Novell LINUX ENTERPRISE SERVER 11 - ADMINISTRATION Administration Manual


SUSE Linux Enterprise Server 11 Administration Guide, March 23, 2009, www.novell.com

Summary of Contents for Novell LINUX ENTERPRISE SERVER 11 - ADMINISTRATION

  • Page 2 That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.
  • Page 3: Table Of Contents

    2 Gathering System Information for Support: Novell Support Link Overview; Using Supportconfig
  • Page 4 5 Bash and Bash Scripts: What is “The Shell”?; Writing Shell Scripts; Redirecting Command Events
  • Page 5 10 Printer Operation: 10.1 The Workflow of the Printing System; 10.2 Methods and Protocols for Connecting Printers; 10.3 Installing the Software
  • Page 6 14.4 For More Information; 15 Power Management: 15.1 Power Saving Functions; 15.2 ACPI
  • Page 7 19.6 For More Information; 20 Time Synchronization with NTP: 20.1 Configuring an NTP Client with YaST; 20.2 Manually Configuring ntp in the Network
  • Page 8 24.2 Starting and Stopping Samba; 24.3 Configuring a Samba Server; 24.4 Configuring Clients
  • Page 9 29 The Proxy Server Squid: 29.1 Some Facts about Proxy Caches; 29.2 System Requirements; 29.3 Starting Squid
  • Page 11: About This Guide

    About This Guide This guide is intended for use by professional network and system administrators during the operation of SUSE® Linux Enterprise. As such, it is solely concerned with ensuring that SUSE Linux Enterprise is properly configured and that the required services on the network are available to allow it to function properly as initially installed.
  • Page 12 Introduces basic concepts of system security, covering both local and network security aspects. Shows how to make use of the product inherent security software like Novell AppArmor (which lets you specify per program which files the program may read, write, and execute) or the auditing system that reliably collects information about any security-relevant events.
  • Page 13 • To report bugs for a product component or to submit enhancements requests, please use https://bugzilla.novell.com/. If you are new to Bugzilla, you might find the Bug Writing FAQs helpful, available from the Novell Bugzilla home page. • We want to hear your comments and suggestions about this manual and the other documentation included with this product.
  • Page 14 at the bottom of each page of the online documentation and enter your comments there. 3 Documentation Conventions The following typographical conventions are used in this manual: • /etc/passwd: directory names and filenames • placeholder: replace placeholder with the actual value •...
  • Page 15: Part I Support And Common Tasks

    Part I. Support and Common Tasks...
  • Page 17: Yast Online Update

    YaST Online Update Novell offers a continuous stream of software security updates for your product. By default openSUSE Updater is used to keep your system up-to-date. Refer to Section “Keeping the System Up-to-date” (Chapter 9, Installing or Removing Software, ↑Deployment Guide) for further information on openSUSE Updater.
  • Page 18: Installing Patches Manually Using The Qt Interface

    The Novell Customer Center is available at .com/center/. Novell provides updates with different relevance levels. Security updates fix severe security hazards and should definitely be installed. Recommended updates fix issues that could compromise your computer, whereas Optional updates fix non-security relevant issues or provide enhancements.
  • Page 19 Figure 1.1 YaST Online Update The patch display lists the available patches for SUSE Linux Enterprise Server. The patches are sorted by security relevance (security, recommended, and optional). There are three different views on patches. Use Show Patch Category to toggle the views: Needed Patches (default view) Non-installed patches that apply to packages installed on your system.
  • Page 20: Installing Patches Manually Using The Gtk Interface

    If you install an up-to-date package from a repository other than the update repository, the requirements of a patch for this package may be fulfilled with this installation. In this case a check mark is displayed in front of the patch summary. The patch will be visible in the list until you mark it for installation.
  • Page 21: Automatic Online Update

    Patch List Filters Available Non-installed patches that apply to packages installed on your system. Installed Patches that are already installed. Patches that are either already installed or available. Severity Only show Optional, Recommended, or Security patches. By default, All patches are shown.
  • Page 23: Gathering System Information For Support

    Center find your problem. 2.1 Novell Support Link Overview Novell Support Link (NSL) is new to SUSE Linux Enterprise Server. It is a tool that gathers system information and allows you to upload that information to another server for further analysis. Novell Support Center uses Novell Support Link to gather system information from problematic servers and sends the information to Novell's public FTP server.
  • Page 24: Using Supportconfig

    6 Enter your contact information. Use your service request number from Step 1 (page 10) and enter it into the text field labeled Novell 11 digit service request number. Proceed with Next. 7 The information gathering begins. After the process is finished, continue with Next.
  • Page 25 2.2.2 Using Supportconfig Directly to Collect Information To use supportconfig from the command line, proceed as follows: 1 Open a shell and become root. 2 Run supportconfig without any options. This gathers the default system information. 3 Wait for the tool to complete the operation. 4 The default archive location is /var/log with the filename format nts_HOST_DATE_TIME.tbz 2.2.3 Common Supportconfig Options...
  • Page 26: Submitting Information To Novell

    You can use the YaST Support module or the supportconfig command line utility to submit system information to Novell. When you experience a server issue and would like Novell's assistance, you will need to open a service request and submit your server information to Novell. Both YaST and command line methods are described.
  • Page 27 Novell. Continue with Next. 7 By default, a copy of the tarball will be saved in /root. Confirm you are using one of the Novell upload targets described above and the Upload log files tarball into URL is activated. Finish with Next.
  • Page 28: For More Information

    4c You can also attach the tarball to your service request using the service re- quest URL: http://www.novell.com/center/eservice. 5 Once the tarball is in the ftp://ftp.novell.com/incoming directory, it becomes automatically attached to your service request. 2.4 For More Information Find more information about gathering system information in the following documents: •...
  • Page 29: Yast In Text Mode

    YaST in Text Mode This section is intended for system administrators and experts who do not run an X server on their systems and depend on the text-based installation tool. It provides basic information about starting and operating YaST in text mode. YaST in text mode uses the ncurses library to provide an easy pseudo-graphical user interface.
  • Page 30: Navigation In Modules

    active category is indicated by a colored background. The right frame, which is surrounded by a thin white border, provides an overview of the modules available in the active category. The bottom frame contains the buttons for Help and Quit. When the YaST Control Center is started, the category Software is selected automatically.
  • Page 31: Restriction Of Key Combinations

    confirm with Enter . If you navigate to an item with Tab , press Enter to execute the selected action or activate the respective menu item. Function Keys The F keys ( F1 through F12 ) enable quick access to the various buttons. Available F key shortcuts are shown in the bottom line of the YaST screen.
  • Page 32: Yast Command Line Options

    Replacing Alt with Esc Alt shortcuts can be executed with Esc instead of Alt . For example, Esc – H replaces Alt + H . (First press Esc , then press H .) Backward and Forward Navigation with Ctrl + F and Ctrl + B If the Alt and Shift combinations are occupied by the window manager or the terminal, use the combinations Ctrl + F (forward) and Ctrl + B (backward) instead.
  • Page 33 yast --install <package_name> package_name can be a single short package name, for example gvim, which is installed with dependency checking, or the full path to an rpm package, which is installed without dependency checking. If you need a command-line based software management utility with functionality be- yond what YaST provides, consider using zypper.
  • Page 35: Managing Software With Command Line Tools

    Managing Software with Command Line Tools This chapter describes Zypper and RPM, two command line tools for managing software. 4.1 Using Zypper Zypper is a command line tool for installing and updating packages. Zypper's syntax is similar to that of rug. In contrast to rug, zypper does not require the zmd daemon to run behind the scenes.
  • Page 36 Additionally, you can choose from one or more global options by typing them just before the command. For example, --non-interactive means, run the command without asking anything, decide on your own: zypper --non-interactive patch To use the options specific to a particular command, type them right after the command. For example, --auto-agree-with-licenses means, apply all needed patches to the system without asking to confirm any licenses—all of them were read in advance: zypper patch --auto-agree-with-licenses...
  • Page 37 To remove an installed package, use: zypper remove package_name To install and remove packages simultaneously use the +/- or ~/! modifiers: zypper install emacs -vim zypper remove emacs +vim Or, if you choose to use - with the first package you specify, you must write -- before it to prevent its interpretation as a command option: zypper install -- -vim emacs WARNING: Do not Remove Mandatory System Packages...
  • Page 38 If an error occurs during installation, or anytime you feel the need, verify whether all dependencies are still fulfilled: zypper verify 4.1.3 Updating Software with Zypper There are two different ways to update software using Zypper. To integrate all officially released patches into your system, just run: zypper patch In this case, all patches available in your repositories are checked for relevance and...
  • Page 39 The result will look similar to the following output:
    # | Alias                             | Name                              | Enabled | Refresh
    --+-----------------------------------+-----------------------------------+---------+--------
    1 | SUSE-Linux-Enterprise-Server 11-0 | SUSE-Linux-Enterprise-Server 11-0 | Yes     | No
    2 | SLES-11-Updates                   | SLES 11 Online Updates            | Yes     | Yes
    3 | broadcomdrv                       | Broadcom Drivers...
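    The repository table above is worth checking before an unattended zypper patch run: patches are only found in enabled repositories and only in fresh metadata, so an update repository that is disabled or not auto-refreshed silently turns the run into a no-op. The script below is an added example, not from the guide or from Novell. It parses the table shown above (the third row is completed with constructed values), warns about enabled repositories without autorefresh, fails unless an enabled, auto-refreshed update repository exists, and wraps the patch command with the global and command options the chapter describes. The match on "Updates" in the alias is an assumption about repository naming.

```bash
#!/bin/sh
# Added example, not from the guide: sanity-check `zypper repos` output before an
# unattended `zypper patch`. The sample table is constructed from the one in the
# chapter; the third row's values are filled in for the demonstration.

sample_zypper_repos() {
    cat <<'EOF'
# | Alias                             | Name                              | Enabled | Refresh
--+-----------------------------------+-----------------------------------+---------+--------
1 | SUSE-Linux-Enterprise-Server 11-0 | SUSE-Linux-Enterprise-Server 11-0 | Yes     | No
2 | SLES-11-Updates                   | SLES 11 Online Updates            | Yes     | Yes
3 | broadcomdrv                       | Broadcom Drivers                  | Yes     | No
EOF
}

# Read the `zypper repos` table on stdin. Warn about every enabled repository that
# is not auto-refreshed and exit 1 unless an enabled, auto-refreshed update
# repository exists. Matching "Updates" in the alias is an assumption about naming.
check_update_repos() {
    awk -F'|' '
        NR <= 2 { next }                      # skip the header and the dashed separator
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            repo = $2; enabled = $4; refresh = $5
            if (enabled == "Yes" && refresh != "Yes")
                printf "WARN: %s is enabled but not auto-refreshed\n", repo
            if (repo ~ /Updates/ && enabled == "Yes" && refresh == "Yes")
                found = 1
        }
        END {
            if (!found) { print "FAIL: no enabled, auto-refreshed update repository"; exit 1 }
            print "OK: update repository enabled with autorefresh"
        }'
}

# Unattended patch run with the options the chapter shows. zypper exits 0 on success
# and uses codes above 100 for information (102: reboot required, 103: zypper itself
# was updated and must be restarted). Run as root on a real host; not executed here.
apply_patches_unattended() {
    command -v zypper >/dev/null 2>&1 || { echo "zypper not found" >&2; return 2; }
    zypper --non-interactive refresh || return 1
    zypper --non-interactive patch --auto-agree-with-licenses
}

# Demonstration on the constructed table; on a host, pipe `zypper repos` instead.
sample_zypper_repos | check_update_repos
```

On a real system run `zypper repos | check_update_repos && apply_patches_unattended` so that the patch step only runs when the update repository is actually in play; `zypper verify` afterwards confirms the dependency state, as the chapter describes.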
  • Page 40: Rpm-The Package Manager

    search works on package names or, optionally, on package summaries and descriptions, and displays status (S) information in the first column of the list of found packages. info with a package name as an argument displays detailed information about a package.
  • Page 41: Verifying Package Authenticity

    TIP: Software Development Packages For a number of packages, the components needed for software development (libraries, headers, include files, etc.) have been put into separate packages. These development packages are only needed if you want to compile software yourself (for example, the most recent GNOME packages). They can be identified by the name extension -devel, such as the packages alsa-devel, gimp-devel, and kdelibs3-devel.
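    The section headed "Verifying Package Authenticity" concerns rpm --checksig (also spelled rpm -K), which checks the digests and the GPG signature of a package file before it is installed. The practitioner's caveat is that rpm prints OK for a package that merely has intact digests; only a pgp or gpg token on the line means a signature was verified. The script below is an added example, not from the guide or from Novell: it classifies rpm -K output lines and refuses any package whose OK covers digests only. The sample lines are constructed in the shape of rpm 4.x output; package names, versions and the key ID are placeholders.

```bash
#!/bin/sh
# Added example, not from the guide: interpret `rpm --checksig` (rpm -K) output and
# refuse unsigned packages. Sample lines are constructed; the key ID is a placeholder.

sample_checksig_output() {
    cat <<'EOF'
example-1.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-tool-2.3-1.noarch.rpm: sha1 md5 OK
mystery-0.1-1.x86_64.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK (MISSING KEYS: GPG#00000000)
EOF
}

# Classify one rpm -K line. Prints signed, unsigned, bad or unparsed and returns 0
# only for signed: a verified pgp/gpg signature is the only thing that ties the
# package to its publisher; intact digests just mean the file was not corrupted.
classify_checksig_line() {
    case "$1" in
        *"NOT OK"*)                              echo bad;      return 1 ;;  # bad digest, bad signature, or key not imported
        *[pP][gG][pP]*" OK"|*[gG][pP][gG]*" OK") echo signed;   return 0 ;;
        *" OK")                                  echo unsigned; return 1 ;;  # digests only
        *)                                       echo unparsed; return 2 ;;
    esac
}

# Read rpm -K output on stdin, print a verdict per rejected package and a summary,
# and succeed only when every package carried a verified signature.
check_signatures_report() {
    signed=0; unsigned=0; bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        pkg=${line%%:*}
        verdict=$(classify_checksig_line "$line") || true
        case "$verdict" in
            signed)   signed=$((signed + 1)) ;;
            unsigned) unsigned=$((unsigned + 1)); echo "REJECT (no signature): $pkg" ;;
            *)        bad=$((bad + 1));           echo "REJECT ($verdict): $pkg" ;;
        esac
    done
    echo "signed=$signed unsigned=$unsigned bad=$bad"
    [ "$unsigned" -eq 0 ] && [ "$bad" -eq 0 ]
}

# Real use (needs rpm): verify_rpms /path/to/*.rpm ; non-zero unless all are signed.
verify_rpms() {
    rpm --checksig "$@" | check_signatures_report
}

# Demonstration on the constructed lines.
sample_checksig_output | check_signatures_report || echo "refusing to install"
```

A NOT OK with MISSING KEYS means the signing key is not in the rpm keyring; import it with rpm --import from a trusted copy of the key (rpm -q gpg-pubkey lists what is already imported) and re-run the check, rather than installing with the signature check disabled.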
  • Page 42 of the old version and immediately installs the new files. The difference between the two versions is that -U installs packages that previously did not exist in the system, but -F merely updates previously installed packages. When updating, rpm updates configuration files carefully using the following strategy: •...
  • Page 43: Rpm And Patches

    (even if no additional dependencies exist), it may be helpful to rebuild the RPM database using the option --rebuilddb. 4.2.3 RPM and Patches To guarantee the operational security of a system, update packages must be installed in the system from time to time. Previously, a bug in a package could only be eliminated by replacing the entire package.
  • Page 44: Delta Rpm Packages

    /etc/pine.conf.fixed /usr/bin/pine How can a patch RPM be installed in the system? Patch RPMs are used just like normal RPMs. The only difference is that a suitable RPM must already be installed. Which patches are already installed in the system and for which package versions? A list of all patches installed in the system can be displayed with the command rpm -qPa.
  • Page 45: Rpm Queries

    xdelta delta -0 old.cpio new.cpio delta
    writedeltarpm new.rpm delta info new.delta.rpm
    Finally, remove the temporary working files old.cpio, new.cpio, and delta. Using applydeltarpm, you can reconstruct the new RPM from the file system if the old package is already installed:
    applydeltarpm new.delta.rpm new.rpm
    To derive it from the old RPM without accessing the file system, use the -r option:
    applydeltarpm -r old.rpm new.delta.rpm new.rpm...
  • Page 46 --provides List features of the package that another package can request with --requires --requires, -R Capabilities the package requires --scripts Installation scripts (preinstall, postinstall, uninstall) For example, the command rpm -q -i wget displays the information shown in Example 4.1, “rpm -q -i wget” (page 32).
  • Page 47 Example 4.2 Script to Search for Packages
    #!/bin/sh
    # Usage: script PATTERN
    # Lists every installed file whose path matches PATTERN and the package that owns it.
    # Paths containing blanks would be split by the for loop; quote "$1" and "$i" at least.
    for i in $(rpm -q -a -l | grep "$1"); do
        echo "\"$i\" is in package:"
        rpm -q -f "$i"
        echo ""
    done
    The command rpm -q --changelog rpm displays a detailed list of change information about a specific package, sorted by date.
  • Page 48 The files of the RPM database are placed in /var/lib/rpm. If the partition /usr has a size of 1 GB, this database can occupy nearly 30 MB, especially after a complete update. If the database is much larger than expected, it is useful to rebuild the database with the option --rebuilddb.
  • Page 49 RPMS where the completed binary packages are stored SRPMS here are the source RPMs When you install a source package with YaST, all the necessary components are installed in /usr/src/packages: the sources and the adjustments in SOURCES and the relevant .spec file in SPECS. WARNING Do not experiment with system components (glibc, rpm, sysvinit, etc.), because this endangers the stability of your system.
  • Page 50: Compiling Rpm Packages With Build

    Do the same as -bi, but with the additional creation of the binary package. If the compile was successful, the binary should be in /usr/src/packages/RPMS. Do the same as -bb, but with the additional creation of the source RPM. If the compilation was successful, the binary should be in /usr/src/packages/ SRPMS.
  • Page 51 4.2.8 Tools for RPM Archives and the RPM Database Midnight Commander (mc) can display the contents of RPM archives and copy parts of them. It represents archives as virtual file systems, offering all usual menu options of Midnight Commander. Display the HEADER with F3 . View the archive structure with the cursor keys and Enter .
  • Page 53: Bash And Bash Scripts

    Bash and Bash Scripts These days many people use computers with a graphical user interface (GUI) like KDE or GNOME. Although they offer lots of features, their use is limited when it comes to the execution of automatical tasks. Shells are a good addition to GUIs and this chapter gives you an overview of some aspects of shells, in this case Bash.
  • Page 54 Depending on which type of shell you use, different configuration files are read. The following tables show the login and non-login shell configuration files.
    Table 5.1 Bash Configuration Files for Login Shells
    File                Description
    /etc/profile        Do not modify this file, otherwise your modifications can be destroyed during your next update!
    /etc/profile.local  Use this file if you extend /etc/profile...
  • Page 55 5.1.2 The Directory Structure The following table provides a short overview of the most important higher-level directories you find on a Linux system. Find more detailed information about the directories and important subdirectories in the following list. Table 5.4 Overview of a Standard Directory Tree Directory Contents...
  • Page 56 Directory Contents /srv Data for services provided by the system. /tmp Temporary files. /usr Secondary hierarchy with read-only data. /var Variable data such as log files. /windows Only available if you have both Microsoft Windows* and Linux installed on your system. Contains the Windows data.
  • Page 57 guration data for their desktop in .kde or .kde4 respectively, GNOME users find it in .gconf. NOTE: Home Directory in a Network Environment If you are working in a network environment, your home directory may be mapped to a directory in the file system other than /home. /lib Contains essential shared libraries needed to boot the system and to run the commands in the root file system.
  • Page 58 /tmp This directory is used by programs that require temporary storage of files. /usr /usr has nothing to do with users, but is the acronym for UNIX system resources. The data in /usr is static, read-only data that can be shared among various hosts compliant to the Filesystem Hierarchy Standard (FHS).
  • Page 59: Writing Shell Scripts

    example, the log files of your system are in /var/log/messages (only accessible for root). 5.2 Writing Shell Scripts Shell scripts are a convenient way of doing all sorts of tasks: collecting data, searching for a word or phrase in a text and many other useful things. The following example shows a small shell script that prints a text: Example 5.1 A Shell Script Printing a Text #!/bin/sh...
  • Page 60: Redirecting Command Events

    second one searches for the command in each directory given by the PATH environment variable. 5.3 Redirecting Command Events Each command can use three channels, either for input or output: • Standard Output This is the default output channel. Whenever a command prints something, it uses the standard output channel.
  • Page 61: Using Aliases

    acter. For example, the following line searches for a file starting with foo, but suppresses its errors by redirecting it to /dev/null: find / -name "foo*" 2>/dev/null 5.4 Using Aliases An alias is a shortcut definition of one or more commands. The syntax for an alias is: alias NAME=DEFINITION For example, the following line defines an alias lt which outputs a long listing (option -l), sorts it by modification time (-t) and prints it in reverse order while sorting (-r):...
  • Page 62 To remove a variable, use unset: unset NAME The following table contains some common environment variables which can be used in you shell scripts: Table 5.5 Useful Environment Variables HOME the home directory of the current user HOST the current host name LANG when a tool is localized, it uses the language from this envi- ronment variable.
  • Page 63
    #!/bin/sh
    echo \"$1\" \"$2\" \"$3\" \"$4\"
    If you execute this script with the above arguments, you get:
    "Tux Penguin" "2000" "" ""
    5.5.2 Using Variable Substitution Variable substitutions apply a pattern to the content of a variable either from the left or right side.
  • Page 64: Grouping And Combining Commands

    5.6 Grouping And Combining Commands Shells allow you to concatenate and group commands for conditional execution. Each command returns an exit code which determines the success or failure of its operation. If it is 0 (zero) the command was successful; everything else marks an error which is specific to the command.
  • Page 65: Working With Common Flow Constructs

    which prints: Hello Tux 5.7 Working with Common Flow Constructs To control the flow of your script, a shell has while, if, for and case constructs. 5.7.1 The if Control Command The if is used to check expressions. For example, the following code tests whether the current user is Tux: if test $USER = "tux"...
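    The pieces from sections 5.3 and 5.5 to 5.7 fit together in one script. The following is an added example, not from the guide or from Novell: argument quoting with "$@", the ${var##pattern} and ${var%pattern} substitutions, case and if, and the combination of commands by exit code with &&, || and a grouped { ...; } list whose stderr is redirected once. All paths are constructed strings; the script reads nothing from the system.

```bash
#!/bin/bash
# Added example, not from the guide: sections 5.3 and 5.5 to 5.7 in one script.
# Every path below is a constructed string; nothing is read from disk.

# Section 5.5: with "$@", "Tux Penguin" stays one argument, so this prints 2.
count_args() {
    echo "$#"
}

# Section 5.5.2: ${var##pattern} removes the longest match from the left,
# ${var%pattern} the shortest match from the right.
# /var/log/messages -> messages, /var/log/audit/audit.log -> audit
file_stem() {
    name="${1##*/}"             # drop everything up to the last slash
    printf '%s\n' "${name%.*}"  # drop one trailing .extension, if any
}

# Section 5.7: case on the stem; unknown names return exit code 1.
classify_log() {
    case "$(file_stem "$1")" in
        messages|warn) echo syslog ;;
        audit)         echo audit ;;
        *)             echo unknown; return 1 ;;
    esac
}

# Sections 5.3 and 5.6: the grouped list { ...; } gets a single stderr redirection,
# and the || branch runs only when classify_log returned non-zero. The function's
# own status is that of its last command, so callers can chain it with && and ||.
check_logs() {
    unknown=0
    errfile=$(mktemp)
    {
        for path in "$@"; do
            kind=$(classify_log "$path") || unknown=$((unknown + 1))
            [ "$kind" = unknown ] && echo "WARN: unrecognised log $path" >&2
            echo "$path: $kind"
        done
    } 2>"$errfile"
    echo "warnings collected: $(grep -c . "$errfile")"
    rm -f "$errfile"
    [ "$unknown" -eq 0 ]
}

count_args "Tux Penguin" 2000
check_logs /var/log/messages /var/log/audit/audit.log /tmp/scratch.txt \
    || echo "at least one path was not recognised"
```

Note that count_args uses the quoted "$@"; an unquoted $* would split "Tux Penguin" into two words, which is the class of bug the quoting example in section 5.5 is about.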
  • Page 66: For More Information

    5.8 For More Information Important information about Bash is provided in the man pages (man sh). More about this topic can be found in the following list: • http://tldp.org/LDP/Bash-Beginners-Guide/html/index.html—Bash Guide for Beginners • http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO.html—BASH Programming - Introduction HOW-TO • http://tldp.org/LDP/abs/html/index.html—Advanced Bash-Scripting Guide •...
  • Page 67: Part Ii System

    Part II. System...
  • Page 69: 32-Bit And 64-Bit Applications In A 64-Bit System Environment

    32-Bit and 64-Bit Applications in a 64-Bit System Environment SUSE® Linux Enterprise Server is available for several 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE Linux Enterprise Server supports the use of 32-bit applications in a 64-bit system environment.
  • Page 70: Runtime Support

    6.1 Runtime Support IMPORTANT: Conflicts between Application Versions If an application is available both for 32-bit and 64-bit environments, parallel installation of both versions is bound to lead to problems. In such cases, decide on one of the two versions and install and use this. An exception to this rule is PAM (pluggable authentication modules).
  • Page 71: Software Development

    6.2 Software Development All 64-bit architectures support the development of 64-bit objects. The level of support for 32-bit compiling depends on the architecture. These are the various implementation options for the tool chain from GCC (GNU Compiler Collection) and binutils, which include the assembler as and the linker ld: Biarch Compiler Both 32-bit and 64-bit objects can be generated with a biarch development tool...
  • Page 72 packages and the development libraries for the second architecture from rpmname-devel-32bit or rpmname-devel-64bit. For example, to compile a program that uses libaio on a system whose second architecture is a 32-bit architecture (x86_64 or System z), you need the following RPMs: libaio-32bit 32-bit runtime package libaio-devel-32bit...
  • Page 73: Kernel Specifications

    LDFLAGS="-L/usr/lib" 5 Determine that the libraries are stored in the lib subdirectory: --libdir=/usr/lib 6 Determine that the 32-bit X libraries are used: --x-libraries=/usr/lib/xorg Not all of these variables are needed for every program. Adapt them to the respective program. An example configure call to compile a native 32-bit application on x86_64, ppc64 or System z could appear as follows: CC="gcc -m32"...
  • Page 74 Some applications require separate kernel-loadable modules. If you intend to use such a 32-bit application in a 64-bit system environment, contact the provider of this application and Novell to make sure that the 64-bit version of the kernel-loadable module and the 32-bit compiled version of the kernel API are available for this module.
  • Page 75: Booting And Configuring A Linux System

    Booting and Configuring a Linux System Booting a Linux system involves different components. The hardware itself is initialized by the BIOS, which starts the kernel by means of a boot loader. After this point, the boot process with init and the runlevels is completely controlled by the operating system. The runlevel concept enables you to maintain setups for everyday usage as well as to perform maintenance tasks on the system.
  • Page 76 remaining part of the boot process. Therefore, the first 512 bytes on the first hard disk are referred to as the Master Boot Record (MBR). The boot loader then passes control to the actual operating system, in this case, the Linux kernel. More information about GRUB, the Linux boot loader, can be found in Chapter 8, The Boot Loader GRUB...
  • Page 77 memory. initramfs must always provide an executable named init that should execute the actual init program on the root file system for the boot process to proceed. Before the root file system can be mounted and the operating system can be started, the kernel needs the corresponding drivers to access the device on which the root file system is located.
  • Page 78 Loading Kernel Modules Depending on your hardware configuration, special drivers may be needed to access the hardware components of your computer (the most important component being your hard drive). To access the final root file system, the kernel needs to load the proper file system drivers.
  • Page 79: The Init Process

    process are written to INITRD_MODULES in /etc/sysconfig/kernel. These names are used to generate a custom initramfs that is needed to boot the system. If the modules are not needed for boot but for coldplug, the modules are written to /etc/sysconfig/hardware/hwconfig-*. All devices that are described with configuration files in this directory are initialized in the boot process.
  • Page 80 7.2.1 Runlevels In Linux, runlevels define how the system is started and what services are available in the running system. After booting, the system starts as defined in /etc/inittab in the line initdefault. Usually this is 3 or 5. See Table 7.1, “Available Runlevels”...
  • Page 81 To change runlevels while the system is running, enter telinit and the corresponding number as an argument. Only the system administrator is allowed to do this. The following list summarizes the most important commands in the runlevel area. telinit 1 or shutdown now The system changes to single user mode.
  • Page 82 Generally, two things happen when you change runlevels. First, stop scripts of the current runlevel are launched, closing down some programs essential for the current runlevel. Then start scripts of the new runlevel are started. Here, in most cases, a number of programs are started.
  • Page 83 Scripts Executed Indirectly by init These are run when changing the runlevel and always call the master script /etc/init.d/rc, which guarantees the correct order of the relevant scripts. All scripts are located in /etc/init.d. Scripts that are run at boot time are called through symbolic links from /etc/init.d/boot.d.
  • Page 84 All of these settings may also be changed with the help of the YaST module. If you need to check the status on the command line, use the tool chkconfig, described in the chkconfig(8) man page. A short introduction to the boot and stop scripts launched first or last, respectively, follows as well as an explanation of the maintaining script.
  • Page 85 This script calls the appropriate stop scripts of the current runlevel and the start scripts of the newly selected runlevel. Like the /etc/init.d/boot script, this script is called from /etc/inittab with the desired runlevel as parameter. You can create your own scripts and easily integrate them into the scheme described above.
  • Page 86 should automatically be started or stopped. Finally, for Description:, provide a short description of the service in question. To create the links from the runlevel directories (/etc/init.d/rc?.d/) to the corresponding scripts in /etc/init.d/, enter the command insserv new-script-name. The insserv program evaluates the INIT INFO header to create the necessary links for start and stop scripts in the runlevel directories (/etc/init .d/rc?.d/).
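    As an added example (not from the guide or from Novell), here is a complete init script with the INIT INFO header that insserv evaluates, as described above. Assumptions: the service name hello-daemon, and /bin/sleep standing in for the real daemon binary so that the script can be exercised on any host; the pidfile handling is plain POSIX sh rather than the startproc, checkproc, killproc and rc_status helpers from /etc/rc.status that a SLES init script would normally use.

```bash
#!/bin/sh
# Added example, not from the guide: an init script with the INIT INFO header that
# insserv evaluates. Assumptions: the service name hello-daemon, and /bin/sleep as a
# stand-in for the real daemon so the script runs anywhere. Pidfile handling is plain
# POSIX sh; on SLES the helpers in /etc/rc.status would normally replace it.
### BEGIN INIT INFO
# Provides:          hello-daemon
# Required-Start:    $syslog $remote_fs
# Required-Stop:     $syslog $remote_fs
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: hello-daemon placeholder service
# Description:       Starts and stops the hello-daemon placeholder service.
### END INIT INFO

DAEMON=${DAEMON:-/bin/sleep}               # assumption: replace with the real binary
DAEMON_ARGS=${DAEMON_ARGS:-300}
PIDFILE=${PIDFILE:-/var/run/hello-daemon.pid}

# 0 if the pid recorded in PIDFILE is alive, 3 (LSB "program is not running") otherwise
do_status() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 3
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    return 3
}

do_start() {
    if do_status; then
        echo "hello-daemon already running"
        return 0
    fi
    "$DAEMON" $DAEMON_ARGS &                # DAEMON_ARGS unquoted: it is a word list
    echo "$!" > "$PIDFILE" || return 1      # fails for non-root under /var/run
    echo "hello-daemon started (pid $!)"
}

do_stop() {
    do_status || { echo "hello-daemon not running"; rm -f "$PIDFILE"; return 0; }
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true         # reaps the child if this shell started it
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    rm -f "$PIDFILE"
    if kill -0 "$pid" 2>/dev/null; then
        echo "hello-daemon did not exit"
        return 1
    fi
    echo "hello-daemon stopped"
}

case "${1:-}" in
    start)   do_start ;;
    stop)    do_stop ;;
    restart) do_stop && do_start ;;
    status)  if do_status; then echo "hello-daemon running"; else echo "hello-daemon not running"; exit 3; fi ;;
    "")      ;;                              # no action: only define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/hello-daemon with mode 755, then run insserv hello-daemon; the Default-Start and Default-Stop lines of the header determine which rc?.d directories receive the S and K links, and chkconfig hello-daemon shows the result.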
  • Page 87 level 5 (full multiuser mode with network and X). A suitable alternative might be runlevel 3 (full multiuser mode with network). This YaST dialog allows the selection of one of the runlevels (as listed in Table 7.1, “Available Runlevels” (page 66)) as the new default.
  • Page 88: System Configuration Via /Etc/Sysconfig

    changes to the system or to restore the settings that existed before starting the runlevel editor. Selecting Finish saves the changed settings to disk. 7.3 System Configuration via /etc/sysconfig The main configuration of SUSE Linux Enterprise Server is controlled by the configuration files in /etc/sysconfig.
  • Page 89 Figure 7.2 System Configuration Using the sysconfig Editor The YaST sysconfig dialog is split into three parts. The left part of the dialog shows a tree view of all configurable variables. When you select a variable, the right part displays both the current selection and the current setting of this variable.
  • Page 90 7.3.2 Changing the System Configuration Manually To manually change the system configuration, proceed as follows 1 Become root. 2 Bring the system into single user mode (runlevel 1) with telinit 1. 3 Change the configuration files as needed with an editor of your choice. If you do not use YaST to change the configuration files in /etc/sysconfig, make sure that empty variable values are represented by two quotation marks (KEYTABLE="") and that values with blanks in them are enclosed in quotation...
  • Page 91: The Boot Loader Grub

    The Boot Loader GRUB This chapter describes how to configure GRUB, the boot loader used in SUSE® Linux Enterprise Server. A special YaST module is available for configuring all settings. If you are not familiar with the subject of booting in Linux, read the following sections to acquire some background information.
  • Page 92: Booting With Grub

    part of a boot loader program or an operating system selector. The next 64 bytes provide space for a partition table of up to four entries. The partition table contains information about the partitioning of the hard disk and the file system types. The operating system needs this table for handling the hard disk.
  • Page 93 GRUB configuration file (menu.lst) do not require a new installation of the boot manager. When the system is booted, GRUB reloads the menu file with the valid paths and partition data of the kernel or the initial RAM disk (initrd) and locates these files.
  • Page 94 8.1.1 The GRUB Boot Menu The graphical splash screen with the boot menu is based on the GRUB configuration file /boot/grub/menu.lst, which contains all information about all partitions or operating systems that can be booted by the menu. Every time the system is booted, GRUB loads the menu file from the file system. For this reason, GRUB does not need to be reinstalled after every change to the file.
  • Page 95 The command root simplifies the specification of kernel and initrd files. The only argument of root is a device or a partition. This device is used for all kernel, initrd, or other file paths for which no device is explicitly specified until the next root command.
  • Page 96 the file device.map, which can be edited if necessary. Information about the file device.map is available in Section 8.1.2, “The File device.map” (page 85). A complete GRUB path consists of a device name written in parentheses and the path to the file in the file system in the specified partition. The path begins with a slash. For example, the bootable kernel could be specified as follows on a system with a single IDE hard disk containing Linux in its first partition: (hd0,0)/boot/vmlinuz...
  • Page 97 color white/blue black/light-gray Color scheme: white (foreground), blue (background), black (selection) and light gray (background of the selection). The color scheme has no effect on the splash screen, only on the customizable GRUB menu that you can access by exiting the splash screen with Esc.
  • Page 98 Editing Menu Entries during the Boot Procedure In the graphical boot menu, select the operating system to boot with the arrow keys. If you select a Linux system, you can enter additional boot parameters at the boot prompt. To edit individual menu entries directly, press Esc to exit the splash screen and get to the GRUB text-based menu, then press E.
  • Page 99 8.1.2 The File device.map The file device.map maps GRUB and BIOS device names to Linux device names. In a mixed system containing IDE and SCSI hard disks, GRUB must try to determine the boot sequence by a special procedure, because GRUB may not have access to the BIOS information on the boot sequence.
  • Page 100 8.1.3 The File /etc/grub.conf The third important GRUB configuration file after menu.lst and device.map is /etc/grub.conf. This file contains the commands, parameters and options the GRUB shell needs for installing the boot loader correctly: setup --stage2=/boot/grub/stage2 --force-lba (hd0,1) (hd0,1) quit This command tells GRUB to automatically install the boot loader to the second partition on the first hard disk (hd0,1) using the boot images located on the same partition.
  • Page 101: Configuring The Boot Loader With YaST

    Now GRUB commands can only be executed at the boot prompt after pressing P and entering the password. However, users can still boot all operating systems from the boot menu. 3 To prevent one or several operating systems from being booted from the boot menu, add the entry lock to every section in menu.lst that should not be bootable without entering a password.
  • Page 102 Figure 8.1 Boot Loader Settings Use the Section Management tab to edit, change and delete boot loader sections for the individual operating systems. To add an option, click Add. To change the value of an existing option, select it with the mouse and click Edit. To remove an existing entry, select it and click Delete.
  • Page 103 Procedure 8.1 Setting the Default System 1 Open the Section Management tab. 2 Select the desired entry from the list. 3 Click Set as Default. 4 Click Finish to activate these changes. 8.2.2 Modifying the Boot Loader Location To modify the location of the boot loader, follow these steps: Procedure 8.2 Changing the Boot Loader Location 1 Select the Boot Loader Installation tab and then choose one of the following options for Boot Loader Location:...
  • Page 104 8.2.3 Changing the Boot Loader Time-Out The boot loader does not boot the default system immediately. During the time-out, you can select the system to boot or write some kernel parameters. To set the boot loader time-out, proceed as follows: Procedure 8.3 Changing the Boot Loader Time-Out 1 Open the Boot Loader Installation tab.
  • Page 105 8.2.5 Adjusting the Disk Order If your computer has more than one hard disk, you can specify the boot sequence of the disks to match the BIOS setup of the machine (see Section 8.1.2, “The File device.map” (page 85)). To do so, proceed as follows: Procedure 8.5 Setting the Disk Order 1 Open the Boot Loader Installation tab.
  • Page 106 Graphical Menu File Path to the graphics file used when displaying the boot screen. Serial Connection Parameters If your machine is controlled via a serial console, you can specify which COM port to use at which speed. Also set Terminal Definition to “serial”. See info grub or http://www.gnu.org/software/grub/manual/grub.html for details.
  • Page 107: Uninstalling The Linux Boot Loader

    4 Click OK to save the changes. 5 Click Finish in the main dialog to apply the changes. During the conversion, the old GRUB configuration is saved to the disk. To use it, simply change the boot loader type back to GRUB and choose Restore Configuration Saved before Conversion.
  • Page 108 Procedure 8.7 Creating Boot CDs 1 Change into a directory in which to create the ISO image, for example: cd /tmp 2 Create a subdirectory for GRUB and change into the newly created iso directory: mkdir -p iso/boot/grub && cd iso 3 Copy the kernel, the files stage2_eltorito, initrd, menu.lst and message to iso/boot/: cp /boot/vmlinuz boot/...
  • Page 109: The Graphical SUSE Screen

    This section lists some of the problems frequently encountered when booting with GRUB and a short description of possible solutions. Some of the problems are covered in articles in the Knowledge base at http://support.novell.com/. Use the search dialog to search for keywords like GRUB, boot and boot loader.
  • Page 110 GRUB and XFS XFS leaves no room for stage1 in the partition boot block. Therefore, do not specify an XFS partition as the location of the boot loader. This problem can be solved by creating a separate boot partition that is not formatted with XFS. GRUB Reports GRUB Geom Error GRUB checks the geometry of connected hard disks when the system is booted.
  • Page 111: For More Information

    8.7 For More Information Extensive information about GRUB is available at http://www.gnu.org/software/grub/. Also refer to the grub info page. You can also search for the keyword “GRUB” in the Technical Information Search at http://www.novell.com/support to get information about special issues.
  • Page 113: Special System Features

    Special System Features This chapter starts with information about various software packages, the virtual consoles and the keyboard layout. We talk about software components like bash, cron and logrotate, because they were changed or enhanced during the last release cycles. Even if they are small or considered of minor importance, users may want to change their default behavior, because these components are often closely coupled with the system.
  • Page 114 1. /etc/profile 2. ~/.profile 3. /etc/bash.bashrc 4. ~/.bashrc Make custom settings in ~/.profile or ~/.bashrc. To ensure the correct processing of these files, it is necessary to copy the basic settings from /etc/skel/.profile or /etc/skel/.bashrc into the home directory of the user. It is recommended to copy the settings from /etc/skel after an update.
  • Page 115 A number of packages install shell scripts to the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly, whose execution is controlled by /usr/lib/cron/run-crons. /usr/lib/cron/run-crons is run every 15 minutes from the main table (/etc/crontab). This guarantees that processes that may have been neglected can be run at the proper time. To run the hourly, daily or other periodic maintenance scripts at custom times, remove the time stamp files regularly using /etc/crontab entries (see Example 9.2,...
  • Page 116 Configure logrotate with the file /etc/logrotate.conf. In particular, the include specification primarily configures the additional files to read. Programs that produce log files install individual configuration files in /etc/logrotate.d. For example, such files ship with the packages, e.g. apache2 (/etc/logrotate.d/ apache2) and syslogd (/etc/logrotate.d/syslog).
  • Page 117 9.1.4 The locate Command locate, a command for quickly finding files, is not included in the standard scope of installed software. If desired, install the package findutils-locate. The updatedb process is started automatically every night or about 15 minutes after booting the system. 9.1.5 The ulimit Command With the ulimit (user limits) command, it is possible to set limits for the use of system resources and to have these displayed.
  • Page 118 Example 9.4 ulimit: Settings in ~/.bashrc # Limits maximum resident set size (physical memory): ulimit -m 98304 # Limits of virtual memory: ulimit -v 98304 Memory allocations must be specified in KB. For more detailed information, see man bash. IMPORTANT Not all shells support ulimit directives.
  • Page 119 9.1.7 Man Pages and Info Pages For some GNU applications (such as tar), the man pages are no longer maintained. For these commands, use the --help option to get a quick overview of the info pages, which provide more in-depth instructions. Info is GNU's hypertext system. Read an introduction to this system by entering info info.
  • Page 120: Virtual Consoles

    .gnu-emacs defines the file ~/.gnu-emacs-custom as custom-file. If users make settings with the customize options in Emacs, the settings are saved to ~/.gnu-emacs-custom. With SUSE Linux Enterprise Server, the emacs package installs the file site-start.el in the directory /usr/share/emacs/site-lisp. The file site-start.el is loaded before the initialization file ~/.emacs.
  • Page 121: Keyboard Mapping

    is reserved for X and the tenth console shows kernel messages. More or fewer consoles can be assigned by modifying the file /etc/inittab. To switch to a console from X without shutting it down, use Ctrl + Alt + F1 to Ctrl + Alt + F6.
  • Page 122: Language And Country-Specific Settings

    9.4 Language and Country-Specific Settings The system is, to a very large extent, internationalized and can be flexibly modified for local needs. In other words, internationalization (I18N) allows specific localizations (L10N). The abbreviations I18N and L10N are derived from the first and last letters of the words and, in between, the number of letters omitted.
  • Page 123 9.4.1 Some Examples You should always set the language and country codes together. Language settings follow the standard ISO 639 available at http://www.evertype.com/standards/iso639/iso639-en.html and http://www.loc.gov/standards/iso639-2/. Country codes are listed in ISO 3166 available at http://www.din.de/gremien/nas/nabd/iso3166ma/codlstp1/en_listp1.html. It only makes sense to set values for which usable description files can be found in /usr/lib/locale.
  • Page 124 profile. /etc/SuSEconfig/csh.cshrc is sourced by /etc/csh.cshrc. This makes the settings available systemwide. Users can override the system defaults by editing their ~/.bashrc accordingly. For instance, if you do not want to use the systemwide en_US for program messages, include LC_MESSAGES=es_ES so that messages are displayed in Spanish instead. 9.4.2 Locale Settings in ~/.i18n If you are not satisfied with locale system defaults, change the settings in ~/.i18n according to the Bash scripting syntax.
  • Page 125 LANG="nb_NO" LANGUAGE="nb_NO:nn_NO:no" Note that in Norwegian, LC_TIME is also treated differently. One problem that can arise is a separator used to delimit groups of digits not being recognized properly. This occurs if LANG is set to only a two-letter language code like de, but the definition file glibc uses is located in /usr/share/lib/de_DE/LC_NUMERIC.
  • Page 127: 10 Printer Operation

    Printer Operation SUSE® Linux Enterprise Server supports printing with many types of printers, including remote network printers. Printers can be configured manually or with YaST. For configuration instructions, refer to Section “Setting Up a Printer” (Chapter 8, Setting Up Hardware Components with YaST, ↑Deployment Guide).
  • Page 128 Standard Printers (Languages Like PCL and ESC/P) Although these printer languages are quite old, they are still undergoing expansion to address new features in printers. In the case of known printer languages, the print system can convert PostScript jobs to the respective printer language with the help of Ghostscript.
  • Page 129: The Workflow Of The Printing System

    10.1 The Workflow of the Printing System The user creates a print job. The print job consists of the data to print plus information for the spooler, such as the name of the printer or the name of the printer queue, and optionally, information for the filter, such as printer-specific options.
  • Page 130: Installing The Software

    WARNING: Changing Cable Connections in a Running System When connecting the printer to the machine, do not forget that only USB devices can be plugged in or unplugged during operation. To avoid damaging your system or printer, shut down the system before changing any connections that are not USB.
  • Page 131: Network Printers

    10.4 Network Printers A network printer can support various protocols, some of them even concurrently. Although most of the supported protocols are standardized, some manufacturers expand (modify) the standard because they test systems that have not implemented the standard correctly or because they want to provide certain functions that are not available in the standard.
  • Page 132 SMB (Windows Share) CUPS also supports printing on printers connected to Windows shares. The protocol used for this purpose is SMB. SMB uses the port numbers 137, 138 and 139. Example device URIs are smb://user:password@workgroup/smb.example.com/printer, smb://user:password@smb.example.com/printer, and smb://smb.example.com/printer. The protocol supported by the printer must be determined before configuration. If the manufacturer does not provide the needed information, the command nmap (which comes with the nmap package) can be used to ascertain the protocol.
  • Page 133: Graphical Printing Interfaces

    lpadmin -p ps -v parallel:/dev/lp0 -P \ /usr/share/cups/model/Postscript.ppd.gz -E The following example configures a network printer: lpadmin -p ps -v socket://192.168.2.202:9100/ -P \ /usr/share/cups/model/Postscript-level1.ppd.gz -E For more options of lpadmin, see the man page of lpadmin(1). During printer setup, certain options are set as default. These options can be modified for every print job (depending on the print tool used).
  • Page 134: Printing From The Command Line

    either kprinter or kprinter --stdin as the print command. The command to use depends on how the application transmits the data—just try which one works. If set up correctly, the application should open the KPrinter dialog whenever a print job is issued from it, so you can use the dialog to select a queue and set other printing options.
  • Page 135 CUPS Client Normally, a CUPS client runs on a regular workstation located in a trusted network environment behind a firewall. In this case it is recommended to configure the network interface to be in the Internal Zone, so the workstation is reachable from within the network.
  • Page 136 CUPS PPD Files in the cups Package The generic PPD files in the cups package have been complemented with adapted Foomatic PPD files for PostScript level 1 and level 2 printers: • /usr/share/cups/model/Postscript-level1.ppd.gz • /usr/share/cups/model/Postscript-level2.ppd.gz PPD Files in the cups-drivers Package Normally, the Foomatic printer filter foomatic-rip is used together with Ghostscript for non-PostScript printers.
  • Page 137: Troubleshooting

    manufacturer-PPDs. YaST cannot use any PPD file from the manufacturer-PPDs package if the model name does not match. This may happen if the manufacturer-PPDs package contains only one PPD file for similar models, like Funprinter 12xx series. In this case, select the respective PPD file manually in YaST.
  • Page 138 printers that support a standard printer language do not depend on a special print system version or a special hardware platform. Instead of spending time trying to make a proprietary Linux driver work, it may be more cost-effective to purchase a supported printer. This would solve the driver problem once and for all, eliminating the need to install and configure special driver software and obtain driver updates that may be required due to new developments in the print system.
  • Page 139 If the printer cannot be addressed on the parallel port despite these settings, enter the I/O address explicitly in accordance with the setting in the BIOS in the form 0x378 in /etc/modprobe.conf. If there are two parallel ports that are set to the I/O addresses 378 and 278 (hexadecimal), enter these in the form 0x378,0x278.
  • Page 140 echo -e "\004queue" \ | netcat -w 2 -p 722 host 515 If lpd does not respond, it may not be active or there may be basic network problems. If lpd responds, the response should show why printing is not possible on the queue on host.
  • Page 141 The next command can be used to test if the queue on host accepts a print job consisting of a single carriage-return character. Nothing should be printed. Possibly, a blank page may be ejected. echo -en "\r" \ | lp -d queue -h host Troubleshooting a Network Printer or Print Server Box Spoolers running in a print server box sometimes cause problems when they have to deal with multiple print jobs.
  • Page 142 10.8.5 Defective Printouts without Error Message For the print system, the print job is completed when the CUPS back-end completes the data transfer to the recipient (printer). If further processing on the recipient fails (for example, if the printer is not able to print the printer-specific data) the print system does not notice this.
  • Page 143 10.8.8 Defective Print Jobs and Data Transfer Errors If you switch the printer off or shut down the computer during the printing process, print jobs remain in the queue. Printing resumes when the computer (or the printer) is switched back on. Defective print jobs must be removed from the queue with cancel. If a print job is defective or an error occurs in the communication between the host and the printer, the printer prints numerous sheets of paper with unintelligible characters, because it is unable to process the data correctly.
  • Page 144 6 Check the messages in /var/log/cups/error_log* to identify the cause of the problem. 10.8.10 For More Information Solutions to many specific problems are presented in the Novell Knowledgebase (http://support.novell.com/). Locate the relevant articles with a text search for CUPS.
  • Page 145: 11 Dynamic Kernel Device Management With udev

    Dynamic Kernel Device Management with udev The kernel can add or remove almost any device in a running system. Changes in the device state (whether a device is plugged in or removed) need to be propagated to userspace. Devices need to be configured as soon as they are plugged in and recognized. Users of a certain device need to be informed about any changes in this device's recognized state.
  • Page 146: Kernel uevents And udev

    11.2 Kernel uevents and udev The required device information is exported by the sysfs file system. For every device the kernel has detected and initialized, a directory with the device name is created. It contains attribute files with device-specific properties. Every time a device is added or removed, the kernel sends a uevent to notify udev of the change.
  • Page 147: Booting And Initial Device Setup

    calling modprobe for every event that carries a MODALIAS key. If modprobe $MODALIAS is called, it matches the device alias composed for the device with the aliases provided by the modules. If a matching entry is found, that module is loaded. All this is automatically triggered by udev.
  • Page 148 UEVENT[1185238505.279527] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0 (usb)
    UDEV  [1185238505.285573] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0 (usb)
    UEVENT[1185238505.298878] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0/input/input10 (input)
    UDEV  [1185238505.305026] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0/input/input10 (input)
    UEVENT[1185238505.305442] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0/input/input10/mouse2 (input)
    UEVENT[1185238505.306440] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0/input/input10/event4 (input)
    UDEV  [1185238505.325384] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0/input/input10/event4 (input)
    UDEV  [1185238505.342257] add /devices/pci0000:00/0000:00:1d.2/usb3/3-1/3-1:1.0/input/input10/mouse2 (input)
    The UEVENT lines show the events the kernel has sent over netlink. The UDEV lines show the finished udev event handlers.
  • Page 149: Influencing Kernel Device Event Handling With udev Rules

    11.6 Influencing Kernel Device Event Handling with udev Rules A udev rule can match any property the kernel adds to the event itself or any information that the kernel exports to sysfs. The rule can also request additional information from external programs.
  • Page 150 The serial devices rule is not available in 50-udev-default.rules anymore, but it is still worth considering. It consists of two match keys (KERNEL and ATTRS) and one assign key (SYMLINK). The KERNEL key searches for all devices of the ttyUSB type. Using the * wild card, this key matches several of these devices. The second match key, ATTRS, checks whether the product attribute file in sysfs for any ttyUSB device contains a certain string.
  • Page 151 • udev rules support substitutions. 11.6.1 Using Operators in udev Rules Creating keys you can choose from several different operators, depending on the type of key you want to create. Match keys will normally just be used to find a value that either matches or explicitly mismatches the search value.
  • Page 152 %p, $devpath The value of DEVPATH. %k, $kernel The value of KERNEL or the internal device name. %n, $number The device number. %N, $tempnode The temporary name of the device file. %M, $major The major number of the device. %m, $minor The minor number of the device.
  • Page 153 ACTION The name of the event action, for example, add or remove when adding or removing a device. DEVPATH The device path of the event device, for example, DEVPATH=/bus/pci/drivers/ipw3945 to search for all events related to the ipw3945 driver. KERNEL The internal (kernel) name of the event device.
  • Page 154 PROGRAM Let udev execute an external program. To be successful, the program must return with exit code zero. The program's output, printed to stdout, is available to the RESULT key. RESULT Match the output string of the last PROGRAM call. Either include this key in the same rule as the PROGRAM key or in a later one.
  • Page 155 Tell udev to add a program to the list of programs to be executed for this device. Keep in mind to restrict this to very short tasks to avoid blocking further events for this device. LABEL Add a label where a GOTO can jump to. GOTO Tell udev to skip a number of rules and continue with the one that carries the label referenced by the GOTO key.
  • Page 156: Persistent Device Naming

    11.7 Persistent Device Naming The dynamic device directory and the udev rules infrastructure make it possible to provide stable names for all disk devices—regardless of their order of recognition or the connection used for the device. Every appropriate block device the kernel creates is examined by tools with special knowledge about certain buses, drive types or file systems.
  • Page 157: For More Information

    The following files and directories contain the crucial elements of the udev infrastructure: /etc/udev/udev.conf Main udev configuration file. /etc/udev/rules.d/* udev event matching rules. /lib/udev/devices/* Static /dev content. /lib/udev/* Helper programs called from udev rules. 11.9 For More Information For more information about the udev infrastructure, refer to the following man pages: udev General information about udev, keys, rules and other important configuration issues.
  • Page 159: 12 The X Window System

    The X Window System The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. X is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet). This chapter describes the setup and optimization of the X Window System environment, and provides background information about the use of fonts in SUSE®...
  • Page 160 WARNING: Faulty X Configurations can Damage Your Hardware Be very careful when configuring your X Window System. Never start the X Window System until the configuration is finished. A misconfigured system can cause irreparable damage to your hardware (this applies especially to fixed-frequency monitors).
  • Page 161 Table 12.1 Sections in /etc/X11/xorg.conf Type Meaning Files The paths used for fonts and the RGB color table. ServerFlags General switches for the server behavior. Module A list of modules the server should load. InputDevice Input devices like keyboards and special input devices (touchpads, joysticks, etc.) are configured in this section.
  • Page 162 Type Meaning Device A specific graphics card. It is referenced by its descriptive name. The options available in this section strongly depend on the driver used. For example, if you use the i810 driver, find more information about the available options in the manual page man 4 i810.
  • Page 163 12.1.1 Screen Section The screen section combines a monitor with a device section and determines the resolution and color depth to use. A screen section might resemble Example 12.1, “Screen Section of the File /etc/X11/xorg.conf” (page 149). Example 12.1 Screen Section of the File /etc/X11/xorg.conf Section "Screen"...
  • Page 164 on the capability of both the monitor and the graphics card. The Monitor settings determine the resulting Modeline. The first resolution found is the Default mode. With Ctrl + Alt + + (on the number pad) switch to the next resolution in the list to the right. With Ctrl + Alt + –...
  • Page 165 Driver "mga" Identifier "Device[0]" VendorName "Matrox" Option "sw_cursor" EndSection The BusID refers to the PCI or AGP slot in which the graphics card is installed. This matches the ID displayed by the command lspci. The X server needs details in decimal form, but lspci displays these in hexadecimal form. The value of BusID is automatically detected by SaX2.
  • Page 166: Installing And Configuring Fonts

    the X server calculates appropriate values from the general synchronization values. The server layout section specifies which Monitor section is relevant. Monitor definitions should only be set by experienced users. The modelines are an important part of the Monitor sections. Modelines set horizontal and vertical timings for the respective resolution.
  • Page 167 links starting with a two digit number are loaded by fontconfig. For a more detailed explanation of this functionality, have a look at /etc/fonts/conf.d/README. <!-- Font directory list --> <dir>/usr/share/fonts</dir> <dir>/usr/X11R6/lib/X11/fonts</dir> <dir>/opt/kde3/share/fonts</dir> <dir>/usr/local/share/fonts</dir> <dir>~/.fonts</dir> <include ignore_missing="yes">conf.d</include> /etc/fonts/suse-font-dirs.conf is automatically generated to pull in fonts that ship with (mostly third party) applications like OpenOffice.org, Java or Adobe Acrobat Reader.
  • Page 168 12.2.1 X11 Core Fonts Today, the X11 core font system supports not only bitmap fonts but also scalable fonts, like Type1 fonts, TrueType, and OpenType fonts. Scalable fonts are only supported without antialiasing and subpixel rendering and the loading of large scalable fonts with glyphs for many languages may take a long time.
  • Page 169 12.2.2 Xft From the outset, the programmers of Xft made sure that scalable fonts including antialiasing are well supported. If Xft is used, the fonts are rendered by the application using the fonts, not by the X server as in the X11 core font system. In this way, the respective application has access to the actual font files and full control of how the glyphs are rendered.
  • Page 170 to disable antialiasing for all fonts or <match target="font"> <test name="family"> <string>Luxi Mono</string> <string>Luxi Sans</string> </test> <edit name="antialias" mode="assign"> <bool>false</bool> </edit> </match> to disable antialiasing for specific fonts. By default, most applications use the font names sans-serif (or the equivalent sans), serif, or monospace.
  • Page 171 (:lang=he), their font names (family), their style (style), their weight (weight) and the name of the files containing the fonts, enter the following command: fc-list ":lang=he:scalable=true" family style weight The output of this command could look like the following: Lucida Sans:style=Demibold:weight=200 DejaVu Sans:style=Bold Oblique:weight=200 Lucida Sans Typewriter:style=Bold:weight=200 FreeSerif:style=Bold,polkrepko:weight=200...
  • Page 172: For More Information

    Parameter Meaning and Possible Values bitmap true for bitmap fonts or false for other fonts. pixelsize Font size in pixels. In connection with fc-list, this option only makes sense for bitmap fonts. 12.3 For More Information Install the packages xorg-x11-doc and howtoenh to get more in-depth information about X11.
  • Page 173: 13 Accessing File Systems With FUSE

    Accessing File Systems with FUSE FUSE is the acronym for file system in userspace. This means you can configure and mount a file system as an unprivileged user. Normally, you have to be root for this task. FUSE alone is a kernel module. Combined with plug-ins, it allows you to extend FUSE to access almost all file systems like remote SSH connections, ISO images, and more. 13.1 Configuring FUSE...
  • Page 174: Mounting Remote File System With sshfs

    1 Become root and install the package ntfs-3g. 2 Create the directory /media/windows. 3 Find out which Windows partition you need. Use YaST and start the partitioner module to see which partition belongs to Windows, but do not modify anything. Alternatively, become root and execute /sbin/fdisk -l.
  • Page 175: Mounting An ISO File System

    2 Create a directory, where you want to access the remote computer. A good idea is to use ~/mounts/HOST. Replace HOST with the name of your remote computer. 3 Mount the remote file system: sshfs USER@HOST: ~/mounts/HOST Replace USER and HOST with your respective values. 4 Enter your password for the remote computer.
  • Page 176: For More Information

    wdfs mount WebDAV file systems 13.6 For More Information See the homepage of FUSE at http://fuse.sourceforge.net for more information.
  • Page 177: Part III Mobile Computers

    Part III. Mobile Computers...
  • Page 179: 14 Mobile Computing With Linux

    Mobile Computing with Linux Mobile computing is mostly associated with laptops, PDAs and cellular phones (and the data exchange between them). Mobile hardware components, such as external hard disks, flash drives, or digital cameras, can be connected to laptops or desktop systems. A number of software components are involved in mobile computing scenarios and some applications are tailor-made for mobile use.
  • Page 180 14.1.1 Power Conservation The inclusion of energy-optimized system components during laptop manufacturing contributes to their suitability for use without access to the electrical power grid. Their contribution towards conservation of power is at least as important as that of the operating system.
  • Page 181 Figure 14.1 Integrating a Mobile Computer in an Existing Environment Printing Mail Proxy X configuration Network The services affected in the case of a laptop commuting back and forth between a small home network and an office network are: Network This includes IP address assignment, name resolution, Internet connectivity and connectivity to other networks.
  • Page 182 SUSE Linux Enterprise Server offers several ways of integrating laptops into existing operating environments: NetworkManager NetworkManager is especially tailored for mobile networking on laptops. It provides a means to easily and automatically switch between network environments or different types of networks, such as wireless LAN and ethernet. NetworkManager supports WEP and WPA-PSK encryption in wireless LANs.
  • Page 183: System Monitoring

    profiles for all the different setups you want to use this system in. Switching between profiles can either be done in the running system via scpm or at system boot time via the F3 key. When switching profiles, SCPM automatically adjusts your system configuration to the new environment laid out in the profile you have chosen.
  • Page 184: Wireless Communication

    lected data can be customized. It is possible to monitor different system parameters in various data pages or collect the data of various machines in parallel over the network. KSysguard can also run as a daemon on machines without a KDE environment.
  • Page 185: Data Security

    WLAN With the largest range of these wireless technologies, WLAN is the only one suitable for the operation of large and sometimes even spatially disjointed networks. Single machines can connect with each other to form an independent wireless network or access the Internet.
  • Page 186: Mobile Hardware

    Strong Authentication Use biometric authentication in addition to standard authentication via login and password. SUSE Linux Enterprise Server supports fingerprint authentication. For more details, see Chapter 7, Using the Fingerprint Reader (↑Security Guide). Securing Data on the System Important data should not only be encrypted during transmission, but also on the hard disk.
  • Page 187: Cellular Phones and PDAs

    a hard disk from the name it had been given by the system, select the corresponding menu item from the menu that opens when the icon is right-clicked. This name change is limited to display in the file manager. The descriptor by which the device is mounted in /media remains unaffected by this.
  • Page 188 SUSE maintains a mailing list in German dedicated to the subject of laptops. See http://lists.opensuse.org/opensuse-mobile-de/. On this list, users and developers discuss all aspects of mobile computing with SUSE Linux Enterprise Server. Postings in English are answered, but the majority of the archived information (http://lists.opensuse.org/) is only available in German.
  • Page 189: 15 Power Management

    Power Management ►zseries: The features and hardware described in this chapter do not exist on IBM System z, making this chapter irrelevant for these platforms. ◄ Power management is especially important on laptop computers, but is also useful on other systems. ACPI (advanced configuration and power interface) is available on all modern computers (laptops, desktops, and servers).
  • Page 190: ACPI

    Hibernation (suspend to disk) In this operating mode, the entire system state is written to the hard disk and the system is powered off. There must be a swap partition at least as big as the RAM to write all the active data. Reactivation from this state takes about 30 to 90 seconds. The state prior to the suspend is restored.
  • Page 191 15.2.1 Controlling the CPU Performance The CPU can save energy in three ways. Depending on the operating mode of the computer, these methods can be combined. Saving energy also means that the system heats up less and the fans are activated less frequently. Frequency and Voltage Scaling PowerNow! and Speedstep are the designations AMD and Intel use for this technology.
  • Page 192 performance governor The CPU frequency is statically set to the highest possible. Throttling the Clock Frequency This technology omits a certain percentage of the clock signal impulses for the CPU. At 25% throttling, every fourth impulse is omitted. At 87.5%, only every eighth impulse reaches the processor.
  • Page 193 monitoring changes (akpi, acpiw, gtkacpiw) and tools for editing the ACPI tables in the BIOS (package pmtools). 15.2.3 Troubleshooting There are two different types of problems. On one hand, the ACPI code of the kernel may contain bugs that were not detected in time. In this case, a solution will be made available for download.
  • Page 194: Rest for the Hard Disk

    BIOS is ignored. The procedure is described in Section 15.4, “Troubleshooting” (page 182). In the kernel configuration, there is a switch for activating ACPI debug messages. If a kernel with ACPI debugging is compiled and installed, experts searching for an error can be supported with detailed information.
  • Page 195 Values from 1 to 240 are multiplied by 5 seconds. Values from 241 to 251 correspond to 1 to 11 times 30 minutes. Internal power saving options of the hard disk can be controlled with the option -B. Select a value from 0 to 255 for maximum saving to maximum throughput. The result depends on the hard disk used and is difficult to assess.
  • Page 196: Troubleshooting

    down. To avoid this, a special kernel extension has been developed for mobile devices. See /usr/src/linux/Documentation/laptop-mode.txt for details. Another important factor is the way active programs behave. For example, good editors regularly write hidden backups of the currently modified file to the hard disk, causing the disk to wake up.
  • Page 197 shown by the file extension .aml (ACPI machine language). If this is the case, continue with step 3. 2 If the file extension of the downloaded table is .asl (ACPI source language), compile it with iasl (package pmtools). Enter the command iasl -sa file.asl.
  • Page 198: For More Information

    15.5 For More Information • http://www.opensuse.org/S2ram—How to get Suspend to RAM working • http://www.opensuse.org/Pm-utils—How to modify the general suspend framework
  • Page 199: 16 Using Tablet PCs

    Using Tablet PCs SUSE® Linux Enterprise Server comes with support for Tablet PCs. In the following, learn how to install and configure your Tablet PC and discover some useful Linux* applications which accept input from digital pens. The following Tablet PCs are supported: •...
  • Page 200: Installing Tablet PC Packages

    After you have installed the Tablet PC packages and configured your digitizer correctly, input with the pen (also called a stylus) can be used for the following actions and applications: • Logging in to KDM or GDM • Unlocking your screen on the KDE and GNOME desktops •...
  • Page 201: Configuring Your Tablet Device

    • xournal: an application for note taking and sketching • xstroke: a gesture recognition program for the X Window System • xvkbd: a virtual keyboard for the X Window System • x11-input-fujitsu: the X input module for Fujitsu P-Series tablets •...
  • Page 202: Using The Virtual Keyboard

    4 Switch to the Electronic Pens tab and make sure the following options are activated: Add Pen and Add Eraser. If you have a Tablet PC with touch screen, also activate Add Touch. 5 Click OK to save the changes. After finishing the X Window System configuration, restart your X server by logging out.
  • Page 203: Rotating Your Display

    16.4 Rotating Your Display Use KRandRTray (KDE) or gnome-display-properties (GNOME) to rotate or resize your display manually on the fly. Both KRandRTray and gnome-display-properties are applets for the RANDR extension of the X server. Start KRandRTray or gnome-display-properties from the main menu, or enter krandrtray or gnome-display-properties to start the applet from a shell.
  • Page 204 Procedure 16.1 Training CellWriter 1 Start CellWriter from the main menu or with cellwriter from the command line. On the first start, CellWriter automatically starts in the training mode. In training mode it shows a set of characters of the currently chosen key map. 2 Enter the gesture you would like to use for a character into the respective character's cell.
  • Page 205 Figure 16.2 Gesture Recognition with CellWriter If you click the Keys button in CellWriter, you get a virtual keyboard that can be used instead of the handwriting recognition. To hide CellWriter, close the CellWriter window. The application now appears as an icon in your system tray.
  • Page 206: Taking Notes And Sketching With The Pen

    16.6 Taking Notes and Sketching with the Pen To create drawings with the pen, you can use a professional graphics editor like The GIMP or try one of the note-taking applications, Xournal or Jarnal. With both Xournal and Jarnal, you can take notes, create drawings or comment PDF files with the pen. As a Java-based application available for several platforms, Jarnal (http://www.dklevine.com/) also offers basic collaboration features.
  • Page 207 of text using only the pen (or other input devices—it can even be driven with an eye tracker). Start Dasher from the main menu or with dasher from a shell. Move your pen in one direction and the application starts to zoom into the letters on the right side. From the letters passing the cross hairs in the middle, the text is created or predicted and is printed to the upper part of the window.
  • Page 208: Troubleshooting

    16.7 Troubleshooting Virtual Keyboard Does Not Appear on Login Screen Occasionally, the virtual keyboard is not displayed on the login screen. To solve this, restart the X server by pressing Ctrl + Alt + <— or press the appropriate key on your Tablet PC (if you use a slate model without integrated keyboard).
  • Page 209: For More Information

    use your fingers on the tablet to move the cursor), you also need to rotate the touch device. 16.8 For More Information Some of the applications mentioned here do not offer integrated online help, but you can find some useful information about usage and configuration in your installed system in /usr/share/doc/package/packagename or on the Web: •...
  • Page 211: Part IV Services

    Part IV. Services...
  • Page 213: 17 Basic Networking

    Basic Networking Linux offers the necessary networking tools and features for integration into all types of network structures. The customary Linux protocol (TCP/IP) has various services and special features, which are discussed here. Network access using a network card, modem or other device can be configured with YaST. Manual configuration is also possible.
  • Page 214 Table 17.1 Several Protocols in the TCP/IP Protocol Family (columns: Protocol, Description) Transmission Control Protocol: a connection-oriented secure protocol. The data to transmit is first sent by the application as a stream of data and converted into the appropriate format by the operating system. The data arrives at the respective application on the destination host in the original data stream format in which it was initially sent.
  • Page 215 Figure 17.1 Simplified Layer Model for TCP/IP (figure: hosts sun and earth, each with an Application Layer [applications], Transport Layer [TCP, UDP], Network Layer, Data Link Layer [Ethernet, FDDI, ISDN] and Physical Layer [cable, fiberglass]; data transfer between the two hosts) The diagram provides one or two examples for each layer.
  • Page 216: IP Addresses and Routing

    located at the end of the packet, not at the beginning. This simplifies things for the network hardware. Figure 17.2 TCP/IP Ethernet Packet (figure: usage data, maximum 1460 bytes; TCP (layer 4) protocol header, approx. 20 bytes; IP (layer 3) protocol header, approx. 20 bytes; Ethernet (layer 2) protocol header, approx.
  • Page 217 17.1.1 IP Addresses Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Example 17.1, “Writing IP Addresses” (page 203). Example 17.1 Writing IP Addresses IP Address (binary): 11000000 10101000 00000000 00010100 IP Address (decimal):...
  • Page 218 Example 17.2 Linking IP Addresses to the Netmask
    IP address (192.168.0.20):  11000000 10101000 00000000 00010100
    Netmask (255.255.255.0):    11111111 11111111 11111111 00000000
    ---------------------------------------------------------------
    Result of the link:         11000000 10101000 00000000 00000000
    In the decimal system:           192.     168.       0.       0
    IP address (213.95.15.200): 11010101 10111111 00001111 11001000
    Netmask (255.255.255.0):    11111111 11111111 11111111 00000000
    ---------------------------------------------------------------...
  • Page 219: IPv6 - The Next Generation Internet

    Address Type Description ample therefore results in 192.168.0.255. This address cannot be assigned to any hosts. Local Host The address 127.0.0.1 is assigned to the “loopback device” on each host. A connection can be set up to your own machine with this address.
  • Page 220 in the past fifteen years. Since Tim Berners-Lee at CERN (http://public.web.cern.ch) invented the WWW in 1990, the number of Internet hosts has grown from a few thousand to about a hundred million. As mentioned, an IPv4 address consists of only 32 bits. Also, quite a few IP addresses are lost—they cannot be used due to the way in which networks are organized.
  • Page 221 Autoconfiguration IPv6 makes the network “plug and play” capable, which means that a newly set up system integrates into the (local) network without any manual configuration. The new host uses its automatic configuration mechanism to derive its own address from the information made available by the neighboring routers, relying on a protocol called the neighbor discovery (ND) protocol.
  • Page 222 or each host individually through unicasting). Which hosts are addressed as a group may depend on the concrete application. There are some predefined groups to address all name servers (the all name servers multicast group), for example, or all routers (the all routers multicast group).
  • Page 223 An IPv6 address is made up of eight four-digit fields, each representing 16 bits, written in hexadecimal notation. They are also separated by colons (:). Any leading zero bytes within a given field may be dropped, but zeros within the field or at its end may not. Another convention is that more than four consecutive zero bytes may be collapsed into a double colon.
  • Page 224 Prefix (hex): 2 or 3 as the first digit. Definition: Aggregatable global unicast addresses. As is the case with IPv4, an interface can be assigned to form part of a certain subnetwork. Currently, there are the following address spaces: 2001::/16 (production quality address space) and 2002::/16 (6to4 address space).
  • Page 225 On top of this basic structure, IPv6 distinguishes between five different types of unicast addresses: :: (unspecified) This address is used by the host as its source address when the interface is initialized for the first time—when the address cannot yet be determined by other means. ::1 (loopback) The address of the loopback device.
  • Page 226 through the same interface. One of these networks can be configured completely automatically using the MAC and a known prefix with the result that all hosts on the local network can be reached as soon as IPv6 is enabled (using the link-local address). With the MAC forming part of it, any IP address used in the world is unique.
  • Page 227 However, the configuration and maintenance of static tunnels is often too labor-intensive to use them for daily communication needs. Therefore, IPv6 provides for three different methods of dynamic tunneling: 6over4 IPv6 packets are automatically encapsulated as IPv4 packets and sent over an IPv4 network capable of multicasting.
  • Page 228: Name Resolution

    tions which prefix to use for the IPv6 addresses and which routers. Alternatively, use zebra/quagga for automatic configuration of both addresses and routing. Consult the ifcfg-tunnel (5) man page to get information about how to set up various types of tunnels using the /etc/sysconfig/network files. 17.2.5 For More Information The above overview does not cover the topic of IPv6 comprehensively.
  • Page 229 Consider a complete name, such as jupiter.example.com, written in the format hostname.domain. A full name, referred to as a fully qualified domain name (FQDN), consists of a hostname and a domain name (example.com). The latter also includes the top level domain or TLD (com). TLD assignment has become quite confusing for historical reasons.
  • Page 230: Configuring a Network Connection with YaST

    NOTE: MDNS and .local Domain Names The .local top level domain is treated as link-local domain by the resolver. DNS requests are sent as multicast DNS requests instead of normal DNS requests. If you already use the .local domain in your nameserver configuration, you must switch this option off in /etc/host.conf.
  • Page 231 17.4.1 Configuring the Network Card with YaST To configure your wired or wireless network card in YaST, select Network Devices > Network Settings. After starting the module, YaST displays the Network Settings dialog with four tabs: Global Options, Overview, Hostname/DNS and Routing. The Global Options tab allows you to set general networking options such as the use of NetworkManager, IPv6 and general DHCP options.
  • Page 232 Figure 17.3 Configuring Network Settings Configuring Global Networking Options The Global Options tab of the YaST Network Settings module allows you to set important global networking options, such as the use of NetworkManager, IPv6 and DHCP client options. These settings are applicable for all network interfaces. In the Network Setup Method choose the way network connections are managed.
  • Page 233 networks not using IPv6 protocol, response times can be faster with IPv6 protocol disabled. If you want to disable IPv6, uncheck the Enable IPv6 option. This disables autoload of the kernel module for IPv6. This will be applied after reboot. In the DHCP Client Options configure options for the DHCP client.
  • Page 234 If possible, the first network card with link that is available during the installation is automatically configured to use automatic address setup via DHCP. On SUSE Linux Enterprise Desktop, where NetworkManager is active by default, all network cards are configured. NOTE: IBM System z and DHCP On IBM System z platforms, DHCP-based address configuration is only supported with network cards that have a MAC address.
  • Page 235 If you use the static address, the name servers and default gateway are not configured automatically. To configure name servers, proceed as described in Section “Configuring Hostname and DNS” (page 225). To configure a gateway, proceed as described in Section “Configuring Routing”...
  • Page 236 4 To change the device name, check the Change Device Name option and edit the name. 5 Click OK and Next. 6 To activate the configuration, click OK. Changing Network Card Kernel Driver For some network cards, several kernel drivers may be available. If the card is already configured, YaST allows you to select a kernel driver to be used from a list of available suitable drivers.
  • Page 237 On Hotplug, the interface is set as soon as available. It is similar to the At Boot Time option, and only differs in the fact that no error occurs if the interface is not present at boot time. Choose Manually to control the interface manually with ifup or KInternet.
  • Page 238 2 Enter the General tab of the Network Settings dialog. 3 Determine the firewall zone to which your interface should be assigned. The following options are available: Firewall Disabled This option is available only if the firewall is disabled and the firewall does not run at all.
  • Page 239 can configure it manually. You can also configure special network device types, such as bridge, bond, TUN or TAP. To configure an undetected network card (or a special device) proceed as follows: 1 In the Network Devices > Network Settings > Overview dialog in YaST click Add.
  • Page 240 1 Go to the Network Settings > Hostname/DNS tab in the Network Devices module in YaST. 2 Enter the Hostname and, if needed, the Domain Name. The domain is especially important if the machine is a mail server. Note that the hostname is global and applies to all set network interfaces.
  • Page 241 STATIC_FALLBACK The static settings are used only when no dynamic configuration is available. For more information, see man 8 netconfig. 4 Enter the Name Servers and fill in the Domain Search list. Name servers must be specified by IP addresses, such as 192.168.1.116, not by hostnames. Names specified in the Domain Search tab are domain names used for resolving hostnames without a specified domain.
  • Page 242 kernel does not use metric in static routing, only routing daemons like multipathd do. 4 If the system is a router, enable the IP Forwarding option in the Network Settings. 5 To activate the configuration, click OK. 17.4.2 Modem TIP: IBM System z: Modem The configuration of this type of hardware is not supported on IBM System z platforms.
  • Page 243 Figure 17.4 Modem Configuration If you are behind a private branch exchange (PBX), you may need to enter a dial prefix. This is often a zero. Consult the instructions that came with the PBX to find out. Also select whether to use tone or pulse dialing, whether the speaker should be on and whether the modem should wait until it detects a dial tone.
  • Page 244 In the last dialog, specify additional connection options: Dial on Demand If you enable Dial on Demand, set at least one name server. Use this feature only if your Internet connection is inexpensive, because there are programs that periodically request data from the Internet. Modify DNS when Connected This option is enabled by default, with the effect that the name server address is updated each time you connect to the Internet.
  • Page 245 17.4.3 ISDN TIP: IBM System z: ISDN The configuration of this type of hardware is not supported on IBM System z platforms. Use this module to configure one or several ISDN cards for your system. If YaST did not detect your ISDN card, click on Add in the ISDN Devices tab and manually select your card.
  • Page 246 your Area Code and the Dial Prefix if necessary. If you do not want to log all your ISDN traffic, uncheck the Start ISDN Log option. Activate Device defines how the ISDN interface should be started: At Boot Time causes the ISDN driver to be initialized each time the system boots.
  • Page 247 ISDN Card Connected to a Private Branch Exchange Again, the configuration may vary depending on the equipment installed: 1. Smaller private branch exchanges (PBX) built for home purposes mostly use the Euro-ISDN (EDSS1) protocol for internal calls. These exchanges have an internal S0 bus and use internal numbers for the equipment connected to them.
  • Page 248 To use Dial on Demand on a stand-alone workstation, specify the name server (DNS server) as well. Most ISPs support dynamic DNS, which means the IP address of a name server is sent by the ISP each time you connect. For a single workstation, however, you still need to provide a placeholder address like 192.168.22.99.
  • Page 249 17.4.5 DSL TIP: IBM System z: DSL The configuration of this type of hardware is not supported on IBM System z platforms. To configure your DSL device, select the DSL module from the YaST Network Devices section. This YaST module consists of several dialogs in which to set the parameters of DSL links based on one of the following protocols: •...
  • Page 250 most cases, this is eth0). Then use Activate Device to specify whether the DSL link should be established during the boot process. Click Enable Device Control for Non-root User via KInternet to authorize the normal user without root permissions to activate or deactivate the interface with KInternet.
  • Page 251 onds. If Dial on Demand is disabled, it may be useful to set the time-out to zero to prevent automatic hang-up. The configuration of T-DSL is very similar to the DSL setup. Just select T-Online as your provider and YaST opens the T-DSL configuration dialog. In this dialog, provide some additional information required for T-DSL—the line ID, the T-Online number, the user code and your password.
  • Page 252 The ctc Device To add a ctc (IBM parallel CTC Adapter) interface to the installed system, start the Network Devices > Network Settings module in YaST. Select one of the devices marked IBM Parallel CTC Adapter to use as your read channel and click Configure. Choose the Device Settings that fit your devices (usually this would be Compatibility Mode).
  • Page 253: NetworkManager

    WARNING The use of this interface is deprecated. This interface will not be supported in future versions of SUSE Linux Enterprise Server. 17.5 NetworkManager NetworkManager is the ideal solution for a mobile workstation. With NetworkManager, you do not need to worry about configuring network interfaces and switching between networks when you are moving.
  • Page 254: Configuring a Network Connection Manually

    Types of Network Connections Both traditional configuration and NetworkManager can handle network connections with a wireless network (with WEP, WPA-PSK, and WPA-Enterprise access), dial-up and wired networks using DHCP and static configuration. They also support connection through VPN. NetworkManager tries to keep your computer connected at all times using the best connection available.
  • Page 255: Configuration Files

    Table 17.5, “Manual Network Configuration Scripts” (page 241) summarizes the most important scripts involved in the network configuration. Table 17.5 Manual Network Configuration Scripts Command Function if{up,down,status} The if* scripts start, stop network interfaces or return the status of the specified interface. More information is available in the manual page of ifup.
  • Page 256 manual page of ifup. Additionally, all variables from the files dhcp, wireless and config can be used in the ifcfg-* files if a general setting should be used for only one interface. ►zseries: IBM System z does not support USB. The names of the interface files and network aliases contain System z-specific elements like qeth.
  • Page 257 The second column contains the default gateway or a gateway through which a host or network can be accessed. The third column contains the netmask for networks or hosts behind a gateway. For example, the mask is 255.255.255.255 for a host behind a gateway.
  • Page 258 /sbin/netconfig netconfig is a modular tool to manage additional network configuration settings. It merges statically defined settings with settings provided by autoconfiguration mechanisms such as dhcp or ppp according to a predefined policy. The required changes are applied to the system by calling the netconfig modules that are responsible for modifying a configuration file and restarting a service or a similar action.
  • Page 259 actions. NetworkManager also uses netconfig modify and netconfig remove actions. When NetworkManager is enabled, netconfig (in policy mode auto) uses only NetworkManager settings, ignoring settings from any other interfaces configured using the traditional ifup method. If NetworkManager does not provide any setting, static settings are used as a fallback.
  • Page 260 must always stand alone in its own line. Comments are preceded by a # sign. Table 17.6, “Parameters for /etc/host.conf” (page 246) shows the parameters available. A sample /etc/host.conf is shown in Example 17.8, “/etc/host.conf” (page 246). Table 17.6 Parameters for /etc/host.conf order hosts, bind Specifies in which order the services are accessed for the name resolution.
  • Page 261 The order for queries is defined in the file /etc/nsswitch.conf. A sample nsswitch.conf is shown in Example 17.9, “/etc/nsswitch.conf” (page 247). Comments are introduced by # signs. In this example, the entry under the hosts database means that a request is sent to /etc/hosts (files) via DNS (see Chapter 21, The Domain Name System (page 279)).
  • Page 262 networks Network names and addresses, used by getnetent. passwd User passwords, used by getpwent; see the passwd(5) man page. protocols Network protocols, used by getprotoent; see the protocols(5) man page. Remote procedure call names and addresses, used by getrpcbyname and similar functions. services Network services, used by getservent.
  • Page 263: Testing the Configuration

    every access to names or groups. hosts is not cached by default, because the mechanism in nscd to cache hosts makes the local system unable to trust forward and reverse lookup checks. Instead of asking nscd to cache names, set up a caching DNS server. If the caching for passwd is activated, it usually takes about fifteen seconds until a newly added local user is recognized.
  • Page 264 neighbour This object represents an ARP or NDISC cache entry. route This object represents the routing table entry. rule This object represents a rule in the routing policy database. maddress This object represents a multicast address. mroute This object represents a multicast routing cache entry. tunnel This object represents a tunnel over IP.
  • Page 265 For more information about using ip, enter ip help or see the ip(8) man page. The help option is also available for all ip objects. If, for example, you want to read help for ip addr, enter ip addr help. Find the ip manual in /usr/share/doc/packages/iproute2/ip-cref.pdf.
  • Page 266 In a system with multiple network devices, it is sometimes useful to send the ping through a specific interface address. To do so, use the -I option with the name of the selected device, for example, ping -I wlan1 example.com. For more options and information about using ping, enter ping -h or see the ping (8) man page.
  • Page 267 Example 17.11 Output of the ifconfig Command
    eth0      Link encap:Ethernet  HWaddr 00:08:74:98:ED:51
              inet6 addr: fe80::208:74ff:fe98:ed51/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:634735 errors:0 dropped:0 overruns:4 frame:0
              TX packets:154779 errors:0 dropped:0 overruns:0 carrier:1
              collisions:0 txqueuelen:1000
              RX bytes:162531992 (155.0 Mb)  TX bytes:49575995 (47.2 Mb)
              Interrupt:11 Base address:0xec80
              Link encap:Local Loopback
              inet addr:127.0.0.1...
  • Page 268 Example 17.12 Output of the route -n Command
    route -n
    Kernel IP routing table
    Destination   Gateway         Genmask          Flags MSS Window irtt Iface
    10.20.0.0                     255.255.248.0                    0    eth0
    link-local                    255.255.0.0                      0    eth0
    loopback                      255.0.0.0                        0    lo
    default       styx.exam.com   0.0.0.0                          0    eth0
    For more options and information about using route, enter route -h or see the route (8) man page.
  • Page 269: smpppd as Dial-up Assistant

    /etc/init.d/ypbind Starts the NIS client. 17.7 smpppd as Dial-up Assistant Some home users do not have a dedicated line connecting them to the Internet. Instead, they use dial-up connections. Depending on the dial-up method (ISDN or DSL), the connection is controlled by ipppd or pppd. Basically, all that needs to be done to go online is to start these programs correctly.
  • Page 270 bind-address = ip address If a host has several IP addresses, use this parameter to determine at which IP address smpppd should accept connections. The default is to listen at all addresses. host-range = min ip max ip The parameter host-range defines a network range. Hosts whose IP addresses are within this range are granted access to smpppd.
  • Page 271 server = server Specify the host on which smpppd runs. port = port Specify the port on which smpppd runs. password = password Insert the password selected for smpppd. If smpppd is active, you can now try to access it. For example, with cinternet --verbose --interface-list.
  • Page 273: 18 Wireless Communication

    Wireless Communication Wireless LAN can be used to establish communication between your SUSE® Linux Enterprise Server machines. This chapter introduces the principles and basic configuration of wireless networking. 18.1 Wireless LAN Wireless LANs have become an indispensable aspect of mobile computing. Today, most laptops have built-in WLAN cards.
  • Page 274
    Name           Band (GHz)     Maximum Transmission Rate (Mbit/s)   Note
    802.11b                                                            Less common
    802.11g                                                            Widespread, backwards-compatible with 11b
    802.11n draft  2.4 and/or 5                                        Common
    802.11 Legacy cards are not supported by SUSE® Linux Enterprise Server. Most cards using 802.11a, 802.11b, 802.11g and 802.11n draft are supported. New cards usually comply with the 802.11n draft standard, but cards using 802.11g are still available.
  • Page 275 However, because WEP has proven to be insecure (see Section “Security” (page 267)), the WLAN industry (joined under the name Wi-Fi Alliance) has defined a new extension called WPA, which is supposed to eliminate the weaknesses of WEP. The later IEEE 802.11i standard (also referred to as WPA2, because WPA is based on a draft version of 802.11i) includes WPA and some other authentication and encryption methods.
  • Page 276 WPA-EAP needs a RADIUS server to authenticate users. EAP offers three different methods for connecting and authenticating to the server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol). In a nutshell, these options work as follows: EAP-TLS TLS authentication relies on the mutual exchange of certificates for both server and client.
  • Page 277: Configuration with YaST

    for every data packet, attacks against these keys are fruitless. TKIP is used together with WPA-PSK. CCMP (defined in IEEE 802.11i) CCMP describes the key management. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. The encryption takes place according to AES and is stronger than the RC4 encryption of the WEP standard.
  • Page 278 Figure 18.1 YaST: Configuring the Wireless Network Card Operating Mode A station can be integrated in a WLAN in three different modes. The suitable mode depends on the network in which to communicate: Ad-hoc (peer-to-peer network without access point), Managed (network is managed by an access point), or Master (your network card should be used as the access point).
  • Page 279 WEP Keys Either enter the default key here or click WEP Keys to enter the advanced key configuration dialog. Set the length of the key to 128 bit or 64 bit. The default setting is 128 bit. In the list area at the bottom of the dialog, up to four different keys can be specified for your station to use for the encryption.
  • Page 280 Access Point In an environment with several access points, one of them can be preselected by specifying the MAC address. Use Power Management When you are on the road, use power saving technologies to maximize the operating time of your battery. More information about power management is available in Chapter 15, Power Management (page 175).
  • Page 281 18.1.4 Tips and Tricks for Setting Up a WLAN These tips can help tweak speed and stability as well as security aspects of your WLAN. Stability and Speed The performance and reliability of a wireless network mainly depend on whether the participating stations receive a clean signal from the other stations.
  • Page 282 18.1.5 Troubleshooting If your WLAN card fails to respond, check if you have downloaded the needed firmware. Refer to /usr/share/doc/packages/wireless-tools/README.firmware for more information. Multiple Network Devices Modern laptops usually have a network card and a WLAN card. If you configured both devices with DHCP (automatic address assignment), you may encounter problems with the name resolution and the default gateway.
  • Page 283: 19 SLP Services in the Network

    SLP Services in the Network The service location protocol (SLP) was developed to simplify the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network.
  • Page 284: Activating SLP

    19.2 Activating SLP slpd must run on your system to offer services with SLP. If the machine should only operate as client, and does not offer services, it is not necessary to run slpd. Like most system services in SUSE Linux Enterprise Server, the slpd daemon is controlled by means of a separate init script.
  • Page 285: Installation over SLP

    19.4 Installation over SLP If you offer an installation server with SUSE Linux Enterprise Server installation media within your network, this can be registered with SLP. For details, see Section “Setting Up the Server Holding the Installation Sources” (Chapter 14, Remote Installation, ↑Deployment Guide).
  • Page 286: For More Information

    The second variable contains a more precise description of the service that is displayed in suitable browsers. TIP: YaST and SLP Some services brokered by YaST, such as an installation server or YOU server, perform this registration automatically when you activate SLP in the module dialogs.
  • Page 287: 20 Time Synchronization with NTP

    Time Synchronization with NTP The NTP (network time protocol) mechanism is a protocol for synchronizing the system time over the network. First, a machine can obtain the time from a server that is a reliable time source. Second, a machine can itself act as a time source for other computers in the network.
  • Page 288 firewall-protected system, the advanced configuration can open the required ports in SuSEfirewall2. 20.1.1 Advanced NTP Client Configuration You can either configure the NTP client manually or automatically to get a list of the NTP servers available in your network via DHCP. If you choose Configure NTP Daemon via DHCP, the manual options explained below are not available.
  • Page 289 server, enter the address of the system. The rest of the dialog is identical to the Server dialog. Radio Clock To use a radio clock in your system for the time synchronization, enter the clock type, unit number, device name, and other options in this dialog. Click Driver Calibration to fine-tune the driver.
  • Page 290 Figure 20.1 Advanced NTP Configuration: Security Settings In the Security Settings tab, determine whether ntpd should be started in a chroot jail. By default, Run NTP Daemon in Chroot Jail is activated. This increases the security in the event of an attack over ntpd, as it prevents the attacker from compromising the entire system.
  • Page 291: Manually Configuring ntp in the Network

    20.2 Manually Configuring ntp in the Network The easiest way to use a time server in the network is to set server parameters. For example, if a time server called ntp.example.com is reachable from the network, add its name to the file /etc/ntp.conf by adding the following line: server ntp.example.com To add more time servers, insert additional lines with the keyword server.
  • Page 292: Clock Synchronization to an External Time Reference (ETR)

    work. For this purpose, they are assigned special IP addresses in the form 127.127.t.u. Here, t stands for the type of the clock and determines which driver is used and u for the unit, which determines the interface used. Normally, the individual drivers have special parameters that describe configuration details.
  • Page 293: 21 The Domain Name System

    The Domain Name System DNS (domain name system) is needed to resolve the domain names and hostnames into IP addresses. In this way, the IP address 192.168.2.100 is assigned to the hostname jupiter, for example. Before setting up your own name server, read the general information about DNS in Section 17.3, “Name Resolution”...
  • Page 294: Installation

    (not expired) zone data. If the slave cannot obtain a new copy of the zone data, it stops responding for the zone. Forwarder Forwarders are DNS servers to which your DNS server should send queries it cannot answer. To enable different configuration sources in one configuration, netconfig is used (see also man 8 netconfig).
  • Page 295 aspects. The expert mode can be used to deal with more advanced configuration tasks, such as setting up ACLs, logging, TSIG keys, and other options. 21.3.1 Wizard Configuration The wizard consists of three steps or dialogs. At the appropriate places in the dialogs, you are given the opportunity to enter the expert configuration mode.
  • Page 296 Zone to configure other settings of an existing zone. To remove a zone, click Delete Zone. Figure 21.2 DNS Server Installation: DNS Zones 3 In the final dialog, you can open the DNS port in the firewall by clicking Open Port in Firewall.
  • Page 297 Figure 21.3 DNS Server Installation: Finish Wizard 21.3.2 Expert Configuration After starting the module, YaST opens a window displaying several configuration options. Completing it results in a DNS server configuration with the basic functions in place: Start-Up Under Start-Up, define whether the DNS server should be started on startup (during system boot) or manually.
  • Page 298 Forwarders If your local DNS server cannot answer a request, it tries to forward the request to a Forwarder, if configured so. This forwarder may be added manually to the Forwarder List. If the forwarder is not static like in dial-up connections, netconfig handles the configuration.
  • Page 299 Figure 21.4 DNS Server: Logging Using ACLs Use this window to define ACLs (access control lists) to enforce access restrictions. After providing a distinct name under Name, specify an IP address (with or without netmask) under Value in the following fashion: { 192.168.1/24;...
  • Page 300 To use a previously created key, leave the Key ID field blank and select the file where it is stored under File Name. After that, confirm with Add. Adding a Slave Zone To add a slave zone, select DNS Zones, choose the zone type Slave, write the name of the new zone, and click Add.
  • Page 301 Figure 21.5 DNS Server: Zone Editor (Basic) Zone Editor (NS Records) This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under Name Server to Add then confirm with Add.
  • Page 302 Figure 21.6 DNS Server: Zone Editor (NS Records) Zone Editor (MX Records) To add a mail server for the current zone to the existing list, enter the corresponding address and priority value. After doing so, confirm by selecting Add. See Figure 21.7, “DNS Server: Zone Editor (MX Records)”...
  • Page 303 Zone Editor (SOA) This page allows you to create SOA (start of authority) records. For an explanation of the individual options, refer to Example 21.6, “File /var/lib/named/example.com.zone” (page 296). Changing SOA records is not supported for dynamic zones managed via LDAP. Figure 21.8 DNS Server: Zone Editor (SOA) Zone Editor (Records) This dialog manages name resolution.
  • Page 304: Starting The Name Server Bind

    Generate Records From and select your forward zone. That way, all changes to the forward zone are automatically updated in the reverse zone. 21.4 Starting the Name Server BIND On a SUSE® Linux Enterprise Server system, the name server BIND (Berkeley Internet Name Domain) comes preconfigured so it can be started right after installation without any problem.
  • Page 305: The Configuration File /etc/named.conf

    enter host 127.0.0.1, which should always work. If you get an error message, use rcnamed status to see whether the server is actually running. If the name server does not start or behaves unexpectedly, you can usually find the cause in the log file /var/log/messages.
  • Page 306 /etc/named.conf is roughly divided into two areas. One is the options section for general settings and the other consists of zone entries for the individual domains. A logging section and acl (access control list) entries are optional. Comment lines begin with a # sign or //. A minimal /etc/named.conf is shown in Example 21.2, “A Basic /etc/named.conf”...
  • Page 307 be written to have all requests forwarded and none sent to the root name servers. This makes sense for firewall configurations. listen-on port 53 { 127.0.0.1; ip-address; }; Tells BIND on which network interfaces and port to accept client queries. port 53 does not need to be specified explicitly, because 53 is the default port.
  • Page 308 cleaning-interval 720; This option defines at which time intervals BIND clears its cache. This triggers an entry in /var/log/messages each time it occurs. The time specification is in minutes. The default is 60 minutes. interface-interval 0; BIND regularly searches the network interfaces for new or nonexistent interfaces. If this value is set to 0, this is not done and BIND only listens at the interfaces detected at start-up.
  • Page 309 After zone, specify the name of the domain to administer (example.com) followed by in and a block of relevant options enclosed in curly braces, as shown in Example 21.4, “Zone Entry for example.com” (page 294). To define a slave zone, switch the type to slave and specify a name server that administers this zone as master (which, in turn, may be a slave of another master), as shown in Example 21.5, “Zone...
  • Page 310: Zone Files

    entry, zone updates are not allowed at all. The above entry achieves the same because ! * effectively bans any such activity. 21.6 Zone Files Two types of zone files are needed. One assigns IP addresses to hostnames and the other does the reverse: it supplies a hostname for an IP address.
  • Page 311 Line 1: $TTL defines the default time to live that should apply to all the entries in this file. In this example, entries are valid for a period of two days (2 D). Line 2: This is where the SOA (start of authority) control record begins: •...
  • Page 312 Line 6: The expiration time specifies the time frame after which a secondary name server discards the cached data if it has not regained contact to the primary server. Here, a week. Line 7: The last entry in the SOA record specifies the negative caching TTL—the time for which results of unresolved DNS queries from other servers may be cached.
  • Page 313 pluto AAAA 2345:00C1:CA11::1234:5678:9ABC:DEF0 pluto AAAA 2345:00D2:DA11::1234:5678:9ABC:DEF0 Line 20: The alias ntp can be used to address dns (CNAME means canonical name). The pseudodomain in-addr.arpa is used for the reverse lookup of IP addresses into hostnames. It is appended to the network part of the address in reverse notation. So 192.168 is resolved into 168.192.in-addr.arpa.
  • Page 314: Dynamic Update Of Zone Data

    Line 9: Again this line specifies the name server responsible for this zone. This time, however, the name is entered in its complete form with the domain and a "." at the end. Lines 11–13: These are the pointer records hinting at the IP addresses on the respective hosts. Only the last part of the IP address is entered at the beginning of the line, without the "."...
  • Page 315 Generate a TSIG key with the following command (for details, see man dnssec-keygen): dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2 This creates two files with names similar to these: Khost1-host2.+157+34265.private Khost1-host2.+157+34265.key The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files. To use it for transactions, the second file (Khost1-host2.+157+34265.key) must be transferred to the remote host, preferably in a secure way (using scp, for example).
  • Page 316: DNS Security

    Add TSIG keys for any ACLs (access control lists, not to be confused with file system ACLs) that are defined for IP addresses and address ranges to enable transaction security. The corresponding entry could look like this: allow-update { key host1-host2. ;}; This topic is discussed in more detail in the BIND Administrator Reference Manual under update-policy.
  • Page 317: 22 DHCP

    DHCP The purpose of the dynamic host configuration protocol (DHCP) is to assign network settings centrally (from a server) rather than configuring them locally on each and every workstation. A host configured to use DHCP does not have control over its own static address.
  • Page 318: Configuring a DHCP Server with YaST

    uring numerous workstations. It is also much easier to integrate machines, particularly new machines, into the network, because they can be given an IP address from the pool. Retrieving the appropriate network settings from a DHCP server is especially useful in the case of laptops regularly used in different networks.
  • Page 319 Card Selection In the first step, YaST looks for the network interfaces available on your system, then displays them in a list. From the list, select the interface on which the DHCP server should listen and click Add. After this, select Open Firewall for Selected Interfaces to open the firewall for this interface.
  • Page 320 Figure 22.2 DHCP Server: Global Settings Dynamic DHCP In this step, configure how dynamic IP addresses should be assigned to clients. To do so, specify an IP range from which the server can assign addresses to DHCP clients. All these addresses must be covered by the same netmask. Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease.
  • Page 321 Figure 22.3 DHCP Server: Dynamic DHCP Finishing the Configuration and Setting the Start Mode After the third part of the configuration wizard, a last dialog is shown in which you can define how the DHCP server should be started. Here, specify whether to start the DHCP server automatically when the system is booted or manually when needed (for example, for test purposes).
  • Page 322 Figure 22.4 DHCP Server: Start-Up Host Management Instead of using dynamic DHCP in the way described in the preceding sections, you can also configure the server to assign addresses in quasi-static fashion. To do so, use the entry fields provided in the lower part to specify a list of the clients to manage in this way.
  • Page 323 Figure 22.5 DHCP Server: Host Management 22.1.2 Expert Configuration In addition to the configuration method discussed earlier, there is also an expert configuration mode that allows you to tweak the DHCP server setup in every detail. Start the expert configuration by selecting Expert Settings in the tree view in the left part of the dialog.
  • Page 324 Figure 22.6 DHCP Server: Chroot Jail and Declarations Selecting the Declaration Type The Global Options of the DHCP server are made up of a number of declarations. This dialog lets you set the declaration types Subnet, Host, Shared Network, Group, Pool of Addresses, and Class.
  • Page 325 Figure 22.7 DHCP Server: Selecting a Declaration Type Subnet Configuration This dialog allows you to specify a new subnet with its IP address and netmask. In the middle part of the dialog, modify the DHCP server start options for the selected subnet using Add, Edit, and Delete.
  • Page 326 Figure 22.8 DHCP Server: Configuring Subnets TSIG Key Management If you chose to configure dynamic DNS in the previous dialog, you can now configure the key management for a secure zone transfer. Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS (see Figure 22.10, “DHCP Server: Interface Configuration for Dynamic DNS”...
  • Page 327 Figure 22.9 DHCP Server: TSIG Configuration Dynamic DNS: Interface Configuration You can now activate dynamic DNS for the subnet by selecting Enable Dynamic DNS for This Subnet. After doing so, use the drop-down list to choose the TSIG keys for forward and reverse zones, making sure that the keys are the same for the DNS and the DHCP server.
  • Page 328 Figure 22.10 DHCP Server: Interface Configuration for Dynamic DNS Network Interface Configuration To define the interfaces where the DHCP server should listen and to adjust the firewall configuration, select Advanced > Interface Configuration from the expert configuration dialog. From the list of interfaces displayed, select one or more that should be attended by the DHCP server.
  • Page 329: DHCP Software Packages

    Figure 22.11 DHCP Server: Network Interface and Firewall After completing all configuration steps, close the dialog with Ok. The server is now started with its new configuration. 22.2 DHCP Software Packages Both the DHCP server and the DHCP clients are available for SUSE Linux Enterprise Server.
  • Page 330: The DHCP Server dhcpd

    22.3 The DHCP Server dhcpd The core of any DHCP system is the dynamic host configuration protocol daemon. This server leases addresses and watches how they are used, according to the settings defined in the configuration file /etc/dhcpd.conf. By changing the parameters and values in this file, a system administrator can influence the program's behavior in numerous ways.
  • Page 331 Ideally, configure a name server on your machine or somewhere else in your network before setting up DHCP. That name server should also define a hostname for each dynamic address and vice versa. To learn how to configure your own name server, read Chapter 21, The Domain Name System (page 279).
  • Page 332 there were not enough addresses available and the server needed to redistribute them among clients. To identify a client configured with a static address, dhcpd uses the hardware address (which is a globally unique, fixed numerical code consisting of six octet pairs) for the identification of all network devices (for example, 00:30:6E:08:EC:80).
  • Page 333: For More Information

    Control the server's behavior regarding this feature by means of entries in the file /etc/ sysconfig/dhcpd. To run dhcpd without the chroot environment, set the variable DHCPD_RUN_CHROOTED in /etc/sysconfig/dhcpd to “no”. To enable dhcpd to resolve hostnames even from within the chroot environment, some other configuration files must be copied as well: •...
  • Page 335: 23 Using NetworkManager

    Using NetworkManager NetworkManager is the ideal solution for laptops and other portable computers. With NetworkManager, you do not need to worry about configuring network interfaces and switching between wired or wireless networks when you are moving. NetworkManager can automatically connect to known wireless networks. It can also manage several network connections in parallel; the fastest connection is then used as the default.
  • Page 336: Enabling NetworkManager

    • You want to use SCPM for network configuration management. To use SCPM and NetworkManager at the same time, disable the network resource in SCPM configuration. 23.2 Enabling NetworkManager If you want to manage your network connection with NetworkManager, enable NetworkManager in the YaST Network Settings module.
  • Page 337: Configuring Network Connections

    23.3 Configuring Network Connections After having enabled NetworkManager in YaST, configure your network connections in a dialog available from the GNOME Control Center or from the Personal Settings in KDE 4. If you use GNOME, start the GNOME Control Center from the main menu, then select System >...
  • Page 338: Using KDE NetworkManager Widget

    to confirm your settings. The newly configured network connection now appears in the list of available networks you get by left-clicking the NetworkManager applet or widget. NOTE: Hidden Networks To connect to a “hidden” network (a network that does not broadcast its service) you have to know the Extended Service Set Identifier (ESSID) of the network because it cannot be detected automatically.
  • Page 339: Using GNOME NetworkManager Applet

    Left-click any of the connection applets to choose another network connection at any time. Such a choice takes priority over automatically selected networks. The chosen network is used as long as it is available, meaning that plugging a network cable in does not switch to a wired network connection automatically.
  • Page 340 Procedure 23.1 Connecting to a Wireless Network 1 To connect to a wireless network, left-click the applet icon and choose an entry from the list of available wireless networks. 2 If the network is encrypted, a dialog opens. Choose the type of Wireless Security the network uses and enter the appropriate Password.
  • Page 341: NetworkManager and VPN

    2 Add the network name and set the encryption in the Wireless Security dialog. IMPORTANT: Unprotected Wireless Networks Are a Security Risk If you set Wireless Security to None, everybody can connect to your network, reuse your connectivity and intercept your network connection. To restrict access to your access point and to secure your connection, use encryption.
  • Page 342: NetworkManager and Security

    PPTP support for KDE is not available yet, but is being worked on. For GNOME, choose one of the following: • NovellVPN support for GNOME NetworkManager applet—package NetworkManager-novellvpn-gnome • OpenVPN support for GNOME NetworkManager applet—package NetworkManager-openvpn-gnome • vpnc (Cisco) support for GNOME NetworkManager applet—package NetworkManager-vpnc-gnome •...
  • Page 343: Frequently Asked Questions

    nections that are defined as system connection can be shared by all users and are made available right after NetworkManager is started—before any users log in. In case of system connections, all credentials must be provided at the time the connection is created.
  • Page 344 connection you want to modify and click Edit. On the Wired or Wireless tab, enter the MAC address of the device and confirm your changes with OK. How to specify a certain access point in case multiple access points with the same ESSID are detected? When multiple access points with different wireless bands (a/b/g/n) are available, the access point with the strongest signal is automatically chosen by default.
  • Page 345: Troubleshooting

    Control Center with System > Network Configurations or in KDE 4 from the Personal Settings with Advanced > Network Settings. Choose the connection you want to modify and click Edit. Switch to the IPv4 Settings tab, and from the Method drop-down list, choose Automatic (DHCP) addresses only.
  • Page 346: For More Information

    NetworkManager Applet/Widget Does Not Include the VPN Option Support for NetworkManager, applets, and VPN for NetworkManager is distributed in separate packages. If your NetworkManager applet/widget does not include the VPN option, check if the packages with NetworkManager support for your VPN technology are installed.
  • Page 347: 24 Samba

    Samba Using Samba, a Unix machine can be configured as a file and print server for Mac OS X, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or by editing the configuration file manually.
  • Page 348 An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP. The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS.
  • Page 349: Starting And Stopping Samba

    A domain controller (DC) is a server that handles accounts in a domain. For data replication, additional domain controllers are available in one domain. 24.2 Starting and Stopping Samba You can start or stop the Samba server automatically (during boot) or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 24.3.1, “Configuring a Samba Server with YaST”...
  • Page 350: Starting The Server

    Workgroup or Domain Name Select an existing name from Workgroup or Domain Name or enter a new one and click Next. Samba Server Type In the next step, specify whether your server should act as CD (PDC) and click Next. Start-Up Select whether you want to start Samba During Boot or Manually and click OK.
  • Page 351: Using LDAP

    Allow Users to Share Their Directories enables members of the group in Permitted Group to share directories they own with other users. For example, users for a local scope or DOMAIN\Users for a domain scope. The user also must make sure that the file system permissions allow access.
  • Page 352: Configuring The Server Manually

    NOTE: Activating SWAT After Samba server installation, SWAT is not activated. To activate it, open Network Services > Network Services (xinetd) in YaST, enable the network services configuration, select swat from the table, and click Toggle Status (On or Off). 24.3.3 Configuring the Server Manually If you intend to use Samba as a server, install samba.
  • Page 353 If no other SMB server is present in your network (such as a Windows 2000 server) and you want the Samba server to keep a list of all systems present in the local environment, set the os level to a higher value (for example, 65). Your Samba server is then chosen as LMB for your local network.
  • Page 354 [cdrom] and comment The entry [cdrom] is the name of the share that can be seen by all SMB clients on the network. An additional comment can be added to further describe the share. path = /media/cdrom path exports the directory /media/cdrom. By means of a very restrictive default configuration, this kind of share is only made available to the users present on this system.
  • Page 355: Security Levels

    browseable = No This setting makes the share invisible in the network environment. read only = No By default, Samba prohibits write access to any exported share by means of the read only = Yes parameter. To make a share writable, set the value read only = No, which is synonymous with writable = Yes.
  • Page 356: Configuring Clients

    ADS Level Security (security = ADS) In this mode, Samba will act as a domain member in an Active Directory environment. To operate in this mode, the machine running Samba needs Kerberos installed and configured. You must join the machine using Samba to the ADS realm. This can be done using the YaST Windows Domain Membership module.
  • Page 357: Samba As Login Server

    24.5 Samba as Login Server In networks where predominantly Windows clients are found, it is often preferable that users may only register with a valid account and password. In a Windows-based network, this task is handled by a primary domain controller (PDC). You can use a Windows NT server configured as PDC, but this task can also be done with the help of a Samba server.
  • Page 358: Samba Server In The Network With Active Directory

    ntadmin group. After that, all users belonging to this Linux group can be assigned Domain Admin status with the command: net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin More information about this topic is provided in Chapter 12 of the Samba HOWTO Collection, found in /usr/share/doc/packages/samba/ Samba-HOWTO-Collection.pdf.
  • Page 359: For More Information

    Figure 24.1 Determining Windows Domain Membership 4 Check Also Use SMB Information for Linux Authentication to use the SMB source for Linux authentication on your SUSE Linux Enterprise Server. 5 Click OK and confirm the domain join when prompted for it. 6 Provide the password for the Windows Administrator on the AD server and click Your server is now set up to pull in all authentication data from the Active Directory domain controller.
  • Page 360 The Samba HOWTO Collection provided by the Samba team includes a section about troubleshooting. In addition to that, Part V of the document provides a step-by-step guide to checking your configuration. You can find Samba HOWTO Collection in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf after installing the package samba-doc. Also read the Samba page in the openSUSE wiki at http://en.openSUSE.org/Samba.
  • Page 361: 25 Sharing File Systems with NFS

    Sharing File Systems with NFS Distributing and sharing file systems over a network is a common task in corporate environments. NFS is a proven system that also works together with the yellow pages protocol NIS. For a more secure protocol that works together with LDAP and may also be kerberized, check NFSv4.
  • Page 362: Importing File Systems With Yast

    NFS server software is not part of the default installation. To install the NFS server software, start YaST and select Software > Software Management. Now choose Filter > Patterns and select Misc. Server or use the Search option and search for NFS Server.
  • Page 363: Importing File Systems Manually

    Figure 25.1 NFS Client Configuration with YaST 25.3 Importing File Systems Manually File systems can also be imported manually from an NFS server. The prerequisite for this is a running RPC port mapper, which can be started by entering rcrpcbind start as root.
  • Page 364 25.3.1 Using the Automount Service In addition to regular local device mounts, the autofs daemon can also be used to mount remote file systems automatically. To do this, add the following entry to your /etc/auto.master file: /nfsmounts /etc/auto.nfs Now the /nfsmounts directory acts as a root for all the NFS mounts on the client if the auto.nfs file is completed appropriately.
  • Page 365: Exporting File Systems With Yast

    Note that if you do not enter the noauto option, the initialization scripts of the system will handle the mount of those file systems at start up. 25.4 Exporting File Systems with YaST With YaST, turn a host in your network into an NFS server—a server that exports directories and files to all hosts granted access to it.
  • Page 366 previous dialog. Bindmount Targets is shown in the right pane. For more details, refer to the help shown on the left pane. In the lower half of the dialog, there are four options that can be set for each host: single host, netgroups, wildcards, and IP networks.
  • Page 367 After activating NFSv4, enter an appropriate domain name. Make sure the name is the same as the one in the /etc/idmapd.conf file of any NFSv4 client that accesses this particular server. This parameter is for the idmapd service that is required for NFSv4 support (on both server and client).
  • Page 368 the client and option information pops up automatically. After that, to add a new client (client set), click Add Host. In the small dialog that opens, enter the host wild card. There are four possible types of host wild cards that can be set for each host: a single host (name or IP address), netgroups, wild cards (such as * indicating all machines can access the server), and IP networks.
  • Page 369 Figure 25.5 Exporting Directories with NFSv2 and v3 25.4.3 Coexisting v3 and v4 Exports Both NFSv3 and NFSv4 exports can coexist on a server. After enabling the support for NFSv4 in the initial configuration dialog, those exports for which fsid=0 and bind=/target/path are not included in the option list are considered v3 exports.
  • Page 370: Exporting File Systems Manually

    25.5 Exporting File Systems Manually The configuration files for the NFS export service are /etc/exports and /etc/sysconfig/nfs. In addition to these files, /etc/idmapd.conf is needed for the NFSv4 server configuration. To start or restart the services, run the command rcnfsserver restart.
  • Page 371 In the example above, /data is not below the /export, but we want to export it anyway, so we export /export/data, and specify that the /data directory should be bound to that name. The directory /export/data must exist and should normally be empty.
  • Page 372 Do not change these parameters unless you know exactly what you are doing. For further reference, read the man page of idmapd and idmapd.conf; man idmapd, man idmapd.conf. Starting and Stopping Services After changing /etc/exports or /etc/sysconfig/nfs, start or restart the nfs server service with rcnfsserver restart.
  • Page 373: Nfs With Kerberos

    25.6 NFS with Kerberos To use Kerberos authentication for NFS, GSS security must be enabled. To do so, select Enable GSS Security in the initial YaST dialog. Note that you must have a working Kerberos server to use this feature. YaST does not set up the server but only uses the provided functionality.
  • Page 375: 6 File Synchronization

    File Synchronization These days, many people use several computers—one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files so that you have the latest version of the data available on all computers.
  • Page 376 WARNING: Risk of Data Loss Before you start managing your data with a synchronization system, you should be well acquainted with the program used and test its functionality. A backup is indispensable for important files. The time-consuming and error-prone task of manually synchronizing data can be avoided by using one of the programs that use various methods to automate this job.
  • Page 377: Determining Factors For Selecting A Program

    26.2 Determining Factors for Selecting a Program There are some important factors to consider when deciding which program to use. 26.2.1 Client-Server versus Peer-to-Peer Two different models are commonly used for distributing data. In the first model, all clients synchronize their files with a central server. The server must be accessible by all clients at least occasionally.
  • Page 378 There is no conflict handling in rsync. The user is responsible for not accidentally overwriting files and manually resolving all possible conflicts. To be on the safe side, a versioning system like RCS can additionally be employed. 26.2.5 Selecting and Adding Files In CVS, new directories and files must be added explicitly using the command cvs add.
  • Page 379 26.2.9 User Friendliness rsync is rather easy to use and is also suitable for newcomers. CVS is somewhat more difficult to operate. Users should understand the interaction between the repository and local data. Changes to the data should first be merged locally with the repository. This is done with the command cvs update.
  • Page 380: Introduction To Cvs

    (Table fragment: rsync compared by file selection (selectable per file or directory), history, hard disk space, difficulty, attacks (+ with ssh) and data loss.) 26.3 Introduction to CVS CVS is suitable for synchronization purposes if individual files are edited frequently and are stored in a file format, such as ASCII text or program source text. The use of CVS for synchronizing data in other formats (such as JPEG files) is possible, but leads to large amounts of data, because all variants of a file are stored permanently on the CVS server.
  • Page 381
    CVS_RSH=ssh
    CVSROOT=tux@server:/serverdir
    The command cvs init can be used to initialize the CVS server from the client side. This needs to be done only once. Finally, the synchronization must be assigned a name. Select or create a directory on the client to contain files to manage with CVS (the directory can also be empty). The name of the directory is also the name of the synchronization.
  • Page 382: Introduction To Rsync

    Start the synchronization with the server with cvs update. Update individual files or directories as in cvs update file1 directory1. To see the difference between the current files and the versions stored on the server, use the command cvs diff or cvs diff file1 directory1.
  • Page 383: Configuration And Operation

    application concerns staging servers. These are servers that store complete directory trees of Web servers that are regularly mirrored onto a Web server in a DMZ. 26.4.1 Configuration and Operation rsync can be operated in two different modes. It can be used to archive or copy data. To accomplish this, only a remote shell, like ssh, is required on the target system.
  • Page 384: For More Information

    can alternatively be started by xinetd. This is, however, only recommended for servers that rarely use rsyncd. The example also creates a log file listing all connections. This file is stored in /var/log/rsyncd.log. It is then possible to test the transfer from a client system. Do this with the following command: rsync -avz sun::FTP This command lists all files present in the directory /srv/ftp of the server.
  • Page 385: 7 The Apache Http Server

    The Apache HTTP Server With a share of more than 70%, the Apache HTTP Server (Apache) is the world's most widely-used Web server according to the Survey from http://www.netcraft.com/. Apache, developed by the Apache Software Foundation (http://www.apache.org/), is available for most operating systems. SUSE® Linux Enterprise Server includes Apache version 2.2.
  • Page 386 time. See Chapter 20, Time Synchronization with NTP (page 273) to learn more about this topic. 3. The latest security updates are installed. If in doubt, run a YaST Online Update. 4. The default Web server port (port 80) is opened in the firewall. For this, configure the SUSEFirewall2 to allow the service HTTP Server in the external zone.
  • Page 387: Configuring Apache

    test page stating “It works!”. If you do not see this page, refer to Section 27.8, “Troubleshooting” (page 409). Now that the Web server is running, you can add your own documents, adjust the configuration according to your needs, or add functionality by installing modules. 27.2 Configuring Apache Apache in SUSE Linux Enterprise Server can be configured in two different ways: with YaST or manually.
  • Page 388 /etc/sysconfig/apache2 /etc/sysconfig/apache2 controls some global settings of Apache, like modules to load, additional configuration files to include, flags with which the server should be started, and flags that should be added to the command line. Every configuration option in this file is extensively documented and therefore not mentioned here. For a general-purpose Web server, the settings in /etc/sysconfig/apache2 should be sufficient for any configuration needs.
  • Page 389 Apache Configuration Files in /etc/apache2/ charset.conv Specifies which character sets to use for different languages. Do not edit. conf.d/*.conf Configuration files added by other modules. These configuration files can be included into your virtual host configuration where needed. See vhosts.d/vhost.template for examples.
  • Page 390 mod_*.conf Configuration files for the modules that are installed by default. Refer to Section 27.4, “Installing, Activating, and Configuring Modules” (page 391) for details. Note that configuration files for optional modules reside in the directory conf.d. server-tuning.conf Contains configuration directives for the different MPMs (see Section 27.4.4, “Multiprocessing Modules”...
  • Page 391 To list all existing virtual hosts, use the command httpd2 -S. This outputs a list showing the default server and all virtual hosts together with their IP addresses and listening ports. Furthermore, the list also contains an entry for each virtual host showing its location in the configuration files.
  • Page 392 Name-Based Virtual Hosts With name-based virtual hosts, more than one Web site is served per IP address. Apache uses the host field in the HTTP header sent by the client to connect the request to a matching ServerName entry of one of the virtual host declarations. If no matching ServerName is found, the first specified virtual host is used as a default.
  • Page 393 Example 27.2 Name-Based VirtualHost Directives
    <VirtualHost 192.168.3.100:80> </VirtualHost>
    <VirtualHost 192.168.3.100> </VirtualHost>
    <VirtualHost *:80> </VirtualHost>
    <VirtualHost *> </VirtualHost>
    <VirtualHost [2002:c0a8:364::]> </VirtualHost>
    IP-Based Virtual Hosts This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP.
  • Page 394 Here, VirtualHost directives are only specified for interfaces other than 192.168.3.100. When a Listen directive is also configured for 192.168.3.100, a separate IP-based virtual host must be created to answer HTTP requests to that interface—otherwise the directives found in the default server configuration (/etc/apache2/default-server.conf) are applied.
  • Page 395
    <Directory "/srv/www/www.example.com/htdocs">
        Order allow,deny
        Allow from all
    </Directory>
    The complete configuration file looks like this: Example 27.4 Basic VirtualHost Configuration
    <VirtualHost 192.168.3.100>
        ServerName www.example.com
        DocumentRoot /srv/www/www.example.com/htdocs
        ServerAdmin webmaster@example.com
        ErrorLog /var/log/apache2/www.example.com_log
        CustomLog /var/log/apache2/www.example.com-access_log common
        <Directory "/srv/www/www.example.com/htdocs">
            Order allow,deny
            Allow from all
        </Directory>...
  • Page 396 Check Open Firewall for Selected Ports to open the ports in the firewall that the Web server listens on. This is necessary to make the Web server available on the network, which can be a LAN, WAN, or the public Internet. Keeping the port closed is only useful in test situations where no external access to the Web server is necessary.
  • Page 397 Figure 27.1 HTTP Server Wizard: Default Host Here is a list of the default settings of the server: Document Root Path to the directory from which Apache serves files for this host. /srv/www/htdocs is the default location. Alias With the help of Alias directives, URLs can be mapped to physical file system locations.
  • Page 398: Virtual Hosts

    Directory With the Directory setting, you can enclose a group of configuration options that will only apply to the specified directory. Access and display options for the directories /usr/share/apache2/icons and /srv/www/cgi-bin are configured here. It should not be necessary to change the defaults.
  • Page 399 Clicking Next advances to the second part of the virtual host configuration dialog. In part two of the virtual host configuration you can specify whether or not to enable CGI scripts and which directory to use for these scripts. It is also possible to enable SSL.
  • Page 400: Http Server Configuration

    Figure 27.2 HTTP Server Wizard: Summary HTTP Server Configuration The HTTP Server Configuration dialog also lets you make even more adjustments to the configuration than the wizard (which only runs if you configure your Web server for the first time). It consists of four tabs described in the following. No configuration option you change here is effective immediately—you always must confirm your changes with Finish to make them effective.
  • Page 401: Server Modules

    With Log Files, watch either the access log or the error log. This is useful if you want to test your configuration. The log file opens in a separate window from which you can also restart or reload the Web server (see Section 27.3, “Starting and Stopping Apache”...
  • Page 402: Starting And Stopping Apache

    Figure 27.4 HTTP Server Configuration: Server Modules Main Host or Hosts These dialogs are identical to the ones already described. Refer to Section “Default Host” (page 382) and Section “Virtual Hosts” (page 384). 27.3 Starting and Stopping Apache If configured with YaST (see Section 27.2.2, “Configuring Apache with YaST”...
  • Page 403 start Starts Apache if it is not already running. startssl Starts Apache with SSL support if it is not already running. For more information about SSL support, refer to Section 27.6, “Setting Up a Secure Web Server with SSL” (page 401). stop Stops Apache by terminating the parent process.
  • Page 404 GracefulShutdownTimeout needs to be set, otherwise restart-graceful will result in a regular restart. If set to zero, the server will wait indefinitely until all remaining requests have been fully served. A graceful restart can fail if the original Apache instance is not able to clear all necessary resources.
  • Page 405: Installing, Activating, And Configuring Modules

    27.4 Installing, Activating, and Configuring Modules The Apache software is built in a modular fashion: all functionality except some core tasks is handled by modules. This has progressed so far that even HTTP is processed by a module (http_core). Apache modules can be compiled into the Apache binary at build time or dynamically loaded at runtime.
  • Page 406 You can install additional external modules by starting YaST and choosing Software > Software Management. Now choose Filter > Search and search for apache. Among other packages, the results list contains all available external Apache modules. 27.4.2 Activation and Deactivation Using YaST, you can activate or deactivate the script language modules (PHP5, Perl, Python) with the module configuration described in Section “HTTP Server Wizard”...
  • Page 407 mod_alias Provides Alias and Redirect directives with which you can map a URL to a specific directory (Alias) or redirect a requested URL to another location. This module is enabled by default. mod_auth* The authentication modules provide different authentication methods: basic authentication with mod_auth_basic or digest authentication with mod_auth_digest.
  • Page 408 mod_env Controls the environment that is passed to CGI scripts or SSI pages. Environment variables can be set or unset or passed from the shell that invoked the httpd process. This module is enabled by default. mod_expires With mod_expires, you can control how often proxy and browser caches refresh your documents by sending an Expires header.
  • Page 409 mod_setenvif Sets environment variables based on details of the client's request, such as the browser string the client sends, or the client's IP address. This module is enabled by default. mod_speling mod_speling attempts to automatically correct typographical errors in URLs, such as capitalization errors.
  • Page 410 Find a list of all external modules shipped with SUSE Linux Enterprise Server here. Find the module's documentation in the listed directory. mod-apparmor Adds support to Apache to provide Novell AppArmor confinement to individual CGI scripts handled by modules like mod_php5 and mod_perl.
  • Page 411 Package Name: apache2-mod_apparmor More Information: Part “Confining Privileges with Novell AppArmor” (↑Security Guide) mod_mono Using mod_mono allows you to run ASP.NET pages in your server. Package Name: apache2-mod_mono Configuration File: /etc/apache2/conf.d/mod_mono.conf mod_perl mod_perl enables you to run Perl scripts in an embedded interpreter. The persistent interpreter embedded in the server avoids the overhead of starting an external interpreter and the penalty of Perl start-up time.
  • Page 412: Getting Cgi Scripts To Work

    contains the apxs2 tools, which are necessary for compiling additional modules for Apache. apxs2 enables the compilation and installation of modules from source code (including the required changes to the configuration files), which creates dynamic shared objects (DSOs) that can be loaded into Apache at runtime. The apxs2 binaries are located under /usr/sbin: •...
  • Page 413 27.5.1 Apache Configuration In SUSE Linux Enterprise Server, the execution of CGI scripts is only allowed in the directory /srv/www/cgi-bin/. This location is already configured to execute CGI scripts. If you have created a virtual host configuration (see Section “Virtual Host Configuration”...
  • Page 414 directory of your virtual host (/srv/www/www.example.com/cgi-bin/) and name it test.cgi. Files accessible by the Web server should be owned by the user root (see Section 27.7, “Avoiding Security Problems” (page 407) for additional information). Because the Web server runs with a different user, the CGI scripts must be world-executable and world-readable.
  • Page 415: Setting Up A Secure Web Server With Ssl

    27.6 Setting Up a Secure Web Server with SSL Whenever sensitive data, such as credit card information, is transferred between Web server and client, it is desirable to have a secure, encrypted connection with authentication. mod_ssl provides strong encryption using the secure sockets layer (SSL) and transport layer security (TLS) protocols for HTTP communication between a client and the Web server.
  • Page 416 TIP: For More Information To learn more about concepts and definitions of SSL/TLS, refer to http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html. Creating a “Dummy” Certificate Generating a dummy certificate is simple. Just call the script /usr/bin/gensslcert. It creates or overwrites the following files: • /etc/apache2/ssl.crt/ca.crt •...
  • Page 417 Procedure 27.1 Creating a Self-Signed Certificate with mkcert.sh 1 Decide the signature algorithm used for certificates Choose RSA ( R , the default), because some older browsers have problems with DSA. 2 Generating RSA private key for CA (1024 bit) No interaction needed.
  • Page 418 IMPORTANT: Selecting a Common Name The common name you enter here must be the fully qualified hostname of your secure server (for example, www.example.com). Otherwise the browser issues a warning that the certificate does not match the server when accessing the Web server. 7 Generating X.509 certificate signed by own CA Choose certificate version 3 (the default).
  • Page 419 The last step is to copy the CA certificate file from /etc/apache2/ssl.crt/ca.crt to a location where your users can access it in order to incorporate it into the list of known and trusted CAs in their Web browsers. Otherwise a browser complains that the certificate was issued by an unknown authority.
  • Page 420 27.6.2 Configuring Apache with SSL The default port for SSL and TLS requests on the Web server side is 443. There is no conflict between a “regular” Apache listening on port 80 and an SSL/TLS-enabled Apache listening on port 443. In fact, HTTP and HTTPS can be run with the same Apache instance.
  • Page 421: Avoiding Security Problems

    SUSE. It contains instructions for fixing the vulnerabilities, which in turn should be applied as soon as possible. The SUSE security announcements are available from the following locations: • Web Page http://www.novell.com/linux/security/securitysupport.html • Mailing List http://en.opensuse.org/Communicate#Mailinglists •...
  • Page 422: User Directories

    for all, any user could place files into them. These files might then be executed by Apache with the permissions of wwwrun, which may give the user unintended access to file system resources. Use subdirectories of /srv/www to place the DocumentRoot and CGI directories for your virtual hosts and make sure that directories and files belong to user and group root.
  • Page 423: Troubleshooting

    security settings. At least you should limit the user's engagement by using the directive AllowOverRide. In SUSE Linux Enterprise Server, .htaccess files are enabled by default, but the user is not allowed to overwrite any Option directives when using mod_userdir (see the /etc/apache2/mod_userdir.conf configuration file). 27.8 Troubleshooting If Apache does not start, the Web page is not accessible, or users cannot connect to the Web server, it is important to find the cause of the problem.
  • Page 424: For More Information

    the Apache user community can be reached via a mailing list available at http://httpd.apache.org/userslist.html. A recommended newsgroup is comp.infosystems.www.servers.unix. 27.9 For More Information The package apache2-doc contains the complete Apache manual in various localizations for local installation and reference. It is not installed by default—the quickest way to install it is to use the command zypper in apache2-doc.
  • Page 425 27.9.4 Miscellaneous Sources If you experience difficulties specific to Apache in SUSE Linux Enterprise Server, take a look at the Technical Information Search at http://www.novell.com/support. The history of Apache is provided at http://httpd.apache.org/ABOUT_APACHE.html. This page also explains why the server is called Apache.
  • Page 427: 8 Setting Up An Ftp Server With Yast

    Setting up an FTP server with YaST Using the YaST FTP Server module, you can configure your machine to function as an FTP server. Anonymous and/or authenticated users can connect to your machine and download and, depending on the configuration, upload files using the FTP protocol. YaST provides a unified configuration interface for various FTP server daemons installed on your system.
  • Page 428: Starting The Ftp Server

    In the General dialog, configure FTP directories, welcome message, file creation masks and various other parameters. For more information, see Section 28.2, “FTP General Settings” (page 415). In the Performance dialog, set the parameters that affect the load on the FTP server.
  • Page 429: Ftp General Settings

    Figure 28.1 FTP Server Configuration — Start-Up 28.2 FTP General Settings In the General Settings frame of the FTP General Settings dialog you can set the Welcome message which is shown after connecting to the FTP server. If you check the Chroot Everyone option, all local users will be placed in a chroot jail in their home directory after login.
  • Page 430: Ftp Performance Settings

    does not allow this directory to be writable for all users. The subdirectory upload with write permissions for anonymous users is created instead. NOTE The pure-ftpd server allows the FTP directory for anonymous users to be writable. Make sure you removed the write permissions in the directory that was used with pure-ftpd before switching back to the vsftpd server.
  • Page 431: Expert Settings

    NOTE If a vsftpd server is used and you want anonymous users to be able to upload files or create directories, a subdirectory with write permissions for all users has to be created in the anonymous FTP directory. 28.5 Expert Settings An FTP server can run in active or in passive mode.
  • Page 433: 9 The Proxy Server Squid

    The Proxy Server Squid Squid is a widely-used proxy cache for Linux and UNIX platforms. This means that it stores requested Internet objects, such as data on a Web or FTP server, on a machine that is closer to the requesting workstation than the server. It may be set up in multiple hierarchies to assure optimal response times and low bandwidth usage, even in modes that are transparent for the end user.
  • Page 434: Some Facts About Proxy Caches

    29.1 Some Facts about Proxy Caches As a proxy cache, Squid can be used in several ways. When combined with a firewall, it can help with security. Multiple proxies can be used together. It can also determine what types of objects should be cached and for how long. 29.1.1 Squid and Security It is possible to use Squid together with a firewall to secure internal networks from the outside using a proxy cache.
  • Page 435: System Requirements

    HIT code if the object was detected or a MISS if it was not. If multiple HIT responses were found, the proxy server decides from which server to download, depending on factors such as which cache sent the fastest answer or which one is closer. If no satisfactory responses are received, the request is sent to the parent cache.
  • Page 436: Hard Disks

    29.2.1 Hard Disks Speed plays an important role in the caching process, so this factor deserves special attention. For hard disks, this parameter is described as random seek time, measured in milliseconds. Because the data blocks that Squid reads from or writes to the hard disk tend to be rather small, the seek time of the hard disk is more important than its data throughput.
  • Page 437: Starting Squid

    It is very important to have sufficient memory for the Squid process, because system performance is dramatically reduced if it must be swapped to disk. The cachemgr.cgi tool can be used for the cache memory management. This tool is introduced in Section 29.6, “cachemgr.cgi”...
  • Page 438 so, consider that Squid is made completely accessible to anyone by this action. Therefore, define ACLs that control access to the proxy. More information about this is available in Section 29.4.2, “Options for Access Controls” (page 428). After modifying the configuration file /etc/squid/squid.conf, Squid must reload the configuration file.
  • Page 439: The Configuration File /Etc/Squid/Squid.conf

    Dynamic DNS Normally, with dynamic DNS, the DNS server is set by the provider during the establishment of the Internet connection and the local file /etc/resolv.conf is adjusted automatically. This behavior is controlled in the file /etc/sysconfig/network/config with the sysconfig variable MODIFY_RESOLV_CONF_DYNAMICALLY, which is set to "yes".
  • Page 440 with # (the lines are commented) and the relevant specifications can be found at the end of the line. The given values almost always correlate with the default values, so removing the comment signs without changing any of the parameters actually has little effect in most cases.
  • Page 441 cache_dir ufs /var/cache/squid/ 100 16 256 The entry cache_dir defines the directory where all the objects are stored on disk. The numbers at the end indicate the maximum disk space in MB to use and the number of directories in the first and second level. The ufs parameter should be left alone.
  • Page 442 overwritten. The default value is 0 because archiving and deleting log files in SUSE Linux Enterprise Server is carried out by a cron job set in the configuration file /etc/logrotate/squid. append_domain <domain> With append_domain, specify which domain to append automatically when none is given.
  • Page 443 acl <acl_name> <type> <data> An ACL requires at least three specifications to define it. The name <acl_name> can be chosen arbitrarily. For <type>, select from a variety of different options, which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
  • Page 444 and the last http_access deny all
    redirect_program /usr/bin/squidGuard
    With this option, specify a redirector such as squidGuard, which allows the blocking of unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured.
  • Page 445: Configuring A Transparent Proxy

    29.5 Configuring a Transparent Proxy The usual way of working with proxy servers is the following: the Web browser sends requests to a certain port in the proxy server and the proxy provides these required objects, whether they are in its cache or not. When working in a network, several situations may arise: •...
  • Page 446 Section “Configuring the Firewall with YaST” (Chapter 15, Masquerading and Firewalls, ↑Security Guide). Its configuration file can be found in /etc/sysconfig/SuSEfirewall2. The configuration file consists of well-documented entries. To set a transparent proxy, you must configure several firewall options: •...
  • Page 447 Example 29.1 Firewall Configuration: Option 15
    # 15.)
    # Which accesses to services should be redirected to a local port on
    # the firewall machine?
    # This option can be used to force all internal users to surf via
    # your squid proxy, or transparently redirect incoming webtraffic to
    # a secure webserver.
  • Page 448: Cachemgr.cgi

    29.6 cachemgr.cgi The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the memory usage of a running Squid process. It is also a more convenient way to manage the cache and view statistics without logging in to the server. 29.6.1 Setup First, a running Web server on your system is required.
  • Page 449 The following rules give Apache the access rights to Squid:
    http_access allow manager localhost
    http_access deny manager
    These rules assume that the Web server and Squid are running on the same machine. If the communication between the cache manager and Squid originates at the Web server on another computer, include an extra ACL as in Example 29.2, “Access Rules”...
  • Page 450: Cache Report Generation With Calamaris

    29.7 Cache Report Generation with Calamaris Calamaris is a Perl script used to generate reports of cache activity in ASCII or HTML format. It works with native Squid access log files. The Calamaris home page is located at http://Calamaris.Cord.de/. The program is quite easy to use. Log in as root then enter cat access.log | calamaris options >...
  • Page 451: For More Information

    29.8 For More Information Visit the home page of Squid at http://www.squid-cache.org/. Here, find the “Squid User Guide” and a very extensive collection of FAQs on Squid. Following the installation, a small HOWTO about transparent proxies is available in howtoenh as /usr/share/doc/howto/en/txt/TransparentProxy.gz. In addition, mailing lists are available for Squid at squid-users@squid-cache.org.
