					Unix Administration




     Guntis Barzdins
Linux System Administration


                  SYS ADMIN TASKS
    Setting the Run Level
    System Services
    User Management
    Network Settings
    Scheduling Jobs
    Quota Management
    Backup and Restore
    Adding and Removing software/packages
    Setting up a Printer
    Monitoring the system (general, logs)
    Monitoring any specific services running, e.g. DNS, DHCP, Web,
    NIS, NTP, Proxy etc.
Have you used UNIX before?



            • Which OS did Apple choose
              when it needed a stable OS layer
              for its Mac OSX?

            • Which OS made the biggest
              impact to the online lives as you
              know it today?
               Process Manipulation
 Once you run a program (e.g. vi, myprog, ...) from a terminal, that program
  takes over the terminal you called it in (the terminal will not
  receive input from you until the program finishes).

       You can start the program in the background to avoid this:
            myprog &

       You can suspend a program that is running and send it to
        background, if you already started it:
            Ctrl-z (to suspend)
            bg (sends the suspended program to the background)

   ps (show running processes)
   top (monitor running processes)
   kill (kill processes)

   & (send process to background)
   bg (send process to background)
   fg (get process from background)
   Ctrl+c (terminate process)
   Ctrl+z (suspend process)
         Intrusion Detection System
                    (IDS)
 Tripwire is a file integrity-checking program for
  UNIX/Linux operating systems
     Software that alerts you when important files change
     Tripwire keeps a hash value for each designated file
     When a file is altered or deleted, Tripwire computes a
      new hash value that differs from the original one
     For implementation details refer to:
       http://www.cert.org/security-improvement/implementations/i002.02.html
           Tripwire tutorial in a slide
 Initial setup
      download / build / install it
      modify the policy file (e.g. remove unnecessary files)
        # vi /etc/tripwire/twpol.txt
      generate the policy file
        # twadmin --create-polfile /etc/tripwire/twpol.txt
      build the initial database
        # tripwire --init
 check periodically
   # tripwire --check
    reconcile differences (e.g. after a software installation)
        # tripwire --update --accept-all --twrfile report_file
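The init / check / update cycle above, as an added example written for this page (it is not Tripwire's code): a baseline of SHA-256 hashes is recorded once, later runs report files that changed, disappeared or appeared, and re-running the baseline after a known change is the equivalent of the --update step. The small directory tree built by demo() is constructed for the example.

```python
"""Added example (not Tripwire's own code): the idea behind Tripwire's
--init / --check cycle. A baseline of SHA-256 hashes is written once; later
runs report files that changed, disappeared or appeared since. The sample
tree built by demo() is constructed for this example."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> hash for every regular file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                snap[os.path.relpath(full, root)] = hash_file(full)
    return snap


def build_baseline(root, db_path):
    """Equivalent of `tripwire --init`: record the trusted state.
    db_path must live outside root (ideally on read-only media); otherwise
    whoever alters the files can also alter the baseline."""
    snap = snapshot(root)
    with open(db_path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)
    return snap


def check_baseline(root, db_path):
    """Equivalent of `tripwire --check`: compare current hashes with the baseline."""
    with open(db_path) as f:
        baseline = json.load(f)
    now = snapshot(root)
    return {
        "changed": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
        "added": sorted(p for p in now if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a small tree, then alter it and re-check.
    Returns (clean_report, tampered_report)."""
    root = tempfile.mkdtemp(prefix="twdemo-")
    db = os.path.join(tempfile.mkdtemp(prefix="twdb-"), "baseline.json")
    os.makedirs(os.path.join(root, "etc", "cron.d"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    build_baseline(root, db)
    clean = check_baseline(root, db)
    # the three kinds of drift a periodic check should catch
    with open(os.path.join(root, "etc", "passwd"), "a") as f:
        f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")   # modified file
    os.remove(os.path.join(root, "etc", "hosts"))               # deleted file
    with open(os.path.join(root, "etc", "cron.d", "nightly"), "w") as f:
        f.write("0 2 * * * root /usr/local/bin/backup\n")       # new file
    return clean, check_baseline(root, db)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after changes:", after)
```

The check is only as trustworthy as the baseline file: keep it where the checked hosts cannot write to it, which is why real Tripwire signs its database and policy with a site key.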
Linux Security


                 LINUX Firewall
Linux Security


                                 SELinux
     Malicious or broken software that runs as a root process
     has root-level access to the entire system.
     SELinux (Security Enhanced Linux) provides enhanced
     security.
     Through SELinux policies, a process can be granted just the
     permissions it needs to function, thus reducing that risk

  SELINUX can take one of these three values
    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.
    disabled - SELinux is fully disabled.
Linux Security


                 SELinux Configuration
                          Log files
 On Linux, log files live under /var/log
 Which file to look at depends on the application
 The information shown in log files depends on the debug level you
  defined
Linux System Administration


               Configuring Disk Quotas
  To implement disk quotas, use the following steps:

    Enable quotas per file system by modifying /etc/fstab
    Remount the file system(s)
    Create the quota files and generate the disk usage table
    Assign quotas
Linux System Administration


                Configuring Disk Quotas
     Enabling Quotas: Edit fstab to enable usrquota

  LABEL=/1        /          ext3   defaults                    1 1
  LABEL=/boot     /boot      ext3   defaults                    1 2
  LABEL=/users    /users     ext3   exec,dev,suid,rw,usrquota   1 2
  LABEL=/var      /var       ext3   defaults                    1 2
  LABEL=SWAP-sda5 swap       swap   defaults                    0 0
Linux System Administration


                  Configuring Disk Quotas
     Remounting the File Systems: Issue the umount command
     followed by the mount command to remount each file system on which
     quotas have been enabled (umount /users; mount /users)

     Creating the Quota Database Files: Use the quotacheck command to
     create the quota.user file
     quotacheck -cu /users

     Assigning Quotas per User: assign the disk quotas with the
     edquota command (edquota <username>)
  Disk quotas for user web_cc (uid 524):
   Filesystem            blocks     soft hard     inodes   soft   hard
   /dev/sdb1             988612 1024000 1075200     7862     0     0
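The four steps above leave two artefacts an administrator keeps checking: the fstab entries that carry a quota option, and the table edquota prints per user. The following added example (written for this page, not from the slides or the quota tools) parses both and reports which file systems have quotas enabled and how close a user is to the soft and hard limits. FSTAB_SAMPLE and EDQUOTA_SAMPLE are constructed inputs modelled on the slides' own listings.

```python
"""Added example (not from the slides): parse an /etc/fstab for quota
options and an edquota table, and classify usage against the limits.
Both inputs are constructed samples modelled on the slides."""
import re

FSTAB_SAMPLE = """\
LABEL=/1        /          ext3   defaults                    1 1
LABEL=/boot     /boot      ext3   defaults                    1 2
LABEL=/users    /users     ext3   exec,dev,suid,rw,usrquota   1 2
LABEL=/var      /var       ext3   defaults                    1 2
LABEL=SWAP-sda5 swap       swap   defaults                    0 0
"""

EDQUOTA_SAMPLE = """\
Disk quotas for user web_cc (uid 524):
  Filesystem            blocks     soft hard     inodes   soft   hard
  /dev/sdb1             988612 1024000 1075200     7862     0     0
"""

QUOTA_OPTIONS = {"usrquota", "grpquota", "usrjquota", "grpjquota"}


def quota_enabled_filesystems(fstab_text):
    """Return [(mount_point, {quota options})] for every fstab entry carrying one."""
    result = []
    for line in fstab_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point, options = fields[1], fields[3].split(",")
        # journaled quota options arrive as usrjquota=aquota.user; keep the key only
        keys = {opt.split("=", 1)[0] for opt in options}
        found = keys & QUOTA_OPTIONS
        if found:
            result.append((mount_point, found))
    return result


def parse_edquota(text):
    """Parse edquota-style output into numbers. Block counts are 1K blocks."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = re.search(r"for user (\S+) \(uid (\d+)\)", lines[0])
    if not m:
        raise ValueError("unrecognised edquota header: " + lines[0])
    report = {"user": m.group(1), "uid": int(m.group(2)), "filesystems": []}
    for line in lines[2:]:                       # lines[1] is the column header
        fs, blocks, soft, hard, inodes, isoft, ihard = line.split()
        report["filesystems"].append({
            "fs": fs,
            "blocks": int(blocks), "soft": int(soft), "hard": int(hard),
            "inodes": int(inodes), "isoft": int(isoft), "ihard": int(ihard),
        })
    return report


def limit_state(used, soft, hard):
    """ok / soft (grace period running) / hard (further writes refused).
    A limit of 0 means no limit, as in edquota."""
    if hard and used >= hard:
        return "hard"
    if soft and used >= soft:
        return "soft"
    return "ok"


def quota_summary(text):
    """Per file system: block and inode state plus percentage of the soft block limit used."""
    report = parse_edquota(text)
    rows = []
    for fs in report["filesystems"]:
        rows.append({
            "user": report["user"],
            "fs": fs["fs"],
            "block_state": limit_state(fs["blocks"], fs["soft"], fs["hard"]),
            "block_pct_of_soft": round(100.0 * fs["blocks"] / fs["soft"], 1) if fs["soft"] else None,
            "inode_state": limit_state(fs["inodes"], fs["isoft"], fs["ihard"]),
        })
    return rows


if __name__ == "__main__":
    print(quota_enabled_filesystems(FSTAB_SAMPLE))
    for row in quota_summary(EDQUOTA_SAMPLE):
        print(row)
```

For the slide's user web_cc the block usage is 96.5 % of the soft limit, so the state is still ok but worth an alert before the grace period starts; the inode limits of 0 mean no limit and are reported as ok regardless of usage.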
Linux Commands


        Linux Filesystem Management
    badblocks Used to search a disk or partition for bad blocks.
    (badblocks device) (badblocks hda)
    df Shows the disk free space on one or more filesystems. (df -k, df -h)
    du Shows how much disk space a directory and all its files contain.
    (du <directory>, du -sk <directory>, du -sh <directory>)
    fsck Filesystem check. Must not be run on a mounted file system.
    (fsck <filesystem>)
Linux Commands


        Linux Filesystem Management
     sync Synchronize data on disk with memory. `sync' writes any data
     buffered in memory out to disk.
     mount Used to mount a filesystem. Complement is umount. (mount
     <filesystem>, mount -a)
     umount Unmounts a filesystem. Complement is mount. (umount
     <filesystem>)
       Native UNIX Backup Utilities

 UNIX systems include 3 core utilities that allow
  you to back up files to tape or disk.
      tar (very simple to use)
      cpio (a bit more complex)
      dump (the most complex of the three)
   Using the tar Utility for Backup

 tar usage:
    tar [x|c]vf [tape device name] [files or directory]
 Where:
     x = extract from a tape
    c = compress onto tape

   (just like when we tar and untar regular .tar files)
       Other UNIX Backup Utilities
 cpio – has the ability to detect I/O errors during backup
  that tar cannot detect. Also has the ability to do things
  like specify wildcard patterns during restore.
 dump – very fast, detects I/O errors, allows you to
  perform incremental backups.
                                                                                  TAR                                                      CPIO                                                   DUMP

Simplicity of Invocation                                 Very Simple                                             Needs find to specify file names                      Simple. Few Options
                                                         (tar c files)

Recover from I/O errors?                                 None. Write your own utility                            Resync Option on HP-UX will cause some data loss      Automatically skips over bad section


Backup special files                                     Later Revisions                                         Yes                                                   Yes

Multi-volume backup                                      Later Revisions                                         Yes                                                   Yes

Backup across network?                                   Using rsh only                                          Using rsh only                                        Yes

Append files to backup                                   Yes, (tar –r)                                           No                                                    No

Multiple Independent Backups on Single Tape              Yes                                                     Yes                                                   Yes

Ease of listing files on the volume                      Difficult, Must search entire backup                    Difficult, Must search entire backup                  Simple, Index at front
                                                         ( tar –t )                                              ( cpio –it )                                          ( restore –t )

Ease and speed of finding a particular file              Difficult, No wildcards, Must search entire volume      Moderate, Wildcards, Must search entire volume        Interactive. Very easy with commands like cd, ls


Incremental backup                                       No                                                      Must use find to locate new/modified files            Incremental of whole filesystem only, Mult. Levels


List files as they are being backed up                   tar cvf 2>logfile                                       cpio –v 2>logfile                                     Only after backup with restore –t >logfile
                                                                                                                                                                       (Dump can show % complete, though.)

Backup based on other criteria                           No                                                      Find can use multiple criteria                        No

Restore absolute path names to relative location         Only by using chroot                                    Limited with cpio -I                                  Always relative to current working directory

Interactive decision on restore                          Yes or No possible with tar –w                          Can specify new path or name on each file             Specify individual files in interactive mode

Compatibility                                            Multiple platform                                       Multiple platform with ASCII header, not always       Readable between some platforms, but cannot be
                                                                                                                 portable                                              relied on

Primary usefulness                                       Individual user backup, transfer files between          System backup, transfer files between filesystems     System backup
                                                         filesystems

Volume efficiency                                        Medium, usually limited to 10k block size               Medium, usually only 5K block size, but can specify   High, can usually specify up to maximum block size of
                                                                                                                 larger size on some OSs                               device

Wildcards on restore                                     No                                                      Yes                                                   Only in interactive mode

Simplicity of selecting files for backup from numerous   Low, must specify each independent directory,           Medium, find options                                  None, will backup one and only one filesystem
directories                                              subdirectories included

Specifying directory on restore get files in that        Yes                                                     No, must use "path/*"                                 Yes
directory

Stop reading tape after a restored file is found         No                                                      No                                                    Will stop reading tape as soon as last file is found


Track deleted files                                      No                                                      No                                                    If you restore with –r, files deleted before last
                                                                                                                                                                       incremental dump will be deleted.

Filesystem efficiency                                    Better                                                  Worst (files get a stat from both find and cpio)      Best

Limit on path length                                     155 characters. Complains "prefix is greater than 155   255 characters. Doesn’t complain. Just truncates      1056 characters.
(Tests done with Solaris native utils 7/99.)             characters." Gtar has slight workaround.                pathname to 255 char’s.


Likelihood that file exists in TOC but not in archive    Low                                                     Low                                                   Medium (since TOC is made first)
                   Lost Root Passwd

 If you have LILO installed, type at the boot prompt
      LILO: linux init 1
      Change the root passwd, then reboot again
 If you have installed GRUB
      Type 'e' to go to edit mode, add the init 1 argument at the end
 Boot with Knoppix or a single-floppy Linux
      Mount the disk and change the root passwd
      Reboot !!
Linux System Administration

                     Linux Services

       There are 113 daemons; of them, the following are the most
       widely used:
       apmd : Power Management
       autofs : Automount services
       crond : Periodic Command Scheduler
       cups : Common Unix Printing System
       dhcpd : The DHCP server
       dovecot : IMAP (Internet Message Access Protocol) and POP3
       (Post Office Protocol) server
       gpm : Mouse
       httpd : Apache Web server
Linux System Administration

                       Linux Services
     iptables : Kernel based Packet Filtering firewall
     kudzu: Finds new Hardware
     mysqld : MySQL server
     named : BIND server
     network : Networking
     nfs : Network File Share
     nfslock : NFS file locking
     ntpd : NTP (Network Time Protocol) server
     portmap : RPC (Remote Procedure Call) support
     postgresql : The Postgresql Database Engine
Linux System Administration

                         Linux Services
     sendmail : Sendmail Mail Server
     smb : Samba Network Services
     snmpd : Simple Network Management Protocol
     squid : Squid Proxy Server
     sshd : Open SSH and SFTP server
     syslog : System Logging
     xinetd : Provides support for telnet, ftp, talk, tftp etc.
     ypbind : NIS Server
                      Automating Unix
                       Administration
 You don't want to spend the whole day making sure that all
  servers/workstations and their services are fine
 Use monitoring tools that can alert you to any problem in the
  network
       mon, nagios, cacti, angel
 Create scripts to check the status of servers/services and use cron
  to run them periodically
       Mail the result to the admin
                                        Example script
#!/bin/sh
# Ping the hosts sunfire0 .. sunfire15 and mail the list of unreachable
# ones to the admin. Meant to be run from cron.
machine="sunfire"
down=""
i=0
while [ "$i" -le 15 ]
do
      sun="$machine$i"
      # Solaris ping exits 0 when the host answers (on Linux use "ping -c 1")
      /usr/sbin/ping "$sun" > /dev/null 2>&1
      if [ $? -ne 0 ]
      then
             down="$down:$sun"
      fi
      i=$((i + 1))
done

if [ -n "$down" ]
then
    # strip the leading ':' and print one host per line into the mail body
    echo "${down#:}" | tr : '\012' | /usr/ucb/mail -s "DOWN machines" admin@ccse.kfupm.edu.sa
fi

exit 0
                    NFS Architecture
The VFS layer hides differences between OSes
     It doesn't matter which OS the client or server runs, UNIX
      or Windows, as long as their file systems comply with the
      file system model offered by NFS.
Operations on the VFS are passed either to the local FS
 or to the NFS client, which handles files on the
 remote server.
All client-server communication is done through
 RPCs, with client and server stubs, implemented
 over either UDP or TCP.
NFS Architecture
Stateless vs. Stateful
              NFS (Network File System)
RPC request        Action                              Idempotent

GETATTR            Get file attribute                               YES

SETATTR            Set file attribute                               YES

LOOKUP             File name search                                 YES

ACCESS             Check access                                     YES

READLINK           Read from symbolic link                          YES

READ               Read file                                        YES

WRITE              Write to the file                                YES

COMMIT             Fix server cache data to the disk                YES

CREATE             Create file                                      NO

REMOVE             Remove file                                      NO

RENAME             Rename file                                      NO
              NFS (Network File System)
RPC request        Action                     Idempotent

LINK               Create hard link                        NO

SYMLINK            Create symbolic link                    NO

MKNOD              Create special node                     NO

MKDIR              Create directory                        NO

RMDIR              Remove directory                        NO

READDIR            Read directory                          YES

READDIRPLUS        Extended directory read                 YES

FSSTAT             Get FS dynamic attribute                YES

FSINFO             Get FS static attribute                 YES

PATHCONF           Get POSIX information                   YES
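Why the Idempotent column matters: NFS RPCs over UDP are retransmitted when a reply is lost, and a stateless server simply re-executes whatever arrives. The following added example (written for this page; it is a toy model, not NFS server code) shows a WRITE at an offset surviving a duplicate while a REMOVE or exclusive CREATE returns a misleading error on the retry. The duplicate request cache keyed by the RPC transaction id, modelled here as the optional use_drc flag, is the usual server-side mitigation; it is an assumption of this example rather than something the slides describe.

```python
"""Added example (not from the slides, not real NFS code): a toy model of
RPC retransmission against a stateless server, showing which of the
operations in the tables above survive being executed twice."""

IDEMPOTENT = {"GETATTR", "SETATTR", "LOOKUP", "ACCESS", "READLINK", "READ",
              "WRITE", "COMMIT", "READDIR", "READDIRPLUS", "FSSTAT",
              "FSINFO", "PATHCONF"}
NON_IDEMPOTENT = {"CREATE", "REMOVE", "RENAME", "LINK", "SYMLINK", "MKNOD",
                  "MKDIR", "RMDIR"}


def is_idempotent(op):
    """Classification taken from the two tables above."""
    if op in IDEMPOTENT:
        return True
    if op in NON_IDEMPOTENT:
        return False
    raise KeyError(op)


class ToyNfsServer:
    """Stateless: no per-client session, just the files plus an optional
    duplicate request cache (DRC) keyed by the RPC transaction id (xid).
    The DRC is an assumption of this example."""

    def __init__(self, use_drc=False):
        self.files = {}          # name -> bytearray content
        self.use_drc = use_drc
        self.drc = {}            # xid -> reply already sent

    def handle(self, xid, op, name, *args):
        if self.use_drc and xid in self.drc:
            return self.drc[xid]           # replay the old reply, do not re-execute
        reply = self._execute(op, name, *args)
        if self.use_drc:
            self.drc[xid] = reply
        return reply

    def _execute(self, op, name, *args):
        if op == "READ":
            return ("OK", bytes(self.files[name])) if name in self.files else ("ENOENT", None)
        if op == "WRITE":                  # args = (offset, data); rewriting the same bytes is harmless
            offset, data = args
            buf = self.files.setdefault(name, bytearray())
            buf[offset:offset + len(data)] = data
            return ("OK", len(data))
        if op == "CREATE":                 # exclusive create: a second execution sees the file
            if name in self.files:
                return ("EEXIST", None)
            self.files[name] = bytearray()
            return ("OK", None)
        if op == "REMOVE":                 # a second execution finds nothing to remove
            if name not in self.files:
                return ("ENOENT", None)
            del self.files[name]
            return ("OK", None)
        raise ValueError("unsupported op in this toy: " + op)


def send_with_lost_reply(server, xid, op, name, *args):
    """Client view: the first reply is lost on the wire, so the client
    retransmits the identical request with the same xid.
    Returns (first_reply, retry_reply)."""
    first = server.handle(xid, op, name, *args)
    retry = server.handle(xid, op, name, *args)
    return first, retry


if __name__ == "__main__":
    plain = ToyNfsServer()
    plain.handle(1, "CREATE", "notes")
    print("WRITE  no DRC:", send_with_lost_reply(plain, 2, "WRITE", "notes", 0, b"hi"))
    print("REMOVE no DRC:", send_with_lost_reply(plain, 3, "REMOVE", "notes"))
    cached = ToyNfsServer(use_drc=True)
    cached.handle(1, "CREATE", "notes")
    print("REMOVE + DRC: ", send_with_lost_reply(cached, 3, "REMOVE", "notes"))
```

Without the cache the client that issued the REMOVE sees ENOENT although its request succeeded; with the cache the server recognises the xid and replays the original OK, which is the behaviour the non-idempotent rows of the table depend on.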
        NFS (Network File System)
   Stateless protocol problems:
     Local file systems have state.
     Shared locks are implemented by a user-space daemon,
      rpc.lockd
     Performance problems, because all file system
      modification commands must be committed to disk
      before the RPC request can be positively answered. In
      most cases that is 3 I/O operations.
   The NFSv3 protocol adds asynchronous writes,
    implemented using cookies to control server state
    during asynchronous writes.
       FreeBSD NFS implementation
There are 3 types of leases:
      Non-cache lease – all file system operations
       are performed synchronously with the server
      Read cache lease – lets the client cache data, but does not allow it
       to change the file.
      Write cache lease – lets the client cache write operations for the
       lease time, so data the client has cached will not be written to the
       server synchronously. When the lease time is about to end, the client
       tries to get another lease; if that is not possible, the data
       have to be written to the server.
                   FreeBSD NFS implementation (read cache lease)
[Sequence diagram, kept here only as a summary of its labels: Client A, Server and Client B, with time running downwards. Client A's read system call sends a read request plus lease request; the server answers and records a read cache lease for Client A. A's later reads are served from cache and only cache misses go to the server. On lease timeout A sends a read lease request; the server answers with the same ctime, so the cache stays valid. Client B's read request plus lease adds Client B to the same lease; both clients' leases eventually time out ("Lease expired" on the server).]
                FreeBSD NFS implementation (write cache lease)
[Sequence diagram, summarised from its labels: Server and Client B. Client B's write system call requests a write cache lease; the server answers with one and B caches the written records. B renews the lease with a request before the previous lease expires; the server updates the lease and answers. When the lease times out on the server it asks B for the cached records; lease expiration is held for a moment while the records arrive, and the server answers each record. The lease is released write_slack seconds after the last record.]
                            FreeBSD NFS implementation (non-cache lease)
[Sequence diagram, summarised from its labels: Client A, Server and Client B. Client A holds a read cache lease and serves reads from cache. Client B issues a write system call and obtains a write cache lease, so its writes are cached asynchronously. On lease expiry the server sends a cleanup request and B writes its cached data to the server record by record, then a release message is answered. Client A's next lease request is answered with a non-cache lease, so A's reads now go synchronously to the server; Client B's subsequent write system calls are synchronous writes without cache.]
                          Starting up NFS
 There are three key things you need to start on Linux to make NFS
  work.
       /usr/sbin/rpc.portmap
       /usr/sbin/rpc.mountd
       /usr/sbin/rpc.nfsd


 These things should start up automatically at boot time.
       The file that makes this happen is "/etc/rc.d/rc.inet2"
              rpcinfo -p localhost
                 program vers proto             port
                  100000    2   tcp              111    portmapper
                  100000    2   udp              111    portmapper
                  100005    1   udp              679    mountd
                  100005    1   tcp              681    mountd
                  100003    2   udp             2049    nfs
                  100003    2   tcp             2049    nfs
                  Exporting File System
 To make parts of your file system accessible over the
  network to other systems
      The /etc/exports file must be set up to define which of the local
       directories will be available to remote users and how each is used
        # sample /etc/exports file
        /home/yourname 192.168.12.1(rw)
        / master(rw) trusty(rw,no_root_squash)
        /projects proj*.local.domain(rw)
        /usr *.local.domain(ro) @trusted(rw)
        /home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
        /pub (ro,insecure,all_squash)
        /pub/private (noaccess)

      stop and restart the server
        # /etc/rc.d/init.d/nfs stop
        # /etc/rc.d/init.d/nfs start



                          The NFS Server
 Started through rc script:
  /etc/rc.d/init.d/nfs
  Must be started after:
  /etc/rc.d/init.d/portmap
 Uses these RPC daemons in /usr/sbin:
      rpc.nfsd – main component of the NFS system
      rpc.mountd – handles mount requests
      rpc.quotad – allows for quota enforcement via NFS.
      All of which are started by the nfs rc script when the system starts
 /etc/exports – the main server configuration file
 The above utilities are part of the knfsd .rpm package on
  Linux.
                        /etc/exports
 Contains information about the directory paths and partitions that
  are sharable and hosts they can be shared with.
       i.e. “Any host from .rutgers.edu can access the /home/documents
        directory on my server”
 Entry format:
   /dir/to/export client1(permissions) client2(permissions)
   Sample entry:
   /tmp iti.rutgers.edu(rw) 185.14.237.4(ro)
 Need to run exportfs to inform the NFS server process about
  changes in /etc/exports:
  > /usr/sbin/exportfs -a (exports all entries)
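The entry format just described, and the sample /etc/exports from the Exporting File System slide, are the input for this added example (written for this page; it is not part of the slides or of nfs-utils): a small parser for `path client(options) client(options)` lines and an audit that flags the settings a reviewer checks first, such as no_root_squash, the insecure option, an export with no client restriction, a writable wildcard host pattern and an export of the whole root. SAMPLE_EXPORTS reproduces the slide's sample as constructed input.

```python
"""Added example (not from the slides or nfs-utils): parse /etc/exports and
flag risky export settings. SAMPLE_EXPORTS is the slide's sample file,
reproduced here as constructed input."""
import re

SAMPLE_EXPORTS = """\
# sample /etc/exports file
/home/yourname 192.168.12.1(rw)
/ master(rw) trusty(rw,no_root_squash)
/projects proj*.local.domain(rw)
/usr *.local.domain(ro) @trusted(rw)
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub (ro,insecure,all_squash)
/pub/private (noaccess)
"""

# a client token is  host  or  host(opt,opt)  or  (opt,opt)  with no host
CLIENT_RE = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, client, {options})]. A bare "(options)" token, or a path
    with no client at all, applies to every host and is reported as '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            entries.append((path, "*", set()))
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            host = m.group(1) or "*"
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return findings as (path, client, code, explanation) tuples."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "noaccess" in opts:          # legacy way of blocking a subtree; nothing is exported
            continue
        wildcard = any(c in host for c in "*?")
        if path == "/":
            findings.append((path, host, "root_export",
                             "the whole root file system is exported"))
        if host == "*":
            findings.append((path, host, "world",
                             "no client restriction: any host that can reach the server may mount it"))
        elif wildcard and "rw" in opts:
            findings.append((path, host, "rw_wildcard",
                             "writable by every host matching a wildcard pattern"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash",
                             "remote uid 0 is not mapped to nobody: root on the client is root on this export"))
        if "insecure" in opts:
            findings.append((path, host, "insecure",
                             "requests from unprivileged source ports are accepted (no root needed on the client to send them)"))
    return findings


if __name__ == "__main__":
    for path, host, code, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<14} {host:<20} {code:<15} {why}")
```

Run against the slide's sample, the audit reports the root export to master and trusty (the latter also with no_root_squash), the writable wildcard on /projects and the unrestricted, insecure /pub; the read-only wildcard on /usr and the all_squash entry for /home/joe pass.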
                       The NFS Client
 Requires knfsd-clients .rpm package on Linux.
 Necessary services started from:
  /etc/rc.d/init.d/nfslock
 RPC daemons in /sbin handle file locking between client and
  server:
      rpc.lockd
      rpc.statd
      All are started from the nfslock rc script automatically
 Allows clients to mount remote file systems either using the
  mount command or by placing an entry in the /etc/fstab
  file.
     Local and remote file systems accessible on
                   an NFS client
[Tree diagram, summarised: Server 1 exports /export/people (users big, jon, bob, ...); Server 2 exports /nfs/users (users jim, ann, jane, joe). On the client, /usr holds students (a remote mount of Server1:/export/people), x, and staff (a remote mount of Server2:/nfs/users); vmunix sits beside /usr under the client's root.]

mount -t nfs Server1:/export/people /usr/students
mount -t nfs Server2:/nfs/users     /usr/staff
                                SMB
 SMB is Microsoft’s protocol to share files and printers
       Also renamed CIFS (Common Internet File System)
       Client/Server, no location transparency
       Not the same as Samba: an open source implementation of SMB primarily
        found on UNIX systems (Linux)
       SMB usually runs on NetBIOS (naming + sessions + datagram)
 NetBIOS + SMB developed for LAN use
 A number of other services run on top of SMB
       In particular MS-RPC, a modified variant of DCE-RPC
       Authentication for SMB handled by the NT Domains
        suite of protocols, running on top of MS-RPC
 Protocol stack, top to bottom: NT-Domain, MS-RPC, SMB, NetBIOS, TCP/IP
                   To know more: Timothy D Evans, NetBIOS, NetBEUI, NBF,
                   NBT, NBIPX, SMB, CIFS Networking
                   http://timothydevans.me.uk/nbf2cifs/nbf2cifs.pdf
                Samba Services

 File sharing.
 Printer sharing.
 Client authentication.
                     SMB Protocol

 Request/response.
 Runs atop TCP/IP.
 E.g., file and print operations.
      Open, close, read, write, delete, etc.
      Queuing/dequeuing files in the printer spool.
                  Network Booting

 No need for a hard disk (or a hard disk with Linux) on
  every host
 High level work flow
      The system boots up, maybe from a floppy (could be
       from a hard disk as well)
      Sends a DHCP request for an IP number, gets one
      Mounts the root file system over NFS
            Requirements for Network
                    Booting
   Set up a LAN infrastructure
   Need to set up an NFS server
   Need to set up a DHCP server
   Build a kernel image for network booting
             Set up a LAN infrastructure

[Diagram, summarised: your machine to be booted and the NFS server, connected by Ethernet cables through a hub.]

      Your host, NFS server and DHCP server should be on the
      same LAN
                         Setup nfs server
• Edit the /etc/exports file before starting the nfs server.
   • / 10.114.7.115(rw,no_root_squash)
   • This exports the whole file system with root read/write access to host
     10.114.7.115
• Save your exports file and from the prompt execute the exportfs
  command
• Start the nfs server (nfs daemon)
   • E.g. /etc/rc.d/init.d/nfs start
                   Setup dhcp server
 Add the following to your /etc/dhcpd.conf before starting the dhcp server.

 Set the correct MAC address in /etc/dhcpd.conf as follows:

subnet <subnet address e.g. 10.3.31.0> netmask 255.255.255.0 {
}
subnet 10.10.10.0 netmask 255.255.255.0 {
   host master {
      hardware ethernet <MAC address of your Ethernet card>;
      fixed-address <IP address of your machine e.g. 10.10.10.1>;
      option root-path "<your root path>";
   }
}
 Save your /etc/dhcpd.conf file
 Start the dhcpd daemon with the "/etc/rc.d/init.d/dhcpd start" command
  Build a kernel image for network
              booting
 Linux Kernel compilation steps:
      Assumptions: machine x86 (i386); boot loader lilo.
      Get a plain vanilla kernel from www.kernel.org
      Explode it into a directory (better if you can do it in /usr/src/) => tar -zxvf linux-2.x.xx.tar.gz
      Optional: create a symbolic link: ln -s linux-2.x.xx linux
      cd to the linux directory:
      cd /usr/src/linux or cd /usr/src/linux-2.x.xx
      Select the components to support with make menuconfig or make xconfig and save the
       configuration
         Select IP:BOOTP support from Networking options
         In File system -> Network File System -> select
                 NFS File system support and
                 Root file system on NFS
        Do
              make dep bzImage
              make modules modules_install
 Build a kernel image for network
            booting…
 Copy /usr/src/linux/arch/i386/boot/bzImage
  to /boot
 Run mkbootdisk with the new kernel as argument
 Optional: take a coffee or tea break ?
Just imagine if one day...

Your CEO announces:
 • Company is changing name from "Windoze" to "UsefulNix"
 • TOMORROW!

Your "small part":
 • Update the company website* to reflect that!

Can you deliver this in time?
*: About 20,000 html files.
                      Demo (1/2)
                   - UNIX vs. Windows
• Task 1 : Open a file. Find occurrences of "Windoze".

   Windows: use Ctrl-F at any text editor.

   UNIX: grep -l Windoze fileName


• Task 2 : Find all files in folder A containing "html".

   Windows: Arggghhhh!!! Open all files and check?

   UNIX: find A -type f | xargs grep -l Windoze
                          Demo (2/2)
                        - UNIX vs. Windows

• Task 3 : Open a file. Replace "Windoze" by "UsefulNIX"
     Windows: Use Ctrl + H at any text editor
     UNIX:     perl -pi -e 's/Windoze/UsefulNIX/g'
      fileName

• Task 4 : Find all files in folder A with "html", and replace by
  "UsefulNIX"
     Windows: haizzz....
     UNIX: find A -type f | xargs grep -l Windoze |
      xargs perl -pi -e 's/Windoze/UsefulNIX/g'

See how powerful UNIX is ^^ & the idea of "achieving complex tasks
through small toys"

 Let's learn UNIX !!!

				