tester 26597 f..less Following termination of the less process, which was running on another terminal, the file system can successfully be unmounted. 16.7.4 Kernel Ring Buffer: dmesg The Linux kernel keeps certain messages in a ring buffer. To view these messages, enter the command dmesg: $ dmesg [...]...
  • Page 344 bash 5552 tester 882134 11868 /usr/lib/locale/en_GB. bash 5552 tester 3,3 1386997 8837 /lib/libc-2.3.6.so bash 5552 tester 13836 8843 /lib/libdl-2.3.6.so bash 5552 tester 290856 12204 /lib/libncurses.so.5.5 bash 5552 tester 26936 13004 /lib/libhistory.so.5.1 bash 5552 tester 190200 13006 /lib/libreadline.so.5. bash 5552 tester 11842 /usr/lib/locale/en_GB.
  • Page 345 42013K total, Other: 206K total, All: 42219K total res-base Wins GCs Fnts Pxms Misc Pxm mem Other Total PID Identifier 3e00000 18161K 18175K NOVELL: SU 4600000 1 1182 4566K 4600K amaroK - S 1600000 3811K 3816K KDE Deskto 3400000 2816K...
  • Page 346: User Information

    2c00000 2374K 2378K Linux Shel 2e00000 2341K 2344K Linux Shel 2600000 1772K 1775K Root - Kon 4800000 1772K 1775K Root - Kon 2a00000 1111K 1123K Trekstor25 1800000 1039K 1052K kicker 1400000 777K 796K kwin 3c00000 510K 520K de.comp.la 3a00000 486K 506K [opensuse- 0a00000...
  • Page 347: Time And Date

    16.9 Time and Date 16.9.1 Time Measurement with time Determine the time spent by commands with the time utility. This utility is available in two versions: as a shell built-in and as a program (/usr/bin/time). tester@linux:~> time find . > /dev/null real 0m4.051s user...
  • Page 349: 7 Working with the Shell

    Working with the Shell When booting your Linux system, you are usually directed to a graphical user interface that guides you through the login process and the following interactions with the system. Although graphical user interfaces have become very important and user-friendly, using them is not the only way to communicate with your system.
  • Page 350: Getting Started with the Bash Shell

    17.1 Getting Started with the Bash Shell In Linux, you can use the command line parallel to the graphical user interface and easily switch between them. To start a terminal window from the graphical user interface in KDE, click the Konsole icon in the panel. In GNOME, click the GNOME Terminal icon in the panel.
  • Page 351 IMPORTANT: No News Is Good News The shell is not verbose: in contrast to some graphical user interfaces, it usually does not provide confirmation messages when commands have been executed. Messages only appear in case of problems or errors. Also keep this in mind for commands to delete objects. Before entering a command like rm for removing a file, you should know if you really want to get rid of the object: it will be deleted irretrievably, without enquiry.
  • Page 352: Getting Help

    and are prefixed with a hyphen. The ls -l command shows the contents of the same directory in full detail (long listing format): Figure 17.3 The ls -l Command On the left of each object name, information about the object is shown in several columns.
  • Page 353 17.1.2 Linux Directory Structure Because the shell does not offer a graphical overview of directories and files like the tree view in a file manager, it is useful to have some basic knowledge of the default directory structure in a Linux system. You can think of directories as electronic folders in which files, programs, and subdirectories are stored.
  • Page 354 Table 17.1 Overview of a Standard Directory Tree Root directory, starting point of the directory tree Personal directories of users /home Device files that represent hardware components /dev Important files for system configuration /etc Boot scripts /etc/init.d Programs needed early in the boot process (/bin) and /bin, /sbin for the administrator (/sbin) All application programs and local, distribution-indepen-...
  • Page 355 17.1.3 Working with Directories and Files To address a certain file or directory, you must specify the path leading to that directory or file. There are two ways to specify a path: • The entire (absolute) path from the root directory to the respective file •...
  • Page 356 1b In your home directory, enter mkdir /tmp/test. mkdir stands for “make directory”. This command creates a new directory named test in the /tmp directory. In this case, use an absolute path to create the directory. 1c To check what happened, now enter ls -l /tmp. The new directory test should appear in the list of contents of the /tmp directory.
  • Page 357 17.1.4 Useful Features of the Shell Entering commands in Bash can include a lot of typing. In the following, get to know some features of the Bash that can make your work a lot easier and save a lot of typing. History and Completion By default, Bash “remembers”...
  • Page 358 [set] Matches one of the characters from the group specified inside the square brackets, which is represented here by the string set. As part of set you can also specify character classes using the syntax [:class:], where a class is one of alnum, alpha, ascii, etc.
  • Page 359 The program less got its name from the precept that less is more and can also be used to view the output of commands in a convenient way. To see how this works, read Section “Redirection and Pipes” (page 341). Redirection and Pipes Normally, the standard output in the shell is your screen or the console window and the standard input is the keyboard.
  • Page 360 17.1.5 Archives and Data Compression Now that you have already created a number of files and directories, consider the subject of archives and data compression. Suppose you want to have the entire test directory packed in one file that you can save on a USB stick as a backup copy or send by e-mail. To do so, use the command tar (for tape archiver).
  • Page 361: Users And Access Permissions

    For file compression, the obvious choice is gzip or, for an even better compression ratio, bzip2. Just enter gzip testarchive.tar (or bzip2 testarchive.tar, but gzip is used in this example). With ls, now see that the file testarchive.tar is no longer there and that the file testarchive.tar.gz has been created instead. This file is much smaller and therefore much better suited for transfer via e-mail or storage on a USB stick.
  • Page 362 format hard disks, the threat from the Trojan horse effect or from accidentally entering destructive commands can be significantly reduced. 17.2.1 File System Permissions Basically, every file in a Linux file system belongs to a user and a group. Both of these proprietary groups and all others can be authorized to write, read, or execute these files.
  • Page 363 The next three blocks follow a standard pattern. The first three characters refer to whether the file is readable (r) or not (–). A w in the middle portion symbolizes that the corresponding object can be edited and a hyphen (–) means it is not possible to write to the file.
  • Page 364 1. Users concerned • u (user)—owner of the file • g (group)—group that owns the file • o (others)—additional users (if no parameter is given, the changes apply to all categories) 2. A character for deletion (–), setting (=), or insertion (+) 3.
  • Page 365: Important Linux Commands

    chgrp changes the group ownership of the file. However, the owner of the file must be a member of the new group. In this way, the user tux from Example 17.1, “Sample Output Showing File Permissions” (page 344) can switch the group owning the file ProjectData to project4 with the command chgrp project4 ProjectData, as long as he is a member of this new group.
  • Page 366 Detailed list Displays hidden files cp [options] source target Copies source to target. Waits for confirmation, if necessary, before an existing target is overwritten Copies recursively (includes subdirectories) mv [options] source target Copies source to target then deletes the original source. Creates a backup copy of the source before moving Waits for confirmation, if necessary, before an existing target file is overwritten...
  • Page 367 Creates a symbolic link cd [options] [directory] Changes the current directory. cd without any parameters changes to the user's home directory. mkdir [options] directory Creates a new directory. rmdir [options] directory Deletes the specified directory if it is already empty. chown [options] username[:[group]] files Transfers ownership of a file to the user with the specified username.
  • Page 368 The access type is controlled by the following options: Read Write Execute—executing files or changing to the directory Setuid bit—the application or program is started as if it were started by the owner of the file As an alternative, a numeric code can be used. The four digits of this code are composed of the sum of the values 4, 2, and 1—the decimal result of a binary mask.
  • Page 369 Creates a new tar archive Adds files to an existing archive Outputs the contents of an archive Adds files, but only if they are newer than the files already contained in the archive Unpacks files from an archive (extraction) Packs the resulting archive with gzip Compresses the resulting archive with bzip2 Lists files processed The archive files created by tar end with .tar.
  • Page 370 place it in the background by appending an ampersand (&), so you can immediately continue working on the same command line (updatedb &). This command usually runs as a daily cron job (see cron.daily). find [options] With find, search for a file in a given directory. The first argument specifies the directory in which to start the search.
  • Page 371: File Systems

    Only displays the names of the respective files, but not the text lines Additionally displays the numbers of the lines in which it found a hit Only lists the files in which searchstring does not occur diff [options] file1 file2 The diff command compares the contents of any two files.
  • Page 372: System Commands

    umount [options] mountpoint This command unmounts a mounted drive from the file system. To prevent data loss, run this command before taking a removable data medium from its drive. Normally, only root is allowed to run the commands mount and umount. To enable other users to run these commands, edit the /etc/fstab file to specify the option user for the respective drive.
  • Page 373 free [options] The command free displays information about RAM and swap space usage, showing the total and the used amount in both categories. See Section 21.1.6, “The free Command” (page 412) for more information. Output in bytes Output in kilobytes Output in megabytes date [options] This simple program displays the current system time.
  • Page 374 Sends a KILL signal instead of a TERM signal, bringing the specified process to an end in almost all cases killall [options] processname This command is similar to kill, but uses the process name (instead of the process ID) as an argument, killing all processes with that name. Network ping [options] hostname or IP address The ping command is the standard tool for testing the basic functionality of TCP/IP...
  • Page 375 WARNING Do not use telnet over a network on which third parties can “eavesdrop.” Particularly on the Internet, use encrypted transfer methods, such as ssh, to avoid the risk of malicious misuse of a password (see the man page for ssh).
  • Page 376: The Vi Editor

    17.4 The vi Editor Text editors are still used for many system administration tasks as well as for programming. In the world of Unix, vi stands out as an editor that offers comfortable editing functions and is more ergonomic than many editors with mouse support. 17.4.1 Operating Modes NOTE: Display of Keys In the following, find several commands that you can enter in vi by just pressing...
  • Page 377 It is not possible to switch directly from insert mode to extended mode without first switching to command mode. vi, like other editors, has its own procedure for terminating the program. You cannot terminate vi while in insert mode. First, exit insert mode by pressing Esc . Subsequently, you have two options: 1.
  • Page 378 A selection of important commands is shown in Table 17.2, “Simple Commands of the vi Editor” (page 360). This list is far from complete. More complete lists are available in the documentation found in Section 17.4.3, “For More Information” (page 361). Table 17.2 Simple Commands of the vi Editor Change to command mode...
  • Page 379 Shift + J Join the following line with the current one Repeat the last command 17.4.3 For More Information vi supports a wide range of commands. It enables the use of macros, shortcuts, named buffers, and many other useful features. A detailed description of the various options would exceed the scope of this manual.
  • Page 381: Part III System

    Part III. System...
  • Page 383: 18 32-Bit And 64-Bit Applications In A 64-Bit System Environment

    32-Bit and 64-Bit Applications in a 64-Bit System Environment SUSE Linux Enterprise® is available for several 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE Linux Enterprise supports the use of 32-bit applications in a 64-bit system environment.
  • Page 384: Runtime Support

    18.1 Runtime Support IMPORTANT: Conflicts between Application Versions If an application is available both for 32-bit and 64-bit environments, parallel installation of both versions is bound to lead to problems. In such cases, decide on one of the two versions and install and use this. To be executed correctly, every application requires a range of libraries.
  • Page 385: Software Development

    18.2 Software Development All 64-bit architectures support the development of 64-bit objects. The level of support for 32-bit compiling depends on the architecture. These are the various implementation options for the tool chain from GCC (GNU Compiler Collection) and binutils, which include the assembler as and the linker ld: Biarch Compiler Both 32-bit and 64-bit objects can be generated with a biarch development tool...
  • Page 386: Software Compilation On Biarch Platforms

    18.3 Software Compilation on Biarch Platforms To develop binaries for the other architecture on a biarch architecture, the respective libraries for the second architecture must additionally be installed. These packages are called rpmname-32bit or rpmname-x86 (for ia64) if the second architecture is a 32-bit architecture or rpmname-64bit if the second architecture is a 64-bit architecture.
  • Page 387 When using s390 as second architecture, you have to use -m31 instead of -m32, because this is a 31-bit system. 1 Use the 32-bit compiler: CC="gcc -m32" 2 Instruct the linker to process 32-bit objects (always use gcc as the linker front-end): LD="gcc -m32"...
  • Page 388: Kernel Specifications

    Some applications require separate kernel-loadable modules. If you intend to use such a 32-bit application in a 64-bit system environment, contact the provider of this application and Novell to make sure that the 64-bit version of the kernel-loadable module and the 32-bit compiled version of the kernel API are available for this module.
  • Page 389: 19 Booting And Configuring A Linux System

    Booting and Configuring a Linux System Booting a Linux system involves various different components. Started by the BIOS, the boot loader runs the kernel and some drivers that are necessary for booting. After this, the behavior of the computer strongly depends on init and the configuration of the runlevel used.
  • Page 390 disk are referred to as the Master Boot Record (MBR). The boot loader then passes control to the actual operating system, in this case, the Linux kernel. More information about GRUB, the Linux boot loader, can be found in Chapter 20, The Boot Loader (page 387).
  • Page 391 Before the root file system can be mounted and the operating system can be started, the kernel needs the corresponding drivers to access the device on which the root file system is located. These drivers may include special drivers for certain kinds of hard drives or even network drivers to access a network file system.
  • Page 392 Providing Block Special Files For each loaded module, the kernel generates device events. udev handles these events and generates the needed device special files on a RAM file system in /dev. Without those special files, the file system would not be accessible. Managing RAID and LVM Setups If you configured your system to hold the root file system under RAID or LVM, init sets up LVM or RAID to enable access to the root file system later.
  • Page 393: The Init Process

    Loading the Installation System or Rescue System As soon as the hardware has been properly recognized, the appropriate drivers have been loaded, and udev has created the device special files, init starts the installation system, which contains the actual YaST installer, or the rescue system. Starting YaST Finally, init starts YaST, which starts package installation and system configuration.
  • Page 394 Table 19.1 Available Runlevels Runlevel Description System halt Single user mode; from the boot prompt, only with US keyboard mapping Single user mode Local multiuser mode without remote network (NFS, etc.) Full multiuser mode with network Not used Full multiuser mode with network and X display manager—KDM, GDM, or XDM System reboot IMPORTANT: Avoid Runlevel 2 with a Partition Mounted via NFS...
  • Page 395 telinit 3 All essential programs and services (including network) are started and regular users are allowed to log in and work with the system without a graphical environment. telinit 5 The graphical environment is enabled. Usually a display manager like XDM, GDM, or KDM is started.
  • Page 396 2. init checks the current runlevel (runlevel) and determines it should start /etc/init.d/rc with the new runlevel as a parameter. 3. Now rc calls the stop scripts of the current runlevel for which there is no start script in the new runlevel. In this example, these are all the scripts that reside in /etc/init.d/rc3.d (old runlevel was 3) and start with a K.
  • Page 397 start and stop. The scripts also understand the restart, reload, force-reload, and status options. These different options are explained in Table 19.2, “Possible init Script Options” (page 379). Scripts that are run directly by init do not have these links. They are run independently from the runlevel when needed. Table 19.2 Possible init Script Options Option...
  • Page 398 for the first time after an update or an installation, the initial system configuration is started. The blogd daemon is a service started by boot and rc before any other one. It is stopped after the actions triggered by these scripts (running a number of subscripts, for example, making block special files available) are completed.
  • Page 399 WARNING: Faulty init Scripts May Halt Your System Faulty init scripts may hang your machine. Edit such scripts with great care and, if possible, subject them to heavy testing in the multiuser environment. Find some useful information about init scripts in Section 19.2.1, “Runlevels”...
  • Page 400: Configuring System Services

    runlevel by including the necessary numbers in the names of these links. If you prefer a graphical tool to create such links, use the runlevel editor provided by YaST, as described in Section 19.2.3, “Configuring System Services (Runlevel) with YaST” (page 382).
  • Page 401 Figure 19.1 System Services (Runlevel) For detailed control over the runlevels in which a service is started or stopped or to change the default runlevel, first select Expert Mode. The current default runlevel or “initdefault” (the runlevel into which the system boots by default) is displayed at the top.
  • Page 402: System Configuration Via /etc/sysconfig

    WARNING: Faulty Runlevel Settings May Damage Your System Faulty runlevel settings may render a system unusable. Before applying your changes, make absolutely sure that you know their consequences. 19.3 System Configuration via /etc/sysconfig The main configuration of SUSE Linux Enterprise is controlled by the configuration files in /etc/sysconfig.
  • Page 403 WARNING: Modifying /etc/sysconfig/* Files Can Damage Your Installation Do not modify the /etc/sysconfig files if you lack previous experience and knowledge. It could do considerable damage to your system. The files in /etc/sysconfig include a short comment for each variable to explain what effect they actually have.
  • Page 404 19.3.2 Changing the System Configuration Manually To manually change the system configuration, proceed as follows: 1 Become root. 2 Bring the system into single user mode (runlevel 1) with init 1. 3 Change the configuration files as needed with an editor of your choice. If you do not use YaST to change the configuration files in /etc/sysconfig, make sure that empty variable values are represented by two quotation marks (KEYTABLE="") and that values with blanks in them are enclosed in quotation...
  • Page 405: 20 The Boot Loader

    The Boot Loader This chapter describes how to configure GRUB, the boot loader used in SUSE Linux Enterprise®. A special YaST module is available for performing all settings. If you are not familiar with the subject of booting in Linux, read the following sections to acquire some background information.
  • Page 406: Selecting A Boot Loader

    Boot Sectors Boot sectors are the first sectors of hard disk partitions with the exception of the extended partition, which merely serves as a “container” for other partitions. These boot sectors have 512 bytes of space for code used to boot an operating system installed in the respective partition.
  • Page 407 access file systems of supported BIOS disk devices (floppy disks or hard disks, CD drives, and DVD drives detected by the BIOS). Therefore, changes to the GRUB configuration file (menu.lst) do not require a reinstallation of the boot manager. When the system is booted, GRUB reloads the menu file with the valid paths and partition data of the kernel or the initial RAM disk (initrd) and locates these files.
  • Page 408 20.2.1 The GRUB Boot Menu The graphical splash screen with the boot menu is based on the GRUB configuration file /boot/grub/menu.lst, which contains all information about all partitions or operating systems that can be booted by the menu. Every time the system is booted, GRUB loads the menu file from the file system. For this reason, GRUB does not need to be reinstalled after every change to the file.
  • Page 409 The command root simplifies the specification of kernel and initrd files. The only argument of root is a device or a partition. This device is used for all kernel, initrd, or other file paths for which no device is explicitly specified until the next root command.
  • Page 410 the file device.map, which can be edited if necessary. Information about the file device.map is available in Section 20.2.2, “The File device.map” (page 395). A complete GRUB path consists of a device name written in parentheses and the path to the file in the file system in the specified partition. The path begins with a slash. For example, the bootable kernel could be specified as follows on a system with a single IDE hard disk containing Linux in its first partition: (hd0,0)/boot/vmlinuz...
  • Page 411 color white/blue black/light-gray Color scheme: white (foreground), blue (background), black (selection), and light gray (background of the selection). The color scheme has no effect on the splash screen, only on the customizable GRUB menu that you can access by exiting the splash screen with Esc .
  • Page 412 Editing Menu Entries during the Boot Procedure In the graphical boot menu, select the operating system to boot with the arrow keys. If you select a Linux system, you can enter additional boot parameters at the boot prompt. To edit individual menu entries directly, press Esc to exit the splash screen and get to the GRUB text-based menu then press E .
  • Page 413 20.2.2 The File device.map The file device.map maps GRUB and BIOS device names to Linux device names. In a mixed system containing IDE and SCSI hard disks, GRUB must try to determine the boot sequence by a special procedure, because GRUB may not have access to the BIOS information on the boot sequence.
  • Page 414 20.2.3 The File /etc/grub.conf The third most important GRUB configuration file after menu.lst and device.map is /etc/grub.conf. This file contains the commands, parameters, and options the GRUB shell needs for installing the boot loader correctly: root (hd0,4) install /grub/stage1 (hd0,3) /grub/stage2 0x8000 (hd0,4)/grub/menu.lst quit Meaning of the individual entries: root (hd0,4)
  • Page 415 As the user root, proceed as follows to set a boot password: 1 At the root prompt, encrypt the password using grub-md5-crypt: # grub-md5-crypt Password: **** Retype password: **** Encrypted: $1$lS2dv/$JOYcdxIn7CJk9xShzzJVw/ 2 Paste the encrypted string into the global section of the file menu.lst: gfxmenu (hd0,4)/message color white/blue black/light-gray default 0...
  • Page 416: Configuring The Boot Loader With YaST

    20.3 Configuring the Boot Loader with YaST The easiest way to configure the boot loader in your SUSE Linux Enterprise system is to use the YaST module. In the YaST Control Center, select System > Boot Loader. As shown in Figure 20.1, “Boot Loader Settings” (page 398), this displays the current boot loader configuration of your system and allows you to make changes.
  • Page 417 20.3.1 Boot Loader Type Set the boot loader type in Boot Loader Installation. The default boot loader in SUSE Linux Enterprise is GRUB. To use LILO, proceed as follows: Procedure 20.1 Changing the Boot Loader Type 1 Select the Boot Loader Installation tab. 2 For Boot Loader, select LILO.
  • Page 418 During the conversion, the old GRUB configuration is saved to disk. To use it, simply change the boot loader type back to GRUB and choose Restore Configuration Saved before Conversion. This action is available only on an installed system. NOTE: Custom Boot Loader To use a boot loader other than GRUB or LILO, select Do Not Install Any Boot Loader.
  • Page 419 20.3.3 Default System To change the system that is booted by default, proceed as follows: Procedure 20.3 Setting the Default System 1 Open the Section Management tab. 2 Select the desired entry from the list. 3 Click Set as Default. 4 Click Finish to activate these changes.
  • Page 420: Uninstalling The Linux Boot Loader

    20.3.5 Security Settings Using this YaST module, you can also set a password to protect booting. This gives you an additional level of security. Procedure 20.5 Setting a Boot Loader Password 1 Open the Boot Loader Installation tab. 2 Click Boot Loader Options. 3 Set your password in Password for the Menu Interface.
  • Page 421 Creating a bootable CD-ROM with GRUB merely requires a special form of stage2 called stage2_eltorito and, optionally, a customized menu.lst. The classic files stage1 and stage2 are not required. Procedure 20.6 Creating Boot CDs 1 Change into a directory in which to create the ISO image, for example: cd /tmp 2 Create a subdirectory for GRUB: mkdir -p iso/boot/grub...
  • Page 422: The Graphical SUSE Screen

    5 Create the ISO image with the following command: mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot \ -boot-load-size 4 -boot-info-table -o grub.iso /tmp/iso 6 Write the resulting file grub.iso to a CD using your preferred utility. Do not burn the ISO image as data file, but use the option for burning a CD image in your burning utility.
  • Page 423: Troubleshooting

    This section lists some of the problems frequently encountered when booting with GRUB and a short description of possible solutions. Some of the problems are covered in articles in the Knowledgebase at http://support.novell.com/. Use the search dialog to search for keywords like GRUB, boot, and boot loader.
  • Page 424: For More Information

    Extensive information about GRUB is available at http://www.gnu.org/software/grub/. Also refer to the grub info page. You can also search for the keyword “GRUB” in the Technical Information Search at http://www.novell.com/support to get information about special issues. Installation and Administration...
  • Page 425: 21 Special System Features

    Special System Features This chapter starts with information about various software packages, the virtual consoles, and the keyboard layout. We talk about software components like bash, cron, and logrotate, because they were changed or enhanced during the last release cycles. Even if they are small or considered of minor importance, users may want to change their default behavior, because these components are often closely coupled with the system.
  • Page 426 2. ~/.profile 3. /etc/bash.bashrc 4. ~/.bashrc Make custom settings in ~/.profile or ~/.bashrc. To ensure the correct processing of these files, it is necessary to copy the basic settings from /etc/skel/.profile or /etc/skel/.bashrc into the home directory of the user. It is recommended to copy the settings from /etc/skel following an update.
  • Page 427 execution is controlled by /usr/lib/cron/run-crons. /usr/lib/cron/run-crons is run every 15 minutes from the main table (/etc/crontab). This guarantees that processes that may have been neglected can be run at the proper time. To run the hourly, daily, or other periodic maintenance scripts at custom times, remove the time stamp files regularly using /etc/crontab entries (see Example 21.2, “/etc/crontab: Remove Time Stamp Files”...
  • Page 428 Example 21.3 Example for /etc/logrotate.conf # see "man logrotate" for details # rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # uncomment this if you want your log files compressed #compress # RPM packages drop log rotation information into this directory include /etc/logrotate.d...
  • Page 429 21.1.5 The ulimit Command With the ulimit (user limits) command, it is possible to set limits for the use of system resources and to have these displayed. ulimit is especially useful for limiting the memory available for applications. With this, an application can be prevented from using too much memory on its own, which could bring the system to a standstill.
  • Page 430 IMPORTANT Not all shells support ulimit directives. PAM (for instance, pam_limits) offers comprehensive adjustment possibilities if you depend on encompassing settings for these restrictions. 21.1.6 The free Command The free command is somewhat misleading if your goal is to find out how much RAM is currently being used.
  • Page 431 21.1.8 Man Pages and Info Pages For some GNU applications (such as tar), the man pages are no longer maintained. For these commands, use the --help option to get a quick overview of the info pages, which provide more in-depth instructions. info is GNU's hypertext system. Read an introduction to this system by entering info info.
  • Page 432: Virtual Consoles

    The components of Emacs are divided into several packages: • The base package emacs. • emacs-x11 (usually installed): the program with X11 support. • emacs-nox: the program without X11 support. • emacs-info: online documentation in info format. • emacs-el: the uncompiled library files in Emacs Lisp. These are not required at runtime.
  • Page 433: Language And Country-Specific Settings

    /etc/csh.cshrc /etc/termcap /usr/lib/terminfo/x/xterm /usr/share/X11/app-defaults/XTerm /usr/share/emacs/VERSION/site-lisp/term/*.el These changes only affect applications that use terminfo entries or whose configuration files are changed directly (vi, less, etc.). Applications not shipped with the system should be adapted to these defaults. Under X, the compose key (multikey) can be accessed using Ctrl + Shift (right). Also see the corresponding entry in /etc/X11/Xmodmap.
  • Page 434 RC_LC_MESSAGES, RC_LC_CTYPE, RC_LC_COLLATE, RC_LC_TIME, RC_LC_NUMERIC, RC_LC_MONETARY These variables are passed to the shell without the RC_ prefix and represent the listed categories. The shell profiles concerned are listed below. The current setting can be shown with the command locale. RC_LC_ALL This variable, if set, overwrites the values of the variables already mentioned.
  • Page 435 localedef -i en_US -f UTF-8 en_US.UTF-8 LANG=en_US.UTF-8 This is the default setting if American English is selected during installation. If you selected another language, that language is enabled but still with UTF-8 as the character encoding. LANG=en_US.ISO-8859-1 This sets the language to English, country to United States, and the character set to ISO-8859-1.
  • Page 436 21.4.3 Settings for Language Support Files in the category Messages are, as a rule, only stored in the corresponding language directory (like en) to have a fallback. If you set LANG to en_US and the message file in /usr/share/locale/en_US/LC_MESSAGES does not exist, it falls back to /usr/share/locale/en/LC_MESSAGES.
  • Page 437 • Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, currently at http://www.cl.cam.ac.uk/~mgk25/unicode.html. • Unicode-Howto, by Bruno Haible: /usr/share/doc/howto/en/html/Unicode-HOWTO.html. Special System Features...
  • Page 439: 22 Virtualization

    Virtualization The Novell® virtualization strategy is based on combining the SUSE® Linux operating system with Xen* hypervisor software to create a virtualization host server platform capable of hosting virtual machines. • Section 22.1, “System and Software Requirements” (page 422) •...
  • Page 440: System And Software Requirements

    22.1 System and Software Requirements The following sections list the system and software requirements for running virtualization. Remember that virtual machines, just like physical machines, perform better when they run on faster processors and have access to more system memory. •...
  • Page 441 22.1.2 Virtualization Host Server Software Requirements Virtualization packages are available in SUSE Linux operating system products based on code path 10 and later. Code path 10 includes SUSE Linux Enterprise Server 10, SUSE Linux Enterprise Desktop 10, and OpenSUSE® 10.1. The virtualization host server requires the following software packages and their dependencies to be installed: •...
  • Page 442 SUSE Linux Enterprise Desktop 10 SP1 Open Enterprise Server 2 - NetWare Open Enterprise Server 2 - Linux RedHat Enterprise Linux 5 For more information on specific guest operating systems, see the Guest Operating System Guide at Novell Virtualization Technology [http://www.novell.com/documentation/vmserver/].
  • Page 443: Virtualization Infrastructure

    22.2 Virtualization Infrastructure The basic components of virtualization are a virtualization host server and virtual machines. • The virtualization host server provides a virtualization platform (Xen Hypervisor) and a management environment (SUSE Linux desktop) to host virtual machines. • Virtual machines are instances of virtual hardware that operating systems recognize as a physical computer.
  • Page 444: Installing Virtualization Software

    Figure 22.1 Virtualization Architecture 22.3 Installing Virtualization Software You can set up a computer to be a virtualization host server during the installation of the SUSE Linux operating system, or add the virtualization software to a computer already running SUSE Linux. NOTE Only applications and processes required for virtualization should be installed on the virtualization host server.
  • Page 445: Starting The Virtualization Host Server

    • On a computer already running SUSE Linux, run YaST > Virtualization > Install Hypervisor and Tools. Complete the on-screen instructions and restart the computer. • On a computer already running SUSE Linux, enter yast2 xen from a command line interface. Complete the on-screen instructions and restart the computer. •...
  • Page 446: Managing Virtual Machines

    If the GRUB boot loader does not display or the Xen option is not on the menu, review the steps for installation and verify that the GRUB boot loader has been updated. 22.5 Managing Virtual Machines Virtual machines can be created and managed by using the Virtual Machine Manager. 1 On the virtualization host server, click YaST >...
  • Page 447 2 From the Virtual Machine Manager page, you can perform the following actions: • New starts the process to create a new virtual machine. • Details displays status and hardware of the selected virtual machine or Domain-0 • Open displays the command console for the selected virtual machine. •...
  • Page 448 Command / Action: xm list: View a list of all registered and running virtual machines. xm new /etc/xen/vm/vm_name: Create and register a new virtual machine based on settings in a configuration file. This command does not create a configuration file or virtual disk. Start a virtual machine.
  • Page 449: Creating Virtual Machines

    22.6 Creating Virtual Machines The Create Virtual Machine Wizard helps you through the steps required to create a virtual machine and install its operating system. 1 Launch the Create Virtual Machine Wizard by using one of the following methods: • From the virtualization host server desktop, click YaST > Virtualization > Create Virtual Machine •...
  • Page 450: Windows Server 2003 Virtual Machines

    6 Follow the on-screen instructions to complete the installation program. The virtual machine should now appear in the Virtual Machine Manager. 22.7 Windows Server 2003 Virtual Machines Setting up a virtual machine to run Windows Server 2003 is no different than setting up any other unmodified operating system.
  • Page 451: For More Information

    • Virtual machines are managed using the Virtual Machine Manager, which is available by running YaST > Virtualization > Virtual Machine Manager. 22.8 For More Information For more information about virtualization technology and specific operating systems running on virtual machines, see Novell Virtualization Technology [http://www.novell.com/documentation/vmserver/]. Virtualization...
  • Page 453: 3 Printer Operation

    Printer Operation SUSE Linux Enterprise® supports printing with many types of printers, including remote network printers. Printers can be configured with YaST or manually. Both graphical and command line utilities are available for starting and managing print jobs. If your printer does not work as expected, refer to Section 23.9, “Troubleshooting”...
  • Page 454 print system can convert PostScript jobs to the respective printer language with the help of Ghostscript. This processing stage is referred to as interpreting. The best-known languages are PCL, which is mostly used by HP printers and their clones, and ESC/P, which is used by Epson printers.
  • Page 455: The Workflow Of The Printing System

    23.1 The Workflow of the Printing System The user creates a print job. The print job consists of the data to print plus information for the spooler, such as the name of the printer or the name of the printer queue, and, optionally, information for the filter, such as printer-specific options.
  • Page 456: Installing The Software

    ►zseries: Printers and similar devices provided by the z/VM that you can connect locally with the IBM System z mainframes are not supported by CUPS or LPRng. On these platforms, printing is only possible over the network. The cabling for network printers must be installed according to the instructions of the printer manufacturer.
  • Page 457: Setting Up A Printer

    23.4 Setting Up a Printer YaST can be used to configure a local printer that is directly connected to your machine (normally with USB or parallel port) or to set up printing over the network. It is also possible to add PPD (PostScript Printer Description) files for your printer with YaST. 23.4.1 Configuring Local Printers If an unconfigured local printer is detected, YaST starts automatically to configure it.
  • Page 458 printer detection. If more than one printer is connected to the machine or more than one queue is configured for a printer, you can mark the active entry as the default. CUPS Expert Settings and Change IPP Listen are advanced configuration options— refer to Chapter 23, Printer Operation (page 435) for details.
  • Page 459 which language your printer understands). If this does not work, refer to Section “Adding PPD Files with YaST” (page 442) for another possible solution. 7 The Configuration screen lists a summary of the printer setup. This dialog is also shown when editing an existing printer configuration from the start screen of this YaST module.
  • Page 460 • With State and banner settings you can, for example, deactivate the printer by changing its state and specify whether a page with a Starting Banner or Ending Banner is printed before or after each job (the default is not to print them).
  • Page 461: Network Printers

    23.5 Network Printers A network printer can support various protocols, some of them even concurrently. Although most of the supported protocols are standardized, some manufacturers expand (modify) the standard because they test systems that have not implemented the standard correctly or because they want to provide certain functions that are not available in the standard.
  • Page 462 SMB (Windows Share) CUPS also supports printing on printers connected to Windows shares. The protocol used for this purpose is SMB. SMB uses the port numbers 137, 138, and 139. Example device URIs are smb://user:password@workgroup/server/printer, smb://user:password@host/printer, and smb://server/printer. The protocol supported by the printer must be determined before configuration. If the manufacturer does not provide the needed information, the command nmap, which comes with the nmap package, can be used to guess the protocol.
  • Page 463 23.5.2 Configuring Network Printers with Command Line Tools Apart from setting CUPS options with YaST when configuring a network printer, CUPS can be configured with command line tools like lpadmin and lpoptions. You need a device URI consisting of a back-end, such as USB, and parameters, like /dev/usb/lp0.
  • Page 464: Graphical Printing Interfaces

    During printer setup, certain options are set as default. These options can be modified for every print job (depending on the print tool used). Changing these default options with YaST is also possible. Using command line tools, set default options as follows: 1 First, list all options: lpoptions -p queue -l Example:...
  • Page 465: Printing From The Command Line

    conflict with that of KPrinter and that printing options are only changed through KPrinter after it has been enabled. 23.7 Printing from the Command Line To print from the command line, enter lp -d queuename filename, substituting the corresponding names for queuename and filename. Some applications rely on the lp command for printing.
  • Page 466 This is the best CUPS configuration for printing over remote CUPS servers. However, there is a risk that an attacker sends IPP broadcasts with queues and the local daemon accesses a counterfeit queue. If it then displays the queue with the same name as another queue on the local server, the owner of the job may believe the job is sent to a local server, while in reality it is sent to the attacker's server.
  • Page 467 printcap. To ensure that applications that can only read queue names from /etc/printcap continue to work properly, /etc/printcap is a symbolic link pointing to /etc/cups/printcap. When cupsd runs as lp, port 631 cannot be opened. Therefore, cupsd cannot be reloaded with rccups reload.
  • Page 468 23.8.3 PPD Files in Various Packages The YaST printer configuration sets up the queues for CUPS using only the PPD files installed in /usr/share/cups/model. To find the suitable PPD files for the printer model, YaST compares the vendor and model determined during hardware detection with the vendors and models in all PPD files available in /usr/share/cups/model on the system.
  • Page 469 YaST prefers a Foomatic PPD file if a Foomatic PPD file with the entry *NickName: ... Foomatic ... (recommended) matches the printer model and the manufacturer-PPDs package does not contain a more suitable PPD file. Gimp-Print PPD Files in the cups-drivers-stp Package Instead of foomatic-rip, the CUPS filter rastertoprinter from Gimp-Print can be used for many non-PostScript printers.
  • Page 470: Troubleshooting

    • The Foomatic PostScript PPD file is not recommended. This may be because the printer model does not operate efficiently enough in PostScript mode, for example, the printer may be unreliable in this mode because it has too little memory or the printer is too slow because its processor is too weak.
  • Page 471 Some manufacturers provide proprietary drivers for their printers. The disadvantage of proprietary printer drivers is that there is no guarantee that these work with the installed print system and that they are suitable for the various hardware platforms. In contrast, printers that support a standard printer language do not depend on a special print system version or a special hardware platform.
  • Page 472 23.9.3 Parallel Ports The safest approach is to connect the printer directly to the first parallel port and to select the following parallel port settings in the BIOS: • I/O address: 378 (hexadecimal) • Interrupt: irrelevant • Mode: Normal, SPP, or Output Only •...
  • Page 473 Checking a Remote lpd Use the following command to test if a TCP connection can be established to lpd (port 515) on host: netcat -z host 515 && echo ok || echo failed If the connection to lpd cannot be established, lpd may not be active or there may be basic network problems.
  • Page 474 ►zseries: Take into account that IBM System z ethernet devices do not receive broadcasts by default. ◄ The following command can be used to test if a TCP connection can be established to cupsd (port 631) on host: netcat -z host 631 && echo ok || echo failed If the connection to cupsd cannot be established, cupsd may not be active or there may be basic network problems.
  • Page 475 This output indicates that the printer connected to the print server box can be addressed via TCP socket on port 9100. By default, nmap only checks a number of commonly known ports listed in /usr/share/nmap/nmap-services. To check all possible ports, use the command nmap -p from_port-to_port IP-address.
  • Page 476 23.9.7 CUPS Browsing: Deleting Print Jobs If a CUPS network server broadcasts its queues to the client hosts via browsing and a suitable local cupsd is active on the client hosts, the client cupsd accepts print jobs from applications and forwards them to the cupsd on the server. When cupsd accepts a print job, it is assigned a new job number.
  • Page 477 3 Some data may still be transferred to the printer even though the print job has been deleted from the queue. Check if a CUPS back-end process is still running for the respective queue and terminate it. For example, for a printer connected to the parallel port, the command fuser -k /dev/lp0 can be used to terminate all processes that are still accessing the printer (more precisely: the parallel port).
  • Page 479: 4 Dynamic Kernel Device Management With Udev

    Dynamic Kernel Device Management with udev Since version 2.6, the kernel is capable of adding or removing almost any device in the running system. Changes in device state (whether a device is plugged in or removed) need to be propagated to userspace. Devices need to be configured as soon as they are plugged in and discovered.
  • Page 480: Kernel Uevents And Udev

    24.2 Kernel uevents and udev The required device information is exported by the sysfs file system. For every device the kernel has detected and initialized, a directory with the device name is created. It contains attribute files with device-specific properties. Every time a device is added or removed, the kernel sends a uevent to notify udev of the change.
  • Page 481: Booting And Initial Device Setup

    aliases provided by the modules. If a matching entry is found, that module is loaded. All this is triggered by udev and happens automatically. 24.4 Booting and Initial Device Setup All device events happening during the boot process before the udev daemon is running are lost, because the infrastructure to handle these events lives on the root file system and is not available at that time.
  • Page 482: Influencing Kernel Device Event Handling With Udev Rules

    The UEVENT lines show the events the kernel has sent over netlink. The UDEV lines show the finished udev event handlers. The timing is printed in microseconds. The time between UEVENT and UDEV is the time udev took to process this event or the udev daemon has delayed its execution to synchronize this event with related and already running events.
  • Page 483: Persistent Device Naming

    Every line in the rules file contains at least one key value pair. There are two kinds of keys, match and assignment keys. If all match keys match their values, the rule is applied and the assignment keys are assigned the specified value. A matching rule may specify the name of the device node, add symlinks pointing to the node, or run a specified program as part of the event handling.
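As an added illustration of the match-key/assignment-key model described above (written for this page, not code from the SLES manual or from udev), the following Python interpreter parses constructed rule lines, checks every match key against a constructed device, and collects the node name, symlinks and programs that the assignment keys of the matching rules produce. Glob matching via fnmatch stands in for udev's own pattern syntax.

```python
"""Interpret udev rule lines: match keys select a device, assignment keys act on it.

Added illustration written for this page; it is not code from the SLES manual or
from udev itself. The rules file and the device below are constructed sample data,
and value matching uses fnmatch globs as a stand-in for udev's own pattern syntax.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

# One token: KEY or KEY{attr}, an operator, a double-quoted value, optional trailing comma.
TOKEN = re.compile(r'\s*([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|:=|=)\s*"([^"]*)"\s*,?')
MATCH_OPS = {"==", "!="}           # everything else (=, +=, :=) is an assignment key
LIST_KEYS = {"SYMLINK", "RUN"}     # keys that accumulate several values via +=

SAMPLE_RULES = """\
# constructed sample rules file
KERNEL=="sd[a-z]", SUBSYSTEM=="block", ATTR{removable}=="1", SYMLINK+="usbdisk"
KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_SERIAL}=="CONSTRUCTED_SERIAL_1", SYMLINK+="backup-disk", RUN+="/usr/local/bin/notify-backup"
KERNEL=="sd*", SUBSYSTEM!="block", NAME:="unexpected"
"""

SAMPLE_DEVICE = {                  # constructed: what sysfs / the uevent would report
    "KERNEL": "sdb",
    "SUBSYSTEM": "block",
    "ATTR{removable}": "1",
    "ENV{ID_SERIAL}": "CONSTRUCTED_SERIAL_1",
}

Key = Tuple[str, str, str]         # (key, operator, value)


def parse_rule(line: str) -> Tuple[List[Key], List[Key]]:
    """Split one rule line into its match keys and its assignment keys."""
    matches, assigns = [], []
    pos, line = 0, line.strip()
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse rule near: {line[pos:]!r}")
        key, attr, op, value = m.groups()
        full_key = f"{key}{{{attr}}}" if attr is not None else key
        (matches if op in MATCH_OPS else assigns).append((full_key, op, value))
        pos = m.end()
    return matches, assigns


def rule_matches(matches: List[Key], device: Dict[str, str]) -> bool:
    """A rule applies only if every match key agrees with the device."""
    for key, op, pattern in matches:
        actual = device.get(key)
        hit = actual is not None and fnmatch.fnmatchcase(actual, pattern)
        if (op == "==") != hit:      # '==' needs a hit, '!=' needs a miss
            return False
    return True


def apply_rules(rules_text: str, device: Dict[str, str]) -> dict:
    """Walk the rules top to bottom; collect node name, symlinks and programs to run."""
    result = {"NAME": device.get("KERNEL"), "SYMLINK": [], "RUN": []}
    final = set()                    # keys fixed with ':=' that later rules may not change
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = parse_rule(line)
        if not rule_matches(matches, device):
            continue
        for key, op, value in assigns:
            if key in final:
                continue
            if key in LIST_KEYS:
                if op == "+=":
                    result[key].append(value)
                else:
                    result[key] = [value]
            else:
                result[key] = value
            if op == ":=":
                final.add(key)
    return result


if __name__ == "__main__":
    print(apply_rules(SAMPLE_RULES, SAMPLE_DEVICE))
```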
  • Page 484: The Replaced Hotplug Package

    24.8 The Replaced hotplug Package The formerly used hotplug package is entirely replaced by udev and the udev-related kernel infrastructure. The following parts of the former hotplug infrastructure have been made obsolete or had their functionality taken over by udev: /etc/hotplug/*.agent No longer needed or moved to /lib/udev /etc/hotplug/*.rc...
  • Page 485: For More Information

    /lib/udev/* Helper programs called from udev rules 24.9 For More Information For more information about the udev infrastructure, refer to the following man pages: udev General information about udev, keys, rules, and other important configuration issues. udevinfo udevinfo can be used to query device information from the udev database. udevd Information about the udev event managing daemon.
  • Page 487: 5 File Systems In Linux

    File Systems in Linux SUSE Linux Enterprise® ships with a number of different file systems, including ReiserFS, Ext2, Ext3, and XFS, from which to choose at installation time. Each file system has its own advantages and disadvantages that can make it more suited to a scenario. To meet the requirements of high-performance clustering scenarios, SUSE Linux Enterprise Server includes OCFS2 (Oracle Cluster File System 2).
  • Page 488: Major File Systems In Linux

    it obsoletes the lengthy search process that checks the entire file system at system start-up. Instead, only the journal is replayed. 25.2 Major File Systems in Linux Unlike two or three years ago, choosing a file system for a Linux system is no longer a matter of a few seconds (Ext2 or ReiserFS?).
  • Page 489 directly in the B tree leaf nodes instead of being stored elsewhere and just maintaining a pointer to the actual disk location. In addition to that, storage is not allocated in chunks of 1 or 4 KB, but in portions of the exact size needed. Another benefit lies in the dynamic allocation of inodes.
  • Page 490 +found). In contrast to journaling file systems, e2fsck analyzes the entire file system and not just the recently modified bits of metadata. This takes significantly longer than checking the log data of a journaling file system. Depending on file system size, this procedure can take half an hour or more. Therefore, it is not desirable to choose Ext2 for any server that needs high availability.
  • Page 491 Ext3 in the data=journal mode offers maximum security (data integrity), but can slow down the system because both metadata and data are journaled. A relatively new approach is to use the data=ordered mode, which ensures both data and metadata integrity, but uses journaling only for metadata. The file system driver collects all data blocks that correspond to one metadata update.
  • Page 492 25.2.5 XFS Originally intended as the file system for their IRIX OS, SGI started XFS development in the early 1990s. The idea behind XFS was to create a high-performance 64-bit journaling file system to meet the extreme computing challenges of today. XFS is very good at manipulating large files and performs well on high-end hardware.
  • Page 493 25.2.6 Oracle Cluster File System 2 OCFS2 is a journaling file system that has been tailor-made for clustering setups. In contrast to a standard single-node file system like Ext3, OCFS2 is capable of managing several nodes. OCFS2 allows spreading a file system across shared storage, such as a SAN or multipath setup.
  • Page 494: Some Other Supported File Systems

    DOS, is today used by various operating systems (msdos). ncpfs: File system for mounting Novell volumes over networks. Network File System: Here, data can be stored on any machine in a network and access may be granted via a network.
  • Page 495: Large File Support In Linux

    umsdos: UNIX on MSDOS: Applied on top of a normal fat file system, achieves UNIX functionality (permissions, links, long filenames) by creating special files. vfat: Virtual FAT: Extension of the fat file system (supports long filenames). ntfs: Windows NT file system, read-only. 25.4 Large File Support in Linux Originally, Linux supported a maximum file size of 2 GB.
  • Page 496: For More Information

    File System / File Size (Bytes) / File System Size (Bytes): (8 EB) / (8 EB); NFSv2 (client side): (2 GB) / (8 EB); NFSv3 (client side): (8 EB) / (8 EB). IMPORTANT: Linux Kernel Limits Table 25.2, “Maximum Sizes of File Systems (On-Disk Format)” (page 477) describes the limitations regarding the on-disk format.
  • Page 497 A comprehensive multipart tutorial about Linux file systems can be found at IBM developerWorks: http://www-106.ibm.com/developerworks/library/l-fs.html. A very in-depth comparison of file systems (not only Linux file systems) is available from the Wikipedia project http://en.wikipedia.org/wiki/Comparison_of_file_systems#Comparison. File Systems in Linux...
  • Page 499: 6 The X Window System

    The X Window System The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. X is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet). The X Window System environment is very configurable.
  • Page 500 WARNING: Faulty X Configurations Can Damage Your Hardware Be very careful when configuring your X Window System. Never start the X Window System until the configuration is finished. A wrongly configured system can cause irreparable damage to your hardware (this applies especially to fixed-frequency monitors).
  • Page 501 Table 26.1 Sections in /etc/X11/xorg.conf (Type: Meaning). Files: The paths used for fonts and the RGB color table. ServerFlags: General switches. Module: A list of modules the server should load. InputDevice: Input devices, like keyboard, mouse, and special input devices (touchpads, joysticks, etc.), are configured in this section.
  • Page 502 (Type: Meaning, continued) ... of the virtual screen (Virtual), the ViewPort, and the Modes used with this screen. ServerLayout: The layout of a single or multihead configuration. Binds the input devices InputDevice and the display devices Screen. Provides information for the Direct Rendering Infrastructure (DRI).
  • Page 503 Example 26.1 Screen Section of the File /etc/X11/xorg.conf
    Section "Screen"
      DefaultDepth
      SubSection "Display"
        Depth
        Modes "1152x864" "1024x768" "800x600"
        Virtual 1152x864
      EndSubSection
      SubSection "Display"
        Depth
        Modes "1280x1024"
      EndSubSection
      SubSection "Display"
        Depth
        Modes "640x480"
      EndSubSection
      SubSection "Display"
        Depth
        Modes "1280x1024"
      EndSubSection
      Device "Device[0]"...
  • Page 504 The last line of the Display subsection with Depth 16 refers to the size of the virtual screen. The maximum possible size of a virtual screen depends on the amount of memory installed on the graphics card and the desired color depth, not on the maximum resolution of the monitor.
  • Page 505 in decimal form, but lspci displays these in hexadecimal form. The value of BusID is automatically detected by SaX2. The value of Driver is automatically set by SaX2 and specifies which driver to use for your graphics card. If the card is a Matrox Millennium, the driver module is called mga.
  • Page 506: Installing And Configuring Fonts

    Those who try to develop their own monitor descriptions should be very familiar with the documentation in /usr/X11R6/lib/X11/doc/ (the package xorg-x11-doc must be installed). Manual specification of modelines is rarely required today. If you are using a modern multisync monitor, the allowed frequencies and optimal resolutions can, as a rule, be read directly from the monitor by the X server via DDC, as described in the SaX2 configuration section.
  • Page 507 To install additional fonts systemwide, manually copy the font files to a suitable directory (as root), such as /usr/share/fonts/truetype. Alternatively, the task can be performed with the KDE font installer in the KDE Control Center. The result is the same. Instead of copying the actual fonts, you can also create symbolic links.
  • Page 508 the Files section. Display the actual FontPath with xset q. This path may also be changed at runtime with xset. To add an additional path, use xset +fp <path>. To remove an unwanted path, use xset -fp <path>. If the X server is already active, newly installed fonts in mounted directories can be made available with the command xset fp rehash.
  • Page 509 <?xml version="1.0"?> <!DOCTYPE fontconfig SYSTEM "fonts.dtd"> <fontconfig> and end with </fontconfig> To add directories to search for fonts, append lines such as the following: <dir>/usr/local/share/fonts/</dir> However, this is usually not necessary. By default, the user-specific directory ~/.fonts is already entered in /etc/fonts/fonts.conf. Accordingly, all you need to do to install additional fonts is to copy them to ~/.fonts.
  • Page 510
    <alias>
      <family>sans-serif</family>
      <prefer>
        <family>FreeSans</family>
      </prefer>
    </alias>
    <alias>
      <family>serif</family>
      <prefer>
        <family>FreeSerif</family>
      </prefer>
    </alias>
    <alias>
      <family>monospace</family>
      <prefer>
        <family>FreeMono</family>
      </prefer>
    </alias>
    Because nearly all applications use these aliases by default, this affects almost the entire system. Thus, you can easily use your favorite fonts almost everywhere without having to modify the font settings in the individual applications.
  • Page 511: For More Information

    Table 26.2 Parameters of fc-list (Parameter: Meaning and Possible Values). family: Name of the font family, for example, FreeSans. foundry: The manufacturer of the font, for example, urw. style: The font style, such as Medium, Regular, Bold, Italic, or Heavy. lang: The language that the font supports, for example, de for German, ja for Japanese, zh-TW for traditional Chinese,...
  • Page 513: 7 Authentication With Pam

    Authentication with PAM Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
  • Page 514: Structure Of A Pam Configuration File

    27.1 Structure of a PAM Configuration File Each line in a PAM configuration file contains a maximum of four columns: <Type of module> <Control flag> <Module path> <Options> PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings.
  • Page 515: The Pam Configuration Of Sshd

    modules with the same flag are processed before the user receives a message about the failure of the authentication attempt. requisite Modules having this flag must also be processed successfully, in much the same way as a module with the required flag. However, in case of failure a module with this flag gives immediate feedback to the user and no further modules are processed.
  • Page 516 Example 27.1 PAM Configuration for sshd
    #%PAM-1.0
    auth     include   common-auth
    auth     required  pam_nologin.so
    account  include   common-account
    password include   common-password
    session  include   common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
    #session optional pam_resmgr.so fake_ttyname
    The typical PAM configuration of an application (sshd, in this case) contains four include statements referring to the configuration files of four module types: common-auth, common-account, common-password, and common-session.
  • Page 517 that all modules of the stack have the required control flag, they must all be processed successfully before sshd receives a message about the positive result. If one of the modules is not successful, the entire module stack is still processed and only then is sshd notified about the negative result.
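As an added illustration of the stack processing described on the preceding pages (written for this page, not code from the SLES manual or from PAM), the following Python simulation parses the four-column format, flattens the include lines of a constructed sshd-style configuration, and walks the auth stack: with required, a failing pam_unix2 still lets pam_nologin run and only the final result is negative; with requisite, processing stops at the failure. The common-auth contents are constructed, and the sufficient/optional branches follow standard PAM behaviour not shown in the excerpt.

```python
"""Simulate how PAM walks a module stack built from a configuration like Example 27.1.

Added illustration for this page; not code from the SLES manual or from PAM itself.
The files below are constructed sample data in the manual's four-column format:
<Type of module> <Control flag> <Module path> <Options>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_FILES: Dict[str, str] = {
    # constructed application file, modelled on the sshd example
    "sshd": """\
#%PAM-1.0
auth     include   common-auth
auth     required  pam_nologin.so
""",
    # constructed stand-in for the common-auth file pulled in by the include line
    "common-auth": """\
auth required pam_env.so
auth required pam_unix2.so
""",
}


@dataclass
class Entry:
    mtype: str            # auth, account, password, session
    control: str          # required, requisite, sufficient, optional, include
    module: str           # module path, or the file name for include
    options: List[str] = field(default_factory=list)


def parse(text: str) -> List[Entry]:
    """Parse one PAM file; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(cols[0], cols[1], cols[2], cols[3:]))
    return entries


def load_stack(name: str, mtype: str, files=SAMPLE_FILES, depth: int = 0) -> List[Entry]:
    """Flatten include directives into one ordered stack for a module type."""
    if depth > 8:
        raise RuntimeError(f"include loop reached via {name}")
    stack = []
    for e in parse(files[name]):
        if e.mtype != mtype:
            continue
        if e.control == "include":
            stack.extend(load_stack(e.module, mtype, files, depth + 1))
        else:
            stack.append(e)
    return stack


def run_stack(stack: List[Entry], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with the control-flag semantics the manual describes.

    results maps module path -> True (success) or False (failure). Returns
    (overall result, modules actually invoked). required: a failure is remembered
    but the rest of the stack still runs, so the application learns of it only at
    the end. requisite: a failure stops processing immediately. sufficient/optional:
    standard PAM behaviour (simplified), not covered by the excerpt above.
    """
    invoked: List[str] = []
    failed_required = False
    for e in stack:
        ok = results.get(e.module, False)      # unknown modules are treated as failing
        invoked.append(e.module)
        if e.control == "required":
            if not ok:
                failed_required = True
        elif e.control == "requisite":
            if not ok:
                return False, invoked
        elif e.control == "sufficient":
            if ok and not failed_required:
                return True, invoked
        elif e.control == "optional":
            if len(stack) == 1:
                return ok, invoked
        else:
            raise ValueError(f"unknown control flag: {e.control}")
    return not failed_required, invoked


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the sshd auth stack with a rejected password, as required and as requisite."""
    auth = load_stack("sshd", "auth")
    outcome = {"pam_env.so": True, "pam_unix2.so": False, "pam_nologin.so": True}
    all_required = run_stack(auth, outcome)    # pam_nologin still runs after the failure
    requisite = [Entry(e.mtype, "requisite" if e.module == "pam_unix2.so" else e.control,
                       e.module, e.options) for e in auth]
    short_circuit = run_stack(requisite, outcome)   # stops right after pam_unix2
    return {"required": all_required, "requisite": short_circuit}


if __name__ == "__main__":
    for name, (ok, seen) in demo().items():
        print(f"{name:9s} result={ok} modules run={seen}")
```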
  • Page 518: Configuration Of Pam Modules

    As the final step, the modules of the session type, bundled in the common-session file are called to configure the session according to the settings for the user in question. Although pam_unix2 is processed again, it has no practical consequences due to its none option specified in the respective configuration file of this module, pam_unix2.conf.
  • Page 519 27.3.2 pam_env.conf This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax: VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] VARIABLE Name of the environment variable to set. [DEFAULT=[value]] Default value the administrator wants set.
  • Page 520: For More Information

    Example 27.8 pam_pwcheck.conf password: nullok 27.3.4 limits.conf System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.
  • Page 521: 8 Power Management

    Power Management Power management is especially important on laptop computers, but is also useful on other systems. Two technologies are available: APM (advanced power management) and ACPI (advanced configuration and power interface). In addition to these, it is also possible to control CPU frequency scaling to save power or decrease noise. These options can be configured manually or using a special YaST module.
  • Page 522: Power Saving Functions

    28.1 Power Saving Functions Power saving functions are not only significant for the mobile use of laptops, but also for desktop systems. The main functions and their use in the power management systems APM and ACPI are: Standby This operating mode turns off the display. On some computers, the processor performance is throttled.
  • Page 523: Apm

    Shutdown of System Components Switching off the hard disk is the greatest single aspect of the power saving potential of the overall system. Depending on the reliability of the overall system, the hard disk can be put to sleep for some time. However, the risk of losing data increases with the duration of the sleep periods.
  • Page 524 on or off Enable or disable APM support. (no-)allow-ints Allow interrupts during the execution of BIOS functions. (no-)broken-psr The “GetPowerStatus” function of the BIOS does not work properly. (no-)realmode-power-off Reset processor to real mode prior to shutdown. (no-)debug Log APM events in system log. (no-)power-off Power system off after shutdown.
  • Page 525: Acpi

    28.3 ACPI ACPI (advanced configuration and power interface) was designed to enable the operating system to set up and control the individual hardware components. ACPI supersedes both PnP and APM. It delivers information about the battery, AC adapter, temperature, fan, and system events, like “close lid” or “battery low.” The BIOS provides tables containing information about the individual components and hardware access methods.
  • Page 526 /proc/acpi/info General information about ACPI. /proc/acpi/alarm Here, specify when the system should wake from a sleep state. Currently, this feature is not fully supported. /proc/acpi/sleep Provides information about possible sleep states. /proc/acpi/event All events are reported here and processed by the Powersave daemon (powersaved).
  • Page 527 and the hardware (or the BIOS) overwrite this setting when the system gets too warm. /proc/acpi/processor/* A separate subdirectory is kept for each CPU included in your system. /proc/acpi/processor/*/info Information about the energy saving options of the processor. /proc/acpi/processor/*/power Information about the current processor state. An asterisk next to C2 indicates that the processor is idle.
  • Page 528 /proc/acpi/thermal_zone/*/cooling_mode Select the cooling method controlled by ACPI. Choose from passive (less performance, economical) or active cooling mode (full performance, fan noise). /proc/acpi/thermal_zone/*/trip_points Enables the determination of temperature limits for triggering specific actions, like passive or active cooling, suspension (hot), or a shutdown (critical). The possible actions are defined in the DSDT (device-dependent).
  • Page 529 cation. Therefore, there are different kernel governors that can be set below /sys/devices/system/cpu/cpu*/cpufreq/. userspace governor If the userspace governor is set, the kernel gives the control of CPU frequency scaling to a userspace application, usually a daemon. In SUSE Linux Enterprise distributions, this daemon is the powersaved package.
  • Page 530 only be applied if no other device modifies the contents of the main memory via bus master activity. Some drivers prevent the use of C3. The current state is displayed in /proc/acpi/processor/*/power. Frequency scaling and throttling are only relevant if the processor is busy, because the most economic C state is applied anyway when the processor is idle.
  • Page 531 The first thing to do when problems are encountered is to update the BIOS. If the computer does not boot at all, one of the following boot parameters may be helpful: pci=noacpi Do not use ACPI for configuring the PCI devices. acpi=ht Only perform a simple resource configuration.
  • Page 532: Rest For The Hard Disk

    For More Information Additional documentation and help on ACPI: • http://www.cpqlinux.com/acpi-howto.html (detailed ACPI HOWTO, contains DSDT patches) • http://www.intel.com/technology/iapc/acpi/faq.htm (ACPI FAQ @Intel) • http://acpi.sourceforge.net/ (the ACPI4Linux project at Sourceforge) • http://www.poupinou.org/acpi/ (DSDT patches by Bruno Ducrot) 28.4 Rest for the Hard Disk In Linux, the hard disk can be put to sleep entirely if it is not needed or it can be run in a more economic or quieter mode.
  • Page 533: The Powersave Package

    in the RAM. This buffer is monitored by the kernel update daemon (kupdated). When the data reaches a certain age limit or when the buffer is filled to a certain degree, the buffer content is flushed to the hard disk. The buffer size is dynamic and depends on the size of the memory and the system load.
  • Page 534 packages, except acpid that acts as a multiplexer for ACPI events, should not be run concurrently with the powersave daemon. Even if your system does not contain all the hardware elements listed above, use the powersave daemon for controlling the power saving function. Because ACPI and APM are mutually exclusive, you can only use one of these systems on your computer.
  • Page 535 • do_standby • notify • screen_saver • reread_cpu_capabilities throttle slows down the processor by the value defined in MAX_THROTTLING. This value depends on the current scheme. dethrottle sets the processor to full performance. suspend_to_disk, suspend_to_ram, and standby trigger the system event for a sleep mode. These three actions are generally responsible for triggering the sleep mode, but they should always be associated with specific system events.
  • Page 536 The actions for the event of a sleep button could be modified as in EVENT_BUTTON_SLEEP="notify suspend_to_disk". In this case, the user is informed about the suspend by a pop-up window in X or a message on the console. Subsequently, the event EVENT_GLOBAL_SUSPEND2DISK is generated, resulting in the execution of the mentioned actions and a secure system suspend mode.
  • Page 537 28.5.2 Configuring APM and ACPI Suspend and Standby There are three basic ACPI sleep modes and two APM sleep modes: Suspend to Disk (ACPI S4, APM suspend) Saves the entire memory content to the hard disk. The computer is switched off completely and does not consume any power.
  • Page 538 EVENT_GLOBAL_RESUME_SUSPEND2DISK= "restore_after_suspend_to_disk" EVENT_GLOBAL_RESUME_SUSPEND2RAM= "restore_after_suspend_to_ram" EVENT_GLOBAL_RESUME_STANDBY= "restore_after_standby" Custom Battery States In the file /etc/sysconfig/powersave/battery, define three battery charge levels (in percent) that trigger system alerts or specific actions when they are reached. BATTERY_WARNING=12 BATTERY_LOW=7 BATTERY_CRITICAL=2 The actions or scripts to execute when the charge levels drop under the specified limits are defined in the configuration file /etc/sysconfig/powersave/events.
  • Page 539 The schemes are stored in files in /etc/sysconfig/powersave. The filenames are in the format scheme_name-of-the-scheme. The example refers to two schemes: scheme_performance and scheme_powersave. performance, powersave, presentation, and acoustic are preconfigured. Existing schemes can be edited, created, deleted, or associated with different power supply states with the help of the YaST power management module described in Section 28.6, “The YaST Power Management Module”...
  • Page 540 28.5.4 Troubleshooting All error messages and alerts are logged in the file /var/log/messages. If you cannot find the needed information, increase the verbosity of the messages of powersave using DEBUG in the file /etc/sysconfig/powersave/common. Increase the value of the variable to 7 or even 15 and restart the daemon. The more detailed error messages in /var/log/messages should help you to find the error.
  • Page 541 CPU Frequency Does Not Work Refer to the kernel sources (kernel-source) to see if your processor is supported. You may need a special kernel module or module option to activate CPU frequency control. This information is available in /usr/src/linux/Documentation/ cpu-freq/*. If a special module or module option is needed, configure it in the file /etc/sysconfig/powersave/cpufreq by means of the variables CPUFREQD_MODULE and CPUFREQD_MODULE_OPTS.
  • Page 542: The Yast Power Management Module

    28.5.5 For More Information • /usr/share/doc/packages/powersave—Local Powersave daemon documentation • http://powersave.sourceforge.net—Most recent Powersave daemon documentation • http://www.opensuse.org/Projects_Powersave—Project page in the openSUSE wiki 28.6 The YaST Power Management Module The YaST power management module can configure all power management settings already described. When started from the YaST Control Center with System > Power Management, the first dialog of the module opens (see Figure 28.1, “Scheme Selection”...
  • Page 543 In this dialog, select the schemes to use for battery operation and AC operation. To add or modify the schemes, click Edit Schemes, which opens an overview of the existing schemes like that shown in Figure 28.2, “Overview of Existing Schemes” (page 525).
  • Page 544 Figure 28.3 Configuring a Scheme First, enter a suitable name and description for the new or edited scheme. Determine if and how the CPU performance should be controlled for this scheme. Decide if and to what extent frequency scaling and throttling should be used and whether processes with low priority (niced processes) should be ignored when adjusting the CPU frequency.
  • Page 545 Figure 28.4 Battery Charge Level The BIOS of your system notifies the operating system whenever the charge level drops under certain configurable limits. In this dialog, define three limits: Warning Capacity, Low Capacity, and Critical Capacity. Specific actions are triggered when the charge level drops under these limits.
  • Page 546 Figure 28.5 ACPI Settings Access the dialog for configuring the ACPI buttons using ACPI Settings. It is shown Figure 28.5, “ACPI Settings” (page 528). The settings for the ACPI buttons determine how the system should respond to certain switches. Configure the system response to pressing the power button, pressing the sleep button, and closing the laptop lid.
  • Page 547: 9 Wireless Communication

    Wireless Communication Wireless LAN can be used to establish communication between your SUSE Linux Enterprise® machines. This chapter introduces the principles of wireless networking and the basic configuration for wireless networking. 29.1 Wireless LAN Wireless LANs have become an indispensable aspect of mobile computing. Today, most laptops have built-in WLAN cards.
  • Page 548 Table 29.1 Overview of Various WLAN Standards (Name / Band (GHz) / Maximum Transmission Rate (Mbit/s) / Note): 802.11 / 2.4 / 2 / Outdated; virtually no end devices available. 802.11b / 2.4 / 11 / Widespread. 802.11a / 5 / 54 / Less common. 802.11g / 2.4 / 54 / Backward-compatible with 802.11b. Additionally, there are proprietary standards, like the 802.11b variation of Texas Instruments with a maximum transmission rate of 22 Mbit/s (sometimes referred to as 802.11b+).
  • Page 549 • Texas Instruments ACX100, ACX111 • ZyDAS zd1201 A number of older cards that are rarely used and no longer available are also supported. An extensive list of WLAN cards and the chips they use is available at the Web site of AbsoluteValue Systems at http://www.linux-wlan.org/docs/wlan _adapters.html.gz.
  • Page 550 However, because WEP has proven to be insecure (see Section “Security” (page 538)), the WLAN industry (joined under the name Wi-Fi Alliance) has defined a new extension called WPA, which is supposed to eliminate the weaknesses of WEP. The later IEEE 802.11i standard (also referred to as WPA2, because WPA is based on a draft version 802.11i) includes WPA and some other authentication and encryption methods.
  • Page 551 terprises. In private networks, it is scarcely used. For this reason, WPA-EAP is sometimes referred to as WPA “Enterprise”. WPA-EAP needs a RADIUS server to authenticate users. Of the many EAP methods, three are offered here for connecting and authenticating to that server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).
  • Page 552: Configuration With Yast

    CCMP (defined in IEEE 802.11i) CCMP is the AES-based encryption and integrity protocol of 802.11i (AES in CCM mode with a per-packet authenticator); it is not a key management method, and the keys it uses come from the WPA-PSK or WPA-EAP handshake. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. Its AES encryption is stronger than the RC4 encryption of the WEP standard. 29.1.3 Configuration with YaST To configure your wireless network card, start the YaST Network Card module.
  • Page 553 Network Name (ESSID) All stations in a wireless network need the same ESSID for communicating with each other. If nothing is specified, the card automatically selects an access point, which may not be the one you intended to use and could even be a rogue access point impersonating your network; always set the ESSID explicitly. Authentication Mode Select a suitable authentication method for your network: Open, Shared Key, WPA-PSK, or WPA-EAP.
  • Page 554 cording to the length previously specified. ASCII requests an input of 5 characters for a 64-bit key and 13 characters for a 128-bit key. For Hexadecimal, enter 10 characters for a 64-bit key or 26 characters for a 128-bit key in hexadecimal notation. (The nominal 64 and 128 bits include the 24-bit initialization vector that WEP transmits with every packet; the secret part of the key is only 40 or 104 bits.) WPA-PSK To enter a key for WPA-PSK, select the input method Passphrase or Hexadecimal.
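The following Python script is an added example, not code from the manual or from YaST. It makes the two input rules on this page concrete: the WEP length check (5 or 13 ASCII characters, 10 or 26 hex digits, because the nominal key size includes the 24-bit IV) and the fact that a WPA-PSK passphrase is not the key itself but the input to PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i. The sample keys and the passphrase/SSID pair "password"/"IEEE" (a published 802.11i test vector) are constructed inputs for the demonstration.

```python
"""Added example: WEP key length rules and WPA-PSK derivation.

Not part of the SUSE manual. Shows what the YaST WEP and WPA-PSK
dialogs actually ask for:
- WEP "64-bit" and "128-bit" keys carry a 24-bit per-packet IV, so the
  secret you type is 40 or 104 bits: 5 or 13 ASCII bytes, 10 or 26 hex digits.
- WPA-PSK: the 256-bit PSK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
"""
import binascii
import hashlib
import string

# Secret-key lengths in bytes for the two WEP sizes offered by the dialog.
WEP_SECRET_BYTES = {64: 5, 128: 13}


def wep_ascii_to_hex(key: str, bits: int) -> str:
    """Convert an ASCII WEP key to its hex form, enforcing the length rule."""
    want = WEP_SECRET_BYTES[bits]
    raw = key.encode("ascii")  # non-ASCII input raises UnicodeEncodeError
    if len(raw) != want:
        raise ValueError(f"{bits}-bit WEP needs {want} ASCII chars, got {len(raw)}")
    return raw.hex()


def wep_check_hex(key: str, bits: int) -> bytes:
    """Validate a hexadecimal WEP key (10 or 26 digits) and return the raw bytes."""
    want = WEP_SECRET_BYTES[bits]
    if len(key) != 2 * want or any(c not in string.hexdigits for c in key):
        raise ValueError(f"{bits}-bit WEP needs {2 * want} hex digits")
    return binascii.unhexlify(key)


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 64-hex-digit WPA-PSK from passphrase and SSID (802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    # Constructed sample inputs; "password"/"IEEE" is an 802.11i test vector.
    print(wep_ascii_to_hex("abcde", 64))
    print(wep_check_hex("0123456789", 64).hex())
    print(wpa_psk("password", "IEEE"))
```

The SSID salt is why the same passphrase yields a different PSK on every network, and why precomputed dictionary tables only work per SSID; the 4096 iterations slow offline guessing but do not rescue a short passphrase.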
  • Page 555 system tries to use the highest possible data transmission rate. Some WLAN cards do not support the setting of bit rates. Access Point In an environment with several access points, one of them can be preselected by specifying the MAC address. 29.1.4 Utilities hostap (package hostap) is used to run a WLAN card as an access point.
  • Page 556 Security If you want to set up a wireless network, remember that anybody within the transmission range can easily access it if no security measures are implemented. Therefore, be sure to activate an encryption method. All WLAN cards and access points support WEP encryption; because WEP has proven to be insecure, use it only where WPA is not available.
  • Page 557 to use WPA, read /usr/share/doc/packages/wireless-tools/README .prism2. WPA support is quite new in SUSE Linux Enterprise and still under development. Thus, YaST does not support the configuration of all WPA authentication methods. Not all wireless LAN cards and drivers support WPA. Some cards need a firmware update to enable WPA.
  • Page 559: Part Iv Services

    Part IV. Services...
  • Page 561: 0 Basic Networking

    Basic Networking Linux offers the necessary networking tools and features for integration into all types of network structures. The customary Linux protocol, TCP/IP, has various services and special features, which are discussed here. Network access using a network card, modem, or other device can be configured with YaST.
  • Page 562 Table 30.1 Several Protocols in the TCP/IP Protocol Family Protocol Description Transmission Control Protocol: A connection-oriented, reliable protocol (it guarantees delivery and ordering, not confidentiality). The data to transmit is first sent by the application as a stream of data then converted by the operating system to the appropriate format. The data arrives at the respective application on the destination host in the original data stream format in which it was initially sent.
  • Page 563 Figure 30.1 Simplified Layer Model for TCP/IP (hosts sun and earth; each layer on one host communicates with the same layer on the other): Application Layer: applications. Transport Layer: TCP, UDP. Network Layer. Data Link Layer: Ethernet, FDDI, ISDN. Physical Layer: cable, fiberglass (the actual data transfer). The diagram provides one or two examples for each layer.
  • Page 564 located at the end of the packet, not at the beginning. This simplifies things for the network hardware. Figure 30.2 TCP/IP Ethernet Packet Usage Data (maximum 1460 bytes) TCP (Layer 4) Protocol Header (approx. 20 bytes) IP (Layer 3) Protocol Header (approx. 20 bytes) Ethernet (Layer 2) Protocol Header (approx.
  • Page 565: Ip Addresses And Routing

    30.1 IP Addresses and Routing The discussion in this section is limited to IPv4 networks. For information about IPv6 protocol, the successor to IPv4, refer to Section 30.2, “IPv6—The Next Generation Internet” (page 550). 30.1.1 IP Addresses Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Example 30.1, “Writing IP Addresses”...
  • Page 566 an IP address belongs to the network. All those bits that are 1 mark the corresponding bit in the IP address as belonging to the network part. All bits that are 0 mark bits of the host part inside the subnetwork. This means that the more bits are 1, the smaller the subnetwork is. Because the netmask always consists of a contiguous run of 1 bits followed by 0 bits, it is also possible to just count the number of 1 bits in the netmask (the prefix length, written as /24 for 255.255.255.0).
  • Page 567 Table 30.2 Specific Addresses (Address Type / Description): Base Network Address: This is the netmask AND any address in the network, as shown in Example 30.2, “Linking IP Addresses to the Netmask” (page 548) under Result. This address cannot be assigned to any hosts.
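The following Python functions are an added example, not part of the manual; they carry out the netmask arithmetic that pages 566 and 567 describe (network part = address AND netmask, prefix length = number of contiguous 1 bits, broadcast = all host bits set) on plain integers so that the bit operations stay visible. The addresses used in the demonstration are constructed; the standard library's ipaddress module would give the same results.

```python
"""Added example: netmask arithmetic behind Table 30.2 and Example 30.2.

Not from the SUSE manual. Works on 32-bit integers so the AND/OR the text
describes is explicit.
"""

def dotted_to_int(addr: str) -> int:
    """Parse a dotted-quad IPv4 address into a 32-bit integer."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(netmask: str) -> int:
    """Count the leading 1 bits; reject masks whose 1 bits are not contiguous."""
    m = dotted_to_int(netmask)
    ones = bin(m).count("1")
    # A valid mask is `ones` 1-bits followed by zeros.
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {netmask}")
    return ones


def network_address(addr: str, netmask: str) -> str:
    """Base network address: address AND netmask (Table 30.2)."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(netmask))


def broadcast_address(addr: str, netmask: str) -> str:
    """Broadcast address: network part with every host bit set to 1."""
    m = dotted_to_int(netmask)
    return int_to_dotted((dotted_to_int(addr) & m) | (~m & 0xFFFFFFFF))


def same_subnet(a: str, b: str, netmask: str) -> bool:
    """Two hosts can reach each other without a router if the network parts match."""
    return network_address(a, netmask) == network_address(b, netmask)


def host_count(netmask: str) -> int:
    """Usable host addresses: all host-bit combinations minus network and broadcast."""
    host_bits = 32 - prefix_length(netmask)
    return max(0, 2 ** host_bits - 2)


if __name__ == "__main__":
    # Constructed sample values.
    print(network_address("192.168.0.20", "255.255.255.0"))   # 192.168.0.0
    print(broadcast_address("192.168.0.20", "255.255.255.0")) # 192.168.0.255
    print(prefix_length("255.255.248.0"))                      # 21
    print(same_subnet("10.20.1.5", "10.20.8.1", "255.255.248.0"))
```

The contiguity check in prefix_length is the practical one: a mask such as 255.255.0.255 is accepted by some tools yet has no prefix-length equivalent and produces routing behaviour nobody intends.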
  • Page 568: Ipv6-The Next Generation Internet

    30.2 IPv6—The Next Generation Internet IMPORTANT: IBM System z: IPv6 Support IPv6 is not supported by the CTC and IUCV network connections of the IBM System z hardware. Due to the emergence of the WWW (World Wide Web), the Internet has experienced explosive growth with an increasing number of computers communicating via TCP/IP in the past fifteen years.
  • Page 569 30.2.1 Advantages The most important and most visible improvement brought by the new protocol is the enormous expansion of the available address space. An IPv6 address is made up of 128 bit values instead of the traditional 32 bits. This provides for 2^128 (about 3.4 × 10^38) addresses, compared with roughly 4 billion for IPv4.
  • Page 570 Backward Compatibility Realistically, it would be impossible to switch the entire Internet from IPv4 to IPv6 at one time. Therefore, it is crucial that both protocols are able to coexist not only on the Internet, but also on one system. This is ensured by compatible addresses (IPv4 addresses can easily be translated into IPv6 addresses) and through the use of a number of tunnels.
  • Page 571 Multicast Addresses of this type relate to a group of network interfaces. Packets with such an address are delivered to all destinations that belong to the group. Multicast ad- dresses are mainly used by certain network services to communicate with certain groups of hosts in a well-directed manner.
  • Page 572 Example 30.4 IPv6 Address Specifying the Prefix Length fe80::10:1000:1a4/64 IPv6 knows about several predefined types of prefixes. Some of these are shown in Table 30.4, “Various IPv6 Prefixes” (page 554). Table 30.4 Various IPv6 Prefixes Prefix (hex) Definition IPv4 addresses and IPv4 over IPv6 compatibility addresses. These are used to maintain compatibility with IPv4.
  • Page 573 Site Topology The second part contains routing information about the subnetwork to which to deliver the packet. Interface ID The third part identifies the interface to which to deliver the packet. This also allows the MAC address to form part of the address (the modified EUI-64 scheme). Given that the MAC is a globally unique, fixed identifier coded into the device by the hardware maker, the configuration procedure is substantially simplified. The flip side is that such an interface ID stays the same on every network the host joins and can be used to track the device; privacy extensions (RFC 4941) generate random, temporary interface IDs for outgoing connections instead.
  • Page 574 zero bytes. Addresses of this type are used during automatic configuration to communicate with other hosts belonging to the same subnetwork. site-local Packets with this type of address may be routed to other subnetworks, but not to the wider Internet—they must remain inside the organization's own network. Such addresses are used for intranets and are an equivalent of the private address space defined by IPv4. Note that site-local addresses (fec0::/10) were deprecated by RFC 3879; unique local addresses (fc00::/7, RFC 4193) now serve this purpose.
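The following Python script is an added example, not part of the manual. It demonstrates the points of pages 572 to 574 together: how a MAC-derived interface ID is formed (modified EUI-64, the method behind the link-local address in Example 30.4), why it is a privacy problem (the MAC can be read straight back out of the address), and how the leading prefix decides the scope of an address. The MAC 00:08:74:98:ED:51 and its link-local address are taken from the ifconfig output later in this chapter (page 612); the other sample addresses are constructed.

```python
"""Added example: what an auto-configured IPv6 address reveals.

Not from the SUSE manual. Modified EUI-64 interface IDs, their reversal,
and prefix-based scope classification as listed on pages 572-574.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the U/L bit (0x02) of the first octet, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    ifid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(ifid, "big")


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the EUI-64 interface ID, as autoconfiguration does."""
    prefix = int(ipaddress.IPv6Address("fe80::"))
    return str(ipaddress.IPv6Address(prefix | eui64_interface_id(mac)))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 based address; None if the ID is not EUI-64.

    This is the tracking problem: the same hardware identifier shows up in
    the host's address on every network it visits.
    """
    ifid = ipaddress.IPv6Address(addr).packed[8:]
    if ifid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([ifid[0] ^ 0x02]) + ifid[1:3] + ifid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def scope(addr: str) -> str:
    """Classify an address by the well-known prefixes (explicit bit checks)."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 120 == 0xFF:          # ff00::/8
        return "multicast"
    if n >> 118 == 0x3FA:         # fe80::/10
        return "link-local"
    if n >> 118 == 0x3FB:         # fec0::/10, deprecated by RFC 3879
        return "site-local (deprecated)"
    if n >> 32 == 0xFFFF:         # ::ffff:0:0/96, IPv4-mapped
        return "ipv4-mapped"
    if n >> 121 == 0x7E:          # fc00::/7, RFC 4193 unique local
        return "unique-local"
    if n >> 125 == 0x1:           # 2000::/3
        return "global"
    return "other"


if __name__ == "__main__":
    mac = "00:08:74:98:ED:51"   # from the ifconfig output on page 612
    ll = link_local_from_mac(mac)
    print(ll, scope(ll), mac_from_address(ll))
```

A host with privacy extensions enabled still has the EUI-64 address for incoming traffic, so a defender auditing exposure should list both and check which one outgoing connections actually use.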
  • Page 575 system is guaranteed where there is a dual stack implementation of both protocols. That still leaves the question of how an IPv6 enabled host should communicate with an IPv4 host and how IPv6 packets should be transported by the current networks, which are predominantly IPv4 based.
  • Page 576 30.2.4 Configuring IPv6 To configure IPv6, you do not normally need to make any changes on the individual workstations. IPv6 is enabled by default. You can disable it during installation in the network configuration step described in Section 3.11.3, “Network” (page 33).
  • Page 577: Name Resolution

    IPv6 Essentials A book describing all the important aspects of the topic is IPv6 Essentials by Silvia Hagen (ISBN 0-596-00125-8). 30.3 Name Resolution DNS assists in assigning an IP address to one or more names and assigning a name to an IP address.
  • Page 578: Configuring A Network Connection With Yast

    For your machine to resolve an IP address, it must know about at least one name server and its IP address. Easily specify such a name server with the help of YaST. If you have a modem dial-up connection, you may not need to configure a name server manually at all.
  • Page 579 check Traditional Method with ifup and click Next. To use NetworkManager, check User Controlled with NetworkManager and click Next. Find detailed information about NetworkManager in Section 30.5, “Managing Network Connections with NetworkMan- ager” (page 578). NOTE: Network Method and Xen NetworkManager does not work with Xen.
  • Page 580 Address Setup dialog appears in which to adjust the card configuration using the Address and General tabs. For information about wireless card configuration, see Section 29.1.3, “Configuration with YaST” (page 534). Configuring IP Addresses When possible, wired network cards available during installation are automatically configured to use automatic address setup, DHCP.
  • Page 581 Configuring Aliases One network device can have multiple IP addresses, called aliases. To set an alias for your network card, proceed as follows: 1 Select a card from the list of detected cards in the YaST network card configura- tion module and click Edit. 2 In the Address tab, choose Advanced >...
  • Page 582 3 To disable DHCP-driven host name configuration, deselect Change Hostname via DHCP. 4 Enter Hostname and, if it is needed, Domain Name. 5 To disable DHCP driven updates of the name server list, deselect Update Name Servers and Search List via DHCP. 6 Enter the name servers and domain search list.
  • Page 583 1 Select a card from the list of detected cards in the YaST network card configura- tion module and click Edit. 2 In the Address tab, click Advanced > Hardware Details. 3 In Options, enter the parameters for your network card. If two cards are configured that use the same module, these parameters are used for both.
  • Page 584 3 Determine the firewall zone to which your interface should be assigned. The following options are available: Firewall Disabled The firewall is not run at all. Only use this option if your machine is part of a greater network that is protected by an outer firewall. Internal Zone (Unprotected) The firewall is run, but does not enforce any rules to protect this interface.
  • Page 585 Hardware Configuration Name specifies the name of the /etc/sysconfig/ hardware/hwcfg-* file containing the hardware settings of your network card. This contains the name of the kernel module as well as the options needed to initialize the hardware. 3 Click Next. 4 In the Address tab, set the device type of the interface, the configuration name, and IP address.
  • Page 586 TIP: CDMA and GPRS Modems Configure supported CDMA and GPRS modems with the YaST modem module just as you would configure regular modems. Figure 30.4 Modem Configuration If behind a private branch exchange (PBX), you may need to enter a dial prefix. This is often a zero.
  • Page 587 In the next dialog, select the ISP (Internet service provider). To choose from a predefined list of ISPs operating in your country, select Country. Alternatively, click New to open a dialog in which to provide the data for your ISP. This includes a name for the dial-up connection and ISP as well as the login and password provided by your ISP.
  • Page 588 30.4.3 ISDN TIP: IBM System z: ISDN The configuration of this type of hardware is not supported on IBM System z platforms. Use this module to configure one or several ISDN cards for your system. If YaST did not detect your ISDN card, click Add and manually select it. Multiple interfaces are possible, and several ISPs can be configured for one interface.
  • Page 589 you to load the ISDN driver as root with the command rcisdn start. On Hotplug, used for PCMCIA or USB devices, loads the driver after the device is plugged in. When finished with these settings, select OK. In the next dialog, specify the interface type for your ISDN card and add ISPs to an existing interface.
  • Page 590 1. Smaller private branch exchanges (PBX) built for home purposes mostly use the Euro-ISDN (EDSS1) protocol for internal calls. These exchanges have an internal S0 bus and use internal numbers for the equipment connected to them. Use one of the internal numbers as your MSN. You should be able to use at least one of the exchange's MSNs that have been enabled for direct outward dialing.
  • Page 591 still need to provide a placeholder address like 192.168.22.99. If your ISP does not support dynamic DNS, specify the name server IP addresses of the ISP. If desired, specify a time-out for the connection—the period of network inactivity (in seconds) after which the connection should be automatically terminated.
  • Page 592 To configure your DSL device, select the DSL module from the YaST Network Devices section. This YaST module consists of several dialogs in which to set the parameters of DSL links based on one of the following protocols: • PPP over Ethernet (PPPoE) •...
  • Page 593 Figure 30.7 DSL Configuration To begin the DSL configuration (see Figure 30.7, “DSL Configuration” (page 575)), first select the PPP mode and the ethernet card to which the DSL modem is connected (in most cases, this is eth0). Then use Device Activation to specify whether the DSL link should be established during the boot process.
  • Page 594 The configuration of T-DSL is very similar to the DSL setup. Just select T-Online as your provider and YaST opens the T-DSL configuration dialog. In this dialog, provide some additional information required for T-DSL—the line ID, the T-Online number, the user code, and your password. All of these should be included in the information you received after subscribing to T-DSL.
  • Page 595 Choose the Device Settings that fit your devices (usually this would be Compatibility mode). Specify both your IP address and the IP address of the remote partner. If needed, adjust the MTU size with Advanced > Detailed Settings. Leave the network configuration with Next and Finish.
  • Page 596: Managing Network Connections With Networkmanager

    30.5 Managing Network Connections with NetworkManager NetworkManager is the ideal solution for a mobile workstation. With NetworkManager, you do not need to worry about reconfiguring network interfaces and switching between networks when your location changes. NetworkManager can automatically connect to known WLAN networks.
  • Page 597 the network configuration with YaST in Section 30.4, “Configuring a Network Connec- tion with YaST” (page 560) and Section 29.1, “Wireless LAN” (page 529). Configure supported wireless cards directly in NetworkManager. To configure NetworkManager, use NetworkManager applets. KDE and GNOME each have their own applets for NetworkManager.
  • Page 598: Configuring A Network Connection Manually

    30.5.2 For More Information Find more information about NetworkManager on the following Web sites and directo- ries: • http://www.gnome.org/projects/NetworkManager/—NetworkMan- ager project page • http://en.opensuse.org/Projects/KNetworkManager—Network- Manager KNetworkManager project page 30.6 Configuring a Network Connection Manually Manual configuration of the network software should always be the last alternative. Using YaST is recommended.
  • Page 599 with which they are associated. Because the former mapping of drivers to interface name required static interface names, this mapping can no longer take place in /etc/ modprobe.conf. In the new concept, alias entries in this file would cause undesirable side effects.
  • Page 600 external, internal, or dmz. Make sure that the same interface name is not used twice. Allowed characters in interface names are restricted to [a-zA-Z0-9]. A persistent name can only be assigned to an interface immediately after its regis- tration, which means that the driver of the network card must be reloaded or hwup device description must be executed.
  • Page 601: Configuration Files

    (Configuration Stage / Command / Function) Interface / getcfg: getcfg can be used to query the interface name associated with a configuration name or a hardware description. More information is available in the manual page of getcfg. Interface / if{up,down,status}: The if* scripts start existing network interfaces or return the status of the specified interface.
  • Page 602 ►zseries: IBM System z does not support USB. The names of the interface files and network aliases contain System z-specific elements like qeth. ◄ /etc/sysconfig/network/config, dhcp, wireless The file config contains general settings for the behavior of ifup, ifdown, and ifstatus.
  • Page 603 An (optional) fifth column can be used to specify the type of a route. Columns that are not needed should contain a minus sign - to ensure that the parser correctly interprets the command. For details, refer to the routes(5) man page. /etc/resolv.conf The domain to which the host belongs is specified in this file (keyword search).
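The following Python parser is an added example, not part of the manual or of SUSE's ifup scripts. It reads the column layout page 603 describes for /etc/sysconfig/network/routes (destination, gateway, netmask, interface, optional type, with a minus sign for an unused column) and renders each entry as the equivalent ip route command. The sample file content is constructed, the accepted type names are the ones the kernel's routing code understands, and the rendering to ip route is this example's own, not a transcription of what ifup-route runs.

```python
"""Added example: parse the /etc/sysconfig/network/routes format.

Not from the SUSE manual. Columns: destination gateway netmask interface
[type]; "-" marks an unused column; comments start with "#".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample file content.
SAMPLE_ROUTES = """\
# Destination    Gateway         Netmask           Device   Type
default          192.168.0.1     -                 eth0
10.20.0.0        -               255.255.248.0     eth0
192.168.100.0    192.168.0.254   255.255.255.0     -
172.16.0.0/12    -               -                 -        blackhole
"""

ROUTE_TYPES = {"unicast", "unreachable", "blackhole", "prohibit", "throw"}


@dataclass
class Route:
    destination: str            # "default" or a network in CIDR form
    gateway: Optional[str]
    interface: Optional[str]
    rtype: Optional[str]


def _col(value: str) -> Optional[str]:
    """A minus sign means the column is not used."""
    return None if value == "-" else value


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if not 4 <= len(cols) <= 5:
            raise ValueError(f"line {lineno}: expected 4 or 5 columns, got {len(cols)}")
        dest, gw, mask, dev = (_col(c) for c in cols[:4])
        rtype = _col(cols[4]) if len(cols) == 5 else None
        if rtype is not None and rtype not in ROUTE_TYPES:
            raise ValueError(f"line {lineno}: unknown route type {rtype!r}")
        if dest is None:
            raise ValueError(f"line {lineno}: destination is required")
        if dest != "default":
            # Netmask may come from column 3 or from a /prefix on the destination.
            net = ipaddress.IPv4Network(dest if mask is None else f"{dest}/{mask}")
            dest = str(net)     # strict parsing rejects host bits set in a network
        if gw is not None:
            ipaddress.IPv4Address(gw)   # raises ValueError on garbage
        if gw is None and dev is None and rtype is None:
            raise ValueError(f"line {lineno}: route needs a gateway, an interface, or a type")
        routes.append(Route(dest, gw, dev, rtype))
    return routes


def to_ip_commands(routes: List[Route]) -> List[str]:
    """Render parsed routes as ip route add commands (this example's mapping)."""
    cmds = []
    for r in routes:
        parts = ["ip", "route", "add"]
        if r.rtype:
            parts.append(r.rtype)
        parts.append(r.destination)
        if r.gateway:
            parts += ["via", r.gateway]
        if r.interface:
            parts += ["dev", r.interface]
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    for cmd in to_ip_commands(parse_routes(SAMPLE_ROUTES)):
        print(cmd)
```

Validating every column before anything is applied is the point: a stray token in a routes file otherwise surfaces only as a half-applied routing table at boot, and a route whose gateway, device and type columns are all empty is exactly the kind of entry the "-" placeholder rule makes easy to write by accident.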
  • Page 604 YaST uses the command modify_resolvconf check to find out whether resolv .conf has been modified and subsequently warns the user that changes will be lost after restoring the file. Apart from this, YaST does not rely on modify_resolvconf, which means that the impact of changing resolv.conf through YaST is the same as that of any manual change.
  • Page 605 current glibc programs, refer to the settings in /etc/nsswitch.conf. A parameter must always stand alone in its own line. Comments are preceded by a # sign. Table 30.6, “Parameters for /etc/host.conf” (page 587) shows the parameters available. A sample /etc/host.conf is shown in Example 30.8, “...
  • Page 606 /etc/nsswitch.conf The introduction of the GNU C Library 2.0 was accompanied by the introduction of the Name Service Switch (NSS). Refer to the nsswitch.conf(5) man page and The GNU C Library Reference Manual for details. The order for queries is defined in the file /etc/nsswitch.conf. A sample nsswitch.conf is shown in Example 30.9, “/etc/nsswitch.conf”...
  • Page 607 For hostnames and IP addresses, used by gethostbyname hosts and similar functions. Valid host and user lists in the network for the purpose of netgroup controlling access permissions; see the netgroup(5) man page. Network names and addresses, used by getnetent. networks User passwords, used by getpwent;...
  • Page 608 /etc/nscd.conf This file is used to configure nscd (name service cache daemon). See the nscd(8) and nscd.conf(5) man pages. By default, the system entries of passwd and groups are cached by nscd. This is important for the performance of directory services, like NIS and LDAP, because otherwise the network connection needs to be used for every access to names or groups.
  • Page 609 link This object represents a network device. address This object represents the IP address of a device. neighbour This object represents an ARP or NDISC cache entry. route This object represents a routing table entry. rule This object represents a rule in the routing policy database. maddress This object represents a multicast address.
  • Page 610 To display all devices, use ip link ls. To display the running interfaces only, use ip link ls up. To print interface statistics for a device, enter ip -s link ls device_name. To view addresses of your devices, enter ip addr. In the output of the ip addr, also find information about MAC addresses of your devices.
  • Page 611 Example 30.10 Output of the Command ping
    ping -c 3 example.com
    PING example.com (130.57.5.75) 56(84) bytes of data.
    64 bytes from example.com (130.57.5.75): icmp_seq=1 ttl=49 time=188 ms
    64 bytes from example.com (130.57.5.75): icmp_seq=2 ttl=49 time=184 ms
    64 bytes from example.com (130.57.5.75): icmp_seq=3 ttl=49 time=183 ms
    --- example.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2007ms
    rtt min/avg/max/mdev = 183.417/185.447/188.259/2.052 ms...
  • Page 612 Example 30.11 Output of the ifconfig Command
    eth0      Link encap:Ethernet  HWaddr 00:08:74:98:ED:51
              inet6 addr: fe80::208:74ff:fe98:ed51/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:634735 errors:0 dropped:0 overruns:4 frame:0
              TX packets:154779 errors:0 dropped:0 overruns:0 carrier:1
              collisions:0 txqueuelen:1000
              RX bytes:162531992 (155.0 Mb)  TX bytes:49575995 (47.2 Mb)
              Interrupt:11 Base address:0xec80
              Link encap:Local Loopback
              inet addr:127.0.0.1
  • Page 613 Example 30.12 Output of the route -n Command route -n Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.20.0.0 255.255.248.0 0 eth0 link-local 255.255.0.0 0 eth0 loopback 255.0.0.0 0 lo default styx.exam.com 0.0.0.0 0 eth0 For more options and information about using route, enter route -h or see the route (8) man page.
  • Page 614: Smpppd As Dial-Up Assistant

    /etc/init.d/ypserv: Starts the NIS server. /etc/init.d/ypbind: Starts the NIS client. 30.7 smpppd as Dial-up Assistant Most home users do not have a dedicated line connecting them to the Internet. Instead, they use dial-up connections. Depending on the dial-up method (ISDN or DSL), the connection is controlled by ipppd or pppd.
  • Page 615 bind-address = ip address If a host has several IP addresses, use this parameter to determine at which IP ad- dress smpppd should accept connections. The default is to listen at all addresses. host-range = min ip max ip The parameter host-range defines a network range. Hosts whose IP addresses are within this range are granted access to smpppd.
  • Page 616 server = server Here, specify the host on which smpppd runs. password = password Insert the password selected for smpppd. If smpppd is active, you can now try to access it, for example, with cinternet --verbose --interface-list. If you experience difficulties at this point, refer to the smpppd-c.conf(5) and cinternet(8) man pages.
  • Page 617: 1 Slp Services In The Network

    SLP Services in the Network The service location protocol (SLP) was developed to simplify the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network.
  • Page 618: Slp Front-Ends In Suse Linux Enterprise

    rcslpd start as root to start it and rcslpd stop to stop it. Perform a restart or status check with restart or status. If slpd should be active by default, enable slpd in YaST System > System Services (Runlevel) or run the insserv slpd command once as root.
  • Page 619: Providing Services With Slp

    31.4 Providing Services with SLP Many applications in SUSE Linux Enterprise already have integrated SLP support through the use of the libslp library. If a service has not been compiled with SLP support, use one of the following methods to make it available with SLP: Static Registration with /etc/slp.reg.d Create a separate registration file for each new service.
  • Page 620: For More Information

    Static Registration with /etc/slp.reg The only difference from the procedure with /etc/slp.reg.d is the grouping of all services within a central file. Dynamic Registration with slptool If a service should be registered for SLP from proprietary scripts, use the slptool command line front-end.
  • Page 621: 2 Time Synchronization With Ntp

    Time Synchronization with NTP NTP (network time protocol) is a protocol for synchronizing the system time over the network. First, a machine can obtain the time from a server that is a reliable time source. Second, a machine can itself act as a time source for other computers in the network.
  • Page 622 firewall-protected system, the advanced configuration can open the required ports in SuSEfirewall2. 32.1.1 Quick NTP Client Configuration The quick NTP client configuration (Network Services > NTP Configuration) consists of two dialogs. Set the start mode of xntpd and the server to query in the first dialog. To start xntpd automatically when the system is booted, click During Boot.
  • Page 623 dialog, test the availability of the selected server with Test and quit the dialog with Finish. 32.1.2 Advanced NTP Client Configuration The advanced configuration of an NTP client can be accessed under Advanced Confi- guration from the main dialog of the NTP Configuration module, shown in Figure 32.1, “YaST: Configuring an NTP Client”...
  • Page 624 The servers and other time sources for the client to query are listed in the lower part. Modify this list as needed with Add, Edit, and Delete. Display Log provides the possi- bility to view the log files of your client. Click Add to add a new source of time information.
  • Page 625: Configuring Xntp In The Network

    32.2 Configuring xntp in the Network The easiest way to use a time server in the network is to set server parameters. For example, if a time server called ntp.example.com is reachable from the network, add its name to the file /etc/ntp.conf by adding the line server ntp.example.com. On a host reachable from untrusted networks, pair such server lines with restrict statements (for example restrict default kod nomodify notrap nopeer noquery) so that xntpd answers time requests but does not accept configuration changes or monitoring queries from arbitrary clients.
  • Page 626 Normally, the individual drivers have special parameters that describe configuration details. The file /usr/share/doc/packages/xntp-doc/html/driverNN .htm (where NN is the number of the driver) provides information about the particular type of clock. For example, the “type 8” clock (radio clock over serial interface) requires an additional mode that specifies the clock more precisely.
  • Page 627: 3 The Domain Name System

    The Domain Name System DNS (domain name system) is needed to resolve the domain names and hostnames into IP addresses. In this way, the IP address 192.168.0.1 is assigned to the hostname earth, for example. Before setting up your own name server, read the general information about DNS in Section 30.3, “Name Resolution”...
  • Page 628: Configuration With Yast

    (not expired) zone data. If the slave cannot obtain a new copy of the zone data, it stops responding for the zone. Forwarder Forwarders are DNS servers to which your DNS server should send queries it cannot answer. Record The record is information about name and IP address. Supported records and their syntax are described in BIND documentation.
  • Page 629 1 When starting the module for the first time, the Forwarder Settings dialog, shown Figure 33.1, “DNS Server Installation: Forwarder Settings” (page 611), opens. In it, decide whether the PPP daemon should provide a list of forwarders on dial- up via DSL or ISDN (PPP Daemon Sets Forwarders) or whether you want to supply your own list (Set Forwarders Manually).
  • Page 630 Figure 33.2 DNS Server Installation: DNS Zones 3 In the final dialog, you can open the DNS port in the firewall by clicking Open Port in Firewall. Then decide whether or not the DNS server should be started (On or Off). You can also activate LDAP support. See Figure 33.3, “DNS Server Installation: Finish Wizard”...
  • Page 631 Figure 33.3 DNS Server Installation: Finish Wizard 33.2.2 Expert Configuration After starting the module, YaST opens a window displaying several configuration options. Completing it results in a DNS server configuration with the basic functions in place: Starting the DNS Server Under Service Start, define whether the DNS server should be started when the system boots (during booting the system) or manually.
  • Page 632 DNS Server: Basic Options In this section, set basic server options. From the Option menu, select the desired item then specify the value in the corresponding entry field. Include the new entry by selecting Add. Logging To set what the DNS server should log and how, select Logging. Under Log Type, specify where the DNS server should write the log data.
  • Page 633 Using ACLs Use this window to define ACLs (access control lists) to enforce access restrictions. After providing a distinct name under Name, specify an IP address (with or without netmask) under Value in the following fashion: { 10.10/16; } The syntax of the configuration file requires that the address ends with a semicolon and is put into curly braces.
  • Page 634 Figure 33.5 DNS Server: Slave Zone Editor Adding a Master Zone To add a master zone, select DNS Zones, choose the zone type Master, write the name of the new zone, and click Add. Editing a Master Zone To edit a master zone, select DNS Zones, choose the zone type Master, select the master zone from the table, and click Edit.
  • Page 635 Figure 33.6 DNS Server: Zone Editor (Basic) Zone Editor (NS Records) This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under Name Server to Add then confirm with Add.
  • Page 636 Figure 33.7 DNS Server: Zone Editor (NS Records) Zone Editor (MX Records) To add a mail server for the current zone to the existing list, enter the corresponding address and priority value. After doing so, confirm by selecting Add. See Figure 33.8, “DNS Server: Zone Editor (MX Records)”...
  • Page 637 Figure 33.8 DNS Server: Zone Editor (MX Records) Zone Editor (SOA) This page allows you to create SOA (start of authority) records. For an explanation of the individual options, refer to Example 33.6, “File /var/lib/named/world.zone” (page 627). Changing SOA records is not supported for dynamic zones managed via LDAP.
  • Page 638: Starting The Name Server Bind

    Figure 33.9 DNS Server: Zone Editor (SOA) Zone Editor (Records) This dialog manages name resolution. In Record Key, enter the hostname then select its type. A-Record represents the main entry. The value for this should be an IP address. CNAME is an alias. Use the types NS and MX for detailed or partial records that expand on the information provided in the NS Records and MX Records tabs.
  • Page 639 a proper DNS. A simple example of this is included in the documentation in /usr/share/doc/packages/bind/sample-config. TIP: Automatic Adaptation of the Name Server Information Depending on the type of Internet connection or the network connection, the name server information can automatically be adapted to the current conditions. To do this, set the variable MODIFY_NAMED_CONF_DYNAMICALLY in the file /etc/sysconfig/network/config to yes.
  • Page 640: The Configuration File /Etc/Named.conf

    The options entry is followed by entries for the zone, localhost, and 0.0.127.in-addr.arpa. The type hint entry under “.” should always be present. The corresponding files do not need to be modified and should work as they are. Also make sure that each entry is closed with a “;” and that the curly braces are in the correct places.
  • Page 641 Example 33.2 A Basic /etc/named.conf options { directory "/var/lib/named"; forwarders { 10.0.0.1; }; notify no; }; zone "localhost" in { type master; file "localhost.zone"; }; zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; }; zone "." in { type hint; file "root.hint"; }; 33.4.1 Important Configuration Options directory "filename";...
  • Page 642 127.0.0.1 to permit requests from the local host. If you omit this entry entirely, all interfaces are used by default. listen-on-v6 port 53 {any; }; Tells BIND on which port it should listen for IPv6 client requests. The only alternative to any is none.
  • Page 643 notify no; no prevents other name servers from being informed when changes are made to the zone data or when the name server is restarted. 33.4.2 Logging What, how, and where logging takes place can be extensively configured in BIND. Normally, the default settings should be sufficient.
  • Page 644: Zone Files

    The zone options: type master; By specifying master, tell BIND that the zone is handled by the local name server. This assumes that a zone file has been created in the correct format. type slave; This zone is transferred from another name server. It must be used together with masters.
  • Page 645 TIP: Using the Dot in Zone Files The . has an important meaning in the zone files. If hostnames are given without a final ., the zone is appended. Complete hostnames specified with a full domain name must end with a . to avoid having the domain added to it again.
  • Page 646 • After IN SOA is the name of the name server in charge as master for this zone. The name is expanded from gateway to gateway.world.cosmos, because it does not end with a .. • An e-mail address of the person in charge of this name server follows. Because the @ sign already has a special meaning, .
  • Page 647 Line 10: The MX record specifies the mail server that accepts, processes, and forwards e-mails for the domain world.cosmos. In this example, this is the host sun.world.cosmos. The number in front of the hostname is the preference value. If there are multiple MX entries, the mail server with the smallest value is taken first and, if mail delivery to this server fails, an attempt is made with the next higher value.
  • Page 648 The pseudodomain in-addr.arpa is used for the reverse lookup of IP addresses into hostnames. It is appended to the network part of the address in reverse notation. So 192.168.1 is resolved into 1.168.192.in-addr.arpa. See Example 33.7, “Reverse Lookup” (page 630). Example 33.7 Reverse Lookup $TTL 2D 1.168.192.in-addr.arpa.
  • Page 649: Dynamic Update Of Zone Data

    the . at the end. Appending the zone to this (without the .in-addr.arpa) results in the complete IP address in reverse order. Normally, zone transfers between different versions of BIND should be possible without any problem. 33.6 Dynamic Update of Zone Data The term dynamic update refers to operations by which entries in the zone files of a master server are added, changed, or deleted.
  • Page 650 The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files. To use it for transactions, the second file (Khost1-host2.+157+34265.key) must be transferred to the remote host, preferably in a secure way (using scp, for example). On the remote server, the key must be included in the file /etc/named.conf to enable a secure communication between host1 and host2: key host1-host2.
  • Page 651: Dns Security

    33.8 DNS Security DNSSEC, or DNS security, is described in RFC 2535. The tools available for DNSSEC are discussed in the BIND Manual. A zone considered secure must have one or several zone keys associated with it. These are generated with dnssec-keygen, just like the host keys. The DSA encryption algorithm is currently used to generate these keys.
  • Page 653: 34 DHCP

    DHCP The purpose of the dynamic host configuration protocol (DHCP) is to assign network settings centrally from a server rather than configuring them locally on each and every workstation. A host configured to use DHCP does not have control over its own static address.
  • Page 654: Configuring A Dhcp Server With Yast

    uring numerous workstations. Also it is much easier to integrate machines, particularly new machines, into the network, because they can be given an IP address from the pool. Retrieving the appropriate network settings from a DHCP server is especially useful in the case of laptops regularly used in different networks.
  • Page 655 Figure 34.1 DHCP Server: Card Selection Global Settings Use the check box to determine whether your DHCP settings should be automati- cally stored by an LDAP server. In the entry fields, provide the network specifics for all clients the DHCP server should manage. These specifics are the domain name, address of a time server, addresses of the primary and secondary name server, addresses of a print and a WINS server (for a mixed network with both Windows and Linux clients), gateway address, and lease time.
  • Page 656 Figure 34.2 DHCP Server: Global Settings Dynamic DHCP In this step, configure how dynamic IP addresses should be assigned to clients. To do so, specify an IP range from which the server can assign addresses to DHCP clients. All these addresses must be covered by the same netmask. Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease.
  • Page 657 Figure 34.3 DHCP Server: Dynamic DHCP Finishing the Configuration and Setting the Start Mode After the third part of the configuration wizard, a last dialog is shown in which you can define how the DHCP server should be started. Here, specify whether to start the DHCP server automatically when the system is booted or manually when needed (for example, for test purposes).
  • Page 658 Figure 34.4 DHCP Server: Start-Up Host Management Instead of using dynamic DHCP in the way described in the preceding sections, you can also configure the server to assign addresses in quasi-static fashion. To do so, use the entry fields provided in the lower part to specify a list of the clients to manage in this way.
  • Page 659 Figure 34.5 DHCP Server: Host Management 34.1.2 Expert Configuration In addition to the configuration method discussed earlier, there is also an expert configuration mode that allows you to tweak the DHCP server setup in every detail. Start the expert configuration by selecting Expert Settings in the tree view in the left part of the dialog.
  • Page 660 Figure 34.6 DHCP Server: Chroot Jail and Declarations Selecting the Declaration Type The Global Options of the DHCP server are made up of a number of declarations. This dialog lets you set the declaration types Subnet, Host, Shared Network, Group, Pool of Addresses, and Class.
  • Page 661 Figure 34.7 DHCP Server: Selecting a Declaration Type Subnet Configuration This dialog allows you to specify a new subnet with its IP address and netmask. In the middle part of the dialog, modify the DHCP server start options for the selected subnet using Add, Edit, and Delete.
  • Page 662 Figure 34.8 DHCP Server: Configuring Subnets TSIG Key Management If you chose to configure dynamic DNS in the previous dialog, you can now configure the key management for a secure zone transfer. Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS (see Figure 34.10, “DHCP Server: Interface Configuration for Dynamic DNS”...
  • Page 663 Figure 34.9 DHCP Server: TSIG Configuration Dynamic DNS: Interface Configuration You can now activate dynamic DNS for the subnet by selecting Enable Dynamic DNS for This Subnet. After doing so, use the drop-down list to choose the TSIG keys for forward and reverse zones, making sure that keys are the same for the DNS and the DHCP server.
  • Page 664 Figure 34.10 DHCP Server: Interface Configuration for Dynamic DNS Network Interface Configuration To define the interfaces where the DHCP server should listen and to adjust the firewall configuration, select Advanced > Interface Configuration from the expert configuration dialog. From the list of interfaces displayed, select one or more that should be attended by the DHCP server.
  • Page 665: Dhcp Software Packages

    Figure 34.11 DHCP Server: Network Interface and Firewall After completing all configuration steps, close the dialog with Ok. The server is now started with its new configuration. 34.2 DHCP Software Packages Both a DHCP server and DHCP clients are available for SUSE Linux Enterprise. The DHCP server available is dhcpd (published by the Internet Software Consortium).
  • Page 666: The Dhcp Server Dhcpd

    34.3 The DHCP Server dhcpd The core of any DHCP system is the dynamic host configuration protocol daemon. This server leases addresses and watches how they are used, according to the settings defined in the configuration file /etc/dhcpd.conf. By changing the parameters and values in this file, a system administrator can influence the program's behavior in numerous ways.
  • Page 667 before setting up DHCP. That name server should also define a hostname for each dynamic address and vice versa. To learn how to configure your own name server, read Chapter 33, The Domain Name System (page 609). • The line option broadcast-address defines the broadcast address the requesting client should use.
  • Page 668 there were not enough addresses available and the server needed to redistribute them among clients. To identify a client configured with a static address, dhcpd uses the hardware address, which is a globally unique, fixed numerical code consisting of six octet pairs for the identification of all network devices (for example, 00:00:45:12:EE:F4).
  • Page 669: For More Information

    Control the server's behavior regarding this feature by means of entries in the file /etc/sysconfig/dhcpd. To run dhcpd without the chroot environment, set the variable DHCPD_RUN_CHROOTED in /etc/sysconfig/dhcpd to “no”. To enable dhcpd to resolve hostnames even from within the chroot environment, some other configuration files must be copied as well: •...
  • Page 671: 35 Using NIS

    Using NIS As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to users: whatever machines they use, they always find themselves in exactly the same environment.
  • Page 672 and set up slave servers in the subnets as described in Section 35.1.2, “Configuring a NIS Slave Server” (page 658). 35.1.1 Configuring a NIS Master Server To configure a NIS master server for your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers, select Install and set up NIS Master Server.
  • Page 673 Enter the NIS domain name. 3b Define whether the host should also be a NIS client, enabling users to log in and access data from the NIS server, by selecting This host is also a NIS client. Select Changing of passwords to allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd).
  • Page 674 3e Leave this dialog with Next or click Other global settings to make additional settings. Other global settings include changing the source directory of the NIS server (/etc by default). In addition, passwords can be merged here. The setting should be Yes so the files (/etc/passwd, /etc/shadow, and /etc/group) are used to build the user database.
  • Page 675 Figure 35.4 NIS Server Maps Setup 7 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. In this case, there should be the following two entries: 255.0.0.0 127.0.0.0...
  • Page 676 Figure 35.5 Setting Request Permissions for a NIS Server 8 Click Finish to save changes and exit the setup. 35.1.2 Configuring a NIS Slave Server To configure additional NIS slave servers in your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 Select Install and set up NIS Slave Server and click Next.
  • Page 677: Configuring Nis Clients

    3c Set This host is also a NIS client if you want to enable user logins on this server. 3d Adapt the firewall settings with Open Ports in Firewall. 3e Click Next. 4 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button.
  • Page 678 In the expert settings, disable Answer Remote Hosts if you do not want other hosts to be able to query which server your client is using. By checking Broken Server, the client is enabled to receive replies from a server communicating through an unprivileged port. For further information, see man ypbind.
  • Page 679: 36 LDAP—A Directory Service

    LDAP—A Directory Service The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
  • Page 680: Ldap Versus Nis

    • Because write accesses can only be executed in a restricted fashion, a directory service is used to administer mostly unchanging, static information. Data in a conventional database typically changes very often (dynamic data). Phone numbers in a company directory do not change nearly as often as, for example, the figures administered in accounting.
  • Page 681: Structure Of An Ldap Directory Tree

    • Mail routing (postfix, sendmail) • Address books for mail clients, like Mozilla, Evolution, and Outlook • Administration of zone descriptions for a BIND9 name server • User authentication with Samba in heterogeneous networks This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.
  • Page 682 Figure 36.1 Structure of an LDAP Directory dc=example,dc=com ou=devel ou=doc ou=it cn=Tux Linux cn=Geeko Linux The complete diagram is a fictional directory information tree. The entries on three levels are depicted. Each entry corresponds to one box in the picture. The complete, valid distinguished name for the fictional employee Geeko Linux, in this case, is cn=Geeko Linux,ou=doc,dc=example,dc=com.
  • Page 683 Table 36.1 Commonly Used Object Classes and Attributes Object Class Meaning Example Entry Required Attributes dcObject domainComponent (name example components of the domain) organizationalUnit organizationalUnit (organizational unit) inetOrgPerson inetOrgPerson (person-related Geeko Linux sn and cn data for the intranet or Internet) Example 36.1, “Excerpt from schema.core ”...
  • Page 684: Server Configuration With Slapd.conf

    Line 2 gives a brief description of the attribute with DESC. The corresponding RFC on which the definition is based is also mentioned here. SUP in line 3 indicates a superordinate attribute type to which this attribute belongs. The definition of the object class organizationalUnit begins in line 4, like in the definition of the attribute, with an OID and the name of the object class.
  • Page 685 This first directive in slapd.conf, shown in Example 36.2, “slapd.conf: Include Directive for Schemes” (page 666), specifies the scheme by which the LDAP directory is organized. The entry core.schema is required. Additionally required schemes are appended to this directive. Find information in the included OpenLDAP documentation. Example 36.3 slapd.conf: pidfile and argsfile pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args...
  • Page 686 • what is a placeholder for the object or attribute to which access is granted. Individual directory branches can be protected explicitly with separate rules. It is also possible to process regions of the directory tree with one rule by using regular expressions.
  • Page 687 Scope of Access To objects for comparison access compare For the employment of search filters search Read access read Write access write slapd compares the access right requested by the client with those granted in slapd.conf. The client is granted access if the rules allow a higher or equal right than the requested one.
  • Page 688 Apart from the possibility to administer access permissions with the central server configuration file (slapd.conf), there is access control information (ACI). ACI allows storage of the access information for individual objects within the LDAP tree. This type of access control is not yet common and is still considered experimental by the developers.
  • Page 689 rootdn determines who owns administrator rights to this server. The user declared here does not need to have an LDAP entry or exist as regular user. rootpw sets the administrator password. Instead of using secret here, it is possible to enter the hash of the administrator password created by slappasswd. The directory directive indicates the directory in the file system where the database directories are stored on the server.
  • Page 690: Data Handling In The Ldap Directory

    The YaST runlevel editor, described in Section 19.2.3, “Configuring System Services (Runlevel) with YaST” (page 382), can be used to have the server started and stopped automatically on boot and halt of the system. It is also possible to create the corresponding links to the start and stop scripts with the insserv command from a command prompt as described in Section 19.2.2, “Init Scripts”...
  • Page 691 Example 36.7 Example for an LDIF File # The Organization dn: dc=example,dc=com objectClass: dcObject objectClass: organization o: Example dc: example # The organizational unit development (devel) dn: ou=devel,dc=example,dc=com objectClass: organizationalUnit ou: devel # The organizational unit documentation (doc) dn: ou=doc,dc=example,dc=com objectClass: organizationalUnit ou: doc # The organizational unit internal IT (it)
  • Page 692 Example 36.8 ldapadd with example.ldif ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif Enter LDAP password: adding new entry "dc=example,dc=com" adding new entry "ou=devel,dc=example,dc=com" adding new entry "ou=doc,dc=example,dc=com" adding new entry "ou=it,dc=example,dc=com" The user data of individuals can be prepared in separate LDIF files. Example 36.9, “LDIF Data for Tux”...
  • Page 693 Example 36.10 Modified LDIF File tux.ldif # coworker Tux dn: cn=Tux Linux,ou=devel,dc=example,dc=com changetype: modify replace: telephoneNumber telephoneNumber: +49 1234 567-10 Import the modified file into the LDAP directory with the following command: ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below: 1 Start ldapmodify and enter your password: ldapmodify -x -D cn=Administrator,dc=example,dc=com -W...
  • Page 694: Configuring An Ldap Server With Yast

    The -b option determines the search base—the section of the tree within which the search should be performed. In the current case, this is dc=example,dc=com. To perform a more finely-grained search in specific subsections of the LDAP directory (for example, only within the devel department), pass this section to ldapsearch with -b.
  • Page 695 Figure 36.2 YaST LDAP Server Configuration To set up an LDAP server for user account data, proceed as follows: 1 Log in as root. 2 Start YaST and select Network Services > LDAP Server. 3 Set LDAP to be started at system boot. 4 If the LDAP server should announce its services via SLP, check Register at an SLP Daemon.
  • Page 696 2 With Log Level Settings, configure the degree of logging activity (verbosity) of the LDAP server. From the predefined list, select or deselect the logging options according to your needs. The more options are enabled, the larger your log files grow.
  • Page 697 To configure the databases managed by your LDAP server, proceed as follows: 1 Select the Databases item in the left part of the dialog. 2 Click Add Database to add the new database. 3 Enter the requested data: Base DN Enter the base DN of your LDAP server.
  • Page 698 WARNING: Locked Accounts in Security Sensitive Environments Do not use the Disclose Account Locked Status option if your environ- ment is sensitive to security issues, because the “Locked Account” error message provides security sensitive information that can be exploited by a potential attacker. 4d Enter the DN of the default policy object.
  • Page 699: Configuring An Ldap Client With Yast

    3b Determine the time between a password expiration warning and the actual password expiration. 3c Set the number of grace uses of an expired password before the password expires entirely. 4 Configure the lockout policies: 4a Enable password locking. 4b Determine the number of bind failures that trigger a password lock. 4c Determine the duration of the password lock.
  • Page 700 36.6.1 Standard Procedure Background knowledge of the processes acting in the background of a client machine helps you understand how the YaST LDAP client module works. If LDAP is activated for network authentication or the YaST module is called, the packages pam_ldap and nss_ldap are installed and the two corresponding configuration files are adapted.
  • Page 701: Basic Configuration

    with the command getent passwd. The returned set should contain a survey of the local users of your system as well as all users stored on the LDAP server. To prevent regular users managed through LDAP from logging in to the server with ssh or login, the files /etc/passwd and /etc/group each need to include an additional line.
  • Page 702 Figure 36.3 YaST: Configuration of the LDAP Client To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows: 1 Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
  • Page 703 6 Select Start Automounter to mount remote directories on your client, such as a remotely managed /home. 7 Select Create Home Directory on Login to have a user's home automatically created on the first user login. 8 Click Finish to apply your settings. Figure 36.4 YaST: Advanced Configuration To modify data on the server as administrator, click Advanced Configuration.
  • Page 704 by crypt are used. For details on this and other options, refer to the pam_ldap man page. 1c Specify the LDAP group to use with Group Member Attribute. The default value for this is member. 2 In Administration Settings, adjust the following settings: 2a Set the base for storing your user management data via Configuration Base 2b Enter the appropriate value for Administrator DN.
  • Page 705 Configuring the YaST Group and User Administration Modules Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory.
  • Page 706 2 Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current schema but currently not used.
  • Page 707 Figure 36.6 YaST: Configuration of an Object Template Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template. The default values for an attribute can be created from other attributes by using a variable instead of an absolute value.
  • Page 708: Configuring Ldap Users And Groups In Yast

    36.7 Configuring LDAP Users and Groups in YaST The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following brief instructions relate to the administration of users. The procedure for administering groups is analogous. 1 Access the YaST user administration with Security &...
  • Page 709 Figure 36.7 YaST: Additional LDAP Settings The initial input form of user administration offers LDAP Options. This gives the possibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.
  • Page 710: Browsing The Ldap Directory Tree

    36.8 Browsing the LDAP Directory Tree To browse the LDAP directory tree and all its entries conveniently, use the YaST LDAP Browser: 1 Log in as root. 2 Start YaST > Network Services > LDAP Browser. 3 Enter the address of the LDAP server, the AdministratorDN, and the password for the RootDN of this server if you need both to read and write the data stored on the server.
  • Page 711: For More Information

    4 To view any of the entries in detail, select it in the LDAP Tree view and open the Entry Data tab. All attributes and values associated with this entry are displayed. Figure 36.9 Browsing the Entry Data 5 To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the RootDN password when prompted.
  • Page 712 OpenLDAP Faq-O-Matic A very rich question and answer collection concerning installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html. Quick Start Guide Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin22/quickstart.html or on an installed system in /usr/share/doc/packages/openldap2/admin-guide/quickstart.html.
  • Page 713: 37 Samba

    Samba Using Samba, a Unix machine can be configured as a file and print server for DOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or the configuration file.
  • Page 714 An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP. The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS.
  • Page 715: Starting And Stopping Samba

    37.2 Starting and Stopping Samba You can start or stop the Samba server automatically during boot or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 37.3.1, “Configuring a Samba Server with YaST” (page 697).
  • Page 716: Starting The Server

    Advanced Samba Configuration with YaST During the first start of the Samba server module, the Samba Server Configuration dialog appears directly after the Samba Server Installation dialog. Use it to adjust your Samba server configuration. After editing your configuration, click Finish to close the configuration. Starting the Server In the Start Up tab, configure the start of the Samba server.
  • Page 717: Configuring The Server Manually

    Using LDAP In the tab LDAP Settings, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click Test Connection. To set expert LDAP settings or use default values, click Advanced Settings. Find more information about LDAP configuration in Chapter 36, LDAP—A Directory Service...
  • Page 718 workgroup = TUX-NET This line assigns the Samba server to a workgroup. Replace TUX-NET with an appropriate workgroup of your networking environment. Your Samba server appears under its DNS name unless this name has been assigned to any other machine in the network.
  • Page 719 Shares The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients. [cdrom] To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.
  • Page 720 Example 37.2 homes Share [homes] comment = Home Directories valid users = %S browseable = No read only = No create mask = 0640 directory mask = 0750 [homes] As long as there is no other share using the share name of the user connecting to the SMB server, a share is dynamically generated using the [homes] share directives.
  • Page 721: Configuring Clients

    Security Levels To improve security, each share access can be protected with a password. SMB has three possible ways of checking the permissions: Share Level Security (security = share) A password is firmly assigned to a share. Everyone who knows this password has access to that share.
  • Page 722: Samba As Login Server

    selected with the mouse. If you activate Also Use SMB Information for Linux Authentication, the user authentication runs over the Samba server. After completing all settings, click Finish to finish the configuration. 37.4.2 Windows 9x and ME Windows 9x and ME already have built-in support for TCP/IP. However, this is not installed as the default.
  • Page 723: Samba Server In The Network With Active Directory

    version 3, this is now the default). In addition, it is necessary to prepare user accounts and passwords in an encryption format that conforms with Windows. Do this with the command smbpasswd -a name. Create the domain account for the computers, required by the Windows NT domain concept, with the following commands: Example 37.4 Setting Up a Machine Account useradd hostname\$...
  • Page 724 Join an existing AD domain during installation or by later activating SMB user authentication with YaST in the installed system. Domain join during installation is covered in Section 3.11.7, “Users” (page 38). To join an AD domain in a running system, proceed as follows: 1 Log in as root and start YaST.
  • Page 725: Migrating A Windows Nt Server To Samba

    Figure 37.2 Providing Administrator Credentials Your server is now set up to pull in all authentication data from the Active Directory domain controller. 37.7 Migrating a Windows NT Server to Samba Apart from the Samba and LDAP configuration, the migration of a Windows NT server to a SUSE Linux Enterprise Server Samba server consists of two basic steps.
  • Page 726 37.7.2 Preparing the Samba Server Before you start migration, configure your Samba server. Find configuration of profile, netlogon, and home shares in the Shares tab of the YaST Samba Server module. To change the default value, select the share and click Edit. To add LDAP configuration for your Samba server and the credentials of the LDAP administrator, use the LDAP Settings tab of the YaST Samba Server module.
  • Page 727: For More Information

    37.7.4 Migrating the Windows Accounts Procedure 37.2 The Account Migration Process 1 Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager. Samba must not be running. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd net rpc vampire -S NT4PDC -U administrator%passwd pdbedit -L 2 Assign each of the UNIX groups to NT groups:...
  • Page 728 The Samba HOWTO Collection provided by the Samba team includes a section about troubleshooting. In addition to that, Part V of the document provides a step-by-step guide to checking your configuration. You can find the Samba HOWTO Collection in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf after installing the package samba-doc. Find detailed information about LDAP and migration from Windows NT or 2000 in /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-*/doc, where * is your smbldap-tools version.
  • Page 729: 38 Sharing File Systems With NFS

    Sharing File Systems with NFS As mentioned in Chapter 35, Using NIS (page 653), NFS works with NIS to make a network transparent to the user. With NFS, it is possible to distribute file systems over the network. It does not matter at which terminal users are logged in. They always find themselves in the same environment.
  • Page 730: Importing File Systems With Yast

    38.2 Importing File Systems with YaST Users authorized to do so can mount NFS directories from an NFS server into their own file trees. This can be achieved most easily using the YaST module NFS Client. Just enter the hostname of the NFS server, the directory to import, and the mount point at which to mount this directory locally.
  • Page 731: Importing File Systems Manually

    38.3 Importing File Systems Manually File systems can easily be imported manually from an NFS server. The prerequisite for this is a running RPC port mapper, which can be started by entering rcportmap start as root. Once this prerequisite is met, remote exported file systems can be mounted in the file system just like local hard disks using the mount command in the following manner: mount host:remote-path local-path...
  • Page 732 system is given. This is a concept called pseudo file system, which is explained in Section 38.4.1, “Exporting for NFSv4 Clients” (page 716). 38.3.2 Using the Automount Service As well as the regular local device mounts, the autofs daemon can be used to mount remote file systems automatically too.
  • Page 733: Exporting File Systems With Yast

    38.4 Exporting File Systems with YaST With YaST, turn a host in your network into an NFS server—a server that exports directories and files to all hosts granted access to it. This could be done to provide applications to all members of a group without installing them locally on each and every host.
  • Page 734 and IP networks. For a more thorough explanation of these options, refer to the exports man page. Click Finish to complete the configuration. Figure 38.3 Configuring an NFS Server with YaST IMPORTANT: Automatic Firewall Configuration If a firewall is active on your system (SuSEfirewall2), YaST adapts its configuration for the NFS server by enabling the nfs service when Open Ports in Firewall is selected.
  • Page 735 (the default) if you do not have special requirements. For more information, see Section 38.7, “For More Information” (page 723). Click Next. The dialog that follows has two sections. The upper half consists of two columns named Directories and Bind mount targets. Directories is a directly editable column that lists the directories to export.
  • Page 736 In the small dialog that opens, enter the host wild card. There are four possible types of host wild cards that can be set for each host: a single host (name or IP address), netgroups, wild cards (such as * indicating all machines can access the server), and IP networks.
  • Page 737 Figure 38.5 Exporting Directories with NFSv2 and v3 38.4.3 Coexisting v3 and v4 Exports Both NFSv3 and NFSv4 exports can coexist on a server. After enabling the support for NFSv4 in the initial configuration dialog, those exports for which fsid=0 and bind=/target/path are not included in the option list are considered v3 exports.
  • Page 738: Exporting File Systems Manually

    38.5 Exporting File Systems Manually The configuration files for the NFS export service are /etc/exports and /etc/sysconfig/nfs. In addition to these files, /etc/idmapd.conf is needed for the NFSv4 server configuration. To start or restart the services, run the commands rcnfsserver restart and rcidmapd restart.
  • Page 739 binds to an existing subdirectory (/export/data) of the pseudo file system /export. The pseudo file system is the top level directory under which all file systems that need to be NFSv4 exported take their places. For a client or set of clients, there can only be one directory on the server configured as the pseudo root for export.
  • Page 740 Do not change these parameters unless you are sure of what you are doing. For further reference, read the man pages of idmapd and idmapd.conf: man idmapd, man idmapd.conf. Starting and Stopping Services After changing /etc/exports or /etc/sysconfig/nfs, start or restart the nfsserver service with rcnfsserver restart.
  • Page 741: Nfs With Kerberos

    38.6 NFS with Kerberos To use Kerberos authentication for NFS, GSS security must be enabled. To do so, select Enable GSS Security in the initial YaST dialog. Additionally complete the following steps: • Make sure that both the server and the client are in the same Kerberos domain. This means that they access the same KDC (Key Distribution Center) server and share their krb5.keytab file (the default location on any machine is /etc/krb5.keytab).
  • Page 743: 39 File Synchronization

    File Synchronization Today, many people use several computers—one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files and subsequently have the latest version of the data available on all computers.
  • Page 744 WARNING: Risk of Data Loss Before you start managing your data with a synchronization system, you should be well acquainted with the program used and test its functionality. A backup is indispensable for important files. The time-consuming and error-prone task of manually synchronizing data can be avoided by using one of the programs that use various methods to automate this job.
  • Page 745: Determining Factors For Selecting A Program

    39.2 Determining Factors for Selecting a Program There are some important factors to consider when deciding which program to use. 39.2.1 Client-Server versus Peer-to-Peer Two different models are commonly used for distributing data. In the first model, all clients synchronize their files with a central server. The server must be accessible by all clients at least occasionally.
  • Page 746 There is no conflict handling in rsync. The user is responsible for not accidentally overwriting files and manually resolving all possible conflicts. To be on the safe side, a versioning system like RCS can be additionally employed. 39.2.5 Selecting and Adding Files In CVS, new directories and files must be added explicitly using the command cvs add.
  • Page 747 39.2.9 User Friendliness rsync is rather easy to use and is also suitable for newcomers. CVS is somewhat more difficult to operate. Users should understand the interaction between the repository and local data. Changes to the data should first be merged locally with the repository. This is done with the command cvs update.
  • Page 748: Introduction To Cvs

    [Table fragment: comparison of CVS and rsync by file selection, history, hard disk space, difficulty, attacks (+ with ssh), and data loss] 39.3 Introduction to CVS CVS is suitable for synchronization purposes if individual files are edited frequently and are stored in a file format, such as ASCII text or program source text. The use of CVS for synchronizing data in other formats, such as JPEG files, is possible, but leads to large amounts of data, because all variants of a file are stored permanently on the CVS server.
  • Page 749 CVS_RSH=ssh CVSROOT=tux@server:/serverdir The command cvs init can be used to initialize the CVS server from the client side. This needs to be done only once. Finally, the synchronization must be assigned a name. Select or create a directory on the client exclusively to contain files to manage with CVS (the directory can also be empty).
  • Page 750 Start the synchronization with the server with cvs update. Update individual files or directories as in cvs update file1 directory1. To see the difference between the current files and the versions stored on the server, use the command cvs diff or cvs diff file1 directory1.
  • Page 751: Introduction To Rsync

    • http://www.cvshome.org/ • http://www.gnu.org/manual/ 39.4 Introduction to rsync rsync is useful when large amounts of data need to be transmitted regularly while not changing too much. This is, for example, often the case when creating backups. Another application concerns staging servers. These are servers that store complete directory trees of Web servers that are regularly mirrored onto a Web server in a DMZ.
  • Page 752 gid = nobody uid = nobody read only = true use chroot = no transfer logging = true log format = %h %o %f %l %b log file = /var/log/rsyncd.log [FTP] path = /srv/ftp comment = An Example Then start rsyncd with rcrsyncd start. rsyncd can also be started automatically during the boot process.
  • Page 753 A technical reference about the operating principles of rsync is featured in /usr/share/doc/packages/rsync/tech_report.ps. Find the latest news about rsync on the project Web site at http://rsync.samba.org/. If you want Subversion or other tools, download the SDK. Find it at http://developer.novell.com/wiki/index.php/SUSE_LINUX_SDK. File Synchronization...
  • Page 755: 40 The Apache HTTP Server

    The Apache HTTP Server With a share of more than 70%, the Apache HTTP Server (Apache) is the world's most widely-used Web server according to the November 2005 Survey from http://www.netcraft.com/. Apache, developed by the Apache Software Foundation (http://www.apache.org/), is available for most operating systems. SUSE® Linux Enterprise Server includes Apache version 2.2.
  • Page 756 2. The machine's exact system time is maintained by synchronizing with a time server. This is necessary because parts of the HTTP protocol depend on the correct time. See Chapter 32, Time Synchronization with NTP (page 603) to learn more about this topic.
  • Page 757: Configuring Apache

    If you have not received error messages when starting Apache, the Web server should be running now. Start a browser and open http://localhost/. You should see an Apache test page starting with “If you can see this, it means that the installation of the Apache Web server software on this system was successful.”...
  • Page 758 /etc/sysconfig/apache2 /etc/sysconfig/apache2 controls some global settings of Apache, like modules to load, additional configuration files to include, flags with which the server should be started, and flags that should be added to the command line. Every configuration option in this file is extensively documented and therefore not mentioned here. For a general- purpose Web server, the settings in /etc/sysconfig/apache2 should be sufficient for any configuration needs.
  • Page 759 |- vhosts.d |- *.conf Apache Configuration Files in /etc/apache2/ charset.conv Specifies which character sets to use for different languages. Do not edit. conf.d/*.conf Configuration files added by other modules. These configuration files can be included into your virtual host configuration where needed. See vhosts.d/vhost.template for examples.
  • Page 760 mime.types MIME types known by the system (this actually is a link to /etc/mime.types). Do not edit. If you need to add MIME types not listed here, add them to mod_mime-defaults.conf. mod_*.conf Configuration files for the modules that are installed by default. Refer to Section 40.4, “Installing, Activating, and Configuring Modules”...
  • Page 761 Virtual Host Configuration The term virtual host refers to Apache's ability to serve multiple URIs (universal resource identifiers) from the same physical machine. This means that several domains, such as www.example.com and www.example.net, are run by a single Web server on one physical machine.
  • Page 762 matching ServerName entry of one of the virtual host declarations. If no matching ServerName is found, the first specified virtual host is used as a default. The directive NameVirtualHost tells Apache on which IP address and, optionally, which port to listen for requests by clients containing the domain name in the HTTP header.
  • Page 763 Example 40.2 Name-Based VirtualHost Directives <VirtualHost 192.168.1.100:80> </VirtualHost> <VirtualHost 192.168.1.100> </VirtualHost> <VirtualHost *:80> </VirtualHost> <VirtualHost *> </VirtualHost> <VirtualHost [2002:c0a8:164::]> </VirtualHost> IP-Based Virtual Hosts This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP.
  • Page 764 Example 40.3 IP-Based VirtualHost Directives <VirtualHost 192.168.0.20> </VirtualHost> <VirtualHost 192.168.0.30> </VirtualHost> Here, VirtualHost directives are only specified for interfaces other than 192.168.0.10. When a Listen directive is also configured for 192.168.0.10, a separate IP-based virtual host must be created to answer HTTP requests to that interface—otherwise the directives found in the default server configuration (/etc/apache2/default-server.conf) are applied.
  • Page 765 CustomLog The access log file for this virtual host. Although it is not necessary to create separate access log files for each virtual host, it is common practice to do so, because it allows separate analysis of access statistics for each host. /var/log/apache2/ is the default directory where Apache's log files should be kept.
  • Page 766 40.2.2 Configuring Apache with YaST To configure your Web server with YaST, start YaST and select Network Services > HTTP Server. When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make just a few basic decisions concerning administration of the server.
  • Page 767 Default Host This option pertains to the default Web server. As explained in Section “Virtual Host Configuration” (page 743), Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host.
  • Page 768 The default SUSE Linux Enterprise Alias /icons points to /usr/share/apache2/icons for the Apache icons displayed in the directory index view. ScriptAlias Similar to the Alias directive, the ScriptAlias directive maps a URL to a file system location. The difference is that ScriptAlias designates the target directory as a CGI location, meaning that CGI scripts should be executed in that location.
  • Page 769: Virtual Hosts

    the HTTP header information the client sends. See Section “IP-Based Virtual Hosts” (page 745) for more details on IP-based virtual hosts. After finishing with the Default Host step, click Next to continue with the configuration. Virtual Hosts In this step, the wizard displays a list of already configured virtual hosts (see Section “Virtual Host Configuration”...
  • Page 770: HTTP Server Configuration

    Summary This is the final step of the wizard. Here, determine how and when the Apache server is started: when booting or manually. Also see a short summary of the configuration made so far. If you are satisfied with your settings, click Finish to complete configuration.
  • Page 771: Server Modules

    Listen Ports and Addresses In HTTP Service, select whether Apache should be running (Enabled) or stopped (Disabled). In Listen on Ports, Add, Edit, or Delete addresses and ports on which the server should be available. The default is to listen on all interfaces on port 80. You should always check Open Firewall on Selected Ports, because otherwise the Web server is not reachable from the outside.
  • Page 772: Starting And Stopping Apache

    Figure 40.4 HTTP Server Configuration: Server Modules Main Host or Hosts These dialogs are identical to the ones already described. Refer to Section “Default Host” (page 749) and Section “Virtual Hosts” (page 751). 40.3 Starting and Stopping Apache If configured with YaST (see Section 40.2.2, “Configuring Apache with YaST”...
  • Page 773 To start, stop, or manipulate Apache on a running system, use the init script /usr/sbin/rcapache2 (refer to Section 19.2.2, “Init Scripts” (page 378) for general information about init scripts). The rcapache2 command takes the following parameters: start Starts Apache if it is not already running. startssl Starts Apache with SSL support if it is not already running.
  • Page 774: Installing, Activating, And Configuring Modules

    probe Probes for the necessity of a reload (checks whether the configuration has changed) and suggests the required arguments for the rcapache2 command. server-status and full-server-status Dumps a short or full status screen, respectively. Requires either lynx or w3m installed as well as the module mod_status enabled.
  • Page 775: Module Installation

    Enterprise Server, they are available as shared objects that can be loaded into Apache at runtime. External Modules Modules labeled external are not included in the official Apache distribution. SUSE Linux Enterprise Server provides several of them readily available for use. Multiprocessing Modules MPMs are responsible for accepting and handling requests to the Web server, representing the core of the Web server software.
  • Page 776 IMPORTANT: Including Configuration Files for External Modules If you have activated external modules manually, make sure to load their configuration files in all virtual host configurations. Configuration files for external modules are located under /etc/apache2/conf.d/ and are not loaded by default.
  • Page 777 mod_autoindex Autoindex generates directory listings when no index file (for example, index.html) is present. The look and feel of these indexes is configurable. This module is enabled by default. However, directory listings are disabled by default via the Options directive—overwrite this setting in your virtual host configuration. The default configuration file for this module is located at /etc/apache2/mod_autoindex-defaults.conf.
  • Page 778 mod_log_config With this module, you can configure the looks of the Apache log files. This module is enabled by default. mod_mime The mime module takes care that a file is delivered with the correct MIME header based on the filename's extension (for example text/html for HTML documents). This module is enabled by default.
  • Page 779 mod_suexec mod_suexec lets you run CGI scripts under a different user and group. This module is enabled by default. mod_userdir Enables user-specific directories available under ~user/. The UserDir directive must be specified in the configuration. This module is enabled by default. 40.4.4 Multiprocessing Modules SUSE Linux Enterprise Server provides two different multiprocessing modules (MPMs) for use with Apache.
  • Page 780 Find a list of all external modules shipped with SUSE Linux Enterprise Server here. Find the module's documentation in the listed directory. mod-apparmor Adds support to Apache to provide Novell AppArmor confinement to individual CGI scripts handled by modules like mod_php5 and mod_perl. Package Name: apache2-mod_apparmor More Information: Novell AppArmor Administration Guide (↑Novell AppArmor...
  • Page 781 Configuration File: /etc/apache2/conf.d/php5.conf More Information: /usr/share/doc/packages/apache2-mod_php5 mod_python mod_python allows embedding Python within the Apache HTTP server for a considerable boost in performance and added flexibility in designing Web-based applications. Package Name: apache2-mod_python More Information: /usr/share/doc/packages/apache2-mod_python 40.4.6 Compilation Apache can be extended by advanced users by writing custom modules. To develop modules for Apache or compile third-party modules, the package apache2-devel is required along with the corresponding development tools.
  • Page 782: Getting Cgi Scripts To Work

    Install and activate a module from source code with the commands cd /path/to/module/source; apxs2 -cia mod_foo.c (-c compiles the module, -i installs it, and -a activates it). Other options of apxs2 are described in the apxs2(1) man page. 40.5 Getting CGI Scripts to Work Apache's Common Gateway Interface (CGI) lets you create dynamic content with programs or scripts usually referred to as CGI scripts.
  • Page 783 Example 40.5 VirtualHost CGI Configuration ScriptAlias /cgi-bin/ "/srv/www/example.com_cgi-bin/" <Directory "/srv/www/example.com_cgi-bin/"> Options +ExecCGI AddHandler cgi-script .cgi .pl Order allow,deny Allow from all </Directory> Tells Apache to handle all files within this directory as CGI scripts. Enables CGI script execution Tells the server to treat files with the extensions .pl and .cgi as CGI scripts. Adjust according to your needs.
  • Page 784: Setting Up A Secure Web Server With Ssl

    Now call http://localhost/cgi-bin/test.cgi or http://example.com/cgi-bin/test.cgi. You should see the “CGI/1.0 test script report”. 40.5.3 Troubleshooting If you do not see the output of the test program but an error message instead, check the following: CGI Troubleshooting • Have you reloaded the server after having changed the configuration? Check with rcapache2 probe.
  • Page 785 client is established. Data integrity is ensured and client and server are able to authenticate each other. For this purpose, the server sends an SSL certificate that holds information proving the server's valid identity before any request to a URL is answered. In turn, this guarantees that the server is the uniquely correct end point for the communication.
  • Page 786 Creating a “Dummy” Certificate Generating a dummy certificate is simple. Just call the script /usr/bin/gensslcert. It creates or overwrites the following files: • /etc/apache2/ssl.crt/ca.crt • /etc/apache2/ssl.crt/server.crt • /etc/apache2/ssl.key/server.key • /etc/apache2/ssl.csr/server.csr A copy of ca.crt is also placed at /srv/www/htdocs/CA.crt for download. IMPORTANT A dummy certificate should never be used on a production system.
  • Page 787 No interaction needed. 3 Generating X.509 certificate signing request for CA Create the CA's distinguished name here. This requires you to answer a few questions, such as country name or organization name. Enter valid data, because everything you enter here later shows up in the certificate. You do not need to answer every question.
  • Page 788 8 Encrypting RSA private key of CA with a pass phrase for security It is strongly recommended to encrypt the private key of the CA with a password, so choose Y and enter a password. 9 Encrypting RSA private key of SERVER with a pass phrase for security Encrypting the server key with a password requires you to enter this password every time you start the Web server.
  • Page 789 Getting an Officially Signed Certificate There are a number of official certificate authorities that sign your certificates. The certificate is signed by a trustworthy third party, so it can be fully trusted. Publicly operating secure Web servers usually have an officially signed certificate. The best-known official CAs are Thawte (http://www.thawte.com/) or Verisign (http://www.verisign.com).
  • Page 790: Avoiding Security Problems

    To use SSL, it must be activated in the global server configuration. Open /etc/sysconfig/apache2 in an editor and search for APACHE_MODULES. Add “ssl” to the list of modules if it is not already present (mod_ssl is activated by default). Next, search for APACHE_SERVER_FLAGS and add “SSL”.
  • Page 791 If there are vulnerabilities found in the Apache software, a security advisory will be issued by SUSE. It contains instructions for fixing the vulnerabilities, which in turn should be applied as soon as possible. The SUSE security announcements are available from the following locations: • Web Page http://www.novell.com/linux/security/securitysupport.html • Mailing List http://www.suse.com/us/private/support/online_help/mailinglists/ •...
  • Page 792: Troubleshooting

    40.7.4 CGI Scripts Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially run arbitrary commands and therefore present a general security issue. Scripts that will be executed from the server should only be installed from sources the server administrator trusts—allowing users to run their own scripts is generally not a good idea.
  • Page 793: For More Information

    starting or stopping the Web server. Avoid doing this and use the rcapache2 script instead. rcapache2 even provides tips and hints for solving configuration errors. Second, the importance of log files cannot be overemphasized. In case of both fatal and nonfatal errors, the Apache log files, mainly the error log file, are the places to look for causes.
  • Page 794 40.9.1 Apache 2.2 For a list of new features in Apache 2.2, refer to http://httpd.apache.org/docs/2.2/new_features_2_2.html. Information about upgrading from version 2.0 to 2.2 is available at http://httpd.apache.org/docs-2.2/upgrading.html. 40.9.2 Apache Modules More information about external Apache modules from Section 40.4.5, “External Modules”...
  • Page 795 40.9.4 Miscellaneous Sources If you experience difficulties specific to Apache in SUSE Linux Enterprise Server, take a look at the Technical Information Search at http://www.novell.com/support. The history of Apache is provided at http://httpd.apache.org/ABOUT_APACHE.html. This page also explains why the server is called Apache.
  • Page 797: 41 The Proxy Server Squid

    The Proxy Server Squid Squid is a widely-used proxy cache for Linux and UNIX platforms. This means that it stores requested Internet objects, such as data on a Web or FTP server, on a machine that is closer to the requesting workstation than the server. It may be set up in multiple hierarchies to assure optimal response times and low bandwidth usage, even in modes that are transparent for the end user.
  • Page 798: Some Facts About Proxy Caches

    41.1 Some Facts about Proxy Caches As a proxy cache, Squid can be used in several ways. When combined with a firewall, it can help with security. Multiple proxies can be used together. It can also determine what types of objects should be cached and for how long. 41.1.1 Squid and Security It is possible to use Squid together with a firewall to secure internal networks from the outside using a proxy cache.
  • Page 799: System Requirements

    HIT code if the object was detected or a MISS if it was not. If multiple HIT responses were found, the proxy server decides from which server to download, depending on factors such as which cache sent the fastest answer or which one is closer. If no satisfactory responses are received, the request is sent to the parent cache.
  • Page 800: Hard Disks

    41.2.1 Hard Disks Speed plays an important role in the caching process, so this factor deserves special attention. For hard disks, this parameter is described as random seek time, measured in milliseconds. Because the data blocks that Squid reads from or writes to the hard disk tend to be rather small, the seek time of the hard disk is more important than its data throughput.
  • Page 801: Starting Squid

    It is very important to have sufficient memory for the Squid process, because system performance is dramatically reduced if it must be swapped to disk. The cachemgr.cgi tool can be used for the cache memory management. This tool is introduced in Section 41.6, “cachemgr.cgi”...
  • Page 802 so, consider that Squid is made completely accessible to anyone by this action. Therefore, define ACLs that control access to the proxy. More information about this is available in Section 41.4.2, “Options for Access Controls” (page 788). After modifying the configuration file /etc/squid/squid.conf, Squid must reload the configuration file.
  • Page 803: The Configuration File /etc/squid/squid.conf

    Dynamic DNS Normally, with dynamic DNS, the DNS server is set by the provider during the establishment of the Internet connection and the local file /etc/resolv.conf is adjusted automatically. This behavior is controlled in the file /etc/sysconfig/network/config with the sysconfig variable MODIFY_RESOLV_CONF_DYNAMICALLY, which is set to "yes".
  • Page 804 end of the line. The given values almost always correlate with the default values, so removing the comment signs without changing any of the parameters actually has little effect in most cases. If possible, leave the sample as it is and insert the options along with the modified parameters in the line below.
  • Page 805 cache_dir ufs /var/cache/squid/ 100 16 256 The entry cache_dir defines the directory where all the objects are stored on disk. The numbers at the end indicate the maximum disk space in MB to use and the number of directories in the first and second level. The ufs parameter should be left alone.
  • Page 806 overwritten. The default value is 0 because archiving and deleting log files in SUSE Linux Enterprise Server is carried out by a cron job set in the configuration file /etc/logrotate/squid. append_domain <domain> With append_domain, specify which domain to append automatically when none is given.
  • Page 807 acl <acl_name> <type> <data> An ACL requires at least three specifications to define it. The name <acl_name> can be chosen arbitrarily. For <type>, select from a variety of different options, which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
  • Page 808 and the last http_access deny all redirect_program /usr/bin/squidGuard With this option, specify a redirector such as squidGuard, which allows blocking unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured.
  • Page 809: Configuring A Transparent Proxy

    41.5 Configuring a Transparent Proxy The usual way of working with proxy servers is the following: the Web browser sends requests to a certain port in the proxy server and the proxy provides these required objects, whether they are in its cache or not. When working in a network, several situations may arise: •...
  • Page 810 41.5.2 Firewall Configuration with SuSEfirewall2 Now redirect all incoming requests via the firewall with help of a port forwarding rule to the Squid port. To do this, use the enclosed tool SuSEfirewall2, described in Section 43.4.1, “Configuring the Firewall with YaST” (page 822).
  • Page 811 Example 41.1 Firewall Configuration: Option 15 # 15.) # Which accesses to services should be redirected to a local port # on the firewall machine? # This can be used to force all internal users to surf via your # Squid proxy, or transparently redirect incoming Web traffic to # a secure Web server.
  • Page 812: cachemgr.cgi

    41.6 cachemgr.cgi The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the memory usage of a running Squid process. It is also a more convenient way to manage the cache and view statistics without logging in to the server. 41.6.1 Setup First, a running Web server on your system is required.
  • Page 813 These rules assume that the Web server and Squid are running on the same machine. If the communication between the cache manager and Squid originates at the Web server on another computer, include an extra ACL as in Example 41.2, “Access Rules” (page 795).
  • Page 814: squidGuard

    41.7 squidGuard This section is not intended to explain an extensive configuration of squidGuard, only to introduce it and give some advice for using it. For more in-depth configuration issues, refer to the squidGuard Web site at http://www.squidguard.org. squidGuard is a free (GPL), flexible, and fast filter, redirector, and access controller plug-in for Squid.
  • Page 815: Cache Report Generation with Calamaris

    Next, create a dummy “access denied” page or a more or less complex CGI page to redirect Squid if the client requests a blacklisted Web site. Using Apache is strongly recommended. Now, configure Squid to use squidGuard. Use the following entry in the /etc/squid/squid.conf file: redirect_program /usr/bin/squidGuard Another option called redirect_children configures the number of “redirect”...
  • Page 816: For More Information

    include a message or logo in report header More information about the various options can be found in the program's manual page with man calamaris. A typical example is: cat access.log.2 access.log.1 access.log | calamaris -a -w \ > /usr/local/httpd/htdocs/Squid/squidreport.html This puts the report in the directory of the Web server.
  • Page 817: Part V Security

    Part V. Security...
  • Page 819: 42 Managing X.509 Certification

    Managing X.509 Certification An increasing number of authentication mechanisms are based on cryptographic procedures. Digital certificates that assign cryptographic keys to their owners play an important role in this context. These certificates are used for communication and can also be found, for example, on company ID cards.
  • Page 820 Private Key The private key must be kept safely by the key owner. Accidental publication of the private key compromises the key pair and renders it useless. Public Key The key owner circulates the public key for use by third parties. 42.1.1 Key Authenticity Because the public key process is in widespread use, there are many public keys in circulation.
  • Page 821 42.1.2 X.509 Certificates An X.509 certificate is a data structure with several fixed fields and, optionally, additional extensions. The fixed fields mainly contain the name of the key owner, the public key, and the data relating to the issuing CA (name and signature). For security reasons, a certificate should only have a limited period of validity, so a field is also provided for this date.
  • Page 822 Field Content Extensions Optional additional information, such as “KeyUsage” or “BasicConstraints” 42.1.3 Blocking X.509 Certificates If a certificate becomes untrustworthy before it has expired, it must be blocked immediately. This can be needed if, for example, the private key has accidentally been made public.
  • Page 823 Field Content List of revoked certificates Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions) Extensions Optional CRL extensions 42.1.4 Repository for Certificates and CRLs The certificates and CRLs for a CA must be made publicly accessible using a repository. Because the signature protects the certificates and CRLs from being forged, the repository itself does not need to be secured in a special way.
  • Page 824: YaST Modules for CA Management

    42.2 YaST Modules for CA Management YaST provides two modules for basic CA management. The primary management tasks with these modules are explained here. 42.2.1 Creating a Root CA The first step when setting up a PKI is to create a root CA. Do the following: 1 Start YaST and go to Security and Users >...
  • Page 825 CA Name Enter the technical name of the CA. Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.
  • Page 826 In general, it is best not to allow user certificates to be issued by the root CA. It is better to create at least one sub-CA and create the user certificates from there. This has the advantage that the root CA can be kept isolated and secure, for example, on an isolated computer on secure premises.
  • Page 827 Figure 42.2 YaST CA Module—Using a CA 4 Click Advanced and select Create SubCA. This opens the same dialog as for creating a root CA. 5 Proceed as described in Section 42.2.1, “Creating a Root CA” (page 806). 6 Select the tab Certificates. Reset compromised or otherwise unwanted sub-CAs here using Revoke.
  • Page 828 the e-mail address of the recipient (the public key owner) to be included in the certificate. In the case of server and client certificates, the hostname of the server must be entered in the Common Name field. The default validity period for certificates is 365 days. To create client and server certificates, do the following: 1 Start YaST and open the CA module.
  • Page 829 To revoke compromised or otherwise unwanted certificates, do the following: 1 Start YaST and open the CA module. 2 Select the required CA and click Enter CA. 3 Enter the password if entering a CA the first time. YaST displays the CA key information in the Description tab.
  • Page 830 3 Click Advanced > Edit Defaults. 4 Choose the type of the settings to change. The dialog for changing the defaults, shown in Figure 42.4, “YaST CA Module—Extended Settings” (page 812), then opens. Figure 42.4 YaST CA Module—Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical.
  • Page 831 42.2.5 Creating CRLs If compromised or otherwise unwanted certificates should be excluded from further use, they must first be revoked. The procedure for this is explained in Section 42.2.2, “Creating or Revoking a Sub-CA” (page 808) (for sub-CAs) and Section 42.2.3, “Creating or Revoking User Certificates”...
  • Page 832 must be entered manually. You must always enter several passwords (see Table 42.3, “Passwords during LDAP Export” (page 814)). Table 42.3 Passwords during LDAP Export Password Meaning LDAP Password Authorizes the user to make entries in the LDAP tree. Certificate Password Authorizes the user to export the certificate.
  • Page 833 42.2.7 Exporting CA Objects as a File If you have set up a repository on the computer for administering CAs, you can use this option to create the CA objects directly as a file at the correct location. Different output formats are available, such as PEM, DER, and PKCS12.
  • Page 834 If you select Import here, you can select the source in the file system. This option can also be used to import certificates from a transport medium, such as a USB stick. To import a common server certificate, do the following: 1 Start YaST and open Common Server Certificate under Security and Users 2 View the data for the current certificate in the description field after YaST has been started.
  • Page 835: 43 Masquerading and Firewalls

    Masquerading and Firewalls Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart.
  • Page 836 This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet. mangle The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
  • Page 837: Masquerading Basics

    POSTROUTING This chain is applied to all outgoing packets. Figure 43.1, “iptables: A Packet's Possible Paths” (page 818) illustrates the paths along which a network packet may travel on a given system. For the sake of simplicity, the figure lists tables as parts of chains, but in reality these chains are held within the tables themselves.
  • Page 838: Firewalling Basics

    As mentioned, whenever one of the LAN hosts sends a packet destined for an Internet address, it goes to the default router. However, the router must be configured before it can forward such packets. For security reasons, this is not enabled in a default installation.
  • Page 839: SuSEfirewall2

    A more effective but more complex mechanism is the combination of several types of systems, such as a packet filter interacting with an application gateway or proxy. In this case, the packet filter rejects any packets destined for disabled ports. Only packets directed to the application gateway are accepted.
  • Page 840 be used to put an additional line of defense in front of the internal network, because the DMZ systems are isolated from the internal network. Any kind of network traffic not explicitly allowed by the filtering rule set is suppressed by iptables.
  • Page 841 Interfaces All known network interfaces are listed here. To remove an interface from a zone, select the interface, press Change, and choose No Zone Assigned. To add an interface to a zone, select the interface, press Change and choose any of the available zones. You may also create a special interface with your own settings by using Custom.
  • Page 842: Configuring Manually

    All services, ports, and protocols that have been allowed are listed in this summary. To modify the configuration, use Back. Press Accept to save your configuration. 43.4.2 Configuring Manually The following paragraphs provide step-by-step instructions for a successful configuration. Each configuration item is marked as to whether it is relevant to firewalling or masquerading.
  • Page 843 proxy server between the hosts of the internal network and the Internet. Masquerading is not needed for services a proxy server provides. FW_MASQ_NETS (masquerading) Specify the hosts or networks to masquerade, leaving a space between the individual entries. For example: FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"...
  • Page 844: For More Information

    SPT=48091 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A061AFEBC0000000001030300) Other packages to test your firewall setup are nmap or nessus. The documentation of nmap is found at /usr/share/doc/packages/nmap and the documentation of nessus resides in the directory /usr/share/doc/packages/nessus-core after installing the respective package. 43.5 For More Information The most up-to-date information and other documentation about the SuSEfirewall2 package is found in /usr/share/doc/packages/SuSEfirewall2.
  • Page 845: 44 SSH: Secure Network Operations

    SSH: Secure Network Operations With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it.
  • Page 846: The ssh Program

    44.2 The ssh Program Using the ssh program, it is possible to log in to remote systems and work interactively. It replaces both telnet and rlogin. The slogin program is just a symbolic link pointing to ssh. For example, log in to the host sun with the command ssh sun. The host then prompts for the password on sun.
  • Page 847: sftp—Secure File Transfer

    scp also provides a recursive copying feature for entire directories. The command scp -r src/ sun:backup/ copies the entire contents of the directory src including all subdirectories to the backup directory on the host sun. If this subdirectory does not exist yet, it is created automatically.
  • Page 848: SSH Authentication Mechanisms

    For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of the protocol with the -1 switch. To continue using version 1 after a system update, follow the instructions in /usr/share/doc/packages/openssh/README.SuSE.
  • Page 849 that is also easy to use. Because it is meant to replace rsh and rlogin, SSH must also be able to provide an authentication method appropriate for daily use. SSH accomplishes this by way of another key pair, which is generated by the user. The SSH package provides a helper program for this: ssh-keygen.
  • Page 850: X, Authentication, and Forwarding Mechanisms

    44.7 X, Authentication, and Forwarding Mechanisms Beyond the previously described security-related improvements, SSH also simplifies the use of remote X applications. If you run ssh with the option -X, the DISPLAY variable is automatically set on the remote machine and all X output is exported to the remote machine over the existing SSH connection.
  • Page 851: 45 Network Authentication—Kerberos

    Network Authentication—Kerberos An open network provides no means to ensure that a workstation can identify its users properly except the usual password mechanisms. In common installations, the user must enter the password each time a service inside the network is accessed. Kerberos provides an authentication method with which a user registers once then is trusted in the complete network for the rest of the session.
  • Page 852 credential Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials—tickets and authenticators. ticket A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service.
  • Page 853: How Kerberos Works

    replay Almost all messages sent in a network can be eavesdropped, stolen, and resent. In the Kerberos context, this would be most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator. He could then try to resend it (replay) to impersonate you.
  • Page 854 • The client's IP address • The newly-generated session key This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used. This private key is only known to Kerberos and the client, because it is derived from your user password.
  • Page 855 45.2.3 Mutual Authentication Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be. The server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts it with the session key, which is shared between it and the client.
  • Page 856: Users' View Of Kerberos

    • The newly-generated session key The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is encrypted with the session key that came with the original ticket-granting ticket.
  • Page 857: For More Information

    • rsh, rcp, rshd • ftp, ftpd • ksu You no longer have to enter your password for using these applications because Kerberos has already proven your identity. ssh, if compiled with Kerberos support, can even forward all the tickets acquired for one workstation to another one. If you use ssh to log in to another workstation, ssh makes sure that the encrypted contents of the tickets are adjusted to the new situation.
  • Page 859: 46 Installing and Administering Kerberos

    Installing and Administering Kerberos This section covers the installation of the MIT Kerberos implementation as well as some aspects of administration. This section assumes you are familiar with the basic concepts of Kerberos (see also Chapter 45, Network Authentication—Kerberos (page 833)). 46.1 Choosing the Kerberos Realms The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING.
  • Page 860: Setting Up the KDC Hardware

    For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples. 46.2 Setting Up the KDC Hardware The first thing required to use Kerberos is a machine that acts as the key distribution center, or KDC for short.
  • Page 861: Clock Synchronization

    6 Disable all user accounts except root's account by editing /etc/shadow and replacing the hashed passwords with * or ! characters. 46.3 Clock Synchronization To use Kerberos successfully, make sure that all system clocks within your organization are synchronized within a certain range. This is important because Kerberos protects against replayed credentials.
  • Page 862 1 Install the RPMs On a machine designated as the KDC, install special software packages. See Section 46.4.1, “Installing the RPMs” (page 844) for details. 2 Adjust the Configuration Files The configuration files /etc/krb5.conf and /var/lib/kerberos/krb5kdc/kdc.conf must be adjusted for your scenario.
  • Page 863: Installing and Administering Kerberos

    When you make tape backups of the Kerberos database (/var/lib/kerberos/krb5kdc/principal), do not back up the stash file (which is in /var/lib/kerberos/krb5kdc/.k5.EXAMPLE.COM). Otherwise, everyone able to read the tape could also decrypt the database. Therefore, it is also a good idea to keep a copy of the pass phrase in a safe or some other secure location, because you need it to restore your database from backup tape after a crash.
  • Page 864: Manually Configuring Kerberos Clients

    Next, create another principal named newbie/admin by typing ank newbie/admin at the kadmin prompt. The admin suffixed to your username is a role. Later, use this role when administering the Kerberos database. A user can have several roles for different purposes.
  • Page 865 46.5.1 Static Configuration One way to configure Kerberos is to edit the configuration file /etc/krb5.conf. The file installed by default contains various sample entries. Erase all of these entries before starting. krb5.conf is made up of several sections, each introduced by the section name included in brackets like [this].
  • Page 866 The name of an SRV record, as far as Kerberos is concerned, is always in the format _service._proto.realm, where realm is the Kerberos realm. Domain names in DNS are case insensitive, so case-sensitive Kerberos realms would break when using this configuration method. _service is a service name (different names are used when trying to contact the KDC or the password service, for example).
  • Page 867: Configuring a Kerberos Client with YaST

    46.5.3 Adjusting the Clock Skew The clock skew is the tolerance for accepting tickets with time stamps that do not exactly match the host's system clock. Usually, the clock skew is set to 300 seconds (five minutes). This means a ticket can have a time stamp somewhere between five minutes ago and five minutes in the future from the server's point of view.
  • Page 868 Figure 46.1 YaST: Basic Configuration of a Kerberos Client To configure ticket-related options in the Advanced Settings dialog, choose from the following options: • Specify the Default Ticket Lifetime and the Default Renewable Lifetime in days, hours, or minutes (using the units of measurement d, h, and m, with no blank space between the value and the unit).
  • Page 869: Remote Kerberos Administration

    • Use Clock Skew to set a value for the allowable difference between the time stamps and your host's system time. • To keep the system time in sync with an NTP server, you can also set up the host as an NTP client by selecting NTP Configuration, which opens the YaST NTP client dialog that is described in Section 32.1, “Configuring an NTP Client with...
  • Page 870 newbie/admin Replace the username newbie with your own. Restart kadmind for the change to take effect. 46.7.1 Using kadmin for Remote Administration You should now be able to perform Kerberos administration tasks remotely using the kadmin tool. First, obtain a ticket for your admin role and use that ticket when connecting to the kadmin server: kadmin -p newbie/admin Authenticating as principal newbie/admin@EXAMPLE.COM with password.
  • Page 871: Creating Kerberos Host Principals

    kadmin: modify_principal -maxlife "8 hours" newbie Principal "newbie@EXAMPLE.COM" modified. kadmin: getprinc joe Principal: newbie@EXAMPLE.COM Expiration date: [never] Last password change: Wed Jan 12 17:28:46 CET 2005 Password expiration date: [none] Maximum ticket life: 0 days 08:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Wed Jan 12 17:59:49 CET 2005 (newbie/admin@EXAMPLE.COM) Last successful authentication: [never] Last failed authentication: [never]...
  • Page 872 Kerberos can decrypt the ticket. It would be quite inconvenient for the system administrator if he had to obtain new tickets for the SSH daemon every eight hours or so. Instead, the key required to decrypt the initial ticket for the host principal is extracted by the administrator from the KDC once and stored in a local file called the keytab.
  • Page 873: Enabling PAM Support for Kerberos

    46.9 Enabling PAM Support for Kerberos SUSE Linux Enterprise® comes with a PAM module named pam_krb5, which supports Kerberos login and password update. This module can be used by applications, such as console login, su, and graphical login applications like KDM, where the user presents a password and would like the authenticating application to obtain an initial Kerberos ticket on his behalf.
  • Page 874: Configuring SSH for Kerberos Authentication

    46.10 Configuring SSH for Kerberos Authentication OpenSSH supports Kerberos authentication in both protocol version 1 and 2. In version 1, there are special protocol messages to transmit Kerberos tickets. Version 2 does not use Kerberos directly anymore, but relies on GSSAPI, the General Security Services API.
  • Page 875: Using LDAP and Kerberos

    46.11 Using LDAP and Kerberos When using Kerberos, one way to distribute the user information (such as user ID, groups, and home directory) in your local network is to use LDAP. This requires a strong authentication mechanism that prevents packet spoofing and other attacks. One solution is to use Kerberos for LDAP communication, too.
  • Page 876 A third, and maybe the best solution, is to tell OpenLDAP to use a special keytab file. To do this, start kadmin, and enter the following command after you have added the principal ldap/earth.example.com: ktadd -k /etc/openldap/ldap.keytab ldap/earth.example.com@EXAMPLE.COM Then, on the shell, run: chown ldap.ldap /etc/openldap/ldap.keytab chmod 600 /etc/openldap/ldap.keytab To tell OpenLDAP to use a different keytab file, change the following variable in...
  • Page 877 As you can see, ldapsearch prints a message that it started GSSAPI authentication. The next message is very cryptic, but it shows that the security strength factor (SSF for short) is 56 (The value 56 is somewhat arbitrary. Most likely it was chosen because this is the number of bits in a DES encryption key).
  • Page 878 authz-regexp uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com To understand how this works, you need to know that when SASL authenticates a user, OpenLDAP forms a distinguished name from the name given to it by SASL (such as joe) and the name of the SASL flavor (GSSAPI). The result would be uid=joe,cn=GSSAPI,cn=auth.
  • Page 879: 47 Encrypting Partitions and Files

    Encrypting Partitions and Files Every user has some confidential data that third parties should not be able to access. The more connected and mobile you are, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have access over a network connection or direct physical access.
  • Page 880: Setting Up an Encrypted File System with YaST

    mounted and the contents are made available to the user. Refer to Section 47.2, “Using Encrypted Home Directories” (page 865) for more information. Encrypting Single Files If you only have a small number of files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using the vi editor.
  • Page 881 47.1.1 Creating an Encrypted Partition during Installation WARNING: Password Input Observe the warnings about password security when setting the password for encrypted partitions and memorize it well. Without the password, the encrypted data cannot be accessed or restored. The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition.
  • Page 882 47.1.2 Creating an Encrypted Partition on a Running System WARNING: Activating Encryption in a Running System It is also possible to create encrypted partitions on a running system. However, encrypting an existing partition destroys all data on it and requires resize and restructuring of existing partitions.
  • Page 883: Using Encrypted Home Directories

    47.1.4 Encrypting the Content of Removable Media YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk. Container files or partitions on such media can be encrypted as described above. However, enable Do Not Mount During Booting in the Fstab Options dialog, because removable media are usually only connected while the system is running.
  • Page 884 WARNING: Security Restrictions Encrypting a user's home directory does not provide strong security from other users. If strong security is required, the system should not be physically shared. To enhance security, also encrypt the swap partition, /tmp, and /var/tmp, because these can contain temporary images of critical data. You can encrypt swap, /tmp, and /var/tmp with the YaST partitioner as described in Section 47.1.1, “Creating an Encrypted Partition during Installation”...
  • Page 885: Using vi to Encrypt Single Files

    47.3 Using vi to Encrypt Single Files The disadvantage of using encrypted partitions is that while the partition is mounted, at least root can access the data. To prevent this, vi can be used in encrypted mode. Use vi -x filename to edit a new file. vi prompts you to set a password, after which it encrypts the content of the file.
  • Page 887: 48 Confining Privileges with AppArmor

    Effective hardening of a computer system requires minimizing the number of programs that mediate privilege then securing the programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer.
  • Page 888: Installing Novell AppArmor

    Guide. 48.1 Installing Novell AppArmor Novell AppArmor is installed and running by default on any installation of SUSE Linux Enterprise® regardless of what patterns are installed. The packages listed below are needed for a fully functional instance of AppArmor •...
  • Page 889 Using Novell AppArmor Control Panel Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.
  • Page 890: Getting Started with Profiling Applications

    48.3 Getting Started with Profiling Applications Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items: 1 Determine the applications to profile. Read more on this in Section 48.3.1, “Choosing the Applications to Profile”...
  • Page 891: Building and Modifying Profiles

    There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
  • Page 892 1 As root, let AppArmor create a rough outline of the application's profile by running aa-genprof programname Outline the basic profile by running YaST > Novell AppArmor > Add Profile Wizard and specifying the complete path of the application to profile.
  • Page 893 “aa-complain—Entering Complain or Learning Mode” (Chapter 4, Building Profiles from the Command Line, ↑Novell AppArmor Administration Guide) and Section “aa-enforce—Entering Enforce Mode” (Chapter 4, Building Profiles from the Command Line, ↑Novell AppArmor Administration Guide). Test your profile settings by performing every task you need with the application you just confined.
  • Page 894 48.3.3 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.
  • Page 895 To configure the AppArmor reports, proceed as follows: 1 Log in as root and start YaST. Select Novell AppArmor > AppArmor Reports. 2 Select the type of report to examine or configure from Executive Security Summary, Applications Audit, and Security Incident Report.
  • Page 896: Updating Your Profiles

    To update your profile set, proceed as follows: 1 Log in as root and start YaST. 2 Start Novell AppArmor > Update Profile Wizard. 3 Adjust access or execute rights to any resource or for any executable that has been logged when prompted.
  • Page 897: 9 Security And Confidentiality

    Security and Confidentiality One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent.
  • Page 898: Local Security And Network Security

    49.1 Local Security and Network Security There are several ways of accessing data: • personal communication with people who have the desired information or access to the data on a computer • directly from the console of a computer (physical access) •...
  • Page 899 Serial terminals connected to serial ports are still used in many places. Unlike network interfaces, they do not rely on a network protocol to communicate with the host. A simple cable or an infrared port is used to send plain characters back and forth between the devices.
  • Page 900: File Permissions

    In the seventies, it was argued that this method would be more secure than others due to the relative slowness of the algorithm used, which took a few seconds to encrypt just one password. In the meantime, however, PCs have become powerful enough to do several hundred thousand or even millions of encryptions per second.
  • Page 901 The permissions of the more than 200,000 files included in a SUSE Linux Enterprise distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits.
  • Page 902 is written beyond the end of that buffer area, which, under certain circumstances, makes it possible for a program to execute program sequences influenced by the user (and not by the programmer), rather than just processing user data. A bug of this kind may have serious consequences, especially if the program is being executed with special privileges (see Section 49.1.4, “File Permissions”...
  • Page 903: Network Security

    them. Viruses are a typical sign that the administrator or the user lacks the required security awareness, putting at risk even a system that should be highly secure by its very design. Viruses should not be confused with worms, which belong to the world of networks entirely.
  • Page 904 In the case of cookie-based access control, a character string is generated that is only known to the X server and to the legitimate user, just like an ID card of some kind. This cookie (the word goes back not to ordinary cookies, but to Chinese fortune cookies, which contain an epigram) is stored on login in the file .Xauthority in the user's home directory and is available to any X client wanting to use the X server to display a window.
  • Page 905: Denial Of Service

    exploit these newly-found security holes—are often posted on the security mailing lists. They can be used to target the vulnerability without knowing the details of the code. Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software.
  • Page 906 not secured against hijacking through encryption, which only perform a simple authentication procedure upon establishing the connection, makes it easier for attackers. Spoofing is an attack where packets are modified to contain counterfeit source data, usually the IP address. Most active forms of attack rely on sending out such fake packets—something that, on a Linux machine, can only be done by the superuser (root).
  • Page 907: Some General Security Tips And Tricks

    SUSE security announcements are published on a mailing list to which you can subscribe by following the link http://www.novell.com/linux/security/securitysupport.html. The list suse-security-announce@suse.com is a first-hand source of information regarding updated packages and includes members of SUSE's security team among its active contributors.
  • Page 908 • Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the intended way. On the other hand, consider that, in most cases, the program will also have ceased to be a potential security risk.
  • Page 909: Using The Central Security Reporting Address

    SUSE's PGP key is: ID:3D25D3D9 1999-03-06 SUSE Security Team <security@suse.de> Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5 This key is also available for download from http://www.novell.com/linux/security/securitysupport.html.
  • Page 911: Part Vi Troubleshooting

    Part VI. Troubleshooting...
  • Page 913: 0 Help And Documentation

    Help and Documentation SUSE Linux Enterprise® comes with various sources of information and documentation. The SUSE Help Center provides central access to the most important documentation resources on your system in searchable form. These resources include online help for installed applications, manual pages, info pages, databases on hardware and software topics, and all manuals delivered with your product.
  • Page 914 configuration of the search function in the Search tab are presented in Section 50.1.2, “The Search Function” (page 897). The Contents tab presents a tree view of all available and currently installed information sources. Click the book icons to open and browse the individual categories.
  • Page 915: The Search Function

    50.1.1 Contents The SUSE Help Center provides access to useful information from various sources. It contains special documentation for SUSE Linux Enterprise (Start-Up, KDE User Guide, GNOME User Guide, and Reference), all available information sources for your workstation environment, online help for the installed programs, and help texts for other applications.
  • Page 916 Figure 50.3 Generating a Search Index To limit the search base and the hit list as precisely as possible, use the three drop-down menus to determine the number of displayed hits and the selection area of sources to search. The following options are available for determining the selection area: Default A predefined selection of sources is searched.
  • Page 917: Man

    50.2 Man Pages Man pages are an essential part of any Linux system. They explain the usage of a command and all available options and parameters. Man pages are sorted in categories as shown in Table 50.1, “Man Pages—Categories and Descriptions” (page 899) (taken from the man page for man itself).
  • Page 918: Info

    Another possibility to display a man page is to use Konqueror. Start Konqueror and type, for example, man:/ls. If there are different categories for a command, Konqueror displays them as links. 50.3 Info Pages Info pages are another important source of information on your system. Usually they are more verbose than man pages.
  • Page 919: Wikipedia: The Free Online Encyclopedia

    50.5 Wikipedia: The Free Online Encyclopedia Wikipedia is “a multilingual encyclopedia designed to be read and edited by anyone” (see http://en.wikipedia.org). The content of Wikipedia is created by its users and is published under a free license (GFDL). Any visitors can edit articles, which gives the danger of vandalism, but this does not repel visitors.
  • Page 920: Package Documentation

    50.7 Package Documentation If you install a package in your system, a directory /usr/share/doc/packages/packagename is created. You can find files from the package maintainer as well as additional information from SUSE. Sometimes there are also examples, configuration files, additional scripts, or other things available. Usually you can find the following files, but they are not standard and sometimes not all files are available.
  • Page 921: Usenet

    50.8 Usenet Created in 1979 before the rise of the Internet, Usenet is one of the oldest computer networks and still in active use. The format and transmission of Usenet articles is very similar to e-mail, but is developed for a many-to-many communication. Usenet is organized into seven topical categories: comp.* for computer-related discussions, misc.* for miscellaneous topics, news.* for newsgroup-related matters, rec.* for recreation and entertainment, sci.* for science-related discussions, soc.*...
  • Page 922 concentrates on standardizing Web technologies. W3C promotes the dissemination of open, license-free, and manufacturer-independent specifications, such as HTML, XHTML, and XML. These Web standards are developed in a four-stage process in working groups and are presented to the public as W3C recommendations (REC). http://www.oasis-open.org OASIS (Organization for the Advancement of Structured Information Standards) is an international consortium specializing in the development of standards for Web...
  • Page 923 The association brings together manufacturers, consumers, trade professionals, service companies, scientists and others who have an interest in the establishment of standards. The standards are subject to a fee and can be ordered using the DIN home page.
  • Page 925: 1 Common Problems And Their Solutions

    Common Problems and Their Solutions This chapter describes a range of common problems that can arise, with the intention of covering as many types of potential problem as possible. That way, even if your precise situation is not listed here, there might be one similar enough to offer hints as to the solution.
  • Page 926 Table 51.1 Log Files: /var/log/boot.msg holds messages from the kernel during the boot process; /var/log/mail.* holds messages from the mail system; /var/log/messages holds ongoing messages from the kernel and system log daemon when running; /var/log/SaX.log holds hardware messages from the SaX display and KVM system.
  • Page 927 Table 51.2 System Information: /proc/cpuinfo displays processor information, including its type, make, model, and performance; /proc/dma shows which DMA channels are currently in use; /proc/interrupts shows which interrupts are in use and how many of each have been in use. The next entry displays the status of I/O memory.
  • Page 928: Installation Problems

    51.2 Installation Problems Installation problems are situations when a machine fails to install. It may fail entirely or it may not be able to start the graphical installer. This section highlights some of the typical problems you might run into and offers possible solutions or workarounds for this kind of situation.
  • Page 929 Booting from a Floppy Disk Create a boot floppy and boot from floppy disk instead of CD or DVD. Using an External Boot Device If it is supported by the machine's BIOS and the installation kernel, boot for installation from external CD or DVD drives. Network Boot via PXE If a machine lacks a CD or DVD drive, but provides a working ethernet connection, perform a completely network-based installation.
  • Page 930 verbose 1 in syslinux.cfg for the boot loader to display which action is currently being performed. If the machine does not boot from the floppy disk, you may need to change the boot sequence in the BIOS to A,C,CDROM. External Boot Devices Most CD-ROM drives are supported.
  • Page 931 appears, look for a line, usually below the counter or somewhere at the bottom, mentioning the key to press to access the BIOS setup. Usually the key to press is Del, F1, or Esc. Press this key until the BIOS setup screen appears. Procedure 51.1 Changing the BIOS Boot Sequence 1 Enter the BIOS using the proper key as announced by the boot routines and wait for the BIOS screen to appear.
  • Page 932 7 Exit this screen and confirm with Yes to boot the computer. Regardless of what language and keyboard layout your final installation will be using, most BIOS configurations use the US keyboard layout as depicted in the following figure: Figure 51.1 US Keyboard Layout &...
  • Page 933 If this fails, proceed as above, but choose Installation--Safe Settings instead. This option disables ACPI and DMA support. Most hardware should boot with this option. If both of these options fail, use the boot options prompt to pass any additional parameters needed to support this type of hardware to the installation kernel.
  • Page 934 If unexplainable errors occur when the kernel is loaded or during the installation, select Memory Test in the boot menu to check the memory. If Memory Test returns an error, it is usually a hardware error. 51.2.6 Fails to Launch Graphical Installer After you insert the first CD or DVD into your drive and reboot your machine, the installation screen comes up, but after you select Installation, the graphical installer does not start.
  • Page 935 2 Enter the following text at the boot options prompt: vnc=1 vncpassword=some_password Replace some_password with the password to use for installation. 3 Select Installation then press Enter to start the installation. Instead of starting right into the graphical installation routine, the system continues to run in text mode then halts, displaying a message containing the IP address and port number at which the installer can be reached via a browser interface or a VNC viewer application.
  • Page 936: Boot Problems

    Although the text boot screen looks minimalistic, it provides nearly the same functionality as the graphical one: Boot Options Unlike the graphical interface, the different boot options cannot be selected using the cursor keys of your keyboard. The boot menu of the text mode boot screen offers some keywords to enter at the boot prompt.
  • Page 937 5 Accept the license agreement. 6 In the Installation Mode screen, select Other and set the installation mode to Repair Installed System. 7 Once in the YaST System Repair module, select Expert Tools then select Install New Boot Loader. 8 Restore the original settings and reinstall the boot loader. 9 Leave YaST System Repair and reboot the system.
  • Page 938: Login Problems

    IMPORTANT Do not edit the runlevel configuration manually. Otherwise SuSEconfig (run by YaST) will overwrite these changes on its next run. If you need to make manual changes here, disable future SuSEconfig changes by setting CHECK_INITTAB in /etc/sysconfig/suseconfig to no. If the runlevel is set to 5, you might have corruption problems with your desktop or X Windows software.
  • Page 939 • DNS is not working at the moment (which prevents GNOME or KDE from working and the system from making validated requests to secure servers). One indication that this is the case is that the machine takes an extremely long time to respond to any action.
  • Page 940 Local user management can fail for the following reasons: • The user might have entered the wrong password. • The user's home directory containing the desktop configuration files is corrupted or write protected. • There might be problems with the X Window System authenticating this particular user, especially if the user's home directory has been used with another Linux distribution prior to installing the current one.
  • Page 941 6 If the desktop could not start because of corrupt configuration files, proceed with Section 51.4.3, “Login Successful but GNOME Desktop Fails” (page 924) or Section 51.4.4, “Login Successful but KDE Desktop Fails” (page 925). The following are some common reasons why network authentication for a particular user might fail on a specific machine: •...
  • Page 942 log/messages file. Locate the time stamps that correspond to the login attempts and determine if PAM has produced any error messages. 5 Try to log in from a console (using Ctrl + Alt + F1). If this is successful, the blame cannot be put on PAM or the directory server on which the user's home is hosted, because it is possible to authenticate this user on this machine.
  • Page 943 causes GNOME to initialize a new one. Although the user is forced to reconfigure GNOME, no data is lost. 1 Switch to a text console by pressing Ctrl + Alt + F1. 2 Log in with your username. 3 Move the user's GNOME configuration directories to a temporary location: mv .gconf .gconf-ORIG-RECOVER mv .gnome2 .gnome2-ORIG-RECOVER...
  • Page 944: Network Problems

    Replace user with the actual username. Removing these two directories just removes the corrupted cache files. No real data is harmed using this procedure. Corrupted desktop configuration files can always be replaced with the initial configuration files. If you want to recover the user's adjustments, carefully copy them back from their temporary location after the configuration has been restored using the default configuration values.
  • Page 945 be a network problem of some kind. This section introduces a simple check list you can apply to identify the cause of any network problem encountered. When checking the network connection of your machine, proceed as follows: 1 If using an ethernet connection, check the hardware first. Make sure that your network cable is properly plugged into your computer.
  • Page 946 Samba (File Service) If any application needed data stored in a directory on a Samba server, it would not be able to start or function properly if this service was down. NIS (User Management) If your SUSE Linux Enterprise system relied on a NIS server to provide the user data, users would not be able to log in to this machine if the NIS service was down.
  • Page 947 from another machine. If you can reach your machine from another machine, it is the server that is not running at all or not configured correctly. If ping fails with unknown host, the name service is not configured correctly or the hostname used was incorrect. Use ping -n ipaddress to try to connect to this host without name service.
  • Page 948 hosts: files dns networks: files dns The dns entry is vital. It tells Linux to use an external name server. Normally, these entries are automatically made by YaST, but it never hurts to check. If all the relevant entries on the host are correct, let your system administrator check the DNS server configuration for the correct zone information.
  • Page 949: Data Problems

    51.5.1 NetworkManager Problems If you have a problem with network connectivity, narrow it down as described in (page 927). If NetworkManager seems to be the culprit, proceed as follows to get logs providing hints on why NetworkManager fails: 1 Open a shell and log in as root. 2 Restart NetworkManager: rcnetwork restart -o nm 3 Open a Web page, for example,...
  • Page 950 2a Select Profile Management > Add. 2b Enter a name for the archive. 2c Enter the path to the location of the backup if you want to keep a local backup. For your backup to be archived on a network server (via NFS), enter the IP address or name of the server and the directory that should hold your archive.
  • Page 951 5 Decide whether to keep old backups and how many should be kept. To receive an automatically generated status message of the backup process, check Send Summary Mail to User root. 6 Click OK to apply your settings and have the first backup start at the time specified.
  • Page 952 51.6.3 Recovering a Corrupted System There are several reasons why a system could fail to come up and run properly. A corrupted file system after a system crash, corrupted configuration files, or a corrupted boot loader configuration are the most common ones. SUSE Linux Enterprise offers two different methods to cope with this kind of situation.
  • Page 953 Choose one of the repair modes as described above and proceed with the system repair as outlined in the following sections. Automatic Repair To start the automatic repair mode of YaST System Repair, proceed as follows: 1 Insert the first installation medium of SUSE Linux Enterprise into your CD or DVD drive.
  • Page 954 Figure 51.2 Automatic Repair Mode Partition Tables of All Hard Disks Checks the validity and coherence of the partition tables of all detected hard disks. Swap Partitions The swap partitions of the installed system are detected, tested, and offered for activation where applicable. The offer should be accepted for the sake of a higher system repair speed.
  • Page 955 Package Database This checks whether all packages necessary for the operation of a minimal installation are present. While it is optionally possible also to analyze the base packages, this takes a long time because of their vast number. 8 Whenever an error is encountered, the procedure stops and a dialog opens outlining the details and possible solutions.
  • Page 956 Not all test groups can be applied individually. The analysis of the fstab entries is always bound to an examination of the file systems, including existing swap partitions. YaST automatically resolves such dependencies by selecting the smallest number of necessary test runs. 8 Whenever an error is encountered, the procedure stops and a dialog opens outlining the details and possible solutions.
  • Page 957 Repair File System This checks the file systems of your installed system. You are first offered a selection of all detected partitions and can then choose the ones to check. Recover Lost Partitions It is possible to attempt to reconstruct damaged partition tables. A list of detected hard disks is presented first for selection.
  • Page 958 • Resize partitions using the parted command. Find more information about this tool at the Web site of GNU Parted (http://www.gnu.org/software/parted/parted.html). The rescue system can be loaded from various sources and locations. The simplest option is to boot the rescue system from the original installation CD or DVD: 1 Insert the installation medium into your CD or DVD drive.
  • Page 959 To see the system messages, either use the command dmesg or view the file /var/log/messages. Checking and Manipulating Configuration Files As an example for a configuration that might be fixed using the rescue system, imagine you have a broken configuration file that prevents the system from booting properly. You can fix this using the rescue system.
  • Page 960 utilities to check and repair the ext2, ext3, reiserfs, xfs, dosfs, and vfat file systems. Accessing the Installed System If you need to access the installed system from the rescue system to, for example, modify the boot loader configuration, or to execute a hardware configuration utility, you need to do this in a “change root”...
  • Page 961 WARNING: Limitations Although you have full access to the files and applications of the installed sys- tem, there are some limitations. The kernel that is running is the one that was booted with the rescue system. It only supports essential hardware and it is not possible to add kernel modules from the installed system unless the kernel versions are exactly the same (which is unlikely).
  • Page 962: Ibm System Z: Using Initrd As A Rescue System

    4 Unmount the partitions, log out from the “change root” environment, and reboot the system: umount -a exit reboot 51.7 IBM System z: Using initrd as a Rescue System If the kernel of the SUSE® Linux Enterprise Server for IBM System z is upgraded or modified, it is possible to reboot the system accidentally in an inconsistent state, so standard procedures of IPLing the installed system fail.
  • Page 963 Select 4 Start Installation or System then 3 Start Rescue System to start the rescue system. Depending on the installation environment, you now must specify the parameters for the network adapter and the installation source. The rescue system is loaded and the following login prompt is shown at the end: Skipped services in runlevel 3: nfs nfsboot...
  • Page 964 2 After the adapter is activated, a disk can be configured. Do this with the following command: zfcp_disk_configure 0.0.4000 1234567887654321 8765432100000000 0.0.4000 is the previously-used channel ID, 1234567887654321 is the WWPN (World wide Port Number), and 8765432100000000 is the LUN (logical unit number).
  • Page 965 51.7.4 Changing to the Mounted File System For the zipl command to read the configuration file from the root device of the installed system and not from the rescue system, change the root device to the installed system with the chroot command: Example 51.2 chroot to the Mounted File System SuSE Instsys suse:/ # cd /mnt SuSE Instsys suse:/mnt # chroot /mnt...
  • Page 966 Finally, halt the rescue system with the halt command. The SUSE Linux Enterprise Server system can now be IPLed as described in Section 3.10.1, “IBM System z: IPLing the Installed System” (page 30).
  • Page 967: Index
