Summary of Contents for Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION
SUSE Linux Enterprise Server 10 SP3 www.novell.com Installation and Administration October 27, 2009...
That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.
Contents About This Guide Part I Deployment 1 Planning for SUSE Linux Enterprise Considerations for Deployment of a SUSE Linux Enterprise ..Deployment of SUSE Linux Enterprise ....Running SUSE Linux Enterprise .
3.13 Performing the Installation ..... 3.14 Configuration of the Installed System ....3.15 Graphical Login .
8.14 SaX2 ......8.15 Troubleshooting ......8.16 For More Information .
14.7 Mounting an OCFS2 Volume ....14.8 Additional Information ..... 15 Access Control Lists in Linux 15.1 Traditional File Permissions .
Part III System 19 32-Bit and 64-Bit Applications in a 64-Bit System Environment 19.1 Runtime Support ......19.2 Software Development .
24 Dynamic Kernel Device Management with udev 24.1 The /dev Directory ..... 24.2 Kernel uevents and udev ..... 24.3 Drivers, Kernel Modules, and Devices .
Part IV Services 30 Basic Networking 30.1 IP Addresses and Routing ..... 30.2 IPv6—The Next Generation Internet ....30.3 Name Resolution .
35 Using NIS 35.1 Configuring NIS Servers ..... 35.2 Configuring NIS Clients ..... 36 LDAP—A Directory Service 36.1 LDAP versus NIS .
40 The Apache HTTP Server 40.1 Quick Start ......40.2 Configuring Apache ..... 40.3 Starting and Stopping Apache .
48 Confining Privileges with AppArmor 48.1 Installing Novell AppArmor ....48.2 Enabling and Disabling Novell AppArmor ....
Part VI Troubleshooting 50 Help and Documentation 50.1 Using the SUSE Help Center ....50.2 Man Pages ......50.3 Info Pages .
About This Guide This guide is intended for use by professional network and system administrators during the actual planning, deployment, configuration, and operation of SUSE Linux Enterprise®. As such, it is solely concerned with ensuring that SUSE Linux Enterprise is properly configured and that the required services on the network are available to allow it to function properly as initially installed.
Security This edition of SUSE Linux Enterprise includes several security-related features. It ships with Novell® AppArmor, which enables you to protect your applications by restricting privileges. Secure login, firewalling, and file system encryption are covered as well. Troubleshooting SUSE Linux Enterprise includes a wealth of applications, tools, and documentation should you need them in case of trouble.
Novell AppArmor Administration Guide An in-depth administration guide to Novell AppArmor that introduces application confinement for heightened security in your environment. Storage Administration Guide An introduction to managing various types of storage devices on SUSE Linux Enterprise. Heartbeat Guide An in-depth administration guide to setting up high availability scenarios with Heartbeat.
4 Documentation Conventions The following typographical conventions are used in this manual: • /etc/passwd: filenames and directory names • placeholder: replace placeholder with the actual value • PATH: the environment variable PATH • ls, --help: commands, options, and parameters • user: users or groups •...
Xen 3.0 Virtualization Runs many virtual machines on a single server, each with its own instance of an operating system. For more information about this technology, see the virtualization manual on http://www.novell.com/documentation/sles10/index.html. YaST Several new configuration options have been developed for YaST.
• Microsoft Active Directory • OpenLDAP Novell AppArmor Harden your System with the Novell AppArmor technology. This service is described in depth in Novell AppArmor Administration Guide (↑Novell AppArmor Administration Guide). iSCSI iSCSI provides an easy and reasonably inexpensive solution for connecting Linux computers to central storage systems.
Find the registration and patch support database at .novell.com/patches.html. • Do you need help for your local installation? Novell provides training, support, and consulting for all topics around SUSE Linux Enterprise. Find more information about this at http://www.novell.com/products/server/.
gies, network root file systems or network storage solutions like iSCSI should be considered. See also Chapter 12, Mass Storage over IP Networks—iSCSI (page 271). SUSE Linux Enterprise provides you with a broad variety of services. Find an overview of the documentation in this book in About This Guide (page xv).
Deployment Strategies There are several different ways to deploy SUSE® Linux Enterprise. Choose from various approaches ranging from a local installation using physical media or a network installation server to a mass deployment using a remote-controlled, highly-customized, and automated installation technique. Select the method that best matches your requirements.
Table 2.1 Installing from the SUSE Linux Enterprise Media Installation Source SUSE Linux Enterprise media kit Tasks Requiring Manual Interaction • Inserting the installation media • Booting the installation target • Changing media • Determining the YaST installation scope •...
Table 2.3 Installing from a Network Server Installation Source Network installation server holding the SUSE Linux Enterprise installation media Tasks Requiring Manual Interaction • Inserting the boot disk • Providing boot options • Booting the installation target • Determining the YaST installation scope •...
Simple Remote Installation via VNC—Dynamic Network Configuration (page 11) Consider this approach in a small to medium scenario with dynamic network setup through DHCP. A network, network installation server, and VNC viewer application are required. Remote Installation via VNC—PXE Boot and Wake on LAN (page 12) Consider this approach in a small to medium scenario that should be installed via network and without physical interaction with the installation targets.
Table 2.4 Simple Remote Installation via VNC—Static Network Configuration Installation Source Network Preparations • Setting up an installation source • Booting from the installation media Control and Monitoring Remote: VNC Best Suited For small to medium scenarios with varying hardware Drawbacks •...
Details Section 4.1.2, “Simple Remote Installation via VNC—Dynamic Network Configuration” (page 49) Table 2.6 Remote Installation via VNC—PXE Boot and Wake on LAN Installation Source Network Preparations • Setting up the installation source • Configuring DHCP, TFTP, PXE boot, and WOL •...
• Low bandwidth connections to target Drawbacks • Each machine must be set up individually • Physical access is needed for booting Details Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration” (page 52) Table 2.8 Remote Installation via SSH—Dynamic Network Configuration Installation Source Network Preparations...
• Configuring DHCP, TFTP, PXE boot, and WOL • Booting from the network Control and Monitoring Remote: SSH Best Suited For • Small to medium scenarios with varying hardware • Completely remote installs; cross-site deployment • Low bandwidth connections to target Drawbacks Each machine must be set up individually Details...
Best Suited For • Large scenarios • Identical hardware • No access to system (network boot) Drawbacks Applies only to machines with identical hardware Details Section 5.1, “Simple Mass Installation” (page 85) Table 2.11 Rule-Based Autoinstallation Installation Source Preferably network Preparations •...
Details Section 5.2, “Rule-Based Autoinstallation” (page 97) 2.3 Deploying More than 100 Workstations Most of the considerations brought up for medium installation scenarios in Section 2.1, “Deploying up to 10 Workstations” (page 7) still hold true for large scale deployments. However, with a growing number of installation targets, the benefits of a fully automated installation method outweigh its disadvantages.
Installation with YaST After your hardware has been prepared for the installation of SUSE Linux Enterprise® as described in the Architecture-Specific Information manual and after the connection with the installation system has been established, you are presented with the interface of SUSE Linux Enterprise's system assistant YaST.
3.2 IBM System z: System Start-Up for Installation For IBM System z platforms, the system is initialized (IPL) as described in the Architecture-Specific Information manual. SUSE Linux Enterprise does not show a splash screen on these systems. During the installation, load the kernel, initrd, and parmfile manually.
Table 3.1 Boot Options Boot Option Description DVD/CD-ROM This is the easiest boot option. This option can be used if the system has a local CD/DVD-ROM drive that is supported by Linux. Floppy The images for generating boot floppies are located on CD/DVD 1 in the /boot directory.
The installation program retrieves the location of the network installation source using OpenSLP and configures the network connection with DHCP. If the DHCP network configuration fails, you are prompted to enter the appropriate parameters manually. The installation then proceeds as described below. 3.3.4 Installing from a Network Source without SLP If your network setup does not support OpenSLP for the retrieval of network installation...
Installation The normal installation mode. All modern hardware functions are enabled. Installation—ACPI Disabled If the normal installation fails, this might be due to the system hardware not supporting ACPI (advanced configuration and power interface). If this seems to be the case, use this option to install without ACPI support.
F2 Language Select the display language for the installation. The default language is English. F3 Video Mode Select various graphical display modes for the installation. Select Text Mode if the graphical installation causes problems. F4 Source Normally, the installation is performed from the inserted installation medium. Here, select other sources, like FTP or NFS servers.
smturl URL of the SMT server. The URL has the fixed format https://FQN/center/regsvc/, where FQN is the fully qualified hostname of the SMT server. Example: smturl=https://smt.example.com/center/regsvc/ smtcert Location of the SMT server's certificate. Specify one of the following locations: Remote location (http, https or ftp) from which the certificate can be downloaded.
smtcert has been entered, you will be prompted for a local path to the certificate. In case smtcert is not specified, it will default to http://FQN/smt.crt with FQN being the name of the SMT server. 3.6 Language YaST and SUSE Linux Enterprise in general can be configured to use different languages according to your needs.
Figure 3.1 IBM System z: Selecting a DASD Now specify the DASDs to use for the installation by selecting the corresponding entries in the list then clicking Select or Deselect. After that, activate and make the DASDs available for the installation by selecting Perform Action > Activate. See Figure 3.2, “IBM System z: Activating a DASD”...
Figure 3.3 IBM System z: Overview of Available zFCP Disks To use zFCP disks for the SUSE Linux Enterprise installation, select Configure zFCP Disks in the selection dialog. This opens a dialog with a list of the zFCP disks available on the system.
After adding the disks, reread the partition table. Return to the installation proposal screen and choose Partitioning then select Reread Partition Table. This reads the new partition table and resets any previously entered information. 3.8 Media Check The media check dialog appears only if you install from media created from downloaded ISOs.
3.10 Installation Mode After a system analysis where YaST tries to find other installed systems or an already existing SUSE Linux Enterprise system on your machine, YaST displays the installation modes available: New installation Select this option to start a new installation from scratch. Update an existing system Select this option to update to a newer version.
are available, such as CD, FTP, or a local directory. After adding the add-on media, you may need to agree to additional license agreements for third-party products. 3.11 Clock and Time Zone In this dialog, select your region and time zone from the lists. During installation, both are preselected according to the selected installation language.
Figure 3.4 Installation Settings TIP: Resetting the changes to default values You can reset all changes to the defaults by clicking Change > Reset to Defaults. YaST then shows the original proposal again. 3.12.1 Overview The options that sometimes need manual intervention in common installation situations are presented in the Overview tab.
►zseries: On the IBM System z platforms, the installation is performed from a remote terminal. The host as such has no keyboard or mouse locally connected to it. ◄ Partitioning In most cases, YaST proposes a reasonable partitioning scheme that can be accepted without change.
or Office software). For a more detailed selection based on software packages to install, select Details to switch to the YaST Software Manager. See Figure 3.5, “Installing and Removing Software with the YaST Software Manager” (page 32). Figure 3.5 Installing and Removing Software with the YaST Software Manager You can also install additional software packages or remove software packages from your system at any time later.
3.12.2 Expert If you are an advanced user and want to configure booting or change the time zone or default runlevel, select the Expert tab. It shows the following additional entries not contained on the Overview tab: System This dialog presents all the hardware information YaST could obtain about your computer.
3.13 Performing the Installation After making all installation settings, click Accept in the suggestion window to begin the installation. Confirm with Install. Some software may require a license confirmation. If your software selection includes such software, license confirmation dialogs are displayed.
z/VM Installation Log in to the VM guest (see Example “Configuration of a z/VM Directory” (↑Architecture-Specific Information) for the configuration) as LINUX1 and proceed to IPL the installed system: IPL 151 CLEAR 151 is an example address of the DASD boot device, replace this value with the correct address.
http://<IP of installed system>:5801/ Using X to Connect When IPLing the installed system, make sure that the X server used for the first phase of the installation is up and still available before booting from the DASD. YaST opens on this X server to finish the installation. Complications may arise if the system is booted up but unable to connect to the X server in a timely fashion.
First, provide a password for the account of the system administrator (the root user). Configure your Internet access and network connection. With a working Internet connection, you can perform an update of the system as part of the installation. You can also connect to an authentication server for centralized user administration in a local network.
In many networks, the system receives its name over DHCP. In this case it is not necessary to modify the hostname and domain name. Select Change Hostname via DHCP instead. To be able to access your system using this hostname, even when it is not connected to the network, select Write Hostname to /etc/hosts.
Apart from the device configuration, the following network settings can be configured in this step: Network Mode Enable or disable the use of NetworkManager as described above. Firewall By default SuSEfirewall2 is enabled on all configured network interfaces. To globally disable the firewall for this computer, click on disable. If the firewall is enabled, you may open the SSH port in order to allow remote connections via secure shell.
Configuration To get technical support and product updates, first register and activate your product. Novell Customer Center Configuration provides assistance for doing so. If you are offline or want to skip this step, select Configure Later. This also skips SUSE Linux Enterprise online update.
.com/support/products/linuxenterpriseserver/. 3.14.5 Online Update If the Novell Customer Center Configuration was successful, select whether to perform a YaST online update. If there are any patched packages available on the servers, download and install them now to fix known bugs or security issues. Directives on how to perform an online update in the installed system are available at Section 8.3.5, “YaST...
Figure 3.6 Proposed Setup for Network Services CA Management The purpose of a CA (certificate authority) is to guarantee a trust relationship among all network services communicating with each other. Without a CA, you can secure server communications with SSL and TLS separately for each individual service. By default, a CA is created and enabled during the installation.
3.14.7 Users If network access was configured successfully during the previous steps of the installation, you can now choose from several user management options. If a network connection has not been configured, create local user accounts. For detailed information about user management, see Section 8.9.1, “User Management”...
Along with the selected user administration method, you can use Kerberos authentication. This is essential for integrating your SUSE Linux Enterprise to an Active Directory domain, which is described in Section 37.6, “Samba Server in the Network with Active Directory” (page 713). To use Kerberos authentication, select Set Up Kerberos Authentication.
TIP: Resetting Hardware Configuration to Defaults You can cancel changes by clicking Change > Reset to Defaults. YaST then shows the original proposal again. 3.14.10 Completing the Installation After a successful installation, YaST shows the Installation Completed dialog. In this dialog, select whether to clone your newly installed system for AutoYaST.
Remote Installation SUSE Linux Enterprise® can be installed in several different ways. As well as the usual media installation covered in Chapter 3, Installation with YaST (page 17), you can choose from various network-based approaches or even take a completely hands-off approach to the installation of SUSE Linux Enterprise.
IMPORTANT The configuration of the X Window System is not part of any remote installation process. After the installation has finished, log in to the target system as root, enter telinit 3, and start SaX2 to configure the graphics hardware. 4.1.1 Simple Remote Installation via VNC—Static Network Configuration This type of installation still requires some degree of physical access to the target system...
2 Boot the target system using the first CD or DVD of the SUSE Linux Enterprise media kit. 3 When the boot screen of the target system appears, use the boot options prompt to set the appropriate VNC options and the address of the installation source. This is described in detail in Section 4.4, “Booting the Target System for Installation”...
• Controlling system with working network connection and VNC viewer software or Java-enabled browser (Firefox, Konqueror, Internet Explorer, or Opera) • Physical boot medium (CD, DVD, or custom boot disk) for booting the target system • Running DHCP server providing IP addresses To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server Holding the Installation Sources”...
4.1.3 Remote Installation via VNC—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. User interaction is only needed for the actual installation. This approach is suitable for cross-site deployments. To perform this type of installation, make sure that the following requirements are met: •...
5 Initiate the boot process of the target system using Wake on LAN. This is described in Section 4.3.7, “Wake on LAN” (page 75). 6 On the controlling workstation, open a VNC viewing application or Web browser and connect to the target system as described in Section 4.5.1, “VNC Installation”...
To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server Holding the Installation Sources” (page 56). Choose an NFS, HTTP, or FTP network server. For an SMB installation source, refer to Section 4.2.5, “Managing an SMB Installation Source”...
For this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection • Target system with working network connection • Controlling system with working network connection and working SSH client software •...
4.1.6 Remote Installation via SSH—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. To perform this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection •...
6 On the controlling workstation, start an SSH client and connect to the target system as described in Section 4.5.2, “SSH Installation” (page 83). 7 Perform the installation as described in Chapter 3, Installation with YaST (page 17). Reconnect to the target system after it reboots for the final part of the installation.
3 Select the server type (HTTP, FTP, or NFS). The selected server service is started automatically every time the system starts. If a service of the selected type is already running on your system and you want to configure it manually for the server, deactivate the automatic configuration of the server service with Do Not Configure Any Network Services.
Consider announcing your installation source via OpenSLP if your network setup supports this option. This saves you from entering the network installation path on every target machine. The target systems are just booted using the SLP boot option and find the network installation source without any further configuration.
To create a directory holding the installation data, proceed as follows: 1 Log in as root. 2 Create a directory that should later hold all installation data and change into this directory. For example: mkdir install/product/productversion cd install/product/productversion Replace product with an abbreviation of the product name and productversion with a string that contains the product name and version.
5 Select Add Host and enter the hostnames of the machines to which to export the installation data. Instead of specifying hostnames here, you could also use wild cards, ranges of network addresses, or just the domain name of your network. Enter the appropriate export options or leave the default, which works fine in most setups.
3 Create a configuration file called install.suse.nfs.reg containing the following lines: # Register the NFS Installation Server service:install.suse:nfs://$HOSTNAME/path_to_instsource/CD1,en,65535 description=NFS Installation Source Replace path_to_instsource with the actual path to the installation source on your server. 4 Save this configuration file and start the OpenSLP daemon with rcslpd start. For more information about OpenSLP, refer to the package documentation located under /usr/share/doc/packages/openslp/ or refer to Chapter 31, SLP Services in the Network (page 605).
2d Mount the contents of the installation repository into the change root environment of the FTP server: mount --bind path_to_instsource /srv/ftp/instsource Replace path_to_instsource and instsource with values matching your setup. If you need to make this permanent, add it to /etc/fstab. 2e Start vsftpd with vsftpd.
2 Configure the HTTP server to distribute the contents of your installation directory: 2a Install the Web server Apache as described in Section 40.1.2, “Installation” (page 746). 2b Enter the root directory of the HTTP server (/srv/www/htdocs) and create a subdirectory that will hold the installation sources: mkdir instsource Replace instsource with the product name.
3b Save this configuration file and start the OpenSLP daemon using rcslpd restart. 4.2.5 Managing an SMB Installation Source Using SMB, you can import the installation sources from a Microsoft Windows server and start your Linux deployment even with no Linux machine around. To set up an exported Windows Share holding your SUSE Linux Enterprise installation sources, proceed as follows: 1 Log in to your Windows machine.
4.2.6 Using ISO Images of the Installation Media on the Server Instead of copying physical media into your server directory manually, you can also mount the ISO images of the installation media into your installation server and use them as installation source. To set up an HTTP, NFS or FTP server that uses ISO images instead of media copies, proceed as follows: 1 Download the ISO images and save them to the machine to use as the installation server.
4.3 Preparing the Boot of the Target System This section covers the configuration tasks needed in complex boot scenarios. It contains ready-to-apply configuration examples for DHCP, PXE boot, TFTP, and Wake on LAN. 4.3.1 Setting Up a DHCP Server There are two ways to set up a DHCP server. For SUSE Linux Enterprise Server 9 and higher, YaST provides a graphical interface to the process.
8 Add another option (next-server) and set its value to the address of the TFTP server. 9 Select OK and Finish to complete the DHCP server configuration. To configure DHCP to provide a static IP address to a specific host, enter the Expert Settings of the DHCP server configuration module (Step 4 (page 66)) and add a new declaration of the host type.
group { # PXE related stuff # "next-server" defines the tftp server that will be used next-server ip_tftp_server; # "filename" specifies the pxelinux image on the tftp server # the server runs in chroot under /srv/tftpboot filename "pxelinux.0"; host test { hardware ethernet mac_address;...
5 Click Browse to browse for the boot image directory. The default directory /tftpboot is created and selected automatically. 6 Click Finish to apply your settings and start the server. Setting Up a TFTP Server Manually 1 Log in as root and install the packages tftp and xinetd. 2 If unavailable, create the /srv/tftpboot and /srv/tftpboot/pxelinux.cfg directories.
4.3.3 Using PXE Boot Some technical background information as well as PXE's complete specifications are available in the Preboot Execution Environment (PXE) Specification (http://www.pix.net/software/pxeboot/archive/pxespec.pdf). 1 Change to the directory of your installation repository and copy the linux, initrd, message, and memtest files to the /srv/tftpboot directory by entering the following: cp -a boot/loader/linux boot/loader/initrd boot/loader/message boot/loader/memtest /srv/tftpboot...
netdevice=interface This entry defines the client's network interface that must be used for the network installation. It is only necessary if the client is equipped with several network cards and must be adapted accordingly. In case of a single network card, this entry can be omitted.
# apic label apic kernel linux append initrd=initrd ramdisk_size=65536 apic insmod=e100 \ install=nfs://ip_instserver/path_instsource/product/CD1 # manual label manual kernel linux append initrd=initrd ramdisk_size=65536 manual=1 # rescue label rescue kernel linux append initrd=initrd ramdisk_size=65536 rescue=1 # memory test label memtest kernel memtest # hard disk label harddisk localboot 0 implicit...
If no configuration file is present or no DEFAULT entry is present in the configuration file, the default is the kernel name “linux” with no options. APPEND options... Add one or more options to the kernel command line. These are added for both automatic and manual boots.
LOCALBOOT type On PXELINUX, specifying LOCALBOOT 0 instead of a KERNEL option means invoking this particular label and causes a local disk boot instead of a kernel boot. Argument Description Perform a normal boot Perform a local boot with the Universal Network Driver Interface (UNDI) driver still resident in memory Perform a local boot with the entire PXE...
F10 can also be entered as F0. Note that there is currently no way to bind filenames to F11 and F12. 4.3.5 Preparing the Target System for PXE Boot Prepare the system's BIOS for PXE boot by including the PXE option in the BIOS boot order.
Users of SUSE Linux Enterprise Server 9 and higher can use a YaST module called WOL to easily configure Wake on LAN. Users of other versions of SUSE Linux-based operating systems can use a command line tool. 4.3.8 Wake on LAN with YaST 1 Log in as root.
4.4.1 Using the Default Boot Options The boot options are described in detail in Chapter 3, Installation with YaST (page 17). Generally, just selecting Installation starts the installation boot process. If problems occur, use Installation—ACPI Disabled or Installation—Safe Settings. For more information about troubleshooting the installation process, refer to Section 51.2, “Installation Problems”...
Purpose Available Options Default Value Select the installation • CD-ROM or DVD CD-ROM or DVD source • SLP • FTP • HTTP • NFS • SMB • Hard Disk Apply driver update Driver None disk 4.4.3 Using Custom Boot Options Using the appropriate set of boot options helps facilitate your installation procedure.
Table 4.2 Installation (Boot) Scenarios Used in This Chapter Installation Scenario Parameters Needed Boot Options for Booting Chapter 3, Installation None: system boots au- None needed with YaST (page 17) tomatically Section 4.1.1, “Simple • Location of the in- • install=(nfs,http, Remote Installation via stallation server ftp,smb)://path_to...
Installation Scenario Parameters Needed Boot Options for Booting Section 4.1.4, “Simple • Location of the in- • install=(nfs,http, Remote Installation via stallation server ftp,smb)://path_to SSH—Static Network • Network device _instmedia Configuration” (page 52) • IP address • netdevice=some • Netmask _netdevice (only need- •...
TIP: More Information about linuxrc Boot Options Find more information about the linuxrc boot options used for booting a Linux system in /usr/share/doc/packages/linuxrc/linuxrc.html. 4.5 Monitoring the Installation Process There are several options for remotely monitoring the installation process. If the proper boot options have been specified while booting for installation, either VNC or SSH can be used to control the installation and system configuration from a remote workstation.
1 Start the KDE file and Web browser Konqueror. 2 Enter service://yast.installation.suse in the location bar. The target system then appears as an icon in the Konqueror screen. Clicking this icon launches the KDE VNC viewer in which to perform the installation. Alternatively, run your VNC viewer software with the IP address provided and add :1 at the end of the IP address for the display the installation is running on.
1 Launch your preferred Web browser. 2 Enter the following at the address prompt: http://ip_address_of_target:5801 3 Enter your VNC password when prompted to do so. The browser window now displays the YaST screens as in a normal local installation. 4.5.2 SSH Installation Using SSH, you can remotely control the installation of your Linux machine using any SSH client software.
Page 102
4 When prompted for the password, enter the password that has been set with the SSH boot option. After you have successfully authenticated, a command line prompt for the installation target appears. 5 Enter yast to launch the installation program. A window opens showing the normal YaST screens as described in Chapter 3, Installation with YaST (page 17).
Automated Installation AutoYaST allows you to install SUSE® Linux Enterprise on a large number of machines in parallel. The AutoYaST technology offers great flexibility to adjust deployments to heterogeneous hardware. This chapter tells you how to prepare a simple automated installation and lay out an advanced scenario involving different hardware types and installation purposes.
Page 104
4 Determine and set up the boot scenario for autoinstallation as described in Section 5.1.4, “Setting Up the Boot Scenario” (page 91). 5 Pass the command line to the installation routines by adding the parameters manually or by creating an info file as described in Section 5.1.5, “Creating the info File”...
Page 105
3 Select Tools > Create Reference Control File to prepare AutoYaST to mirror the current system configuration into an AutoYaST profile. 4 As well as the default resources, like boot loader, partitioning, and software selection, you can add various other aspects of your system to the profile by checking the items in the list in Create a Reference Control File.
Page 106
Figure 5.1 Editing an AutoYaST Profile with the AutoYaST Front-End 5.1.2 Distributing the Profile and Determining the autoyast Parameter The AutoYaST profile can be distributed in several different ways. Depending on the protocol used to distribute the profile data, different AutoYaST parameters are used to make the profile location known to the installation routines on the client.
Page 107
Profile Location | Parameter | Description

(continued) ... autoinst.xml if in the top directory of a CD-ROM).

Device | autoyast=device://path | Makes the installation routines look for the control file on a storage device. Only the device name is needed—/dev/sda1 is wrong, use sda1 instead.

Floppy | autoyast=floppy://path | Makes the installation routines...
Page 108
Profile Location | Parameter | Description

TFTP | autoyast=tftp://server/path | Has the installation routines retrieve the control file from a TFTP server.

FTP | autoyast=ftp://server/path | Has the installation routines retrieve the control file from an FTP server.

Replace the server and path placeholders with values matching your actual setup. AutoYaST includes a feature that allows binding certain profiles to the client's MAC address.
Page 109
4. If the MAC address–named file cannot be found, YaST searches for a file named default (in lowercase).

An example sequence of addresses where YaST searches for the AutoYaST profile looks as follows:

  C000025B
  C000025
  C00002
  C0000
  C000
  0080C8F6484C
  default

5.1.3 Providing the Installation Data
The installation data can be provided by means of the product CDs or DVDs or using a network installation source.
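The lookup order above decides which profile a client actually installs: the first matching file wins, and a short name such as C000 is served to every client whose address starts with 192.0. The following added example (not code from the SLES manual or from AutoYaST itself) reproduces that candidate list for an IP/MAC pair and reports which file a given profile directory would serve. It assumes the ordering as the text describes it: the hex IP address, shortened one digit at a time, then the MAC address without separators, then default; the sample directory and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the SLES manual): reproduce the order in which an
# AutoYaST client asks the profile server for its control file, and report which
# candidate a given profile directory would actually serve.
# Assumption (from the text): hex IP address, shortened one digit at a time,
# then the MAC address without separators, then "default".

# Print the candidate file names for an IP/MAC pair, one per line, in lookup order.
autoyast_candidates() {
    ip=$1
    mac=$2
    # 192.0.2.91 -> C000025B: each octet as two uppercase hex digits
    save_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$save_ifs
    hexip=$(printf '%02X%02X%02X%02X' "$1" "$2" "$3" "$4")
    while [ -n "$hexip" ]; do
        printf '%s\n' "$hexip"
        hexip=${hexip%?}          # drop the last hex digit for the next candidate
    done
    # 00:80:C8:F6:48:4C -> 0080C8F6484C
    printf '%s\n' "$mac" | tr -d ':-' | tr 'abcdef' 'ABCDEF'
    printf '%s\n' default
}

# Print the first candidate that exists in profile directory $1 for client $2/$3.
# This is the profile the client will receive; a short name such as C000 matches
# every client in 192.0.0.0/16, so every file in the directory deserves review.
autoyast_effective_profile() {
    dir=$1
    for name in $(autoyast_candidates "$2" "$3"); do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Constructed demonstration: a profile directory with a /16-wide profile and a default.
demo_dir=$(mktemp -d)
touch "$demo_dir/C000" "$demo_dir/default"
autoyast_effective_profile "$demo_dir" 192.0.2.91 00:80:C8:F6:48:4C   # prints C000
autoyast_effective_profile "$demo_dir" 10.0.0.1 00:11:22:33:44:55     # prints default
rm -rf "$demo_dir"
```

Run against the real profiles directory on the server to see, per client, which file is in effect; a directory listing alone hides the fact that a one- or two-digit file name silently overrides the per-host and MAC-named profiles below it in the list.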
Page 110
natively, create your own custom CD-ROM holding both the installation sources and the AutoYaST profile. The following sections provide a basic outline of the procedures for network boot or boot from CD-ROM. Preparing for Network Boot Network booting with Wake on LAN, PXE, and TFTP is discussed in Section 4.1.3, “Remote Installation via VNC—PXE Boot and Wake on LAN”...
Page 111
Boot from SUSE Linux Enterprise Media, Get the Profile over the Network Use this approach if a totally network-based scenario is not possible (for example, if your hardware does not support PXE) and you have physical access to system to install during most of the process. You need: •...
Page 112
tion data and the profile itself might prove a good idea, especially if no network is available in your setup. 5.1.5 Creating the info File The installation routines at the target need to be made aware of all the different components of the AutoYaST framework.
Page 113
Keyword | Value

netmask | Netmask.
gateway | Gateway.
nameserver | Name server.
autoyast | Location of the control file to use for the automatic installation, such as autoyast=http://192.168.2.1/profiles/.
install | Location of the installation source, such as install=nfs://192.168.2.1/CDs/.
vnc | If set to 1, enables VNC remote controlled installation.
vncpassword | The password for VNC.
Page 114
The info data can be made available to linuxrc in various different ways: • As a file in the root directory of a floppy that is in the client's floppy drive at installation time. • As a file in the root directory of the initial RAM disk used for booting the system provided either from custom installation media or via PXE boot.
5.1.6 Initiating and Monitoring the Autoinstallation After you have provided all the infrastructure mentioned above (profile, installation source, and info file), you can go ahead and start the autoinstallation. Depending on the scenario chosen for booting and monitoring the process, physical interaction with the client may be needed: •...
Page 116
• Are the machines on your site of different hardware configuration (for example, using different devices or using different memory and disk sizes)? • Do you intend to install across different domains and need to distinguish between them? What rule-based autoinstallation does is, basically, generate a custom profile to match a heterogeneous scenario by merging several profiles into one.
Page 117
3 Determine the source of the AutoYaST profile and the parameter to pass to the installation routines as described in Section 5.1.2, “Distributing the Profile and Determining the autoyast Parameter” (page 88). 4 Determine the source of the SUSE Linux Enterprise installation data as described in Section 5.1.3, “Providing the Installation Data”...
Page 118
Figure 5.2 AutoYaST Rules (diagram: the rules.xml file in the AutoYaST directory maps Rule 1, Rule 2 and Rule 3 to the engineering profile, the sales profile and the print server profile, which the merge process assigns to the engineering department computers, the sales department laptops and the print server)

In a first step, use one of the methods outlined in Section 5.1.1, “Creating an AutoYaST Profile”...
Page 119
In the second step, create rules to distinguish the three hardware types from one another and to tell AutoYaST which profile to use. Use an algorithm similar to the following to set up the rules: 1. Does the machine have an IP of 192.168.27.11? Then make it the print server. 2.
        <operator>and</operator>
    </rule>
    <rule>
      <haspcmcia>
        <match>0</match>
        <match_type>exact</match_type>
      </haspcmcia>
      <result>
        <profile>engineering.xml</profile>
        <continue config:type="boolean">false</continue>
      </result>
    </rule>
  </rules>
</autoinstall>

When distributing the rules file, make sure that the rules directory resides under the profiles directory specified in the autoyast=protocol:serverip/profiles/ URL. AutoYaST looks for a rules subdirectory containing a file named rules.xml first then loads and merges the profiles specified in the rules file.
Deploying Customized Preinstallations Rolling out customized preinstallations of SUSE Linux Enterprise to a large number of identical machines spares you from installing each one of them separately and provides a standardized installation experience for the end users. With YaST firstboot, create customized preinstallation images and determine the workflow for the final personalization steps that involve end user interaction.
6.1 Preparing the Master Machine To prepare a master machine for a firstboot workflow, proceed as follows: 1 Insert the installation media into the master machine. 2 Boot the machine. 3 Perform a normal installation including all necessary configuration steps and wait for the installed machine to boot.
Page 123
• Customizing messages to the user as described in Section 6.2.1, “Customizing YaST Messages” (page 105). • Customizing licenses and license actions as described in Section 6.2.2, “Customizing the License Action” (page 106). • Customizing the release notes to display as described in Section 6.2.3, “Customizing the Release Notes”...
Page 124
2a Set FIRSTBOOT_WELCOME_DIR to the directory path where you want to store the files containing the welcome message and the localized versions, for example: FIRSTBOOT_WELCOME_DIR="/usr/share/firstboot/" 2b If your welcome message has filenames other than welcome.txt and welcome_locale.txt (where locale matches the ISO 639 language codes such as “cs”...
Page 125
6.2.3 Customizing the Release Notes Depending on whether you have changed the instance of SUSE Linux Enterprise you are deploying with firstboot, you probably need to educate the end users about important aspects of their new operating system. A standard installation uses release notes, displayed during one of the final stages of the installation, to provide important information to the users.
Page 126
• root Password
• User Authentication Method
• User Management
• Hardware Configuration
• Finish Setup

This standard layout of a firstboot installation workflow is not mandatory. You can enable or disable certain components or hook your own modules into the workflow. To modify the firstboot workflow, manually edit the firstboot configuration file /etc/YaST2/firstboot.xml.
Page 127
The mode of this proposal. Do not make any changes here. For a firstboot installation, this must be set to installation. The stage of the installation process at which this proposal is invoked. Do not make any changes here. For a firstboot installation, this must be set to firstboot.
Page 128
enable_next
  Include the Next button in all dialogs.
archs
  Specify the hardware architectures on which this workflow should be used.

Example 6.3 Configuring the List of Workflow Components

<modules config:type="list">
  <module>
    <label>Language</label>
    <enabled config:type="boolean">false</enabled>
    <name>firstboot_language</name>
  </module>
</modules>

<modules>
  The container for all components of the workflow.
<module>
  The module definition.
Page 129
• To change the order of proposals, move the respective module elements containing the proposal screens around in the workflow. Note that there may be dependencies to other installation steps that require a certain order of proposals and workflow components. 3 Apply your changes and close the configuration file.
Page 130
TIP: For More Information
For more information about YaST development, refer to http://developer.novell.com/wiki/index.php/YaST.

6.2.5 Configuring Additional Scripts
firstboot can be configured to execute additional scripts after the firstboot workflow has been completed. To add additional scripts to the firstboot sequence, proceed as...
6.3 Cloning the Master Installation Clone the master machine's disk using any of the imaging mechanisms available to you and roll these images out to the target machines. 6.4 Personalizing the Installation As soon as the cloned disk image is booted, firstboot starts and the installation proceeds exactly as laid out in Section 6.2.4, “Customizing the Workflow”...
Advanced Disk Setup Sophisticated system configurations require particular disk setups. All common partitioning tasks can be done with YaST. To get persistent device naming with block devices, use the block devices below /dev/disk/by-id/. Logical Volume Management (LVM) is a disk partitioning scheme that is designed to be much more flexible than the physical partitioning used in standard setups.
Page 134
7.1.1 The Logical Volume Manager The Logical Volume Manager (LVM) enables flexible distribution of hard disk space over several file systems. It was developed because sometimes the need to change the segmentation of hard disk space arises only after the initial partitioning during installation has already been done.
Page 135
between different logical volumes need not be aligned with any partition border. See the border between LV 1 and LV 2 in this example. LVM features: • Several hard disks or partitions can be combined in a large logical volume. •...
7.1.2 LVM Configuration with YaST The YaST LVM configuration can be reached from the YaST Expert Partitioner (see Section 8.5.7, “Using the YaST Partitioner” (page 155)). This partitioning tool enables you to edit and delete existing partitions and create new ones that should be used with LVM.
Page 137
Configuring Physical Volumes Once a volume group has been created, the following dialog lists all partitions with either the “Linux LVM” or “Linux native” type. No swap or DOS partitions are shown. If a partition is already assigned to a volume group, the name of the volume group is shown in the list.
Page 138
Configuring Logical Volumes After the volume group has been filled with physical volumes, define the logical volumes the operating system should use in the next dialog. Set the current volume group in a selection box to the upper left. Next to it, the free space in the current volume group is shown.
Page 139
If, for example, only two physical volumes are available, a logical volume with three stripes is impossible. WARNING: Striping YaST has no chance at this point to verify the correctness of your entries concerning striping. Any mistake made here is apparent only later when the LVM is implemented on disk.
Page 140
partitioning. It shows the existing physical volumes and logical volumes in two lists and you can manage your LVM system using the methods already described. 7.1.3 Storage Management with EVMS The Enterprise Volume Management System 2 (EVMS2) is a rich, extensible volume manager with built-in cluster awareness.
Disks This is the lowest level of device. All devices that may be accessed as a physical disk are treated as disks. Segments Segments consist of partitions and other memory regions on a disk, such as the master boot record (MBR). Containers These are the counterparts of volume groups in LVM.
larger number of hard disks in a more effective way than the IDE protocol and is more suitable for parallel processing of commands. There are some RAID controllers that support IDE or SATA hard disks. Soft RAID provides the advantages of RAID systems without the additional cost of hardware RAID controllers.
Page 143
RAID 2 and RAID 3 These are not typical RAID implementations. Level 2 stripes data at the bit level rather than the block level. Level 3 provides byte-level striping with a dedicated parity disk and cannot service simultaneous multiple requests. Both levels are only rarely used.
Page 144
optimize the performance of RAID 0. After creating all the partitions to use with RAID, click RAID > Create RAID to start the RAID configuration. In the next dialog, choose between RAID levels 0, 1, and 5 (see Section 7.2.1, “RAID Levels”...
Figure 7.7 File System Settings

As with conventional partitioning, set the file system to use as well as encryption and the mount point for the RAID volume. After completing the configuration with Finish, see the /dev/md0 device and others indicated with RAID in the expert partitioner.

7.2.3 Troubleshooting
Check the file /proc/mdstat to find out whether a RAID partition has been destroyed.
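The troubleshooting note says to look at /proc/mdstat but not what to look for. The following added example (not code from the SLES manual) reads the mdstat text and reports arrays whose member status map shows a missing member and every device flagged failed; the sample mdstat content is constructed, and the functions take the text as an argument so they can be run against "$(cat /proc/mdstat)" on a live system.

```shell
#!/bin/sh
# Added example (not from the SLES manual): read /proc/mdstat and report arrays
# that are running degraded or have failed members, the condition the
# troubleshooting note tells you to look for. Works on a string argument
# so it can be exercised on the constructed sample below; pass "$(cat /proc/mdstat)"
# on a live system.

# Constructed sample: md0 healthy, md1 a RAID 5 running on two of three disks
# with sdc5 marked failed "(F)".
MDSTAT_SAMPLE='Personalities : [raid1] [raid5]
md0 : active raid1 sda1[0] sdb1[1]
      1048512 blocks [2/2] [UU]

md1 : active raid5 sda5[0] sdb5[1] sdc5[2](F)
      2097024 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]

unused devices: <none>'

# Print the names of arrays whose member status map (e.g. [UU_]) shows a
# missing member ("_"), one per line.
mdstat_degraded() {
    printf '%s\n' "$1" | awk '
        /^md[0-9]+ :/ { name = $1 }
        match($0, /\[[U_]+\]/) {
            if (substr($0, RSTART, RLENGTH) ~ /_/) print name
        }'
}

# Print "<array> <device>" for every member flagged failed with "(F)".
mdstat_failed_members() {
    printf '%s\n' "$1" | awk '
        /^md[0-9]+ :/ {
            for (i = 5; i <= NF; i++)
                if ($i ~ /\(F\)$/) {
                    dev = $i
                    sub(/\[.*$/, "", dev)       # strip the [index](F) suffix
                    print $1, dev
                }
        }'
}

mdstat_degraded "$MDSTAT_SAMPLE"          # prints md1
mdstat_failed_members "$MDSTAT_SAMPLE"   # prints md1 sdc5
```

Both functions print nothing for a healthy system, which makes them usable as a periodic check whose non-empty output is the alert.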
Page 146
• http://www.novell.com/documentation/sles10/stor_evms/data/bookinfo.html
• /usr/share/doc/packages/mdadm/Software-RAID.HOWTO.html
• http://en.tldp.org/HOWTO/Software-RAID-HOWTO.html

Linux RAID mailing lists are also available, such as http://marc.theaimsgroup.com/?l=linux-raid&r=1&w=2.
System Configuration with YaST In SUSE Linux Enterprise, YaST handles both the installation and configuration of your system. This chapter describes the configuration of system components (hardware), network access, and security settings, and administration of users. Find a short introduction to the text-based YaST interface in Section 8.12, “YaST in Text Mode”...
To start YaST in text mode on another system, use ssh root@<system-to-configure> to open the connection. Then start YaST with yast. To save time, the individual YaST modules can be started directly. To start a module, enter yast2 module_name. View a list of all module names available on your system with yast2 -l or yast2 --list.
Page 149
of the individual items usually consists of several steps. Press Next to proceed to the following step. The left frame of most modules displays the help text, which offers suggestions for configuration and explains the required entries. To get help in modules without a help frame, press F1 or choose Help.
8.3 Software 8.3.1 Installing and Removing Software To install, uninstall, and update software on your machine, use Software > Software Management. This opens a package manager dialog as shown in Figure 8.2, “YaST Package Manager” (page 132). Figure 8.2 YaST Package Manager In SUSE®...
uation, some of the possible status flags may not be available for selection. For example, a package that has not yet been installed cannot be set to “Delete.” View the available status flags with Help > Symbols. The font color used for various packages in the individual package window provides additional information.
Page 152
Click the status box at the beginning of a line to install or uninstall this pattern. Select a status directly by right-clicking the pattern and using the context menu. From the individual package overview to the right, which displays the packages included in the current pattern, select and deselect individual packages.
Page 153
Installing Source Packages A package containing the source files for the program is usually available. The sources are not needed for running the program, but you may want to install the sources to compile a custom version of the program. To install sources for the selected program, mark the check box in the Source column.
Searching for Packages, Applications, and Files To find a specific package, use the Search filter. Enter a search string and click Search. By specifying various search criteria, you can restrict the search to display a few or even only one package. You can also define special search patterns using wild cards and regular expressions in Search Mode.
Information about Packages Get information about the selected package with the tabs in the bottom right frame. If another version of the package is available, you get information about both versions. The Description tab with the description of the selected package is automatically active. To view information about package size, version, installation media, and other technical details, select Technical Data.
Page 156
If you click Check, located under the information window, the package manager checks if the current package selection results in any unresolved package dependencies or conflicts. In the event of unresolved dependencies, the required additional packages are selected automatically. For package conflicts, the package manager opens a dialog that shows the conflict and offers various options for solving the problem.
Page 157
Sources and choose the installation source to view. To view packages from a selected add-on by package groups, select the secondary filter Package Groups.

TIP: Creating Custom Add-On Products
Create your own add-on products with YaST Add-On Creator. Read about the YaST add-on creator at http://developer.novell.com/wiki/index.php/Creating_Add-On_Media_with_YaST. Find technical background information at http://developer.novell.com/wiki/index.php/Creating_Add-Ons.
To get technical support and product updates, your system must be registered and activated. If you skipped the registration during installation, register with the help of the Novell Customer Center Configuration module from Software. This dialog is the same as that described in Section 3.14.4, “Novell Customer Center Configuration” (page 40).
To install updates and improvements with YaST, run Software > Online Update. All new patches (except the optional ones) that are currently available for your system are already marked for installation. Clicking Accept automatically installs these patches. After the installation has completed, confirm with Finish. Your system is now up-to-date.
Page 160
Figure 8.4 YaST Online Update The patch display lists the available patches for SUSE Linux Enterprise. The patches are sorted by security relevance. The color of the patch name, as well as a pop-up window under the mouse cursor, indicate the security status of the patch: Security (red), Recommended (blue), or Optional (black).
If you install an up-to-date package from a catalog other than the update catalog, the requirements of a patch for this package may be fulfilled with this installation. In this case a check mark is displayed in front of the patch summary. The patch will be visible in the list until you mark it for installation.
8.3.7 Updating from a Patch CD NOTE On s390 systems, the Patch CD update option is not available. The Patch CD Update module from the Software section installs patches from CD, not from an FTP server. The advantage lies in a much faster update with CD. After the patch CD is inserted, all patches on the CD are displayed in the dialog.
Page 163
Additionally, you can use Delete Outdated Packages to remove packages that do not exist in the new version. By default, this option is preselected to prevent outdated packages from unnecessarily occupying hard disk space. Packages Click Packages to start the package manager and select or deselect individual packages for update.
In most cases, YaST replaces old versions with new ones without problems. A backup of the existing system should be performed prior to updating to ensure that existing configurations are not lost during the update. Conflicts can then be resolved manually after the update has finished.
Page 165
IMPORTANT: Model Designations If your model is not included in the device list, try a model with a similar designation. However, in some cases the model must match exactly, because similar designations do not always indicate compatibility. 8.4.1 Infrared Device Configure an infrared device with Hardware >...
Page 166
WARNING: Configuration of the Hard Disk Controller It is advised to test the settings before making them permanent in the system. Incorrect settings can prevent the system from booting. 8.4.5 Hardware Information Display detected hardware and technical data using Hardware > Hardware Information. Click any node of the tree for more information about a device.
Page 167
YaST To add a DASD to an installed system, use the YaST DASD module (Hardware > DASD). In the first screen, select the disks to make available to your Linux instal- lation and click Perform Action. Select Activate then leave the dialog with Next. Command Line Issue the following command: dasd_configure 0.0.0150 1 0...
Page 168
8.4.9 Joystick Configure a joystick connected to the sound card with Hardware > Joystick. Select your joystick type in the list provided. If your joystick is not listed, select Generic Analog Joystick. After selecting your joystick, make sure that it is connected then click Test to test the functionality.
Page 169
To configure your mouse for the text environment, use YaST in text mode. After entering text mode and selecting Hardware > Mouse Model, use the keyboard arrow keys to choose your mouse from the provided list. Then click Accept to save the settings and exit the module.
Page 170
2 In Sound Card Configuration, choose the configuration level in the first setup screen: Quick automatic setup You are not required to go through any of the further configuration steps and no sound test is performed. The sound card is configured automatically. Normal setup Adjust the output volume and play a test sound.
asound.conf and the ALSA configuration data is appended to the end of the files /etc/modprobe.d/sound and /etc/sysconfig/hardware. 8.5 System This group of modules is designed to help you manage your system. All modules in this group are system-related and serve as valuable tools for ensuring that your system runs properly and your data is managed efficiently.
Page 172
WARNING: System Restoration Because this module normally installs, replaces, or uninstalls many packages and files, use it only if you have experience with backups. Otherwise you may lose data. 8.5.3 Boot Loader Configuration To configure booting for systems installed on your computer, use the System > Boot Loader module.
8.5.7 Using the YaST Partitioner With the expert partitioner, shown in Figure 8.6, “The YaST Partitioner” (page 155), manually modify the partitioning of one or several hard disks. Partitions can be added, deleted, resized, and edited. Also access the soft RAID, EVMS, and LVM configuration from this YaST module.
Page 174
All existing or suggested partitions on all connected hard disks are displayed in the list of the YaST Expert Partitioner dialog. Entire hard disks are listed as devices without numbers, such as /dev/hda or /dev/sda (or /dev/dasda). Partitions are listed as parts of these devices, such as /dev/hda1 or /dev/sda1 (or /dev/dasda1, respectively).
number of logical partitions is 15 on SCSI, SATA, and Firewire disks and 63 on (E)IDE disks. It does not matter which types of partitions are used for Linux. Primary and logical partitions both work fine. TIP: Hard Disks with a GPT Disk Label For architectures using the GPT disk label, the number of primary partitions is not restricted.
Page 176
Editing a Partition When you create a new partition or modify an existing partition, set various parameters. For new partitions, suitable parameters are set by YaST and usually do not require any modification. To edit your partition setup manually, proceed as follows: 1 Select the partition.
Page 177
Mount Point Specify the directory at which the partition should be mounted in the file system tree. Select from various YaST proposals or enter any other name. 3 Select OK > Apply to activate the partition. Expert Options Expert opens a menu containing the following commands: Reread Partition Table Rereads the partitioning from disk.
Page 178
Example 8.1 /etc/fstab: Partition Data

/dev/sda1 /data1 auto noauto,user 0 0
/dev/sda5 /data2 auto noauto,user 0 0
/dev/sda6 /data3 auto noauto,user 0 0

The partitions, regardless of whether they are Linux or FAT partitions, are specified with the options noauto and user. This allows any user to mount or unmount these partitions as needed.
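The user option in Example 8.1 does more than allow unprivileged mounting: mount(8) documents that it implies nosuid, nodev and noexec, unless a later option on the same line (exec, suid, dev) switches that back on. The following added example (not code from the SLES manual) audits fstab text for user-mountable entries and flags those where the implied protections have been re-enabled; the fstab lines are constructed in the layout of Example 8.1, and the functions take the text as an argument so "$(cat /etc/fstab)" can be passed on a live system.

```shell
#!/bin/sh
# Added example (not from the SLES manual): audit /etc/fstab for entries that any
# user may mount. The "user" option implies nosuid, nodev and noexec, but a later
# "exec", "suid" or "dev" option on the same line re-enables that behaviour, which
# is worth knowing on removable or shared media. Runs on a string argument so the
# constructed sample below can be checked offline; use "$(cat /etc/fstab)" live.

# Constructed sample in the layout of Example 8.1, plus one weakened entry,
# one root-only entry and one "users" entry.
FSTAB_SAMPLE='# <device>  <mount point>  <type>  <options>            <dump> <pass>
/dev/sda1   /data1         auto    noauto,user          0      0
/dev/sda5   /data2         auto    noauto,user,exec     0      0
/dev/sda6   /data3         auto    defaults             0      0

/dev/sr0    /media/cdrom   auto    ro,noauto,users      0      0'

# Print "<mount point> <options>" for every entry mountable by ordinary users
# (option "user" or "users"); comment and blank lines are skipped.
fstab_user_mountable() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts dump pass; do
        case $dev in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,user,*|*,users,*) printf '%s %s\n' "$mnt" "$opts" ;;
        esac
    done
}

# Print the mount points where user mounting is combined with an explicit
# exec, suid or dev option, i.e. where the implied protections are switched off.
fstab_weakened_entries() {
    fstab_user_mountable "$1" | while read -r mnt opts; do
        case ",$opts," in
            *,exec,*|*,suid,*|*,dev,*) printf '%s\n' "$mnt" ;;
        esac
    done
}

fstab_user_mountable "$FSTAB_SAMPLE"   # /data1, /data2 and /media/cdrom
fstab_weakened_entries "$FSTAB_SAMPLE" # /data2
```

An entry reported by fstab_weakened_entries is not necessarily wrong, but it is the one to justify: with exec re-enabled, whatever a user places on that medium runs with the same rights as a program in the user's home directory.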
8.5.8 PCI Device Drivers TIP: IBM System z: Continuing For IBM System z, continue with Section 8.5.12, “System Services (Runlevel)” (page 162). Each kernel driver contains a list of device IDs of all devices it supports. If a new device is not in any driver's database, the device is treated as unsupported, even if it can be used with an existing driver.
To edit a PCI ID, select the device driver from the list and click Edit. Edit the information and click OK to save your changes. To delete an ID, select the driver and click Delete. The ID immediately disappears from the list. When finished, click OK. 8.5.9 Power Management The System >...
8.5.13 /etc/sysconfig Editor The directory /etc/sysconfig contains the files with the most important settings for SUSE Linux Enterprise. Use System > /etc/sysconfig Editor to modify the values and save them to the individual configuration files. Generally, manual editing is not necessary, because the files are automatically adapted when a package is installed or a service is configured.
Figure 8.8 Setting the Language Select the main language to use for your system in Primary Language. To adjust the keyboard or time zone to this setting, enable Adapt Keyboard Layout or Adapt Time Zone. Set how locale variables are set for the root user with Details. Also use Details to set the primary language to a dialect not available in the main list.
select it from the list then click Edit. If your device has not been detected, click Add and select it manually. To edit an existing device, select it then click Edit. For more detailed information, see Section 30.4, “Configuring a Network Connection with YaST” (page 565).
No Connection If you do not have access to the Internet and are not located in a network, you cannot send or receive e-mail. Activate virus scanning for your incoming and outgoing e-mail with AMaViS by selecting that option. The package is installed automatically as soon as you activate the mail filtering feature.
Page 185
Fetching Mail Configures mail pick-up from external mail accounts over various protocols. Mail Server Domains This determines for which domains the mail server should be responsible. At least one master domain must be configured if the server should not run as a null client used exclusively for sending mail without receiving any.
Page 186
name and domain name. If the provider has been configured correctly for DSL, modem, or ISDN access, the list of name servers contains the entries that were extracted automatically from the provider data. If you are located in a local network, you might receive your hostname via DHCP, in which case you should not modify the name.
Page 187
NFS Server With NFS, run a file server that all members of your network can access. This file server can be used to make certain applications, files, and storage space available to users. In NFS Server, you can configure your host as an NFS server and determine the directories to export for general use by the network users.
Page 188
WARNING: Configuring Network Services (xinetd) The composition and adjustment of network services on a system is a complex procedure that requires a comprehensive understanding of the concept of Linux services. The default settings are usually sufficient. Proxy Configure Internet proxy client settings in Proxy. Click Enable Proxy then enter the desired proxy settings.
Page 189
Samba Server In a heterogeneous network consisting of Linux and Windows hosts, Samba controls the communication between the two worlds. Information about Samba and the configuration of servers is provided in Chapter 37, Samba (page 703). SLP Server With service location protocol (SLP), you can configure clients in your network without knowledge of server names and services that these servers provide.
8.8 AppArmor Novell AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify which files each program may read, write, and execute. To enable or disable Novell AppArmor on your system, use AppArmor Control Panel.
Adding Users To add a new user, proceed as follows: 1 Click Add. 2 Enter the necessary data for User Data. If you do not need to adjust any more detailed settings for this new user, proceed to Step 5 (page 173). 3 To change a user's ID, home directory name, default home, group, group memberships, directory permissions, or login shell, open the Details tab and change the default values.
Page 192
3 Adjust the settings under User Data, Details, and Password Settings. 4 Save the user account configuration by clicking Accept. Managing Encrypted Home Directories You can create an encrypted home directory as part of the user account creation. To create an encrypted home directory for a user, proceed as follows: 1 Click Add.
Auto Login WARNING: Using Auto Login Using the auto login feature on any system that can be physically accessed by more than one person is a potential security risk. Any user accessing this system can manipulate the data on it. If your system contains confidential data, do not use the auto login functionality.
Page 194
Disabling User Login To create a system user that should not be able to log in to the system but under whose identity several system-related tasks should be managed, disable the user login when creating the user account. Proceed as follows: 1 Click Add.
Page 195
To change the password expiration policy for an existing user, proceed as follows: 1 Select the user from the list and click Edit. 2 Adjust the values in Password Settings. 3 Apply your settings with Accept. You can limit the lifetime of any user account by specifying a date of expiration for this particular account.
Several other security-related default settings can be changed using the Local Security module. Refer to Section 8.9.3, “Local Security” (page 179) for information. Changing the Password Encryption NOTE Changes in password encryption apply only to local users. SUSE Linux Enterprise can use DES, MD5, or Blowfish for password encryption. Strictly speaking these are one-way hash algorithms applied to the passwords stored in /etc/shadow: traditional DES crypt uses only the first eight characters of a password and a 12-bit salt, so choose it only where interoperability with old systems requires it. The default password encryption method is Blowfish.
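A quick way to see which of these schemes the accounts on a system actually use is the prefix of the hash field in /etc/shadow: a 13-character value with no "$" prefix is traditional DES, "$1$" is MD5 and "$2a$" is Blowfish. The following script is an added example and not part of the SLES manual; it classifies shadow entries this way and flags the settings an auditor wants to see (DES hashes, empty passwords, passwords that never expire). The shadow lines in it are constructed for the example, and the hash strings are placeholders of the right shape rather than real hashes.

```python
"""Classify the hash scheme of /etc/shadow entries and flag weak settings.

Added example for this section; not code from the SLES manual. The field
layout is the standard shadow(5) one: name:hash:lastchange:min:max:warn:...
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Prefixes used by crypt(3) on SLES 10: $1$ = MD5, $2a$ = Blowfish (bcrypt).
SCHEME_BY_PREFIX = {"$1$": "md5", "$2a$": "blowfish", "$2y$": "blowfish"}
# Traditional DES crypt: 2 salt chars + 11 hash chars, all from ./0-9A-Za-z.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample; the hash strings are shape-correct placeholders only.
SAMPLE_SHADOW = """\
root:$2a$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde:14500:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:14500:1:90:7:::
bob:AbCdEfGhIjKlM:14500:0:99999:7:::
svc:!:14500:0:99999:7:::
guest::14500:0:99999:7:::
"""


@dataclass
class ShadowAudit:
    user: str
    scheme: str                     # des, md5, blowfish, locked, empty, unknown
    findings: List[str] = field(default_factory=list)


def classify_hash(pwhash: str) -> str:
    """Return the scheme name for one shadow password field."""
    if pwhash == "":
        return "empty"
    if pwhash.startswith(("!", "*")):
        return "locked"             # account locked or password login disabled
    for prefix, name in SCHEME_BY_PREFIX.items():
        if pwhash.startswith(prefix):
            return name
    if DES_RE.fullmatch(pwhash):
        return "des"
    return "unknown"


def audit_shadow_line(line: str) -> Optional[ShadowAudit]:
    """Audit one shadow entry; None for lines that are not shadow entries."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5:
        return None
    user, pwhash, maxdays = fields[0], fields[1], fields[4]
    result = ShadowAudit(user, classify_hash(pwhash))
    if result.scheme == "empty":
        result.findings.append("empty password field: login without a password")
    elif result.scheme == "des":
        result.findings.append("DES crypt: only the first 8 password characters are used")
    elif result.scheme == "unknown":
        result.findings.append("unrecognised hash format")
    # Expiry only matters for accounts that can actually log in with a password.
    if result.scheme not in ("locked", "empty") and maxdays in ("", "99999"):
        result.findings.append("password never expires (max days unset or 99999)")
    return result


def audit_shadow(text: str) -> List[ShadowAudit]:
    return [a for a in map(audit_shadow_line, text.splitlines()) if a is not None]


if __name__ == "__main__":
    for entry in audit_shadow(SAMPLE_SHADOW):
        print(f"{entry.user:<8} {entry.scheme:<9} {'; '.join(entry.findings)}")
```

Run it as root against the real file with audit_shadow(open("/etc/shadow").read()); the DES finding is the one to act on before raising the minimum password length, since characters beyond the eighth are silently ignored under that scheme.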
Click Expert Options for advanced group management. Find more about these options in Section 8.9.1, “User Management” (page 172). 8.9.3 Local Security To apply a set of security settings to your entire system, use Security and Users > Local Security. These settings include security for booting, login, passwords, user creation, and file permissions.
over the network, enable Allow Remote Graphical Login. Because this access possibility represents a potential security risk, it is inactive by default. User Addition Every user has a numerical and an alphabetical user ID. The correlation between these is established using the file /etc/passwd and should be as unique as possible.
Virtualization makes it possible to run several operating systems on one physical machine. The hardware for the different systems is provided virtually. Virtualization YaST modules provide configuration for the Xen virtualization system. For more information about this technology, see the virtualization manual at http://www.novell.com/documentation/sles10/index.html.
8.11 Miscellaneous The YaST Control Center has several modules that cannot easily be classified into the first six module groups. They can be used for things like viewing log files and installing drivers from a vendor CD. 8.11.1 Custom Installation CD Creation With Miscellaneous >...
8.11.5 Release Notes The release notes are an important source about installation, update, configuration, and technical issues. The release notes are continuously updated and published through online update. Use Miscellaneous > Release Notes to view the release notes. 8.11.6 Start-Up Log View information concerning the start-up of the computer in Miscellaneous >...
/proc/iomem This displays the status of input/output memory. /proc/ioports This shows which I/O ports are in use at the moment. /proc/meminfo This displays memory status. /proc/modules This displays the individual modules. /proc/mounts This displays devices currently mounted. /proc/partitions This shows the partitioning of all hard disks. /proc/version This displays the current version of Linux.
8.12 YaST in Text Mode This section is intended for system administrators and experts who do not run an X server on their systems and depend on the text-based installation tool. It provides basic information about starting and operating YaST in text mode. When YaST is started in text mode, the YaST Control Center appears first.
Press Enter to start the desired module. Various buttons or selection fields in the module contain a letter with a different color (yellow by default). Use Alt + yellow_letter to select a button directly instead of navigating there with Tab . Exit the YaST Control Center by pressing Alt + Q or by selecting Quit and pressing Enter .
Figure 8.10 The Software Installation Module 8.12.2 Restriction of Key Combinations If your window manager uses global Alt combinations, the Alt combinations in YaST might not work. Keys like Alt or Shift can also be occupied by the settings of the terminal.
8.13 Managing YaST from the Command Line When a task only needs to be done once, the graphical or ncurses interface is usually the best solution. If a task needs to be done repeatedly, it might be easier to use the YaST command line interface.
GenProf, LogProf, SD_AddProfile, SD_DeleteProfile, SD_EditProfile, SD_Report, and subdomain These modules control or configure AppArmor. AppArmor has its own command line tools. 8.13.1 Managing Users The YaST commands for user management, unlike traditional commands, consider the configured authentication method and default user management settings of your system when creating, modifying, or removing users.
Example 8.3 Removing Multiple Users

#!/bin/bash
# the home directories will not be deleted;
# to delete them too, add the option delete_home
for i in `cat /tmp/users.txt`; do
    yast users delete username=$i
done

8.13.2 Configuring the Network and Firewall Network and firewall configuration commands are often wanted in scripts. Use yast lan for network configuration and yast firewall for firewall configuration.
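Example 8.3 feeds the output of cat straight into a for loop, so every whitespace-separated word in the file becomes a separate yast call and nothing in the file is checked before it reaches the command line. The following script is an added example, not code from the SLES manual: it reads the user list line by line, validates each name against the portable user-name rules, skips protected accounts, and hands yast an argument list so no shell re-parses the input. The command form "yast users delete username=NAME delete_home" is the one shown above; the PROTECTED set and the dry_run switch are this example's own assumptions.

```python
"""Validate a user list before handing it to 'yast users delete'.

Added example, not from the SLES manual. 'yast users delete username=NAME
[delete_home]' is the command form shown in Example 8.3; the protected
account list and the dry-run mode are assumptions made for this example.
"""
import re
import subprocess
from typing import Iterable, List, Tuple

# Portable user-name rule: lowercase letter or underscore first, then
# lowercase letters, digits, underscore or hyphen, at most 32 characters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Accounts a batch job must never remove (assumed list for the example).
PROTECTED = {"root", "bin", "daemon", "nobody"}


def validate_username(name: str) -> Tuple[bool, str]:
    """Return (ok, reason); reason is empty when the name is acceptable."""
    if not USERNAME_RE.fullmatch(name):
        return False, "not a portable user name"
    if name in PROTECTED:
        return False, "protected system account"
    return True, ""


def build_delete_command(name: str, delete_home: bool = False) -> List[str]:
    cmd = ["yast", "users", "delete", "username=" + name]
    if delete_home:
        cmd.append("delete_home")      # also removes the home directory
    return cmd


def plan_removals(lines: Iterable[str], delete_home: bool = False):
    """Split input lines into yast commands to run and (name, reason) rejects."""
    plan: List[List[str]] = []
    rejected: List[Tuple[str, str]] = []
    for raw in lines:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue                   # blank line or comment
        ok, reason = validate_username(name)
        if ok:
            plan.append(build_delete_command(name, delete_home))
        else:
            rejected.append((name, reason))
    return plan, rejected


def remove_users(lines: Iterable[str], delete_home: bool = False,
                 dry_run: bool = True):
    """Run (or, by default, only print) the planned yast commands."""
    plan, rejected = plan_removals(lines, delete_home)
    for cmd in plan:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)   # argument list: no shell involved
    for name, reason in rejected:
        print(f"skipped {name!r}: {reason}")
    return plan, rejected


if __name__ == "__main__":
    # Constructed input standing in for the lines of /tmp/users.txt.
    remove_users(["alice", "# old contractor", "root", "bob; rm -rf /", "tmp_user-2"])
```

To use it on the real list, pass open("/tmp/users.txt") as the lines argument and set dry_run=False only after reviewing the printed plan.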
8.14 SaX2 Configure the graphical environment of your system with Hardware > Graphics Card and Monitor. This opens the SUSE Advanced X11 Configuration interface (SaX2), where you can configure devices such as your mouse, keyboard, or display devices. This interface can also accessed from the GNOME main menu with Computer > More Applications >...
TIP: Autodetecting New Display Hardware If you change your display hardware after installation, use sax2 -r on the command line to cause SaX2 to detect your hardware. You must be root to run SaX2 from the command line. Graphics Card It is not possible to change the graphics card because only known models are supported and these are detected automatically.
Resolution and Color Depth The resolution and color depth can be chosen directly from two lists in the middle of the dialog. The resolution you select here marks the highest resolution to use. All common resolutions down to 640x480 are also added to the configuration automatically. Depending on the graphical desktop used, you can switch to any of these later without the need for reconfiguration.
detected screens, arranging all screens in a row from left to right. In the Arrangement part of the dialog, determine the way the monitors are arranged by selecting one of the sequence buttons. Click OK to close the dialog. TIP: Using a Beamer with Laptop Computers To connect a beamer to a laptop computer, activate dual head mode.
devices operated by the same driver are shown as one mouse. Activate or deactivate the currently selected mouse with the check box at the top of the dialog. Below the check box, see the current settings for that mouse. Normally, the mouse is detected automatically, but you can change it manually if the automatic detection fails.
without the need for reconfiguration. After you click OK, the changes are applied im- mediately. 8.14.4 Tablet Properties Use this dialog to configure a graphics tablet attached to your system. Click the Graphics Tablet tab to select vendor and model from the lists. Currently, only a limited number of graphics tablets is supported.
8.16 For More Information More information about YaST can be found on the following Web sites and directories: • /usr/share/doc/packages/yast2—Local YaST development documentation • http://www.opensuse.org/YaST_Development—The YaST project page in the openSUSE wiki • http://forge.novell.com/modules/xfmod/project/?yast—Another YaST project page
ZENworks package management tools use a ZENworks Linux Management server to download packages and updates. If no ZENworks Linux Management server is available in your local network, your system can get updates from the Novell Customer Center, which is described in Section 3.14.4, “Novell Customer Center Configuration” (page 40).
-s, --no-services Do not load initial services. -r, --no-remote Do not start remote services. ZMD configuration is stored in /etc/zmd/zmd.conf. You can change the configuration manually or with rug. The URL for the ZENworks service that zmd uses at initial start-up and a registration key are stored in /var/lib/zmd.
In case of an access denial to the update catalog you will see a warning message with a recommendation to visit the Novell Customer Center and check your subscription. The Novell Customer Center is available at http://www.novell.com/center/.
To remove a package, use rug rm package_name. If other packages depend on this package, rug displays their names, versions, and types. Confirm if you want to remove the package anyway. 9.1.4 rug User Management One of the main advantages of rug is its user management. Normally, only root can update or install new packages.
To give a user permission to update the system, use the rug ua username upgrade command. Replace username by the name of the user. To revoke the privileges of a user, use command rug ud username. To list users with their rights, use rug ul. To change the current privileges of a user, use rug ue username and replace the username by the name of the desired user.
9.1.7 For More Information For more information about updating from the command line, enter rug --help or see the rug(1) man page. The --help option is also available for all rug commands. If, for example, you need help for rug update, enter rug update --help. 9.2 Managing Packages with the ZEN Tools The ZEN tools serve as graphical front-ends for the ZENworks Management Daemon...
Figure 9.1 Selecting the Software Updates 9.2.3 Installing Software To install software packages, start Install Software from the menu or run zen-installer. The interface is almost identical to Software Updater (see Section 9.2.2, “Obtaining and Installing Software Updates” (page 204)). The only difference is a search panel you can use to search for packages or to filter the list.
complete products), Patterns (see Section “Installing and Removing Patterns” (page 133) for details on patterns), Packages, and Patches. Mark the check box of a list entry that should be removed then press Remove to start the package uninstallation. If other packages depend on the ones marked by you, these are also removed.
With Mount, embed a directory mounted on your machine. This is useful, for example, in a network that regularly mirrors the Novell YUM server and exports its content to the local network. To add the directory, provide the full path to the directory in Service URI.
Refer to the rug man page for an explanation of the settings. 9.3 For More Information Find more information about ZENworks Linux Management and ZMD at http://www.novell.com/products/zenworks/linuxmanagement/index.html.
Updating SUSE Linux Enterprise SUSE® Linux Enterprise provides the option of updating an existing system to the new version without completely reinstalling it. No new installation is needed. Old data, such as home directories and system configuration, is kept intact. During the life cycle of the product, you can apply Service Packs to increase system security and correct software defects.
applies to files stored in /etc as well as some of the directories and files in /var and /opt. You may also want to write the user data in /home (the HOME directories) to a backup medium. Back up this data as root. Only root has read permission for all local files.
10.1.3 Updating with YaST Following the preparation procedure outlined in Section 10.1.1, “Preparations” (page 211), you can now update your system: 1 Optionally, prepare an installation server. For background information, see Section 4.2.1, “Setting Up an Installation Server Using YaST” (page 56). 2 Boot the system as for the installation, described in Section 3.3, “System Start-Up for Installation”...
10.2 Installing Service Packs Use Service Packs to update a SUSE Linux Enterprise installation. There are several different ways in which you can apply a Service Pack. You can either update the existing installation or start a whole new installation using the Service Pack media. Possible scenarios for updating the system and setting up a central network installation source are described here.
Installing a SUSE Linux Enterprise Service Pack is very similar to installing the original SUSE Linux Enterprise media. As with the original installation, you can choose to install from a local CD or DVD drive or from a central network installation source. Installing from a Local CD or DVD Drive Before starting a new installation of a SUSE Linux Enterprise SP, ensure that all of the Service Pack installation media (CDs or DVD) are available.
1 Insert the SUSE Linux Enterprise SP CD 1 or DVD 1 and boot your machine. A boot screen similar to the original installation of SUSE Linux Enterprise 10 is displayed. 2 Select Installation to boot the SP kernel then use F3 to select a type of network installation source (FTP, HTTP, NFS, or SMB).
7 Continue as usual with the installation (entering a password for root, completing the network configuration, testing your Internet connection, activating the Online Update service, selecting the user authentication method, and entering a username and password). For detailed instructions for installing SUSE Linux Enterprise, see Chapter 3, Installation with YaST (page 17).
• The system must be online throughout the entire update process, because this process requires access to the Novell Customer Center. • If your setup involves third party software or add-on software, test this procedure on another machine to make sure that the dependencies are not broken by the update.
Figure 10.2 Update to Service Pack 2 NOTE During update migration using YaST Online Update, the ZMD stack is updated and the ZMD daemon is restarted, too. Therefore, it is advisable to avoid using any other software management tools such as rug, zen-updater, zen-installer and zen-remover.
SUSE Linux Enterprise 10 SP2 maintenance stack update (slesp1u-libzypp) are actually preselected. Then press Accept to apply the selected updates. 3 The Patch Download and Installation dialog tracks the progress log. When Total Progress reaches 100%, click Close. The Online Update will then restart automatically.
Figure 10.3 Apply SLE10 SP2 Maintenance Stack Update 1 In a running SUSE Linux Enterprise system, start the zen-updater by clicking the updater icon at the bottom. TIP: Waking up ZMD If you see the ZMD not running message, check in a terminal as root with rczmd status whether ZMD is alive.
4 In the restarted Software Updater, page down and select the optional move-to-sles10-sp2 patch and apply it. If you do not select it, your system will stay at the SP1 feature level and you will get bug fixes and security updates only for a limited time (six months after the availability of SP2).
SUSE Linux Enterprise GA to SP1 and SP2 NOTE The following steps are only relevant, if your system is still running at the GA patch level. Figure 10.4 Update to Service Pack 1 1 In a running SUSE Linux Enterprise system (GA), select Computer > YaST > Software >...
3 The Patch Download and Installation dialog tracks the progress log of the migration patch installation. When Total Progress reaches 100%, click Finish. 4 Run the online update a second time. Once done, in the Patch Download and Installation click Close. During this second run YaST installs the kernel and all the other software.
10.3.1 Multiple Kernels It is possible to install multiple kernels side by side. This feature is meant to allow administrators to upgrade from one kernel to another by installing the new kernel, verifying that the new kernel works as expected, then uninstalling the old kernel. While YaST does not yet support this feature, kernels can easily be installed and uninstalled from the shell using rpm -i package.rpm.
• km_smartlink-softmodem—Smart Link Soft Modem 10.3.3 Console Number Change and Serial Devices As of 2.6.10, serial devices on ia64 are named based on the order of ACPI and PCI enumeration. The first device in the ACPI name space (if any) becomes /dev/ttyS0, the second becomes /dev/ttyS1, etc., and PCI devices are named sequentially starting after the ACPI devices.
10.3.6 Apache 2 Replaced with Apache 2.2 The Apache Web server (version 2) has been replaced with version 2.2. For Apache version 2.2, Chapter 40, The Apache HTTP Server (page 745) was completely reworked. In addition, find generic upgrade information at http://httpd.apache.org/docs/2.2/upgrading.html and the description of new features at http://...
10.3.8 Hotplug Events Handled by the udev Daemon Hotplug events are now completely handled by the udev daemon (udevd). The event multiplexer system in /etc/hotplug.d and /etc/dev.d is no longer used. Instead, udevd calls all hotplug helper tools directly according to its rules. Udev rules and helper tools are provided by udev and various other packages.
10.3.11 Online Update and Delta Packages Online Update now supports a special kind of RPM package that only stores the binary difference from a given base package. This technique significantly reduces the package size and download time at the expense of higher CPU load for reassembling the final package.
The log file names changed accordingly (XFree86: XFree86.0.log.old; X.Org: Xorg.0.log.old). In the course of the change to X.Org, the packages were renamed from XFree86* to xorg-x11*. 10.3.14 X.Org Configuration File The configuration tool SaX2 writes the X.Org configuration settings into /etc/X11/xorg.conf. During an installation from scratch, no compatibility link from XF86Config to xorg.conf is created.
10.3.17 OpenOffice.org (OOo) Directories OOo is now installed in /usr/lib/ooo-2.0 instead of /opt/OpenOffice.org. The default directory for user settings is now ~/.ooo-2.0 instead of ~/OpenOffice.org1.1. Wrapper There are some new wrappers for starting the OOo components. The new names are shown in Table 10.4, “Wrapper”...
The wrapper now supports the option --icons-set for switching between KDE and GNOME icons. The following options are no longer supported: --default-configuration, --gui, --java-path, --skip-check, --lang (the language is now determined by means of locales), --messages-in-window, and --quiet. KDE and GNOME Support KDE and GNOME extensions are available in the OpenOffice_org-kde and OpenOffice_org-gnome packages.
10.3.21 JFS: Not Supported Anymore Due to technical problems with JFS, it is no longer supported. The kernel file system driver is still there, but YaST does not offer partitioning with JFS. 10.3.22 AIDE as a Tripwire Replacement As a host-based intrusion detection system (a file integrity checker), use AIDE (package name aide), which is released under the GPL.
password required pam_unix2.so use_first_pass use_authtok
#password required pam_make.so /var/yp
session  required pam_unix2.so

you can change it to:

#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

10.3.24 Becoming the Superuser Using su By default, calling su to become root does not set the PATH for root; the new root shell keeps the PATH of the calling user, so it can pick up binaries from directories that user is able to write to. Either call su - to start a login shell with the complete environment for root or set ALWAYS_SET_PATH to yes in /etc/default/su if you want to change the default behavior of su.
/etc/powersave.conf has become obsolete. Existing variables have been moved to the files listed in Table 10.5, “Split Configuration Files in /etc/sysconfig/powersave” (page 234). If you changed the “event” variables in /etc/powersave.conf, these must now be adapted in /etc/sysconfig/powersave/events. The names of sleep states have changed from: •...
10.3.28 Setting Up D-BUS for Interprocess Communication in .xinitrc Many applications now rely on D-BUS for interprocess communication (IPC). Calling dbus-launch starts dbus-daemon. The systemwide /etc/X11/xinit/xinitrc uses dbus-launch to start the window manager. If you have a local ~/.xinitrc file, you must change it accordingly. Otherwise applications like f-spot, banshee, tomboy, or Network Manager might fail.
FAM daemon. For remote file systems, run FAM on both the server and client and open the firewall for RPC calls by FAM. GNOME (gnome-vfs2 and libgda) contains a wrapper that picks gamin or fam to provide file system change notification: •...
OpenWBEM Novell® has embraced the open standard strategies of Web-Based Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF) [http://www.dmtf.org/home]. Implementing these strategies can substantially reduce the level of complexity associated with managing disparate systems in your network.
WBEM project [http://openwbem.org]. The Web-Based Enterprise Management software selection includes a set of packages that contain basic Novell providers, including some sample providers, and a base set of accompanying Novell schemas. As Novell moves forward with OpenWBEM and development of specific providers, it will provide tools that offer the following important features: •...
DMTF and its technologies, you can visit the DMTF Web site [http://www.dmtf.org]. openwbem-base-providers: This package contains a Novell Linux instrumentation of base operating system components such as computer, system, operating system, and processes for the OpenWBEM CIMOM.
• Section 11.1.2, “Ensuring Secure Access” (page 244) • Section 11.1.3, “Setting Up Logging” (page 247) 11.1.1 Starting, Stopping, or Checking Status for owcimomd When Web-Based Enterprise Management software is installed, the daemon, owcimomd, is started by default. The following table explains how to start, stop, and check status for owcimomd.
/etc/openwbem/servercert.pem If you want to generate a new certificate, use the following command. Running this command replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one. As root in a console shell, enter sh /etc/openwbem/owgencert If you want to change the certificate that OpenWBEM uses, see Section 11.2.2,...
Internet between servers and workstations. Users must authenticate through the client application to view this information. Novell recommends that you maintain this setting in the configuration file. In order for the OpenWBEM CIMOM to communicate with the...
Authentication The following authentication settings are set and enabled as the default for OpenWBEM in SUSE Linux Enterprise Server. You can change any of the default settings. See Section 11.2.1, “Changing the Authen- tication Configuration” (page 249). • http_server.allow_local_authentication = true •...
This means that owcimomd logging is set up to go to the /var/log/messages file or to other files depending on the configuration of syslogd. It logs all errors for all components (owcimomd). 11.2 Changing the OpenWBEM CIMOM Configuration When OpenWBEM CIMOM (owcimomd) starts, it reads its run-time configuration from the openwbem.conf file.
11.2.1 Changing the Authentication Configuration When changing the Authentication configuration, there are several things that you can control: • Who can access the CIMOM • What authentication module is used See the following settings: • Section “http_server.allow_local_authentication ” (page 249) •...
Syntax http_server.allow_local_authentication = option Option Description true Enables local authentication. This is the default setting. false Disables local authentication. Example http_server.allow_local_authentication = true http_server.digest_password_file Purpose Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled. Syntax http_server.digest_password_file = path_filename The following is the default path and filename for the digest password file:...
http_server.ssl_client_verification Purpose Determines whether the server should attempt to authenticate clients with SSL Client Certificate verification. This setting is disabled by default. Syntax: http_server.ssl_client_verification = option Option Description autoupdate Specifies the same functionality as the Optional option; however, previously unknown client certificates that pass HTTP authentication are added to a trust store so that subsequent client connections with the same certificate do not require HTTP authentication. Because autoupdate turns one successful password authentication into persistent certificate trust, a compromised password also yields a trusted certificate; review the trust store directory (see http_server.ssl_trust_store) regularly if you enable it.
http_server.ssl_trust_store Purpose Specifies a directory containing the OpenSSL trust store. Syntax http_server.ssl_trust_store = path The following is the default path for the trust store file. /etc/openwbem/truststore Example http_server.ssl_trust_store = /etc/openwbem/truststore http_server.use_digest Purpose Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication mechanism.
Option Description true Disables the Basic authentication mechanism. Example http_server.use_digest = false owcimomd.ACL_superuser Purpose Specifies the username of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by the owcimomd. This user can be used to administer the /root/security name space, which is where all ACL user rights are stored.
Option Description false Requires login with a username and password to access owci- momd data. This is the default and recommended setting. true Allows anonymous logins to owcimomd. This disables authentication. No username or password is required to access owcimomd data. Example owcimomd.allowed_anonymous = false owcimomd.allowed_users...
Option Description This option is enforced for all authentication methods unless owcimomd.allow_anonymous is set to true. Example owcimomd.allowed_users = bcwhitely jkcarey jlanderson owcimomd.authentication_module Purpose Specifies the authentication module that is used by owcimomd. This setting should be an absolute path to the shared library containing the authentication module. Syntax owcimomd.authentication_module = path_filename The following is the default path and filename for the authentication modules:...
Syntax simple_auth.password_file = path_filename Example simple_auth.password_file = /etc/openwbem/simple_auth.passwd 11.2.2 Changing the Certificate Configuration The http_server.SSL_cert and the http_server.SSL_key settings specify the location of the file or files that contain the host's private key and the certificate that is used by OpenSSL for HTTPS communications.
Examples
http_server.SSL_cert = /etc/openwbem/servercert.pem
http_server.SSL_key = /etc/openwbem/servercert.pem

or, with the private key kept in a separate file:
http_server.SSL_key = /etc/openwbem/serverkey.pem

11.2.3 Changing the Port Configuration The http_server.http_port and http_server.https_port settings specify the port number that owcimomd listens on for all HTTP and HTTPS communications. Syntax http_server.http_port = option http_server.https_port = option Option Description Specific_port_number...
Example These settings disable the HTTP port and enable port 5989 for HTTPS communications: http_server.http_port = -1 http_server.https_port = 5989 11.2.4 Changing the Default Logging Configuration The following log settings in the owcimomd.conf file let you specify where and how much logging occurs, the type of errors logged, and the log size, filename, and format: •...
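The settings in Sections 11.2.1 to 11.2.3 decide who can reach the CIMOM and over which channel, so they are worth checking mechanically after every change. The following script is an added example and not code from the SLES manual or the OpenWBEM project: it parses the "key = value" lines of an openwbem.conf file and reports the settings that weaken access control (anonymous access, no explicit user list, Basic instead of Digest authentication, the cleartext HTTP port left open, HTTPS disabled, client certificate verification disabled). Both spellings of the anonymous-access key that appear in this chapter, owcimomd.allow_anonymous and owcimomd.allowed_anonymous, are accepted. The two sample configurations are constructed for the example.

```python
"""Audit security-relevant owcimomd settings in an openwbem.conf file.

Added example; not code from the SLES manual or the OpenWBEM project. The
file format is the 'key = value' form used throughout Section 11.2, with '#'
starting a comment. The checks mirror the recommendations in Sections 11.2.1
to 11.2.3; the two sample configurations are constructed for this example.
"""
from typing import Dict, List

WEAK_CONF = """\
# constructed sample: CIMOM reachable over cleartext HTTP without authentication
http_server.http_port = 5988
http_server.https_port = 5989
http_server.use_digest = false
owcimomd.allow_anonymous = true
owcimomd.allowed_users =
http_server.ssl_client_verification = disabled
"""

HARDENED_CONF = """\
# constructed sample: HTTPS only, digest auth, explicit user list
http_server.http_port = -1
http_server.https_port = 5989
http_server.use_digest = true
owcimomd.allow_anonymous = false
owcimomd.allowed_users = bcwhitely jkcarey jlanderson
http_server.ssl_client_verification = optional
"""


def parse_openwbem_conf(text: str) -> Dict[str, str]:
    """Return {key: value} for every 'key = value' line; comments are dropped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_openwbem(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that weakens authentication or transport."""
    findings: List[str] = []
    # The page spells this key two ways; honour whichever one is present.
    anon = settings.get("owcimomd.allow_anonymous",
                        settings.get("owcimomd.allowed_anonymous", "false"))
    if _is_true(anon):
        findings.append("owcimomd.allow_anonymous=true: authentication is disabled")
    if not settings.get("owcimomd.allowed_users", "").split():
        findings.append("owcimomd.allowed_users is empty: no explicit user list")
    if not _is_true(settings.get("http_server.use_digest", "false")):
        findings.append("http_server.use_digest=false: Basic authentication in use")
    http_port = settings.get("http_server.http_port", "unset")
    if http_port != "-1":
        findings.append(f"http_server.http_port={http_port}: cleartext HTTP not disabled")
    if settings.get("http_server.https_port", "unset") == "-1":
        findings.append("http_server.https_port=-1: HTTPS disabled")
    if settings.get("http_server.ssl_client_verification", "disabled") == "disabled":
        findings.append("http_server.ssl_client_verification=disabled: "
                        "no client certificate check")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_openwbem(parse_openwbem_conf(text)) or ["no findings"])
```

For the live system, pass the contents of the openwbem.conf file named in Section 11.2 to parse_openwbem_conf; an empty result from audit_openwbem means the CIMOM accepts only authenticated users over HTTPS, which is the configuration Novell recommends above.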
log.main.categories Purpose Specifies the categories the log outputs. Syntax log.main.categories = option Option Description category_name Specifies the categories to be logged using a space delimited list. The categories used in owcimomd are: • DEBUG • ERROR • FATAL • INFO For more information about these options, see Section “log.main.level”...
Example log.main.categories = FATAL ERROR INFO log.main.components Purpose Specifies the components that the log outputs. Syntax log.main.components = option Option Description component_name Specifies the components to be logged (such as owcimomd) using a space-delimited list. Providers can use their own components. Specifies that all components are logged.
Syntax log.main.format = conversion_specifier Option Specifies Component (such as owcimomd) Date Can be followed by a date format specifier enclosed between braces. For example, %d{%H:%M:%S} or %d{%d %b %Y %H:%M:%S}. If no date format specifier is given, then ISO 8601 format is assumed. The only addition is %Q, which is the number of milliseconds.
Option Specifies Platform-dependent line separator character (\n) or characters (\r\n). Category, also known as level or priority. Number of milliseconds elapsed between the start of the appli- cation and the creation of the logging event. Thread ID New line Line feed \x<hexDigits>...
"%r [%t] %-5p %c - %m" Similar to TTCC but with some fixed-size fields: "%-6r [%15.15t] %-5p %30.30c - %m" XML output conforming to log4j.dtd 1.2, which can be processed by Chainsaw (if used, this must be on one line; it is split up here for readability): "<log4j:event logger="%c"...
Option Description INFO Logs all Info, Error, and Fatal error messages. Example log.main.level = ERROR log.main.location Purpose Specifies the location of the log file owcimomd uses when the log.main.type setting option specifies that logging is sent to a file. Syntax log.main.location = path_filename Example...
Option Description The default setting is 1 log file. No backup logs are made and the log is trun- cated when it reaches the maximum file size. Example log.main.max_backup_index = 1 log.main.max_file_size Purpose Specifies the maximum size (in KB) that the owcimomd log can grow to. Syntax log.main.max_file_size = option Option...
log.main.type Purpose Specifies the type of main log owcimomd uses. Syntax log.main.type = option Option Description file Sends all messages to a file that is identified in the log.main.location configuration setting. null Disables logging. syslog Sends all messages to the syslog interface. This is the default setting.
• log.debug.type = stderr Debug Log with Color If you want a color version of the debug log, use the following ASCII escape codes: log.debug.format = \x1b[1;37;40m[\x1b[1;31;40m%-.6t\x1b[1;37;40m]\x1b[1;32;40m %m\x1b[0;37;40m If you want to use additional colors, use the following codes with the log.debug.format command: Table 11.3 Additional Color Codes for the log.debug.format Command...
Color Codes dark cyan \x1b[0;36;40m white \x1b[1;37;40m dark white \x1b[0;37;40m gray \x1b[0;37;40m reset color \x1b[0;37;40m 11.2.6 Configuring Additional Logs If you want to create additional logs, list the log names under this setting: owcimomd.additional_logs = logname Separate multiple log names with spaces. Syntax owcimomd.additional_logs = logname For each log, the following settings apply:...
For more information about OpenWBEM, see the following information: • Documents in /usr/share/doc/packages/openwbem on the local server filesystem: • readme • openwbem-faq.html • A Novell Cool Solutions Article: An Introduction to WBEM and OpenWBEM in SUSE Linux [http://www.novell.com/coolsolutions/feature/14625.html] • OpenWBEM Web site [http://www.openwbem.org] •...
Mass Storage over IP Networks—iSCSI One of the central tasks in computer centers and when operating servers is providing hard disk capacity for server systems. Fibre Channel is often used for this purpose in the mainframe sector. So far, UNIX computers and the majority of servers are not connected to central storage solutions.
12.1.1 Creating iSCSI Targets with YaST The iSCSI target configuration exports existing block devices or file system images to iSCSI initiators. First create the needed block devices with YaST or create file system images. For an overview of partitioning, see Section 8.5.7, “Using the YaST Partitioner” (page 155).
It always starts with iqn. yyyy-mm is a year and month in which the naming authority (the reversed domain name that follows) owned that domain name, normally the month it was acquired; it is not the date on which the target is activated. Find more about naming conventions in RFC 3722 (see http://www.ietf.org/rfc/rfc3722.txt). Identifier The Identifier is freely selectable. It should follow some scheme to make the whole system more structured.
Page 292
iSNS for Linux Overview (page 283). Note that the access control for the iSNS discovery is not supported. Just keep iSNSAccessControl no. All direct iSCSI authentication may be done in two directions. The iSCSI target can require the iSCSI initiator to authenticate with the IncomingUser, which can be added multiple times.
Page 293
cat /proc/net/iet/session
tid:1 name:iqn.2006-02.com.example.iserv:system-v3
    sid:562949957419520 initiator:iqn.2005-11.de.suse:cn=rome.example.com,01.9ff842f5645
        cid:0 ip:192.168.178.42 state:active hd:none dd:none
    sid:281474980708864 initiator:iqn.2006-02.de.suse:01.6f7259c88b70
        cid:0 ip:192.168.178.72 state:active hd:none dd:none
12.1.3 Configuring Online Targets with ietadm
When changes to the iSCSI target configuration are necessary, you always must restart the target to activate changes that are done in the configuration file. Unfortunately, all active sessions are interrupted in this process.
Page 294
cat /proc/net/iet/session
tid:1 name:iqn.2006-03.com.example.iserv:system
    sid:281474980708864 initiator:iqn.1996-04.com.example:01.82725735af5
        cid:0 ip:192.168.178.72 state:active hd:none dd:none
To delete the session with the session ID 281474980708864, use the command ietadm --op delete --tid=1 --sid=281474980708864 --cid=0. Be aware that this makes the device unaccessible on the client system and processes accessing this device are likely to hang.
to the configuration file /etc/ietd.conf. Depending on the usage of iSCSI in your network, this may lead to severe problems. There are several more options available for the command ietadm. Find an overview with ietadm -h. The abbreviations there are target ID (tid), session ID (sid), and connection ID (cid).
Page 296
The virtual iSCSI device is now available. Find the actual device with lsscsi:
lsscsi
[1:0:0:0]    disk    VIRTUAL-DISK    /dev/sda
12.2.2 Setting Up the iSCSI Initiator Manually
Both the discovery and the configuration of iSCSI connections require a running iscsid. When running the discovery the first time, the internal database of the iSCSI initiator is created in the directory /var/lib/open-iscsi.
The newly generated devices show up in the output of lsscsi and can now be accessed by mount. 12.2.3 Configuring LVM Autoassembly on iSCSI Devices LVM startup is supported by udev, so that any LVM volume groups will be activated automatically via udev once all required physical volumes have been detected.
Page 298
of targets and one for the discovered nodes. When accessing a database, you first must select if you want to get your data from the discovery or from the node database. Do this with the -m discovery and -m node parameters of iscsiadm. Using iscsiadm just with one of these parameters gives an overview of the stored records:
iscsiadm -m discovery
149.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems...
Page 299
Important pages for more information about open-iscsi are:
• http://www.open-iscsi.org/
• http://www.open-iscsi.org/cgi-bin/wiki.pl
• http://www.novell.com/coolsolutions/appnote/15394.html
There is also some online documentation available. See the manual pages of iscsiadm, iscsid, ietd.conf, and ietd and the example configuration file /etc/iscsid.conf.
iSNS for Linux Overview Storage area networks (SANs) can contain many disk drives that are dispersed across complex networks. This can make device discovery and device ownership difficult. iSCSI initiators must be able to identify storage resources in the SAN and determine whether they have access to them.
Page 302
lishing discovery relationships. This lets you control and simplify the number of targets and initiators that must be discovered. Figure 13.1 iSNS Discovery Domains and Discovery Domain Sets Both iSCSI targets and iSCSI initiators use iSNS clients to initiate transactions with iSNS servers using the iSNS protocol.
Suppose you have a company that has 100 iSCSI initiators and 100 iSCSI targets. Depending on your configuration, all iSCSI initiators could potentially try to discover and connect to any of the 100 iSCSI targets. This could create a discovery and connection nightmare.
Page 304
iSNS can also be configured to start automatically each time the server is rebooted. To do this:
1 Start YaST and under Network Services, select iSNS Server.
2 With the Service tab selected, specify the IP address of your iSNS server, then click Save Address.
Page 305
install iSNS and the default discovery domain is automatically added to that domain set. To create a discovery domain set:
1 Start YaST and under Network Services, select iSNS Server.
2 Click the Discovery Domains Sets tab, then click the Create Discovery Domain Set button.
4 Click Add existing iSCSI Node, select the node you want to add to the domain, then click Add Node.
5 Repeat the last step for as many nodes as you want to add to the discovery domain, then click Done when you are finished adding nodes.
An iSCSI node can belong to more than one discovery domain.
Oracle Cluster File System 2 Oracle Cluster File System 2 (OCFS2) is a general-purpose journaling file system that is fully integrated in the Linux 2.6 kernel and later. OCFS2 allows you to store application binary files, data files, and databases on devices in a SAN. All nodes in a cluster have concurrent read and write access to the file system.
Page 308
• An application’s files are available to all nodes in the cluster. Users simply install it once on an OCFS2 volume in the cluster. • All nodes can concurrently read and write directly to storage via the standard file system interface, enabling easy management of applications that run across a cluster. •...
14.1 O2CB Cluster Service The O2CB cluster service is a set of modules and in-memory file systems that are required to manage OCFS2 services and volumes. You can enable these modules to be loaded and mounted during system boot. For instructions, see Section 14.6.2, “Configuring OCFS2 Services”...
The O2CB cluster service communicates the node status via a disk heartbeat. The heartbeat system file resides on the Storage Area Network (SAN), where it is available to all nodes in the cluster. The block assignments in the file correspond sequentially to each node’s slot assignment.
14.4 Management Utilities and Commands OCFS2 stores node-specific parameter files on the node. The cluster configuration file (/etc/ocfs2/cluster.conf) resides on each node assigned to the cluster. The ocfs2console utility is a GTK GUI-based interface for managing the configuration of the OCFS2 services in the cluster. Use this utility to set up and save the /etc/ocfs2/cluster.conf file to all member nodes of the cluster.
Page 312
OCFS2 Utility  Description
ocfs2cdsl  Creates a context-dependent symbolic link (CDSL) for a specified filename (file or directory) for a node. A CDSL filename has its own image for a specific node, but has a common name in the OCFS2.
tune.ocfs2  Changes OCFS2 file system parameters, including the volume label, number of node slots, journal size for all node slots, and volume size.
Command  Description
/etc/init.d/o2cb stop ocfs2  If the cluster is set up to load on boot, stops the cluster named ocfs2 by offlining the cluster and unloading the O2CB modules and in-memory file systems
14.5 OCFS2 Packages
The OCFS2 kernel module (ocfs2) is installed automatically in SUSE Linux Enterprise Server 10 and later.
Page 314
• Initialize, carve, or configure RAIDs (Redundant Array of Independent Disks) on the SAN disks, as needed, to prepare the devices you plan to use for your OCFS2 volumes. Leave the devices as free space. We recommend that you store application files and data files on different OCFS2 volumes, but it is only mandatory to do so if your application volumes and data volumes have different requirements for mounting.
Page 315
4c At the Cluster to start on boot (Enter “none” to clear) [ocfs2] prompt, enter none. This choice presumes that you are setting up OCFS2 for the first time or resetting the service. You specify a cluster name in the next step when you set up the /etc/ocfs2/cluster.conf file.
Page 316
5f Click Cluster > Propagate Configuration to save the cluster.conf file to all nodes.
6 If you need to restart the OCFS2 cluster for the changes to take effect, enter the following lines, waiting in between for the process to return a status of OK.
/etc/init.d/o2cb stop
/etc/init.d/o2cb start
14.6.3 Creating an OCFS2 Volume...
Page 317
OCFS2 Parameter  Description and Recommendation
Volume label  A descriptive name for the volume to make it uniquely identifiable when it is mounted on different nodes. Use the tunefs.ocfs2 utility to modify the label as needed.
Cluster size  Cluster size is the smallest unit of space allocated to a file to hold the data.
OCFS2 Parameter  Description and Recommendation
Options are 512 bytes (not recommended), 1 KB, 2 KB, or 4 KB (recommended for most volumes). Block size cannot be modified after the volume is formatted.
14.7 Mounting an OCFS2 Volume
1 Open a terminal window and log in as the root user.
2 If the O2CB cluster service is offline, start it by entering the following command, then wait for the process to return a status of OK.
TIP: Adding New Nodes When new nodes try to connect to the cluster, they are not allowed to join because the nodes have not added them to their connection list. To solve this issue, manually go to each node and issue the following command to update the respective connection list:
o2cb_ctl -H -n ocfs2 -t cluster -a online=yes
For information about mounting an OCFS2 volume using any of these methods,...
Access Control Lists in Linux POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than the traditional permission concept allows. The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard.
Page 322
would not be able to change passwd, because it would be too dangerous to grant all users direct access to this file. A possible solution to this problem is the setuid mechanism. setuid (set user ID) is a special file attribute that instructs the system to execute programs marked accordingly under a specific user ID.
15.2 Advantages of ACLs Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit.
default ACL Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created. ACL entry Each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions.
Page 325
Table 15.1 ACL Entry Types
Type  Text Form
owner  user::rwx
named user  user:name:rwx
owning group  group::rwx
named group  group:name:rwx
mask  mask::rwx
other  other::rwx
Table 15.2 Masking Access Permissions
Entry Type  Text Form  Permissions
named user  user:geeko:r-x
mask  mask::rw-
effective permissions:
15.4.1 ACL Entries and File Mode Permission Bits
Figure 15.1, “Minimum ACL: ACL Entries Compared to Permission Bits”...
Page 326
ACL entry owner. Other class permissions are mapped to the respective ACL entry. However, the mapping of the group class permissions is different in the two cases. Figure 15.1 Minimum ACL: ACL Entries Compared to Permission Bits In the case of a minimum ACL—without mask—the group class permissions are mapped to the ACL entry owning group.
Page 327
Before creating the directory, use the umask command to define which access permissions should be masked each time a file object is created. The command umask 027 sets the default permissions by giving the owner the full range of permissions (0), denying the group write access (2), and giving other users no permissions at all (7).
Page 328
mask::rwx
other::---
In addition to the entries initiated for the user geeko and the group mascots, a mask entry has been generated. This mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.
Page 329
have changed accordingly: write permission is again limited to the owner of mydir. The output of the getfacl confirms this. This output includes a comment for all those entries in which the effective permission bits do not correspond to the original permissions, because they are filtered according to the mask entry.
Page 330
setfacl -d -m group:mascots:r-x mydir
The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL. Take a closer look at the result of this command:
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx...
Page 331
default:group::r-x
default:group:mascots:r-x
default:mask::r-x
default:other::---
As expected, the newly-created subdirectory mysubdir has the permissions from the default ACL of the parent directory. The access ACL of mysubdir is an exact reflection of the default ACL of mydir. The default ACL that this directory will hand down to its subordinate objects is also the same.
following sequence: owner, named user, owning group or named group, and other. The access is handled in accordance with the entry that best suits the process. Permissions do not accumulate. Things are more complicated if a process belongs to more than one group and would potentially suit several group entries.
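The masking from Table 15.2 and the lookup order just described, carried through in code as an added illustration (this is not code from the manual or from the acl package). The getfacl text, the users tux, geeko and wilber, and the groups project3 and mascots are constructed sample input; the tie-break for a process that matches several group entries follows acl(5) (access is granted if any matching group entry holds the requested bits after masking), which goes one step beyond what the text above states.

```python
# Added example: POSIX ACL evaluation as described in Section 15.4.
# Not from the SUSE manual or the acl package; sample data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_from_text(text: str) -> int:
    """'r-x' -> 5, the rwx text form used by getfacl/setfacl."""
    if len(text) != 3:
        raise ValueError(f"bad permission text {text!r}")
    bits = 0
    for ch, expected in zip(text, "rwx"):
        if ch == expected:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"bad permission text {text!r}")
    return bits


def perms_to_text(bits: int) -> str:
    """5 -> 'r-x'"""
    return "".join(ch if bits & PERM_BITS[ch] else "-" for ch in "rwx")


@dataclass
class AclEntry:
    tag: str          # user, group, mask or other
    qualifier: str    # '' for owner, owning group, mask and other
    perms: int

    @property
    def masked(self) -> bool:
        """Only named users, the owning group and named groups are filtered by the mask."""
        return self.tag == "group" or (self.tag == "user" and self.qualifier != "")


@dataclass
class Acl:
    owner: str
    group: str
    entries: List[AclEntry]


def parse_getfacl(output: str) -> Acl:
    """Parse getfacl output into an access ACL ('default:' lines are skipped)."""
    owner = group = None
    entries: List[AclEntry] = []
    for raw in output.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's effective comment
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, perms = line.split(":")
            entries.append(AclEntry(tag, qualifier, perms_from_text(perms)))
    if owner is None or group is None:
        raise ValueError("getfacl header with '# owner:' and '# group:' is required")
    return Acl(owner, group, entries)


def mask_bits(acl: Acl) -> Optional[int]:
    """The mask entry, or None for a minimum ACL where nothing is filtered."""
    for e in acl.entries:
        if e.tag == "mask":
            return e.perms
    return None


def effective_perms(acl: Acl) -> Dict[str, str]:
    """Effective text form per entry ('user:geeko', 'group:', ...), as Table 15.2:
    a named user with r-x under the mask rw- ends up with r--."""
    mask = mask_bits(acl)
    result = {}
    for e in acl.entries:
        bits = e.perms & mask if (mask is not None and e.masked) else e.perms
        result[f"{e.tag}:{e.qualifier}"] = perms_to_text(bits)
    return result


def check_access(acl: Acl, user: str, groups: Set[str], wanted: str) -> bool:
    """Lookup order from the text: owner, named user, owning/named group, other.
    Permissions do not accumulate between classes; among several matching
    group entries, any one that grants all wanted bits suffices (acl(5) rule).
    `wanted` is a subset of 'rwx', e.g. 'rw'."""
    want = 0
    for ch in wanted:
        want |= PERM_BITS[ch]
    mask = mask_bits(acl)

    def grants(e: AclEntry) -> bool:
        bits = e.perms & mask if (mask is not None and e.masked) else e.perms
        return bits & want == want

    by_key = {(e.tag, e.qualifier): e for e in acl.entries}
    if user == acl.owner:
        return grants(by_key[("user", "")])
    if ("user", user) in by_key:
        return grants(by_key[("user", user)])
    group_entries = [e for e in acl.entries if e.tag == "group"
                     and ((e.qualifier == "" and acl.group in groups)
                          or (e.qualifier != "" and e.qualifier in groups))]
    if group_entries:
        return any(grants(e) for e in group_entries)
    return grants(by_key[("other", "")])


# Constructed sample: the mydir ACL after 'chmod g-w mydir' lowered the mask to r-x.
SAMPLE_GETFACL = """\
# file: mydir
# owner: tux
# group: project3
user::rwx
user:geeko:rwx          #effective:r-x
group::r-x
group:mascots:rwx       #effective:r-x
mask::r-x
other::---
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for key, text in effective_perms(acl).items():
        print(f"{key:<16} {text}")
    print("geeko may write:", check_access(acl, "geeko", {"users"}, "w"))
```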
RPM—the Package Manager RPM (RPM Package Manager) is used for managing software packages. Its main commands are rpm and rpmbuild. The powerful RPM database can be queried by the users, system administrators, and package builders for detailed information about the installed software. Essentially, rpm has five modes: installing, uninstalling, or updating software packages;...
16.1 Verifying Package Authenticity RPM packages have a GnuPG signature. The key including the fingerprint is:
1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
The command rpm --checksig package-1.2.3.rpm can be used to verify the signature of an RPM package to determine whether it really originates from SUSE or from another trustworthy facility.
• If a configuration file was changed by the system administrator before the update, rpm saves the changed file with the extension .rpmorig or .rpmsave (backup file) and installs the version from the new package, but only if the originally installed file and the newer version are different.
Page 336
result in large amounts of data. However, the SUSE RPM offers a feature enabling the installation of patches in packages. The most important considerations are demonstrated using pine as an example: Is the patch RPM suitable for my system? To check this, first query the installed version of the package. For pine, this can be done with
rpm -q pine
pine-4.44-188...
Which patches are already installed in the system and for which package versions? A list of all patches installed in the system can be displayed with the command rpm -qPa. If only one patch is installed in a new system (as in this example), the list appears as follows:
rpm -qPa
pine-4.44-224...
applydeltarpm new.delta.rpm new.rpm
To derive it from the old RPM without accessing the file system, use the -r option:
applydeltarpm -r old.rpm new.delta.rpm new.rpm
See /usr/share/doc/packages/deltarpm/README for technical details.
16.5 RPM Queries
With the -q option, rpm initiates queries, making it possible to inspect an RPM archive (by adding the option -p) and also to query the RPM database of installed packages.
Page 339
--scripts  Installation scripts (preinstall, postinstall, uninstall)
For example, the command rpm -q -i wget displays the information shown in Example 16.1, “rpm -q -i wget” (page 321).
Example 16.1 rpm -q -i wget
Name        : wget                         Relocations: (not relocatable)
Version     : 1.9.1                        Vendor: SUSE LINUX AG, Nuernberg, Germany...
Page 340
The command rpm -q --changelog rpm displays a detailed list of change information about a specific package, sorted by date. This example shows information about the package rpm. With the help of the installed RPM database, verification checks can be made. Initiate these with -V, -y, or --verify.
by the variable MAX_RPMDB_BACKUPS (default: 5) in /etc/sysconfig/backup. The size of a single backup is approximately 1 MB for 1 GB in /usr. 16.6 Installing and Compiling Source Packages All source packages carry a .src.rpm extension (source RPM). Source packages can be copied from the installation medium to the hard disk and unpacked with YaST.
Page 342
When you install a source package with YaST, all the necessary components are installed in /usr/src/packages: the sources and the adjustments in SOURCES and the relevant .spec file in SPECS. WARNING Do not experiment with system components (glibc, rpm, sysvinit, etc.), because this endangers the operability of your system.
Do the same as -bb, but with the additional creation of the source RPM. If the compilation was successful, the binary should be in /usr/src/packages/SRPMS.
--short-circuit  Skip some steps.
The binary RPM created can now be installed with rpm -i or, preferably, with rpm -U.
16.8 Tools for RPM Archives and the RPM Database Midnight Commander (mc) can display the contents of RPM archives and copy parts of them. It represents archives as virtual file systems, offering all usual menu options of Midnight Commander. Display the HEADER with F3. View the archive structure with the cursor keys and Enter.
System Monitoring Utilities A number of programs and mechanisms, some of which are presented here, can be used to examine the status of your system. Also described are some utilities that are useful for routine work, along with their most important parameters. For each of the commands introduced, examples of the relevant outputs are presented.
17.1 Debugging
17.1.1 Specifying the Required Library: ldd
Use the command ldd to find out which shared libraries the dynamic executable specified as argument would load.
tux@mercury:~> ldd /bin/ls
        linux-gate.so.1 =>  (0xffffe000)
        librt.so.1 => /lib/librt.so.1 (0xb7f97000)
        libacl.so.1 => /lib/libacl.so.1 (0xb7f91000)
        libc.so.6 => /lib/libc.so.6 (0xb7e79000)
        libpthread.so.0 =>...
Page 347
17.1.3 System Calls of a Program Run: strace
The utility strace enables you to trace all the system calls of a process currently running. Enter the command in the normal way, adding strace at the beginning of the line:
tux@mercury:~> strace ls
execve("/bin/ls", ["ls"], [/* 61 vars */]) = 0
uname({sys="Linux", node="mercury", ...}) = 0
brk(0)
17.2 Files and File Systems
17.2.1 Determine the File Type: file
The command file determines the type of a file or a list of files by checking /etc/magic.
tux@mercury:~> file /usr/bin/file
/usr/bin/file: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), \
    for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
The parameter -f list specifies a file with a list of filenames to examine.
Page 349
Obtain information about total usage of the file systems with the command df. The parameter -h (or --human-readable) transforms the output into a form understandable for common users.
tux@mercury:~> df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             3.2G  6.9G  32% /...
Page 352
17.3.3 Information about a SCSI Device: scsiinfo The command scsiinfo lists information about a SCSI device. With the option -l, list all SCSI devices known to the system (similar information is obtained via the command lsscsi). The following is the output of scsiinfo -i /dev/sda, which gives information about a hard disk.
# netstat -t -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address  Foreign Address           State        PID/Pro
tcp        0      0 mercury:33513  www.novell.com:www-http   ESTABLISHED  6862/fi
tcp      352      0 mercury:ssh    mercury2.:trc-netpoll     ESTABLISHED  19422/s
tcp        0      0 localhost:ssh  localhost:17828           ESTABLISHED  -
In the following, statistics for the TCP protocol are displayed:
tux@mercury:~>...
    26786 segments send out
    54 segments retransmited
    0 bad segments received.
    6 resets sent
[...]
    TCPAbortOnLinger: 0
    TCPAbortFailed: 0
    TCPMemoryPressures: 0
17.5 The /proc File System
The /proc file system is a pseudo file system in which the kernel reserves important information in the form of virtual files.
Page 355
Some of the important files and their contents are:
/proc/devices  Available devices
/proc/modules  Kernel modules loaded
/proc/cmdline  Kernel command line
/proc/meminfo  Detailed information about memory usage
/proc/config.gz  gzip-compressed configuration file of the kernel currently running
Further information is available in the text file /usr/src/linux/Documentation/filesystems/proc.txt.
Page 356
dr-xr-xr-x 3 tux users 0 2007-07-16 17:04 task
-r--r--r-- 1 tux users 0 2007-07-16 17:04 wchan
The address assignment of executables and libraries is contained in the maps file:
tux@mercury:~> cat /proc/self/maps
08048000-0804c000 r-xp 00000000 03:03 17753      /bin/cat
0804c000-0804d000 rw-p 00004000 03:03 17753      /bin/cat
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]...
[IRQ table of the procinfo output; the columns were garbled in extraction and only the fragments below survive]
irq 58: 0 uhci_hcd:usb2, 5 floppy [2]
irq 66: 872711 uhci_hcd:usb3, HDA I
irq 74: 15 uhci_hcd:usb4, 0 rtc
irq 82: 178717720, 0 PCI-MSI, 0 acpi
irq169: 44352794 nvidia
irq 12:
irq233: 8209068, 0 PCI-MSI
To see all the information, use the parameter -a. The parameter -nN produces updates of the information every N seconds.
Page 358
To list all processes with user and command line information, use ps axu:
tux@mercury:~> ps axu
USER  PID %CPU %MEM  RSS TTY STAT START TIME COMMAND
root    1             272   ?       12:59 0:01 init [5]
root                        ?       12:59 0:00 [ksoftirqd
root                        ?  S<   12:59 0:00 [events
[...]
4047...
Page 359
17.6.3 Process Tree: pstree
The command pstree produces a list of processes in the form of a tree:
tux@mercury:~> pstree
init-+-NetworkManagerD
     |-acpid
     |-3*[automount]
     |-cron
     |-cupsd
     |-2*[dbus-daemon]
     |-dbus-launch
     |-dcopserver
     |-dhcpcd
     |-events/0
     |-gpg-agent
     |-hald-+-hald-addon-acpi
     |      `-hald-addon-stor
     |-kded
     |-kdeinit-+-kdesu---su---kdesu_stub---yast2---y2controlcenter
     |         |-kio_file
     |         |-klauncher
     |         |-konqueror
     |         |-konsole-+-bash---su---bash
     |         |         `-bash
     |         `-kwin
     |-kdesktop---kdesktop_lock---xmatrix
     |-kdesud...
17.7 System Information 17.7.1 System Activity Information: sar To use sar, sadc (system activity data collector) needs to be running. Check its status or start it with rcsysstat {start|status}. sar can generate extensive reports on almost all important system activities, among them CPU, memory, IRQ usage, IO, or networking.
Page 362
Following termination of the less process, which was running on another terminal, the file system can successfully be unmounted.
17.7.4 Kernel Ring Buffer: dmesg
The Linux kernel keeps certain messages in a ring buffer. To view these messages, enter the command dmesg:
$ dmesg
[...]
end_request: I/O error, dev fd0, sector 0...
[X resource table (xrestop output); the columns were garbled in extraction and only the fragments below survive]
3200000 EMACS
2200000 SUSEWatche
4400000 36K 16489 kdesu
1a00000 KMix
3800000 24K 22242 knotify
1e00000 624B KPowersave
3600000 11K 22236 konqueror
2000000 klipper
3000000 888B KDE Wallet
17.8 User Information
17.8.1 Who Is Doing What: w
With the command w, find out who is logged onto the system and what each user is doing.
Working with the Shell When booting your Linux system, you are usually directed to a graphical user interface that guides you through the login process and the following interactions with the system. Although graphical user interfaces have become very important and user-friendly, using them is not the only way to communicate with your system.
18.1 Getting Started with the Bash Shell In Linux, you can use the command line parallel to the graphical user interface and easily switch between them. To start a terminal window from the graphical user interface in KDE, click the Konsole icon in the panel. In GNOME, click the GNOME Terminal icon in the panel.
Page 369
IMPORTANT: No News Is Good News The shell is not verbose: in contrast to some graphical user interfaces, it usually does not provide confirmation messages when commands have been executed. Messages only appear in case of problems or errors. Also keep this in mind for commands to delete objects. Before entering a command like rm for removing a file, you should know if you really want to get rid of the object: it will be deleted irretrievably, without enquiry.
and are prefixed with a hyphen. The ls -l command shows the contents of the same directory in full detail (long listing format): Figure 18.3 The ls -l Command On the left of each object name, information about the object is shown in several columns.
Page 371
18.1.2 Linux Directory Structure Because the shell does not offer a graphical overview of directories and files like the tree view in a file manager, it is useful to have some basic knowledge of the default directory structure in a Linux system. You can think of directories as electronic folders in which files, programs, and subdirectories are stored.
Page 372
Table 18.1 Overview of a Standard Directory Tree
/  Root directory, starting point of the directory tree
/home  Personal directories of users
/dev  Device files that represent hardware components
/etc  Important files for system configuration
/etc/init.d  Boot scripts
/bin, /sbin  Programs needed early in the boot process (/bin) and for the administrator (/sbin)
/usr, /usr/local  All application programs and local, distribution-inde-...
Page 373
18.1.3 Working with Directories and Files To address a certain file or directory, you must specify the path leading to that directory or file. There are two ways to specify a path: • The entire (absolute) path from the root directory to the respective file •...
Page 374
1b In your home directory, enter mkdir /tmp/test. mkdir stands for “make directory”. This command creates a new directory named test in the /tmp directory. In this case, use an absolute path to create the directory. 1c To check what happened, now enter ls -l /tmp. The new directory test should appear in the list of contents of the /tmp directory.
Page 375
18.1.4 Useful Features of the Shell Entering commands in Bash can include a lot of typing. In the following, get to know some features of the Bash that can make your work a lot easier and save a lot of typing. History and Completion By default, Bash “remembers”...
Page 376
[set] Matches one of the characters from the group specified inside the square brackets, which is represented here by the string set. As part of set you can also specify character classes using the syntax [:class:], where a class is one of alnum, alpha, ascii, etc.
Page 377
The program less got its name from the precept that less is more and can also be used to view the output of commands in a convenient way. To see how this works, read Section “Redirection and Pipes” (page 359). Redirection and Pipes Normally, the standard output in the shell is your screen or the console window and the standard input is the keyboard.
Page 378
18.1.5 Archives and Data Compression Now that you have already created a number of files and directories, consider the subject of archives and data compression. Suppose you want to have the entire test directory packed in one file that you can save on a USB stick as a backup copy or send by e-mail. To do so, use the command tar (for tape archiver).
For file compression, the obvious choice is gzip or, for an even better compression ratio, bzip2. Just enter gzip testarchive.tar (or bzip2 testarchive.tar, but gzip is used in this example). With ls, now see that the file testarchive.tar is no longer there and that the file testarchive.tar.gz has been created instead. This file is much smaller and therefore much better suited for transfer via e-mail or storage on a USB stick.
Page 380
loss of data. Because under normal circumstances only root can delete system files or format hard disks, the threat from the Trojan horse effect or from accidentally entering destructive commands can be significantly reduced. 18.2.1 File System Permissions Basically, every file in a Linux file system belongs to a user and a group. Both of these proprietary groups and all others can be authorized to write, read, or execute these files.
Page 381
The next three blocks follow a standard pattern. The first three characters refer to whether the file is readable (r) or not (–). A w in the middle portion symbolizes that the corresponding object can be edited and a hyphen (–) means it is not possible to write to the file.
Page 382
the permissions and one or more filenames. The parameters form different categories:
1. Users concerned
• u (user)—owner of the file
• g (group)—group that owns the file
• o (others)—additional users (if no parameter is given, the changes apply to all categories)
2.
Suppose the file Roadmap from Example 18.2, “Sample Output Showing Directory Permissions” (page 363) should no longer belong to tux, but to the user geeko. root should then enter chown geeko Roadmap. chgrp changes the group ownership of the file. However, the owner of the file must be a member of the new group.
Page 384
File Administration
ls [options] [files]
If you run ls without any additional parameters, the program lists the contents of the current directory in short form.
-l  Detailed list
-a  Displays hidden files
cp [options] source target
Copies source to target.
-i  Waits for confirmation, if necessary, before an existing target is overwritten
-r  Copies recursively (includes subdirectories)
mv [options] source target
Copies source to target then deletes the original source.
Page 385
ln [options] source target Creates an internal link from source to target. Normally, such a link points directly to source on the same file system. However, if ln is executed with the -s option, it creates a symbolic link that only points to the directory in which source is located, enabling linking across file systems.
Page 386
g  Group
o  Others
For access, grant access with + and deny it with -. The access type is controlled by the following options:
r  Read
w  Write
x  Execute—executing files or changing to the directory
s  Setuid bit—the application or program is started as if it were started by the owner of the file
As an alternative, a numeric code can be used.
Page 387
tar options archive files
tar puts one or more files into an archive. Compression is optional. tar is a quite complex command with a number of options available. The most frequently used options are:
-f  Writes the output to a file and not to the screen as is usually the case
-c  Creates a new tar archive
-r  Adds files to an existing archive
-t  Outputs the contents of an archive...
Page 388
cated. If desired, use wild cards to specify filenames. The program is very speedy, because it uses a database specifically created for the purpose (rather than searching through the entire file system). This very fact, however, also results in a major drawback: locate is unable to find any files created after the latest update of its database.
grep [options] searchstring files
The grep command finds a specific search string in the specified files. If the search string is found, the command displays the line in which searchstring was found along with the filename.
-i  Ignores case
-l  Only displays the names of the respective files, but not the text lines
-n  Additionally displays the numbers of the lines in which it found a hit
-L  Only lists the files in which searchstring does not occur
diff [options] file1 file2...
-t filesystem  Specify the file system, commonly ext2 for Linux hard disks, msdos for MS-DOS media, vfat for the Windows file system, and iso9660 for CDs
For hard disks not defined in the file /etc/fstab, the device type must also be specified.
Page 391
du [options] [path]
This command, when executed without any parameters, shows the total disk space occupied by files and subdirectories in the current directory.
-a  Displays the size of each individual file
-h  Output in human-readable form
-s  Displays only the calculated total size
free [options]
The command free displays information about RAM and swap space usage, showing the total and the used amount in both categories.
Page 392
ps [options] [process ID] If run without any options, this command displays a table of all your own programs or processes—those you started. The options for this command are not preceded by a hyphen. Displays a detailed list of all processes, independent of the owner kill [options] process ID Unfortunately, sometimes a program cannot be terminated in the normal way.
Page 393
-i value Specifies the interval between two data packets in seconds (default: one second) nslookup The domain name system resolves domain names to IP addresses. With this tool, send queries to name servers (DNS servers). telnet [options] hostname or IP address [port] Telnet is actually an Internet protocol that enables you to work on remote hosts across a network. Telnet transmits everything, including login names and passwords, in cleartext, so use ssh for interactive logins and keep telnet for checking whether a TCP port answers.
halt [options] To avoid loss of data, you should always use this program to shut down your system. reboot [options] Does the same as halt except the system performs an immediate reboot. clear This command cleans up the visible area of the console. It has no options. 18.3.3 For More Information There are many more commands than listed in this chapter.
Page 395
Command Mode to Insert Mode There are many possibilities, including A for append, I for insert, or O for a new line under the current line. Insert Mode to Command Mode Press Esc to exit the insert mode. vi cannot be terminated in insert mode, so it is important to get used to pressing Esc.
Page 396
Press Esc to switch from insert mode to command mode. In command mode, move the cursor with H, J, K, and L. The keys have the following functions: Move one character to the left Move one line down Move one line up Move one character to the right The commands in command mode allow diverse variations.
Page 397
Change to insert mode (a new line is inserted after the current one) Shift + O Change to insert mode (a new line is inserted before the current one) Delete the current character D – D Delete the current line D –...
Page 398
• The Web pages of the vim project at http://www.vim.org feature all kinds of news, mailing lists, and other documentation. • A number of vim sources are available on the Internet: http://www.selflinux.org/selflinux/html/vim.html, http://www.linuxgazette.com/node/view/9039, and http://www.apmaths.uwo.ca/~xli/vim/vim_tutorial.html. See http://linux-universe.com/HOWTO/Vim-HOWTO/vim-tutorial.html for further links to tutorials.
32-Bit and 64-Bit Applications in a 64-Bit System Environment SUSE Linux Enterprise® is available for several 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE Linux Enterprise supports the use of 32-bit applications in a 64-bit system environment.
19.1 Runtime Support IMPORTANT: Conflicts between Application Versions If an application is available both for 32-bit and 64-bit environments, parallel installation of both versions is bound to lead to problems. In such cases, decide on one of the two versions and install and use this. To be executed correctly, every application requires a range of libraries.
19.2 Software Development All 64-bit architectures support the development of 64-bit objects. The level of support for 32-bit compiling depends on the architecture. These are the various implementation options for the tool chain from GCC (GNU Compiler Collection) and binutils, which include the assembler as and the linker ld: Biarch Compiler Both 32-bit and 64-bit objects can be generated with a biarch development tool...
19.3 Software Compilation on Biarch Platforms To develop binaries for the other architecture on a biarch architecture, the respective libraries for the second architecture must additionally be installed. These packages are called rpmname-32bit or rpmname-x86 (for ia64) if the second architecture is a 32-bit architecture or rpmname-64bit if the second architecture is a 64-bit architecture.
Page 405
When using s390 as second architecture, you have to use -m31 instead of -m32, because this is a 31-bit system. 1 Use the 32-bit compiler: CC="gcc -m32" 2 Instruct the linker to process 32-bit objects (always use gcc as the linker front-end): LD="gcc -m32"...
Some applications require separate kernel-loadable modules. If you intend to use such a 32-bit application in a 64-bit system environment, contact the provider of this application and Novell to make sure that the 64-bit version of the kernel-loadable module and the 32-bit compiled version of the kernel API are available for this module.
Booting and Configuring a Linux System Booting a Linux system involves various different components. The hardware itself is initialized by the BIOS, which starts the kernel by means of a boot loader. After this point, the boot process with init and the runlevels is completely controlled by the operating system.
Page 408
remaining part of the boot process. Therefore, the first 512 bytes on the first hard disk are referred to as the Master Boot Record (MBR). The boot loader then passes control to the actual operating system, in this case, the Linux kernel. More information about GRUB, the Linux boot loader, can be found in Chapter 21, The Boot Loader (page 405).
Page 409
memory. initramfs must always provide an executable named init that should execute the actual init program on the root file system for the boot process to proceed. Before the root file system can be mounted and the operating system can be started, the kernel needs the corresponding drivers to access the device on which the root file system is located.
Page 410
Loading Kernel Modules Depending on your hardware configuration, special drivers may be needed to access the hardware components of your computer (especially your hard drive). To access the root file system, the kernel needs to load the proper file system drivers. Providing Block Special Files For each loaded module, the kernel generates device events.
process are written to INITRD_MODULES in /etc/sysconfig/kernel. These names are used to generate a custom initramfs that is needed to boot the system. If the modules are not needed for boot but for coldplug, the modules are written to /etc/sysconfig/hardware/hwconfig-*. All devices that are described with configuration files in this directory are initialized in the boot process.
Page 412
the line initdefault. Usually this is 3 or 5. See Table 20.1, “Available Runlevels” (page 394). As an alternative, the runlevel can be specified at boot time (by adding the runlevel number at the boot prompt, for instance). Any parameters that are not directly evaluated by the kernel itself are passed to init.
Page 413
telinit 3 All essential programs and services (including network) are started and regular users are allowed to log in and work with the system without a graphical environment. telinit 5 The graphical environment is enabled. Usually a display manager like XDM, GDM, or KDM is started.
Page 414
2. init checks the current runlevel (runlevel) and determines it should start /etc/ init.d/rc with the new runlevel as a parameter. 3. Now rc calls the stop scripts of the current runlevel for which there is no start script in the new runlevel. In this example, these are all the scripts that reside in /etc/init.d/rc3.d (old runlevel was 3) and start with a K.
Page 415
cuted as both a start and a stop script, these scripts must understand the parameters start and stop. The scripts also understand the restart, reload, force-reload, and status options. These different options are explained in Table 20.2, “Possible init Script Options” (page 397). Scripts that are run directly by init do not have these links.
Page 416
boot Executed while starting the system directly using init. It is independent of the chosen runlevel and is only executed once. Here, the /proc and /dev/pts file systems are mounted and blogd (boot logging daemon) is activated. If the system is booted for the first time after an update or an installation, the initial system configuration is started.
Page 417
You can create your own scripts and easily integrate them into the scheme described above. For instructions about formatting, naming, and organizing custom scripts, refer to the specifications of the LSB and to the man pages of init, init.d, chkconfig, and insserv.
To create the links from the runlevel directories (/etc/init.d/rc?.d/) to the corresponding scripts in /etc/init.d/, enter the command insserv new-script-name. The insserv program evaluates the INIT INFO header to create the necessary links for start and stop scripts in the runlevel directories (/etc/init .d/rc?.d/).
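The init script that insserv expects, as an added example that is not part of the SUSE manual: a minimal LSB-style script for a hypothetical daemon called exampled, carrying the INIT INFO header insserv evaluates and understanding start, stop, restart, force-reload and status with the LSB exit codes. So that it can be exercised without installing anything, the daemon is stood in for by sleep and the pidfile lives in a temporary directory rather than /var/run; the service name, dependencies and runlevels are assumptions.

```sh
#!/bin/sh
# Added example (not from the SUSE manual): an LSB-style init script for a
# hypothetical daemon "exampled". The header below is what insserv reads to place
# the S/K links in /etc/init.d/rc?.d. "sleep" stands in for the real daemon and
# the pidfile directory is temporary; both are assumptions for the demonstration.
### BEGIN INIT INFO
# Provides:          exampled
# Required-Start:    $syslog $network
# Required-Stop:     $syslog $network
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Description:       Hypothetical example daemon
### END INIT INFO

EXAMPLED_RUNDIR=${EXAMPLED_RUNDIR:-$(mktemp -d)}
EXAMPLED_PIDFILE="$EXAMPLED_RUNDIR/exampled.pid"

# exampled_running: true if the pidfile names a process that is still alive.
exampled_running() {
    [ -r "$EXAMPLED_PIDFILE" ] && kill -0 "$(cat "$EXAMPLED_PIDFILE")" 2>/dev/null
}

# exampled_ctl ACTION: the dispatcher every init script must provide.
# Exit codes follow the LSB: 0 success/running, 3 stopped, 2 bad usage.
exampled_ctl() {
    case "$1" in
        start)
            if exampled_running; then
                echo "exampled already running"; return 0
            fi
            sleep 300 &                      # a real script starts the daemon here
            echo $! > "$EXAMPLED_PIDFILE"
            echo "exampled started"
            ;;
        stop)
            if exampled_running; then
                kill "$(cat "$EXAMPLED_PIDFILE")" 2>/dev/null
                rm -f "$EXAMPLED_PIDFILE"
                echo "exampled stopped"
            else
                echo "exampled not running"
            fi
            ;;
        restart|force-reload)
            exampled_ctl stop
            exampled_ctl start
            ;;
        status)
            if exampled_running; then
                echo "exampled is running"; return 0
            else
                echo "exampled is not running"; return 3
            fi
            ;;
        *)
            echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
            return 2
            ;;
    esac
}
```

Installed as /etc/init.d/exampled (with a trailing line that calls exampled_ctl "$1"), the command insserv exampled creates the links for runlevels 3 and 5 from the Default-Start line; a script without a well-formed header is the usual reason insserv refuses to link a service.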
Page 419
Figure 20.1 System Services (Runlevel) For detailed control over the runlevels in which a service is started or stopped or to change the default runlevel, first select Expert Mode. The current default runlevel or “initdefault” (the runlevel into which the system boots by default) is displayed at the top.
WARNING: Faulty Runlevel Settings May Damage Your System Faulty runlevel settings may render a system unusable. Before applying your changes, make absolutely sure that you know their consequences. 20.3 System Configuration via /etc/sysconfig The main configuration of SUSE Linux Enterprise is controlled by the configuration files in /etc/sysconfig.
Page 421
Figure 20.2 System Configuration Using the sysconfig Editor The YaST sysconfig dialog is split into three parts. The left part of the dialog shows a tree view of all configurable variables. When you select a variable, the right part displays both the current selection and the current setting of this variable.
Page 422
2 Bring the system into single user mode (runlevel 1) with init 1. 3 Change the configuration files as needed with an editor of your choice. If you do not use YaST to change the configuration files in /etc/sysconfig, make sure that empty variable values are represented by two quotation marks (KEYTABLE="") and that values with blanks in them are enclosed in quotation marks.
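A check for the quoting rules just described, as an added example that is not part of the SUSE manual. The files in /etc/sysconfig are sourced by the shell at boot, so an unquoted value containing blanks is more than a syntax slip: a line such as FOO=bar baz is executed as the command baz with FOO=bar in its environment. The script below flags that case and the KEY= form that should read KEY=""; the sample file in the demo function is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the SUSE manual): lint a sysconfig file for the quoting
# rules that hand-edited files must follow. The sample input is constructed.

# sysconfig_lint FILE: print "line N: message" per offending line;
# return 0 if the file is clean, 1 otherwise.
sysconfig_lint() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            line = $0
            if (line !~ /^[A-Za-z_][A-Za-z0-9_]*=/) {    # not a plain KEY=value line
                printf "line %d: not a KEY=value assignment: %s\n", NR, line
                bad = 1; next
            }
            value = line; sub(/^[^=]*=/, "", value)
            if (value == "") {                           # KEY= instead of KEY=""
                printf "line %d: empty value must be written as \"\"\n", NR
                bad = 1; next
            }
            if (value ~ /^".*"$/) next                   # properly double-quoted
            if (value ~ /[[:space:]]/) {                 # unquoted value with blanks
                printf "line %d: value with blanks must be quoted: %s\n", NR, line
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# demo_sysconfig_lint: run the linter on a constructed file with two defects
# (an unquoted value containing a blank, and an empty value without quotes).
demo_sysconfig_lint() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Type: string
KEYTABLE=""
CONSOLE_FONT="lat9w-16"
COMPOSETABLE=clear latin1.add
RC_LANG=
EOF
    sysconfig_lint "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Run sysconfig_lint over /etc/sysconfig/* before leaving single user mode; YaST writes these files correctly, so findings normally point at a manual edit.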
The Boot Loader This chapter describes how to configure GRUB, the boot loader used in SUSE Linux Enterprise®. A special YaST module is available for performing all settings. If you are not familiar with the subject of booting in Linux, read the following sections to acquire some background information.
Boot Sectors Boot sectors are the first sectors of hard disk partitions with the exception of the extended partition, which merely serves as a “container” for other partitions. These boot sectors have 512 bytes of space for code used to boot an operating system in- stalled in the respective partition.
Page 425
access file systems of supported BIOS disk devices (floppy disks or hard disks, CD drives, and DVD drives detected by the BIOS). Therefore, changes to the GRUB configuration file (menu.lst) do not require a reinstallation of the boot manager. When the system is booted, GRUB reloads the menu file with the valid paths and partition data of the kernel or the initial RAM disk (initrd) and locates these files.
Page 426
21.2.1 The GRUB Boot Menu The graphical splash screen with the boot menu is based on the GRUB configuration file /boot/grub/menu.lst, which contains all information about all partitions or operating systems that can be booted by the menu. Every time the system is booted, GRUB loads the menu file from the file system. For this reason, GRUB does not need to be reinstalled after every change to the file.
Page 427
The command root simplifies the specification of kernel and initrd files. The only argument of root is a device or a partition. This device is used for all kernel, initrd, or other file paths for which no device is explicitly specified until the next root command.
Page 428
Unfortunately, it is often not possible to map the Linux device names to BIOS device names exactly. GRUB generates this mapping with the help of an algorithm and saves it to the file device.map, which can be edited if necessary. Information about the file device.map is available in Section 21.2.2, “The File device.map”...
Page 429
color white/blue black/light-gray Color scheme: white (foreground), blue (background), black (selection), and light gray (background of the selection). The color scheme has no effect on the splash screen, only on the customizable GRUB menu that you can access by exiting the splash screen with Esc.
Page 430
Editing Menu Entries during the Boot Procedure In the graphical boot menu, select the operating system to boot with the arrow keys. If you select a Linux system, you can enter additional boot parameters at the boot prompt. To edit individual menu entries directly, press Esc to exit the splash screen and get to the GRUB text-based menu, then press E.
Page 431
21.2.2 The File device.map The file device.map maps GRUB and BIOS device names to Linux device names. In a mixed system containing IDE and SCSI hard disks, GRUB must try to determine the boot sequence by a special procedure, because GRUB may not have access to the BIOS information on the boot sequence.
Page 432
21.2.3 The File /etc/grub.conf The third most important GRUB configuration file after menu.lst and device.map is /etc/grub.conf. This file contains the commands, parameters, and options the GRUB shell needs for installing the boot loader correctly:
   root (hd0,4)
   install /grub/stage1 (hd0,3) /grub/stage2 0x8000 (hd0,4)/grub/menu.lst
   quit
Meaning of the individual entries: root (hd0,4)
Page 433
As the user root, proceed as follows to set a boot password:
1 At the root prompt, encrypt the password using grub-md5-crypt:
   # grub-md5-crypt
   Password: ****
   Retype password: ****
   Encrypted: $1$lS2dv/$JOYcdxIn7CJk9xShzzJVw/
2 Paste the encrypted string into the global section of the file menu.lst:
   gfxmenu (hd0,4)/message
   color white/blue black/light-gray
   default 0...
Keep in mind what this password protects: it stops someone at the console from editing menu entries or booting entries marked with lock, but it does not protect the data on the disk. Anyone who can boot from removable media, change the BIOS boot order, or remove the drive can still read the file systems, so combine the GRUB password with a BIOS password and a restricted boot order, and keep menu.lst readable only by root, because the password hash is stored in it.
21.3 Configuring the Boot Loader with YaST The easiest way to configure the boot loader in your SUSE Linux Enterprise system is to use the YaST module. In the YaST Control Center, select System > Boot Loader. As in Figure 21.1, “Boot Loader Settings” (page 416), this shows the current boot loader configuration of your system and allows you to make changes.
Page 435
Section 21.2, “Booting with GRUB” (page 406) for details). You can also delete the existing configuration and Start from Scratch or let YaST Propose a New Configuration. It is also possible to write the configuration to disk or reread the configuration from the disk.
Page 436
During the conversion, the old GRUB configuration is saved to disk. To use it, simply change the boot loader type back to GRUB and choose Restore Configuration Saved before Conversion. This action is available only on an installed system. NOTE: Custom Boot Loader To use a boot loader other than GRUB or LILO, select Do Not Install Any Boot Loader.
21.3.3 Default System To change the system that is booted by default, proceed as follows: Procedure 21.3 Setting the Default System 1 Open the Section Management tab. 2 Select the desired entry from the list. 3 Click Set as Default. 4 Click Finish to activate these changes.
Procedure 21.5 Setting a Boot Loader Password 1 Open the Boot Loader Installation tab. 2 Click Boot Loader Options. 3 Set your password in Password for the Menu Interface. 4 Click OK. 5 Click Finish to save the changes. 21.4 Uninstalling the Linux Boot Loader YaST can be used to uninstall the Linux boot loader and restore the MBR to the state it had prior to the installation of Linux.
Page 439
2 Create a subdirectory for GRUB: mkdir -p iso/boot/grub
3 Copy the kernel, the files stage2_eltorito, initrd, menu.lst, and message to iso/boot/:
   cp /boot/vmlinuz iso/boot/
   cp /boot/initrd iso/boot/
   cp /boot/message iso/boot/
   cp /usr/lib/grub/stage2_eltorito iso/boot/grub
   cp /boot/grub/menu.lst iso/boot/grub
4 Adjust the path entries in iso/boot/grub/menu.lst to make them point to a CD-ROM device.
This section lists some of the problems frequently encountered when booting with GRUB and a short description of possible solutions. Some of the problems are covered in articles in the Knowledge base at http://support.novell.com/. Use the search dialog to search for keywords like GRUB, boot, and boot loader.
Page 441
GRUB Reports GRUB Geom Error GRUB checks the geometry of connected hard disks when the system is booted. Sometimes, the BIOS returns inconsistent information and GRUB reports a GRUB Geom Error. If this is the case, use LILO or update the BIOS. Detailed information about the installation, configuration, and maintenance of LILO is available in the Support Database under the keyword LILO.
21.8 For More Information Extensive information about GRUB is available at http://www.gnu.org/software/grub/. Also refer to the grub info page. You can also search for the keyword “GRUB” in the Technical Information Search at http://www.novell.com/support to get information about special issues.
Special System Features This chapter starts with information about various software packages, the virtual consoles, and the keyboard layout. We talk about software components like bash, cron, and logrotate, because they were changed or enhanced during the last release cycles. Even if they are small or considered of minor importance, users may want to change their default behavior, because these components are often closely coupled with the system.
Page 444
2. ~/.profile 3. /etc/bash.bashrc 4. ~/.bashrc Make custom settings in ~/.profile or ~/.bashrc. To ensure the correct processing of these files, it is necessary to copy the basic settings from /etc/skel/.profile or /etc/skel/.bashrc into the home directory of the user. It is recommended to copy the settings from /etc/skel after an update.
Page 445
run-crons is run every 15 minutes from the main table (/etc/crontab). This guarantees that processes that may have been neglected can be run at the proper time. To run the hourly, daily, or other periodic maintenance scripts at custom times, remove the time stamp files regularly using /etc/crontab entries (see Example 22.2, “/etc/crontab: Remove Time Stamp Files”...
Page 446
example, such files ship with the packages, e.g. apache2 (/etc/logrotate.d/apache2) and syslogd (/etc/logrotate.d/syslog). Example 22.3 Example for /etc/logrotate.conf
   # see "man logrotate" for details
   # rotate log files weekly
   weekly
   # keep 4 weeks worth of backlogs
   rotate 4
   # create new (empty) log files after rotating old ones
   create
   # uncomment this if you want your log files compressed...
Page 447
22.1.5 The ulimit Command With the ulimit (user limits) command, it is possible to set limits for the use of system resources and to have these displayed. ulimit is especially useful for limiting the memory available for applications. With this, an application can be prevented from using too much memory on its own, which could bring the system to a standstill.
Page 448
IMPORTANT Not all shells support ulimit directives. PAM (for instance, pam_limits) offers comprehensive adjustment possibilities if you depend on encompassing settings for these restrictions. 22.1.6 The free Command The free command is somewhat misleading if your goal is to find out how much RAM is currently being used.
Page 449
22.1.8 Man Pages and Info Pages For some GNU applications (such as tar), the man pages are no longer maintained. For these commands, use the --help option to get a quick overview of the info pages, which provide more in-depth instructions. info is GNU's hypertext system. Read an introduction to this system by entering info info.
The components of Emacs are divided into several packages: • The base package emacs. • emacs-x11 (usually installed): the program with X11 support. • emacs-nox: the program without X11 support. • emacs-info: online documentation in info format. • emacs-el: the uncompiled library files in Emacs Lisp. These are not required at runtime.
   /etc/csh.cshrc
   /etc/termcap
   /usr/lib/terminfo/x/xterm
   /usr/share/X11/app-defaults/XTerm
   /usr/share/emacs/VERSION/site-lisp/term/*.el
These changes only affect applications that use terminfo entries or whose configuration files are changed directly (vi, less, etc.). Applications not shipped with the system should be adapted to these defaults. Under X, the compose key (multikey) can be accessed using Ctrl + Shift (right). Also see the corresponding entry in /etc/X11/Xmodmap.
Page 452
RC_LC_MESSAGES, RC_LC_CTYPE, RC_LC_COLLATE, RC_LC_TIME, RC_LC_NUMERIC, RC_LC_MONETARY These variables are passed to the shell without the RC_ prefix and represent the listed categories. The shell profiles concerned are listed below. The current setting can be shown with the command locale. RC_LC_ALL This variable, if set, overwrites the values of the variables already mentioned.
Page 453
   localedef -i en_US -f UTF-8 en_US.UTF-8
LANG=en_US.UTF-8 This is the default setting if American English is selected during installation. If you selected another language, that language is enabled but still with UTF-8 as the character encoding. LANG=en_US.ISO-8859-1 This sets the language to English, country to United States, and the character set to ISO-8859-1.
Page 454
22.4.3 Settings for Language Support Files in the category Messages are, as a rule, only stored in the corresponding language directory (like en) to have a fallback. If you set LANG to en_US and the message file in /usr/share/locale/en_US/LC_MESSAGES does not exist, it falls back to /usr/share/locale/en/LC_MESSAGES.
Page 455
22.4.4 For More Information • The GNU C Library Reference Manual, Chapter “Locales and Internationalization”. It is included in glibc-info. • Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, currently at http://www.cl.cam.ac.uk/~mgk25/unicode.html. • Unicode-Howto, by Bruno Haible: /usr/share/doc/howto/en/html/Unicode-HOWTO.html.
Printer Operation SUSE Linux Enterprise® supports printing with many types of printers, including remote network printers. Printers can be configured with YaST or manually. Both graphical and command line utilities are available for starting and managing print jobs. If your printer does not work as expected, refer to Section 23.9, “Troubleshooting”...
Page 458
print system can convert PostScript jobs to the respective printer language with the help of Ghostscript. This processing stage is referred to as interpreting. The best-known languages are PCL, which is mostly used by HP printers and their clones, and ESC/P, which is used by Epson printers.
23.1 The Workflow of the Printing System The user creates a print job. The print job consists of the data to print plus information for the spooler, such as the name of the printer or the name of the printer queue, and, optionally, information for the filter, such as printer-specific options.
these platforms, printing is only possible over the network. The cabling for network printers must be installed according to the instructions of the printer manufacturer. WARNING: Changing Cable Connections in a Running System When connecting the printer to the machine, do not forget that only USB devices can be plugged in or unplugged during operation.
23.4 Setting Up a Printer YaST can be used to configure a local printer that is directly connected to your machine (normally with USB or parallel port) or to set up printing over the network. It is also possible to add PPD (PostScript Printer Description) files for your printer with YaST. 23.4.1 Configuring Local Printers If an unconfigured local printer is detected, YaST starts automatically to configure it.
Page 462
printer detection. If more than one printer is connected to the machine or more than one queue is configured for a printer, you can mark the active entry as the default. CUPS Expert Settings and Change IPP Listen are advanced configuration options— refer to Chapter 23, Printer Operation (page 439) for details.
Page 463
which language your printer understands). If this does not work, refer to Section “Adding PPD Files with YaST” (page 446) for another possible solution. 7 The Configuration screen lists a summary of the printer setup. This dialog is also shown when editing an existing printer configuration from the start screen of this YaST module.
Page 464
• With State and banner settings you can, for example, deactivate the printer by changing its state and specify whether a page with a Starting Banner or Ending Banner is printed before or after each job (the default is not to print them).
23.4.2 Configuring Network Printers with YaST Network printers are not detected automatically. They must be configured manually using the YaST printer module. Depending on your network setup, you can print to a print server (CUPS, LPD, SMB, or IPX) or directly to a network printer (preferably via TCP).
Page 466
socket Socket refers to a connection in which the data is sent to an Internet socket without first performing a data handshake. Some of the socket port numbers that are com- monly used are 9100 or 35. The device URI (uniform resource identifier) syntax is socket://IP.of.the.printer:port, for example, socket://192.168.2.202:9100/.
Page 467
23.5.1 Configuring CUPS with Command Line Tools Apart from setting CUPS options with YaST when configuring a network printer, CUPS can be configured with command line tools like lpadmin and lpoptions. You need a device URI consisting of a back-end, such as USB, and parameters, like /dev/usb/ lp0.
   Resolution/Output Resolution: 150dpi *300dpi 600dpi
The activated default option is identified by a preceding asterisk (*).
2 Change the option with lpadmin:
   lpadmin -p queue -o Resolution=600dpi
3 Check the new setting:
   lpoptions -p queue -l
   Resolution/Output Resolution: 150dpi 300dpi *600dpi
When a normal user runs lpoptions, the settings are written to ~/.lpoptions.
Some applications rely on the lp command for printing. In this case, enter the correct command in the application's print dialog, usually without specifying filename, for example, lp -d queuename. 23.8 Special Features in SUSE Linux Enterprise A number of CUPS features have been adapted for SUSE Linux Enterprise. Some of the most important changes are covered here.
Page 470
23.8.2 Changes in the CUPS Print Service Generalized Functionality for BrowseAllow and BrowseDeny The access permissions set for BrowseAllow and BrowseDeny apply to all kinds of packets sent to cupsd, not only to browsing packets. The default settings in /etc/cups/cupsd.conf are as follows:
   BrowseAllow @LOCAL
   BrowseDeny All
   <Location />...
Page 471
printer model, YaST compares the vendor and model determined during hardware detection with the vendors and models in all PPD files available in /usr/share/cups/model on the system. For this purpose, the YaST printer configuration generates a database from the vendor and model information extracted from the PPD files. When you select a printer from the list of vendors and models, you receive the PPD files matching the vendor and model.
Page 472
Gimp-Print PPD Files in the cups-drivers-stp Package Instead of foomatic-rip, the CUPS filter rastertoprinter from Gimp-Print can be used for many non-PostScript printers. This filter and suitable Gimp-Print PPD files are available in the cups-drivers-stp package. The Gimp-Print PPD files are located in /usr/share/cups/model/stp/ and have the entries *NickName: ...
the printer may be unreliable in this mode because it has too little memory or the printer is too slow because its processor is too weak. Furthermore, the printer may not support PostScript by default, for example, because PostScript support is only available as an optional module.
Page 474
print system and that they are suitable for the various hardware platforms. In contrast, printers that support a standard printer language do not depend on a special print system version or a special hardware platform. Instead of spending time trying to make a proprietary Linux driver work, it may be more cost-effective to purchase a supported printer.
Page 475
• DMA: disabled If the printer cannot be addressed on the parallel port despite these settings, enter the I/O address explicitly in accordance with the setting in the BIOS in the form 0x378 in /etc/modprobe.conf. If there are two parallel ports that are set to the I/O addresses 378 and 278 (hexadecimal), enter these in the form 0x378,0x278.
Page 476
Checking a Remote lpd Use the following command to test if a TCP connection can be established to lpd (port 515) on host:
   netcat -z host 515 && echo ok || echo failed
If the connection to lpd cannot be established, lpd may not be active or there may be basic network problems.
Page 477
The following command can be used to test if a TCP connection can be established to cupsd (port 631) on host:
   netcat -z host 631 && echo ok || echo failed
If the connection to cupsd cannot be established, cupsd may not be active or there may be basic network problems.
Page 478
check all possible ports, use the command nmap -p from_port-to_port IP-address. This may take some time. For further information, refer to the man page of nmap. Enter a command like
   echo -en "\rHello\r\f" | netcat -w 1 IP-address port
   cat file | netcat -w 1 IP-address port
to send character strings or files directly to the respective port to test if the printer can be addressed on this port.
Page 479
warded immediately, it cannot be deleted with the job number on the client host, because the client cupsd regards the print job as completed as soon as it has been forwarded to the server cupsd. To delete the print job on the server, use a command such as lpstat -h cups.example.com -o to determine the job number on the server, provided the server has not already completed the print job (that is, sent it completely to the printer).
Page 480
4 Reset the printer completely by switching it off for some time. Then insert the paper and turn on the printer. 23.9.9 Debugging the CUPS Print System Use the following generic procedure to locate problems in the CUPS print system: 1 Set LogLevel debug in /etc/cups/cupsd.conf.
Dynamic Kernel Device Management with udev Since version 2.6, the kernel is capable of adding or removing almost any device in the running system. Changes in device state (whether a device is plugged in or removed) need to be propagated to userspace. Devices need to be configured as soon as they are plugged in and discovered.
that directory is copied to the /dev directory with the same ownership and permissions as the files in /lib/udev/devices. 24.2 Kernel uevents and udev The required device information is exported by the sysfs file system. For every device the kernel has detected and initialized, a directory with the device name is created. It contains attribute files with device-specific properties.
currently available modules. With this infrastructure, module loading is as easy as calling modprobe for every event that carries a MODALIAS key. If modprobe $MODALIAS is called, it matches the device alias composed for the device with the aliases provided by the modules. If a matching entry is found, that module is loaded. All this is triggered by udev and happens automatically.
Page 484
   UDEV  [1132632714.348966] add@/devices/pci0000:00/0000:00:1d.1/usb2/2-2
   UDEV  [1132632714.420947] add@/devices/pci0000:00/0000:00:1d.1/usb2/2-2/2-2:1.0
   UDEV  [1132632714.427298] add@/class/input/input6
   UDEV  [1132632714.434223] add@/class/usb_device/usbdev2.12
   UDEV  [1132632714.439934] add@/class/input/input6/mouse2
The UEVENT lines show the events the kernel has sent over netlink. The UDEV lines show the finished udev event handlers. The timing is printed in microseconds. The time between UEVENT and UDEV is the time udev took to process this event, or the time the udev daemon delayed its execution to synchronize this event with related events that were already running.
24.6 Influencing Kernel Device Event Handling with udev Rules A udev rule can match any property the kernel adds to the event itself or any information that the kernel exports to sysfs. The rule can also request additional information from external programs.
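A rule file of the kind this section describes, as an added example that is not part of the SUSE manual. It matches one known USB disk by the vendor and product IDs the kernel exports to sysfs, gives its block device a stable symlink and restricts the node to one group, and makes every other USB mass-storage node root-only. The file name, the group and the IDs are assumptions; the key names (SUBSYSTEMS, ATTRS{}) follow the udev rule syntax of later releases, and older udev versions spelled the parent-device keys BUS and SYSFS{}, so check man udev on the target system before copying this.

```udev
# Added example (not from the SUSE manual): /etc/udev/rules.d/80-local-usb-storage.rules
# Vendor/product IDs, the "backup" group and the file name are assumptions.

# Known backup disk: stable name /dev/backupdisk<n>, node usable by group "backup".
# ":=" makes GROUP and MODE final so the catch-all rule below cannot override them.
ACTION=="add", SUBSYSTEM=="block", SUBSYSTEMS=="usb", \
    ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5567", \
    SYMLINK+="backupdisk%n", GROUP:="backup", MODE:="0660"

# Any other USB block device: node created, but readable and writable by root only.
ACTION=="add", SUBSYSTEM=="block", SUBSYSTEMS=="usb", \
    OWNER="root", GROUP="root", MODE="0600"
```

To find the attribute values to match on, walk the device chain with udevinfo -a -p /sys/block/sdb (udevadm info -a -p on newer udev) and take idVendor and idProduct from the USB parent; without the := assignments in the first rule, the later catch-all rule would silently win because plain = assignments are applied in order and the last one counts.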
/etc/udev/udev.conf Main udev configuration file
/etc/udev/rules.d/* udev event matching rules
/lib/udev/devices/* Static /dev content
/lib/udev/* Helper programs called from udev rules
24.9 For More Information For more information about the udev infrastructure, refer to the following man pages: udev General information about udev, keys, rules, and other important configuration issues.
File Systems in Linux
SUSE Linux Enterprise® ships with a number of different file systems, including ReiserFS, Ext2, Ext3, and XFS, from which to choose at installation time. Each file system has its own advantages and disadvantages that can make it more suited to a scenario. To meet the requirements of high-performance clustering scenarios, SUSE Linux Enterprise Server includes OCFS2 (Oracle Cluster File System 2).
it obsoletes the lengthy search process that checks the entire file system at system start-up. Instead, only the journal is replayed.
25.2 Major File Systems in Linux
Unlike two or three years ago, choosing a file system for a Linux system is no longer a matter of a few seconds (Ext2 or ReiserFS?).
directly in the B tree leaf nodes instead of being stored elsewhere and just maintaining a pointer to the actual disk location. In addition to that, storage is not allocated in chunks of 1 or 4 KB, but in portions of the exact size needed. Another benefit lies in the dynamic allocation of inodes.
+found). In contrast to journaling file systems, e2fsck analyzes the entire file system and not just the recently modified bits of metadata. This takes significantly longer than checking the log data of a journaling file system. Depending on file system size, this procedure can take half an hour or more. Therefore, it is not desirable to choose Ext2 for any server that needs high availability.
Ext3 in the data=journal mode offers maximum security (data integrity), but can slow down the system because both metadata and data are journaled. A relatively new approach is to use the data=ordered mode, which ensures both data and metadata integrity, but uses journaling only for metadata. The file system driver collects all data blocks that correspond to one metadata update.
25.2.5 XFS
Originally intended as the file system for their IRIX OS, SGI started XFS development in the early 1990s. The idea behind XFS was to create a high-performance 64-bit journaling file system to meet the extreme computing challenges of today. XFS is very good at manipulating large files and performs well on high-end hardware.
25.2.6 Oracle Cluster File System 2
OCFS2 is a journaling file system that has been tailor-made for clustering setups. In contrast to a standard single-node file system like Ext3, OCFS2 is capable of managing several nodes. OCFS2 allows spreading a file system across shared storage, such as a SAN or multipath setup.
DOS, is today used by various operating systems.
ncpfs File system for mounting Novell volumes over networks.
nfs Network File System: Here, data can be stored on any machine in a network and access may be granted via a network.
umsdos UNIX on MSDOS: Applied on top of a normal fat file system, achieves UNIX functionality (permissions, links, long filenames) by creating special files.
vfat Virtual FAT: Extension of the fat file system (supports long filenames).
ntfs Windows NT file system, read-only.
25.4 Large File Support in Linux
Originally, Linux supported a maximum file size of 2 GB.
File System / File Size (Bytes) / File System Size (Bytes)
(8 EB) / (8 EB)
NFSv2 (client side) / (2 GB) / (8 EB)
NFSv3 (client side) / (8 EB) / (8 EB)
IMPORTANT: Linux Kernel Limits
Table 25.2, “Maximum Sizes of File Systems (On-Disk Format)” (page 479) describes the limitations regarding the on-disk format.
A comprehensive multipart tutorial about Linux file systems can be found at IBM developerWorks: http://www-106.ibm.com/developerworks/library/l-fs.html. A very in-depth comparison of file systems (not only Linux file systems) is available from the Wikipedia project: http://en.wikipedia.org/wiki/Comparison_of_file_systems#Comparison.
The X Window System
The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. X is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet). This chapter describes the setup and optimization of the X Window System environment, and provides background information about the use of fonts in SUSE Linux Enterprise®.
WARNING: Faulty X Configurations can Damage Your Hardware
Be very careful when configuring your X Window System. Never start the X Window System until the configuration is finished. A misconfigured system can cause irreparable damage to your hardware (this applies especially to fixed-frequency monitors).
Table 26.1 Sections in /etc/X11/xorg.conf
Type / Meaning
Files / The paths used for fonts and the RGB color table.
ServerFlags / General switches for the server behavior.
Module / A list of modules the server should load.
InputDevice / Input devices, like keyboards and special input devices (touchpads, joysticks, etc.), are configured in this section.
Type / Meaning
Screen / Combines a Monitor and a Device to form all the necessary settings for X.Org. In the Display subsection, specify the size of the virtual screen (Virtual), the ViewPort, and the Modes used with this screen.
ServerLayout / The layout of a single or multihead configuration. This section binds the input devices InputDevice and the display devices Screen.
The last line of the Display subsection with Depth 16 refers to the size of the virtual screen. The maximum possible size of a virtual screen depends on the amount of memory installed on the graphics card and the desired color depth, not on the maximum resolution of the monitor.
in decimal form, but lspci displays these in hexadecimal form. The value of BusID is automatically detected by SaX2. The value of Driver is automatically set by SaX2 and specifies which driver to use for your graphics card. If the card is a Matrox Millennium, the driver module is called mga.
WARNING Unless you have in-depth knowledge of monitor and graphics card functions, do not change the modelines, because this could severely damage your monitor. Those who try to develop their own monitor descriptions should be very familiar with the documentation in /usr/X11R6/lib/X11/doc/ (the package xorg-x11-doc must be installed).
/etc/fonts/suse-font-dirs.conf is automatically generated to pull in fonts that ship with (mostly third party) applications like OpenOffice.org, Java or Adobe Acrobat Reader. Some typical entries of /etc/fonts/suse-font-dirs.conf would look like the following:
<dir>/usr/lib/ooo-2.0/share/fonts</dir>
<dir>/usr/lib/ooo-2.0/share/fonts/truetype</dir>
<dir>/usr/lib/jvm/java-1.5.0-sun-1.5.0_update10/jre/lib/fonts</dir>
<dir>/usr/X11R6/lib/Acrobat7/Resource/Font</dir>
<dir>/usr/X11R6/lib/Acrobat7/Resource/Font/PFM</dir>
To install additional fonts systemwide, manually copy the font files to a suitable directory (as root), such as /usr/share/fonts/truetype.
The X11 core font system has a few inherent weaknesses. It is outdated and can no longer be extended in a meaningful way. Although it must be retained for reasons of backward compatibility, the more modern Xft and fontconfig system should be used if at all possible.
languages. Direct access to the font files is very useful for embedding fonts for printing to make sure that the printout looks the same as the screen output. In SUSE Linux Enterprise, the two desktop environments KDE and GNOME, Mozilla, and many other applications already use Xft by default.
to disable antialiasing for specific fonts. By default, most applications use the font names sans-serif (or the equivalent sans), serif, or monospace. These are not real fonts but only aliases that are resolved to a suitable font, depending on the language setting. Users can easily add rules to ~/.fonts.conf to resolve these aliases to their favorite fonts:
<alias>...
FreeMonoOblique.ttf: FreeMono:style=Oblique:weight=80
FreeMono.ttf: FreeMono:style=Medium:weight=80
FreeSans.ttf: FreeSans:style=Medium:weight=80
FreeSerifBold.ttf: FreeSerif:style=Bold:weight=200
FreeSansBoldOblique.ttf: FreeSans:style=BoldOblique:weight=200
FreeMonoBold.ttf: FreeMono:style=Bold:weight=200
Important parameters that can be queried with fc-list:
Table 26.2 Parameters of fc-list
Parameter / Meaning and Possible Values
family / Name of the font family, for example, FreeSans.
foundry / The manufacturer of the font, for example, urw.
26.3 For More Information
Install the packages xorg-x11-doc and howtoenh to get more in-depth information on X11. More information on the X11 development can be found on the project's home page at http://www.x.org.
Authentication with PAM
Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
27.1 Structure of a PAM Configuration File
Each line in a PAM configuration file contains a maximum of four columns:
<Type of module> <Control flag> <Module path> <Options>
PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings.
modules with the same flag are processed before the user receives a message about the failure of the authentication attempt. requisite Modules having this flag must also be processed successfully, in much the same way as a module with the required flag. However, in case of failure a module with this flag gives immediate feedback to the user and no further modules are processed.
Example 27.1 PAM Configuration for sshd
#%PAM-1.0
auth     include  common-auth
auth     required pam_nologin.so
account  include  common-account
password include  common-password
session  include  common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname
The typical PAM configuration of an application (sshd, in this case) contains four include statements referring to the configuration files of four module types: common-auth, common-account, common-password, and common-session.
successfully before sshd receives a message about the positive result. If one of the modules is not successful, the entire module stack is still processed and only then is sshd notified about the negative result. As soon as all modules of the auth type have been successfully processed, another include statement is processed, in this case, that in Example 27.3, “Default Configuration for the account Section”...
Although pam_unix2 is processed again, it has no practical consequences due to its none option specified in the respective configuration file of this module, pam_unix2.conf. The pam_limits module loads the file /etc/security/limits.conf, which may define limits on the use of certain system resources. The session modules are called a second time when the user logs out.
27.3.2 pam_env.conf
This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax:
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
VARIABLE Name of the environment variable to set.
[DEFAULT=[value]] Default value the administrator wants set.
words. More options for the module are mentioned in the file /etc/security/pam_pwcheck.conf.
Example 27.8 pam_pwcheck.conf
password: nullok
27.3.4 limits.conf
System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily.
Thorsten Kukuk has developed a number of PAM modules and made some information available about them at http://www.suse.de/~kukuk/pam/.
Power Management
Power management is especially important on laptop computers, but is also useful on other systems. Two technologies are available: APM (advanced power management) and ACPI (advanced configuration and power interface). In addition to these, it is also possible to control CPU frequency scaling to save power or decrease noise. These options can be configured manually or using a special YaST module.
28.1 Power Saving Functions
Power saving functions are not only significant for the mobile use of laptops, but also for desktop systems. The main functions and their use in the power management systems APM and ACPI are:
Standby This operating mode turns off the display. On some computers, the processor performance is throttled.
with the duration of the sleep periods. Other components, like PCI devices that can be put into a special power saving mode, can be deactivated with ACPI (at least theoretically) or permanently disabled in the BIOS setup.
Processor Speed Control In connection with the CPU, energy can be saved in three different ways: frequency and voltage scaling (also known as PowerNow! or Speedstep), throttling, and putting the processor to sleep (C states).
on or off Enable or disable APM support.
(no-)allow-ints Allow interrupts during the execution of BIOS functions.
(no-)broken-psr The “GetPowerStatus” function of the BIOS does not work properly.
(no-)realmode-power-off Reset processor to real mode prior to shutdown.
(no-)debug Log APM events in system log.
(no-)power-off Power system off after shutdown.
28.3 ACPI
ACPI (advanced configuration and power interface) was designed to enable the operating system to set up and control the individual hardware components. ACPI supersedes both PnP and APM. It delivers information about the battery, AC adapter, temperature, fan, and system events, like “close lid” or “battery low.” The BIOS provides tables containing information about the individual components and hardware access methods.
acts as a front-end for the Powersave daemon. The following describes the most important files:
/proc/acpi/info General information about ACPI.
/proc/acpi/alarm Here, specify when the system should wake from a sleep state. Currently, this feature is not fully supported.
/proc/acpi/sleep Provides information about possible sleep states.
/proc/acpi/fan/FAN/state Shows if the fan is currently active. Activate or deactivate the fan manually by writing 0 (on) or 3 (off) into this file. However, both the ACPI code in the kernel and the hardware (or the BIOS) overwrite this setting when the system gets too warm.
/proc/acpi/thermal_zone/*/state The state indicates if everything is ok or if ACPI applies active or passive cooling. In the case of ACPI-independent fan control, this state is always ok.
/proc/acpi/thermal_zone/*/cooling_mode Select the cooling method controlled by ACPI. Choose from passive (less performance, economical) or active cooling mode (full performance, fan noise).
turers. The clock frequency of the CPU and its core voltage are reduced at the same time, resulting in more than linear energy savings. This means that when the frequency is halved (half performance), far less than half of the energy is consumed. This technology is independent from APM or ACPI.
Putting the Processor to Sleep The operating system puts the processor to sleep whenever there is nothing to do. In this case, the operating system sends the CPU a halt command. There are three states: C1, C2, and C3. In the most economic state, C3, even the synchronization of the processor cache with the main memory is halted.
Sometimes, deviations from the ACPI specification are purposely integrated in the BIOS to circumvent errors in the ACPI implementation in other widespread operating systems. Hardware components that have serious errors in the ACPI implementation are recorded in a blacklist that prevents the Linux kernel from using ACPI for these components.
For More Information
Additional documentation and help on ACPI:
• http://www.cpqlinux.com/acpi-howto.html (detailed ACPI HOWTO, contains DSDT patches)
• http://www.intel.com/technology/iapc/acpi/faq.htm (ACPI FAQ @Intel)
• http://acpi.sourceforge.net/ (the ACPI4Linux project at Sourceforge)
• http://www.poupinou.org/acpi/ (DSDT patches by Bruno Ducrot)
28.4 Rest for the Hard Disk
In Linux, the hard disk can be put to sleep entirely if it is not needed or it can be run in a more economic or quieter mode.
Linux handles data that needs to be written to the hard disk. First, all data is buffered in the RAM. This buffer is monitored by the kernel update daemon (kupdated). When the data reaches a certain age limit or when the buffer is filled to a certain degree, the buffer content is flushed to the hard disk.
packages, except acpid that acts as a multiplexer for ACPI events, should not be run concurrently with the powersave daemon. Even if your system does not contain all the hardware elements listed above, use the powersave daemon for controlling the power saving function. Because ACPI and APM are mutually exclusive, you can only use one of these systems on your computer.
• do_standby
• notify
• screen_saver
• reread_cpu_capabilities
throttle slows down the processor by the value defined in MAX_THROTTLING. This value depends on the current scheme. dethrottle sets the processor to full performance. suspend_to_disk, suspend_to_ram, and standby trigger the system event for a sleep mode. These three actions are generally responsible for triggering the sleep mode, but they should always be associated with specific system events.
The actions for the event of a sleep button could be modified as in EVENT_BUTTON_SLEEP="notify suspend_to_disk". In this case, the user is informed about the suspend by a pop-up window in X or a message on the console. Subsequently, the event EVENT_GLOBAL_SUSPEND2DISK is generated, resulting in the execution of the mentioned actions and a secure system suspend mode.
28.5.2 Configuring APM and ACPI
Suspend and Standby There are three basic ACPI sleep modes and two APM sleep modes:
Suspend to Disk (ACPI S4, APM suspend) Saves the entire memory content to the hard disk. The computer is switched off completely and does not consume any power.
"prepare_standby screen_saver do_standby"
EVENT_GLOBAL_RESUME_SUSPEND2DISK="restore_after_suspend_to_disk"
EVENT_GLOBAL_RESUME_SUSPEND2RAM="restore_after_suspend_to_ram"
EVENT_GLOBAL_RESUME_STANDBY="restore_after_standby"
Custom Battery States
In the file /etc/sysconfig/powersave/battery, define three battery charge levels (in percent) that trigger system alerts or specific actions when they are reached.
BATTERY_WARNING=12
BATTERY_LOW=7
BATTERY_CRITICAL=2
The actions or scripts to execute when the charge levels drop under the specified limits are defined in the configuration file /etc/sysconfig/powersave/events.
The schemes are stored in files in /etc/sysconfig/powersave. The filenames are in the format scheme_name-of-the-scheme. The example refers to two schemes: scheme_performance and scheme_powersave. performance, powersave, presentation, and acoustic are preconfigured. Existing schemes can be edited, created, deleted, or associated with different power supply states with the help of the YaST power management module described in Section 28.6, “The YaST Power Management Module”...
28.5.4 Troubleshooting
All error messages and alerts are logged in the file /var/log/messages. If you cannot find the needed information, increase the verbosity of the messages of powersave using DEBUG in the file /etc/sysconfig/powersave/common. Increase the value of the variable to 7 or even 15 and restart the daemon. The more detailed error messages in /var/log/messages should help you to find the error.
CPU Frequency Does Not Work
Refer to the kernel sources (kernel-source) to see if your processor is supported. You may need a special kernel module or module option to activate CPU frequency control. This information is available in /usr/src/linux/Documentation/cpu-freq/*. If a special module or module option is needed, configure it in the file /etc/sysconfig/powersave/cpufreq by means of the variables CPUFREQD_MODULE and CPUFREQD_MODULE_OPTS.
28.5.5 For More Information
• /usr/share/doc/packages/powersave—Local Powersave daemon documentation
• http://powersave.sourceforge.net—Most recent Powersave daemon documentation
• http://www.opensuse.org/Projects_Powersave—Project page in the openSUSE wiki
28.6 The YaST Power Management Module
The YaST power management module can configure all power management settings already described. When started from the YaST Control Center with System > Power Management, the first dialog of the module opens (see Figure 28.1, “Scheme Selection”...
In this dialog, select the schemes to use for battery operation and AC operation. To add or modify the schemes, click Edit Schemes, which opens an overview of the existing schemes like that shown in Figure 28.2, “Overview of Existing Schemes” (page 529). Figure 28.2 Overview of Existing Schemes In the scheme overview, select the scheme to modify then click Edit.
Figure 28.3 Configuring a Scheme First, enter a suitable name and description for the new or edited scheme. Determine if and how the CPU performance should be controlled for this scheme. Decide if and to what extent frequency scaling and throttling should be used and whether processes with low priority (niced processes) should be ignored when adjusting the CPU frequency.
Figure 28.4 Battery Charge Level The BIOS of your system notifies the operating system whenever the charge level drops under certain configurable limits. In this dialog, define three limits: Warning Capacity, Low Capacity, and Critical Capacity. Specific actions are triggered when the charge level drops under these limits.
Figure 28.5 ACPI Settings Access the dialog for configuring the ACPI buttons using ACPI Settings. It is shown in Figure 28.5, “ACPI Settings” (page 532). The settings for the ACPI buttons determine how the system should respond to certain switches. Configure the system response to pressing the power button, pressing the sleep button, and closing the laptop lid.
Wireless Communication
Wireless LAN can be used to establish communication between your SUSE Linux Enterprise® machines. This chapter introduces the principles of wireless networking and the basic configuration for wireless networking.
29.1 Wireless LAN
Wireless LANs have become an indispensable aspect of mobile computing. Today, most laptops have built-in WLAN cards.
Table 29.1 Overview of Various WLAN Standards
Name / Band (GHz) / Maximum Transmission Rate (Mbit/s) / Note
802.11 / Outdated; virtually no end devices available
802.11b / Widespread
802.11a / Less common
802.11g / Backward-compatible with
Additionally, there are proprietary standards, like the 802.11b variation of Texas Instruments with a maximum transmission rate of 22 Mbit/s (sometimes referred to as 802.11b+).
• Texas Instruments ACX100, ACX111
• ZyDAS zd1201
A number of older cards that are rarely used and no longer available are also supported. An extensive list of WLAN cards and the chips they use is available at the Web site of AbsoluteValue Systems at http://www.linux-wlan.org/docs/wlan_adapters.html.gz.
original version of the IEEE 802.11 standard, these are described under the term WEP. However, because WEP has proven to be insecure (see Section “Security” (page 542)), the WLAN industry (joined under the name Wi-Fi Alliance) has defined a new extension called WPA, which is supposed to eliminate the weaknesses of WEP.
terprises. In private networks, it is scarcely used. For this reason, WPA-EAP is sometimes referred to as WPA “Enterprise”. WPA-EAP needs a Radius server to authenticate users. EAP offers three different methods for connecting and authenticating to the server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).
CCMP (defined in IEEE 802.11i) CCMP describes the key management. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. The encryption takes place according to AES and is stronger than the RC4 encryption of the WEP standard.
29.1.3 Configuration with YaST
To configure your wireless network card, start the YaST Network Card module.
Network Name (ESSID) All stations in a wireless network need the same ESSID for communicating with each other. If nothing is specified, the card automatically selects an access point, which may not be the one you intended to use.
Authentication Mode Select a suitable authentication method for your network: Open, Shared Key, WPA-PSK, or WPA-EAP.
cording to the length previously specified. ASCII requests an input of 5 characters for a 64-bit key and 13 characters for a 128-bit key. For Hexadecimal, enter 10 characters for a 64-bit key or 26 characters for a 128-bit key in hexadecimal notation. WPA-PSK To enter a key for WPA-PSK, select the input method Passphrase or Hexadecimal.
system tries to use the highest possible data transmission rate. Some WLAN cards do not support the setting of bit rates.
Access Point In an environment with several access points, one of them can be preselected by specifying the MAC address.
29.1.4 Utilities
hostap (package hostap) is used to run a WLAN card as an access point.
Security If you want to set up a wireless network, remember that anybody within the transmission range can easily access it if no security measures are implemented. Therefore, be sure to activate an encryption method. All WLAN cards and access points support WEP encryption.
to use WPA, read /usr/share/doc/packages/wireless-tools/README.prism2. WPA support is quite new in SUSE Linux Enterprise and still under development. Thus, YaST does not support the configuration of all WPA authentication methods. Not all wireless LAN cards and drivers support WPA. Some cards need a firmware update to enable WPA.
Basic Networking
Linux offers the necessary networking tools and features for integration into all types of network structures. The customary Linux protocol, TCP/IP, has various services and special features, which are discussed here. Network access using a network card, modem, or other device can be configured with YaST.
Table 30.1 Several Protocols in the TCP/IP Protocol Family
Protocol / Description
TCP / Transmission Control Protocol: A connection-oriented secure protocol. The data to transmit is first sent by the application as a stream of data then converted by the operating system to the appropriate format. The data arrives at the respective application on the destination host in the original data stream format in which it was initially sent.
Figure 30.1 Simplified Layer Model for TCP/IP (Host sun and Host earth; Application Layer: Applications; Transport Layer: TCP, UDP; Network Layer; Data Link Layer: Ethernet, FDDI, ISDN; Physical Layer: Cable, Fiberglass; Data Transfer)
The diagram provides one or two examples for each layer.
located at the end of the packet, not at the beginning. This simplifies things for the network hardware. Figure 30.2 TCP/IP Ethernet Packet When an application sends data over the network, the data passes through each layer, all implemented in the Linux kernel except the physical layer. Each layer is responsible for preparing the data so it can be passed to the next layer.
30.1 IP Addresses and Routing
The discussion in this section is limited to IPv4 networks. For information about IPv6 protocol, the successor to IPv4, refer to Section 30.2, “IPv6—The Next Generation Internet” (page 554).
30.1.1 IP Addresses
Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Example 30.1, “Writing IP Addresses”...
an IP address belongs to the network. All those bits that are 1 mark the corresponding bit in the IP address as belonging to the network. All bits that are 0 mark bits inside the subnetwork. This means that the more bits are 1, the smaller the subnetwork is. Because the netmask always consists of several successive 1 bits, it is also possible to just count the number of bits in the netmask.
Table 30.2 Specific Addresses
Address Type / Description
Base Network Address / This is the netmask AND any address in the network, as shown in Example 30.2, “Linking IP Addresses to the Netmask” (page 552) under Result. This address cannot be assigned to any hosts.
30.2 IPv6—The Next Generation Internet
IMPORTANT: IBM System z: IPv6 Support
IPv6 is not supported by the CTC and IUCV network connections of the IBM System z hardware.
Due to the emergence of the WWW (World Wide Web), the Internet has experienced explosive growth with an increasing number of computers communicating via TCP/IP in the past fifteen years.
30.2.1 Advantages
The most important and most visible improvement brought by the new protocol is the enormous expansion of the available address space. An IPv6 address is made up of 128 bit values instead of the traditional 32 bits. This provides for as many as several quadrillion IP addresses.
Backward Compatibility Realistically, it would be impossible to switch the entire Internet from IPv4 to IPv6 at one time. Therefore, it is crucial that both protocols are able to coexist not only on the Internet, but also on one system. This is ensured by compatible addresses (IPv4 addresses can easily be translated into IPv6 addresses) and through the use of a number of tunnels.
Multicast Addresses of this type relate to a group of network interfaces. Packets with such an address are delivered to all destinations that belong to the group. Multicast addresses are mainly used by certain network services to communicate with certain groups of hosts in a well-directed manner.
Example 30.4 IPv6 Address Specifying the Prefix Length
fe80::10:1000:1a4/64
IPv6 knows about several predefined types of prefixes. Some of these are shown in Table 30.4, “Various IPv6 Prefixes” (page 558).
Table 30.4 Various IPv6 Prefixes
Prefix (hex) / Definition
IPv4 addresses and IPv4 over IPv6 compatibility addresses. These are used to maintain compatibility with IPv4.
Site Topology The second part contains routing information about the subnetwork to which to deliver the packet.
Interface ID The third part identifies the interface to which to deliver the packet. This also allows for the MAC to form part of the address. Given that the MAC is a globally unique, fixed identifier coded into the device by the hardware maker, the configuration procedure is substantially simplified.
and the interface ID of the network card, with the middle part consisting of zero bytes. Addresses of this type are used during automatic configuration to communicate with other hosts belonging to the same subnetwork.
site-local Packets with this type of address may be routed to other subnetworks, but not to the wider Internet—they must remain inside the organization's own network.
30.2.3 Coexistence of IPv4 and IPv6
The migration of all hosts connected to the Internet from IPv4 to IPv6 is a gradual process. Both protocols will coexist for some time to come. The coexistence on one system is guaranteed where there is a dual stack implementation of both protocols. That still leaves the question of how an IPv6 enabled host should communicate with an IPv4 host and how IPv6 packets should be transported by the current networks, which are predominantly IPv4 based.
Page 580
IPv6 Tunnel Broker This method relies on special servers that provide dedicated tunnels for IPv6 hosts. It is described in RFC 3053. 30.2.4 Configuring IPv6 To configure IPv6, you do not normally need to make any changes on the individual workstations.
http://www.bieringer.de/linux/IPv6/
Here, find the Linux IPv6-HOWTO and many links related to the topic.
RFC 2460
The fundamental RFC about IPv6.
IPv6 Essentials
A book describing all the important aspects of the topic is IPv6 Essentials by Silvia Hagen (ISBN 0-596-00125-8).
30.3 Name Resolution
DNS assists in assigning an IP address to one or more names and assigning a name to an IP address.
Page 582
The top of the hierarchy is occupied by root name servers. These root name servers hold the delegations for the top level domains and are operated by several organizations under the coordination of IANA. Each root name server knows about the name servers responsible for a given top level domain.
30.4 Configuring a Network Connection with YaST There are many supported networking types on Linux. Most of them use different device names and the configuration files are spread over several locations in the file system. For a detailed overview of the aspects of manual network configuration, see Section 30.7, “Configuring a Network Connection Manually”...
Page 584
The upper part of the next dialog shows a list with all the network cards available for configuration. Any card properly detected is listed with its name. To change the confi- guration of the selected device, click Edit. Devices that could not be detected can be configured using Add as described in Section “Configuring an Undetected Network Card”...
Page 585
NOTE: IBM System z and DHCP On IBM System z platforms, DHCP-based address configuration is only supported with network cards that have a MAC address. This is only the case with OSA and OSA Express cards. DHCP should also be used for a DSL line with no static IP assigned by the ISP. If you decide to use DHCP, configure the details in DHCP Client Options.
Page 586
2 In the Address tab, choose Advanced > Additional Addresses.
3 Click Add.
4 Enter Alias Name, IP Address, and Netmask.
5 Click OK.
6 Click OK again.
7 Click Next.
8 To activate the configuration, click Finish.
Configuring Hostname and DNS
If you did not change the network configuration during installation and the wired card was available, a hostname was automatically generated for your computer and DHCP was activated.
Page 587
7 Click OK.
8 Click Next.
9 To activate the configuration, click Finish.
Configuring Routing
To make your machine communicate with other machines and other networks, routing information must be given to make network traffic take the correct path. If DHCP is used, this information is automatically provided.
Page 588
5 Click Next.
6 To activate configuration, click Finish.
Starting the Device
If you use the traditional method with ifup, you can configure your device to start during boot, on cable connection, on card detection, manually, or never. To change device start-up, proceed as follows:
1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
Page 589
Demilitarized Zone A demilitarized zone is an additional line of defense in front of an internal network and the (hostile) Internet. Hosts assigned to this zone can be reached from the internal network and from the Internet, but cannot access the internal network.
Page 590
name server, and routing details (see Section “Configuring Hostname and DNS” (page 568) and Section “Configuring Routing” (page 569)). If you selected Wireless as the device type of the interface, configure the wireless connection in the next dialog. Detailed information about wireless device confi- guration is available in Section 29.1, “Wireless LAN”...
Page 591
Figure 30.4 Modem Configuration If behind a private branch exchange (PBX), you may need to enter a dial prefix. This is often a zero. Consult the instructions that came with the PBX to find out. Also select whether to use tone or pulse dialing, whether the speaker should be on, and whether the modem should wait until it detects a dial tone.
Page 592
In the last dialog, specify additional connection options: Dial on Demand If you enable dial on demand, set at least one name server. Modify DNS when Connected This option is enabled by default, with the effect that the name server address is updated each time you connect to the Internet.
Page 593
30.4.3 ISDN
TIP: IBM System z: ISDN
The configuration of this type of hardware is not supported on IBM System z platforms.
Use this module to configure one or several ISDN cards for your system. If YaST did not detect your ISDN card, click Add and manually select it. Multiple interfaces are possible, but not required: several ISPs can be configured for one interface.
Page 594
you to load the ISDN driver as root with the command rcisdn start. On Hotplug, used for PCMCIA or USB devices, loads the driver after the device is plugged in. When finished with these settings, select OK. In the next dialog, specify the interface type for your ISDN card and add ISPs to an existing interface.
Page 595
1. Smaller private branch exchanges (PBX) built for home purposes mostly use the Euro-ISDN (EDSS1) protocol for internal calls. These exchanges have an internal S0 bus and use internal numbers for the equipment connected to them. Use one of the internal numbers as your MSN. You should be able to use at least one of the exchange's MSNs that have been enabled for direct outward dialing.
Page 596
still need to provide a placeholder address like 192.168.22.99. If your ISP does not support dynamic DNS, specify the name server IP addresses of the ISP. If desired, specify a time-out for the connection—the period of network inactivity (in seconds) after which the connection should be automatically terminated.
Page 597
To configure your DSL device, select the DSL module from the YaST Network Devices section. This YaST module consists of several dialogs in which to set the parameters of DSL links based on one of the following protocols: • PPP over Ethernet (PPPoE) •...
Page 598
Figure 30.7 DSL Configuration To begin the DSL configuration (see Figure 30.7, “DSL Configuration” (page 580)), first select the PPP mode and the ethernet card to which the DSL modem is connected (in most cases, this is eth0). Then use Device Activation to specify whether the DSL link should be established during the boot process.
Page 599
The configuration of T-DSL is very similar to the DSL setup. Just select T-Online as your provider and YaST opens the T-DSL configuration dialog. In this dialog, provide some additional information required for T-DSL—the line ID, the T-Online number, the user code, and your password. All of these should be included in the information you received after subscribing to T-DSL.
Page 600
Choose the Device Settings that fit your devices (usually this would be Compatibility mode). Specify both your IP address and the IP address of the remote partner. If needed, adjust the MTU size with Advanced > Detailed Settings. Leave the network configuration with Next and Finish.
30.5 Configuring VLAN Interfaces on SUSE Linux VLAN is an abbreviation of Virtual Local Area Network. It allows the running of multiple logical (virtual) ethernets over one single physical ethernet. It logically splits the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN.
2 In Network Configuration, select Device Type Virtual Lan.
3 Change the value of Configuration Name to the ID of your VLAN. Note that VLAN ID 1 is commonly used for managing purposes.
4 Press Next.
5 Select the interface that the VLAN device should connect to below Real Interface for VLAN.
Page 603
• You want to use SCPM for network configuration management. To use SCPM and NetworkManager at the same time, SCPM cannot control network resources.
• You want to use more than one active network connection simultaneously.
To enable or disable NetworkManager during the installation, click Enable NetworkManager or Disable NetworkManager in Network Mode of Network Configuration.
Traditional configuration with ifup also provides some ways to switch, stop, or start the connection with or without user intervention, like user-managed devices, but it always requires root privileges to change or configure a network device. This is often a problem for mobile computing, where it is not possible to preconfigure all connection possibilities.
Page 605
All built-in network cards and hotplug network cards (PCMCIA, USB, some PCI cards) are detected and configured via hotplug. The system sees a network card in two different ways: first as a physical device and second as an interface. The insertion or detection of a device triggers a hotplug event.
Page 606
getcfg. The output of getcfg delivers all information that can be used for describing a device. Details regarding the specification of configuration names are available in the manual page of getcfg. With the described method, a network interface is configured with the correct configu- ration even if the network devices are not always initialized in the same order.
ifup interfacename triggered the hardware initialization. Now the procedure has been reversed. First, a hardware component is initialized then all other actions follow. In this way, a varying number of devices can always be configured in the best way possible with an existing set of configurations. Table 30.5, “Manual Network Configuration Scripts”...
Page 608
/etc/sysconfig/hardware/hwcfg-*
These files contain the hardware configurations of network cards and other devices. They contain the needed parameters, such as the kernel module, start mode, and script associations. Refer to the manual page of hwup for details. Regardless of the existing hardware, the hwcfg-static-* configurations are applied when coldplug is started.
Page 609
207.68.156.51 207.68.145.45 255.255.255.255 eth1
192.168.0.0 207.68.156.51 255.255.0.0 eth1
The route's destination is in the first column. This column may contain the IP address of a network or host or, in the case of reachable name servers, the fully qualified network or hostname.
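As an added example (not from the manual), the following Python code parses entries in the format shown above, the destination, gateway, netmask and device columns of /etc/sysconfig/network/routes, and produces the ip route commands that would install them. The sample file content is constructed here. The strict network check reports a destination whose host bits do not fit its netmask instead of passing it on.

```python
"""Parse /etc/sysconfig/network/routes entries and emit equivalent ip route commands.

Added example; the sample file content is constructed and not from the manual.
"""
import ipaddress

# Constructed sample: destination, gateway, netmask, device ('-' = not set).
SAMPLE_ROUTES = """\
# destination    gateway        netmask          device
207.68.156.51    207.68.145.45  255.255.255.255  eth1
192.168.0.0      207.68.156.51  255.255.0.0      eth1
default          192.168.0.1    -                eth0
"""


def parse_routes(text):
    """Yield (destination, gateway, device); destination is CIDR or 'default'.

    ipaddress.ip_network(strict=True) rejects a destination whose host bits
    are set under the given netmask, so 192.168.0.5/255.255.255.0 raises
    ValueError instead of silently becoming a route for a different network.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed route line: {raw!r}")
        dest, gw = fields[0], fields[1]
        mask = fields[2] if len(fields) > 2 else "-"
        dev = fields[3] if len(fields) > 3 else "-"
        gw = None if gw == "-" else str(ipaddress.ip_address(gw))
        dev = None if dev == "-" else dev
        if dest != "default":
            cidr = dest if mask == "-" else f"{dest}/{mask}"
            dest = str(ipaddress.ip_network(cidr, strict=True))
        yield dest, gw, dev


def to_ip_commands(text):
    """Return 'ip route add ...' lines for every entry in text."""
    cmds = []
    for dest, gw, dev in parse_routes(text):
        parts = ["ip", "route", "add", dest]
        if gw:
            parts += ["via", gw]
        if dev:
            parts += ["dev", dev]
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    print("\n".join(to_ip_commands(SAMPLE_ROUTES)))
```

The generated commands are printed, not executed; running them requires root and changes the live routing table without touching the configuration file, exactly as Section 30.7.2 describes for ip.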
Page 610
means of the script modify_resolvconf. If the file /etc/resolv.conf has been temporarily modified by this script, it contains a predefined comment giving in- formation about the service that modified it, the location where the original file has been backed up, and how to turn off the automatic modification mechanism. If /etc/ resolv.conf is modified several times, the file includes modifications in a nested form.
Page 611
/etc/networks
Here, network names are converted to network addresses. The format is similar to that of the hosts file, except the network names precede the addresses. See Example 30.7, “/etc/networks” (page 593).
Example 30.7 /etc/networks
loopback 127.0.0.0
localnet 192.168.0.0
/etc/host.conf
Name resolution—the translation of host and network names via the resolver library—is controlled by this file.
Page 612
trim domainname The specified domain name is separated from the hostname after hostname resolution (as long as the hostname includes the domain name). This option is useful if only names from the local domain are in the /etc/hosts file, but should still be recognized with the attached domain names.
Page 613
The “databases” available over NSS are listed in Table 30.7, “Databases Available via /etc/nsswitch.conf” (page 595). In addition, automount, bootparams, netmasks, and publickey are expected in the near future. The configuration options for NSS databases are listed in Table 30.8, “Configuration Options for NSS “Databases”” (page 596).
Page 614
Table 30.8 Configuration Options for NSS “Databases” files directly access files, for example, /etc/aliases access via a database nis, nisplus NIS, see also Chapter 35, Using NIS (page 659) can only be used as an extension for hosts and networks compat can only be used as an extension for passwd, shadow, and group...
Page 615
30.7.2 Testing the Configuration Before you write your configuration to the configuration files, you can test it. To set up a test configuration, use the ip command. To test the connection, use the ping command. Older configuration tools, ifconfig and route, are also available. The commands ip, ifconfig, and route change the network configuration directly without saving it in the configuration file.
Page 616
tunnel
This object represents a tunnel over IP.
If no command is given, the default command is used, usually list. Change the state of a device with the command ip link set device_name command. For example, to deactivate device eth0, enter ip link set eth0 down.
Page 617
ping does more than test only the function of the connection between two computers: it also provides some basic information about the quality of the connection. In Exam- ple 30.10, “Output of the Command ping” (page 599), you can see an example of the ping output.
Page 618
NOTE: ifconfig and ip The program ifconfig is obsolete. Use ip instead. Without arguments, ifconfig displays the status of the currently active interfaces. As you can see in Example 30.11, “Output of the ifconfig Command” (page 600), ifconfig has very well-arranged and detailed output. The output also contains information about the MAC address of your device, the value of HWaddr, in the first line.
Page 619
NOTE: route and ip The program route is obsolete. Use ip instead. route is especially useful if you need quick and comprehensible information about your routing configuration to determine problems with routing. To view your current routing configuration, enter route -n as root. Example 30.12 Output of the route -n Command route -n Kernel IP routing table...
can start vsftpd whenever an FTP connection is initiated.
/etc/init.d/portmap Starts the portmapper needed for the RPC server, such as an NFS server.
/etc/init.d/nfsserver Starts the NFS server.
/etc/init.d/postfix Controls the postfix process.
/etc/init.d/ypserv Starts the NIS server.
/etc/init.d/ypbind Starts the NIS client.
Page 621
30.8.1 Configuring smpppd The connections provided by smpppd are automatically configured by YaST. The actual dial-up programs KInternet and cinternet are also preconfigured. Manual settings are only required to configure additional features of smpppd, such as remote control. The configuration file of smpppd is /etc/smpppd.conf. By default, it does not enable remote control.
Page 622
30.8.2 Configuring KInternet, cinternet, and qinternet for Remote Use KInternet, cinternet, and qinternet can be used to control a local or remote smpppd. cinternet is the command-line counterpart of the graphical KInternet. qinternet is basi- cally the same as KInternet, but does not use the KDE libraries, so it can be used without KDE and must be installed separately.
SLP Services in the Network The service location protocol (SLP) was developed to simplify the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network.
rcslpd start as root to start it and rcslpd stop to stop it. Perform a restart or status check with restart or status. If slpd should be active by default, enable slpd in YaST System > System Services (Runlevel) or run the insserv slpd command once as root.
linuxrc starts an SLP inquiry after the system has booted from the selected boot medium and displays the sources found. 31.4 Providing Services with SLP Many applications in SUSE Linux Enterprise already have integrated SLP support through the use of the libslp library. If a service has not been compiled with SLP support, use one of the following methods to make it available with SLP: Static Registration with /etc/slp.reg.d Create a separate registration file for each new service.
TIP: YaST and SLP Some services brokered by YaST, such as an installation server or YOU server, perform this registration automatically when you activate SLP in the module dialogs. YaST then creates registration files for these services. Static Registration with /etc/slp.reg The only difference from the procedure with /etc/slp.reg.d is the grouping of all services within a central file.
Time Synchronization with NTP
The NTP (network time protocol) mechanism is a protocol for synchronizing the system time over the network. First, a machine can obtain the time from a server that is a reliable time source. Second, a machine can itself act as a time source for other computers in the network.
Page 628
firewall-protected system, the advanced configuration can open the required ports in SuSEfirewall2. 32.1.1 Quick NTP Client Configuration The quick NTP client configuration (Network Services > NTP Configuration) consists of two dialogs. Set the start mode of xntpd and the server to query in the first dialog. To start xntpd automatically when the system is booted, click During Boot.
Page 629
dialog, test the availability of the selected server with Test and quit the dialog with Finish. 32.1.2 Advanced NTP Client Configuration The advanced configuration of an NTP client can be accessed under Advanced Confi- guration from the main dialog of the NTP Configuration module, shown in Figure 32.1, “YaST: Configuring an NTP Client”...
Page 630
The servers and other time sources for the client to query are listed in the lower part. Modify this list as needed with Add, Edit, and Delete. Display Log provides the possi- bility to view the log files of your client. Click Add to add a new source of time information.
32.2 Configuring xntp in the Network The easiest way to use a time server in the network is to set server parameters. For ex- ample, if a time server called ntp.example.com is reachable from the network, add its name to the file /etc/ntp.conf by adding the following line: server ntp.example.com To add more time servers, insert additional lines with the keyword server.
Page 632
127.127.t.u. Here, t stands for the type of the clock and determines which driver is used and u for the unit, which determines the interface used. Normally, the individual drivers have special parameters that describe configuration details. The file /usr/share/doc/packages/xntp-doc/drivers/driverNN .html (where NN is the number of the driver) provides information about the particular type of clock.
The Domain Name System DNS (domain name system) is needed to resolve the domain names and hostnames into IP addresses. In this way, the IP address 192.168.0.1 is assigned to the hostname earth, for example. Before setting up your own name server, read the general information about DNS in Section 30.3, “Name Resolution”...
(not expired) zone data. If the slave cannot obtain a new copy of the zone data, it stops responding for the zone. Forwarder Forwarders are DNS servers to which your DNS server should send queries it cannot answer. Record The record is information about name and IP address. Supported records and their syntax are described in BIND documentation.
Page 635
1 When starting the module for the first time, the Forwarder Settings dialog, shown in Figure 33.1, “DNS Server Installation: Forwarder Settings” (page 617), opens. In it, decide whether the PPP daemon should provide a list of forwarders on dial- up via DSL or ISDN (PPP Daemon Sets Forwarders) or whether you want to supply your own list (Set Forwarders Manually).
Page 636
Figure 33.2 DNS Server Installation: DNS Zones 3 In the final dialog, you can open the DNS port in the firewall by clicking Open Port in Firewall. Then decide whether or not the DNS server should be started (On or Off). You can also activate LDAP support. See Figure 33.3, “DNS Server Installation: Finish Wizard”...
Page 637
Figure 33.3 DNS Server Installation: Finish Wizard 33.2.2 Expert Configuration After starting the module, YaST opens a window displaying several configuration op- tions. Completing it results in a DNS server configuration with the basic functions in place: Starting the DNS Server Under Service Start, define whether the DNS server should be started when the system boots (during booting the system) or manually.
Page 638
DNS Server: Basic Options In this section, set basic server options. From the Option menu, select the desired item then specify the value in the corresponding entry field. Include the new entry by selecting Add. Logging To set what the DNS server should log and how, select Logging. Under Log Type, specify where the DNS server should write the log data.
Page 639
Using ACLs Use this window to define ACLs (access control lists) to enforce access restrictions. After providing a distinct name under Name, specify an IP address (with or without netmask) under Value in the following fashion: { 10.10/16; } The syntax of the configuration file requires that the address ends with a semicolon and is put into curly braces.
Page 640
Figure 33.5 DNS Server: Slave Zone Editor Adding a Master Zone To add a master zone, select DNS Zones, choose the zone type Master, write the name of the new zone, and click Add. Editing a Master Zone To edit a master zone, select DNS Zones, choose the zone type Master, select the master zone from the table, and click Edit.
Page 641
Figure 33.6 DNS Server: Zone Editor (Basic) Zone Editor (NS Records) This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under Name Server to Add then confirm with Add.
Page 642
Figure 33.7 DNS Server: Zone Editor (NS Records) Zone Editor (MX Records) To add a mail server for the current zone to the existing list, enter the corresponding address and priority value. After doing so, confirm by selecting Add. See Fig- ure 33.8, “DNS Server: Zone Editor (MX Records)”...
Page 643
Figure 33.8 DNS Server: Zone Editor (MX Records) Zone Editor (SOA) This page allows you to create SOA (start of authority) records. For an explanation of the individual options, refer to Example 33.6, “File /var/lib/named/world.zone” (page 633). Changing SOA records is not supported for dynamic zones managed via LDAP.
Figure 33.9 DNS Server: Zone Editor (SOA) Zone Editor (Records) This dialog manages name resolution. In Record Key, enter the hostname then select its type. A-Record represents the main entry. The value for this should be an IP address. CNAME is an alias. Use the types NS and MX for detailed or partial records that expand on the information provided in the NS Records and MX Records tabs.
Page 645
a proper DNS. A simple example of this is included in the documentation in /usr/ share/doc/packages/bind/config. TIP: Automatic Adaptation of the Name Server Information Depending on the type of Internet connection or the network connection, the name server information can automatically be adapted to the current conditions. To do this, set the variable MODIFY_NAMED_CONF_DYNAMICALLY in the file /etc/sysconfig/network/config to yes.
Example 33.1 Forwarding Options in named.conf
options {
        directory "/var/lib/named";
        forwarders { 10.11.12.13; 10.11.12.14; };
        listen-on { 127.0.0.1; 192.168.0.99; };
        allow-query { 127/8; 192.168.0/24; };
        notify no;
};
The options entry is followed by entries for the zones localhost and 0.0.127.in-addr.arpa and for the root zone ".". The type hint entry under “.” should always be present.
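The address lists in allow-query above and in the Using ACLs dialog of the expert configuration use BIND's own abbreviated notation (10.10/16, 127/8, 192.168.0/24), which ordinary CIDR parsers do not accept. The following Python code is an added example, not from the manual: it expands such lists, tests whether a client address is matched, and flags a list that admits every source, which in allow-query would turn the server into an open resolver. Only literal prefixes and the keywords any and none are handled; negation and named ACLs are not.

```python
"""Expand BIND address-match lists such as { 127/8; 192.168.0/24; } and test clients.

Added example; handles literal prefixes and the keywords any/none only.
"""
import ipaddress

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def expand_bind_prefix(entry):
    """Return an ip_network for one element, accepting BIND's short IPv4 form.

    BIND lets trailing IPv4 octets be omitted: '10.10/16' is 10.10.0.0/16 and
    '127/8' is 127.0.0.0/8. An element without '/len' is a single host.
    """
    entry = entry.strip().rstrip(";").strip()
    addr, _, length = entry.partition("/")
    if ":" in addr:
        return ipaddress.ip_network(f"{addr}/{length or 128}", strict=True)
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad IPv4 element: {entry!r}")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{length or 32}", strict=True)


def parse_acl(text):
    """Parse '{ a; b; }' (or 'a; b;') into a list of networks."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    nets = []
    for element in (e.strip() for e in body.split(";")):
        if not element or element == "none":
            continue
        if element == "any":
            nets.extend(ANY)
        else:
            nets.append(expand_bind_prefix(element))
    return nets


def acl_allows(acl_text, client):
    """True if client (an IP address string) matches the address-match list."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in parse_acl(acl_text))


def is_open_to_world(acl_text):
    """True if the list admits every source, e.g. allow-query { any; }."""
    return any(net.prefixlen == 0 for net in parse_acl(acl_text))


if __name__ == "__main__":
    acl = "{ 127/8; 192.168.0/24; }"
    for client in ("127.0.0.1", "192.168.0.42", "192.168.1.42"):
        print(client, acl_allows(acl, client))
    print("open:", is_open_to_world(acl), is_open_to_world("{ any; }"))
```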
Page 647
Example 33.2 A Basic /etc/named.conf
options {
        directory "/var/lib/named";
        forwarders { 10.0.0.1; };
        notify no;
};

zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

zone "." in {
        type hint;
        file "root.hint";
};
33.4.1 Important Configuration Options
directory "filename";...
Page 648
127.0.0.1 to permit requests from the local host. If you omit this entry entirely, all interfaces are used by default. listen-on-v6 port 53 {any; }; Tells BIND on which port it should listen for IPv6 client requests. The only alter- native to any is none.
Page 649
tected at start-up. Otherwise, the interval can be defined in minutes. The default is sixty minutes. notify no; no prevents other name servers from being informed when changes are made to the zone data or when the name server is restarted. 33.4.2 Logging What, how, and where logging takes place can be extensively configured in BIND.
Page 650
Example 33.5 Zone Entry for other-domain.de
zone "other-domain.de" in {
        type slave;
        file "slave/other-domain.zone";
        masters { 10.0.0.1; };
};
The zone options:
type master;
By specifying master, tell BIND that the zone is handled by the local name server. This assumes that a zone file has been created in the correct format.
type slave;...
33.5 Zone Files Two types of zone files are needed. One assigns IP addresses to hostnames and the other does the reverse: it supplies a hostname for an IP address. TIP: Using the Dot in Zone Files The . has an important meaning in the zone files. If hostnames are given without a final ., the zone is appended.
Page 652
• The name of the domain to administer is world.cosmos in the first position. This ends with a ., because otherwise the zone would be appended a second time. Alternatively, @ can be entered here, in which case the zone would be extracted from the corresponding entry in /etc/named.conf.
Page 653
Line 9: The IN NS specifies the name server responsible for this domain. gateway is extended to gateway.world.cosmos because it does not end with a .. There can be several lines like this—one for the primary and one for each secondary name server.
Page 654
pluto AAAA 0 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 pluto AAAA 0 2345:00D2:DA11:0001:1234:5678:9ABC:DEF0 Do not use IPv4 addresses with IPv6 mapping. Line 18: The alias www can be used to address mond (CNAME means canonical name). The pseudodomain in-addr.arpa is used for the reverse lookup of IP addresses into hostnames.
Line 9: Again this line specifies the name server responsible for this zone. This time, however, the name is entered in its complete form with the domain and a . at the end. Lines 11–13: These are the pointer records hinting at the IP addresses on the respective hosts. Only the last part of the IP address is entered at the beginning of the line, without the .
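The dot rules from Section 33.5 and the construction of reverse-zone names described for Lines 9 and 11–13 are easy to get wrong by hand. As an added example that is not part of the manual, the following Python code qualifies names the way BIND does (including the zone appended twice when the final dot is missing) and derives the in-addr.arpa origin and the PTR owner names for an octet-aligned IPv4 network. Function names are choices made here.

```python
"""Name handling in BIND zone files: trailing dot, @, and in-addr.arpa reverse names.

Added example; function names are choices made here, not from the manual.
"""
import ipaddress


def qualify(name, origin):
    """Return the absolute name BIND derives from name inside origin.

    origin must be absolute (end with '.'). A name ending in '.' is taken
    as written, '@' means the origin, anything else gets the origin appended.
    Forgetting the final dot on an absolute name therefore appends the zone twice.
    """
    if not origin.endswith("."):
        raise ValueError("origin must end with '.'")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def reverse_name(ip):
    """Absolute owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_origin(network):
    """Origin of the in-addr.arpa zone for an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8 or net.prefixlen == 0:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def relative_ptr_label(ip, network):
    """The short owner name written at the start of a PTR line, e.g. '1'."""
    net = ipaddress.ip_network(network, strict=True)
    reverse_zone_origin(network)  # rejects networks that are not octet-aligned
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not in {network}")
    host = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host))


if __name__ == "__main__":
    print(qualify("gateway", "world.cosmos."))
    print(qualify("world.cosmos", "world.cosmos."))  # the zone appended twice
    print(reverse_name("192.168.0.1"))
    origin = reverse_zone_origin("192.168.0.0/24")
    print(origin, qualify(relative_ptr_label("192.168.0.1", "192.168.0.0/24"), origin))
```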
Page 656
Generate a TSIG key with the following command (for details, see man dnssec-keygen):
dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2
This creates two files with names similar to these:
Khost1-host2.+157+34265.private
Khost1-host2.+157+34265.key
The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files. To use it for transactions, the second file (Khost1-host2.+157+34265.key) must be transferred to the remote host, preferably in a secure way (using scp, for example). The shared secret is all that authenticates a transaction, so treat both files like a password and keep them readable only by the user the name server runs as. HMAC-MD5 is used in this example; where the installed BIND version supports it, one of the HMAC-SHA algorithms (for example hmac-sha256) is the better choice.
Add TSIG keys for any ACLs (access control lists, not to be confused with file system ACLs) that are defined for IP addresses and address ranges to enable transaction secu- rity. The corresponding entry could look like this: allow-update { key host1-host2. ;}; This topic is discussed in more detail in the BIND Administrator Reference Manual under update-policy.
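The .key file produced above holds the shared secret in a single KEY record. The following Python code is an added example, not from the manual: it reads such a record (constructed here with the sample secret from the text), renders the key stanza both servers need in named.conf, and shows the shared-secret MAC and constant-time verification that TSIG relies on. The HMAC is computed over an arbitrary message, not over the full TSIG signing input defined in RFC 2845, so it illustrates the key handling rather than the wire protocol. The algorithm numbers are BIND's private-use values (157 HMAC-MD5, 161 HMAC-SHA1, 163 HMAC-SHA256).

```python
"""Read the shared secret from a dnssec-keygen .key file and use it as an HMAC key.

Added example. The record below is constructed in the format dnssec-keygen
writes (owner, IN KEY, flags, protocol, algorithm, base64 secret); the HMAC
is over an arbitrary message, not the TSIG signing input of RFC 2845.
"""
import base64
import hashlib
import hmac

# Constructed content of a file such as Khost1-host2.+157+34265.key.
SAMPLE_KEY_FILE = "host1-host2. IN KEY 512 3 157 ejIkuCyyGJwwuN3xAteKgg==\n"

# BIND's private algorithm numbers -> (named.conf algorithm name, hash).
ALGORITHMS = {
    157: ("hmac-md5", hashlib.md5),
    161: ("hmac-sha1", hashlib.sha1),
    163: ("hmac-sha256", hashlib.sha256),
}


def parse_key_file(text):
    """Return (key name, algorithm number, secret bytes) from a KEY record."""
    fields = text.split()
    if len(fields) != 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("not a KEY record as written by dnssec-keygen")
    algorithm = int(fields[5])
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm number {algorithm}")
    return fields[0], algorithm, base64.b64decode(fields[6], validate=True)


def sign(secret, algorithm, message):
    """HMAC of message under the shared secret with the key's hash algorithm."""
    return hmac.new(secret, message, ALGORITHMS[algorithm][1]).digest()


def verify(secret, algorithm, message, mac):
    """Constant-time check, so timing does not reveal how many MAC bytes matched."""
    return hmac.compare_digest(sign(secret, algorithm, message), mac)


def named_conf_key_stanza(name, algorithm, secret):
    """Render the key {} block that both name servers need in named.conf."""
    return (f'key "{name}" {{\n'
            f'\talgorithm {ALGORITHMS[algorithm][0]};\n'
            f'\tsecret "{base64.b64encode(secret).decode()}";\n'
            '};\n')


def roundtrip_ok(text=SAMPLE_KEY_FILE):
    """Parse text, sign a message, and confirm only the untampered message verifies."""
    name, algorithm, secret = parse_key_file(text)
    mac = sign(secret, algorithm, b"zone update")
    stanza = named_conf_key_stanza(name, algorithm, secret)
    return (verify(secret, algorithm, b"zone update", mac)
            and not verify(secret, algorithm, b"zone update!", mac)
            and f'secret "{text.split()[6]}"' in stanza)


if __name__ == "__main__":
    print(named_conf_key_stanza(*parse_key_file(SAMPLE_KEY_FILE)))
    print("roundtrip ok:", roundtrip_ok())
```

Because the secret is symmetric, whoever can read the .key or .private file on either server can sign updates or request zone transfers as that peer; file permissions on both hosts matter as much as the secure transfer.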
DHCP The purpose of the dynamic host configuration protocol (DHCP) is to assign network settings centrally from a server rather than configuring them locally on each and every workstation. A host configured to use DHCP does not have control over its own static address.
uring numerous workstations. Also it is much easier to integrate machines, particularly new machines, into the network, because they can be given an IP address from the pool. Retrieving the appropriate network settings from a DHCP server is especially useful in the case of laptops regularly used in different networks.
Page 661
Interfaces to open the firewall for this interface. See Figure 34.1, “DHCP Server: Card Selection” (page 643). Figure 34.1 DHCP Server: Card Selection Global Settings Use the check box to determine whether your DHCP settings should be automati- cally stored by an LDAP server. In the entry fields, provide the network specifics for all clients the DHCP server should manage.
Page 662
Figure 34.2 DHCP Server: Global Settings Dynamic DHCP In this step, configure how dynamic IP addresses should be assigned to clients. To do so, specify an IP range from which the server can assign addresses to DHCP clients. All these addresses must be covered by the same netmask. Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease.
Page 663
Figure 34.3 DHCP Server: Dynamic DHCP Finishing the Configuration and Setting the Start Mode After the third part of the configuration wizard, a last dialog is shown in which you can define how the DHCP server should be started. Here, specify whether to start the DHCP server automatically when the system is booted or manually when needed (for example, for test purposes).
Page 664
Figure 34.4 DHCP Server: Start-Up Host Management Instead of using dynamic DHCP in the way described in the preceding sections, you can also configure the server to assign addresses in quasi-static fashion. To do so, use the entry fields provided in the lower part to specify a list of the clients to manage in this way.
Page 665
Figure 34.5 DHCP Server: Host Management 34.1.2 Expert Configuration In addition to the configuration method discussed earlier, there is also an expert confi- guration mode that allows you to tweak the DHCP server setup in every detail. Start the expert configuration by selecting Expert Settings in the tree view in the left part of the dialog.
Page 666
Figure 34.6 DHCP Server: Chroot Jail and Declarations Selecting the Declaration Type The Global Options of the DHCP server are made up of a number of declarations. This dialog lets you set the declaration types Subnet, Host, Shared Network, Group, Pool of Addresses, and Class.
Page 667
Figure 34.7 DHCP Server: Selecting a Declaration Type Subnet Configuration This dialog allows you specify a new subnet with its IP address and netmask. In the middle part of the dialog, modify the DHCP server start options for the selected subnet using Add, Edit, and Delete.
Page 668
Figure 34.8 DHCP Server: Configuring Subnets TSIG Key Management If you chose to configure dynamic DNS in the previous dialog, you can now con- figure the key management for a secure zone transfer. Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS (see Fig- ure 34.10, “DHCP Server: Interface Configuration for Dynamic DNS”...
Page 669
Figure 34.9 DHCP Server: TSIG Configuration Dynamic DNS: Interface Configuration You can now activate dynamic DNS for the subnet by selecting Enable Dynamic DNS for This Subnet. After doing so, use the drop-down list to choose the TSIG keys for forward and reverse zones, making sure that keys are the same for the DNS and the DHCP server.
Page 670
Figure 34.10 DHCP Server: Interface Configuration for Dynamic DNS
Network Interface Configuration
To define the interfaces where the DHCP server should listen and to adjust the firewall configuration, select Advanced > Interface Configuration from the expert configuration dialog. From the list of interfaces displayed, select one or more that should be attended by the DHCP server.
Figure 34.11 DHCP Server: Network Interface and Firewall
After completing all configuration steps, close the dialog with OK. The server is now started with its new configuration.
34.2 DHCP Software Packages
Both a DHCP server and DHCP clients are available for SUSE Linux Enterprise. The DHCP server available is dhcpd (published by the Internet Software Consortium).
34.3 The DHCP Server dhcpd
The core of any DHCP system is the dynamic host configuration protocol daemon. This server leases addresses and watches how they are used, according to the settings defined in the configuration file /etc/dhcpd.conf. By changing the parameters and values in this file, a system administrator can influence the program's behavior in numerous ways.

Ideally, configure a name server on your machine or somewhere else in your network before setting up DHCP. That name server should also define a hostname for each dynamic address and vice versa. To learn how to configure your own name server, read Chapter 33, The Domain Name System (page 615).
there were not enough addresses available and the server needed to redistribute them among clients. To identify a client configured with a static address, dhcpd uses the hardware (MAC) address, a fixed 48-bit identifier that is normally globally unique and is written as six colon-separated pairs of hexadecimal digits (for example, 00:00:45:12:EE:F4). Keep in mind that a client can present any hardware address it likes, so a static lease keyed on the MAC address is a convenience for administration, not an authentication of the client.

Control the server's behavior regarding this feature by means of entries in the file /etc/sysconfig/dhcpd. By default, dhcpd runs in a chroot environment, which limits what a compromised daemon can reach on the rest of the system. To run dhcpd without the chroot environment, set the variable DHCPD_RUN_CHROOTED in /etc/sysconfig/dhcpd to “no”; do this only if you have a specific reason. To enable dhcpd to resolve hostnames even from within the chroot environment, some other configuration files must be copied as well: •...
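As an added illustration (not part of the manual and not ISC code), the following Python script parses a dhcpd.conf fragment and checks the static host declarations described above: it validates the hardware address format, reports a MAC address used by two hosts, a fixed-address that lies in no declared subnet, and a fixed-address that collides with a dynamic range. The configuration text, host names and addresses are constructed for the example; the parser assumes flat subnet blocks without nested pool declarations.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment for this example; the host names, MAC
# addresses and networks are illustrative, not taken from a real server.
SAMPLE_DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
}
host printer1 {
    hardware ethernet 00:00:45:12:EE:F4;
    fixed-address 192.168.1.10;
}
host build2 {
    hardware ethernet 00:00:45:12:ee:f4;
    fixed-address 192.168.1.150;
}
host nas {
    hardware ethernet 00:16:3e:ab:cd:ef;
    fixed-address 10.0.0.5;
}
"""

# six octets, written as six colon-separated pairs of hex digits
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", re.I)
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;", re.I)
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}", re.I)
HW_RE = re.compile(r"\bhardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
FIXED_RE = re.compile(r"\bfixed-address\s+(\S+)\s*;")


def parse_dhcpd_conf(text):
    """Return (subnets, hosts): subnets as (network, [(low, high), ...]),
    hosts as (name, mac or None, fixed address or None).
    Assumption: subnet blocks are flat (no nested pool {} declarations)."""
    subnets = []
    for m in SUBNET_RE.finditer(text):
        network = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        body = text[m.end():text.index("}", m.end())]
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in RANGE_RE.findall(body)]
        subnets.append((network, ranges))
    hosts = []
    for m in HOST_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        hw, fixed = HW_RE.search(body), FIXED_RE.search(body)
        hosts.append((name,
                      hw.group(1).lower() if hw else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return subnets, hosts


def check_static_hosts(text):
    """Return a list of problems found in the static host declarations."""
    subnets, hosts = parse_dhcpd_conf(text)
    problems = []
    seen = {}
    for name, mac, ip in hosts:
        if mac is None or not MAC_RE.match(mac):
            problems.append(f"{name}: missing or malformed hardware ethernet address")
            continue
        if mac in seen:
            # two host declarations with one MAC compete for the same lease identity
            problems.append(f"{name}: duplicate MAC {mac} (already used by {seen[mac]})")
        seen[mac] = name
        if ip is None:
            continue
        if not any(ip in net for net, _ in subnets):
            problems.append(f"{name}: fixed-address {ip} is in no declared subnet")
            continue
        for net, ranges in subnets:
            if ip not in net:
                continue
            for lo, hi in ranges:
                # a static address inside a dynamic range will eventually be handed out twice
                if lo <= ip <= hi:
                    problems.append(f"{name}: fixed-address {ip} lies inside dynamic range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for problem in check_static_hosts(SAMPLE_DHCPD_CONF):
        print(problem)
```

Run it against a copy of your own /etc/dhcpd.conf (or the copy inside the chroot) before restarting the daemon; the three findings it reports for the sample are the kinds of mistakes that otherwise only show up as intermittent address conflicts.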
Using NIS As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to users: whatever machines they use, they always find themselves in exactly the same environment.
and set up slave servers in the subnets as described in Section 35.1.2, “Configuring a NIS Slave Server” (page 664). 35.1.1 Configuring a NIS Master Server To configure a NIS master server for your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers, select Install and set up NIS Master Server.
Enter the NIS domain name. 3b Define whether the host should also be a NIS client, enabling users to log in and access data from the NIS server, by selecting This host is also a NIS client. Select Changing of passwords to allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd).
3e Leave this dialog with Next or click Other global settings to make additional settings. Other global settings include changing the source directory of the NIS server (/etc by default). In addition, passwords can be merged here. The setting should be Yes so the files (/etc/passwd, /etc/shadow, and /etc/group) are used to build the user database.
Figure 35.4 NIS Server Maps Setup
7 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. Each entry consists of a netmask followed by a network address (the format YaST writes to /var/yp/securenets); without such a restriction, ypserv hands out its maps, including the password map, to any host that asks. In this case, there should be the following two entries: 255.0.0.0 127.0.0.0...
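To see how these netmask/network pairs are applied, here is an added Python example (not part of the manual or of ypserv) that parses a constructed securenets list, decides whether a given client address would be answered, and flags an entry that opens the server to the whole world. The internal network 192.168.1.0/24 is an assumption made for the example.

```python
import ipaddress

# Constructed /var/yp/securenets content for this example. Each line is a
# netmask followed by a network address; # starts a comment.
SAMPLE_SECURENETS = """
# loopback, as entered in YaST
255.0.0.0       127.0.0.0
# the internal network (illustrative address)
255.255.255.0   192.168.1.0
"""

# An entry like this answers every host on the Internet.
WORLD_OPEN = """
0.0.0.0 0.0.0.0
"""


def parse_securenets(text):
    """Return the networks listed in a securenets file as ip_network objects."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mask, network = line.split()
        # note the order in the file: netmask first, then network address
        nets.append(ipaddress.ip_network(f"{network}/{mask}", strict=False))
    return nets


def client_allowed(text, client_ip):
    """True if ypserv would answer a request coming from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_securenets(text))


def world_open_entries(text):
    """Entries whose netmask is 0.0.0.0, i.e. that grant every host access."""
    return [str(net) for net in parse_securenets(text) if net.prefixlen == 0]


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.1.42", "192.168.2.1"):
        print(client, client_allowed(SAMPLE_SECURENETS, client))
    print("world-open entries:", world_open_entries(WORLD_OPEN))
```

The check in world_open_entries is the one worth running on a real server: a single 0.0.0.0 0.0.0.0 line, sometimes added to "make it work", silently undoes the restriction configured in this dialog.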
Figure 35.5 Setting Request Permissions for a NIS Server 8 Click Finish to save changes and exit the setup. 35.1.2 Configuring a NIS Slave Server To configure additional NIS slave servers in your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 Select Install and set up NIS Slave Server and click Next.
3c Set This host is also a NIS client if you want to enable user logins on this server. 3d Adapt the firewall settings with Open Ports in Firewall. 3e Click Next. 4 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button.
In the expert settings, disable Answer Remote Hosts if you do not want other hosts to be able to query which server your client is using. By checking Broken Server, the client is enabled to receive replies from a server communicating through an unprivileged port. Leave this unchecked unless a particular server requires it: the privileged-port check exists so that an unprivileged process on the server host cannot pose as ypserv, and Broken Server switches that check off. For further information, see man ypbind.
LDAP—A Directory Service The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
• Because write accesses can only be executed in a restricted fashion, a directory service is used to administer mostly unchanging, static information. Data in a conventional database typically changes very often (dynamic data). Phone numbers in a company directory do not change nearly as often as, for example, the figures administered in accounting.

• Mail routing (postfix, sendmail)
• Address books for mail clients, like Mozilla, Evolution, and Outlook
• Administration of zone descriptions for a BIND9 name server
• User authentication with Samba in heterogeneous networks
This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.
leaf These objects sit at the end of a branch and have no subordinate objects. Examples are person, InetOrgPerson, or groupofNames. The top of the directory hierarchy has a root element root. This can contain c (country), dc (domain component), or o (organization) as subordinate elements. The relations within an LDAP directory tree become more evident in the following example, shown in Figure 36.1, “Structure of an LDAP Directory”...
is, however, possible to create custom schemes or to use multiple schemes complementing each other if this is required by the environment in which the LDAP server should operate. Table 36.1, “Commonly Used Object Classes and Attributes” (page 671) offers a small overview of the object classes from core.schema and inetorgperson.schema used in the example, including required attributes and valid attribute values.
Example 36.1 Excerpt from schema.core

    attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
        DESC 'RFC2256: organizational unit this object belongs to'
        SUP name )

    objectclass ( 2.5.6.5 NAME 'organizationalUnit'
        DESC 'RFC2256: an organizational unit'
        SUP top STRUCTURAL
        MUST ou
        MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
              x121Address $ registeredAddress $ destinationIndicator $
              preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
              telephoneNumber...
36.3 Server Configuration with slapd.conf Your installed system contains a complete configuration file for your LDAP server at /etc/openldap/slapd.conf. The single entries are briefly described here and necessary adjustments are explained. Entries prefixed with a hash (#) are inactive. This comment character must be removed to activate them.
Example 36.4 slapd.conf: Access Control

    # Sample Access Control
    #   Allow read access of root DSE
    #   Allow self write access
    #   Allow authenticated users read access
    #   Allow anonymous users to authenticate
    #
    access to dn="" by * read
    access to *
        by self write
        by users read
        by anonymous auth
    #
    # if no access controls are present, the default is:...
• what is a placeholder for the object or attribute to which access is granted. Individual directory branches can be protected explicitly with separate rules. It is also possible to process regions of the directory tree with one rule by using regular expressions.
Scope of Access
    compare   To objects for comparison access
    search    For the employment of search filters
    read      Read access
    write     Write access

slapd compares the access right requested by the client with those granted in slapd.conf. The client is granted access if the rules allow a higher or equal right than the requested one. The directives are evaluated in the order in which they appear in the file: the first access to directive whose what matches the entry is the only one consulted, and within it the first matching by clause determines the granted level. If no by clause of that directive matches, access is denied, as if the directive ended with by * none. Order your rules from the most specific to the most general, or a broad rule early in the file will shadow the specific ones below it.
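The evaluation order described above can be made concrete with a small evaluator. The following Python code is an added example, not part of the manual and not OpenLDAP code: it applies the rules of Example 36.4 to a bind DN, a target DN and a requested access level the way slapd does (first matching access to directive, first matching by clause within it, implicit by * none), with only the *, dn="", dn.subtree=, anonymous, users and self forms implemented. Real slapd additionally supports regex and other dn styles, filters and attribute lists. The DN cn=Tux Linux,ou=devel,dc=example,dc=com is the one used later in this chapter.

```python
import re

# access levels in increasing order; a granted level covers every lower one
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# the access directives of Example 36.4 (the SLES slapd.conf sample)
SAMPLE_ACL = """
access to dn="" by * read
access to *
    by self write
    by users read
    by anonymous auth
"""

WHAT_RE = re.compile(r'^dn(?:\.(\w+))?="(.*)"$')


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for stmt in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        tokens = stmt.split()
        clauses, i = [], 1
        # the remaining tokens come in "by <who> <level>" triples
        while i + 2 < len(tokens) and tokens[i] == "by":
            clauses.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        rules.append((tokens[0], clauses))
    return rules


def what_matches(what, target_dn):
    """Simplified <what> matching: '*', dn="<exact DN>" or dn.subtree="<suffix>".
    Assumption of this toy: a bare dn= is treated as an exact match."""
    if what == "*":
        return True
    m = WHAT_RE.match(what)
    if not m:
        raise ValueError(f"unsupported what clause: {what}")
    style, pattern = m.group(1), m.group(2).lower()
    target = target_dn.lower()
    if style in (None, "exact", "base"):
        return target == pattern
    if style == "subtree":
        return target == pattern or target.endswith("," + pattern)
    raise ValueError(f"unsupported dn style: {style}")


def who_matches(who, bind_dn, target_dn):
    """<who> forms used in the sample: *, anonymous, users, self."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported who clause: {who}")


def granted_level(acl_text, bind_dn, target_dn):
    """Level slapd grants: the first directive whose what matches is decisive;
    inside it the first matching by clause wins; no match means by * none."""
    for what, clauses in parse_acl(acl_text):
        if not what_matches(what, target_dn):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    # not reached with the sample rules, because "access to *" matches everything
    return "none"


def access_allowed(acl_text, bind_dn, target_dn, requested):
    """True if the granted level is equal to or higher than the requested one."""
    granted = granted_level(acl_text, bind_dn, target_dn)
    return LEVELS.index(granted) >= LEVELS.index(requested)


if __name__ == "__main__":
    tux = "cn=Tux Linux,ou=devel,dc=example,dc=com"
    print("anonymous read of root DSE:", access_allowed(SAMPLE_ACL, None, "", "read"))
    print("anonymous read of Tux's entry:", access_allowed(SAMPLE_ACL, None, tux, "read"))
    print("Tux writes own entry:", access_allowed(SAMPLE_ACL, tux, tux, "write"))
```

Swapping the two directives of the sample is the classic mistake: with access to * first, the dn="" directive is never reached, which the evaluator shows immediately.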
Apart from the possibility to administer access permissions with the central server configuration file (slapd.conf), there is access control information (ACI). ACI allows storage of the access information for individual objects within the LDAP tree. This type of access control is not yet common and is still considered experimental by the developers; see http://www.openldap.org/faq/data/cache/758.html.
rootdn determines who owns administrator rights to this server. The user declared here does not need to have an LDAP entry or exist as a regular user; the rootdn is not subject to any access directive, so treat its credentials like the root password. rootpw sets the administrator password. Instead of using secret here, it is possible to enter the hash of the administrator password created by slappasswd. Do so in any real installation: never leave a cleartext password in slapd.conf, and keep the file readable only by root and the account slapd runs as. The directory directive indicates the directory in the file system where the database directories are stored on the server.
The YaST runlevel editor, described in Section 20.2.3, “Configuring System Services (Runlevel) with YaST” (page 400), can be used to have the server started and stopped automatically on boot and halt of the system. It is also possible to create the corresponding links to the start and stop scripts with the insserv command from a command prompt as described in Section 20.2.2, “Init Scripts”...
Example 36.7 Example for an LDIF File

    # The Organization
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    o: Example
    dc: example

    # The organizational unit development (devel)
    dn: ou=devel,dc=example,dc=com
    objectClass: organizationalUnit
    ou: devel

    # The organizational unit documentation (doc)
    dn: ou=doc,dc=example,dc=com
    objectClass: organizationalUnit
    ou: doc

    # The organizational unit internal IT (it)
Example 36.8 ldapadd with example.ldif

    ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif
    Enter LDAP password:
    adding new entry "dc=example,dc=com"
    adding new entry "ou=devel,dc=example,dc=com"
    adding new entry "ou=doc,dc=example,dc=com"
    adding new entry "ou=it,dc=example,dc=com"

The option -x selects a simple bind, which sends the administrator password to the server in the clear; on any connection other than one to localhost, combine it with TLS (an ldaps:// URI or the -ZZ option for StartTLS) so that the bind is encrypted. The user data of individuals can be prepared in separate LDIF files. Example 36.9, “LDIF Data for Tux”...
Example 36.10 Modified LDIF File tux.ldif

    # coworker Tux
    dn: cn=Tux Linux,ou=devel,dc=example,dc=com
    changetype: modify
    replace: telephoneNumber
    telephoneNumber: +49 1234 567-10

Import the modified file into the LDAP directory with the following command:

    ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif

Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below:
1 Start ldapmodify and enter your password:

    ldapmodify -x -D cn=Administrator,dc=example,dc=com -W...
The -b option determines the search base—the section of the tree within which the search should be performed. In the current case, this is dc=example,dc=com. To perform a more finely-grained search in specific subsections of the LDAP directory (for example, only within the devel department), pass this section to ldapsearch with -b.
Figure 36.2 YaST LDAP Server Configuration To set up an LDAP server for user account data, proceed as follows: 1 Log in as root. 2 Start YaST and select Network Services > LDAP Server. 3 Set LDAP to be started at system boot. 4 If the LDAP server should announce its services via SLP, check Register at an SLP Daemon.
2 With Log Level Settings, configure the degree of logging activity (verbosity) of the LDAP server. From the predefined list, select or deselect the logging options according to your needs. The more options are enabled, the larger your log files grow.
To configure the databases managed by your LDAP server, proceed as follows: 1 Select the Databases item in the left part of the dialog. 2 Click Add Database to add the new database. 3 Enter the requested data: Base DN Enter the base DN of your LDAP server.
WARNING: Locked Accounts in Security Sensitive Environments Do not use the Disclose Account Locked Status option if your environ- ment is sensitive to security issues, because the “Locked Account” error message provides security sensitive information that can be exploited by a potential attacker. 4d Enter the DN of the default policy object.
3b Determine the time between a password expiration warning and the actual password expiration. 3c Set the number of grace uses of an expired password before the password expires entirely. 4 Configure the lockout policies: 4a Enable password locking. 4b Determine the number of bind failures that trigger a password lock. 4c Determine the duration of the password lock.
36.6.1 Standard Procedure Background knowledge of the processes acting in the background of a client machine helps you understand how the YaST LDAP client module works. If LDAP is activated for network authentication or the YaST module is called, the packages pam_ldap and nss_ldap are installed and the two corresponding configuration files are adapted.
with the command getent passwd. The returned set should contain a survey of the local users of your system as well as all users stored on the LDAP server. To prevent regular users managed through LDAP from logging in to the server with ssh or login, the files /etc/passwd and /etc/group each need to include an additional line.
Figure 36.3 YaST: Configuration of the LDAP Client To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows: 1 Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
6 Select Start Automounter to mount remote directories on your client, such as a remotely managed /home. 7 Select Create Home Directory on Login to have a user's home automatically created on the first user login. 8 Click Finish to apply your settings. Figure 36.4 YaST: Advanced Configuration To modify data on the server as administrator, click Advanced Configuration.
by crypt are used. For details on this and other options, refer to the pam_ldap man page.
1c Specify the LDAP group to use with Group Member Attribute. The default value for this is member.
2 In Administration Settings, adjust the following settings:
2a Set the base for storing your user management data via Configuration Base.
2b Enter the appropriate value for Administrator DN.
Configuring the YaST Group and User Administration Modules Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory.
2 Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current schema but currently not used.
Figure 36.6 YaST: Configuration of an Object Template Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template. The default values for an attribute can be created from other attributes by using a variable instead of an absolute value.
36.7 Configuring LDAP Users and Groups in YaST The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following brief instructions relate to the administration of users. The procedure for administering groups is analogous. 1 Access the YaST user administration with Security &...
Figure 36.7 YaST: Additional LDAP Settings
The initial input form of user administration offers LDAP Options. This gives the possibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.
36.8 Browsing the LDAP Directory Tree To browse the LDAP directory tree and all its entries conveniently, use the YaST LDAP Browser: 1 Log in as root. 2 Start YaST > Network Services > LDAP Browser. 3 Enter the address of the LDAP server, the AdministratorDN, and the password for the RootDN of this server if you need both to read and write the data stored on the server.
4 To view any of the entries in detail, select it in the LDAP Tree view and open the Entry Data tab. All attributes and values associated with this entry are displayed. Figure 36.9 Browsing the Entry Data 5 To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the RootDN password when prompted.
OpenLDAP Faq-O-Matic
A very rich question and answer collection concerning installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html.
Quick Start Guide
Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin22/quickstart.html or on an installed system in /usr/share/doc/packages/openldap2/admin-guide/quickstart.html.
Samba
Using Samba, a Unix machine can be configured as a file and print server for DOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or the configuration file.
NetBIOS is a session-layer interface, not a transport, and it can be carried over several protocols. The implementation that works relatively closely with network hardware is called NetBEUI, which is often, imprecisely, referred to as NetBIOS itself. NetBIOS can also be carried over IPX from Novell and over TCP/IP (NetBIOS over TCP/IP, NBT); the latter is what Samba implements. The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS.
37.2 Starting and Stopping Samba You can start or stop the Samba server automatically during boot or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 37.3.1, “Configuring a Samba Server with YaST” (page 705). To stop or start running Samba services with YaST, use System >...
Advanced Samba Configuration with YaST
The first time you start the Samba Server module, the Samba Server Configuration dialog appears directly after the Samba Server Installation dialog. Use it to adjust your Samba server configuration. After editing your configuration, click Finish to close the configuration.
Starting the Server
In the Start Up tab, configure the start of the Samba server.
Using LDAP In the tab LDAP Settings, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click Test Connection. To set expert LDAP settings or use default values, click Advanced Settings. Find more information about LDAP configuration in Chapter 36, LDAP—A Directory Service (page 667).
The global Section
The following parameters of the [global] section need some adjustment to match the requirements of your network setup so other machines can access your Samba server via SMB in a Windows environment.

    workgroup = TUX-NET

This line assigns the Samba server to a workgroup. Replace TUX-NET with an appropriate workgroup of your networking environment.
server and wins support must never be enabled at the same time in your smb.conf file. Shares The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients. [cdrom] To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case).
Example 37.2 homes Share

    [homes]
        comment = Home Directories
        valid users = %S
        browseable = No
        read only = No
        create mask = 0640
        directory mask = 0750

[homes]
As long as there is no other share using the share name of the user connecting to the SMB server, a share is dynamically generated using the [homes] share directives.
Security Levels
To improve security, each share access can be protected with a password. SMB has three possible ways of checking the permissions:
Share Level Security (security = share)
A password is firmly assigned to a share. Everyone who knows this password has access to that share. Because the password is not tied to a user account, share-level security gives no per-user accountability; prefer user-level security (security = user, the Samba 3 default) unless you must serve legacy clients that cannot authenticate as users.
Membership. Click Browse to display all available groups and domains, which can be selected with the mouse. If you activate Also Use SMB Information for Linux Authentication, the user authentication runs over the Samba server. After completing all settings, click Finish to finish the configuration.
    encrypt passwords = yes

in the [global] section enables this (with Samba version 3, this is now the default). In addition, it is necessary to prepare user accounts and passwords in an encryption format that conforms with Windows. Do this with the command smbpasswd -a name.
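As an added example (not the manual's own smb.conf and not Samba code), the following Python audit reads a constructed smb.conf and reports the settings discussed in this section: security = share, encrypt passwords = no, wins support set together with wins server, and shares that guest users can write to. The [public] share and the address 192.168.1.5 are assumptions made for the example; smb.conf is ini-like, so the standard configparser is enough to read it as long as %-macros are left unexpanded.

```python
import configparser

# Constructed smb.conf for this example: it deliberately contains the weak
# settings discussed in this section so that the audit has something to report.
SAMPLE_SMB_CONF = """
[global]
workgroup = TUX-NET
security = share
encrypt passwords = no
wins support = yes
wins server = 192.168.1.5

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
create mask = 0640
directory mask = 0750

[public]
path = /srv/public
guest ok = yes
writeable = yes
"""

TRUE_WORDS = ("yes", "true", "1")


def load_smb_conf(text):
    """smb.conf keys are case-insensitive and %-macros must not be expanded,
    so use RawConfigParser (no interpolation) with a lowercasing key transform."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = lambda key: key.strip().lower()
    cp.read_string(text)
    return cp


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def audit_smb_conf(text):
    """Return a list of findings for settings an administrator should not ship."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("security", "user").strip().lower() == "share":
        findings.append("global: security = share gives no per-user accountability; "
                        "use security = user (the Samba 3 default), domain or ads")
    if not is_true(g.get("encrypt passwords", "yes")):
        findings.append("global: encrypt passwords = no makes clients send "
                        "plaintext passwords over the network")
    if is_true(g.get("wins support", "no")) and g.get("wins server"):
        findings.append("global: wins support and wins server are both set; "
                        "a host is either a WINS server or a WINS client, never both")
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        # 'public' is the smb.conf synonym for 'guest ok'
        guest = is_true(s.get("guest ok", "no")) or is_true(s.get("public", "no"))
        writable = (is_true(s.get("writeable", s.get("writable", "no")))
                    or not is_true(s.get("read only", "yes")))
        if guest and writable:
            findings.append(f"{share}: anonymous (guest) users may write to this share")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Run it on /etc/samba/smb.conf after every YaST or SWAT change; the [homes] share passes because it is writable only for the authenticated owner (valid users = %S), while [public] is reported.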
authentication system. Because Samba can cooperate with an Active Directory domain, you can join your SUSE Linux Enterprise Server to Active Directory (AD). Join an existing AD domain during installation or by later activating SMB user authentication with YaST in the installed system. Domain join during installation is covered in Section 3.14.7, “Users”...
6 Provide the password for the Windows Administrator on the AD server and click
Figure 37.2 Providing Administrator Credentials
Your server is now set up to pull in all authentication data from the Active Directory domain controller.
37.7 Migrating a Windows NT Server to Samba
Apart from the Samba and LDAP configuration, the migration of a Windows NT server to a SUSE Linux Enterprise Server Samba server consists of two basic steps.
NOTE: LDAP and Security
The LDAP administration DN should be an account other than the Root DN. To make the network more secure, you can also use a secure connection with TLS.
37.7.2 Preparing the Samba Server
Before you start migration, configure your Samba server. Find configuration of profile, netlogon, and home shares in the Shares tab of the YaST Samba Server module.
37.7.4 Migrating the Windows Accounts
Procedure 37.2 The Account Migration Process
1 Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager. Samba must not be running.

    net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
    net rpc vampire -S NT4PDC -U administrator%passwd
    pdbedit -L

Passing the password as -U user%password exposes it in the process list and in the shell history; in practice, give only -U Administrator and let net prompt for the password.
2 Assign each of the UNIX groups to NT groups:...
The Samba HOWTO Collection provided by the Samba team includes a section about troubleshooting. In addition to that, Part V of the document provides a step-by-step guide to checking your configuration. You can find Samba HOWTO Collection in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf after installing the package samba-doc. Find detailed information about LDAP and migration from Windows NT or 2000 in /usr/share/doc/packages/samba/examples/LDAP/ smbldap-tools-*/doc, where * is your smbldap-tools version.
Sharing File Systems with NFS Distributing and sharing file systems over a network is a common task in corporate environments. NFS is a proven system that also works together with the yellow pages protocol NIS. For a more secure protocol that works together with LDAP and may also be kerberized, check NFSv4.
NFS server software is not part of the default installation. To install the NFS server software, start YaST and select Software > Software Management. Now choose Filter > Patterns and select Misc. Server or use the Search option and search for NFS Server.
Figure 38.1 NFS Client Configuration with YaST
38.3 Importing File Systems Manually
File systems can also be imported manually from an NFS server. The prerequisite for this is a running RPC port mapper, which can be started by entering rcportmap start as root.
38.3.1 Importing NFSv4 File Systems
The idmapd service must be up and running on the client to do an NFSv4 import. Start the idmapd service from the command prompt with rcidmapd start. Use rcidmapd status to check the status of idmapd. The idmapd service stores its parameters in the /etc/idmapd.conf file.
    localdata  -fstype=nfs   server1:/data
    nfs4mount  -fstype=nfs4  server2:/

Activate the settings with rcautofs start. For this example, /nfsmounts/localdata, the /data directory of server1, is then mounted with NFS and /nfsmounts/nfs4mount from server2 is mounted with NFSv4. If the /etc/auto.master file is edited while the service autofs is running, the automounter must be restarted for the changes to take effect.
Figure 38.2 NFS Server Configuration Tool
Next, activate Start NFS Server and enter the NFSv4 domain name. Click Enable GSS Security if you need secure access to the server. A prerequisite for this is to have Kerberos installed in your domain and both the server and the clients are kerberized.
Figure 38.3 Configuring an NFS Server with YaST
IMPORTANT: Automatic Firewall Configuration
If a firewall is active on your system (SuSEfirewall2), YaST adapts its configuration for the NFS server by enabling the nfs service when Open Ports in Firewall is selected.
Click Next. The dialog that follows has two sections. The upper half consists of two columns named Directories and Bind mount targets. Directories is a directly editable column that lists the directories to export. For a fixed set of clients, there are two types of directories that can be exported: directories that act as pseudo root file systems and those that are bound to some subdirectory of the pseudo file system.
to configure the directory as pseudo root. If this directory should be bound to another directory under an already configured pseudo root, make sure that a target bind path is given in the option list with bind=/target/path. For example, suppose that the directory /exports is chosen as the pseudo root directory for all the clients that can access the server.
Figure 38.5 Exporting Directories with NFSv2 and v3
38.4.3 Coexisting v3 and v4 Exports
Both NFSv3 and NFSv4 exports can coexist on a server. After enabling the support for NFSv4 in the initial configuration dialog, those exports for which fsid=0 and bind=/target/path are not included in the option list are considered v3 exports.
38.5 Exporting File Systems Manually
The configuration files for the NFS export service are /etc/exports and /etc/sysconfig/nfs. In addition to these files, /etc/idmapd.conf is needed for the NFSv4 server configuration. To start or restart the services, run the commands rcnfsserver restart and rcidmapd restart.
• Directories that are chosen to be bound to an existing subdirectory of the pseudo file system. In the example entries above, /data is such a directory that binds to an existing subdirectory (/export/data) of the pseudo file system /export.
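To make the classification of /etc/exports entries concrete, here is an added Python example (not part of the manual and not part of nfs-utils): it parses a constructed /etc/exports laid out as described above, sorts the entries into pseudo root (fsid=0), bind mounts (bind=) and plain v3 exports, and then flags the options that matter most when reviewing an export list: an rw export to every host (*), no_root_squash, and a bind target outside every pseudo root. The directories /export/public and /srv/backup and the client network 192.168.1.0/24 are assumptions made for the example.

```python
import re

# Constructed /etc/exports in the NFSv4 layout described above: /export is the
# pseudo root, /data is bound under it, the remaining lines are plain v3 exports.
SAMPLE_EXPORTS = """
/export         192.168.1.0/24(rw,fsid=0,sync,no_subtree_check,crossmnt)
/data           192.168.1.0/24(rw,bind=/export/data,sync,no_subtree_check)
/export/public  *(ro,sync,no_subtree_check)
/srv/backup     *(rw,no_root_squash,sync)
"""

# one client specification: "host(options)" or a bare "host"
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return [(directory, client, {option: value})]; value is '' for flag options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directory = parts[0]
        # an entry without a client list exports the directory to every host
        clients = parts[1] if len(parts) > 1 else "*"
        for m in CLIENT_RE.finditer(clients):
            client = m.group(3) or m.group(1)
            options = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                options[key.strip()] = value.strip()
            entries.append((directory, client, options))
    return entries


def nfsv4_layout(entries):
    """Split the entries the way Section 38.4.3 describes them."""
    layout = {"pseudo_roots": [], "binds": [], "v3": []}
    for directory, client, options in entries:
        if options.get("fsid") == "0":
            layout["pseudo_roots"].append(directory)
        elif "bind" in options:
            layout["binds"].append((directory, options["bind"]))
        else:
            layout["v3"].append(directory)
    return layout


def audit_exports(text):
    """Return review findings for the export list."""
    entries = parse_exports(text)
    roots = nfsv4_layout(entries)["pseudo_roots"]
    findings = []
    for directory, client, options in entries:
        if client == "*" and "rw" in options:
            findings.append(f"{directory}: writable by every host (*)")
        if "no_root_squash" in options:
            findings.append(f"{directory}: no_root_squash lets a remote root act as local root")
        if "bind" in options and not any(
                options["bind"].startswith(root.rstrip("/") + "/") for root in roots):
            findings.append(f"{directory}: bind target {options['bind']} is outside every fsid=0 pseudo root")
    return findings


if __name__ == "__main__":
    print(nfsv4_layout(parse_exports(SAMPLE_EXPORTS)))
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

For the sample, only /srv/backup is reported (twice): it is the kind of "temporary" backup export that tends to survive into production.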
Do not change these parameters unless you are sure of what you are doing. For further reference, read the man page of idmapd and idmapd.conf; man idmapd, man idmapd.conf . Starting and Stopping Services After changing /etc/exports or /etc/sysconfig/nfs, start or restart the NFS server service with rcnfsserver restart.
38.6 NFS with Kerberos
To use Kerberos authentication for NFS, GSS security must be enabled. To do so, select Enable GSS Security in the initial YaST dialog. Additionally complete the following steps:
• Make sure that both the server and the client are in the same Kerberos realm (domain). This means that they use the same KDC (Key Distribution Center) and that each machine holds, in its own krb5.keytab file (the default location on any machine is /etc/krb5.keytab), a key for the nfs/ service principal issued for it by that KDC. A keytab is a long-term secret; never copy one machine's keytab to another.
File Synchronization Today, many people use several computers—one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files and subsequently have the latest version of the data available on all computers.
WARNING: Risk of Data Loss Before you start managing your data with a synchronization system, you should be well acquainted with the program used and test its functionality. A backup is indispensable for important files. The time-consuming and error-prone task of manually synchronizing data can be avoided by using one of the programs that use various methods to automate this job.
39.2 Determining Factors for Selecting a Program There are some important factors to consider when deciding which program to use. 39.2.1 Client-Server versus Peer-to-Peer Two different models are commonly used for distributing data. In the first model, all clients synchronize their files with a central server. The server must be accessible by all clients at least occasionally.
There is no conflict handling in rsync. The user is responsible for not accidentally overwriting files and manually resolving all possible conflicts. To be on safe side, a versioning system like RCS can be additionally employed. 39.2.5 Selecting and Adding Files In CVS, new directories and files must be added explicitly using the command cvs add.
39.2.9 User Friendliness rsync is rather easy to use and is also suitable for newcomers. CVS is somewhat more difficult to operate. Users should understand the interaction between the repository and local data. Changes to the data should first be merged locally with the repository. This is done with the command cvs update.
Table 39.1 (feature comparison of CVS and rsync; only partly recoverable from the page): File Sel.: CVS Sel./file, dir.; rsync Dir. Attacks: CVS + (ssh); rsync + (ssh). The rows History, Hard Disk Space, Difficulty, and Data Loss are not legible here.
39.3 Introduction to CVS
CVS is suitable for synchronization purposes if individual files are edited frequently and are stored in a file format, such as ASCII text or program source text. The use of CVS for synchronizing data in other formats, such as JPEG files, is possible, but leads to large amounts of data, because all variants of a file are stored permanently on the CVS server.
    CVS_RSH=ssh
    CVSROOT=tux@server:/serverdir

The command cvs init can be used to initialize the CVS server from the client side. This needs to be done only once. Finally, the synchronization must be assigned a name. Select or create a directory on the client exclusively to contain files to manage with CVS (the directory can also be empty).
Start the synchronization with the server with cvs update. Update individual files or directories as in cvs update file1 directory1. To see the difference between the current files and the versions stored on the server, use the command cvs diff or cvs diff file1 directory1.
• CVS: http://www.cvshome.org • Rsync: http://www.gnu.org/manual 39.4 Introduction to rsync rsync is useful when large amounts of data need to be transmitted regularly while not changing too much. This is, for example, often the case when creating backups. Another application concerns staging servers. These are servers that store complete directory trees of Web servers that are regularly mirrored onto a Web server in a DMZ.
    gid = nobody
    uid = nobody
    read only = true
    use chroot = no
    transfer logging = true
    log format = %h %o %f %l %b
    log file = /var/log/rsyncd.log

    [FTP]
        path = /srv/ftp
        comment = An Example

Note that use chroot = no switches off the chroot confinement of each module to its path, so a symbolic link inside the module can lead clients outside it; keep the default of use chroot = yes unless you need exactly that behavior. Then start rsyncd with rcrsyncd start. rsyncd can also be started automatically during the boot process.
A technical reference about the operating principles of rsync is featured in /usr/share/doc/packages/rsync/tech_report.ps. Find the latest news about rsync on the project Web site at http://rsync.samba.org/. If you want Subversion or other tools, download the SDK. Find it at http://developer.novell.com/wiki/index.php/SUSE_LINUX_SDK.
File Synchronization...
The Apache HTTP Server
With a share of more than 70%, the Apache HTTP Server (Apache) is the world's most widely-used Web server according to the Survey from http://www.netcraft.com/. Apache, developed by the Apache Software Foundation (http://www.apache.org/), is available for most operating systems. SUSE® Linux Enterprise Server includes Apache version 2.2.
2. The machine's exact system time is maintained by synchronizing with a time server. This is necessary because parts of the HTTP protocol depend on the correct time. See Chapter 32, Time Synchronization with NTP (page 609) to learn more about this topic.
If you have not received error messages when starting Apache, the Web server should be running now. Start a browser and open http://localhost/. You should see an Apache test page starting with “If you can see this, it means that the installation of the Apache Web server software on this system was successful.”...
Page 766
/etc/sysconfig/apache2

/etc/sysconfig/apache2 controls some global settings of Apache, like modules to load, additional configuration files to include, flags with which the server should be started, and flags that should be added to the command line. Every configuration option in this file is extensively documented and therefore not mentioned here. For a general-purpose Web server, the settings in /etc/sysconfig/apache2 should be sufficient for any configuration needs.
Page 767
Apache Configuration Files in /etc/apache2/

charset.conv Specifies which character sets to use for different languages. Do not edit.

conf.d/*.conf Configuration files added by other modules. These configuration files can be included into your virtual host configuration where needed. See vhosts.d/vhost.template for examples.
Page 768
mod_*.conf Configuration files for the modules that are installed by default. Refer to Section 40.4, “Installing, Activating, and Configuring Modules” (page 763) for details. Note that configuration files for optional modules reside in the directory conf.d.

server-tuning.conf Contains configuration directives for the different MPMs (see Section 40.4.4, “Multiprocessing Modules”...
Page 769
Virtual hosts can be configured via YaST (see Section “Virtual Hosts” (page 758)) or by manually editing a configuration file. By default, Apache in SUSE Linux Enterprise Server is prepared for one configuration file per virtual host in /etc/apache2/vhosts.d/. All files in this directory with the extension .conf are automatically included in the configuration.
Page 770
The wildcard * can be used for both the IP address and the port number to receive requests on all interfaces. IPv6 addresses must be enclosed in square brackets.

Example 40.1 Variations of Name-Based VirtualHost Entries
# NameVirtualHost IP-address[:Port]
NameVirtualHost 192.168.3.100:80
NameVirtualHost 192.168.3.100
NameVirtualHost *:80
...
Page 771
IP-Based Virtual Hosts

This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP. The physical server must have one IP address for each IP-based virtual host. If the machine does not have multiple network cards, virtual network interfaces (IP aliasing) can also be used.
Page 772
DocumentRoot Path to the directory from which Apache should serve files for this host. For security reasons, access to the entire file system is forbidden by default, so you must explicitly unlock this directory within a Directory container.

ServerAdmin E-mail address of the server administrator.
Page 773
40.2.2 Configuring Apache with YaST To configure your Web server with YaST, start YaST and select Network Services > HTTP Server. When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make just a few basic decisions concerning administration of the server.
Page 774
Default Host

This option pertains to the default Web server. As explained in Section “Virtual Host Configuration” (page 750), Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host: it also answers requests whose Host header matches none of the other virtual hosts, so its content is what a client sees when it addresses the server by IP address or by an unknown name.
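Because the default host is whatever is declared first, the order of the vhost files matters for what an unknown Host header exposes. The following is an added example, not code from the SUSE manual or from Apache: a simulation of the name-based selection order Apache 2.2 documents (address and port first, an exact IP before the * wildcard, then ServerName and ServerAlias, and finally the first vhost declared for that address as fallback). The vhost list, host names and document roots are constructed for the demonstration, and the simplification leaves out IP-based vhosts and the main server.

```python
"""Select the Apache 2.2 name-based virtual host for an incoming request.

Added example, not from the SUSE manual or from Apache. The vhost list is
constructed; each entry stands for one <VirtualHost addr:port> container,
in file order.
"""
import fnmatch

VHOSTS = [
    {"address": "*", "port": 80, "server_name": "default.example.com",
     "aliases": [], "document_root": "/srv/www/htdocs"},
    {"address": "*", "port": 80, "server_name": "www.example.com",
     "aliases": ["example.com", "*.example.com"],
     "document_root": "/srv/www/www.example.com"},
    {"address": "192.168.3.100", "port": 80, "server_name": "intranet.example.com",
     "aliases": [], "document_root": "/srv/www/intranet"},
]


def address_matches(vhost, local_ip, local_port):
    """Does the container's address:port cover the socket the request arrived on?"""
    ip_ok = vhost["address"] in ("*", local_ip)
    port_ok = vhost["port"] in ("*", local_port)
    return ip_ok and port_ok


def name_matches(pattern, host):
    """ServerName is literal; ServerAlias may contain * and ? wildcards."""
    return fnmatch.fnmatchcase(host, pattern.lower())


def select_vhost(vhosts, local_ip, local_port, host_header):
    """Return the vhost that serves the request, or None if no container listens there."""
    host = host_header.split(":")[0].lower() if host_header else ""
    candidates = [v for v in vhosts if address_matches(v, local_ip, local_port)]
    if not candidates:
        return None
    # The most specific address wins: an exact IP before the * wildcard.
    exact = [v for v in candidates if v["address"] != "*"]
    if exact:
        candidates = exact
    for v in candidates:
        if host == v["server_name"].lower() or any(name_matches(a, host) for a in v["aliases"]):
            return v
    # No ServerName or ServerAlias matched: the first vhost declared for this
    # address answers. Put a deliberately empty catch-all vhost first so an
    # unknown Host header does not land on a real site.
    return candidates[0]


if __name__ == "__main__":
    for hdr in ("www.example.com", "shop.example.com", "unknown.invalid"):
        print(hdr, "->", select_vhost(VHOSTS, "10.0.0.1", 80, hdr)["server_name"])
```

Files in /etc/apache2/vhosts.d/ are included in alphabetical order, so a file named 000-default.conf is a common way to make the catch-all host the first declared one.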
Page 775
The default SUSE Linux Enterprise Alias /icons points to /usr/share/apache2/icons for the Apache icons displayed in the directory index view.

ScriptAlias Similar to the Alias directive, the ScriptAlias directive maps a URL to a file system location. The difference is that ScriptAlias designates the target directory as a CGI location, meaning that CGI scripts should be executed in that location.
Virtual Hosts In this step, the wizard displays a list of already configured virtual hosts (see Section “Virtual Host Configuration” (page 750)). If you have not made manual changes prior to starting the YaST HTTP wizard, no virtual host is present. To add a host, click Add to open a dialog in which to enter basic information about the host.
Figure 40.2 HTTP Server Wizard: Summary HTTP Server Configuration The HTTP Server Configuration dialog also lets you make even more adjustments to the configuration than the wizard (which only runs if you configure your Web server for the first time). It consists of four tabs described in the following. No configuration option you change here is effective immediately—you always must confirm your changes with Finish to make them effective.
also restart or reload the Web server (see Section 40.3, “Starting and Stopping Apache” (page 761) for details). These commands are effective immediately. Figure 40.3 HTTP Server Configuration: Listen Ports and Addresses Server Modules You can change the status (enabled or disabled) of Apache2 modules by clicking Toggle Status.
Figure 40.4 HTTP Server Configuration: Server Modules Main Host or Hosts These dialogs are identical to the ones already described. Refer to Section “Default Host” (page 756) and Section “Virtual Hosts” (page 758). 40.3 Starting and Stopping Apache If configured with YaST (see Section 40.2.2, “Configuring Apache with YaST” (page 755)), Apache is started at boot time in runlevels 3 and 5 and stopped in runlevels 0, 1, 2, and 6.
Page 780
startssl Starts Apache with SSL support if it is not already running. For more information about SSL support, refer to Section 40.6, “Setting Up a Secure Web Server with SSL” (page 773). stop Stops Apache by terminating the parent process. restart Stops then restarts Apache.
server-status and full-server-status Dumps a short or full status screen, respectively. Requires either lynx or w3m installed as well as the module mod_status enabled. In addition to that, status must be added to APACHE_SERVER_FLAGS in the file /etc/sysconfig/apache2.

TIP: Additional Flags If you specify additional flags to rcapache2, these are passed through to the Web server.
External Modules Modules labeled external are not included in the official Apache distribution. SUSE Linux Enterprise Server provides several of them readily available for use.

Multiprocessing Modules MPMs are responsible for accepting and handling requests to the Web server, representing the core of the Web server software.
Page 783
40.4.3 Base and Extension Modules All base and extension modules are described in detail in the Apache documentation. Only a brief description of the most important modules is available here. Refer to http://httpd.apache.org/docs/2.2/mod/ to learn details about each module. mod_actions Provides methods to execute a script whenever a certain MIME type (such as application/pdf), a file with a specific extension (like .rpm), or a certain request method (such as GET) is requested.
Page 784
mod_cgi mod_cgi is needed to execute CGI scripts. This module is enabled by default.

mod_deflate Using this module, Apache can be configured to compress given file types on the fly before delivering them.

mod_dir mod_dir provides the DirectoryIndex directive with which you can configure which files are automatically delivered when a directory is requested (index.html by default).
Page 785
mod_mime The mime module takes care that a file is delivered with the correct MIME header based on the filename's extension (for example text/html for HTML documents). This module is enabled by default.

mod_negotiation Necessary for content negotiation. See http://httpd.apache.org/docs/2.2/content-negotiation.html for more information.
Page 786
mod_userdir Enables user-specific directories available under ~user/. The UserDir directive must be specified in the configuration. This module is enabled by default. 40.4.4 Multiprocessing Modules SUSE Linux Enterprise Server provides two different multiprocessing modules (MPMs) for use with Apache. Prefork MPM The prefork MPM implements a nonthreaded, preforking Web server.
Page 787
Find a list of all external modules shipped with SUSE Linux Enterprise Server here. Find the module's documentation in the listed directory. mod-apparmor Adds support to Apache to provide Novell AppArmor confinement to individual CGI scripts handled by modules like mod_php5 and mod_perl. Package Name: apache2-mod_apparmor More Information: Novell AppArmor Administration Guide (↑Novell AppArmor...
Page 788
mod_python mod_python allows embedding Python within the Apache HTTP server for a considerable boost in performance and added flexibility in designing Web-based applications. Package Name: apache2-mod_python More Information: /usr/share/doc/packages/apache2-mod_python

40.4.6 Compilation

Apache can be extended by advanced users by writing custom modules. To develop modules for Apache or compile third-party modules, the package apache2-devel is required along with the corresponding development tools.
module, -i installs it, and -a activates it). Other options of apxs2 are described in the apxs2(1) man page. 40.5 Getting CGI Scripts to Work Apache's Common Gateway Interface (CGI) lets you create dynamic content with programs or scripts usually referred to as CGI scripts. CGI scripts can be written in any programming language.
Page 790
Example 40.5 VirtualHost CGI Configuration
ScriptAlias /cgi-bin/ "/srv/www/www.example.com/cgi-bin/"
<Directory "/srv/www/www.example.com/cgi-bin/">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    Order allow,deny
    Allow from all
</Directory>

The ScriptAlias line tells Apache to handle all files within this directory as CGI scripts. Options +ExecCGI enables CGI script execution. AddHandler tells the server to treat files with the extensions .pl and .cgi as CGI scripts. Adjust according to your needs.
Now call http://localhost/cgi-bin/test.cgi or http://www.example.com/cgi-bin/test.cgi. You should see the “CGI/1.0 test script report”.

40.5.3 Troubleshooting

If you do not see the output of the test program but an error message instead, check the following:
• Have you reloaded the server after having changed the configuration? Check with rcapache2 probe.
Page 792
For this purpose, the server sends an SSL certificate that holds information proving the server's identity before any request to a URL is answered. The client checks that the certificate was signed by a CA it trusts, that it names the server being contacted, and, in the course of the handshake, that the server holds the matching private key. Only then can the client be sure it is talking to the server the certificate names rather than to an impostor. The same handshake negotiates the keys for an encrypted connection between client and server, so that information is transported without the risk of exposing sensitive, plain-text content.
Page 793
• /etc/apache2/ssl.crt/server.crt • /etc/apache2/ssl.key/server.key • /etc/apache2/ssl.csr/server.csr A copy of ca.crt is also placed at /srv/www/htdocs/CA.crt for download. IMPORTANT A dummy certificate should never be used on a production system. Only use it for testing purposes. Creating a Self-Signed Certificate If you are setting up a secure Web server for an Intranet or for a defined circle of users, it might be sufficient if you sign a certificate with your own certificate authority (CA).
Page 794
answer every question. If one does not apply to you or you want to leave it blank, use “.”. Common name is the name of the CA itself—choose a significant name, such as My company CA. 4 Generating X.509 certificate for CA signed by itself Choose certificate version 3 (the default).
Page 795
Encrypting the server key with a password requires you to enter this password every time you start the Web server. This makes it difficult to automatically start the server on boot or to restart the Web server. Therefore, it is common to answer N to this question. An unencrypted key is then protected by file permissions alone: make sure /etc/apache2/ssl.key/server.key is owned by root and readable by nobody else (mode 0600), because anyone who can read it can impersonate the server and, with RSA key exchange, decrypt recorded sessions.
Page 796
When requesting an officially signed certificate, you do not send a certificate to the CA. Instead, issue a Certificate Signing Request (CSR). To create a CSR, call the script /usr/share/ssl/misc/CA.sh -newreq. First the script asks for a passphrase with which the newly generated private key is encrypted; the CSR itself is not encrypted, it contains only the public key and the requested name and is what you send to the CA. Then you are asked to enter a distinguished name.
The virtual host configuration directory contains a template /etc/apache2/vhosts.d/vhost-ssl.template with SSL-specific directives that are extensively documented. Refer to Section “Virtual Host Configuration” (page 750) for the general virtual host configuration. To get started, copy the template to /etc/apache2/vhosts.d/mySSL-host.conf and edit it.
Page 798
The SUSE security announcements are available from the following locations:
• Web Page: http://www.novell.com/linux/security/securitysupport.html
• Mailing List: http://en.opensuse.org/Communicate#Mailinglists
• RSS Feed: http://www.novell.com/linux/security/suse_security.xml

40.7.2 DocumentRoot Permissions

By default in SUSE Linux Enterprise Server, the DocumentRoot directory /srv/www/htdocs and the CGI directory /srv/www/cgi-bin belong to the user and group root. Because the Web server itself runs as an unprivileged user, it cannot modify its own content: a flaw in a script or module cannot be used to overwrite pages or to drop further scripts into the CGI directory. Keep it that way and give write access to these directories only to the administrator.
trator trusts—allowing users to run their own scripts is generally not a good idea. It is also recommended to do security audits for all scripts. To make the administration of scripts as easy as possible, it is common practice to limit the execution of CGI scripts to specific directories instead of globally allowing them.
LogLevel directive if more detail is needed in the log files. By default, the error log file is located at /var/log/apache2/error_log. TIP: A Simple Test Watch the Apache log messages with the command tail -F /var/log/apache2/my_error_log. Then run rcapache2 restart. Now, try to connect with a browser and check the output.
Page 801
2.0 to 2.2 is available at http://httpd.apache.org/docs-2.2/upgrading.html.

40.9.2 Apache Modules

More information about external Apache modules from Section 40.4.5, “External Modules” (page 769) is available at the following locations:
mod-apparmor: http://en.opensuse.org/AppArmor
mod_perl: http://perl.apache.org/
mod_php5: http://www.php.net/manual/en/install.unix.apache2.php
mod_python: http://www.modpython.org/

40.9.3 Development

More information about developing Apache modules or about getting involved in the Apache Web server project is available at the following locations: Apache Developer Information...
Page 802
40.9.4 Miscellaneous Sources

If you experience difficulties specific to Apache in SUSE Linux Enterprise Server, take a look at the Technical Information Search at http://www.novell.com/support. The history of Apache is provided at http://httpd.apache.org/ABOUT_APACHE.html. This page also explains why the server is called Apache.
The Proxy Server Squid Squid is a widely-used proxy cache for Linux and UNIX platforms. This means that it stores requested Internet objects, such as data on a Web or FTP server, on a machine that is closer to the requesting workstation than the server. It may be set up in multiple hierarchies to assure optimal response times and low bandwidth usage, even in modes that are transparent for the end user.
41.1 Some Facts about Proxy Caches As a proxy cache, Squid can be used in several ways. When combined with a firewall, it can help with security. Multiple proxies can be used together. It can also determine what types of objects should be cached and for how long. 41.1.1 Squid and Security It is possible to use Squid together with a firewall to secure internal networks from the outside using a proxy cache.
HIT code if the object was detected or a MISS if it was not. If multiple HIT responses were found, the proxy server decides from which server to download, depending on factors such as which cache sent the fastest answer or which one is closer. If no satisfactory responses are received, the request is sent to the parent cache.
41.2.1 Hard Disks Speed plays an important role in the caching process, so this factor deserves special attention. For hard disks, this parameter is described as random seek time, measured in milliseconds. Because the data blocks that Squid reads from or writes to the hard disk tend to be rather small, the seek time of the hard disk is more important than its data throughput.
It is very important to have sufficient memory for the Squid process, because system performance is dramatically reduced if it must be swapped to disk. The cachemgr.cgi tool can be used for the cache memory management. This tool is introduced in Section 41.6, “cachemgr.cgi”...
Page 808
so, consider that Squid is made completely accessible to anyone by this action. Therefore, define ACLs that control access to the proxy. More information about this is available in Section 41.4.2, “Options for Access Controls” (page 794). After modifying the configuration file /etc/squid/squid.conf, Squid must reload the configuration file.
Dynamic DNS Normally, with dynamic DNS, the DNS server is set by the provider during the establishment of the Internet connection and the local file /etc/resolv.conf is adjusted automatically. This behavior is controlled in the file /etc/sysconfig/network/config with the sysconfig variable MODIFY_RESOLV_CONF_DYNAMICALLY, which is set to "yes".
Page 810
with # (the lines are commented) and the relevant specifications can be found at the end of the line. The given values almost always correlate with the default values, so removing the comment signs without changing any of the parameters actually has little effect in most cases.
Page 811
cache_dir ufs /var/cache/squid/ 100 16 256 The entry cache_dir defines the directory where all the objects are stored on disk. The numbers at the end indicate the maximum disk space in MB to use and the number of directories in the first and second level. The ufs parameter should be left alone.
Page 812
overwritten. The default value is 0 because archiving and deleting log files in SUSE Linux Enterprise Server is carried out by a cron job set in the configuration file /etc/logrotate.d/squid.

append_domain <domain> With append_domain, specify which domain to append automatically when none is given.
Page 813
acl <acl_name> <type> <data> An ACL requires at least three specifications to define it. The name <acl_name> can be chosen arbitrarily. For <type>, select from a variety of different options, which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
Page 814
and the last http_access deny all

redirect_program /usr/bin/squidGuard With this option, specify a redirector such as squidGuard, which allows blocking unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured.
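The http_access lines are evaluated in order, all ACLs on one line must match, the first matching line decides, and, if no line matches, Squid applies the opposite of the last line's action, which is the reason for ending the list with deny all. The following is an added example, not code from the SUSE manual or from Squid: a small evaluator for the ACL types a squid.conf of this era typically uses (src, dstdomain, port) so that these ordering rules can be checked against sample requests before the real configuration is reloaded. The rule set and the requests are constructed for the demonstration; all is defined as an src ACL the way squid.conf of this version expects.

```python
"""Evaluate Squid-style acl and http_access lines: in order, first match wins.

Added example, not from the SUSE manual or from Squid. The rule set below
is constructed; only the src, dstdomain and port ACL types are implemented.
"""
import ipaddress

SAMPLE_RULES = """\
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl blocked dstdomain .example.org
acl Safe_ports port 80 443
acl all src 0.0.0.0/0
http_access deny blocked
http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet
http_access deny all
"""


def parse_rules(text):
    """Return (acls, access): ACL definitions and http_access lines in file order."""
    acls, access = {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            # several acl lines with the same name are merged (their values are ORed)
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            access.append((parts[1], parts[2:]))
    return acls, access


def acl_matches(acl, request):
    for acl_type, values in acl:
        if acl_type == "src":
            addr = ipaddress.ip_address(request["src"])
            if any(addr in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif acl_type == "dstdomain":
            host = request["host"].lower()
            for v in (v.lower() for v in values):
                # a leading dot matches the domain itself and every subdomain
                if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                    return True
                if not v.startswith(".") and host == v:
                    return True
        elif acl_type == "port":
            if str(request["port"]) in values:
                return True
    return False


def evaluate(acls, access, request):
    """Return 'allow' or 'deny' for a request dict with keys src, host, port."""
    for action, names in access:
        # every ACL on one http_access line must match (they are ANDed);
        # a leading ! negates the ACL
        for name in names:
            negate = name.startswith("!")
            if acl_matches(acls[name.lstrip("!")], request) == negate:
                break
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action,
    # which is why a configuration should end with an explicit "deny all".
    if not access:
        return "allow"
    return "deny" if access[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    acls, access = parse_rules(SAMPLE_RULES)
    for req in ({"src": "192.168.3.7", "host": "www.example.com", "port": 80},
                {"src": "192.168.3.7", "host": "www.example.org", "port": 80},
                {"src": "10.0.0.5", "host": "www.example.com", "port": 80}):
        print(req, "->", evaluate(acls, access, req))
```

Dropping the final deny all and ending with allow localnet still denies outsiders (the opposite of allow), but ending with a deny line for a specific ACL silently allows everything else; the evaluator makes that visible.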
41.5 Configuring a Transparent Proxy

The usual way of working with proxy servers is the following: the Web browser sends requests to a certain port in the proxy server and the proxy provides these required objects, whether they are in its cache or not. When working in a network, several situations may arise: •...
Page 816
41.5.2 Firewall Configuration with SuSEfirewall2

Now redirect all incoming requests via the firewall with help of a port forwarding rule to the Squid port. To do this, use the enclosed tool SuSEfirewall2, described in Section 43.4.1, “Configuring the Firewall with YaST” (page 829). Its configuration file can be found in /etc/sysconfig/SuSEfirewall2.
Page 817
Example 41.1 Firewall Configuration: Option 15
# 15.)
# Which accesses to services should be redirected to a local port
# on the firewall machine?
# This can be used to force all internal users to surf via your
# Squid proxy, or transparently redirect incoming Web traffic to
# a secure Web server.
41.6 cachemgr.cgi

The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the memory usage of a running Squid process. It is also a more convenient way to manage the cache and view statistics without logging in to the server.

41.6.1 Setup

First, a running Web server on your system is required.
Page 819
These rules assume that the Web server and Squid are running on the same machine. If the communication between the cache manager and Squid originates at the Web server on another computer, include an extra ACL as in Example 41.2, “Access Rules” (page 801).
41.7 squidGuard This section is not intended to explain an extensive configuration of squidGuard, only to introduce it and give some advice for using it. For more in-depth configuration issues, refer to the squidGuard Web site at http://www.squidguard.org. squidGuard is a free (GPL), flexible, and fast filter, redirector, and access controller plug-in for Squid.
Next, create a dummy “access denied” page or a more or less complex CGI page to redirect Squid if the client requests a blacklisted Web site. Using Apache is strongly recommended. Now, configure Squid to use squidGuard. Use the following entry in the /etc/squid/squid.conf file: redirect_program /usr/bin/squidGuard Another option called redirect_children configures the number of “redirect”...
include a message or logo in report header More information about the various options can be found in the program's manual page with man calamaris. A typical example is: cat access.log.2 access.log.1 access.log | calamaris -a -w \ > /usr/local/httpd/htdocs/Squid/squidreport.html This puts the report in the directory of the Web server.
Managing X.509 Certification

An increasing number of authentication mechanisms are based on cryptographic procedures. Digital certificates that assign cryptographic keys to their owners play an important role in this context. These certificates are used for communication and can also be found, for example, on company ID cards.
Page 826
Private Key The private key must be kept safely by the key owner. Accidental publication of the private key compromises the key pair and renders it useless. Public Key The key owner circulates the public key for use by third parties. 42.1.1 Key Authenticity Because the public key process is in widespread use, there are many public keys in circulation.
Page 827
42.1.2 X.509 Certificates

An X.509 certificate is a data structure with several fixed fields and, optionally, additional extensions. The fixed fields mainly contain the name of the key owner, the public key, and the data relating to the issuing CA (name and signature). For security reasons, a certificate should only have a limited period of validity, so a field is also provided for this date.
Page 828
Extensions: Optional additional information, such as “KeyUsage” or “BasicConstraints”

42.1.3 Blocking X.509 Certificates

If a certificate becomes untrustworthy before it has expired, it must be blocked (revoked) immediately. This can be needed if, for example, the private key has accidentally been made public.
Page 829
List of revoked certificates: Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions)
Extensions: Optional CRL extensions

42.1.4 Repository for Certificates and CRLs

The certificates and CRLs for a CA must be made publicly accessible using a repository. Because the signature protects the certificates and CRLs from being forged, the repository itself does not need to be secured in a special way against tampering. It does need to stay available, though: a client that cannot obtain a current CRL either has to reject the certificate or, depending on its policy, proceeds without revocation information, so an attacker who can block access to the repository can keep a revoked certificate usable until the client next succeeds in fetching a CRL. Keep the CRL's validity period short enough that such a stale view does not last long.
42.2 YaST Modules for CA Management YaST provides two modules for basic CA management. The primary management tasks with these modules are explained here. 42.2.1 Creating a Root CA The first step when setting up a PKI is to create a root CA. Do the following: 1 Start YaST and go to Security and Users >...
Page 831
CA Name Enter the technical name of the CA. Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.
Page 832
In general, it is best not to allow user certificates to be issued by the root CA. It is better to create at least one sub-CA and create the user certificates from there. This has the advantage that the root CA can be kept isolated and secure, for example, on an isolated computer on secure premises.
Page 833
Figure 42.2 YaST CA Module—Using a CA 4 Click Advanced and select Create SubCA. This opens the same dialog as for creating a root CA. 5 Proceed as described in Section 42.2.1, “Creating a Root CA” (page 812). 6 Select the tab Certificates. Reset compromised or otherwise unwanted sub-CAs here using Revoke.
Page 834
the e-mail address of the recipient (the public key owner) to be included in the certificate. In the case of server and client certificates, the hostname of the server must be entered in the Common Name field. The default validity period for certificates is 365 days. To create client and server certificates, do the following: 1 Start YaST and open the CA module.
Page 835
To revoke compromised or otherwise unwanted certificates, do the following: 1 Start YaST and open the CA module. 2 Select the required CA and click Enter CA. 3 Enter the password if entering a CA the first time. YaST displays the CA key information in the Description tab.
Page 836
3 Click Advanced > Edit Defaults. 4 Choose the type the settings to change. The dialog for changing the defaults, shown in Figure 42.4, “YaST CA Module—Extended Settings” (page 818), then opens. Figure 42.4 YaST CA Module—Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical.
Page 837
42.2.5 Creating CRLs If compromised or otherwise unwanted certificates should be excluded from further use, they must first be revoked. The procedure for this is explained in Section 42.2.2, “Creating or Revoking a Sub-CA” (page 814) (for sub-CAs) and Section 42.2.3, “Creating or Revoking User Certificates”...
Page 838
must be entered manually. You must always enter several passwords (see Table 42.3, “Passwords during LDAP Export” (page 820)).

Table 42.3 Passwords during LDAP Export
• LDAP Password: Authorizes the user to make entries in the LDAP tree.
• Certificate Password: Authorizes the user to export the certificate.
Page 839
42.2.7 Exporting CA Objects as a File If you have set up a repository on the computer for administering CAs, you can use this option to create the CA objects directly as a file at the correct location. Different output formats are available, such as PEM, DER, and PKCS12.
Page 840
The general server certificate is stored in /etc/ssl/servercerts and can be used there by any CA-supported service. When this certificate expires, it can easily be replaced using the same mechanisms. To get things functioning with the replaced certificate, restart the participating services. If you select Import here, you can select the source in the file system.
Masquerading and Firewalls

Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart.
Page 842
This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet. mangle The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
Page 843
Figure 43.1 iptables: A Packet's Possible Paths (diagram): an incoming packet passes PREROUTING (mangle) and then the routing decision. From there it goes either through INPUT (mangle, filter) to processes in the local system, whose replies leave through OUTPUT (mangle, filter), routing and POSTROUTING (mangle), or through FORWARD (mangle, filter) and POSTROUTING (mangle) as an outgoing packet.

These tables contain several predefined chains to match packets:
PREROUTING This chain is applied to incoming packets.
INPUT This chain is applied to packets destined for the system's internal processes.
FORWARD This chain is applied to packets that are only routed through the system.
OUTPUT This chain is applied to packets originating from the system itself.
POSTROUTING This chain is applied to all outgoing packets.
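The order in which these chains and the mangle, nat and filter tables see a packet decides what a rule can do: a nat PREROUTING rule runs before the routing decision, so a REDIRECT there (the transparent proxy setup of Section 41.5) turns a packet that would have been forwarded into one delivered locally, and a MASQUERADE in nat POSTROUTING rewrites the source only of packets that survived FORWARD. The following is an added example, not code from the SUSE manual and not an iptables or SuSEfirewall2 configuration: a simulation of that traversal with first-match rule evaluation and a policy per chain. Connection tracking is left out, so every packet is treated like the first packet of a connection, and locally generated traffic (OUTPUT) is not simulated. The router addresses, interface names and the rule set are constructed for the demonstration.

```python
"""Walk a packet through the netfilter tables and chains of Figure 43.1.

Added example, not from the SUSE manual. LOCAL_ADDRS, the rule set and the
packets are constructed; conntrack and the OUTPUT path are left out.
"""
import ipaddress

# The router: eth0 faces the internal network, eth1 the outside world.
LOCAL_ADDRS = {"eth0": "192.168.1.1", "eth1": "203.0.113.10"}
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Tables consulted per chain, in order.
TRAVERSAL = {
    "PREROUTING": ["mangle", "nat"],
    "INPUT": ["mangle", "filter"],
    "FORWARD": ["mangle", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}


def rule(target, **match):
    """A rule: match criteria plus a target: ACCEPT, DROP, MASQUERADE or ('REDIRECT', port)."""
    return {"target": target, "match": match}


def packet_matches(pkt, match):
    for key, wanted in match.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(wanted):
                return False
        elif pkt.get(key) != wanted:
            return False
    return True


def run_chain(rules, table, chain, pkt, policy="ACCEPT"):
    """The first matching rule decides; otherwise the chain policy applies."""
    for r in rules.get((table, chain), []):
        if not packet_matches(pkt, r["match"]):
            continue
        target = r["target"]
        if target == "MASQUERADE":
            # the source becomes the address of the outgoing interface
            pkt["src"] = LOCAL_ADDRS[pkt["out_iface"]]
            return "ACCEPT"
        if isinstance(target, tuple) and target[0] == "REDIRECT":
            # the destination becomes the primary address of the incoming interface
            pkt["dst"], pkt["dport"] = LOCAL_ADDRS[pkt["in_iface"]], target[1]
            return "ACCEPT"
        return target
    return policy


def route(pkt):
    """Routing decision: None for local delivery, else the outgoing interface."""
    if pkt["dst"] in LOCAL_ADDRS.values():
        return None
    return "eth0" if ipaddress.ip_address(pkt["dst"]) in INTERNAL_NET else "eth1"


def process(rules, policies, pkt):
    """Return (verdict, packet) after the packet has crossed the host."""
    pkt = dict(pkt)
    for table in TRAVERSAL["PREROUTING"]:
        if run_chain(rules, table, "PREROUTING", pkt) == "DROP":
            return "DROP", pkt
    # routing happens after PREROUTING, so a REDIRECT there is honoured
    pkt["out_iface"] = route(pkt)
    chain = "INPUT" if pkt["out_iface"] is None else "FORWARD"
    for table in TRAVERSAL[chain]:
        if run_chain(rules, table, chain, pkt, policies.get((table, chain), "ACCEPT")) == "DROP":
            return "DROP", pkt
    if chain == "INPUT":
        return "ACCEPT", pkt  # delivered to a local process
    for table in TRAVERSAL["POSTROUTING"]:
        if run_chain(rules, table, "POSTROUTING", pkt) == "DROP":
            return "DROP", pkt
    return "ACCEPT", pkt


# Constructed rule set: send LAN web traffic to the local Squid on port 3128,
# masquerade everything else the LAN forwards, and drop all other input.
RULES = {
    ("nat", "PREROUTING"): [rule(("REDIRECT", 3128), in_iface="eth0", proto="tcp", dport=80)],
    ("nat", "POSTROUTING"): [rule("MASQUERADE", out_iface="eth1", src="192.168.1.0/24")],
    ("filter", "INPUT"): [
        rule("ACCEPT", in_iface="eth0", proto="tcp", dport=22),
        rule("ACCEPT", in_iface="eth0", proto="tcp", dport=3128),
    ],
    ("filter", "FORWARD"): [rule("ACCEPT", in_iface="eth0")],
}
POLICIES = {("filter", "INPUT"): "DROP", ("filter", "FORWARD"): "DROP"}

if __name__ == "__main__":
    web = {"in_iface": "eth0", "src": "192.168.1.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 80}
    print(process(RULES, POLICIES, web))
```

The LAN web request ends up at the router's own address on port 3128 and therefore has to be allowed in the filter INPUT chain, not in FORWARD; forgetting that is the usual reason a transparent proxy setup "drops" web traffic while other forwarding works.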
Page 845
hosts in the local network connected to the network card (such as eth0) of the router, they can send any packets not destined for the local network to their default gateway or router. IMPORTANT: Using the Correct Network Mask When configuring your network, make sure both the broadcast address and the netmask are the same for all local hosts.
43.3 Firewalling Basics Firewall is probably the term most widely used to describe a mechanism that provides and manages a link between networks while also controlling the data flow between them. Strictly speaking, the mechanism described in this section is called a packet filter. A packet filter regulates the data flow according to certain criteria, such as protocols, ports, and IP addresses.
Page 847
External Zone Given that there is no way to control what is happening on the external network, the host needs to be protected from it. In most cases, the external network is the Internet, but it could be another insecure network, such as a WLAN. Internal Zone This refers to the private network, in most cases the LAN.
Page 848
for activating additional services and ports. The YaST firewall configuration module can be used to activate, deactivate, or reconfigure the firewall. The YaST dialogs for the graphical configuration can be accessed from the YaST Control Center. Select Security and Users > Firewall. The configuration is divided into seven sections that can be accessed directly from the tree structure on the left side.
The logging of broadcasts that are not accepted can be enabled here. This may be problematic, because Windows hosts use broadcasts to know about each other and so generate many packets that are not accepted. IPsec Support Configure whether the IPsec service should be available to the external network in this dialog.
Page 850
FW_DEV_INT (firewall, masquerading) The device linked to the internal, private network (such as eth0). Leave this blank if there is no internal network and the firewall protects only the host on which it runs. FW_ROUTE (firewall, masquerading) If you need the masquerading function, set this to yes. Your internal hosts will not be visible to the outside, because their private network addresses (e.g., 192.168.x.x) are ignored by Internet routers.
FW_SERVICES_INT_TCP (firewall) With this variable, define the services available for the internal network. The notation is the same as for FW_SERVICES_EXT_TCP, but the settings are applied to the internal network. The variable only needs to be set if FW_PROTECT_FROM_INT is set to yes.

FW_SERVICES_INT_UDP (firewall) See FW_SERVICES_INT_TCP.
SSH: Secure Network Operations With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it.
44.2 The ssh Program Using the ssh program, it is possible to log in to remote systems and work interactively. It replaces both telnet and rlogin. The slogin program is just a symbolic link pointing to ssh. For example, log in to the host sun with the command ssh sun. The host then prompts for the password on sun.
scp also provides a recursive copying feature for entire directories. The command scp -r src/ sun:backup/ copies the entire contents of the directory src includ- ing all subdirectories to the backup directory on the host sun. If this subdirectory does not exist yet, it is created automatically.
Page 856
For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of the protocol with the -1 switch. Protocol version 1 has known cryptographic weaknesses (its integrity protection is a CRC, which allows injected packets), so use it only towards a legacy host you cannot upgrade and leave it disabled on your own servers (Protocol 2 in sshd_config). To continue using version 1 after a system update, follow the instructions in /usr/share/doc/packages/openssh/README.SuSE.
44.6 SSH Authentication Mechanisms

Now the actual authentication takes place, which, in its simplest form, consists of entering a password as mentioned above. The goal of SSH was to introduce a secure software that is also easy to use. Because it is meant to replace rsh and rlogin, SSH must also be able to provide an authentication method appropriate for daily use.
44.7 X, Authentication, and Forwarding Mechanisms Beyond the previously described security-related improvements, SSH also simplifies the use of remote X applications. If you run ssh with the option -X, the DISPLAY variable is automatically set on the remote machine and all X output is exported to the remote machine over the existing SSH connection.
Network Authentication—Kerberos An open network provides no means to ensure that a workstation can identify its users properly except the usual password mechanisms. In common installations, the user must enter the password each time a service inside the network is accessed. Kerberos provides an authentication method with which a user registers once and is then trusted in the complete network for the rest of the session.
credential Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials—tickets and authenticators. ticket A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service.
replay Almost all messages sent in a network can be eavesdropped, stolen, and resent. In the Kerberos context, this would be most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator. He could then try to resend it (replay) to impersonate you.
• The client's IP address • The newly-generated session key This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used. This private key is only known to Kerberos and the client, because it is derived from your user password.
45.2.3 Mutual Authentication Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be. The server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts it with the session key, which is shared between it and the client.
• The newly-generated session key The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is encrypted with the session key that came with the original ticket-granting ticket.
• rsh, rcp, rshd • ftp, ftpd • ksu You no longer have to enter your password for using these applications because Kerberos has already proven your identity. ssh, if compiled with Kerberos support, can even forward all the tickets acquired for one workstation to another one. If you use ssh to log in to another workstation, ssh makes sure that the encrypted contents of the tickets are adjusted to the new situation.
Installing and Administering Kerberos This section covers the installation of the MIT Kerberos implementation as well as some aspects of administration. This section assumes you are familiar with the basic concepts of Kerberos (see also Chapter 45, Network Authentication—Kerberos (page 841)). 46.1 Choosing the Kerberos Realms The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING.
For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples. 46.2 Setting Up the KDC Hardware The first thing required to use Kerberos is a machine that acts as the key distribution center, or KDC for short.
6 Disable all user accounts except root's account by editing /etc/shadow and replacing the hashed passwords with * or ! characters. 46.3 Clock Synchronization To use Kerberos successfully, make sure that all system clocks within your organization are synchronized within a certain range. This is important because Kerberos protects against replayed credentials.
1 Install the RPMs On a machine designated as the KDC, install special software packages. See Section 46.4.1, “Installing the RPMs” (page 852) for details. 2 Adjust the Configuration Files The configuration files /etc/krb5.conf and /var/lib/kerberos/krb5kdc/kdc.conf must be adjusted for your scenario.
When you make tape backups of the Kerberos database (/var/lib/kerberos/krb5kdc/principal), do not back up the stash file (which is in /var/lib/kerberos/krb5kdc/.k5.EXAMPLE.COM). Otherwise, everyone able to read the tape could also decrypt the database. Therefore, it is also a good idea to keep a copy of the pass phrase in a safe or some other secure location, because you need it to restore your database from backup tape after a crash.
Next, create another principal named newbie/admin by typing ank newbie/admin at the kadmin prompt. The admin suffixed to your username is a role. Later, use this role when administering the Kerberos database. A user can have several roles for different purposes.
46.5.1 Static Configuration One way to configure Kerberos is to edit the configuration file /etc/krb5.conf. The file installed by default contains various sample entries. Erase all of these entries before starting. krb5.conf is made up of several sections, each introduced by the section name included in brackets like [this].
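The section layout just described, as an added example that is not taken from the manual: a small parser for the krb5.conf format, run against a constructed sample file. The realm, host names and values are placeholders; clockskew is the MIT [libdefaults] option for the tolerance covered in Section 46.5.3.

```python
"""Added example: a minimal parser for the krb5.conf layout, that is, [section]
headers, key = value lines and brace-delimited subsections such as one realm
under [realms]. Repeated keys (for example several kdc lines) accumulate."""

# Constructed sample configuration; the realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
# comment lines start with # or ;
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        kdc = kdc2.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values] | {subkey: [values]}}} or raise ValueError."""
    config = {}
    section = None       # dict of the current [section]
    open_blocks = []     # stack of dicts for unclosed "key = {" blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if open_blocks:
                raise ValueError("line %d: section header inside an open { block" % lineno)
            section = config.setdefault(line[1:-1], {})
            continue
        if section is None:
            raise ValueError("line %d: entry outside any [section]" % lineno)
        target = open_blocks[-1] if open_blocks else section
        if line == "}":
            if not open_blocks:
                raise ValueError("line %d: unbalanced }" % lineno)
            open_blocks.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        if value == "{":
            open_blocks.append(target.setdefault(key, {}))
        else:
            target.setdefault(key, []).append(value)
    if open_blocks:
        raise ValueError("unclosed { block at end of file")
    return config


def kdcs_for(config, realm):
    """All KDC hosts listed for a realm, in file order."""
    return config.get("realms", {}).get(realm, {}).get("kdc", [])


def clock_skew(config):
    """Tolerated clock difference in seconds; MIT's default is 300 when unset."""
    values = config.get("libdefaults", {}).get("clockskew", [])
    return int(values[0]) if values else 300


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(kdcs_for(cfg, "EXAMPLE.COM"), clock_skew(cfg))
```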
records are not supported in earlier implementations of the BIND name server. At least BIND version 8 is required for this. The name of an SRV record, as far as Kerberos is concerned, is always in the format _service._proto.realm, where realm is the Kerberos realm. Domain names in DNS are case insensitive, so case-sensitive Kerberos realms would break when using this configuration method.
46.5.3 Adjusting the Clock Skew The clock skew is the tolerance for accepting tickets with time stamps that do not exactly match the host's system clock. Usually, the clock skew is set to 300 seconds (five minutes). This means a ticket can have a time stamp somewhere between five minutes ago and five minutes in the future from the server's point of view.
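The replay, mutual authentication and clock skew points from this chapter, as an added example that is not part of the manual: a toy model of the client/server exchange, with a stand-in cipher in place of Kerberos' real encryption types and constructed session keys and timestamps.

```python
"""Added example: a toy model of the Kerberos client/server exchange described in
this chapter. The client sends an authenticator (its name, a timestamp and a
checksum) encrypted under the shared session key; the server rejects timestamps
outside the clock skew window and authenticators it has already seen, then
proves its own knowledge of the session key by returning checksum + 1."""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds: the usual five-minute tolerance named in the text


def _keystream(key, nonce, length):
    """Stand-in stream cipher (SHA-256 in counter mode) so the example needs no
    third-party library; real Kerberos uses its own encryption types."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def seal(key, message):
    """Encrypt-then-MAC a JSON message: nonce || ciphertext || HMAC tag."""
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag and decrypt; a message not made with this key is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message was not sealed with the shared session key")
    stream = _keystream(key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class Client:
    def __init__(self, principal, session_key):
        self.principal = principal
        self.key = session_key

    def authenticator(self, now):
        """Build the encrypted authenticator; returns (blob, checksum) so the
        caller can later check the server's reply."""
        checksum = int.from_bytes(os.urandom(4), "big")
        message = {"client": self.principal, "timestamp": now, "checksum": checksum}
        return seal(self.key, message), checksum

    def verify_server(self, reply, checksum):
        """Mutual authentication: only a holder of the session key can return
        checksum + 1."""
        return unseal(self.key, reply)["checksum"] == checksum + 1


class Server:
    def __init__(self, session_key):
        self.key = session_key
        self.replay_cache = set()  # (client, timestamp, checksum) already accepted

    def accept(self, blob, now):
        """Validate an authenticator and return the server's encrypted reply."""
        auth = unseal(self.key, blob)
        if abs(auth["timestamp"] - now) > CLOCK_SKEW:
            raise ValueError("timestamp outside the %d second clock skew" % CLOCK_SKEW)
        # Entries older than the skew window would be rejected by the check above
        # anyway, so the cache only has to remember the window itself.
        self.replay_cache = {e for e in self.replay_cache if now - e[1] <= CLOCK_SKEW}
        entry = (auth["client"], auth["timestamp"], auth["checksum"])
        if entry in self.replay_cache:
            raise ValueError("replayed authenticator from %s" % auth["client"])
        self.replay_cache.add(entry)
        return seal(self.key, {"checksum": auth["checksum"] + 1})


def demo():
    """One successful exchange followed by a replay of the same authenticator."""
    key = os.urandom(32)  # constructed session key; in reality issued by the KDC
    client, server = Client("newbie@EXAMPLE.COM", key), Server(key)
    blob, checksum = client.authenticator(now=1000000)
    reply = server.accept(blob, now=1000100)  # a 100 s difference is tolerated
    mutual_ok = client.verify_server(reply, checksum)
    try:
        server.accept(blob, now=1000101)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return mutual_ok, replay_rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```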
Figure 46.1 YaST: Basic Configuration of a Kerberos Client To configure ticket-related options in the Advanced Settings dialog, choose from the following options: • Specify the Default Ticket Lifetime and the Default Renewable Lifetime in days, hours, or minutes (using the units of measurement d, h, and m, with no blank space between the value and the unit).
• Use Clock Skew to set a value for the allowable difference between the time stamps and your host's system time. • To keep the system time in sync with an NTP server, you can also set up the host as an NTP client by selecting NTP Configuration, which opens the YaST NTP client dialog that is described in Section 32.1, “Configuring an NTP Client with YaST”...
newbie/admin Replace the username newbie with your own. Restart kadmind for the change to take effect. 46.7.1 Using kadmin for Remote Administration You should now be able to perform Kerberos administration tasks remotely using the kadmin tool. First, obtain a ticket for your admin role and use that ticket when connecting to the kadmin server: kadmin -p newbie/admin Authenticating as principal newbie/admin@EXAMPLE.COM with password.
kadmin: modify_principal -maxlife "8 hours" newbie Principal "newbie@EXAMPLE.COM" modified. kadmin: getprinc joe Principal: newbie@EXAMPLE.COM Expiration date: [never] Last password change: Wed Jan 12 17:28:46 CET 2005 Password expiration date: [none] Maximum ticket life: 0 days 08:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Wed Jan 12 17:59:49 CET 2005 (newbie/admin@EXAMPLE.COM) Last successful authentication: [never] Last failed authentication: [never]...
Kerberos can decrypt the ticket. It would be quite inconvenient for the system administrator if he had to obtain new tickets for the SSH daemon every eight hours or so. Instead, the key required to decrypt the initial ticket for the host principal is extracted by the administrator from the KDC once and stored in a local file called the keytab.
46.9 Enabling PAM Support for Kerberos SUSE Linux Enterprise® comes with a PAM module named pam_krb5, which supports Kerberos login and password update. This module can be used by applications, such as console login, su, and graphical login applications like KDM, where the user presents a password and would like the authenticating application to obtain an initial Kerberos ticket on his behalf.
46.10 Configuring SSH for Kerberos Authentication OpenSSH supports Kerberos authentication in both protocol version 1 and 2. In version 1, there are special protocol messages to transmit Kerberos tickets. Version 2 does not use Kerberos directly anymore, but relies on GSSAPI, the Generic Security Services API.
46.11 Using LDAP and Kerberos When using Kerberos, one way to distribute the user information (such as user ID, groups, and home directory) in your local network is to use LDAP. This requires a strong authentication mechanism that prevents packet spoofing and other attacks. One solution is to use Kerberos for LDAP communication, too.
A third, and maybe the best solution, is to tell OpenLDAP to use a special keytab file. To do this, start kadmin, and enter the following command after you have added the principal ldap/earth.example.com: ktadd -k /etc/openldap/ldap.keytab ldap/earth.example.com@EXAMPLE.COM Then, on the shell, run: chown ldap.ldap /etc/openldap/ldap.keytab chmod 600 /etc/openldap/ldap.keytab To tell OpenLDAP to use a different keytab file, change the following variable in...
As you can see, ldapsearch prints a message that it started GSSAPI authentication. The next message is very cryptic, but it shows that the security strength factor (SSF for short) is 56. (The value 56 is somewhat arbitrary; most likely it was chosen because this is the number of bits in a DES encryption key.)
authz-regexp uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com To understand how this works, you need to know that when SASL authenticates a user, OpenLDAP forms a distinguished name from the name given to it by SASL (such as joe) and the name of the SASL flavor (GSSAPI). The result would be uid=joe,cn=GSSAPI,cn=auth.
Encrypting Partitions and Files Every user has some confidential data that third parties should not be able to access. The more you rely on mobile computing and on working in different environments and networks, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have network or physical access to your system.
mounted and the contents are made available to the user. Refer to Section 47.2, “Using Encrypted Home Directories” (page 873) for more information. Encrypting Single ASCII Text Files If you only have a small number of ASCII text files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using the vi editor.
47.1.1 Creating an Encrypted Partition during Installation WARNING: Password Input Make sure to memorize the password for your encrypted partitions well. Without that password you cannot access or restore the encrypted data. The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition.
password when prompted for it. After you are done with working on this partition, unmount it with umount name_of_partition to protect it from access by other users. When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation.
The advantage of encrypted container files over encrypted partitions is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions. 47.1.4 Encrypting the Content of Removable Media YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk.
LOGIN.key The image key, protected with the user's login password. On login the home directory automatically gets decrypted. Internally, it is provided by means of the PAM module pam_mount. If you need to add an additional login method that provides encrypted home directories, you have to add this module to the respective configuration file in /etc/pam.d/.
Effective hardening of a computer system requires minimizing the number of programs that mediate privilege and then securing those programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer.
Guide. 48.1 Installing Novell AppArmor Novell AppArmor is installed and running by default on any installation of SUSE Linux Enterprise® regardless of what patterns are installed. The packages listed below are needed for a fully functional instance of AppArmor •...
Using Novell AppArmor Control Panel Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.
48.3 Getting Started with Profiling Applications Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items: 1 Determine the applications to profile. Read more on this in Section 48.3.1, “Choosing the Applications to Profile” (page 878).
There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
Outline the basic profile by running YaST > Novell AppArmor > Add Profile Wizard and specifying the complete path of the application to profile. A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing but does not yet restrict 2 Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.
For more information about profile building and modification, refer to Chapter 2, Profile Components and Syntax (↑Novell AppArmor Administration Guide), Chapter 3, Building and Managing Profiles with YaST (↑Novell AppArmor Administration Guide), and Chapter 4, Building Profiles from the Command Line (↑Novell AppArmor Administration Guide).
48.3.3 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.
Delete unneeded reports or add new ones. TIP: For More Information For more information about configuring event notification in Novell AppArmor, refer to Section “Configuring Security Event Notification” (Chapter 6, Managing Profiled Applications, ↑Novell AppArmor Administration Guide). Find more information about report configuration in Section “Configuring Reports”...
TIP: For More Information For more information about updating your profiles from the system logs, refer to Section “Updating Profiles from Log Entries” (Chapter 3, Building and Managing Profiles with YaST, ↑Novell AppArmor Administration Guide).
Security and Confidentiality One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent.
49.1 Local Security and Network Security There are several ways of accessing data: • personal communication with people who have the desired information or access to the data on a computer • directly from the console of a computer (physical access) •...
Serial terminals connected to serial ports are still used in many places. Unlike network interfaces, they do not rely on a network protocol to communicate with the host. A simple cable or an infrared port is used to send plain characters back and forth between the devices.
In the seventies, it was argued that this method would be more secure than others due to the relative slowness of the algorithm used, which took a few seconds to encrypt just one password. In the meantime, however, PCs have become powerful enough to do several hundred thousand or even millions of encryptions per second.
The permissions of all files included in the SUSE Linux Enterprise distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits. Experienced and security-conscious system administrators always use the -l option with the command ls to get an extensive file list, which allows them to detect any incorrect file permissions immediately.
the user) uses up some more space than what is available in the buffer. As a result, data is written beyond the end of that buffer area, which, under certain circumstances, makes it possible for a program to execute program sequences influenced by the user (and not by the programmer), rather than just processing user data.
cryptographic signature as a digital label that the necessary care was taken to build them. Viruses are a typical sign that the administrator or the user lacks the required security awareness, putting at risk even a system that should be highly secure by its very design.
In the case of cookie-based access control, a character string is generated that is only known to the X server and to the legitimate user, just like an ID card of some kind. This cookie (the word goes back not to ordinary cookies, but to Chinese fortune cookies, which contain an epigram) is stored on login in the file .Xauthority in the user's home directory and is available to any X client wanting to use the X server to display a window.
Buffer overflows and format string bugs exploitable over a network link are certainly the most frequent form of remote attacks in general. Exploits for these—programs to exploit these newly-found security holes—are often posted on the security mailing lists. They can be used to target the vulnerability without knowing the details of the code. Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software.
the role of the target host, the victims notice this, because they get an error message saying the connection was terminated due to a failure. The fact that there are protocols not secured against hijacking through encryption, which only perform a simple authentication procedure upon establishing the connection, makes it easier for attackers.
49.2 Some General Security Tips and Tricks To handle security competently, it is important to keep up with new developments and stay informed about the latest security issues. One very good way to protect your systems against problems of all kinds is to get and install the updated packages recommended by security announcements as quickly as possible.
• Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the intended way. On the other hand, consider that, in most cases, the program will also have ceased to be a potential security risk.
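An added example (not from the manual) of the kind of check the ls -l advice and the setuid discussion above call for: a walk over a directory tree that reports setuid or setgid files and world-writable paths, run against a constructed sample tree.

```python
"""Added example: an audit that walks a directory tree and reports the
permission problems an administrator would otherwise look for in ls -l output:
setuid or setgid files and world-writable files or directories. Sticky
directories such as /tmp are skipped, since there users may only remove their
own files."""
import os
import stat
import tempfile


def audit_permissions(root):
    """Return sorted path lists relative to root under the keys 'setuid',
    'setgid' and 'world_writable'. Symbolic links are skipped, never followed."""
    findings = {"setuid": [], "setgid": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings["setuid"].append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                findings["setgid"].append(rel)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings["world_writable"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def ls_l_line(root, rel):
    """The mode string and numeric ownership ls -l would print for one finding."""
    st = os.lstat(os.path.join(root, rel))
    return "%s %5d %5d %s" % (stat.filemode(st.st_mode), st.st_uid, st.st_gid, rel)


def make_sample_tree():
    """Constructed sample tree: a setuid tool, a world-writable file, a sticky
    directory, a setgid directory (directories are not reported as setgid) and
    a normal file. Modes are set explicitly so the result does not depend on
    the umask."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for rel, mode in [("bin", 0o755), ("tmp", 0o1777), ("shared", 0o2775)]:
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in [("bin/suidtool", 0o4755), ("notes.txt", 0o666), ("bin/ok", 0o755)]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    sample_root = make_sample_tree()
    for kind, paths in audit_permissions(sample_root).items():
        for rel in paths:
            print(kind, ls_l_line(sample_root, rel))
```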
SUSE's PGP key is: ID:3D25D3D9 1999-03-06 SUSE Security Team <security@suse.de> Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5 This key is also available for download from http://www.novell.com/linux/security/securitysupport.html.
Help and Documentation SUSE Linux Enterprise® comes with various sources of information and documentation. The SUSE Help Center provides central access to the most important documentation resources on your system in searchable form. These resources include online help for installed applications, manual pages, info pages, databases on hardware and software topics, and all manuals delivered with your product.
configuration of the search function in the Search tab are presented in Section 50.1.2, “The Search Function” (page 903). The Contents tab presents a tree view of all available and currently installed information sources. Click the book icons to open and browse the individual categories.
50.1.1 Contents The SUSE Help Center provides access to useful information from various sources. It contains special documentation for SUSE Linux Enterprise (Start-Up, KDE User Guide, GNOME User Guide, and Reference), all available information sources for your workstation environment, online help for the installed programs, and help texts for other applications.
Figure 50.3 Generating a Search Index To limit the search base and the hit list as precisely as possible, use the three drop-down menus to determine the number of displayed hits and the selection area of sources to search. The following options are available for determining the selection area: Default A predefined selection of sources is searched.
50.2 Man Pages Man pages are an essential part of any Linux system. They explain the usage of a command and all available options and parameters. Man pages are sorted in categories as shown in Table 50.1, “Man Pages—Categories and Descriptions” (page 905) (taken from the man page for man itself).
Another possibility to display a man page is to use Konqueror. Start Konqueror and type, for example, man:/ls. If there are different categories for a command, Konqueror displays them as links. 50.3 Info Pages Info pages are another important source of information on your system. Usually they are more verbose than man pages.
50.5 Wikipedia: The Free Online Encyclopedia Wikipedia is “a multilingual encyclopedia designed to be read and edited by anyone” (see http://en.wikipedia.org). The content of Wikipedia is created by its users and is published under a free license (GFDL). Any visitor can edit articles, which creates a risk of vandalism, but this does not deter visitors.
50.7 Package Documentation If you install a package in your system, a directory /usr/share/doc/packages/packagename is created. You can find files from the package maintainer as well as additional information from SUSE. Sometimes there are also examples, configuration files, additional scripts, or other things available. Usually you can find the following files, but they are not standard and sometimes not all files are available.
NEWS Description of what is new in this version. 50.8 Usenet Created in 1979 before the rise of the Internet, Usenet is one of the oldest computer networks and still in active use. The format and transmission of Usenet articles is very similar to e-mail, but is designed for many-to-many communication.
of several standards, such as the important LSB (Linux Standard Base), is supervised by this organization. http://www.w3.org The World Wide Web Consortium (W3C) is certainly one of the best-known standards organizations. It was founded in October 1994 by Tim Berners-Lee and concentrates on standardizing Web technologies.
http://www.din.de http://www.din.com The Deutsches Institut für Normung (DIN) is a registered technical and scientific association. It was founded in 1917. According to DIN, the organization is “the institution responsible for standards in Germany and represents German interests in worldwide and European standards organizations.” The association brings together manufacturers, consumers, trade professionals, service companies, scientists and others who have an interest in the establishment of standards.
Common Problems and Their Solutions This chapter describes a range of common problems that can arise, with the intention of covering as many of the various types of potential problems as possible. That way, even if your precise situation is not listed here, there might be one similar enough to offer hints as to the solution.
Table 51.1 Log Files
Log File: Description
/var/log/boot.msg: Messages from the kernel during the boot process.
/var/log/mail.*: Messages from the mail system.
/var/log/messages: Ongoing messages from the kernel and system log daemon when running.
/var/log/NetworkManager: Log file from NetworkManager to collect problems with network connectivity.
/var/log/SaX.log: ...
Table 51.2 System Information
File: Description
/proc/cpuinfo: This displays processor information, including its type, make, model, and performance.
/proc/dma: This shows which DMA channels are currently being used.
/proc/interrupts: This shows which interrupts are in use and how many of each have been in use.
/proc/iomem: This displays the status of I/O (input/output) memory.
51.2 Installation Problems Installation problems are situations in which a machine fails to install. It may fail entirely or it may not be able to start the graphical installer. This section highlights some of the typical problems you might run into and offers possible solutions or workarounds for these kinds of situations.
Booting from a Floppy Disk Create a boot floppy and boot from floppy disk instead of CD or DVD. Using an External Boot Device If it is supported by the machine's BIOS and the installation kernel, boot for installation from external CD or DVD drives. Network Boot via PXE If a machine lacks a CD or DVD drive, but provides a working ethernet connection, perform a completely network-based installation.
verbose 1 in syslinux.cfg for the boot loader to display which action is currently being performed. If the machine does not boot from the floppy disk, you may need to change the boot sequence in the BIOS to A,C,CDROM. External Boot Devices Most CD-ROM drives are supported.
appears, look for a line, usually below the counter or somewhere at the bottom, mentioning the key to press to access the BIOS setup. Usually the key to press is Del , F1 , or Esc . Press this key until the BIOS setup screen appears. Procedure 51.1 Changing the BIOS Boot Sequence 1 Enter the BIOS using the proper key as announced by the boot routines and wait for the BIOS screen to appear.
7 Exit this screen and confirm with Yes to boot the computer. Regardless of what language and keyboard layout your final installation will be using, most BIOS configurations use the US keyboard layout as depicted in the following figure: Figure 51.1 US Keyboard Layout 51.2.5 Fails to Boot Some hardware types, mainly fairly old or very recent ones, fail to install.
If this fails, proceed as above, but choose Installation--Safe Settings instead. This option disables ACPI and DMA support. Most hardware should boot with this option. If both of these options fail, use the boot options prompt to pass any additional parameters needed to support this type of hardware to the installation kernel.
notsc Disable the time stamp counter. This option can be used to work around timing problems on your systems. It is a new feature; if you see regressions on your machine, especially time related or even total hangs, this option is worth a try. nohz=off Disable the nohz feature.
To perform an installation in text mode, proceed as follows: 1 Boot for installation. 2 Press F3 and select Text Mode. 3 Select Installation and proceed with the installation as described in Chapter 3, Installation with YaST (page 17). To perform a VNC installation, proceed as follows: 1 Boot for installation.
If you use any kind of VNC viewer on your preferred operating system, enter the IP address and password when prompted to do so. A window opens, displaying the installation dialogs. Proceed with the installation as usual. 51.2.7 Only Minimalistic Boot Screen Started You inserted the first CD or DVD into the drive, the BIOS routines are finished, but the system does not start with the graphical boot screen.
51.3.1 Fails to Load the GRUB Boot Loader If the hardware is functioning properly, it is possible that the boot loader has become corrupted and Linux cannot start on the machine. In this case, it is necessary to reinstall the boot loader. To reinstall the boot loader, proceed as follows: 1 Insert the installation media into the drive.
51.3.2 No Graphical Login If the machine comes up, but does not boot into the graphical login manager, anticipate problems either with the choice of the default runlevel or the configuration of the X Window System. To check the runlevel configuration, log in as the root user and check whether the machine is configured to boot into runlevel 5 (graphical desktop).
51.4 Login Problems Login problems are those where your machine does, in fact, boot to the expected welcome screen or login prompt, but refuses to accept the username and password or accepts them but then does not behave properly (fails to start the graphic desktop, produces errors, drops to a command line, etc.).
In all cases that do not involve external network problems, the solution is to reboot the system into single-user mode and repair the configuration before booting again into operating mode and attempting to log in again. To boot into single-user mode: 1 Reboot the system.
2 Log in as root and check /var/log/messages for error messages of the login process and of PAM. 3 Try to log in from a console (using Ctrl + Alt + F1 ). If this is successful, the blame cannot be put on PAM, because it is possible to authenticate this user on this machine.
• The user does not have permission to log in to that particular host in the authentication system. • The machine has changed hostnames, for whatever reason, and the user does not have permission to log in to that host. •...
7 If graphical login still fails, do a console login with Ctrl + Alt + F1 . Try to start an X session on another display—the first one (:0) is already in use: startx -- :1 This should bring up a graphical screen and your desktop. If it does not, check the log files of the X Window System (/var/log/Xorg.displaynumber.log) or the log file for your desktop applications (.xsession-errors in the user's home directory) for any irregularities.
6 Recover your individual application configuration data (including the Evolution e-mail client data) by copying the ~/.gconf-ORIG-RECOVER/apps/ directory back into the new ~/.gconf directory as follows: cp -a .gconf-ORIG-RECOVER/apps .gconf/ If this causes the login problems, attempt to recover only the critical application data and reconfigure the remainder of the applications.
3 Move the KDE configuration directory and the .skel files to a temporary location: mv .kde .kde-ORIG-RECOVER mv .skel .skel-ORIG-RECOVER 4 Log out. 5 Log in again. 6 After the desktop has started successfully, copy the user's own configurations back into place: cp -a .kde-ORIG-RECOVER/share .kde/share IMPORTANT...
2 If using a wireless connection, check whether the wireless link can be established by other machines. If this is not the case, contact the wireless network's administrator. 3 Once you have checked your basic network connectivity, try to find out which service is not responding.
LDAP (User Management)
If your SUSE Linux Enterprise system relies on an LDAP server to provide the user data, users cannot log in to this machine while the LDAP service is down.
Kerberos (Authentication)
Authentication does not work, and login fails on every machine that authenticates against the unavailable KDC.
CUPS (Network Printing)
Users cannot print.
network hardware is faulty. Refer to Step 4c (page 937) for information about this.
4b Use host hostname to check whether the hostname of the server you are trying to connect to is properly translated into an IP address and vice versa.
mation. For detailed information about DNS, refer to Chapter 33, The Domain Name System (page 615). If you have made sure that the DNS configuration of your host and the DNS server are correct, proceed with checking the configuration of your network and network device.
4c If your system cannot establish a connection to a network server and you have excluded name service problems from the list of possible culprits, check the configuration of your network card.
2 Restart NetworkManager:
rcnetwork restart -o nm
3 Open a web page, for example http://www.opensuse.org, as a normal user to see whether you can connect.
4 Collect any information about the state of NetworkManager in /var/log/NetworkManager. For more information about NetworkManager, refer to Section 30.6, “Managing Network Connections with NetworkManager”...
the IP address or name of the server and the directory that should hold your archive.
2d Determine the archive type and click Next.
2e Determine the backup options to use, such as whether files not belonging to any package should be backed up and whether a list of files should be displayed prior to creating the archive.
51.6.2 Restoring a System Backup
Use the YaST System Restoration module to restore the system configuration from a backup. Restore the entire backup or select specific components that were corrupted and need to be reset to their old state.
1 Start YaST > System > System Restoration.
2 Enter the location of the backup file.
Using YaST System Repair
Before launching the YaST System Repair module, determine in which mode to run it to best fit your needs. Depending on the severity and cause of your system failure and on your expertise, there are three different modes to choose from:
Automatic Repair
If your system failed due to an unknown cause and you basically do not know which part of the system is to blame for the failure, use Automatic Repair.
3 At the boot screen, select Installation.
4 Select the language and click Next.
5 Confirm the license agreement and click Next.
6 In System Analysis, select Other > Repair Installed System.
7 Select Automatic Repair.
YaST now launches an extensive analysis of the installed system. The progress of the procedure is displayed at the bottom of the screen with two progress bars.
Swap Partitions
The swap partitions of the installed system are detected, tested, and offered for activation where applicable. Accept the offer, because it speeds up the repair.
File Systems
All detected file systems are subjected to a file system–specific check.
Entries in the File /etc/fstab
The entries in the file are checked for completeness and consistency.
3 At the boot screen, select Installation.
4 Select the language and click Next.
5 Confirm the license agreement and click Next.
6 In System Analysis, select Other > Repair Installed System.
7 Select Customized Repair.
Choosing Customized Repair shows a list of test runs that are all marked for execution at first.
2 In System Analysis, select Other > Repair Installed System.
3 Select Expert Tools and choose one or more repair options.
4 After the repair process has finished successfully, click OK and Finish and remove the installation media. The system automatically reboots.
Expert Tools provides the following options to repair your faulty system:
Install New Boot Loader
This starts the YaST boot loader configuration module.
Using the Rescue System
SUSE Linux Enterprise contains a rescue system. The rescue system is a small Linux system that can be loaded into a RAM disk and mounted as the root file system, allowing you to access your Linux partitions from the outside. Using the rescue system, you can recover or modify any important aspect of your system:
•...
2 Boot the system using “Wake on LAN”, as described in Section 4.3.7, “Wake on LAN” (page 75).
3 Enter root at the Rescue: prompt. A password is not required. Anyone who can boot the rescue system therefore gets root access to every partition on the machine, so physical and console access and the ability to boot from installation media deserve the same protection as the root password itself.
Once you have entered the rescue system, you can make use of the virtual consoles that can be reached with Alt + F1 to Alt + F6.
5 Unmount the root file system from the rescue system:
umount /mnt
6 Reboot the machine.
Repairing and Checking File Systems
Generally, file systems cannot be repaired on a running system. If you encounter serious problems, you may not even be able to mount your root file system and the system boot may end with a kernel panic.
4 Finally, mount the remaining partitions from the installed system:
mount -a
5 Now you have access to the installed system. Before rebooting the system, unmount the partitions with umount -a and leave the “change root” environment with exit.
WARNING: Limitations
Although you have full access to the files and applications of the installed system, there are some limitations.
Apply fixes to the device mapping (device.map) or the location of the root partition and configuration files, if necessary.
3 Reinstall the boot loader using the following command sequence:
grub --batch < /etc/grub.conf
4 Unmount the partitions, log out from the “change root” environment, and reboot the system:
umount -a
exit...
First, IPL the SUSE Linux Enterprise Server for IBM System z installation system as described in the Architecture-Specific Information manual. A list of choices for the network adapter to use is then presented. Select Start Installation or System then Start Rescue System to start the rescue system. Depending on the installation environment, you now must specify the parameters for the network adapter and the installation source.
0.0.4000 is the channel to which the adapter is attached and 1 stands for activate (a 0 here would deactivate the adapter).
2 After the adapter is activated, a disk can be configured. Do this with the following command:
zfcp_disk_configure 0.0.4000 1234567887654321 8765432100000000
0.0.4000 is the previously used channel ID, 1234567887654321 is the WWPN (World Wide Port Name), and 8765432100000000 is the LUN...
Example 51.1 Output of the Mount Command
SuSE Instsys suse:/ # mount
shmfs on /newroot type shm (rw,nr_inodes=10240)
devpts on /dev/pts type devpts (rw)
virtual-proc-filesystem on /proc type proc (rw)
/dev/dasda2 on /mnt type reiserfs (rw)
51.7.4 Changing to the Mounted File System
For the zipl command to read the configuration file from the root device of the installed system and not from the rescue system, change the root device to the installed system with the chroot command:...
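Before running chroot against /mnt, whether to run zipl here or to reinstall GRUB with the change-root sequence described earlier in this chapter, it is worth confirming that the device mounted there really is the installed system's root and, on GRUB systems, that device.map still names existing device nodes. The following POSIX shell helpers are an added example, not code from the manual. They assume the classic mount output format of Example 51.1 (reused here as the sample), that the installed system's /etc/fstab and /boot/grub/device.map are readable below the mount point, and that /dev/disk/by-id names, as SLES 10 writes into fstab by default, can be resolved with readlink -f when the nodes exist. The fstab and device.map contents used to exercise the helpers are constructed.

```shell
#!/bin/sh
# Added example, not code from the SLES manual: pre-flight checks for the
# rescue system "change root" procedure (mount the installed root on /mnt,
# chroot, fix device.map, reinstall the boot loader). Assumptions: `mount`
# prints the classic "DEV on MP type FSTYPE (OPTS)" lines, and the installed
# system's fstab and GRUB device.map are readable below the mount point.

# Sample `mount` output, taken from the manual's Example 51.1.
SAMPLE_MOUNT='shmfs on /newroot type shm (rw,nr_inodes=10240)
devpts on /dev/pts type devpts (rw)
virtual-proc-filesystem on /proc type proc (rw)
/dev/dasda2 on /mnt type reiserfs (rw)'

# Print "device fstype" for what is mounted at $1; `mount` output on stdin.
# Exit status 1 if nothing is mounted there.
mounted_at() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp && $4 == "type" { print $1, $5; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the device (or LABEL=/UUID= spec) that an fstab on stdin declares
# for "/". Comment lines are skipped.
fstab_root_device() {
    awk '$1 !~ /^#/ && NF >= 2 && $2 == "/" { print $1; exit }'
}

# Compare what is mounted at $1 with what the fstab file $2 declares for "/",
# inspecting the `mount` output passed as $3. Symlinked names such as
# /dev/disk/by-id/... are resolved when the nodes exist. Exit status:
# 0 match, 1 mismatch or nothing mounted, 2 cannot compare (LABEL=/UUID=).
check_chroot_target() {
    mp=$1 fstab=$2 mounts=$3
    mounted=$(printf '%s\n' "$mounts" | mounted_at "$mp") || {
        echo "nothing is mounted at $mp"; return 1; }
    dev=${mounted%% *}
    want=$(fstab_root_device < "$fstab")
    case $want in
        LABEL=*|UUID=*)
            echo "UNVERIFIED: fstab names root by $want; compare with blkid $dev"
            return 2 ;;
    esac
    [ -e "$dev" ]  && dev=$(readlink -f "$dev")
    [ -e "$want" ] && want=$(readlink -f "$want")
    if [ "$dev" = "$want" ]; then
        echo "OK: $mounted matches fstab root $want"
    else
        echo "MISMATCH: $mp holds $dev but fstab expects $want"
        return 1
    fi
}

# Print device.map entries (file $1) whose device node does not exist; a
# stale entry is what sends `grub --batch < /etc/grub.conf` to the wrong disk.
devmap_missing() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1, $2 }' "$1" |
    while read -r name dev; do
        [ -e "$dev" ] || echo "$name $dev"
    done
}

# Stand-alone use inside the rescue system, after mounting the root on /mnt:
#   RESCUE_CHECK=/mnt sh rescue-check.sh
if [ -n "${RESCUE_CHECK:-}" ]; then
    check_chroot_target "$RESCUE_CHECK" "$RESCUE_CHECK/etc/fstab" "$(mount)"
    devmap_missing "$RESCUE_CHECK/boot/grub/device.map"
fi
```

On the sample, mounted_at /mnt reports /dev/dasda2 reiserfs, which is exactly what a chroot for zipl or grub should see. A MISMATCH means the wrong partition was mounted (for example a second installation on the same machine), and anything devmap_missing prints must be corrected in the chrooted /boot/grub/device.map before the boot loader is reinstalled; a devmap entry that points at a node the rescue kernel has not created yet is also a hint to load the missing driver first.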
51.7.6 Exiting the Rescue System
To exit the rescue system, first leave the shell opened by the chroot command with exit. To prevent any loss of data, flush all unwritten buffers to disk with the sync command. Now change to the root directory of the rescue system and unmount the root device of the SUSE Linux Enterprise Server for IBM System z installation.