Uploaded by Anitha Selvaraj

Intro to Linux Systems Administration

advertisement
Intro to Linux Systems
Administration
Systems Administration
•
•
•
•
•
•
Administering the system?
Keep the system up in a consistent state
Monitor performance
Babysit users, make changes on their behalf
Install, configure, upgrade, maintain
Backup, restore, disaster recovery
Sysadmins
• System administration handled by various
people
– Full time dedicated sysadmins on site
– Remote services
– Generic ‘IT’ personnel
– That user that seems to know what they’re doing
• Can be a skill set central to a career path, or
a means to an end
Privilege Hierarchy
• Want to divide system privilege by account
• First step is file level permissions
– Default permissions limit end users in what
configuration files they can read and which
programs they can run
• Next level is within system programs
– Limit certain functions to only users with
‘elevated’ privileges
The Superuser
• By default, one account has elevated
privileges to issue any command, access any
file, and perform every function
• Superuser, a.k.a. root
– Technically, can change to anything – but don’t
• User and group number 0
The Superuser, cont
• Must limit use of root
– Inexperienced users can cause serious harm
– Use of root for non-privileged tasks unnecessary
and can be open to attack
– Security and privacy violations – root can look at
anyone’s files
• Limit what root can do remotely
• Ensure a strong password
Superuser Privileges
• What usually works best is short periods of
superuser privilege, only when necessary
• Obtain privileges, complete task, relenquish
privileges
• Most common ways are su and sudo
• Can also use the setuid/setgid method (Ch.
4), but not recommended
su
• Short for substitute or switch user
• Syntax: su [options] [username]
– If username is omitted, root is assumed
• After issuing command, prompted for that
user’s password
• A new shell opened with the privileges of that
user
• Once done issuing commands, must type
exit
sudo
• Allows you to issue a single command as
another user
• Syntax:
sudo [options] [-u user] command
•
•
•
•
Again, if no user specified, root assumed
New shell opened with user’s privileges
Specified command executed
Shell exited
sudoers
• Must configure a user to run commands as
another user when using sudo
• Permissions stored in /etc/sudoers
• Use utility visudo to edit this file (run as
root)
• Permissions granted to users or groups, to
certain commands or all, and with or without
password being required
Other permissions models
• Some Linux distributions such as Ubuntu
obscure away the root account altogether
• By default the end user doesn’t know the root
password
– Can’t login as root
– Can’t su
• Must rely on sudo (and the graphical
gksudo) to obtain privilege, along with
‘Unlock’ functions in GUI
System Operation
•
•
•
•
Booting the system
Runlevels
Modes
Shutting down the system
Booting the System
• Power on, POST, hardware initialization
• Boot device selected by BIOS/user
interaction
• Master boot record of boot device read
• Initializes the bootloader
– lilo (LInux LOader)
– grub (GRand Unified Bootloader)
Booting, cont
• Boot loader selects and loads an OS kernel
• Kernel stored as an compiled image file
• Kernel loads modules for hardware and
software functions
• Interrupts, device management, memory
management, paging
• Last thing kernel does is call init
init
• First non-kernel code loaded
• Process number 1
• Acts as parent to all other processes on
system
• Handles starting services and programs
• Based on runlevel, runs the appropriate
scripts
Runlevels
• A set of defined system states that init can bring
the system into (varies on distro)
• 0: Halt/shutdown
• 1: Single user mode
• 2: Multiuser mode
• 3: Multiuser mode with networking
• 4: Not used
• 5: Multiuser mode with networking and GUI
• 6: Reboot
Runlevels, cont
• On boot, init checks /etc/inittab to see what
runlevel to bring system to
• To change runlevel after boot
– telinit runlevel
– shutdown/halt/reboot
• Any time the runlevel changes, init consults a
set of scripts to determine what to stop/start
Scripts
• Init works with run command (rc) scripts
• Found in /etc/rc.d
• All scripts housed in /etc/rc.d/init.d
• Each script takes a parameter for changing
operation (start/stop/halt/reboot)
• Each runlevel has it’s own directory
– /etc/rc.d/rcN.d
Scripts, cont
• In each runlevel directory, there are symbolic
links to scripts in /etc/rc.d/init.d
• The name of the link is crucial
– Starting with S means start in this runlevel
– Starting with K means kill in this runlevel
– After S/K, there is an order number
• Start ascending
• Kill descending
Notes
• What we’ve described is the traditional Linux
init/boot process
• Different distros do things differently
– launchd in Mac OS X
– Upstart in Ubuntu Linux
– Initng in Debian, Gentoo, others
• The classic init is called System V init
Single User Mode
•
•
•
•
•
•
•
Runlevel 1
Console only – no terminals
Very minimal environment
Some filesystems might not be mounted
Maintenance of filesystems
Fixing configuration errors
Disaster recovery
Multiuser Mode
•
•
•
•
Runlevels 2-5
Runlevel 2 allows terminal logins
Runlevel 3 allows remote terminal logins
Runlevel 5 enable X11 graphical
environment
• Runlevels 3 and 5 are the most common
levels for day-to-day operations
Shutting Down the System
• Syntax:
shutdown [options] time [message]
– Time: XX:XX or +X or NOW
– -k: don’t really shutdown, just send message
– -r: reboot
– -h: halt
– -c: cancel a shutdown
• halt: calls shutdown –h
• reboot: calls shutdown -r
Scheduling
• Linux systems uses the Cron system for timebased job scheduling
• Allows users to schedule jobs to run
• Allows sysadmins to run jobs and batch
processes
• Different distros implement the structures
differently
• Most use /etc/crontab as primary set of
instructions
• Sometimes other files are used, like
/var/spool/cron/*
crontab
• Each line schedules a job
• Syntax:
* * * * * command
• First field is minutes (0-59)
• Second field is hours (0-23)
• Third is day of the month (1-31)
• Fourth is month of year (1-12)
• Fifth is day of week (0-6, starting with Sun)
Filesystem Management
• A Linux installation can be comprised of
many different filesystems
• Each filesystem (except for swap) is
connected to the filesystem hierarchy at a
specific point in the tree
• This is referred to as the mount point
• A sysadmin uses mount, umount and
/etc/fstab to manage these mounts
mount
• Syntax (most commonly):
mount –t type device directory
• Associates a device (partition, CD-ROM, etc)
formatted with a particular type of filesystem
with a specified directory in the hierarchy
• Requires root privileges to mount in most
cases
• mount with no arguments displays list of
mounted filesystems
umount
• Syntax:
umount directory | device
• Removes that association
• Cannot umount if device is still being
accessed (i.e. open files)
• Again, most likely requires root privileges
fstab
• For filesystems that should be mounted on
boot every time, put them in /etc/fstab
• Basically a tab delimited file that contains the
command line parameters you’d give to
mount
– Device
– Mount point (directory)
– FS type
– Options (Readonly, attributes, etc)
Creating New Filesystems
• First use fdisk device to create a
partition
– Similar in function to old fdisk from DOS
– Use ? to display commands, p to display partition
info
• Once partition created, must be formatted
– mkfs –t type filesystem
• Once formatted, you can mount it
Filesystem Integrity
• Filesystem problems? Corrupt files? Forced
into single user mode to fix errors?
• fsck
• Syntax:
fsck [options] –t type filesystem
• Again, usually need root permissions
• Also, filesystem should NOT be mounted
while running fsck – can cause damage
Monitoring Disk Usage
•
•
•
•
du – disk usage on files and directories
df – reports filesystem utilization
lsof – list open file handles
quota – configure and display user quotas
– quotactl
– quotacheck
– quotaon
– edquota
Installing Software
• The open source movement has provided an
enormous volume of freely available
programs
• Two primary methods of installing programs
– By source
– By package manager
Installing by Source
• Download source code
• Usually comes in a compressed tar archive
(.tar.gz or similar)
• Extract source code
• Configure the installation (usually
./configure)
• Then compile (make)
• Then copy into filesystem (make install)
Package Managers
• There are a wide variety of package managers
available for different Linux distributions
• In turn, there are several different types of
packages available for each of these managers
• Packages are an archived version of the source
code
• Often tailored to a specific architecture or
distribution
RPM
• Red Hat Package Manager
• Package format and manager created by
Red Hat developers
• Used widely by Red Hat, Red Hat-based
distros, and many others
• System maintains a local RPM database to
maintain consistency and track installs
RPM, cont
• Many different utilities for managing RPMs
• rpm: command line package manager for
installing/removing/configuring packages
• up2date: command line package manager
that fetches packages from internet and
resolves dependencies
• yum, yast: similar to up2date
• Many GUI frontends available to these
utilities
deb
• Debian package format
• Used in Debian Linux and it’s derivatives
such as Ubuntu and Knoppix
• Contains compressed binary data and
metadata
• Again, usually specific to a distro and an
architecture
deb cont
• dpkg: Debian package manager, for
installing/removing/configuring packages
• apt: Advanced Package Tool, for installing
and configuring packages from online
sources. Also does dependency resolution
• Again, graphical front ends available for each
of these
User Administration
• User configuration stored in /etc/passwd
• File got it’s name because it originally
contained passwords as well
– Security problem – too many processes need to
read passwd
– A shadow file used now instead (more in a sec)
• Each line contains info for one user
passwd
jsmith:x:1001:1001:Joe Smith,Rm27,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/bash
•
•
•
•
•
First field is username
Second was password – now a dummy char
Third is userid (uid)
Fourth is groupid (gid)
Fifth is GECOS field
– Full name, contact info
– Gen. Elec. Comprehensive OS
• Sixth is user’s home directory
• Seventh is user’s default shell
passwd, cont
• Originally passwd contained a user’s
password information
• How it works
– User picks a password
– A random number is generated (called the salt)
– The salt and the password is passed into a hash
function (a one-way cryptographic algorithm)
– The salt and result are stored in ASCII
passwd, cont
• Problem – user-level programs need to read
passwd
– Get user name, location
– Home directory, shell
• So passwd was world readable
• So anyone on system could see a user’s
salted hash
• It’s encrypted – what’s the big deal???
passwd, cont
• Original salt was 12-bit ... 4096 possibilities
• Many early users used bad passwords
– Dictionary words
• Even with 1970’s computing, it wouldn’t take
very long to try all combinations of salts and
passwords through the hash function
• Just wait for a match
• Brute force crack
shadow
• Wasn’t acceptable to have passwd world
readable if it contained hashes
• So salted hashes moved to a new file
• /etc/shadow
• Format similar to passwd, one user per line
• Readable only by root
shadow, cont
jsmith:$1$CzzxUSse$bKJL9wAns39vlxQlBZ8wd/:13744:0:99999:7:::
• First field is username
• Second is the salted hash or account status
– NP or ! or null for blank password
– LK or * for locked/disabled account
– !! for account with expired password
• Third is days since last password change
– Measured from epoch (midnight UTC 1/1/1970)
shadow, cont
• Fourth is days until password is eligible to be
changed
• Fifth is days before change is required
• Sixth is days before expiration to warn
• Seventh is days before account expires
• Eighth is days since epoch when account
expires
• Ninth is unused/reserved
Adding Users
• If you really wanted to, edit /etc/passwd
by hand
• Some distributions have graphical or
simplified ways to add users
• Most widely available however is command
line utility useradd
Adding Users, cont
• Syntax:
useradd [options] [-g group] [-d home]
[-s shell] username
•
•
•
•
\
-g to define user’s initial group
-d to define user’s home directory
-s to define user’s default shell
Other options for expiration, using defaults,
etc
Deleting Users
• Again, could just hack /etc/passwd
• More elegant:
• Syntax: userdel [-r] username
• -r to delete home directory and it’s contents
Modifying Users
• Syntax: usermod [options] username
• Options are pretty much identical to those of
useradd
• Also, -l to change the user’s login name
• And –G to list additional groups to add user
to
Group Management
• Group info housed in /etc/group
•
•
•
•
Similar to user management
groupadd
groupdel
groupmod
Daemons as Users
• For the most part, Linux daemons (services)
each run as a unique user account
• Provides additional security by segregating
processes and files
• Running daemons as root usually a bad idea
• Accounts usually created automatically and
assigned passwords
• Usually disabled from logging into system
Networking
• Linux is a powerful networking operating
system
• Much of it developed in tandem with the
Internet
• Ability to work as a client, server, or network
device
– Proxies, firewalls, routers, bridges, etc
Networking, cont
• Overall networking usually governed by
/etc/rc.d/init.d/network
• Invoked in runlevels 3 and 5 usually
• Network device/interface configurations in
either /etc/sysconfig/networking or
in /etc/sysconfig/network-scripts
• Can either edit manually, or use utilities to
manage
ifconfig
• Displays or alters network device configs
• Syntax:
ifconfig interface [options]
• With no options, shows interface’s config
• If interface omitted as well, show all configs
• Options include flags, IP address, subnet
mask, etc
route
• Display or change routing
• In simple configurations, mostly used to set
default gateway
• Syntax:
route [options] [add/delete] [target]
• With no arguments, show route table
hostname
• Used to set/display the computer’s network
name
• Depending on what protocols your network
uses, may also need to look at
– domainname
– dnsdomainname
• Especially important for Internet-accessible
systems
• Can be defined in /etc/sysconfig/network
Interfaces
• By default, wired ethernet interfaces are
found as ethX, with X starting at 0
• These are aliases to the actual physical
adapter and driver
• To enable an interface:
– ifup interface
• To disable an interface:
– ifdown interface
Interfaces, cont
• Other types of interfaces exist
– ppp, slip, atm, etc
• Management of them work similarly
• Wireless interfaces a bit different
– Use iwconfig to manage these and display info
– Has the additional options for frequency,
encryption, channel, passphrases, etc
Networking
• As with most things, GUI tools available
• Similar to TCP/IP configuration in Windows
• More advanced operations (bridging, NAT/IP
Masquerading, advanced routing) take a little
more configuration
• Default firewall software is iptables or
ipchains
Network Shares
• Samba SMB/CIFS
• CUPS
• NFS
Kernel Modification
• Vast majority of Linux kernel releases
incredibly stable
• New features/improvements
• Bug fixes
• Modules vs. in kernel
• We need to recompile
Kernel Mods, cont
• If we just want to upgrade to a newer kernel
release, there are a couple of options
• Can download and install new kernel
packages (RPM, deb, etc)
• Pre-compiled, and most package managers
do all the work
• Or the manual way …
– Necessary to do any real customization
Kernel Compilation
•
•
•
•
•
•
First, need to get kernel source code
www.kernel.org
Current mainline branch is 2.6
For legacy systems/apps, 2.4 is still available
Usually a tar.gz or tar.bz2
Copy to either a temp location, or maybe
/usr/src/kernel/
Kernel Compilation, cont
• Once you have the compressed archive,
uncompress and extract contents
• Should make a directory named after the
kernel release
– i.e. linux-2.6.31.6/
• Now go into that directory
• Should see lots of directories for different
aspects of the system, and a Makefile
Kernel Compilation, cont
• Now we need to configure kernel
– Select options
– Choose which items should be modules vs. in
kernel itself
• To import in the previous system config
– make oldconfig
• The config is stored in the .config file
Kernel Compilation, cont
• Want to configure from scratch? Or further
customize?
• A few different methods
– make menuconfig (ncurses)
– make xconfig (X11 Qt)
– make gconfig (X11 Gtk)
• All basically do the same thing – make
selections
Kernel Compilation, cont
• Once you’ve done the config and saved it,
time to compile
• make
•
•
•
•
Will take a while
Lots of info will scroll by
Don’t worry about warnings, it’s cool
Errors would be bad though
Kernel Compilation, cont
• Once kernel itself is compiled, must compile
the kernel modules
• make modules
• Once that’s done, we need to install the
modules into the correct location in the
filesystem
• make modules_install
Kernel Compilation, cont
• Now we need to install the kernel into the
right spot
• make install
• This moves three things to /boot
– The system map (symbol lookup in memory)
– The config
– The kernel image (vmlinuz)
• vm = virtual memory support (from UNIX days)
• z = compressed
Kernel Compilation
• Now we have the kernel in place
• But we need the info necessary to launch init
• We need an initial filesystem loaded so that
init has what is necessary to load devices
and other filesystems (including /)
• So we use a temporary, memory contained
filesystem – a RAM disk
Kernel Compilation, cont
• So we need to create an initrd – a RAM Disk
for init to work with before the real
filesystems is mounted
• So go to /boot
• mkinitrd –o initrd.img-<kern-ver>
• Makes an image of the necessary filesystem
components for that version of the kernel
Kernel Compilation, cont
•
•
•
•
Now all the pieces are in place
One last step – tell the bootloader about it
Edit /boot/grub/menu.lst
Basically just copy the block from the current
running kernel, change the version info, and
you’re done
• In most cases, you can usually instead just
issue update-grub, but should still check
Kernel Compilation, cont
• Example grub block
title Red Hat Enterprise Linux ES (2.6.9-5.ELsmp)
root (hd0,0) kernel /boot/vmlinuz root=/dev/hdb1 ro
initrd /boot/initrd.img-2.6.25
savedefault
boot
Kernel Compilation, cont
• Now you can reboot and try it out
• Check the grub menu for the new kernel you
installed and select it
• System should boot fine and everything
should work
• Panic? Reboot, select old kernel, boot into it
• Retrace your steps, debug kernel, etc
Download