Here are some general administration tasks that I find useful to remember.
First see the section on RPM to learn how to install and update software. .
See more sections on Gnu/Linux .
Most of the books you want are free from http://www.linuxdoc.org/ as HOWTO's. Don't assume that you can get something better in the bookstore. Many Linux books in the bookstore are simply bound copies of the publicly available documents.
"Running Linux" from O'Reilly press is the best overall book for anyone getting ready to install Linux for the first time and start playing with it.
As a quick reference, you may prefer a copy of O'Reilly's "Linux in a Nutshell", with concise summaries of all administrative commands. Read it through because many standard Unix commands have great new options. Many new commands become essential.
To understand your Unix system better, get the new edition of "Unix System Administration Handbook," by Nemeth, Snyder, Seebass, and Hein, from Prentice Hall. The new edition covers Linux, and explains where other systems differ. This book is superior to any book specifically for Linux.
For help, I prefer IRC (Internet Relay Chat) on a freenode.net server. See http://www.freenode.net/
whereis, locate, and apropos
to find programs and manuals. Use file
to identify the type of a file.
sudo to run individual commands as
root instead of su root. Add your
username to /etc/sudoers for permission.
lsb_release -a cat /etc/*release cat /etc/issue cat /proc/version uname -a |
$ cat /proc/cpuinfo /proc/meminfo /proc/pci /proc/mounts |
As root you can see most devices with
dmidecode |
List PCI buses and what is attached to them
with lspci.
These virtual files are updated dynamically.
The command procinfo -a will format some
of the information for you.
/etc/sysconfig/i18n
to $HOME/.i18n and modifying it. Look at
this file if your application is complaining
about missing characters. I add
zh_CN.UTF-8 to the SUPPORTED entry. You
can also change the system file for all
users.
zh_CN.UTF-8 to the
SUPPORTED entry in /etc/sysconfig/i18n or
~/.i18n.)
Next create the following file in your home directory.
$ mkdir ~/.xinput.d $ ln -s /etc/X11/xinit/xinput.d/iiimf ~/.xinput.d/default |
Restart X, right click on the tool bar, press "add to panel", select "InputMethod Switcher", and press add. Click once to "Add or Remove" languages from your choices.
See http://fedora.redhat.com/projects/i18n/iiimf-faq.html for more help.
Here is how I started applications
with Chinese input on Fedora Core 1. This
should be unnecessary with later.
$ export LC_ALL=zh_CN ; export LANG=zh_CN.UTF-8 ; XMODIFIERS=@im=chinput
$ locale | grep LANG
$ /usr/bin/chinput
Chinput Version 3.0.2 -- XIM Server
...
$ gedit
$ emacs
$ oowriter
Use control-space to switch to pinyin
mode. Turn off pinyin before exiting;
otherwise, your next application will fail to
switch properly.
/etc/inittab to set your default
runlevel to id:3:initdefault: to boot to
a console and startx to start X11.
shutdown -r now and
shutdown for good with shutdown -h now.
If you are rebooting remotely, you can avoid
a possible hang during shutdown by running
sync to flush file buffers, then reboot
-f -n for an abrupt termination of
services, and a reboot.
quota lists your disk quota.
/usr/X11R6/lib/X11/rgb.txt.
/etc/ld.so.conf instead of to
your LD_LIBRARY_PATH. Type ldconfig
to update your cache.
/etc/rc.d/rc.local. This is much easier
than adding Start and Kill scripts at the
appropriate runlevel /etc/rcd/rc[0-5].d.
echo "/data *(rw,sync)" >> /etc/exports exportfs -a |
Redhat configures their network services
during boot with the script
/etc/rc.d/init.d/network, which gets
network parameters from
/etc/sysconfig/network and calls scripts
in /etc/sysconfig/network-scripts/. See
ifcfg-eth0 and ifcfg-lo. Static
routes can be specified in
/etc/sysconfig/static-routes.
Check the active ip address of eth0 with
ifconfig. After changing the address,
reset with /sbin/ifdown eth0;
/sbin/ifup eth0 or more drastically
/sbin/service network restart.
Identify cluster hostnames most simply by
specifying IP addresses in /etc/hosts.
Use the same file for all nodes, including
the mayor.
Make sure you do not have a protocol mismatch
with mii-tool -v eth0. Duplex mode
mismatches will hurt performance.
Here are examples of my network files on various types of systems.
| type | /etc/sysconfig/network | /etc/sysconfig/network-scripts/ifcfg-eth0 |
|---|---|---|
| DHCP |
NETWORKING=yes HOSTNAME=hong DHCP_HOSTNAME=hong NISDOMAIN=denver.foo.com
|
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes TYPE=Ethernet USERCTL=no PEERDNS=yes
|
| stand-alone (static behind NAT) |
NETWORKING=yes HOSTNAME=solar.denver.foo.com |
DEVICE=eth0 BOOTPROTO=none BROADCAST=111.111.146.95 HWADDR=00:00:00:00:00:00 IPADDR=111.111.146.90 NETMASK=255.255.255.248 NETWORK=111.111.146.88 ONBOOT=yes TYPE=Ethernet GATEWAY=111.111.146.89
|
| cluster #1 node (address in /etc/hosts ) |
NETWORKING=yes FORWARD_IPV4=false NISDOMAIN=denver.foo.com
|
DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp
|
| cluster #2 node |
NETWORKING=yes HOSTNAME=supcl1 NISDOMAIN=denver.foo.com DHCP_HOSTNAME=supcl1
|
DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp
|
All use the same
/etc/sysconfig/network-scripts/ifcfg-lo
DEVICE=lo IPADDR=127.0.0.1 NETMASK=255.0.0.0 NETWORK=127.0.0.0 BROADCAST=127.255.255.255 ONBOOT=yes NAME=loopback |
If you use DNS, then specify your domain,
preferred nameserver lookup order, and
default domain completions in
/etc/resolv.conf:
nameserver 111.111.138.22 nameserver 111.111.138.25 nameserver 111.111.88.36 search foo.com denver.foo.com etc.foo.com |
If you are using NIS, then specify the NIS
server for each domain in /etc/yp.conf on
a line like
domain denver.foo.com server denadmin01 domain denver.foo.com server denadmin02 |
To export a local disk, add a line to
/etc/exports, like
/export/d01 *(rw) |
Restart nfs with
$ sudo service nfs restart |
Exceptionally slow network performance may be due to using half rather than full duplex. Check
$ sudo ethtool eth0 |
Try to get the most recent possible release of any particular distribution. The improvements you see with a new release will be much greater than any differences you find between distributions. Desktops continue to improve greatly.
Once I find the iso's on a mirror, I download with a script like
S="ftp://distro.someplace.org/pub/linux/distributions/fedora/linux/core/2/i386/iso/"
P="me@myaddress.com"
for f in \
MD5SUM \
FC2-i386-disc1.iso \
FC2-i386-disc2.iso \
FC2-i386-disc3.iso \
FC2-i386-disc4.iso \
; do
wget $S$f
done
|
(curl is an advanced alternative to
wget.)
Performing a clean install has gotten so easy
that it doesn't seems worth documenting. Use
a default workstation install, then use
rpm to add additional features from your
disks or iso images. See the section on RPM
elsewhere on this page.
On RedHat and Fedora, both yum and
up2date are great ways to upgrade your
system quickly. Locate on the web a
/etc/yum.conf that points to Fedora
mirrors. You can upgrade all installed
Fedora packages with yum update -y. (I
prepend sudo to avoid logging in as
root.) If you have registered with the
RedHat network, then you can upgrade
everything with up2date --nox -u. These
commands also install new packages if you
know the name of the new package.
Most yum-based systems come preconfigured to
check a few reliable repositories. Check
/etc/yum.repos.d/ to see which are
checked by your system.
For CentOS, I add access to RPMForge, following these directions: https://rpmrepo.org/RPMforge/Using
More repos are tracked here: http://wiki.centos.org/Repositories
Many good rpm's are here: http://dag.wieers.com/rpm/ but they are also available through RPMForge.
Create a list of available packages with
yum list all | tee yum.txt
Some collections can be installed as a group:
sudo yum -y groupinstall "X Software Development"
If you are reinstalling or upgrading, then keep a backup copy of the entire /etc directory on another machine. You may want to compare configuration files later, particularly for the network connection.
You are asked a small number of questions
during installation. If you forget your
answers, you can find most of them again in
in /etc/sysconfig.
On redhat systems, there are tools in
/usr/bin/redhat-config-* or
/usr/bin/system-config-* for configuring
specific devices.
See what pci devices were detected with
lspci.
Check the X configuration with xdpyinfo
or look in /etc/X11/XF86Config*. Check
your specified video card driver in
/etc/sysconfig/hwconf and /proc/pci.
Change your mouse after installation by
running /usr/sbin/mouseconfig. Check the
configuration file /etc/sysconfig/mouse.
/dev/mouse points to the device file for
the mouse.
You can change your default desktop easily
with switchdesk. This only adds a
.Xclients-default to your home directory,
to be used by .Xclients. Look in
/etc/X11/xinit to see the system
defaults.
Your sound may default to a low level. Try
adjusting with aumix. Your menu should
also contain volume controls.
Dual boots are really not worth the trouble, unless you are stuck with a laptop. I prefer to run one OS per machine and connect them with a hub.
I prefer three partitions: one big partition
for root /, one smaller partition for
/home, and a swap partition that is about
2.5 times the size of the resident memory. A
separate partition for /home will allow a
fresh installation without reconstructing the
home directory. Installs do a good job of
defaulting these partitions.
If you need to make a boot floppy for a really old Microsoft box, put in the first CD, and try
C:\> d: D:\> cd \dosutils D:\dosutils> rawrite Enter disk image source file name: ..\images\bootdisk.img Enter target diskette drive: a: Please insert a formatted diskette into drive A: and press -ENTER- : |
Recent kernels are too large to fit on a boot
floppy. If you have an older machine that
will not boot from CD, then first install an
older minimal linux so that you have a boot
loader. Then copy the kernel vmlinuz and
initrd.img onto your /boot partition
from your newer install CD. Modify
/etc/grub.conf or the equivalent lilo
file to boot from it.
Most distributions allow you to specify the name of a time server and be done with it.
Here are nitty gritty details if you must customize that behavior.
If you are on a network with time servers,
add their hostnames, on one line separated by
spaces, to /etc/ntp/step-tickers, like
foohost barhost bazhost. Or modify the
server and fudge lines in
/etc/ntp.conf with a specific server name
like:
server foohost
fudge foohost stratum 10
Start the service with chkconfig ntpd on.
See that it is running with chkconfig
--list.
On redhat, the /etc/ntp.conf file may
direct you to use the gui application
dateconfig, or your changes will be lost.
Restart the time server with
/etc/rc.d/rc3.d/S26ntpd restart or
whatever path is appropriate on your machine.
Synchronize once with another host by typing
$ ntpdate ntp.nasa.gov or $ ntpdate time.nist.gov |
If you don't use time servers, you can reset your hardware clock with
$ hwclock --set --date="5/15/02 19:00:00" |
Use the two digit year, even though we've already passed into the next millenium. (A four digit year will put you in a strange century.) To avoid upsetting running processes, your clock does not reset until the next reboot. Always use local time.
First of all, to eject your CDROM, type
eject. If your CDROM is not visible, try
mounting it with mount /mnt/cdrom
Make a CDROM image (ISO9660) from a file system with
mkisofs -r -J /my/dir/ > image.iso |
(This is faster than specifying the file with -o).
With Gnome, I can right click on the iso and specify "Write to CD".
With a recent kernel, you can easily record from the command line with.
cdrecord -v speed=2 dev=/dev/cdwriter -data image.iso |
You'll need to use sudo or run as
root.
If this doesn't work, you can identify your CD-R device, and burn the iso with
$ cdrecord -scanbus 1,0,0 100) 'HITACHI ' 'DVD-ROM GD-5000 ' '0212' Removable CD-ROM 1,1,0 101) 'SONY ' 'CD-RW CRX220E1 ' '6YS1' Removable CD-ROM ... $ cdrecord -v speed=2 dev=1,1,0 -data image.iso |
Tools for reading music cd's include
cdparanoia, readcd, and gnome-cd
-unique -device /dev/cdrom -play. Play a
dvd with vlc or mplayer. Write or
copy a music CD with xcdroast which is a
GUI wrapper for cdrecord and other
utilities.
Most of these will play an audio CD
digitally, without an audio cable connected
to your CDROM. For example, right click on
the xmms menu for "Options" and
"Preferences." Select the "Audio I/O
Plugins" tab. Highlight "CD Audio Player" in
the panel of "Input plugins" then hit the
"Configure" button. Switch the radio button
for "Play Mode" from "Analog" to "Digital
audio extraction." Hit all the Ok buttons on
your way out. Right click again on the
xmms panel, select "Play File", point at
/mnt/cdrom, and hit the forward play
button.
Most systems now will automatically recognize and mount USB
memory sticks automatically. If yours is not mounted, then look at
/var/log/messages to see if the device was seen at all.
If so, then you just need to solve the problem of mounting.
Look at the rules in /etc/udev/rules.d and see if any apply
to your USB stick. Rules usually key off a product name and
vendor string. You can see what your stick reports by running
lsusb -v. From there, find the rule that udev should use
to mount it. You may have a heretofore unrecognized stick.
If automounting will not work, then you can still mount by hand.
Plug it in to a USB port. Install
sg3_utils. Scan raw SCSI devices and
determine the real SCSI device.
root$ sg_scan -i
/dev/sg0: scsi0 channel=0 id=0 lun=0
IBM-ESXS ST318305LW !# B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0]
/dev/sg1: scsi0 channel=0 id=1 lun=0
IBM-ESXS ST318305LW !# B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0]
/dev/sg2: scsi2 channel=0 id=0 lun=0 [em]
M-Sys Dell Memory Key 4.50 [rmb=1 cmdq=0 pqual=0 pdev=0x0]
root$ sg_map
/dev/sg0 /dev/sda
/dev/sg1 /dev/sdb
/dev/sg2 /dev/sdc
|
From this, I see that the memory key is on
/dev/sdc. /dev/sdc1 specifies the
first, and usually only, partition.
To mount this, first create a mount point, then mount
sudo mkdir /mnt/flash sudo mount -o defaults /dev/sdc1 /mnt/flash |
Or you can add a line to /etc/fstab, so you can mount and
write as any user. You'll need to see what options are supported,
as these change over time.
To examine, change, and format partitions.
root$ fdisk /dev/sdc root$ mkfs -t vfat /dev/sdc1 |
See more at http://vic.gedris.org/linux-UsbMassStorage/ , http://www.linux-usb.org/ , and http://www.cs.sfu.ca/~ggbaker/personal/cf-linux
A device that refuses to mount might be using a faster USB 2
protocol than supported by the device. The log message should
mention a new high speed USB device using ehci_hcd and
address ...
There still seem to be intermittent problems mounting these, even when the device supports USB2. Try reloading the appropriate kernel module:
sync sudo modprobe ehci_hcd |
For some reason, this often triggers the correct remounting of all USB2 devices.
For extra emphasis, you can first remove the module: sudo
rmmod ehci_hcd, which first causes all USB devices to be
mounted at the lower speed. Then add the module back.
For NTFS, install the following packages: fuse, dkms, dkms-fuse, fuse-ntfs-3g Mount and unmount with the following.
mkdir /mnt/ntfs ntfs-3g /dev/sdc1 /mnt/ntfs # read-write ntfs-3g /dev/sdc1 /mnt/ntfs -o ro # read only umount /mnt/ntfs |
You should get around 1Mb/sec transfer rate
with flash memory. First find out what
device your flash is attached to with df
/media/usbdisk. Then check the raw device
transfer rate with sudo hdparm -t
/dev/sda1. If the hardware is fast, and
your file copies are much slower, then your
problem is software. Look at lsmod while
the flash is attached, and be sure you are
using usb_storage instead of the slower
ub. See that the proper module is loaded
with lsmod | egrep ehci_hcd. Look at
sudo lsusb -v | less to see that you are
using USB 2 instead of 1. You should also
see ehci_hcd listed after the kernel. If
these are all right, then you may be better
off disabling syncing during writes. See if
the usb drive shows up with mount | grep
sync. See if sync is specified in
/etc/fstab for the usb drive. If so,
disable it in /etc/fstab or by examining
man fstab-sync. A copy may appear to
occur instantaneously, but much of the file
may be cached in memory. You still need to
sync from the command line to finish the
write, but this should occur at near the
maximum rate for a single write. Finally, as
usual, umount /media/usbdisk before
disconnecting.
An external hard drive is much easier to handle. Mine came as nfts. I formatted to a Linux filesystem like this.
root$ mkfs -t ext4 /dev/sdc1 |
If you want to delete or add partitions, you can use fdisk
root$ fdisk /dev/sdc1 |
EncFS is an excellent way to encrypt files that you may carry around with you on a portable USB drive.
Most of what you need to know can be found at http://www.arg0.net/encfs
If you have permission problems, add yourself to the fuse
group in /etc/groups and
sudo chgrp fuse /usr/bin/fusermount sudo chmod 4755 /usr/bin/fusermount |
Make sure the fuse modele is loaded with
lsmod | grep fuse modprobe fuse |
For digital cameras, try http://www.gphoto.org/ .
Set up a cups printer by modifying the
ServerName in /etc/cups/client.conf.
See which printers are available with
lpstat -t and print with lp -d
PRINTER_NAME file
Set default printer options like this:
lpoptions -o sides=two-sided-long-edge
See more on cups at http://localhost:631/ .
Check your system for rootkit vulnerabilities
by installing rkhunter and
chkrootkit.
For firewalls, the best single reference is the book "Linux Firewalls" by Robert L. Ziegler, from New Riders press.
I now use a hardware firewall, and don't rely
on the built-in packet filtering of
iptables. Do not connect to the internet
until you have some firewall in place.
Distributions should all now have a simple
interface that let you manipulate the rules
of the underlying iptables. Look for it
on your menu bar. In the past, I exported
only ssh and let iptables to block
all other connections on all other ports.
Use ssh and scp instead of telnet
and ftp for your own use.
See what packet filtering you have turned on
with iptables --list either with sudo
or as root.
See what services are running (at various
runlevels) with chkconfig --list or more
directly
/sbin/service --status-all | grep running |
Disable services you don't need. Anyone able to connect to these ports can for weaknesses like buffer overflows in these services. Useless daemons also waste resources.
Stop services with
/sbin/service sendmail stop |
And prevent a service from being started at your runlevel by removing the startup script, such as
rm /etc/rc.d/rc3.d/S80sendmail |
You can manipulate the symbolic links in the
runlevel directory by using chkconfig.
See what services are running (at various
runlevels) with chkconfig --list'.
Disable with chkconfig sendmail off.
See what ports you have open for TCP services with
netstat -pta | grep LISTEN |
Match ports to services by looking at
/etc/services and /etc/protocols.
Check your machine for vulnerabilities at
sites that will scan your ports, like
http://grc.com/ . Then look
at your log files in /var/log/messages* to
see the ignored packets. Use nslookup
IP_ADDRESS and tracepath IP_ADDRESS to
see where the packets came from.
Scan your own ports with nmap, which you
can get from http://www.insecure.org/nmap/
This will label the available ports for you.
Use the flags nmap -sT -P0 (IP_ADDRESS)
if you are able to scan your machine from an
unpriviledged domain.
SSH is usually installed and functional with a default install.
Provide automatic access for one machine at a
time. Set up a custom configuration by
copying cp /etc/ssh/ssh_config
$HOME/.ssh/config and editing. My defaults
use dsa, so I run ssh-keygen -t dsa and
provide a passphrase. This creates a
id_dsa and id_dsa.pub in
$HOME/.ssh. Copy the public key in
id_dsa.pub into
/$HOME/.ssh/authorized_keys on a remote
machine. You can do this with
ssh-copy-id -i $HOME/.ssh/id_dsa.pub remote_host.
Now go to that remote machine and
ssh back. It should ask for your passphrase
instead of your password. If not, your
configuration files are not compatible with
your choice of keys and protocol. Try
creating keys for rsa and rsa1 too. Add them
all to authorized_keys
When it works, then you can now start a user agent to manage your login. Try this
$ ssh-agent | grep -v echo | tee ~/.myssh $ ssh-add Enter passphrase for /home/me/.ssh/id_dsa: Identity added: /home/me/.ssh/id_dsa (/home/me/.ssh/id_dsa) $ ssh-add -l |
The first command starts an agent and saves two environment
variables SSH_AUTH_SOCK and SSH_AGENT_PID in
a file ~/.myssh
Now any shell can source this file and ssh to authorized hosts without typing a password.
Naturally I put the above commands in a script. I run it once after rebooting a machine.
In my .bashrc file, I source this file
if [ -f "$HOME/.myssh" ] ; then . $HOME/.myssh fi |
Bill Harlan, 2002-2007
Return to parent directory.