Anda di halaman 1dari 68

Redhat Enterprise Linux

1
Content

1. Few words about linux

2. Understanding Files and Folders

3. Few important commands

4. Understanding File permission

5. Vi editor

6. Package management with RPM

7. Local YUM repo

8. Network

9. Init Process

10. Schedule tasks on Linux using crontab

11. FTP

12. What is fstab and why it’s useful

13. Network Filesystems

14. Squid

15. Linux logical volume manager

2
Few words about Linux
Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance
of developers around the world. Developed under the GNU General Public License, the source
code for Linux is freely available to everyone. Click on the link below to find out more about the
operating system that is causing a revolution in the world of computers.

Who developed Linux?

Linus Benedict Torvalds born December 28, 1969 in Helsinki, Finland) is a Finnish software engineer best known
for having initiated the development of the Linux kernel. He later became the chief architect of the Linux kernel, and
now acts as the project's coordinator.

Well-known Linux distributions include:

• Arch Linux, a distribution based on the KISS principle with a rolling release system
• CentOS, a distribution derived from the same sources used by Red Hat, maintained by a
dedicated volunteer community of developers with both 100% Red Hat-compatible
versions and an upgraded version that is not always 100% upstream compatible
• Debian, a non-commercial distribution maintained by a volunteer developer community
with a strong commitment to free software principles
• Fedora, a community distribution sponsored by Red Hat

3
• Gentoo, a distribution targeted at power users, known for its FreeBSD Ports-like
automated system for compiling applications from source code
• Knoppix, the first Live CD distribution to run completely from removable media without
installation to a hard disk, derived from Debian
• Kubuntu, the KDE version of Ubuntu
• Linux Mint, a distribution based on and compatible with Ubuntu
• Mandriva, a Red Hat derivative popular in France and Brazil, today maintained by the
French company of the same name
• openSUSE, originally derived from Slackware, sponsored by the company Novell
• Oracle Enterprise Linux, which is a derivative of Red Hat Enterprise Linux, maintained and
commercially supported by Oracle
• PCLinuxOS, a derivative of Mandriva, grew from a group of packages into a community-
spawned desktop distribution.
• Red Hat Enterprise Linux, which is a derivative of Fedora, maintained and commercially
supported by Red Hat
• Sabayon Linux, Gentoo Based Distribution, aiming at working Out of the box.
• SimplyMEPIS, a Debian-based distribution intended for easy desktop use and strong
support.
• Slackware, one of the first Linux distributions, founded in 1993, and since then actively
maintained by Patrick J. Volkerding
• Ubuntu, a popular desktop distribution derived from Debian, maintained by Canonical.
Ubuntu also has a netbook version called the Ubuntu netbook remix.
• Xubuntu, is the Xfce version of the popular desktop distro Ubuntu. Commonly used by
Linux users that wish to have the function of a bigger distro such as Ubuntu or openSuse
with the speed of a smaller distro.

Kernel Architecture

4
Understanding files and folders
Linux is made with one thought in mind: Everything is a file.

A blank piece of paper is called a file in the world of computers. You can use this piece of paper
to write a text or make a drawing. Your text or drawing is called information. A computer file is
another way of storing your information.

If you make many drawings then you will eventually want to sort them in different piles or make
some other system that allows you to easily locate a given drawing. Computers use folders to
sort your files in a hieratic system.

A file is an element of data storage in a file system (file systems manual page). Files are usually
stored on harddrives, cdroms and other media, but may also be information stored in RAM or
links to devices.

To organize our files into a system we use folders. The lowest possible folder is root / where you
will find the user homes called /home/.

/
/home/
/home/mom/
/home/dad/

Behind every configurable option there is a simple human-readable text file you can hand-edit to
suit your needs. These days most programs come with nice GUI (graphical user interface) like
Mandrakes Control Center and Suses YAST that can smoothly guide you through most
configuration. Those who choose can gain full control of their system by manually adjusting the
configuration files from foo=yes to foo=no in an editor.

Almost everything you do on a computer involves one or more files stored locally or on a
network.

Your filesystems lowest folder root / contains the following folders:

/bin Essential user command binaries (for use by all users)

/boot Static files of the boot loader, only used at system startup

Device files, links to your hardware devices like /dev/sound, /dev/input/js0


/dev
(joystick)

/etc Host-specific system configuration

5
/home User home directories. This is where you save your personal files

/lib Essential shared libraries and kernel modules

/mnt Mount point for a temporarily mounted filesystem like /mnt/cdrom

/opt Add-on application software packages

/usr is the second major section of the filesystem. /usr is shareable, read-only
data. That means that /usr should be shareable between various FHS-compliant
/usr
hosts and must not be written to. Any information that is host-specific or varies
with time is stored elsewhere.

/var contains variable data files. This includes spool directories and files,
/var
administrative and logging data, and transient and temporary files.

/proc System information stored in memory mirrored as files.

The only folder a normal user needs to use is /home/you/ - this is where you will be keeping all
your documents.

/home/elvis/Documents
/home/elvis/Music
/home/elvis/Music/60s

Files are case sensitive, "myfile" and "MyFile" are two different files.

For more details, check out:

Understanding users and permissions


Linux is based on the idea that everyone using a system has their own username and password.

Every file belongs to a user and a group, and has a set of given attributes (read, write and
executable) for users, groups and all (everybody).

A file or folder can have permissions that only allows the user it belongs to to read and write to
it, allowing the group it belongs to to read it and at the same time all other users can't even read
the file.

Who and what is root


6
Linux has one special user called root (this is the user name). Root is the "system administrator"
and has access to all files and folders. This special user has the right to do anything.

You should never log on as this user unless you actually need to do something that requires it!

Use su - to temporary become root and do the things you need, again: never log into your sytem
as root!

Root is only for system maintenance, this is not a regular user (LindowsOS don't have any user
management at all and uses root for everything, this is a very bad idea!).

You can execute a command as root with:

su -c 'command done as root'

Gentoo Linux: Note that on Gentoo Linux only users that are member of the wheel group are
allowed to su to root.

Opening a command shell / terminal


Pressing CTRL-ALT-F1 to CTRL-ALT-F6 gives you the console command shell windows,
while CTRL-ALT-F7 gives you XFree86 (the graphical interface).

Your first Linux commands


Now you should have managed to open a terminal shell and are ready to try your first Linux
commands. Simply ask the computer to do the tasks you want it to using it's language and press
the enter key (the big one with an arrow). You can add a & after the command to make it run in
the background (your terminal will be available while the job is done). It can be practical to do
things like moving big divx movies as a background process: cp movie.avi /pub &. Jobs - the
basics of job control

6.1. ls - short for list


ls lists the files in the current working folder..

Examples:

ls

ls -al

7
cd - Change directory
cd stands for change (working) directory and that's what it does. The folder below you (unless
you are in /, where there is no lower directory) is called "..".

To go one folder down:

cd ..

Change into the folder Documents in your current working directory:

cd Documents

Change into a folder somewhere else:

cd /pub/video

The / in front of pub means that the folder pub is located in the / (lowest folder).

The basic commands


chmod - Make a file executable
To make a file executable and runnable by any user:

chmod +x myfile

df - view filesystem disk space usage


df -h

Filesystem Size Used Avail Use% Mounted on


/dev/hda3 73G 67G 2.2G 97% /
tmpfs 2.0M 24K 2.0M 2% /mnt/.init.d
tmpfs 252M 0 252M 0% /dev/shm

du - View the space used by files and folders


Use du (Disk Usage) to view how much space files and folders occupy.

Example du usage:

du -sh Documents/
409M Documents

8
mkdir - makes folders
Folders are created with the command mkdir:

mkdir folder

To make a long path, use mkdir -p :

mkdir -p /use/one/command/to/make/a/long/path/

Like most programs mkdir supports -v (verbose). Practical when used in scripts.

You can make multiple folders in bash and other shells with {folder1,folder2} :

mkdir /usr/local/src/bash/{old,new,dist,bugs}

The command rmdir removes folders.

passwd - changes your login password


To change your password in Linux, type:

passwd

The root user can change the password of any user by running passwd with the user name as
argument:

passwd jonny

will change jonnys password. Running passwd without arguments as root changes the root
password.

rm - delete files and folders, short for remove


Files are deleted with the command rm:

rm /home/you/youfile.txt

To delete folders, use rm together with -f (Do not prompt for confirmation) and -r (Recursively
remove directory trees):

rm -rf /home/you/foo/

Like most programs rm supports -v (verbose).

9
ln - make symbolic links
A symbolic link is a "file" pointing to another file.

To make a symbolic link :

ln /original/file /new/link

This makes /original/file and /new/link the same file - edit one and the other will change. The file
will not be gone until both /original/file and /new/link are deleted.

You can only do this with files. For folders, you must make a "soft" link.

To make a soft symbolic link :

ln -s /original/file /new/link

Example:

ln -s /usr/src/linux-2.4.20 /usr/src/linux

Note that -s makes an "empty" file pointing to the original file/folder. So if you delete the folder
a symlink points to, you will be stuck with a dead symlink (just rm it).

tar archiving utility - tar.bz2 and tar.gz


tar (manual page) is a very handle little program to store files and folders in archives, originally
made for tapestreamer backups. Tar is usually used together with gzip (manual page) or bzip2
(manual page), comprepssion programs that make your .tar archive a much smaller .tar.gz or
.tar.bz2 archive.

tar files (.tar.gz)

To untar files:

tar xvzf file.tar.gz

To tar files:

tar cvzf file.tar.gz filedir1 filedir2 filedir2...

Note: A .tgz file is the same as a .tar.gz file. Both are also often refered to as tarballs.

The flags: z is for gzip, v is for verbose, c is for create, x is for extract, f is for file (default is to
use a tape device).

10
bzip2 files (.tar.bz2)

To unpack files:

tar xjvf file.tar.bz2

To pack files:

tar cvjf file.tar.bz2 filedir1 filedir2 filedir2...

The flags: Same as above, but with j for for bzip2

You can also use bunzip2 file.tar.bz2 , will turn it into a tar.

For older versions of tar, try tar -xjvf or -xYvf or -xkvf to unpack.There's a few other options it
could be, they couldn't decide which switch to use for bzip2 for a while.

How to untar an entire directory full or archives?

.tar:

for i in `ls *.tar`; do tar xvf $i; done

.tar.gz: for i in `ls *.tar.gz`; do tar xvfz $i; done

.tar.bz2: for i in `ls *.tar.bz2`; do tar xvfj $i; done

Few important commands:

How to view installed RAM?

- free –m
- cat /proc/meminfo

How to view installed Harddisk?

- fdisk –l

11
How to view disk space usage?

- df –h

How to view installed?

- cat /proc/cpuinfo

How to view running processes?

- ps ax

How to view cpu and memory usage?

- top

How to view hardware information of a system?

- dmesg

How to view physical information of a hard drive?

- hdparm /dev/had
( use –i to display info detected at boot time/ -I for current dectection)

How to create mirror copy of one disk to another?

- dd if=source disk of=destination disk


- dd if=/dev/hda of=/dev/hdb

How to copy directory of another system to current system?

- scp –r 192.168.1.2:/root/ /root/

12
How to copy content of one directory to another?

- rsync –avr /media/RHEL/ /root/rehat/

How to search for a file?

- find / -name abc.txt

How to download a file?

- wget http://www.songs.pk/test.mp3

How to start/stop a service?

- service servicename start (e.g. service network start)


- service servicename restart (e.g. service network restart)
- service servicename stop (e.g. service network stop)
- service servicename status (e.g. service network status)
- /etc/init.d/servicename start or stop or restart or status
- (e.g. /etc/init.d/network start)

How to know my current working directory?

- pwd

How to kill a process?

- kill process_id
(you can view process id by ps ax | grep process name)

How to view system uptime?

- uptime

How to trace route to a host?

- traceroute ip_address_of_host

13
How to view first 10 lines of a file?

- head -10 filename

How to view last 10 lines of a file?

- tail -10 filename

How to find logged in users?

- who

How to restart a pc?

- init 6

How to shutdown a pc?

- init 0

How to clear terminal screen?

- clear

How to add user?

- useradd username

How to change password?

- passwd username

How to delete a user?

- userdel username

14
Linux File Permission

Linux (the same as any UNIX) is a secure, multiuser operating system, and this creates a
level a complexity with "files permissions". Trouble with file permissions can lead to
unexpected and nasty problems. Understanding file permissions is of uttermost importance
to be able to administer any multiuser operating system (be it UNIX, WinNT, or Linux). My
advice would be: learn the system of Linux (or any UNIX) file permission conventions; you
will not regret it.

File owners. Each file (or directory) belongs to an owner (normally a login name) and to a
group. The owner is typically the person who created (or copied) the file. The group often
consists of one person--the owner, and has a name identical to that of the owner, but it
does not need to be so. A file can be removed (erased) only by the owner of the file, or a
member of the group that owns the file, or the root. Other users, however, may be able to
modify or erase the contents of the file if they are given permission to do so--read on. The
owner and group that owns the file will be shown in the output from the ls -l command
(="list in the long format"). For example, the command:

ls -l junk

produced this output on my screen:

-rwx------ 1 yogin inca 27 Apr 24 14:12 junk

This shows the file "junk", belonging to the owner "yogin" and to the group "inca".

The ownership of a file can be changed using the commands chown (change owner) and
chgrp (change group), which are normally executed by root:

chown peter junk


chgrp peter junk
ls -l junk

After executing the above 3 lines, the command ls-l junk produces this output on my
screen:

-rwx------ 1 peter peter 27 Apr 25 20:27 junk

Changing file ownership comes handy if you move/copy files around as root for use by other
users. At the end of your housekeeping you typically want to hand the file ownership over to
the proper user.

File permissions. Now, an owner of a file can make the file accessible in three modes:
read (r), write (w) and execute (x) to three classes of users: owner (u), members of a

15
group (g), others on the system (o). You can check the current access permissions using:

ls -l filename
If the file is accessible to all users (owner, group, others) in all three modes (read, write,
execute) it will show:

-rwxrwxrwx

Skip the first "-" (it shows the type of file, and is "-" for normal files, "d" for directories, "l"
for links, "c" for character devices, "b" for block devices, "p" for named pipes i.e. FIFO files,
"f" for stacks i.e. LIFO files). After the initial "-" character, the first triplet shows the file
permission for the owner of the file, the second triplet shows the permissions for the group
that owns the file, the third triplet shows the permissions for other users. A "no" permission
is shown as "-". Here is an output from the ls -l command on a file that is owned by root,
for which the owner (root) has all permissions, but the group and others can only read and
execute:

drwxr-xr-x 2 root root 21504 Apr 24 19:27 dev

The first letter "d" shows that the file is actually a directory.

You can change the permissions on a file which you own using the command chmod
(="change mode"). For example, this command will add the permission to read the file
"junk" to all (=user+group+others):

chmod a+r junk

In the command above, instead of "a" (="all"), I could have used "u", "g" or "o" (="user",
"group" or "others"). Instead of "+" (="add the permission"), I could have used "-" or "="
("remove the permission" or "set the permission"). Instead of "r" (="read permission"), I
could have used "w" or "x" ("write permission" or "execute permission").
Second example. This command will remove the permission to execute the file "junk" from
others:

chmod o-x junk

Instead of letters, one can also use numbers to specify the permissions. To understand how
it works, look at this:

execute=1
write=2
read=4

The total permission for a class of users is the sum of the three. Thus:

This table shows what numeric values mean:

16
Octal digit Text equivalent Binary value Meaning

0 --- 000 All types of access are denied

1 --x 001 Execute access is allowed only

2 -w- 010 Write access is allowed only

3 -wx 011 Write and execute access are allowed

4 r-- 100 Read access is allowed only

5 r-x 101 Read and execute access are allowed

6 rw- 110 Read and write access are allowed

7 rwx 111 Everything is allowed

The permission for all three classes of users (owner, group, others) is obtained by gluing
the three digits together one by one. For example, the command:

chmod 770 junk

will give the owner and the group the completto of permissions, but no permissions to
others. The command:

chmod 666 junk

gives all three classes of users (owner, group, others) the permissions to read and write
(but not execute) the example file named "junk". Please note the "666". It is quite often
used and, for at least one person I know, it is proof that Linux (any UNIX for that matter) is
the work of the devil >:-0.
This command:

chmod 411 junk

would give the owner the permission to read only, and the group and others to execute
only. This one does not seem useful, but might be funny, at least for those North American
Linux users who dial 411 (telephone number) for directory assistance. Mail me if you can
think of any other funny permissions (perhaps 007?).
The numerical way of representing file permissions is called "octal" because the numbers
have the base 8 (the decimal system's base is 10). The highest digit in the octal system is 7
(the octal system has eight digits: 0 to 7, analogous to the decimal system having ten
digits: 0 to 9). The octal representation is really a convenient notation for the binary
representation of file permissions, where each permission is flagged as "set" or "denied"
with a one or zero and the total is represented as a string of zeroes and ones, as in this

17
diagram:

user class: owner group others


example permissions: rwx rw- r--
absent permissions: --- --x -wx
binary representation of the permissions: 111 110 100
octal representation of the binary: 7 6 4

Permissions for directories.


The meaning of the permissions is different for directories than it is for "normal" files. For
normal files: r=permission to read the contents of the file, w=permission to modify the
contents of the file, and x=permission to execute the file.
For directories: r=permission to list the filenames in the directory, w=permission to create
or delete files in the directory, and x=permission to access the directory. Otherwise, the
permissions are set the same way for directories as they are for normal files.

Difference in access permissions for files and folders


Access permissions for files and folders mean different things from the user standpoint. The
table below shows the difference.

Access
File Folder
type

If the file contents can be


Read If the directory listing can be obtained
read

If user or process can write If user or process can change directory contents
Write to the file (change its somehow: create new or delete existing files in the
contents) directory or rename files.

If user or process can access the directory, that is,


If the file can be
Execute go to it (make it to be the current working
executed
directory)

Default file permissions with umask. When a new file is created, it is given default
permissions. On my system, these are:

-rw-r--r--

This means that files created by a user can be read and written by this user; the group and
the others can only read the file. Still, on my default RedHat system, users cannot read the
files in the other users' home directories because the permissions on the home directories

18
are:

drwx------

I can check the default file permissions given to my newly created files using:

umask -S

(The option "-S" stands for "symbolic" and tells umask to display the permissions in an easy-
to-read form, instead of the default numeric mode.)
I can change the default file permissions for newly created files using a command like:

umask u=rw,g=,o=

which will give the owner the read and write permissions on newly created files (r+w), and
no permission to the group and others.
Using numbers to set default permissions with umask is more tricky. The number shows the
permissions that you take away for users (opposite to chmod). Thus:

umask 000

will give full permissions to everybody on newly created files. The next example gives read
and write permissions to the owner, and zero permissions for everybody else (seems that's
what one might want):

umask 177

To make the settings permanent for all users on the system, adjust the appropriate line(s)
in the file /etc/profile .

VI editor:

History: The original vi program was written by Bill Joy in 1976 for an early BSD Unix release.
Some current implementations of vi can trace their source code ancestry to Bill Joy; others are
completely new, largely compatible reimplementations.

How to run?

Type vi filename or vim filename (vi improved)at command prompt and press enter.

How do I enter text?

i. Press i
ii. Start typing texts
iii. When finished press escape.

How do I save text?

19
i. Type :w and press enter. (you will remain in vi environment)
ii. Type :x and press enter. (document will be saved and vi editor will be closed)

How to save the file in different name?

i. Open the file.


ii. Edit it as you like.
iii. Press escape to exit insert mode.
iv. :w new filename and enter.

How do I quit without saving document.

i. Press escape after entering text.


ii. :q! and enter to quit without saving.

How do I search for word?

i. :/word press enter. (for upward search)


ii. :?word press enter.(for downward search)

How do I search and replace?

i. :%s/oldstring/newstring/cg

How do I Undo previous command?

i. :u (small)

How do I all changes to line?


:U (Capital)

Package Management with RPM


The Red Hat Package Manager (RPM) is an open packaging system, available for anyone to
use, which runs on Red Hat Linux as well as other Linux and UNIX systems. Red Hat, Inc.
encourages other vendors to use RPM for their own products. RPM is distributable under the
terms of the GPL.

RPM has five basic modes of operation (not counting package building): installing, uninstalling,
upgrading, querying, and verifying. This section contains an overview of each mode. For
complete details and options try rpm --help, or turn to the section called Additional Resources
for more information on RPM.

Finding RPMs

20
Before using an RPM, you must know where to find them. An Internet search will return many
RPM repositories, but if you are looking for RPM packages built by Red Hat, they can be found
at the following locations:

• The official Red Hat Linux CD-ROMs


• The Red Hat Errata Page available at http://www.redhat.com/support/errata
• A Red Hat FTP Mirror Site available at http://www.redhat.com/mirrors.html
• Red Hat Network

RPM packages typically have file names like foo-1.0-1.i386.rpm. The file name includes
the package name (foo), version (1.0), release (1), and architecture (i386). Installing a
package is as simple as typing the following command at a shell prompt:

# rpm -ivh foo-1.0-1.i386.rpm


foo ####################################
#

As you can see, RPM prints out the name of the package and then prints a succession of hash
marks as the package is installed as a progress meter.

Note

Although a command like rpm -ivh foo-1.0-1.i386.rpm is commonly used to install an


RPM package, you may want to consider using rpm -Uvh foo-1.0-1.i386.rpm instead.
-U is commonly used for upgrading a package, but it will also install new packages. See the
section called Upgrading for more information about using the -U RPM option.

Installing packages is designed to be simple, but you may sometimes see errors:

Package Already Installed

If the package of the same version is already installed, you will see:

# rpm -ivh foo-1.0-1.i386.rpm


foo package foo-1.0-1 is already installed
#

If you want to install the package anyway and the same version you are trying to install is
already installed, you can use the --replacepkgs option, which tells RPM to ignore the error:

# rpm -ivh --replacepkgs foo-1.0-1.i386.rpm


foo ####################################
#

21
This option is helpful if files installed from the RPM were deleted or if you want the original
configuration files from the RPM to be installed.

Conflicting Files

If you attempt to install a package that contains a file which has already been installed by another
package or an earlier version of the same package, you'll see:

# rpm -ivh foo-1.0-1.i386.rpm


foo /usr/bin/foo conflicts with file from bar-1.0-1
#

To make RPM ignore this error, use the --replacefiles option:

# rpm -ivh --replacefiles foo-1.0-1.i386.rpm


foo ####################################
#

Unresolved Dependency

RPM packages can "depend" on other packages, which means that they require other packages
to be installed in order to run properly. If you try to install a package which has an unresolved
dependency, you'll see:

# rpm -ivh foo-1.0-1.i386.rpm


failed dependencies:
bar is needed by foo-1.0-1
#

To handle this error you should install the requested packages. If you want to force the
installation anyway (a bad idea since the package probably will not run correctly), use the --
nodeps option.

Uninstalling
Uninstalling a package is just as simple as installing one. Type the following command at a shell
prompt:

# rpm -e foo
#

Note

Notice that we used the package name foo, not the name of the original package file foo-
1.0-1.i386.rpm. To uninstall a package, you will need to replace foo with the actual
package name of the original package.

22
You can encounter a dependency error when uninstalling a package if another installed package
depends on the one you are trying to remove. For example:

# rpm -e foo
removing these packages would break dependencies:
foo is needed by bar-1.0-1
#

To cause RPM to ignore this error and uninstall the package anyway (which is also a bad idea
since the package that depends on it will probably fail to work properly), use the --nodeps
option.

Upgrading
Upgrading a package is similar to installing one. Type the following command at a shell prompt:

# rpm -Uvh foo-2.0-1.i386.rpm


foo ####################################
#

What you do not see above is that RPM automatically uninstalled any old versions of the foo
package. In fact, you may want to always use -U to install packages, since it will work even
when there are no previous versions of the package installed.

Since RPM performs intelligent upgrading of packages with configuration files, you may see a
message like the following:

saving /etc/foo.conf as /etc/foo.conf.rpmsave

This message means that your changes to the configuration file may not be "forward compatible"
with the new configuration file in the package, so RPM saved your original file, and installed a
new one. You should investigate the differences between the two configuration files and resolve
them as soon as possible, to ensure that your system continues to function properly.

Upgrading is really a combination of uninstalling and installing, so during an RPM upgrade you
can encounter uninstalling and installing errors, plus one more. If RPM thinks you are trying to
upgrade to a package with an older version number, you will see:

# rpm -Uvh foo-1.0-1.i386.rpm


foo package foo-2.0-1 (which is newer) is already installed
#

To cause RPM to "upgrade" anyway, use the --oldpackage option:

# rpm -Uvh --oldpackage foo-1.0-1.i386.rpm


foo ####################################
#

23
Freshening
Freshening a package is similar to upgrading one. Type the following command at a shell
prompt:

# rpm -Fvh foo-1.2-1.i386.rpm


foo ####################################
#

RPM's freshen option checks the versions of the packages specified on the command line against
the versions of packages that have already been installed on your system. When a newer version
of an already-installed package is processed by RPM's freshen option, it will be upgraded to the
newer version. However, RPM's freshen option will not install a package if no previously-
installed package of the same name exists. This differs from RPM's upgrade option, as an
upgrade will install packages, whether or not an older version of the package was already
installed.

RPM's freshen option works for single packages or a group of packages. If you have just
downloaded a large number of different packages, and you only want to upgrade those packages
that are already installed on your system, freshening will do the job. If you use freshening, you
will not have to deleting any unwanted packages from the group that you downloaded before
using RPM.

In this case, you can simply issue the following command:

# rpm -Fvh *.rpm

RPM will automatically upgrade only those packages that are already installed.

Querying
Use the rpm -q command to query the database of installed packages. The rpm -q foo
command will print the package name, version, and release number of the installed package foo:

# rpm -q foo
foo-2.0-1
#

Note

Notice that we used the package name foo. To query a package, you will need to replace
foo with the actual package name.

Instead of specifying the package name, you can use the following options with -q to specify the
package(s) you want to query. These are called Package Specification Options.

24
• -a queries all currently installed packages.
• -f <file> will query the package which owns <file>. When specifying a file, you must
specify the full path of the file (for example, /usr/bin/ls).
• -p <packagefile> queries the package <packagefile>.

There are a number of ways to specify what information to display about queried packages. The
following options are used to select the type of information for which you are searching. These
are called Information Selection Options.

• -i displays package information including name, description, release, size, build date,
install date, vendor, and other miscellaneous information.
• -l displays the list of files that the package contains.
• -s displays the state of all the files in the package.
• -d displays a list of files marked as documentation (man pages, info pages, READMEs,
etc.).
• -c displays a list of files marked as configuration files. These are the files you change
after installation to adapt the package to your system (for example, sendmail.cf,
passwd, inittab, etc.).

For the options that display lists of files, you can add -v to the command to display the lists in a
familiar ls -l format.

Verifying
Verifying a package compares information about files installed from a package with the same
information from the original package. Among other things, verifying compares the size, MD5
sum, permissions, type, owner, and group of each file.

The command rpm -V verifies a package. You can use any of the Package Selection Options
listed for querying to specify the packages you wish to verify. A simple use of verifying is rpm -
V foo, which verifies that all the files in the foo package are as they were when they were
originally installed. For example:

• To verify a package containing a particular file:

rpm -Vf /bin/vi

• To verify ALL installed packages:

rpm -Va

• To verify an installed package against an RPM package file:

25
rpm -Vp foo-1.0-1.i386.rpm

• This command can be useful if you suspect that your RPM databases are corrupt.

If everything verified properly, there will be no output. If there are any discrepancies they will be
displayed. The format of the output is a string of eight characters (a c denotes a configuration
file) and then the file name. Each of the eight characters denotes the result of a comparison of
one attribute of the file to the value of that attribute recorded in the RPM database. A single . (a
period) means the test passed. The following characters denote failure of certain tests:

• 5 — MD5 checksum
• S — file size
• L — symbolic link
• T — file modification time
• D — device
• U — user
• G — group
• M — mode (includes permissions and file type)
• ? — unreadable file

If you see any output, use your best judgment to determine if you should remove or reinstall the
package, or fix the problem in another way.

local YUM repo

How to create a local YUM repo

You will need an utility, named createrepo. Its RPM package exists in Fedora Extras. To install
it, just run as root:

# yum install createrepo

Then, put all your custom RPM packages in a directory. Assuming that this directory is
/mnt/fc_local_repo/, you can create all the necessary metadata for your local repository by
running the following command as root or as the user that owns the directory:

# createrepo /mnt/fc_local_repo/

That’s it! Your local YUM repository is ready.

Keep in mind that every time you put any new RPMs in that directory or remove any old RPMs,
you will need to run the above command again, so that the repository metadata gets updated.

26
Add your local repo to the list

The next thing you need to do is to add your local repository to your list of repos, so that yum
knows where to find it. This info is kept in the /etc/yum.repos.d/ directory. As root, create a
new text file in this directory, name it fedora-local.repo (you can use any name you like, but
remember to add the extension .repo), and add the following info in it:

[localrepo]
name=Fedora Core $releasever - My Local Repo
baseurl=file:///mnt/fc_local_repo/
enabled=1
gpgcheck=0
#gpgkey=file:///path/to/you/RPM-GPG-KEY

As you can see, we used the protocol file:/// in the baseurl option. This assumes that the
local repo exists in the local machine. If it exists in another machine of your internal network,
feel free to use any other protocol in order to tell yum where to find your local repository, For
example you can use http://, ftp://, smb:// etc.

In the above example, the GPG key check is disabled (gpgcheck=0). If you sign your packages,
you can set this to "1" and uncomment the following line (gpgkey=...). This contains the path
to your public key, so that YUM can verify the package signatures.

You can have as many local YUM repositories as you like.

Other uses of a local repository

Using a local repository does not only serve as a place for your custom RPMs. You can perfectly
save some bandwidth by downloading all the released fedora updates in that repo and use this to
update all the systems of your internal network. This will save bandwidth and time.

Network

How can we found the ip address?

- ifconfig

How to find gateway?

- netstat –nr

27
How to configure ip address?

- system-config-network
- You can also enter the parameters in /etc/sysconfig/network-scripts/ifcfg-eth0
file
(remember eth0 stands for 1st Lan Card similarly eth1 for 2nd Lan card)

How do we enter dns server address?

- open /etc/resolve.conf

example of resolve.conf

nameserver 4.2.2.2

nameserver 172.16.0.10

Where is the hosts file?

- /etc/hosts

Init process

Getty

getty short for "get teletype", is a Unix program running on a host computer that manages
physical or virtual terminals (tty). When it detects a connection, it prompts for a username and
runs the 'login' program to authenticate the user.

Originally, on traditional Unix systems, getty handled connections to serial terminals (often
teletype machines) connected to a host computer. The 'tty' part of the name stands for teletype,
but has come to mean any type of text terminal. One getty process serves one terminal. In some
systems, for example Solaris, getty was replaced by ttymon.

Personal computers running Unix-like operating systems, even if they do not provide any remote
login services, may still use getty as a means of logging in on a local virtual console.

28
Instead of the 'login' program getty may also be set up by the system administrator to run any
other program, for example a PPP daemon to provide dial-up Internet access.

PC Boot and Linux Init Process:

1. BIOS: The Basic Input/Output System is the lowest level interface between the
computer and peripherals.
The BIOS performs integrity checks on memory and seeks instructions on the
Master Boor Record (MBR) on the floppy drive or hard drive.
2. The MBR points to the boot loader (GRUB or LILO: Linux boot loader).
3. Boot loader (GRUB or LILO) will then ask for the OS label which will identify which
kernel to run and where it is located (hard drive and partition specified). The
installation process requires to creation/identification of partitions and where to
install the OS. GRUB/LILO are also configured during this process. The boot loader
then loads the Linux operating system.
4. Kernel executes init program. Init is the root/parent of all processes executing
on Linux.
5. The first processes that init starts is a script /etc/rc.d/rc.sysinit
6. Based on the appropriate run-level, scripts are executed to start various
processes to run the system and make it functional.

The Linux Init Processes:

The init process is the last step in the boot procedure and identified by process id "1". Init is
responsible for starting system processes as defined in the /etc/inittab file. Init typically will
start multiple instances of "getty" which waits for console logins which spawn one's user shell
process. Upon shutdown, init controls the sequence and processes for shutdown. The init process
is never shut down. It is a user process and not a kernel system process although it does run as
root.

When you modify inittab, the change is only temporary because each time the kernel is
relinked, a new inittab file is created. To change the initialization procedure
permanently, you must also modify the source from which the inittab file is recreated. To
add a new entry, append it to the /etc/conf/cf.d/init.base file. To modify an entry,
locate and edit the existing entry in /etc/conf/cf.d/init.base or in one of the other
component files in the /etc/conf/init.d directory.

Inittab

29
The inittab file describes which processes are started at bootup and during normal operation
(e.g. /etc/init.d/boot, /etc/init.d/rc, gettys...). init(8) distinguishes multiple runlevels, each of
which can have its own set of processes that are started. Valid runlevels are 0-6 plus A, B, and C
for ondemand entries. An entry in the inittab file has the following format:

id:runlevels:action:process

Lines beginning with '#' are ignored.

id

is a unique sequence of 1-4 characters which identifies an entry in inittab (for versions of
sysvinit compiled with the old libc5 (< 5.2.18) or a.out libraries the limit is 2 characters).

Note: traditionally, for getty and other login processes, the value of the id field is kept
the same as the suffix of the corresponding tty, e.g. 1 for tty1. Some ancient login
accounting programs might expect this, though I can't think of any.

runlevels

lists the runlevels for which the specified action should be taken.

action

describes which action should be taken.

process

specifies the process to be executed. If the process field starts with a '+'
character, init will not do utmp and wtmp accounting for that process. This is
needed for gettys that insist on doing their own utmp/wtmp housekeeping. This is
also a historic bug.

The runlevels field may contain multiple characters for different runlevels. For example,
123 specifies that the process should be started in runlevels 1, 2, and 3. The runlevels for
ondemand entries may contain an A, B, or C. The runlevels field of sysinit, boot, and
bootwait entries are ignored.

When the system runlevel is changed, any running processes that are not specified for the new
runlevel are killed, first with SIGTERM , then with SIGKILL .

Valid actions for the action field are:

respawn

The process will be restarted whenever it terminates (e.g. getty).

30
wait

The process will be started once when the specified runlevel is entered and init will wait for its
termination.

once

The process will be executed once when the specified runlevel is entered.

boot

The process will be executed during system boot. The runlevels field is ignored.

bootwait

The process will be executed during system boot, while init waits for its
termination (e.g. /etc/rc). The runlevels field is ignored.

off

This does nothing.

ondemand

A process marked with an ondemand runlevel will be executed whenever the


specified ondemand runlevel is called. However, no runlevel change will occur
(ondemand runlevels are 'a', 'b', and 'c').

initdefault

An initdefault entry specifies the runlevel which should be entered after system
boot. If none exists, init will ask for a runlevel on the console. The process field is
ignored.

sysinit

The process will be executed during system boot. It will be executed before any
boot or bootwait entries. The runlevels field is ignored.

powerwait

The process will be executed when the power goes down. Init is usually informed
about this by a process talking to a UPS connected to the computer. Init will wait
for the process to finish before continuing.

powerfail

31
As for powerwait, except that init does not wait for the process's completion.

powerokwait

This process will be executed as soon as init is informormed that the power has
been restored.

powerfailnow

This process will be executed when init is told that the battery of the external UPS
is almost empty and the power is failing (provided that the external UPS and the
monitoring process are able to detect this condition).

ctrlaltdel

The process will be executed when init receives the SIGINT signal. This means that
someone on the system console has pressed the CTRL-ALT-DEL key combination.
Typically one wants to execute some sort of shutdown either to get into single-
user level or to reboot the machine.

kbrequest

The process will be executed when init receives a signal from the keyboard
handler that a special key combination was pressed on the console keyboard.

The documentation for this function is not complete yet; more documentation can be
found in the kbd-x.xx packages (most recent was kbd-0.94 at the time of this writing).
Basically you want to map some keyboard combination to the "KeyboardSignal" action.
For example, to map Alt-Uparrow for this purpose use the following in your keymaps
file: alt keycode 103 = KeyboardSignal

# inittab This file describes how the INIT process should set up

# the system in a certain run-level.

# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>

# Modified for RHS Linux by Marc Ewing and Donnie Barnes

# Default runlevel. The runlevels used by RHS are:

# 0 - halt (Do NOT set initdefault to this)

# 1 - Single user mode

32
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)

# 3 - Full multiuser mode

# 4 - unused

# 5 - X11

# 6 - reboot (Do NOT set initdefault to this)

id:5:initdefault:

# System initialization.

si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0

l1:1:wait:/etc/rc.d/rc 1

l2:2:wait:/etc/rc.d/rc 2

l3:3:wait:/etc/rc.d/rc 3

l4:4:wait:/etc/rc.d/rc 4

l5:5:wait:/etc/rc.d/rc 5

l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes

# of power left. Schedule a shutdown for 2 minutes from now.

# This does, of course, assume you have powerd installed and your

# UPS connected and working correctly.

pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.

pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

33
# Run gettys in standard runlevels

1:2345:respawn:/sbin/mingetty tty1

2:2345:respawn:/sbin/mingetty tty2

3:2345:respawn:/sbin/mingetty tty3

4:2345:respawn:/sbin/mingetty tty4

5:2345:respawn:/sbin/mingetty tty5

6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5

x:5:respawn:/etc/X11/prefdm -nodaemon

Schedule tasks on Linux using crontab


If you've got a website that's heavy on your web server, you might want to run some processes
like generating thumbnails or enriching data in the background. This way it can not interfere with
the user interface. Linux has a great program for this called cron. It allows tasks to be
automatically run in the background at regular intervals. You could also use it to automatically
create backups, synchronize files, schedule updates, and much more. Welcome to the wonderful
world of crontab.

Crontab
The crontab (cron derives from chronos, Greek for time; tab stands for table) command, found in
Unix and Unix-like operating systems, is used to schedule commands to be executed
periodically. To see what crontabs are currently running on your system, you can open a terminal
and run:

sudo crontab -l

To edit the list of cronjobs you can run:

sudo crontab -e

This wil open a the default editor (could be vi or pico, if you want you can change the default
editor) to let us manipulate the crontab. If you save and exit the editor, all your cronjobs are
saved into crontab. Cronjobs are written in the following format:

* * * * * /bin/execute/this/script.sh

Scheduling explained

34
As you can see there are 5 stars. The stars represent different date parts in the following order:

1. minute (from 0 to 59)


2. hour (from 0 to 23)
3. day of month (from 1 to 31)
4. month (from 1 to 12)
5. day of week (from 0 to 6) (0=Sunday)

Execute every minute

If you leave the star, or asterisk, it means every. Maybe that's a bit unclear. Let's use the the
previous example again:

* * * * * /bin/execute/this/script.sh

They are all still asterisks! So this means execute /bin/execute/this/script.sh:

1. every minute
2. of every hour
3. of every day of the month
4. of every month
5. and every day in the week.

In short: This script is being executed every minute. Without exception.

Execute every Friday 1AM

So if we want to schedule the script to run at 1AM every Friday, we would need the following
cronjob:

0 1 * * 5 /bin/execute/this/script.sh

Get it? The script is now being executed when the system clock hits:

1. minute: 0
2. of hour: 1
3. of day of month: * (every day of month)
4. of month: * (every month)
5. and weekday: 5 (=Friday)

Execute on weekdays 1AM

So if we want to schedule the script to run at 1AM every Friday, we would need the following
cronjob:

0 1 * * 1-5 /bin/execute/this/script.sh

35
Get it? The script is now being executed when the system clock hits:

1. minute: 0
2. of hour: 1
3. of day of month: * (every day of month)
4. of month: * (every month)
5. and weekday: 1-5 (=Monday til Friday)

Execute 10 past after every hour on the 1st of every month

Here's another one, just for practicing

10 * 1 * * /bin/execute/this/script.sh

Fair enough, it takes some getting used to, but it offers great flexibility.

Neat scheduling tricks


What if you'd want to run something every 10 minutes? Well you could do this:

0,10,20,30,40,50 * * * * /bin/execute/this/script.sh

But crontab allows you to do this as well:

*/10 * * * * /bin/execute/this/script.sh

Which will do exactly the same. Can you do the the math? ;)

Special words
If you use the first (minute) field, you can also put in a keyword instead of a number:

@reboot Run once, at startup


@yearly Run once a year "0 0 1 1 *"
@annually (same as @yearly)
@monthly Run once a month "0 0 1 * *"
@weekly Run once a week "0 0 * * 0"
@daily Run once a day "0 0 * * *"
@midnight (same as @daily)
@hourly Run once an hour "0 * * * *

Leave the rest of the fields empty so this would be valid:

@daily /bin/execute/this/script.sh

Storing the crontab output

36
By default cron saves the output of /bin/execute/this/script.sh in the user's mailbox (root in this
case). But it's prettier if the output is saved in a separate logfile. Here's how:

*/10 * * * * /bin/execute/this/script.sh 2>&1 >> /var/log/script_output.log

Explained

Linux can report on different levels. There's standard output (STDOUT) and standard errors
(STDERR). STDOUT is marked 1, STDERR is marked 2. So the following statement tells Linux
to store STDERR in STDOUT as well, creating one datastream for messages & errors:

2>&1

Now that we have 1 output stream, we can pour it into a file. Where > will overwrite the file,
>> will append to the file. In this case we'd like to to append:

>> /var/log/script_output.log

Mailing the crontab output


By default cron saves the output in the user's mailbox (root in this case) on the local system. But
you can also configure crontab to forward all output to a real email address by starting your
crontab with the following line:

MAILTO="yourname@yourdomain.com"

Mailing the crontab output of just one cronjob

If you'd rather receive only one cronjob's output in your mail, make sure this package is installed:

aptitude install mailx

And change the cronjob like this:

*/10 * * * * /bin/execute/this/script.sh 2>&1 | mail -s "Cronjob ouput"


yourname@yourdomain.com

Trashing the crontab output


Now that's easy:

*/10 * * * * /bin/execute/this/script.sh 2>&1 > /dev/null

Just pipe all the output to the null device, also known as the black hole. On Unix-like operating
systems, /dev/null is a special file that discards all data written to it.

37
FTP Server

The File Transfer Protocol (FTP) is used as one of the most common means of copying files
between to Hosts. FTP relies on a pair of TCP ports to get the job done. It operates in two
connection channels as I'll explain:

FTP Control Channel, TCP Port 21: All commands you send and the ftp server's responses to
those commands will go over the control connection, but any data sent back (such as "ls"
directory lists or actual file data in either direction) will go over the data connection.

FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between
the client and server.

In addition to these channels, there are several varieties of FTP.

Types of FTP
From a networking perspective, the two main types of FTP are active and passive. In active FTP,
the FTP server initiates a data transfer connection back to the client. For passive FTP, the
connection is initiated from the FTP client. These are illustrated in Figure.

Figure :Active And Passive FTP Illustrated

38
From a user management perspective there are also two types of FTP: regular FTP in which files
are transferred using the username and password of a regular user FTP server, and anonymous
FTP in which general access is provided to the FTP server using a well known universal login
method.

Take a closer look at each type.

Active FTP

The sequence of events for active FTP is:

1. Your client connects to the FTP server by establishing an FTP control connection
to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this
connection.
2. Whenever the client requests data over the control connection, the server
initiates data transfer connections back to the client. The source port of these
data transfer connections is always port 20 on the server, and the destination
port is a high port (greater than 1024) on the client.
3. Thus the ls listing that you asked for comes back over the port 20 to high port
connection, not the port 21 control connection.

FTP active mode therefore transfers data in a counter intuitive way to the TCP standard, as it
selects port 20 as it's source port (not a random high port that's greater than 1024) and connects
back to the client on a random high port that has been pre-negotiated on the port 21 control
connection.

Active FTP may fail in cases where the client is protected from the Internet via many to one
NAT (masquerading). This is because the firewall will not know which of the many servers
behind it should receive the return connection.

Passive FTP

Passive FTP works differently:

1. Your client connects to the FTP server by establishing an FTP control connection
to port 21 of the server. Your commands such as ls and get are sent over that
connection.
2. Whenever the client requests data over the control connection, the client
initiates the data transfer connections to the server. The source port of these
data transfer connections is always a high port on the client with a destination
port of a high port on the server.

Passive FTP should be viewed as the server never making an active attempt to connect to the
client for FTP data transfers. Because client always initiates the required connections, passive
FTP works better for clients protected by a firewall.

39
As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to
accommodate both forms when deciding upon a security policy for your FTP server.

Regular FTP

By default, the VSFTPD package allows regular Linux users to copy files to and from their home
directories with an FTP client using their Linux usernames and passwords as their login
credentials.

VSFTPD also has the option of allowing this type of access to only a group of Linux users,
enabling you to restrict the addition of new files to your system to authorized personnel.

The disadvantage of regular FTP is that it isn't suitable for general download distribution of
software as everyone either has to get a unique Linux user account or has to use a shared
username and password. Anonymous FTP allows you to avoid this difficulty.

Anonymous FTP

Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown
remote users. Common uses include downloading software updates and MP3s and uploading
diagnostic information for a technical support engineers' attention. Unlike regular FTP where
you login with a preconfigured Linux username and password, anonymous FTP requires only a
username of anonymous and your email address for the password. Once logged in to a VSFTPD
server, you automatically have access to only the default anonymous FTP directory (/var/ftp in
the case of VSFTPD) and all its subdirectories.

VSFTPD can be configured to support user-based and or anonymous FTP in its configuration file
which you'll see later.

Basic Setup

To disable anonymous login and to enable local users login and give them write
permissions:

Code:

# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you should enable
TLS/SSL/FTPS
local_enable=YES

# Write permissions
write_enable=YES

40
To chroot users

To jail/chroot users (not the vsftpd service), there are three choices. Search for
"chroot_local_users" on the file and consider one of the following:

Code:

# 1. All users are jailed by default:


chroot_local_user=YES
chroot_list_enable=NO

# 2. Just some users are jailed:


chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.

# 3. Just some users are "free":


chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.

To deny (or allow) just some users to login

To deny some users to login, add the following options in the end of the file:

Code:

userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users

In the file /etc/vsftpd.denied_users add the username of the users that can't login. One
username per line.

To allow just some users to login:

Code:

41
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users

In the file /etc/vsftpd.allowed_users add the username of the users that can login.

The not allowed users will get an error that they can't login before they type their
password.

TLS/SSL/FTPS

NOTE: you definitely have to use this if you connect from the Internet.

To use vsftpd with encryption (it's safer), change or add the following options (some
options aren't on the original config file, so add them):

Code:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990

How to create SSL/TLS certificates

42
Additional Options

Here are some other available options. The values are examples:

Code:

# Show hidden files and the "." and ".." folders.


# Useful to not write over hidden files:
force_dot_files=YES

# Hide the info about the owner (user and group) of the files.
hide_ids=YES

# Connection limit for each IP:


max_per_ip=2

# Maximum number of clients:


max_clients=20

What is fstab and why it's useful


fstab is a configuration file that contains information of all the partitions and storage devices in
your computer. The file is located under /etc, so the full path to this file is /etc/fstab.

/etc/fstab contains information of where your partitions and storage devices should be
mounted and how. If you can't access your Windows partition from Linux, aren't able to mount
your CD or write to your floppy as a normal user, or have problems with your CD-RW, you
probably have a misconfigured /etc/fstab file. So, you can usually fix your mounting
problems by editing your fstab file.

/etc/fstab is just a plain text file, so you can open and edit it with any text editor you're
familiar with. However, note that you must have the root privileges before editing fstab. So, in
order to edit the file, you must either log in as root or use the su command to become root.

Overview of the file


Of course everybody has a bit different /etc/fstab file because the partitions, devices and their
properties are different on different systems. But the basic structure of fstab is always the same.
Here's an example of the contents of /etc/fstab:

43
/dev/hda2 / ext2 defaults 11

/dev/hdb1 /home ext2 defaults 12

/dev/cdrom /media/cdrom auto ro,noauto,user,exec 0 0

/dev/fd0 /media/floppy auto rw,noauto,user,sync 0 0

proc /proc proc defaults 00

/dev/hda1 swap swap pri=42 00

What does all this gibberish mean? As you see, every line (or row) contains the information of
one device or partition. The first column contains the device name, the second one its mount
point, third its filesystem type, fourth the mount options, fifth (a number) dump options, and
sixth (another number) filesystem check options. Let's take a closer look at this stuff.

1st and 2nd columns: Device and default mount point


The first and second columns should be pretty straightforward. They tell the mount command
exactly the same things that you tell mount when you mount stuff manually: what is the device or
partition, and what is the mount point. The mount point specified for a device in /etc/fstab is
its default mount point. That is the directory where the device will be mounted if you don't
specify any other mount point when mounting the device.

Like you already learned from the Mounting tuXfile, most Linux distros create special
directories for mount points. Most distros create them under /mnt, but some (at least SuSE)
under /media. As you probably noticed when looking at the example fstab, I use SuSE's mount
points as an example.

What does all this mean? If I type the following command:


$ mount /dev/fd0
... my floppy will be mounted in /media/floppy, because that's the default mount point
specified in /etc/fstab. If there is no entry for /dev/fd0 in my fstab when I issue the
command above, mount gets very confused because it doesn't know where to mount the floppy.

You can freely change the default mount points listed in /etc/fstab if you're not satisfied with
the defaults your distro has given you. Just make sure the mount point is a directory that already
exists on your system. If it doesn't, simply create it.

Some partitions and devices are also automatically mounted when your Linux system boots up.
For example, have a look at the example fstab above. There are lines that look like this:

44
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /home ext2 defaults 1 2

As you've learned, these lines mean that /dev/hda2 will be mounted to / and /dev/hdb1 to
/home. This is done automatically when your Linux system boots up... if it wouldn't, you'd have
a hard time using your cool Linux system because all the programs you use are in / and you
wouldn't be able to run them if / wasn't mounted! But how does the system know where you
want to mount /dev/hda2 and /dev/hdb1? By looking at the /etc/fstab file of course.

3rd column: Filesystem type


The third column in /etc/fstab specifies the filesystem type of the device or partition. Many
different filesystems are supported but we'll take a look at the most common ones only.

ext2 and ext3 Very likely your Linux partitions are Ext3. Ext2 used to be the standard filesystem
for Linux, but these days, Ext3 and ReiserFS are usually the default filesystems for almost every
new Linux distro. Ext3 is a newer filesystem type that differs from Ext2 in that it's journaled,
meaning that if you turn the computer off without properly shutting down, you shouldn't lose any
data and your system shouldn't spend ages doing filesystem checks the next time you boot up.

reiserfs Your Linux partitions may very well be formatted as ReiserFS. Like Ext3, ReiserFS is a
journaled filesystem, but it's much more advanced than Ext3. Many Linux distros (including
SuSE) have started using ReiserFS as their default filesystem for Linux partitions.

swap The filesystem name is self-explanatory. The filesystem type "swap" is used in your swap
partitions.

vfat and ntfs Your USB stick is most likely formatted as Vfat (more widely known as FAT32).
Your Windows partitions are probably either Vfat or NTFS. The 9x series (95, 98, ME) all use
Vfat, and the NT series (NT, 2000, XP, Vista, 7) use NTFS but they may be formatted as Vfat,
too.

auto No, this isn't a filesystem type :-) The option "auto" simply means that the filesystem type
is detected automatically. If you take a look at the example fstab above, you'll see that the
floppy and CD-ROM both have "auto" as their filesystem type. Why? Their filesystem type may
vary. One floppy might be formatted for Windows and the other for Linux's Ext2. That's why it's
wise to let the system automatically detect the filesystem type of media such as floppies and
cdroms.

45
4th column: Mount options
The fourth column in fstab lists all the mount options for the device or partition. This is also the
most confusing column in the fstab file, but knowing what some of the most common options
mean, saves you from a big headache. Yes, there are many options available, but I'll take a look
at the most widely used ones only. For more information, check out the man page of mount.

auto and noauto With the auto option, the device will be mounted automatically (at bootup,
just like I told you a bit earlier, or when you issue the mount -a command). auto is the default
option. If you don't want the device to be mounted automatically, use the noauto option in
/etc/fstab. With noauto, the device can be mounted only explicitly.

user and nouser These are very useful options. The user option allows normal users to mount
the device, whereas nouser lets only the root to mount the device. nouser is the default, which
is a major cause of headache for new Linux users. If you're not able to mount your cdrom,
floppy, Windows partition, or something else as a normal user, add the user option into
/etc/fstab.

exec and noexec exec lets you execute binaries that are on that partition, whereas noexec
doesn't let you do that. noexec might be useful for a partition that contains binaries you don't
want to execute on your system, or that can't even be executed on your system. This might be the
case of a Windows partition.

exec is the default option, which is a good thing. Imagine what would happen if you accidentally
used the noexec option with your Linux root partition...

ro Mount the filesystem read-only.

rw Mount the filesystem read-write. Again, using this option might cure the headache of many
new Linux users who are tearing their hair off because they can't write to their floppies,
Windows partitions, or something else.

sync and async How the input and output to the filesystem should be done. sync means it's done
synchronously. If you look at the example fstab, you'll notice that this is the option used with
the floppy. In plain English, this means that when you, for example, copy a file to the floppy, the
changes are physically written to the floppy at the same time you issue the copy command.

However, if you have the async option in /etc/fstab, input and output is done asynchronously.
Now when you copy a file to the floppy, the changes may be physically written to it long time
after issuing the command. This isn't bad, and may sometimes be favorable, but can cause some
nasty accidents: if you just remove the floppy without unmounting it first, the copied file may
not physically exist on the floppy yet!

46
async is the default. However, it may be wise to use sync with the floppy, especially if you're
used to the way it's done in Windows and have a tendency to remove floppies before unmounting
them first.

defaults Uses the default options that are rw, suid, dev, exec, auto, nouser, and async.

5th and 6th columns: Dump and fsck options


Dump and, uh, what options? Well, dump is a backup utility and fsck is a filesystem check
utility. I won't discuss them in great length here (they would both need their own tuXfile), but I'll
mention them, because otherwise you'd spend the rest of the day wondering what on God's green
Earth do these things mean.

The 5th column in /etc/fstab is the dump option. Dump checks it and uses the number to
decide if a filesystem should be backed up. If it's zero, dump will ignore that filesystem. If you
take a look at the example fstab, you'll notice that the 5th column is zero in most cases.

The 6th column is a fsck option. fsck looks at the number in the 6th column to determine in
which order the filesystems should be checked. If it's zero, fsck won't check the filesystem.

Example /etc/fstab entries


As an example, we'll take a look at a couple of fstab entries that have been a source of endless
frustration for new Linux users: floppy and CD-ROM (although these days floppies aren't that
important anymore).

/dev/fd0 /media/floppy auto rw,noauto,user,sync 0 0

This line means that the floppy is mounted to /media/floppy by default and that its filesystem
type is detected automatically. This is useful because the type of the floppy may wary. Note
especially the rw and user options: they must be there if you want to be able to mount and write
to the floppy as a normal user. If you have trouble with this, check your fstab file to see if these
options are there. Also note the sync option. It can be async just as well, but it's sync because of
reasons discussed a bit earlier.

/dev/cdrom /media/cdrom auto ro,noauto,user,exec 0 0

Note, again, the user option that enables you to mount the CD as a normal user. The CD-ROM
has the ro option because it's no use mounting a CD-ROM read-write because you wouldn't be
able to write to it anyway. Also note the exec option. It's especially useful if you'd like to be able
to execute something from your CD.

47
Also note that the noauto option is used with the floppy and CD-ROM. This means that they
won't be automatically mounted when your Linux system boots up. This is useful for removable
media, because sometimes there won't be any floppy or CD-ROM when you boot up your
system, so there isn't any reason to try to mount something that doesn't even exist.

Network Filesystems (NFS)

NFS (Network File System) allows hosts to mount partitions on a remote system and use them as
though they are local file systems. This allows the system administrator to store resources in a
central location on the network, providing authorized users continuous access to them.

Two versions of NFS are currently in use. NFS version 2 (NFSv2), which has been around for
several years, is widely supported by various operating systems. NFS version 3 (NFSv3) has
several more features, including a variable file handle size and better error reporting. Red Hat
Linux supports both NFSv2 and NFSv3, and uses NFSv3 by default when connecting with a
server that supports it.

How to configure NFS?

Open /etc/exports

Enter following line

/home 192.168.0.13(rw,nohide)

Save and exit

Issue the following commands

exportfs

48
service nfs restart

On client pc simply mount it by following command

- mount 192.168.0.2:/home /mnt/home

General Options

exportfs understands the following export options:

secure

This option requires that requests originate on an internet port less than IPPORT_RESERVED
(1024). This option is on by default. To turn it off, specify insecure.

rw

Allow both read and write requests on this NFS volume. The default is to disallow any request
which changes the filesystem. This can also be made explicit by using the ro option.

async

This option allows the NFS server to violate the NFS protocol and reply to requests before any
changes made by that request have been committed to stable storage (e.g. disc drive).

Using this option might improve performance with version 2 only, but at the cost that an
unclean server restart (i.e. a crash) can cause data to be lost or corrupted.

sync

Reply to requests only after the changes have been committed to stable storage (see async
above).

no_wdelay

This option has no effect if async is also set. The NFS server will normally delay
committing a write request to disc slightly if it suspects that another related write
request may be in progress or may arrive soon. This allows multiple write requests
to be committed to disc with the one operation which can improve
performance. If an NFS server received mainly small unrelated requests, this

49
behaviour could actually reduce performance, so no_wdelay is available to turn
it off. The default can be explicitly requested with the wdelay option.

nohide

This option is based on the option of the same name provided in IRIX NFS. Normally, if a server
exports two filesystems one of which is mounted on the other, then the client will have to mount
both filesystems explicitly to get access to them. If it just mounts the parent, it will see an empty
directory at the place where the other filesystem is mounted. That filesystem is "hidden".

Setting the nohide option on a filesystem causes it not to be hidden, and an


appropriately authorised client will be able to move from the parent to that filesystem
without noticing the change.

However, some NFS clients do not cope well with this situation as, for instance, it is then
possible for two files in the one apparent filesystem to have the same inode number.

The nohide option is currently only effective on single host exports. It does not work reliably
with netgroup, subnet, or wildcard exports.

This option can be very useful in some situations, but it should be used with due care, and only
after confirming that the client system copes with the situation effectively.

The option can be explicitly disabled with hide.

crossmnt

This option is similar to nohide but it makes it possible for clients to move from the
filesystem marked with crossmnt to exported filesystems mounted on it. Thus
when a child filesystem "B" is mounted on a parent "A", setting crossmnt on "A"
has the same effect as setting "nohide" on B.

subtree_check

This option enables subtree checking, which does add another level of security,
but can be unreliability in some circumstances.

If a subdirectory of a filesystem is exported, but the whole filesystem isn't then whenever
a NFS request arrives, the server must check not only that the accessed file is in the
appropriate filesystem (which is easy) but also that it is in the exported tree (which is
harder). This check is called the subtree_check.

In order to perform this check, the server must include some information about the
location of the file in the "filehandle" that is given to the client. This can cause problems
with accessing files that are renamed while a client has them open (though in many
simple cases it will still work).

50
subtree checking is also used to make sure that files inside directories to which only root
has access can only be accessed if the filesystem is exported with no_root_squash (see
below), even if the file itself allows more general access.

As a general guide, a home directory filesystem, which is normally exported at the root
and may see lots of file renames, should be exported with subtree checking disabled. A
filesystem which is mostly readonly, and at least doesn't see many file renames (e.g. /usr
or /var) and for which subdirectories may be exported, should probably be exported with
subtree checks enabled.

This type of subtree checking is disabled by default.

insecure_locks

no_auth_nlm

This option (the two names are synonymous) tells the NFS server not to require
authentication of locking requests (i.e. requests which use the NLM protocol).
Normally the NFS server will require a lock request to hold a credential for a user
who has read access to the file. With this flag no access checks will be
performed.

Early NFS client implementations did not send credentials with lock requests, and many
current NFS clients still exist which are based on the old implementations. Use this flag if
you find that you can only lock files which are world readable.

The default behaviour of requiring authentication for NLM requests can be explicitly
requested with either of the synonymous auth_nlm, or secure_locks.

no_acl

On some specially patched kernels, and when exporting filesystems that support ACLs, this
option tells nfsd not to reveal ACLs to clients, so they will see only a subset of actual
permissions on the given file system. This option is safe for filesystems used by NFSv2 clients
and old NFSv3 clients that perform access decisions locally. Current NFSv3 clients use the
ACCESS RPC to perform all access decisions on the server. Note that the no_acl option only has
effect on kernels specially patched to support it, and when exporting filesystems with ACL
support. The default is to export with ACL support (i.e. by default, no_acl is off).

mountpoint=path

mp

This option makes it possible to only export a directory if it has successfully been mounted. If no
path is given (e.g. mountpoint or mp) then the export point must also be a mount point. If it isn't
then the export point is not exported. This allows you to be sure that the directory underneath a

51
mountpoint will never be exported by accident if, for example, the filesystem failed to mount due
to a disc error.

If a path is given (e.g. mountpoint=/path or mp=/path) then the nominted path must
be a mountpoint for the exportpoint to be exported.

fsid=num

This option forces the filesystem identification portion of the file handle and file
attributes used on the wire to be num instead of a number derived from the
major and minor number of the block device on which the filesystem is mounted.
Any 32 bit number can be used, but it must be unique amongst all the exported
filesystems.

This can be useful for NFS failover, to ensure that both servers of the failover pair use the
same NFS file handles for the shared filesystem thus avoiding stale file handles after
failover.

Some Linux filesystems are not mounted on a block device; exporting these via NFS
requires the use of the fsid option (although that may still not be enough).

The value 0 has a special meaning when use with NFSv4. NFSv4 has a concept of a root
of the overall exported filesystem. The export point exported with fsid=0 will be used as
this root.

refer=path@host[+host][:path@host[+host]]

A client referencing the export point will be directed to choose from the given list
an alternative location for the filesystem. (Note that the server currently needs to
have a filesystem mounted here, generally using mount --bind, although it is not
actually exported.)

User ID Mapping

nfsd bases its access control to files on the server machine on the uid and gid provided
in each NFS RPC request. The normal behavior a user would expect is that she can
access her files on the server just as she would on a normal file system. This requires that
the same uids and gids are used on the client and the server machine. This is not always
true, nor is it always desirable.

Very often, it is not desirable that the root user on a client machine is also treated as root when
accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-
called anonymous or nobody uid. This mode of operation (called 'root squashing') is the default,
and can be turned off with no_root_squash.

52
By default, exportfs chooses a uid and gid of 65534 for squashed access. These values can also
be overridden by the anonuid and anongid options. Finally, you can map all user requests to the
anonymous uid by specifying the all_squash option.

Here's the complete list of mapping options:

root_squash

Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not
apply to any other uids that might be equally sensitive, such as user bin.

no_root_squash

Turn off root squashing. This option is mainly useful for diskless clients.

all_squash

Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP
directories, news spool directories, etc. The opposite option is no_all_squash,
which is the default setting.

anonuid and anongid

These options explicitly set the uid and gid of the anonymous account. This
option is primarily useful for PC/NFS clients, where you might want all requests
appear to be from one user. As an example, consider the export entry for
/home/joe in the example section below, which maps all requests to uid 150
(which is supposedly that of user joe).

Example
# sample /etc/exports file
/ master(rw) trusty(rw,no_root_squash)
/projects proj*.local.domain(rw)
/usr *.local.domain(ro) @trusted(rw)
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub (ro,insecure,all_squash)
The first line exports the entire filesystem to machines master and trusty. In addition to
write access, all uid squashing is turned off for host trusty. The second and third entry
show examples for wildcard hostnames and netgroups (this is the entry '@trusted'). The
fourth line shows the entry for the PC/NFS client discussed above. Line 5 exports the
public FTP directory to every host in the world, executing all requests under the nobody
account. The insecure option in this entry also allows clients with NFS implementations
that don't use a reserved port for NFS.

53
Squid
Why Squid? Why only five minutes?

There are many great tools that Squid has to offer, but when I need to redirect http traffic to a
caching server for performance increases or security, squid’s my pick. Squid has built in proxy
and caching tools that are simple, yet effective.

I recently used Squid for a secure subnet that did not allow outgoing port 80 http access to
external IP addresses. Many organizations will block external port 80 access at the router level.
This is a great way to eliminate a huge security hole, but a headache when a systems
administrator needs to reach the outside world temporarily to download a file. Another scenario:
redirect all computers in a home network to a local caching server to increase website query
performance and save on bandwidth.

The situations described above are when the five minute Squid configuration comes in very
handy. All requests for external http access can be handled by squid through a simple proxy
configuration on each client machine. Sounds complicated? It isn’t. Let’s get into the details
next.

Install
On a Red Hat® Enterprise Linux® or Fedora™ Core operating system, it is easy to check if
Squid is installed using the rpm system. Type the command:

rpm -q squid

If Squid is already installed, you will get a response similar to:

squid-2.5.STABLE6-3.4E.12

If Squid isn’t installed, then you can use Yum to install it. Thanks to Yum the installation is quite
easy.

Just type at a command line:

yum install squid

If you happen to have downloaded the rpm you can also type something like:

rpm -ivh squid-2.5.STABLE6-3.4E.12.i386.rpm

54
Configure
Squid’s main configuration file lives in /etc/squid/squid.conf. The 3,339 line configuration file is
intimidating, but the good news is that it is very simple to setup a proxy server that forward http,
https, and ftp requests to Squid on the default port of 3128 and caches the data.

Back up the configuration file


It is always good policy to backup a configuration file before you edit it. If you haven’t been
burned yet, you haven’t edited enough configuration files. Make a backup from the command
line or the gui and rename the original file something meaningful. I personally like to append a
bck.datestamp. For example:

cp /etc/squid/squid.conf /etc/squid/squid.conf.bck.02052007

If it is the original configuration file you might choose to do:

cp /etc/squid/squid.conf /etc/squid/squid.conf.org.02052007

Edit the file


Open /etc/squid/squid.conf with your favorite text editor. I use vim, but nano is a good
beginner’s command line text editor. If you do use nano, make sure you use the nano –nowrap
option to turn off line wrapping when editing things like configuration files. A gui editor like
Gedit will also work.

Five minute configuration


There are many fancy options for squid that we will not enable, specifically acls (access control
lists) or authentication. We are going to set up a caching proxy server with no access control.
This server would be suitable for a home network behind a firewall.

The default squid configuration is almost complete, but a few small changes should be made.
You will need to either find and uncomment entries, or modify existing uncommented lines in
the squid configuration file. Use your favorite text editor or a text find to quickly locate these
lines:

visible_hostname machine-name
http_port 3128
cache_dir ufs /var/spool/squid 1000 16 256
cache_access_log /var/log/squid/access.log

In the acl section near the bottom add:

55
acl intranet 192.168.0.0/24
http_access allow intranet

Let me explain what each of these six lines means:

visible_hostname – Create this entry and set this to the hostname of the machine. To find the
hostname, use the command hostname. Not entering a value may cause squid to fail as it may not
be able to automatically determine the fully qualified hostname of your machine.

http_port 3128 – Uncomment this line but there is no need to edit it unless you want to change
the default port for http connections.

cache_dir ufs /var/spool/squid 1000 15 256 – Uncomment this line. You may want to append a
zero to the value 100 which will make the cache size 1000MB instead of 100MB. The last two
values stand for the default folder depth the cache will create on the top and subdirectories
respectively. They do not need modification.

cache_access_log – Uncomment this line. This is where all requests to the proxy server will get
logged.

acl intranet 192.168.0.0/24 – This entry needs to be added. It should correspond to whatever
your local network range is. For example, if your Fedora server is 192.168.2.5 then the entry
should be acl intranet 192.168.2.0/24

http_access allow intranet – This allows the acl named intranet to use the proxy server. Make
sure to put allow directives above the last ‘http_access deny all’ entry, as it will overide any
allow directives below it.

Turning on squid
Enable the proper run levels:

chkconfig squid on

Start the service:

service squid start

Verify that squid isrunning:

service squid status

Note, if you have problems starting squid, open a separate shell and run:

tail -f /var/log/messages

Then start the squid service in your original window:

56
service squid start

The tail command should show an error for squid that can help you solve the problem. One
common error is that the swap (cache) directory doesn’t exist. To solve this problem, run squid
with the -z option to automatically create the directories:

/usr/sbin/squid -z

Make sure that squid has write permission to the swap directory or this command won’t work.

Configuring the clients


If you are using Firefox or Mozilla you will need to add the proxy server as follows:

Go to Preferences>Network>Settings

Add the name of your new proxy server and port 3128 to the http proxy field (under manual
configuration).

Open a shell to your proxy server so you can observe the log file being written to. Use tail, as
before:

tail -f /var/log/squid/access.log

Now surf the web through your proxy server. You should see entries flying by in real time as you
surf different http addresses. Congratulations, you now have a caching proxy server setup!

Squid
Why Squid? Why only five minutes?

There are many great tools that Squid has to offer, but when I need to redirect http traffic to a
caching server for performance increases or security, squid’s my pick. Squid has built in proxy
and caching tools that are simple, yet effective.

I recently used Squid for a secure subnet that did not allow outgoing port 80 http access to
external IP addresses. Many organizations will block external port 80 access at the router level.
This is a great way to eliminate a huge security hole, but a headache when a systems
administrator needs to reach the outside world temporarily to download a file. Another scenario:
redirect all computers in a home network to a local caching server to increase website query
performance and save on bandwidth.

57
The situations described above are when the five minute Squid configuration comes in very
handy. All requests for external http access can be handled by squid through a simple proxy
configuration on each client machine. Sounds complicated? It isn’t. Let’s get into the details
next.

Install
On a Red Hat® Enterprise Linux® or Fedora™ Core operating system, it is easy to check if
Squid is installed using the rpm system. Type the command:

rpm -q squid

If Squid is already installed, you will get a response similar to:

squid-2.5.STABLE6-3.4E.12

If Squid isn’t installed, then you can use Yum to install it. Thanks to Yum the installation is quite
easy.

Just type at a command line:

yum install squid

If you happen to have downloaded the rpm you can also type something like:

rpm -ivh squid-2.5.STABLE6-3.4E.12.i386.rpm

Configure
Squid’s main configuration file lives in /etc/squid/squid.conf. The 3,339 line configuration file is
intimidating, but the good news is that it is very simple to setup a proxy server that forward http,
https, and ftp requests to Squid on the default port of 3128 and caches the data.

Back up the configuration file


It is always good policy to backup a configuration file before you edit it. If you haven’t been
burned yet, you haven’t edited enough configuration files. Make a backup from the command
line or the gui and rename the original file something meaningful. I personally like to append a
bck.datestamp. For example:

cp /etc/squid/squid.conf /etc/squid/squid.conf.bck.02052007

If it is the original configuration file you might choose to do:

cp /etc/squid/squid.conf /etc/squid/squid.conf.org.02052007

58
Edit the file
Open /etc/squid/squid.conf with your favorite text editor. I use vim, but nano is a good
beginner’s command line text editor. If you do use nano, make sure you use the nano –nowrap
option to turn off line wrapping when editing things like configuration files. A gui editor like
Gedit will also work.

Five minute configuration


There are many fancy options for squid that we will not enable, specifically acls (access control
lists) or authentication. We are going to set up a caching proxy server with no access control.
This server would be suitable for a home network behind a firewall.

The default squid configuration is almost complete, but a few small changes should be made.
You will need to either find and uncomment entries, or modify existing uncommented lines in
the squid configuration file. Use your favorite text editor or a text find to quickly locate these
lines:

visible_hostname machine-name
http_port 3128
cache_dir ufs /var/spool/squid 1000 16 256
cache_access_log /var/log/squid/access.log

In the acl section near the bottom add:

acl intranet 192.168.0.0/24


http_access allow intranet

Let me explain what each of these six lines means:

visible_hostname – Create this entry and set this to the hostname of the machine. To find the
hostname, use the command hostname. Not entering a value may cause squid to fail as it may not
be able to automatically determine the fully qualified hostname of your machine.

http_port 3128 – Uncomment this line but there is no need to edit it unless you want to change
the default port for http connections.

cache_dir ufs /var/spool/squid 1000 15 256 – Uncomment this line. You may want to append a
zero to the value 100 which will make the cache size 1000MB instead of 100MB. The last two
values stand for the default folder depth the cache will create on the top and subdirectories
respectively. They do not need modification.

cache_access_log – Uncomment this line. This is where all requests to the proxy server will get
logged.

59
acl intranet 192.168.0.0/24 – This entry needs to be added. It should correspond to whatever
your local network range is. For example, if your Fedora server is 192.168.2.5 then the entry
should be acl intranet 192.168.2.0/24

http_access allow intranet – This allows the acl named intranet to use the proxy server. Make
sure to put allow directives above the last ‘http_access deny all’ entry, as it will overide any
allow directives below it.

Turning on squid
Enable the proper run levels:

chkconfig squid on

Start the service:

service squid start

Verify that squid isrunning:

service squid status

Note, if you have problems starting squid, open a separate shell and run:

tail -f /var/log/messages

Then start the squid service in your original window:

service squid start

The tail command should show an error for squid that can help you solve the problem. One
common error is that the swap (cache) directory doesn’t exist. To solve this problem, run squid
with the -z option to automatically create the directories:

/usr/sbin/squid -z

Make sure that squid has write permission to the swap directory or this command won’t work.

Configuring the clients


If you are using Firefox or Mozilla you will need to add the proxy server as follows:

Go to Preferences>Network>Settings

Add the name of your new proxy server and port 3128 to the http proxy field (under manual
configuration).

60
Open a shell to your proxy server so you can observe the log file being written to. Use tail, as
before:

tail -f /var/log/squid/access.log

Now surf the web through your proxy server. You should see entries flying by in real time as you
surf different http addresses. Congratulations, you now have a caching proxy server setup!

The Linux Logical Volume Manager


• Introduction
• Basic LVM commands
• Differences between LVM1 and LVM2

Storage technology plays a critical role in increasing the performance, availability, and manageability of Linux
servers. One of the most important new developments in the Linux 2.6 kernel—on which the Red Hat® Enterprise
Linux® 4 kernel is based—is the Linux Logical Volume Manager, version 2 (or LVM 2). It combines a more
consistent and robust internal design with important new features including volume mirroring and clustering, yet it is
upwardly compatible with the original Logical Volume Manager 1 (LVM 1) commands and metadata. This article
summarizes the basic principles behind the LVM and provides examples of basic operations to be performed with it.

Introduction
Logical volume management is a widely-used technique for deploying logical rather than physical storage. With
LVM, "logical" partitions can span across physical hard drives and can be resized (unlike traditional ext3 "raw"
partitions). A physical disk is divided into one or more physical volumes (Pvs), and logical volume groups (VGs)
are created by combining PVs as shown in Figure 1. LVM internal organization. Notice the VGs can be an aggregate
of PVs from multiple physical disks.

61
Figure 1. LVM internal organization

Figure 2. Mapping logical extents to physical extents shows how the logical volumes are mapped onto physical
volumes. Each PV consists of a number of fixed-size physical extents (PEs); similarly, each LV consists of a
number of fixed-size logical extents (LEs). (LEs and PEs are always the same size, the default in LVM 2 is 4 MB.)
An LV is created by mapping logical extents to physical extents, so that references to logical block numbers are
resolved to physical block numbers. These mappings can be constructed to achieve particular performance,
scalability, or availability goals.

62
Figure 2. Mapping logical extents to physical extents

For example, multiple PVs can be connected together to create a single large logical volume as shown in Figure 3.
LVM linear mapping. This approach, known as a linear mapping, allows a file system or database larger than a
single volume to be created using two physical disks. An alternative approach is a striped mapping, in which stripes
(groups of contiguous physical extents) from alternate PVs are mapped to a single LV, as shown in Figure 4. LVM
striped mapping. The striped mapping allows a single logical volume to nearly achieve the combined performance of
two PVs and is used quite often to achieve high-bandwidth disk transfers.

Figure 3. LVM linear mapping

63
Figure 4. LVM striped mapping (4 physical extents per stripe)

Through these different types of logical-to-physical mappings, LVM can achieve four important advantages over
raw physical partitions:

1. Logical volumes can be resized while they are mounted and accessible by the database
or file system, removing the downtime associated with adding or deleting storage from a
Linux server
2. Data from one (potentially faulty or damaged) physical device may be relocated to
another device that is newer, faster or more resilient, while the original volume remains
online and accessible
3. Logical volumes can be constructed by aggregating physical devices to increase
performance (via disk striping) or redundancy (via disk mirroring and I/O multipathing)
4. Logical volume snapshots can be created to represent the exact state of the volume at
a certain point-in-time, allowing accurate backups to proceed simultaneously with
regular system operation

Basic LVM commands


Initializing disks or disk partitions
To use LVM, partitions and whole disks must first be converted into physical volumes (PVs) using the pvcreate
command. For example, to convert /dev/hda and /dev/hdb into PVs use the following commands:

pvcreate /dev/hda
pvcreate /dev/hdb

If a Linux partition is to be converted make sure that it is given partition type 0x8E using fdisk, then use
pvcreate:

pvcreate /dev/hda1

Creating a volume group

64
Once you have one or more physical volumes created, you can create a volume group from these PVs using the
vgcreate command. The following command:

vgcreate volume_group_one /dev/hda /dev/hdb

creates a new VG called volume_group_one with two disks, /dev/hda and /dev/hdb, and 4 MB PEs. If
both /dev/hda and /dev/hdb are 128 GB in size, then the VG volume_group_one will have a total of
2**16 physical extents that can be allocated to logical volumes.

Additional PVs can be added to this volume group using the vgextend command. The following commands
convert /dev/hdc into a PV and then add that PV to volume_group_one:

pvcreate /dev/hdc
vgextend volume_group_one /dev/hdc

This same PV can be removed from volume_group_one by the vgreduce command:

vgreduce volume_group_one /dev/hdc

Note that any logical volumes using physical extents from PV /dev/hdc will be removed as well. This raises the
issue of how we create an LV within a volume group in the first place.

Creating a logical volume


We use the lvcreate command to create a new logical volume using the free physical extents in the VG pool.
Continuing our example using VG volume_group_one (with two PVs /dev/hda and /dev/hdb and a total
capacity of 256 GB), we could allocate nearly all the PEs in the volume group to a single linear LV called
logical_volume_one with the following LVM command:

lvcreate -n logical_volume_one --size 255G volume_group_one

Instead of specifying the LV size in GB we could also specify it in terms of logical extents. First we use
vgdisplay to determine the number of PEs in the volume_group_one:

vgdisplay volume_group_one | grep "Total PE"

which returns

Total PE 65536

65
Then the following lvcreate command will create a logical volume with 65536 logical extents and fill the
volume group completely:

lvcreate -n logical_volume_one -l 65536 volume_group_one

To create a 1500MB linear LV named logical_volume_one and its block device special file
/dev/volume_group_one/logical_volume_one use the following command:

lvcreate -L1500 -n logical_volume_one volume_group_one

The lvcreate command uses linear mappings by default.

Striped mappings can also be created with lvcreate. For example, to create a 255 GB large logical volume with
two stripes and stripe size of 4 KB the following command can be used:

lvcreate -i2 -I4 --size 255G -n logical_volume_one_striped volume_group_one

It is possible to allocate a logical volume from a specific physical volume in the VG by specifying the PV or PVs at
the end of the lvcreate command. If you want the logical volume to be allocated from a specific physical volume
in the volume group, specify the PV or PVs at the end of the lvcreate command line. For example, this
command:

lvcreate -i2 -I4 -L128G -n logical_volume_one_striped volume_group_one


/dev/hda /dev/hdb

creates a striped LV named logical_volume_one that is striped across two PVs (/dev/hda and /dev/hdb)
with stripe size 4 KB and 128 GB in size.

An LV can be removed from a VG through the lvremove command, but first the LV must be unmounted:

umount /dev/volume_group_one/logical_volume_one
lvremove /dev/volume_group_one/logical_volume_one

Note that LVM volume groups and underlying logical volumes are included in the device special file directory tree
in the /dev directory with the following layout:

/dev/<volume_group_name>/<logical_volume_name>

so that if we had two volume groups myvg1 and myvg2 and each with three logical volumes named lv01, lv02,
lv03, six device special files would be created:

66
/dev/myvg1/lv01
/dev/myvg1/lv02
/dev/myvg1/lv03
/dev/myvg2/lv01
/dev/myvg2/lv02
/dev/myvg2/lv03

Extending a logical volume


An LV can be extended by using the lvextend command. You can specify either an absolute size for the extended
LV or how much additional storage you want to add to the LVM. For example:

lvextend -L120G /dev/myvg/homevol

will extend LV /dev/myvg/homevol to 12 GB, while

lvextend -L+10G /dev/myvg/homevol

will extend LV /dev/myvg/homevol by an additional 10 GB. Once a logical volume has been extended, the
underlying file system can be expanded to exploit the additional storage now available on the LV. With Red Hat
Enterprise Linux 4, it is possible to expand both the ext3fs and GFS file systems online, without bringing the system
down. (The ext3 file system can be shrunk or expanded offline using the ext2resize command.) To resize
ext3fs, the following command

ext2online /dev/myvg/homevol

will extend the ext3 file system to completely fill the LV, /dev/myvg/homevol, on which it resides.

The file system specified by device (partition, loop device, or logical volume) or mount point must currently be
mounted, and it will be enlarged to fill the device, by default. If an optional size parameter is specified, then this size
will be used instead.

Differences between LVM1 and LVM2

The new release of LVM, LVM 2, is available only on Red Hat Enterprise Linux 4 and later kernels. It is upwardly
compatible with LVM 1 and retains the same command line interface structure. However it uses a new, more
scalable and resilient metadata structure that allows for transactional metadata updates (that allow quick recovery
after server failures), very large numbers of devices, and clustering. For Enterprise Linux servers deployed in
mission-critical environments that require high availability, LVM2 is the right choice for Linux volume
management. Table 1. A comparison of LVM 1 and LVM 2 summarizes the differences between LVM1 and LVM2
in features, kernel support, and other areas.

67
Features LVM1 LVM2

RHEL AS 2.1 support No No

RHEL 3 support Yes No

RHEL 4 support No Yes

Transactional metadata for fast recovery No Yes

Shared volume mounts with GFS No Yes

Cluster Suite failover supported Yes Yes

Striped volume expansion No Yes

Max number PVs, LVs 256 PVs, 256 LVs 2**32 PVs, 2**32 LVs

Max device size 2 Terabytes 8 Exabytes (64-bit CPUs)

Volume mirroring support No Yes, in Fall 2005

Table 1. A comparison of LVM 1 and LVM 2

68