# Gnu/Linux Administration

Here are some general administration tasks that I find useful to remember. First see the section on RPM to learn how to install and update software. See more sections on Gnu/Linux.

** Books **

Most of the books you want are free from http://www.linuxdoc.org/ as HOWTOs. Don't assume that you can get something better in the bookstore. Many Linux books in the bookstore are simply bound copies of the publicly available documents.

"Running Linux" from O'Reilly press is the best overall book for anyone getting ready to install Linux for the first time and start playing with it. As a quick reference, you may prefer a copy of O'Reilly's "Linux in a Nutshell", with concise summaries of all administrative commands. Read it through because many standard Unix commands have great new options. Many new commands become essential.

To understand your Unix system better, get the new edition of "Unix System Administration Handbook," by Nemeth, Snyder, Seebass, and Hein, from Prentice Hall. The new edition covers Linux, and explains where other systems differ. This book is superior to any book specifically for Linux.

For help, I prefer IRC (Internet Relay Chat) on a freenode.net server. See http://www.freenode.net/

** A few administration commands **

o Use ``whereis'', ``locate'', and ``apropos'' to find programs and manuals. Use ``file'' to identify the type of a file.

o Use ``sudo'' to run individual commands as root instead of ``su root''. Add your username to ``/etc/sudoers'' for permission.

o To see what distribution, release, kernel, and gcc version your system is using, type
=>
lsb_release -a
cat /etc/*release
cat /etc/issue
cat /proc/version
uname -a
<=

o To get info on your hardware, look at the proc directory, for example
=>
$ cat /proc/cpuinfo /proc/meminfo /proc/pci /proc/mounts
<=
As root you can see most devices with
=>
dmidecode
<=
List PCI buses and what is attached to them with ``lspci''. These virtual files are updated dynamically.
The command ``procinfo -a'' will format some of the information for you.

o You can change your default character encoding by copying ``/etc/sysconfig/i18n'' to ``$HOME/.i18n'' and modifying it. Look at this file if your application is complaining about missing characters. I add ``zh_CN.UTF-8'' to the SUPPORTED entry. You can also change the system file for all users.

o Here is how I enabled multiple language input methods on Fedora Core 3 and CentOS 4. Preferably, select supported languages during installation. Otherwise you may have to find extra resources for each. (If you did a complete install but didn't add extra language support, then you may only need to add entries like ``zh_CN.UTF-8'' to the SUPPORTED entry in ``/etc/sysconfig/i18n'' or ``~/.i18n''.) Next create the following link in your home directory.
=>
$ mkdir ~/.xinput.d
$ ln -s /etc/X11/xinit/xinput.d/iiimf ~/.xinput.d/default
<=
Restart X, right click on the tool bar, press "add to panel", select "InputMethod Switcher", and press add. Click once to "Add or Remove" languages from your choices. See http://fedora.redhat.com/projects/i18n/iiimf-faq.html for more help.

Here is how I started applications with Chinese input on Fedora Core 1. This should be unnecessary with later releases.
=>
$ export LC_ALL=zh_CN ; export LANG=zh_CN.UTF-8 ; export XMODIFIERS=@im=chinput
$ locale | grep LANG
$ /usr/bin/chinput
Chinput Version 3.0.2 -- XIM Server
...
$ gedit
$ emacs
$ oowriter
<=
Use ``control-space'' to switch to pinyin mode. Turn off pinyin before exiting; otherwise, your next application will fail to switch properly.

o Edit ``/etc/inittab'' to set your default runlevel to ``id:3:initdefault:'' to boot to a console and ``startx'' to start X11.

o Reboot with ``shutdown -r now'' and shut down for good with ``shutdown -h now''. If you are rebooting remotely, you can avoid a possible hang during shutdown by running ``sync'' to flush file buffers, then ``reboot -f -n'' for an abrupt termination of services and a reboot.
o ``quota'' lists your disk quota.

o Definitions of colors by red/green/blue values are in ``/usr/X11R6/lib/X11/rgb.txt''.

o You can add directories containing shared objects to ``/etc/ld.so.conf'' instead of to your ``LD_LIBRARY_PATH''. Type ``ldconfig'' to update your cache.

o To run something at boot time after all other init scripts, modify ``/etc/rc.d/rc.local''. This is much easier than adding Start and Kill scripts at the appropriate runlevel in ``/etc/rc.d/rc[0-5].d''.

o To export a disk, the following may be sufficient. (You must already have nfs and an automounter running.) Note that ``*'' exports to every host that can reach the server; list specific hosts or networks when you can.
=>
echo "/data *(rw,sync)" >> /etc/exports
exportfs -a
<=

** Network service configuration **

Redhat configures their network services during boot with the script ``/etc/rc.d/init.d/network'', which gets network parameters from ``/etc/sysconfig/network'' and calls scripts in ``/etc/sysconfig/network-scripts/''. See ``ifcfg-eth0'' and ``ifcfg-lo''. Static routes can be specified in ``/etc/sysconfig/static-routes''.

Check the active ip address of eth0 with ``ifconfig''. After changing the address, reset with ``/sbin/ifdown eth0; /sbin/ifup eth0'' or more drastically ``/sbin/service network restart''.

Identify cluster hostnames most simply by specifying IP addresses in ``/etc/hosts''. Use the same file for all nodes, including the mayor. Make sure you do not have a protocol mismatch with ``mii-tool -v eth0''. Duplex mode mismatches will hurt performance.

Here are examples of my network files on various types of systems.
DHCP

/etc/sysconfig/network
=>
NETWORKING=yes
HOSTNAME=hong
DHCP_HOSTNAME=hong
NISDOMAIN=denver.foo.com
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
<=

stand-alone (static behind NAT)

/etc/sysconfig/network
=>
NETWORKING=yes
HOSTNAME=solar.denver.foo.com
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
BOOTPROTO=none
BROADCAST=111.111.146.95
HWADDR=00:00:00:00:00:00
IPADDR=111.111.146.90
NETMASK=255.255.255.248
NETWORK=111.111.146.88
ONBOOT=yes
TYPE=Ethernet
GATEWAY=111.111.146.89
<=

cluster #1 node (address in /etc/hosts)

/etc/sysconfig/network
=>
NETWORKING=yes
FORWARD_IPV4=false
NISDOMAIN=denver.foo.com
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
<=

cluster #2 node

/etc/sysconfig/network
=>
NETWORKING=yes
HOSTNAME=supcl1
NISDOMAIN=denver.foo.com
DHCP_HOSTNAME=supcl1
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
<=
All use the same ``/etc/sysconfig/network-scripts/ifcfg-lo''
==>
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
<==

If you use DNS, then specify your domain, preferred nameserver lookup order, and default domain completions in ``/etc/resolv.conf'':
==>
nameserver 111.111.138.22
nameserver 111.111.138.25
nameserver 111.111.88.36
search foo.com denver.foo.com etc.foo.com
<==

If you are using NIS, then specify the NIS server for each domain in ``/etc/yp.conf'' on lines like
=>
domain denver.foo.com server denadmin01
domain denver.foo.com server denadmin02
<=

To export a local disk, add a line to ``/etc/exports'', like
=>
/export/d01 *(rw)
<=
Restart ``nfs'' with
=>
$ sudo service nfs restart
<=

Exceptionally slow network performance may be due to using half rather than full duplex. Check
=>
$ sudo ethtool eth0
<=

** Installing a distribution **

Try to get the most recent possible release of any particular distribution. The improvements you see with a new release will be much greater than any differences you find between distributions. Desktops continue to improve greatly.

Once I find the iso's on a mirror, I download with a script like
=>
S="ftp://distro.someplace.org/pub/linux/distributions/fedora/linux/core/2/i386/iso/"
P="me@myaddress.com"
for f in \
  MD5SUM \
  FC2-i386-disc1.iso \
  FC2-i386-disc2.iso \
  FC2-i386-disc3.iso \
  FC2-i386-disc4.iso \
  ; do
  wget $S$f
done
<=
(``curl'' is an advanced alternative to ``wget''.)

Performing a clean install has gotten so easy that it doesn't seem worth documenting. Use a default workstation install, then use ``rpm'' to add additional features from your disks or iso images. See the section on RPM elsewhere on this page.

On RedHat and Fedora, both ``yum'' and ``up2date'' are great ways to upgrade your system quickly. Locate on the web a ``/etc/yum.conf'' that points to Fedora mirrors. You can upgrade all installed Fedora packages with ``yum update -y''.
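The download script above fetches the mirror's MD5SUM file alongside the ISOs but never compares them. The following is an added example, not code from the original page: a small shell script that does the comparison before anything is burned or installed, treating an image with no checksum line as a failure rather than skipping it. The mirror URL and image names are the placeholders from the page's own script; the helper names (``verify_checksums'', ``fetch_and_verify'') are mine. MD5 no longer resists deliberate collisions, so prefer a SHA-256 list where the mirror publishes one, but the check still catches a truncated, corrupted or swapped download.

```shell
#!/bin/sh
# Added example (not from the original page): fetch installation images and
# check each against the mirror's MD5SUM list before burning or installing.
# The mirror URL and image names used below are placeholders.

# verify_checksums SUMFILE FILE...
# Exit 0 only if every FILE has a line in SUMFILE and its digest matches.
# A file with no line at all counts as a failure: a replaced image is more
# likely to arrive with its checksum line dropped than with a matching one.
verify_checksums() {
    sumfile=$1; shift
    status=0
    for f in "$@"; do
        base=$(basename "$f")
        # GNU md5sum format: "<hex>  <name>"; some lists prefix the name with "*"
        expected=$(awk -v n="$base" '{ sub(/^\*/, "", $2) } $2 == n { print $1 }' "$sumfile")
        if [ -z "$expected" ]; then
            echo "MISSING  $base: no entry in $sumfile" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$f" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $base"
        else
            echo "MISMATCH $base: expected $expected, got $actual" >&2
            status=1
        fi
    done
    return $status
}

# fetch_and_verify MIRROR_URL IMAGE...
# Downloads MD5SUM plus the images into the current directory, then verifies.
fetch_and_verify() {
    mirror=$1; shift
    for f in MD5SUM "$@"; do
        wget -q "$mirror$f" || { echo "download of $f failed" >&2; return 1; }
    done
    verify_checksums MD5SUM "$@"
}

# Usage with the page's placeholder mirror (needs network, so left commented):
# fetch_and_verify "ftp://distro.someplace.org/pub/linux/distributions/fedora/linux/core/2/i386/iso/" \
#     FC2-i386-disc1.iso FC2-i386-disc2.iso FC2-i386-disc3.iso FC2-i386-disc4.iso

# Offline demonstration on a constructed image and checksum list.
demo_dir=$(mktemp -d)
( cd "$demo_dir"
  printf 'constructed sample image\n' > sample.iso
  md5sum sample.iso > MD5SUM
  verify_checksums MD5SUM sample.iso
  printf 'extra bytes\n' >> sample.iso        # simulate a corrupted download
  verify_checksums MD5SUM sample.iso || echo "verification failed, as it should"
)
rm -rf "$demo_dir"
```

Run the checks inside the directory holding the downloads, and only mount or burn an image after ``verify_checksums'' has returned zero.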
I prepend ``sudo'' to these commands to avoid logging in as root. If you have registered with the RedHat network, then you can upgrade everything with ``up2date --nox -u''. These commands also install new packages if you know the name of the new package.

Most yum-based systems come preconfigured to check a few reliable repositories. Check ``/etc/yum.repos.d/'' to see which are checked by your system. For CentOS, I add access to RPMForge, following these directions: https://rpmrepo.org/RPMforge/Using

More repos are tracked here: http://wiki.centos.org/Repositories

Many good rpm's are here: http://dag.wieers.com/rpm/ but they are also available through RPMForge.

Create a list of available packages with ``yum list all | tee yum.txt''. Some collections can be installed as a group: ``sudo yum -y groupinstall "X Software Development"''.

If you are reinstalling or upgrading, then keep a backup copy of the entire /etc directory on another machine. You may want to compare configuration files later, particularly for the network connection.

You are asked a small number of questions during installation. If you forget your answers, you can find most of them again in ``/etc/sysconfig''. On redhat systems, there are tools in ``/usr/bin/redhat-config-*'' or ``/usr/bin/system-config-*'' for configuring specific devices. See what pci devices were detected with ``lspci''. Check the X configuration with ``xdpyinfo'' or look in ``/etc/X11/XF86Config*''. Check your specified video card driver in ``/etc/sysconfig/hwconf'' and ``/proc/pci''.

Change your mouse after installation by running ``/usr/sbin/mouseconfig''. Check the configuration file ``/etc/sysconfig/mouse''. ``/dev/mouse'' points to the device file for the mouse.

You can change your default desktop easily with ``switchdesk''. This only adds a ``.Xclients-default'' to your home directory, to be used by ``.Xclients''. Look in ``/etc/X11/xinit'' to see the system defaults.

Your sound may default to a low level. Try adjusting with ``aumix''.
Your menu should also contain volume controls.

Dual boots are really not worth the trouble, unless you are stuck with a laptop. I prefer to run one OS per machine and connect them with a hub.

I prefer three partitions: one big partition for root ``/'', one smaller partition for ``/home'', and a swap partition that is about 2.5 times the size of the resident memory. A separate partition for ``/home'' will allow a fresh installation without reconstructing the home directory. Installs do a good job of defaulting these partitions.

* Boot floppies *

If you need to make a boot floppy for a really old Microsoft box, put in the first CD, and try
=>
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name: ..\images\bootdisk.img
Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
<=
Recent kernels are too large to fit on a boot floppy. If you have an older machine that will not boot from CD, then first install an older minimal linux so that you have a boot loader. Then copy the kernel ``vmlinuz'' and ``initrd.img'' onto your ``/boot'' partition from your newer install CD. Modify ``/etc/grub.conf'' or the equivalent lilo file to boot from it.

* Time servers *

Most distributions allow you to specify the name of a time server and be done with it. Here are nitty gritty details if you must customize that behavior.

If you are on a network with time servers, add their hostnames, on one line separated by spaces, to ``/etc/ntp/step-tickers'', like ``foohost barhost bazhost''. Or modify the ``server'' and ``fudge'' lines in ``/etc/ntp.conf'' with a specific server name like:
=>
server foohost
fudge foohost stratum 10
<=
Enable the service at boot with ``chkconfig ntpd on''. See that it is enabled with ``chkconfig --list''. On redhat, the ``/etc/ntp.conf'' file may direct you to use the gui application ``dateconfig'', or your changes will be lost.
Restart the time server with ``/etc/rc.d/rc3.d/S26ntpd restart'' or whatever path is appropriate on your machine. Synchronize once with another host by typing
=>
$ ntpdate ntp.nasa.gov
or
$ ntpdate time.nist.gov
<=
If you don't use time servers, you can reset your hardware clock with
=>
$ hwclock --set --date="5/15/02 19:00:00"
<=
Use the two digit year, even though we've already passed into the next millennium. (A four digit year will put you in a strange century.) To avoid upsetting running processes, your clock does not reset until the next reboot. Always use local time.

** Devices **

* CD readers and writers *

First of all, to eject your CDROM, type ``eject''. If your CDROM is not visible, try mounting it with ``mount /mnt/cdrom''.

Make a CDROM image (ISO9660) from a file system with
=>
mkisofs -r -J /my/dir/ > image.iso
<=
(This is faster than specifying the file with -o.) With Gnome, I can right click on the iso and specify "Write to CD". With a recent kernel, you can easily record from the command line with
=>
cdrecord -v speed=2 dev=/dev/cdwriter -data image.iso
<=
You'll need to use ``sudo'' or run as ``root''. If this doesn't work, you can identify your CD-R device, and burn the iso with
=>
$ cdrecord -scanbus
        1,0,0   100) 'HITACHI ' 'DVD-ROM GD-5000 ' '0212' Removable CD-ROM
        1,1,0   101) 'SONY    ' 'CD-RW CRX220E1  ' '6YS1' Removable CD-ROM
        ...
$ cdrecord -v speed=2 dev=1,1,0 -data image.iso
<=
Tools for reading music cd's include ``cdparanoia'', ``readcd'', and ``gnome-cd -unique -device /dev/cdrom -play''. Play a dvd with ``vlc'' or ``mplayer''. Write or copy a music CD with ``xcdroast'', which is a GUI wrapper for ``cdrecord'' and other utilities.

Most of these will play an audio CD digitally, without an audio cable connected to your CDROM. For example, right click on the ``xmms'' menu for "Options" and "Preferences." Select the "Audio I/O Plugins" tab. Highlight "CD Audio Player" in the panel of "Input plugins" then hit the "Configure" button.
Switch the radio button for "Play Mode" from "Analog" to "Digital audio extraction." Hit all the Ok buttons on your way out. Right click again on the ``xmms'' panel, select "Play File", point at ``/mnt/cdrom'', and hit the forward play button.

* USB mass storage device *

Most systems now will automatically recognize and mount USB memory sticks. If yours is not mounted, then look at ``/var/log/messages'' to see if the device was seen at all. If so, then you just need to solve the problem of mounting. Look at the rules in ``/etc/udev/rules.d'' and see if any apply to your USB stick. Rules usually key off a product name and vendor string. You can see what your stick reports by running ``lsusb -v''. From there, find the rule that udev should use to mount it. You may have a heretofore unrecognized stick.

If automounting will not work, then you can still mount by hand. Plug it in to a USB port. Install ``sg3_utils''. Scan raw SCSI devices and determine the real SCSI device.
=>
root$ sg_scan -i
/dev/sg0: scsi0 channel=0 id=0 lun=0
    IBM-ESXS  ST318305LW    !#  B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0]
/dev/sg1: scsi0 channel=0 id=1 lun=0
    IBM-ESXS  ST318305LW    !#  B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0]
/dev/sg2: scsi2 channel=0 id=0 lun=0 [em]
    M-Sys     Dell Memory Key  4.50 [rmb=1 cmdq=0 pqual=0 pdev=0x0]
root$ sg_map
/dev/sg0  /dev/sda
/dev/sg1  /dev/sdb
/dev/sg2  /dev/sdc
<=
From this, I see that the memory key is on ``/dev/sdc''. ``/dev/sdc1'' specifies the first, and usually only, partition. To mount this, first create a mount point, then mount
=>
sudo mkdir /mnt/flash
sudo mount -o defaults /dev/sdc1 /mnt/flash
<=
Or you can add a line to ``/etc/fstab'', so you can mount and write as any user. You'll need to see what options are supported, as these change over time.

To examine, change, and format partitions:
=>
root$ fdisk /dev/sdc
root$ mkfs -t vfat /dev/sdc1
<=
See more at http://vic.gedris.org/linux-UsbMassStorage/ , http://www.linux-usb.org/ , and http://www.cs.sfu.ca/~ggbaker/personal/cf-linux

* Wrong USB speed *

A device that refuses to mount might be using a faster USB 2 protocol than supported by the device. The log message should mention a ``new high speed USB device using ehci_hcd and address ...''. There still seem to be intermittent problems mounting these, even when the device supports USB2. Try reloading the appropriate kernel module:
=>
sync
sudo modprobe ehci_hcd
<=
For some reason, this often triggers the correct remounting of all USB2 devices. For extra emphasis, you can first remove the module with ``sudo rmmod ehci_hcd'', which first causes all USB devices to be mounted at the lower speed. Then add the module back.

For NTFS, install the following packages: fuse, dkms, dkms-fuse, fuse-ntfs-3g. Mount and unmount with the following.
=>
mkdir /mnt/ntfs
ntfs-3g /dev/sdc1 /mnt/ntfs          # read-write
ntfs-3g /dev/sdc1 /mnt/ntfs -o ro    # read only
umount /mnt/ntfs
<=

* USB Mass Storage is too slow *

You should get around 1Mb/sec transfer rate with flash memory. First find out what device your flash is attached to with ``df /media/usbdisk''. Then check the raw device transfer rate with ``sudo hdparm -t /dev/sda1''. If the hardware is fast, and your file copies are much slower, then your problem is software. Look at ``lsmod'' while the flash is attached, and be sure you are using ``usb_storage'' instead of the slower ``ub''. See that the proper module is loaded with ``lsmod | egrep ehci_hcd''. Look at ``sudo lsusb -v | less'' to see that you are using USB 2 instead of 1. You should also see ``ehci_hcd'' listed after the kernel.

If these are all right, then you may be better off disabling syncing during writes. See if the usb drive shows up with ``mount | grep sync''. See if ``sync'' is specified in ``/etc/fstab'' for the usb drive.
If so, disable it in ``/etc/fstab'' or by examining ``man fstab-sync''. A copy may appear to occur instantaneously, but much of the file may be cached in memory. You still need to ``sync'' from the command line to finish the write, but this should occur at near the maximum rate for a single write. Finally, as usual, ``umount /media/usbdisk'' before disconnecting.

An external hard drive is much easier to handle. Mine came as ntfs. I formatted to a Linux filesystem like this.
=>
root$ mkfs -t ext4 /dev/sdc1
<=
If you want to delete or add partitions, you can use ``fdisk'' on the whole disk
=>
root$ fdisk /dev/sdc
<=

* EncFS *

EncFS is an excellent way to encrypt files that you may carry around with you on a portable USB drive. Most of what you need to know can be found at http://www.arg0.net/encfs

If you have permission problems, add yourself to the fuse group in ``/etc/group'' and
=>
sudo chgrp fuse /usr/bin/fusermount
sudo chmod 4755 /usr/bin/fusermount
<=
(Mode 4755 lets every user run the setuid binary; 4750 would restrict it to members of the fuse group.) Make sure the ``fuse'' module is loaded with
=>
lsmod | grep fuse
modprobe fuse
<=

* Digital cameras *

For digital cameras, try http://www.gphoto.org/ .

* CUPS Printer *

Set up a cups printer by modifying the ``ServerName'' in ``/etc/cups/client.conf''. See which printers are available with ``lpstat -t'' and print with ``lp -d PRINTER_NAME file''. Set default printer options like this: ``lpoptions -o sides=two-sided-long-edge''. See more on cups at http://localhost:631/ .

** Security **

Check your system for rootkits by installing ``rkhunter'' and ``chkrootkit''.

For firewalls, the best single reference is the book "Linux Firewalls" by Robert L. Ziegler, from New Riders press. I now use a hardware firewall, and don't rely on the built-in packet filtering of ``iptables''. Do not connect to the internet until you have some firewall in place. Distributions should all now have a simple interface that lets you manipulate the rules of the underlying ``iptables''. Look for it on your menu bar.
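Whatever the firewall, it helps to know what it is protecting: the TCP services listening on non-loopback addresses (the ``netstat -pta | grep LISTEN'' check on this page) and the NFS exports that are open to every host or skip root squashing (the ``/etc/exports'' lines on this page use ``*''). The following is an added example, not code from the original page: two shell functions that run these audits over ``netstat -ptan`` style output and an exports file. The sample outputs are constructed and the helper names (``exposed_listeners'', ``risky_exports'') are mine.

```shell
#!/bin/sh
# Added example (not from the original page): turn "see what is listening"
# and "check what you export" into repeatable audits. Samples are constructed.

# exposed_listeners [FILE]
# Reads "netstat -ptan" style output (FILE or stdin) and prints "port program"
# for every TCP socket in LISTEN state bound to something other than the
# loopback address. These are the ports a remote host can reach.
exposed_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "::1") {
            prog = $7; sub(/^[0-9]+\//, "", prog)   # "812/sshd" -> "sshd"
            print port, prog
        }
    }' "$@"
}

# risky_exports [FILE]
# Reads /etc/exports (FILE or stdin) and prints every non-comment line that
# exports to any host ("*") or sets no_root_squash, which lets root on the
# client act as root on the exported tree.
risky_exports() {
    awk '!/^[[:space:]]*#/ && NF >= 2 {
        for (i = 2; i <= NF; i++) {
            client = $i; sub(/\(.*$/, "", client)       # strip "(rw,sync)"
            if (client == "*" || $i ~ /no_root_squash/) { print; break }
        }
    }' "$@"
}

# Demonstration on constructed samples. On a live system use instead:
#   sudo netstat -ptan | exposed_listeners
#   risky_exports /etc/exports
echo "== TCP listeners reachable from the network =="
exposed_listeners <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/portmap
tcp        0      0 192.168.1.5:22          192.168.1.9:51322       ESTABLISHED 1203/sshd
EOF
echo "== exports open to any host or without root squashing =="
risky_exports <<'EOF'
# constructed /etc/exports
/data *(rw,sync)
/export/d01 192.168.1.0/24(rw,sync)
/srv/backup node1(rw,no_root_squash)
EOF
```

On the sample, sendmail bound to 127.0.0.1 is not reported while sshd and portmap on 0.0.0.0 are; anything in the first list that you do not recognize is a candidate for ``chkconfig ... off'', and anything in the second list should be narrowed to the hosts that actually need it.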
In the past, I exported only ``ssh'' and let ``iptables'' block all other connections on all other ports. Use ``ssh'' and ``scp'' instead of ``telnet'' and ``ftp'' for your own use. See what packet filtering you have turned on with ``iptables --list'' either with ``sudo'' or as root.

See what services are running (at various runlevels) with ``chkconfig --list'' or more directly
=>
/sbin/service --status-all | grep running
<=
Disable services you don't need. Anyone able to connect to these ports can probe for weaknesses like buffer overflows in these services. Useless daemons also waste resources. Stop services with
=>
/sbin/service sendmail stop
<=
And prevent a service from being started at your runlevel by removing the startup script, such as
=>
rm /etc/rc.d/rc3.d/S80sendmail
<=
You can manipulate the symbolic links in the runlevel directory by using ``chkconfig''. See what services are enabled (at various runlevels) with ``chkconfig --list''. Disable with ``chkconfig sendmail off''.

See what ports you have open for TCP services with
=>
netstat -pta | grep LISTEN
<=
Match ports to services by looking at ``/etc/services'' and ``/etc/protocols''. Check your machine for vulnerabilities at sites that will scan your ports, like http://grc.com/ . Then look at your log files in /var/log/messages* to see the ignored packets. Use ``nslookup IP_ADDRESS'' and ``tracepath IP_ADDRESS'' to see where the packets came from. Scan your own ports with ``nmap'', which you can get from http://www.insecure.org/nmap/ This will label the available ports for you. Use the flags ``nmap -sT -P0 (IP_ADDRESS)'' if you are able to scan your machine from an unprivileged domain.

* SSH *

SSH is usually installed and functional with a default install. Provide automatic access for one machine at a time. Set up a custom configuration by copying ``cp /etc/ssh/ssh_config $HOME/.ssh/config'' and editing. My defaults use dsa, so I run ``ssh-keygen -t dsa'' and provide a passphrase.
This creates ``id_dsa'' and ``id_dsa.pub'' in ``$HOME/.ssh''. Copy the public key in ``id_dsa.pub'' into ``$HOME/.ssh/authorized_keys'' on a remote machine. You can do this with ``ssh-copy-id -i $HOME/.ssh/id_dsa.pub remote_host''. Now go to that remote machine and ssh back. It should ask for your passphrase instead of your password. If not, your configuration files are not compatible with your choice of keys and protocol. Try creating keys for rsa and rsa1 too. Add them all to ``authorized_keys''. (rsa1 keys serve the old protocol 1, which is best left disabled on any server that still offers it.)

When it works, you can start a user agent to manage your login. Try this
=>
$ ssh-agent | grep -v echo | tee ~/.myssh
$ . ~/.myssh
$ ssh-add
Enter passphrase for /home/me/.ssh/id_dsa:
Identity added: /home/me/.ssh/id_dsa (/home/me/.ssh/id_dsa)
$ ssh-add -l
<=
The first command starts an agent and saves two environment variables ``SSH_AUTH_SOCK'' and ``SSH_AGENT_PID'' in a file ``~/.myssh''. Now any shell can source this file and ssh to authorized hosts without typing a password. Naturally I put the above commands in a script. I run it once after rebooting a machine.

In my ``.bashrc'' file, I source this file
=>
if [ -f "$HOME/.myssh" ] ; then
  . $HOME/.myssh
fi
<=
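The agent commands above are worth keeping in a script, as the text says, and doing so raises two practical points: the file holding ``SSH_AUTH_SOCK'' and ``SSH_AGENT_PID'' should be readable only by its owner, and a second login should reuse a running agent rather than start another. The following is an added example, not the page's own script; the paths (``~/.myssh'', ``~/.ssh'') are the page's, while the helper names (``agent_env_from_output'', ``agent_alive'', ``key_perms_ok'', ``start_agent'') are mine.

```shell
#!/bin/sh
# Added example (not from the original page): start one ssh-agent per login
# session, keep its environment in a file only the owner can read, and check
# private-key permissions before adding keys. Paths follow the page; helper
# names are mine.

# agent_env_from_output: keep only the export lines of ssh-agent's output,
# dropping the "echo Agent pid ..." line, as the page's "grep -v echo" does.
agent_env_from_output() {
    grep -v '^echo' "$@"
}

# agent_alive FILE: source FILE and report whether the agent it names still
# answers. ssh-add -l exits 2 when no agent can be reached (0 = keys listed,
# 1 = agent reachable but empty), so anything but 2 means the agent is alive.
agent_alive() {
    [ -r "$1" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    . "$1" >/dev/null 2>&1
    ssh-add -l >/dev/null 2>&1
    [ "$?" -ne 2 ]
}

# key_perms_ok DIR: private keys must be mode 600 (or 400); ssh itself
# refuses a group- or world-readable key, so catch it before ssh-add does.
key_perms_ok() {
    ok=0
    for k in "$1"/id_dsa "$1"/id_rsa; do
        [ -f "$k" ] || continue
        mode=$(stat -c %a "$k")          # GNU stat; prints e.g. 600
        case "$mode" in
            600|400) ;;
            *) echo "$k has mode $mode; run: chmod 600 $k" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# start_agent [ENVFILE]: reuse a live agent recorded in ENVFILE (default
# ~/.myssh), otherwise start one, record it with owner-only permissions, and
# load the keys after checking their modes.
start_agent() {
    envfile=${1:-$HOME/.myssh}
    if agent_alive "$envfile"; then
        return 0
    fi
    # The file holds the socket path and pid; umask 077 in a subshell keeps
    # the file private without changing the caller's umask.
    ( umask 077; ssh-agent -s | agent_env_from_output > "$envfile" )
    . "$envfile" >/dev/null
    key_perms_ok "$HOME/.ssh" && ssh-add
}

# Usage, once per login session (interactive, so not run here):
#   start_agent            # then ". ~/.myssh" in any other shell, as in .bashrc
```

``agent_alive'' is what lets the ``.bashrc'' snippet above stay harmless: sourcing a stale ``~/.myssh'' costs nothing, and the next call to ``start_agent'' replaces it only when the recorded agent is gone.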
Bill Harlan, 2002-2007