# Gnu/Linux Administration
Here are some general administration tasks
that I find useful to remember.
First see the section on RPM to learn how to
install and update software. See more
sections on Gnu/Linux.
** Books **
Most of the books you want are free from
http://www.linuxdoc.org/ as HOWTO's. Don't
assume that you can get something better in
the bookstore. Many Linux books in the
bookstore are simply bound copies of the
publicly available documents.
"Running Linux" from O'Reilly press is the
best overall book for anyone getting ready to
install Linux for the first time and start
playing with it.
As a quick reference, you may prefer a copy
of O'Reilly's "Linux in a Nutshell", with
concise summaries of all administrative
commands. Read it through because many
standard Unix commands have great new
options. Many new commands become essential.
To understand your Unix system better, get
the new edition of "Unix System
Administration Handbook," by Nemeth, Snyder,
Seebass, and Hein, from Prentice Hall. The
new edition covers Linux, and explains where
other systems differ. This book is superior
to any book specifically for Linux.
For help, I prefer IRC (Internet Relay Chat)
on a freenode.net server. See
http://www.freenode.net/
** A few administration commands **
--
o Use ``whereis'', ``locate'', and ``apropos''
to find programs and manuals. Use ``file''
to identify the type of a file.
o Use ``sudo'' to run individual commands as
root instead of ``su root''. Add your
username to ``/etc/sudoers'' for permission.
o To see what distribution, release, kernel,
and gcc version your system is using, type
=>
lsb_release -a
cat /etc/*release
cat /etc/issue
cat /proc/version
uname -a
<=
o To get info on your hardware, look at the
proc directory, for example
=>
$ cat /proc/cpuinfo /proc/meminfo /proc/pci /proc/mounts
<=
As root you can see most devices with
=>
dmidecode
<=
List PCI buses and what is attached to them
with ``lspci''.
These virtual files are updated dynamically.
The command ``procinfo -a'' will format some
of the information for you.
o You can change your default character
encoding by copying ``/etc/sysconfig/i18n''
to ``$HOME/.i18n'' and modifying it. Look at
this file if your application is complaining
about missing characters. I add
``zh_CN.UTF-8'' to the SUPPORTED entry. You
can also change the system file for all
users.
o Here is how I enabled multiple language
input methods on Fedora Core 3 and CentOS 4.
Preferably, select supported languages during
installation. Otherwise you may have to find
extra resources for each. (If you did a
complete install but didn't add extra
language support, then you may only need to
add entries like ``zh_CN.UTF-8'' to the
SUPPORTED entry in ``/etc/sysconfig/i18n'' or
``~/.i18n''.)
Next create the following file in your home
directory.
=>
$ mkdir ~/.xinput.d
$ ln -s /etc/X11/xinit/xinput.d/iiimf ~/.xinput.d/default
<=
Restart X, right click on the tool bar, press
"add to panel", select "InputMethod
Switcher", and press add. Click once to "Add
or Remove" languages from your choices.
See
http://fedora.redhat.com/projects/i18n/iiimf-faq.html
for more help.
Here is how I started applications
with Chinese input on Fedora Core 1. This
should be unnecessary with later releases.
=>
$ export LC_ALL=zh_CN ; export LANG=zh_CN.UTF-8 ; export XMODIFIERS=@im=chinput
$ locale | grep LANG
$ /usr/bin/chinput
Chinput Version 3.0.2 -- XIM Server
...
$ gedit
$ emacs
$ oowriter
<=
Use ``control-space'' to switch to pinyin
mode. Turn off pinyin before exiting;
otherwise, your next application will fail to
switch properly.
o Edit ``/etc/inittab'' to set your default
runlevel to ``id:3:initdefault:'' to boot to
a console and ``startx'' to start X11.
o Reboot with ``shutdown -r now'' and
shutdown for good with ``shutdown -h now''.
If you are rebooting remotely, you can avoid
a possible hang during shutdown by running
``sync'' to flush file buffers, then ``reboot
-f -n'' for an abrupt termination of
services, and a reboot.
o ``quota'' lists your disk quota.
o Definitions of colors by red/green/blue
values are in ``/usr/X11R6/lib/X11/rgb.txt''.
o You can add directories containing shared
objects to ``/etc/ld.so.conf'' instead of to
your ``LD_LIBRARY_PATH''. Type ``ldconfig''
to update your cache.
o To run something at boot time after all
other init scripts, modify
``/etc/rc.d/rc.local''. This is much easier
than adding Start and Kill scripts at the
appropriate runlevel ``/etc/rc.d/rc[0-5].d''.
o To export a disk, the following may be
sufficient. (You must already have nfs
and an automounter running.)
=>
echo "/data *(rw,sync)" >> /etc/exports
exportfs -a
<=
_
** Network service configuration **
Redhat configures their network services
during boot with the script
``/etc/rc.d/init.d/network'', which gets
network parameters from
``/etc/sysconfig/network'' and calls scripts
in ``/etc/sysconfig/network-scripts/''. See
``ifcfg-eth0'' and ``ifcfg-lo''. Static
routes can be specified in
``/etc/sysconfig/static-routes''.
Check the active ip address of eth0 with
``ifconfig''. After changing the address,
reset with ``/sbin/ifdown eth0; /sbin/ifup eth0''
or more drastically
``/sbin/service network restart''.
Identify cluster hostnames most simply by
specifying IP addresses in ``/etc/hosts''.
Use the same file for all nodes, including
the mayor.
Make sure you do not have a protocol mismatch
with ``mii-tool -v eth0''. Duplex mode
mismatches will hurt performance.
Here are examples of my network files on
various types of systems.
--
o DHCP
/etc/sysconfig/network
=>
NETWORKING=yes
HOSTNAME=hong
DHCP_HOSTNAME=hong
NISDOMAIN=denver.foo.com
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
<=
o stand-alone (static behind NAT)
/etc/sysconfig/network
=>
NETWORKING=yes
HOSTNAME=solar.denver.foo.com
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
BOOTPROTO=none
BROADCAST=111.111.146.95
HWADDR=00:00:00:00:00:00
IPADDR=111.111.146.90
NETMASK=255.255.255.248
NETWORK=111.111.146.88
ONBOOT=yes
TYPE=Ethernet
GATEWAY=111.111.146.89
<=
o cluster #1 node (address in /etc/hosts)
/etc/sysconfig/network
=>
NETWORKING=yes
FORWARD_IPV4=false
NISDOMAIN=denver.foo.com
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
<=
o cluster #2 node
/etc/sysconfig/network
=>
NETWORKING=yes
HOSTNAME=supcl1
NISDOMAIN=denver.foo.com
DHCP_HOSTNAME=supcl1
<=
/etc/sysconfig/network-scripts/ifcfg-eth0
=>
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
<=
_
All use the same
``/etc/sysconfig/network-scripts/ifcfg-lo''
==>
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
<==
If you use DNS, then specify your domain,
preferred nameserver lookup order, and
default domain completions in
``/etc/resolv.conf'':
==>
nameserver 111.111.138.22
nameserver 111.111.138.25
nameserver 111.111.88.36
search foo.com denver.foo.com etc.foo.com
<==
If you are using NIS, then specify the NIS
server for each domain in ``/etc/yp.conf'' on
a line like
=>
domain denver.foo.com server denadmin01
domain denver.foo.com server denadmin02
<=
To export a local disk, add a line to
``/etc/exports'', like
=>
/export/d01 *(rw)
<=
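Both exports lines above use ``*'' as the client, which offers the
directory to every host that can reach the server. The following is an
added example, not part of these notes, that audits an exports file for
such world-wide exports and for ``no_root_squash''; the function names
and the sample exports contents are constructed for the example.

```shell
#!/bin/sh
# Added example: flag risky lines in an /etc/exports-style file.
# Function names and the sample file contents are constructed for
# this example; they are not part of the original notes.

# audit_exports FILE
# Prints one finding per line for every export that is offered to every
# host ("*" as the client) or that disables root squashing.
audit_exports() (
    set -f                      # keep "*" from globbing when we split fields
    sed -e 's/#.*//' "$1" | while read -r path clients; do
        [ -z "$path" ] && continue
        for c in $clients; do
            host="${c%%\(*}"    # client part, e.g. "*" or "192.0.2.0/24"
            if [ "$host" = "$c" ]; then
                opts=""         # no option list at all
            else
                opts="${c#*\(}"; opts="${opts%)}"
            fi
            case "$host" in
                '*') echo "$path: exported to every host ($c)" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path: no_root_squash for $host" ;;
            esac
        done
    done
)

# exports_clean FILE: exit 0 when audit_exports reports nothing.
exports_clean() {
    [ -z "$(audit_exports "$1")" ]
}

# write_sample_exports FILE: a constructed exports file for demonstration.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
/data *(rw,sync)
/export/d01 *(rw)
/home 192.0.2.0/24(rw,sync,no_root_squash)
/pub 192.0.2.10(ro)   # read-only to one host: not flagged
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
exports_clean "$sample" || echo "review the findings above before running exportfs -a"
rm -f "$sample"
```

Run ``audit_exports /etc/exports'' before ``exportfs -a''; an empty
report means every export names specific hosts or networks and keeps
root squashing.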
Restart ``nfs'' with
=>
$ sudo service nfs restart
<=
Exceptionally slow network performance may
be due to using half rather than full duplex.
Check
=>
$ sudo ethtool eth0
<=
** Installing a distribution **
Try to get the most recent possible release
of any particular distribution. The
improvements you see with a new release will
be much greater than any differences you find
between distributions. Desktops continue to
improve greatly.
Once I find the iso's on a mirror, I download
with a script like
=>
S="ftp://distro.someplace.org/pub/linux/distributions/fedora/linux/core/2/i386/iso/"
P="me@myaddress.com"
for f in \
MD5SUM \
FC2-i386-disc1.iso \
FC2-i386-disc2.iso \
FC2-i386-disc3.iso \
FC2-i386-disc4.iso \
; do
wget $S$f
done
<=
(``curl'' is an advanced alternative to
``wget''.)
Performing a clean install has gotten so easy
that it doesn't seem worth documenting. Use
a default workstation install, then use
``rpm'' to add additional features from your
disks or iso images. See the section on RPM
elsewhere on this page.
On RedHat and Fedora, both ``yum'' and
``up2date'' are great ways to upgrade your
system quickly. Locate on the web a
``/etc/yum.conf'' that points to Fedora
mirrors. You can upgrade all installed
Fedora packages with ``yum update -y''. (I
prepend ``sudo'' to avoid logging in as
root.) If you have registered with the
RedHat network, then you can upgrade
everything with ``up2date --nox -u''. These
commands also install new packages if you
know the name of the new package.
Most yum-based systems come preconfigured to
check a few reliable repositories. Check
``/etc/yum.repos.d/'' to see which are
checked by your system.
For CentOS, I add access to RPMForge,
following these directions: https://rpmrepo.org/RPMforge/Using
More repos are tracked here:
http://wiki.centos.org/Repositories
Many good rpm's are here: http://dag.wieers.com/rpm/
but they are also available through RPMForge.
Create a list of available packages with
``yum list all | tee yum.txt''
Some collections can be installed as a group:
``sudo yum -y groupinstall "X Software Development" ''
If you are reinstalling or upgrading, then
keep a backup copy of the entire /etc
directory on another machine. You may want
to compare configuration files later,
particularly for the network connection.
You are asked a small number of questions
during installation. If you forget your
answers, you can find most of them again in
``/etc/sysconfig''.
On redhat systems, there are tools in
``/usr/bin/redhat-config-*'' or
``/usr/bin/system-config-*'' for configuring
specific devices.
See what pci devices were detected with
``lspci''.
Check the X configuration with ``xdpyinfo''
or look in ``/etc/X11/XF86Config*''. Check
your specified video card driver in
``/etc/sysconfig/hwconf'' and ``/proc/pci''.
Change your mouse after installation by
running ``/usr/sbin/mouseconfig''. Check the
configuration file ``/etc/sysconfig/mouse''.
``/dev/mouse'' points to the device file for
the mouse.
You can change your default desktop easily
with ``switchdesk''. This only adds a
``.Xclients-default'' to your home directory,
to be used by ``.Xclients''. Look in
``/etc/X11/xinit'' to see the system
defaults.
Your sound may default to a low level. Try
adjusting with ``aumix''. Your menu should
also contain volume controls.
Dual boots are really not worth the trouble,
unless you are stuck with a laptop. I prefer
to run one OS per machine and connect them
with a hub.
I prefer three partitions: one big partition
for root ``/'', one smaller partition for
``/home'', and a swap partition that is about
2.5 times the size of the resident memory. A
separate partition for ``/home'' will allow a
fresh installation without reconstructing the
home directory. Installs do a good job of
defaulting these partitions.
* Boot floppies *
If you need to make a boot floppy for a
really old Microsoft box, put in the first
CD, and try
=>
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name: ..\images\bootdisk.img
Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
<=
Recent kernels are too large to fit on a boot
floppy. If you have an older machine that
will not boot from CD, then first install an
older minimal linux so that you have a boot
loader. Then copy the kernel ``vmlinuz'' and
``initrd.img'' onto your ``/boot'' partition
from your newer install CD. Modify
``/etc/grub.conf'' or the equivalent lilo
file to boot from it.
* Time servers *
Most distributions allow you to specify the
name of a time server and be done with it.
Here are nitty gritty details if you must
customize that behavior.
If you are on a network with time servers,
add their hostnames, on one line separated by
spaces, to ``/etc/ntp/step-tickers'', like
``foohost barhost bazhost''. Or modify the
``server'' and ``fudge'' lines in
``/etc/ntp.conf'' with a specific server name
like:
=>
server foohost
fudge foohost stratum 10
<=
Start the service with ``chkconfig ntpd on''.
See that it is running with ``chkconfig
--list''.
On redhat, the ``/etc/ntp.conf'' file may
direct you to use the gui application
``dateconfig'', or your changes will be lost.
Restart the time server with
``/etc/rc.d/rc3.d/S26ntpd restart'' or
whatever path is appropriate on your machine.
Synchronize once with another host by typing
=>
$ ntpdate ntp.nasa.gov
or
$ ntpdate time.nist.gov
<=
If you don't use time servers, you can reset
your hardware clock with
=>
$ hwclock --set --date="5/15/02 19:00:00"
<=
Use the two digit year, even though we've
already passed into the next millennium. (A
four digit year will put you in a strange
century.) To avoid upsetting running
processes, your clock does not reset until
the next reboot. Always use local time.
** Devices **
* CD readers and writers *
First of all, to eject your CDROM, type
``eject''. If your CDROM is not visible, try
mounting it with ``mount /mnt/cdrom''.
Make a CDROM image (ISO9660) from a file
system with
=>
mkisofs -r -J /my/dir/ > image.iso
<=
(This is faster than specifying the file with
-o).
With Gnome, I can right click on the iso and
specify "Write to CD".
With a recent kernel, you can easily record
from the command line with
=>
cdrecord -v speed=2 dev=/dev/cdwriter -data image.iso
<=
You'll need to use ``sudo'' or run as
``root''.
If this doesn't work, you can identify your
CD-R device, and burn the iso with
=>
$ cdrecord -scanbus
1,0,0 100) 'HITACHI ' 'DVD-ROM GD-5000 ' '0212' Removable CD-ROM
1,1,0 101) 'SONY ' 'CD-RW CRX220E1 ' '6YS1' Removable CD-ROM
...
$ cdrecord -v speed=2 dev=1,1,0 -data image.iso
<=
Tools for reading music cd's include
``cdparanoia'', ``readcd'', and ``gnome-cd
-unique -device /dev/cdrom -play''. Play a
dvd with ``vlc'' or ``mplayer''. Write or
copy a music CD with ``xcdroast'' which is a
GUI wrapper for ``cdrecord'' and other
utilities.
Most of these will play an audio CD
digitally, without an audio cable connected
to your CDROM. For example, right click on
the ``xmms'' menu for "Options" and
"Preferences." Select the "Audio I/O
Plugins" tab. Highlight "CD Audio Player" in
the panel of "Input plugins" then hit the
"Configure" button. Switch the radio button
for "Play Mode" from "Analog" to "Digital
audio extraction." Hit all the Ok buttons on
your way out. Right click again on the
``xmms'' panel, select "Play File", point at
``/mnt/cdrom'', and hit the forward play
button.
* USB mass storage device *
Most systems now will automatically recognize and mount USB
memory sticks. If yours is not mounted, then look at
``/var/log/messages'' to see if the device was seen at all.
If so, then you just need to solve the problem of mounting.
Look at the rules in ``/etc/udev/rules.d'' and see if any apply
to your USB stick. Rules usually key off a product name and
vendor string. You can see what your stick reports by running
``lsusb -v''. From there, find the rule that udev should use
to mount it. You may have a heretofore unrecognized stick.
If automounting will not work, then you can still mount by hand.
Plug it in to a USB port. Install
``sg3_utils''. Scan raw SCSI devices and
determine the real SCSI device.
=>
root$ sg_scan -i
/dev/sg0: scsi0 channel=0 id=0 lun=0
IBM-ESXS ST318305LW !# B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0]
/dev/sg1: scsi0 channel=0 id=1 lun=0
IBM-ESXS ST318305LW !# B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0]
/dev/sg2: scsi2 channel=0 id=0 lun=0 [em]
M-Sys Dell Memory Key 4.50 [rmb=1 cmdq=0 pqual=0 pdev=0x0]
root$ sg_map
/dev/sg0 /dev/sda
/dev/sg1 /dev/sdb
/dev/sg2 /dev/sdc
<=
From this, I see that the memory key is on
``/dev/sdc''. ``/dev/sdc1'' specifies the
first, and usually only, partition.
To mount this, first create a mount point, then mount
=>
sudo mkdir /mnt/flash
sudo mount -o defaults /dev/sdc1 /mnt/flash
<=
Or you can add a line to ``/etc/fstab'', so you can mount and
write as any user. You'll need to see what options are supported,
as these change over time.
To examine, change, and format partitions.
=>
root$ fdisk /dev/sdc
root$ mkfs -t vfat /dev/sdc1
<=
See more at
http://vic.gedris.org/linux-UsbMassStorage/ ,
http://www.linux-usb.org/ , and
http://www.cs.sfu.ca/~ggbaker/personal/cf-linux
* Wrong USB speed *
A device that refuses to mount might be using the faster USB 2
protocol on a port or driver that does not support it. The log
message should mention a ``new high speed USB device using
ehci_hcd and address ...''
There still seem to be intermittent problems mounting these,
even when the device supports USB2. Try reloading
the appropriate kernel module:
=>
sync
sudo modprobe ehci_hcd
<=
For some reason, this often triggers the correct remounting of
all USB2 devices.
For extra emphasis, you can first remove the module: ``sudo
rmmod ehci_hcd'', which first causes all USB devices to be
mounted at the lower speed. Then add the module back.
For NTFS, install the following packages: fuse, dkms, dkms-fuse, fuse-ntfs-3g
Mount and unmount with the following.
=>
mkdir /mnt/ntfs
ntfs-3g /dev/sdc1 /mnt/ntfs # read-write
ntfs-3g /dev/sdc1 /mnt/ntfs -o ro # read only
umount /mnt/ntfs
<=
* USB Mass Storage is too slow *
You should get around 1Mb/sec transfer rate
with flash memory. First find out what
device your flash is attached to with ``df
/media/usbdisk''. Then check the raw device
transfer rate with ``sudo hdparm -t
/dev/sda1''. If the hardware is fast, and
your file copies are much slower, then your
problem is software. Look at ``lsmod'' while
the flash is attached, and be sure you are
using ``usb_storage'' instead of the slower
``ub''. See that the proper module is loaded
with ``lsmod | egrep ehci_hcd''. Look at
``sudo lsusb -v | less'' to see that you are
using USB 2 instead of 1. You should also
see ``ehci_hcd'' listed after the kernel. If
these are all right, then you may be better
off disabling syncing during writes. See if
the usb drive shows up with ``mount | grep
sync''. See if ``sync'' is specified in
``/etc/fstab'' for the usb drive. If so,
disable it in ``/etc/fstab'' or by examining
``man fstab-sync''. A copy may appear to
occur instantaneously, but much of the file
may be cached in memory. You still need to
``sync'' from the command line to finish the
write, but this should occur at near the
maximum rate for a single write. Finally, as
usual, ``umount /media/usbdisk'' before
disconnecting.
An external hard drive is much easier to handle.
Mine came as ntfs. I formatted to a Linux filesystem
like this.
=>
root$ mkfs -t ext4 /dev/sdc1
<=
If you want to delete or add partitions, you can use ``fdisk''
on the whole disk, not on a partition:
=>
root$ fdisk /dev/sdc
<=
* EncFS *
EncFS is an excellent way to encrypt files that you may
carry around with you on a portable USB drive.
Most of what you need to know can be found at
http://www.arg0.net/encfs
If you have permission problems, add yourself to the fuse
group in ``/etc/group'' and
=>
sudo chgrp fuse /usr/bin/fusermount
sudo chmod 4755 /usr/bin/fusermount
<=
Make sure the ``fuse'' module is loaded with
=>
lsmod | grep fuse
modprobe fuse
<=
* Digital cameras *
For digital cameras, try
http://www.gphoto.org/ .
* CUPS Printer *
Set up a cups printer by modifying the
``ServerName'' in ``/etc/cups/client.conf''.
See which printers are available with
``lpstat -t'' and print with ``lp -d
PRINTER_NAME file''
Set default printer options like this:
``lpoptions -o sides=two-sided-long-edge''
See more on cups at http://localhost:631/ .
** Security **
Check your system for rootkits by installing
``rkhunter'' and ``chkrootkit''.
For firewalls, the best single reference is
the book "Linux Firewalls" by Robert L.
Ziegler, from New Riders press.
I now use a hardware firewall, and don't rely
on the built-in packet filtering of
``iptables''. Do not connect to the internet
until you have some firewall in place.
Distributions should all now have a simple
interface that lets you manipulate the rules
of the underlying ``iptables''. Look for it
on your menu bar. In the past, I exported
only ``ssh'' and let ``iptables'' block
all other connections on all other ports.
Use ``ssh'' and ``scp'' instead of ``telnet''
and ``ftp'' for your own use.
See what packet filtering you have turned on
with ``iptables --list'' either with ``sudo''
or as root.
See what services are running (at various
runlevels) with ``chkconfig --list'' or more
directly
=>
/sbin/service --status-all | grep running
<=
Disable services you don't need. Anyone able
to connect to these ports can probe for
weaknesses like buffer overflows in these services.
Useless daemons also waste resources.
Stop services with
=>
/sbin/service sendmail stop
<=
And prevent a service from being started at
your runlevel by removing the startup script,
such as
=>
rm /etc/rc.d/rc3.d/S80sendmail
<=
You can manipulate the symbolic links in the
runlevel directory by using ``chkconfig''.
See what services are running (at various
runlevels) with ``chkconfig --list''.
Disable with ``chkconfig sendmail off''.
See what ports you have open for TCP services
with
=>
netstat -pta | grep LISTEN
<=
Match ports to services by looking at
``/etc/services'' and ``/etc/protocols''.
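The two checks just described, which services run and which ports
listen, can be combined into one report that also flags anything not
expected. The following is an added example of mine, not from these
notes: it reads ``netstat -pta'' output, separates loopback-only
listeners from ones reachable from the network, and compares the latter
against a list of allowed ports. The netstat lines and the allow-list
are constructed for the example.

```shell
#!/bin/sh
# Added example: report listening TCP ports from "netstat -pta" output
# and flag public listeners that are not on an allow-list. The sample
# netstat output and the allow-list are constructed; the function names
# are mine and not part of the original notes.

ALLOWED_PORTS="22"   # hypothetical local policy: only ssh is expected

# sample_netstat: constructed copy of "netstat -pta" output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1043/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      701/portmap
tcp        0      0 192.0.2.10:22           192.0.2.7:51234         ESTABLISHED 2201/sshd
EOF
}

# report_listeners: reads netstat text on stdin and prints
# "port program scope" for every LISTEN line; scope is "local" for
# loopback binds and "public" for anything else.
report_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n];
        scope = ($4 ~ /^127\./ || $4 ~ /^::1:/) ? "local" : "public";
        split($7, p, "/"); prog = (p[2] == "") ? "?" : p[2];
        print port, prog, scope
    }'
}

# unexpected_listeners ALLOWED: reads netstat text on stdin and prints
# every public listener whose port is not in the space-separated list.
unexpected_listeners() {
    allowed=" $1 "
    report_listeners | while read -r port prog scope; do
        [ "$scope" = "public" ] || continue
        case "$allowed" in
            *" $port "*) ;;
            *) echo "unexpected listener: port $port ($prog)" ;;
        esac
    done
}

# Stand-alone demonstration on the constructed output. On a real
# machine pipe the live output instead:
#   sudo netstat -pta | unexpected_listeners "$ALLOWED_PORTS"
sample_netstat | report_listeners
sample_netstat | unexpected_listeners "$ALLOWED_PORTS"
```

On the sample, sendmail is bound to 127.0.0.1 and is not reported as
unexpected, while portmap on port 111 is; that is the program to stop
with ``service'' and disable with ``chkconfig''.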
Check your machine for vulnerabilities at
sites that will scan your ports, like
http://grc.com/ . Then look
at your log files in /var/log/messages* to
see the ignored packets. Use ``nslookup
IP_ADDRESS'' and ``tracepath IP_ADDRESS'' to
see where the packets came from.
Scan your own ports with ``nmap'', which you
can get from http://www.insecure.org/nmap/
This will label the available ports for you.
Use the flags ``nmap -sT -P0 (IP_ADDRESS)''
if you are able to scan your machine from an
unprivileged domain.
* SSH *
SSH is usually installed and functional with
a default install.
Provide automatic access for one machine at a
time. Set up a custom configuration by
copying ``cp /etc/ssh/ssh_config
$HOME/.ssh/config'' and editing. My defaults
use dsa, so I run ``ssh-keygen -t dsa'' and
provide a passphrase. This creates a
``id_dsa'' and ``id_dsa.pub'' in
``$HOME/.ssh''. Copy the public key in
``id_dsa.pub'' into
``$HOME/.ssh/authorized_keys'' on a remote
machine. You can do this with
``ssh-copy-id -i $HOME/.ssh/id_dsa.pub remote_host''.
Now go to that remote machine and
ssh back. It should ask for your passphrase
instead of your password. If not, your
configuration files are not compatible with
your choice of keys and protocol. Try
creating keys for rsa and rsa1 too. Add them
all to ``authorized_keys''.
When it works, then you can now start a
user agent to manage your login. Try this
=>
$ ssh-agent | grep -v echo | tee ~/.myssh
$ ssh-add
Enter passphrase for /home/me/.ssh/id_dsa:
Identity added: /home/me/.ssh/id_dsa (/home/me/.ssh/id_dsa)
$ ssh-add -l
<=
The first command starts an agent and saves two environment
variables ``SSH_AUTH_SOCK'' and ``SSH_AGENT_PID'' in
a file ``~/.myssh''.
Now any shell can source this file and ssh to authorized
hosts without typing a password.
Naturally I put the above commands in a script. I run it once
after rebooting a machine.
In my ``.bashrc'' file, I source this file
=>
if [ -f "$HOME/.myssh" ] ; then
. $HOME/.myssh
fi
<=
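The agent file written by ``tee'' above gets whatever mode your umask
gives it, and the ``.bashrc'' fragment sources it without looking.
The following is an added example of mine, not from these notes, that
writes the agent variables with mode 0600, refuses to source the file
if its permissions have loosened, and checks whether the agent is still
alive. The file name, function names and the sample ``ssh-agent''
output are constructed.

```shell
#!/bin/sh
# Added example: save the ssh-agent environment to a private file and
# check that file before sourcing it. The file name and function names
# are mine; the sample ssh-agent output is constructed.

# save_agent_env FILE: read "ssh-agent" output on stdin, drop the
# "echo Agent pid" line, and write the rest with mode 0600 so other
# local users cannot read the socket path and agent pid.
save_agent_env() {
    (
        umask 077
        grep -v '^echo ' > "$1"
    )
}

# agent_env_file_ok FILE: true only if FILE is a regular file that is
# readable and writable by its owner alone (mode -rw-------).
agent_env_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# load_agent_env FILE: source FILE into the current shell after the
# permission check. Returns 1 and sources nothing if the check fails.
load_agent_env() {
    agent_env_file_ok "$1" || return 1
    . "$1"
}

# agent_alive: exit 0 when the agent named by SSH_AUTH_SOCK answers.
# ssh-add -l exits 2 when it cannot reach an agent; 1 means reachable
# but no identities loaded.
agent_alive() {
    ssh-add -l >/dev/null 2>&1 && return 0
    rc=$?
    [ "$rc" -ne 2 ]
}

# sample_agent_output: constructed copy of what "ssh-agent -s" prints.
sample_agent_output() {
    cat <<'EOF'
SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.1234; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1235; export SSH_AGENT_PID;
echo Agent pid 1235;
EOF
}

# Stand-alone demonstration with the constructed output. On a real
# machine replace sample_agent_output with "ssh-agent -s" and the
# temporary file with ~/.myssh, then call agent_alive before ssh-add.
envfile=$(mktemp)
sample_agent_output | save_agent_env "$envfile"
if load_agent_env "$envfile"; then
    echo "agent pid $SSH_AGENT_PID, socket $SSH_AUTH_SOCK"
fi
rm -f "$envfile"
```

In ``.bashrc'' the fragment above becomes ``load_agent_env
"$HOME/.myssh"''; if that returns 1, the file's mode has changed and
is worth a look before trusting it again.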
Bill Harlan, 2002-2007