Configuring NFS for Use in the Heartbeat Cluster

The Heartbeat cluster is now configured the right way. To get the NFS server running properly, however, some minimal additional configuration is required. Most important is that the directory /var/lib/nfs, which NFS uses by default to store its file-locking state, is replaced with a location on the shared disk. If you don't do that, file locks can't migrate when the NFS service is migrated. The best way to make information about file locks available on the other server is by making /var/lib/nfs a...

Monitoring Device Attributes

Another use of the ip tool is to show only device attributes. You can do that with the ip link show command. This command shows only usage statistics for the device you have specified, and no address information. Figure 13-12 shows an example of the output of this command. Figure 13-12. The ip link show command shows statistics about device usage. The information displayed by ip link show is rather similar to the...

Managing Password Expiry with passwd

Another nice feature that not many people are aware of is the password expiry feature. It allows you to manage the maximum number of days that a user can keep using the same password. The passwd command has four options to manage password expiry: -n min: Use this rarely used option to set the minimum number of days that a user must keep a password. If this option is not used, a user can change the password at any time. -x max: Use this option to set the maximum number of days that...

Using tcpdump

Tcpdump is a straightforward tool: it does exactly what its name indicates; it dumps TCP packets on the console of your machine. That way, you can see all packets received by the network board of your server scrolling by on the screen. By default it shows just the first 96 bytes of every packet, but if you need more details, you can start it with -v or even with -vv so that it is more verbose. Figure 13-19 shows what it looks like if you run the command with the -v option. 16...

Optimizing Squid Performance

On a heavily used network, Squid has a lot of work to do. Therefore, it is important to use some parameters to handle web traffic in the most efficient way. Table 25-3 gives an overview of performance-related parameters. Table 25-3. Performance-Related Squid Tags. This specifies the maximum HTTP header Squid will accept. Since HTTP headers shouldn't exceed 10KB, the default value of 10KB is fine in most scenarios. Use this tag to set a maximum size for the body of an HTTP packet. Setting this...

Adding a Network Card Manually

To add a network card manually, click the Add button, as shown in Figure 13-3. You now see the Manual Network Card Configuration screen (shown in Figure 13-4). From here, you can select all the properties of the network card. The easiest way to start is to click the Select from List button. If you click this button, a list of available network cards appears. From this list, you can select the network card that is in your server to make its configuration easier. If the network card you...

Installing GRUB

You have two ways of installing GRUB: manually and from YaST. If you are not afraid of editing the /boot/grub/menu.lst file by hand, you don't need to use YaST. Just edit it, and the changes are applied automatically. If GRUB hasn't been written to the master boot record of your system before, you can install it by using the grub-install command, followed by the device on which you want to install it. For example, use grub-install /dev/sda to install it on the sda device. Tip: Before starting...

Working with YaST and Its Configuration Files

True, YaST is a graphical management utility, but like most graphical management utilities on Linux, it just writes information to plain-text configuration files. It is, however, hard to tell which configuration files YaST is writing to, because not one but many configuration files are involved. For example, when creating users, the user accounts are written to the configuration file /etc/passwd; when configuring the hosts file, the file /etc/hosts is written; and...

Working with Access Control Lists

Up to now, you have read about the basic model for applying permissions on a generic Linux system. When you use an advanced file system such as ReiserFS, it is possible to add some options to the default permission model of the Linux environment by using the ACL mechanism. In the following sections, you will learn how to apply this technique to allow for a more flexible security mechanism. The main reason for the development of the Linux ACL system was to compensate for the...

Starting, Stopping, and Testing the Apache Web Server

The core of the Apache web server is the httpd process. This process is started from the script /etc/init.d/apache2; the easiest way to activate Apache using this script from the command line is the rcapache2 start command. When this command finishes without errors, your web server is up and running. You can check whether it's running with the ps aux | grep http command; as you can see in Listing 22-1, this command shows that different instances of the Apache web server are ready and...

Unmounting Devices

On a Linux system, a device not only has to be mounted, but when you want to disconnect the device from your computer, you have to unmount it as well. For this purpose, you use the umount command. This command accepts either of two arguments: the name of the device or the name of the directory where the device is mounted. So umount /dev/cdrom and umount /media/cdrom both work. When using the umount command, you may encounter the message Device is busy and end up with a failing...

Using dd to Make a Backup

Another useful command related to file system backups is dd. The abbreviation stands for convert and copy (cc), but because cc was already taken by another command (the C compiler), the name of the utility became dd. The purpose of dd is to convert and copy files byte by byte. The command is written to get its input from STDIN and write its output to STDOUT, but by using the arguments if= (input file) and of= (output file), you can use it to copy files from and to anywhere....

The LDAP Hierarchy

OpenLDAP stores its information in objects. These represent, for example, the entities that use the network, such as users. These objects have attributes that determine the information that can be attached to an object. For example, the full name and the password of a user are attributes of the user object. Object types are also known as object classes (so user linda is an object, and user is the object class). The attributes that can be used by the objects, as well as the object classes...

Using the ip Tool to Specify the Default Gateway

If you know what information has to be entered when defining a route, it is easy to do it with either the route or the ip tool. The syntax has only minor differences. To set the default gateway to 192.168.1.254 using the ip tool, use the ip route add default via 192.168.1.254 command. This command makes sure all packets sent to non-local destinations go through 192.168.1.254. Likewise, you can delete the default route with ip route del default. It doesn't really matter whether you use route or...

Monitoring AppArmor's Status

You can use a few commands to monitor AppArmor's status from the command line. First, the rcapparmor status command gives you a generic overview of current AppArmor activity. Listing 32-2 gives an overview of the output generated by this command. Listing 32-2. Displaying Current AppArmor Activity with apparmor status. 6 processes have profiles in enforce mode. 0 processes have profiles in complain mode. Now that you know that AppArmor is protecting some processes, you probably want to find out...

Executing Once with at

The cron mechanism executes commands automatically on a regular basis. If you want to execute a command just once, at is the solution you need. The at mechanism consists of different parts: The at service, atd. Make sure it is started if you want to schedule commands to run once; it is not started by default. Use insserv atd to make sure it starts the next time you reboot your server. The files /etc/at.allow and /etc/at.deny, which can be used to specify which users can and cannot schedule commands...

Managing CUPS

Several options are at your disposal for managing a CUPS environment. At the most fundamental level are the configuration files, where you configure the printers and manage access restrictions. Although you can edit these with any standard editor, more accessible methods are also available: The lpadmin command is a flexible command-line utility that you can use for print server configuration. You can access CUPS's web interface at http://yourserver:631; it offers options for managing all...

Securing Your NTP Server

If your server is connected to the Internet, it is useful to know that you can set some restrictions. If no restrictions are applied and port 123 is not blocked on the firewall, the entire world can access your NTP server. If you don't like that idea, you can add some lines to the ntp.conf file, as shown in Listing 20-3. Listing 20-3. Applying Security Restrictions to Your NTP Time Server. restrict default noquery notrust nomodify restrict 127.0.0.1 restrict 192.168.0.0 mask...

Managing Xen Networking

One of the hardest parts to understand when working with Xen is networking. The difficulty is that Xen offers so many options to connect the network card of a virtual machine to the network card of the domain-0 machine. By default, bridging is used. With bridging, you basically connect the virtual network adapter directly to the network. This means that the virtual machine needs an IP address in the same range as the IP address of the real network adapter, eth0, in domain-0. Each network...

Adding Swap Space on the

In rare situations, you may find that you are running out of swap space. If that happens, it is useful to know how to add a swap file by hand. Using swap files is not an ideal solution, because swap files are slower than swap partitions. Since running out of memory completely is worse, though, a swap file is better than doing nothing. To add swap space by hand, proceed as follows: 1. Use the dd command to create a file that can be used for swapping. Specify the size of the file you want to...

Creating Partitions with YaST

YaST is a convenient tool to create partitions and assign file systems to them. The following steps show how to do this: 1. Start YaST. From the System menu, select Partitioner. This starts the module you can use to manage partitions and volumes on the storage devices of your server. 2. On the warning dialog box that pops up, click Yes to continue. 3. As shown in Figure 8-3, the Expert Partitioner opens. It gives an overview of all the devices that already exist. In the Expert Partitioner, the...

Assigning IPv6 Addresses in SUSE Linux Enterprise Server

On SUSE Linux Enterprise Server, you can use the ip tools as well as the ifconfig tools to configure an IPv6 address. All required kernel modules are loaded by default, so in that regard you don't need to do any extra work. These are some examples of how to configure IPv6 on your server: The ifconfig eth0 inet6 add command configures eth0 with an IPv6 address that is an aggregatable global unicast address. Note that the second part of the address assigned here is the IEEE EUI-64 ID of the...

Setting the Quota for Users and Groups

Now that the quota databases have been created, it is time to start the real work. You can now apply the quota for all users and groups on your system. To do this, you use the edquota command. This command uses the editor vi to create a temporary file. In this file, you can set the soft limit and the hard limit you want to apply for your users and groups. If you want to apply a soft limit of 100,000 blocks for a user called florence and a hard limit of 110,000 blocks, you have to follow...

Using rsync to Synchronize Files

Where dd is useful to create a backup of a complete device and tar is useful to create backups based on file system information, the rsync command is useful if you want to synchronize two directories. The main advantage of rsync is that it looks only at files that have changed since the last time rsync was active, and thus copies just those. A simple example is rsync /etc /temp; this will first copy the complete contents of /etc to /temp, and the next time the...

Combining SSH with VNC

In the previous section, you learned how to install over SSH or VNC. It is also possible to combine the two. In this section, you will learn how to use a VNC session over SSH. The advantage: by default, VNC does not use any encryption. By combining VNC technology with SSH, you can perform a safe remote installation over VNC. To use VNC over SSH, apply the following steps: 1. Boot the machine you want to install from its installation CD. 2. On the boot prompt of the machine you want...

Understanding How a Mail Solution Works

If you want to build a mail server that can handle e-mail for a complete network, you need to understand the three agents that process Internet e-mail: Mail transfer agent (MTA): This is the software that sends e-mail it receives from the client's e-mail software to the recipient's MTA. The recipient MTA then sends the e-mail to an MDA (described next). Some well-known MTAs are Postfix, Sendmail, and Qmail. The Simple Mail Transfer Protocol (SMTP) is an example of a protocol that an MTA can...

Using Redirection

Where piping is the system used to send the result of a command to another command, redirection sends the result of a command to a file. This file can be a text file, but it can also be a special file like a device file. An easy example of redirection appears in the command ls -l > list_of_files. In this command, the > sign causes the output of ls to be redirected to the file list_of_files. Now the interesting part of this command is what happens when list_of_files...

Working with Secure Shell

Basically, SSH is a suite of tools that consists of three main programs and a daemon. The name of the daemon is sshd, and it runs by default on your SUSE server. The commands are ssh, scp, and sftp. The first, ssh, establishes a secured remote session; think of it as telnet, but secured with cryptography. The second, scp, is a useful command you can use to copy files to and from another server. The third, sftp, is an FTP client interface. By using it, you can establish a secured...

Security and Users

This menu has programs to secure your server. In it, you will find six applications. CA Management: The CA Management program allows you to configure a certificate authority (CA). This software makes it possible for you to issue PKI certificates on the network. These certificates are used for securing communications between clients and network services such as the web server. In Chapter 21 you can learn how to set up a certificate authority for your network. Common Server Certificate: Every...

Configuring a CUPS Print Server

Although in most organizations printers are connected to a dedicated print server, it is possible to configure SUSE Linux Enterprise Server as a print server. When choosing this option, you can choose between the two protocols that are available for printing: the traditional LPD-based printing solution and the modern Common Unix Printing System (CUPS) solution. In this chapter, I discuss the CUPS solution since it offers some significant improvements compared to the older LPD-based system. One...

Working with Logical Volumes

Working with fixed-size partitions has one major disadvantage. Imagine a situation where, on a system with multiple partitions, you are running out of available disk space on one partition while more than enough disk space is still available on another partition. When using fixed-size partitions, you can't really do anything about it. However, if you use logical volumes, you can easily resize the logical volumes and the file systems that sit on them to make some more space. Therefore, for a flexible...

Working with Directories

Since files are normally organized in directories, it is important to know how to handle these directories. This involves a few commands: cd: Use this command to change the current working directory. When using cd, make sure to use the proper syntax. Names of commands and directories are case sensitive; therefore, bin is not the same as BIN. pwd: The pwd command stands for print working directory. Often the command prompt will be configured to display the present location, but this isn't always the...

Enabling VNC via xinetd

Using the remote administration option from YaST is one way to enable VNC. There is also another way that offers some more advantages, and that is to enable VNC via xinetd. Since xinetd is the subject of the next chapter, I will not cover the details of this configuration here. You should, however, know that there are some advantages to using xinetd to configure access to VNC. The most important of these is that more access control is possible. When combining xinetd with TCP Wrapper, you...

Using ls to List Files

To manage files on your server, you must first know what files are available. For this purpose, you can use the ls command. If you just use ls to show the contents of a given directory, it displays a list of files. These files, however, have properties as well. For example, every file has a user who is the owner of the file, some permissions, a size that is stored in the file system, and more. To see this information, use ls -l. Apart from -l, ls has many other useful options, such as -d....

Tuning Access to Services with TCP Wrapper

If a service runs from xinetd, you can secure it with TCP Wrapper, a service that is implemented in the tcpd process and that you can use to restrict access to services. Stated more generally, if a service uses the libwrap.so library module, the service can be secured with TCP Wrapper. Since xinetd uses this module, you can secure it this way. You can also secure other services that aren't started from xinetd but do use this library with TCP Wrapper. To check whether a...

Methods of Name Resolving

DNS is not the only solution you can use for name resolving. Other solutions are available as well. I'll explain two of them here: the /etc/hosts file and Sun's Network Information System (NIS). Before DNS was introduced, every host needed to keep its own file where IP addresses were mapped to names. In those days, the Internet was still a small network, so this was doable (although the administrator had to ensure these files were updated properly). Today such a mechanism still exists in the form...

Using nmap to Check Service Availability on Remote Servers

Netstat is a cool tool, but it works only on the host where you run the command. Sometimes, to find out why you cannot connect to a given service on a given host, you would like to know whether the service you want to connect to is available at all. To do that, you can use the nmap command. nmap is an expert tool that helps you find out what services are offered by another host; if used properly, it can even do that in stealth mode so the owner of that host will never know you were there. You...

Using ext2

The extended file system version 2 has long been the de facto standard for Linux. It was the first stable file system that offered all the elements of a POSIX file system. However, these days a feature known as journaling has become an important option, which ext2 doesn't offer. Note: POSIX stands for Portable Operating System Interface for Unix. If any element running on Linux or any other Unix version is POSIX compliant, this means it will run without problems on any flavor of Unix. In a...

Note: The POSIX standard defines common standards for Linux and Unix operating systems. POSIX capabilities include all

Basically, if an application is started as root and it has an AppArmor profile, the AppArmor profile determines what the application can do and doesn't care that the user is logged in as root. An AppArmor profile contains rules, which define the capabilities that the application can have and its permissions to files. Listing 32-1 gives an example of how these are applied in the default profile for xinetd. You can find this example profile in /etc/apparmor/profiles/extras...

Setting the IP Address

Like the ifconfig tool, the ip tool can assign an IP address to a device. To do this, you could use a command like ip address add 10.0.0.10/16 brd + dev eth0. This command sets the IP address 10.0.0.10 on eth0 with a 16-bit subnet mask, indicated by the /16 directly after the IP address. The broadcast address is calculated automatically, which is indicated with the brd + construction. Once you have set the IP address with the ip...

Working with LDAP Authentication

Maintaining a separate password file to specify the names of users who can access certain directories on your web server is not the most practical way of implementing decent web server security. It is much more useful if you can maintain the user database somewhere external. One option (but by far not the only one) you can use for this purpose is LDAP authentication. Now, Apache is not aware of any LDAP server by itself; fortunately, it isn't that hard to teach Apache that it should use LDAP for...

Understanding Your RAID Options

Before setting up a software RAID, it is useful to refresh the options a little. In RAID, hard drives are bundled to offer better speed and fault tolerance. The following RAID options are available in SUSE Linux Enterprise Server 10: RAID 0: In RAID 0, which is also referred to as disk striping, different hard disks work together to offer better performance. In RAID 0 two disks are bundled so that data can be written synchronously on both hard disks. This dramatically increases the speed...

Getting Email with POP3 Using Qpopper

Especially if you want to set up a simple POP3 server, Qpopper is an excellent choice. The reason is that it is easy to set up, and it offers everything you may expect from a POP3 server. Usually, it is installed by default on your SUSE Linux Enterprise Server 10 server. Since Qpopper is ordinarily started from xinetd, you need to modify the appropriate xinetd configuration file, /etc/xinetd.d/qpopper. Listing 16-9 shows an example of its contents. Listing 16-9. Example of the /etc/xinetd.d...

The Configuration File /var/lib/dhcp/etc/dhcpd.conf

The main configuration file for the DHCP server is /var/lib/dhcp/etc/dhcpd.conf. (If you thought it should be /etc/dhcpd.conf, read the section The Start-up File /etc/sysconfig/dhcpd later in this chapter.) In this file, everything except the start-up parameters for the DHCP server is configured. In Listing 24-1, you can see an example configuration file that contains some of the most important options from the example file that is copied to your server after...

Working with Virtual Hosts

If you are installing the Apache web server to host several small sites, virtual hosts will be useful. Working with virtual hosts allows you to serve several sites from one instance of the Apache web server. For example, you could host www.mydomain.com, www.yourdomain.com, and www.someoneelsesdomain.com on the same machine. To make this work, you need to set up DNS, though. You can find more details about this in Chapter 23. When working with virtual hosts, the following process takes...

Tip: Having trouble accessing a server on a newly configured machine? Double-check the subnet mask; if both machines are

Although it is unlikely to just change overnight, a network check should always include a check of the routing table and DNS information. You probably already know how to do it, but just to be sure, here are the instructions: check the routing table with the route -n or ip route show command, and make sure a default route is present. After that, look in the configuration file /etc/resolv.conf to verify that it refers to the correct DNS server. Listing 34-1 shows what output you might expect...

Configuring a Network Card with ifconfig

Configuring a network board with the ifconfig command is relatively easy. Just add the name of the network board you want to configure followed by the IP address you want to use on it; for example, use ifconfig eth0 192.168.1.125. This command configures eth0 with a default class C subnet mask. If you need something other than the default subnet mask, you need to specify it. An example of this is the command ifconfig eth0 172.16.13.13 netmask 255.255.255.0 broadcast...

Installing a Print Client from YaST

One of the nice features of a CUPS print environment is the browsing feature. This allows a printer to discover for itself what other printers are present on the network. When browsing is enabled, the CUPS server uses broadcasts to send printer information to other clients on the network. When the server is configured to broadcast its information on the network, the client can discover the printers offered by the server automatically on the network. The following steps show how to set this up...

Basic Elements of a Shell Script

Some elements should occur in all shell scripts. I'll cover these elements in this section: the shebang that all shell scripts start with; some lines of comment to explain what you are doing; the commands that form the body of the shell script; and an exit code to tell the shell from which the script was executed about the success or failure of the script. As you now know, every shell script should start with the shebang. After that, it is a good idea to add some lines of comment, explaining what the...

Using Heartbeat for High Availability

Configuring Heartbeat for high availability can be a daunting task. In this section, I describe the process of creating a Heartbeat resource with the NFS server as an example. You'll learn how to do it with Heartbeat 1 in this section; I'll cover creating Heartbeat resources with version 2 in the section Configuring a Heartbeat 2-Style Cluster with YaST. Note: The two versions of Heartbeat show significant differences. In this chapter, I'll start by explaining how to configure a cluster based on...

Using chmod to Change Permissions

You can use the chmod command to set permissions on existing files. This command can be used by the user root or by the owner of a file to change permissions of files or directories. You can use chmod in two ways: an absolute way or a relative way. When using chmod in a relative way, you specify the entity that permissions are granted to (user, group, or others), followed by the +, -, or = operator, and then the permissions you want to apply. In absolute mode, a numeric value...

Managing Authentication: PAM

Usually, on a user login on a Linux workstation, the local user database in the files /etc/passwd and /etc/shadow is checked. In a network environment, however, the login program must often fetch the required information from somewhere else, for example from an LDAP directory service such as OpenLDAP or Novell eDirectory. But how are you going to tell the login program? That's where the Pluggable Authentication Modules (PAM) feature comes in. PAM makes the login procedure on your workstation...

Using Commands for User Management

If you want to add users from the command line, useradd is the command to use. Some other commands are available as well. The following are the most important commands used to manage the user environment: useradd: Use this for adding users to the local authentication system. usermod: Use this to modify properties of existing users. userdel: Use this to delete users properly from a system. Using useradd is simple. In its basic form, useradd just takes the name of a user as its argument; for example,...

The System Menu

High Availability: The High Availability option configures Linux Heartbeat clustering. You'll learn more about this in Chapter 32. LVM: Logical Volume Manager (LVM) is a system that allows you to work with logical volumes as opposed to physically allocated partitions on your server. In Chapter 8, you'll learn how to create and manage logical volumes on a SUSE Linux Enterprise Server 10 server. Languages: Dozens of different languages are available, although you should be aware that you cannot apply...

Configuring the Network Interface with YaST

As with most services on SUSE Linux Enterprise Server 10, configuring the network interface starts with YaST. From YaST, you can configure different types of network cards (see Figure 13-1). For a server, configuring the network card is the most important task you can perform from this interface, since the network card connects the server to the rest of the network. ISDN and modem connections are legacy options that are not used often anymore, and when a server is connected to a DSL connection,...

Performance Tuning Your Web Server

If you are running a busy web server, it makes sense to do some performance tuning. The default settings are for web servers with an average workload; if you are hosting a busy web server, the performance parameters may need some tuning. The file to do this in is /etc/apache2/server-tuning.conf. In this file, you can use the following options to tune the performance of your web server: StartServers: This setting specifies the number of Apache processes that should always be started. The...

Testing Connectivity

After configuring a network card, you want to make sure it is working the way it should. To do this, the ping command is one of your best options. It's easy to use: just enter the command followed by the name or address of the host you want to test connectivity to, for example ping www.novell.com. This makes ping produce uninterrupted output; you can interrupt it by using the Ctrl+C key sequence. Using ping in a clever way, you can test a lot with it. I recommend using it in a certain...

Creating Shell Login Scripts

When a user logs in to a system, the configuration file /etc/profile is used. In this generic shell script, which can be considered a login script, environment settings for users are issued. You can also include commands that need to be issued when the user first logs in to a server. The file /etc/profile is a generic file processed by all users logging in to the system. It also has a user-specific version that can be created in the home directory of the user. The name of this user-specific...

The Zone Files

The zone files of your DNS server are stored in the directory /var/lib/named. Some generic files are in /var/lib/named itself (such as the zone files for localhost and the list of name servers of the root domain in the root.hint file), the zone files of the master server are in the subdirectory master, and the zone files for the slave server are in the subdirectory slave. In Listing 23-4 you can see what the zone file for example.com looks like. Listing 23-4. Contents of the example.com Zone File...

Using YaST to Tune the Initial Boot Procedure

It's one thing to tune the boot procedure of your server manually, but you can do it in other ways. One convenient way to specify what should be started and what shouldn't is to use YaST. In YaST, select System > System Services (Runlevel). On the System Services (Runlevel) Details screen that opens, select the Expert Mode radio button. This opens the screen shown in Figure 10-8. Assign system services to run levels by selecting the list entry of the respective service, then checking or unchecking the...

Configuring Shared Storage with the Distributed Replicated Block Device

A simple and stable shared storage solution for the Heartbeat cluster is the Distributed Replicated Block Device (DRBD). The advantage is that you don't need to purchase an external storage device because you can use a local partition or existing disk on the cluster nodes. This section will discuss how to configure a shared storage device using DRBD. The setup discussed in this section assumes a two-node cluster where DRBD is used. One of these servers is configured as the master node that has...

Using Flow Control

Up to now, you haven't read much about how you can make the execution of commands conditional, so that a command is executed only if a certain condition has been met. The technique to enable this in shell scripts is known as flow control. Bash offers many options to use flow control in scripts. if: Use if to execute commands only if certain conditions are met. To tune how if works, you can use else to indicate what should happen if the condition isn't met. case: Use case to work with options. This...

Understanding syslog-ng.conf

To understand how syslog-ng works, you must understand the message path. In syslog-ng, this consists of one or more sources, one or more filtering rules, and one or more destinations. Typically, this definition of the source provides an interface to the legacy syslog mechanism in which a process sends its log information to the /dev/log device. By defining these source devices, syslog-ng knows where it has to look for incoming messages. On SUSE Linux Enterprise Server, in syslog-ng.conf the...

Performing Calculations in Scripts

Bash offers some options that allow you to perform calculations from scripts. Of course, you are not likely to use them as a replacement for your spreadsheet program, but performing simple calculations from Bash can be useful. You can use calculation options, for example, to execute a command a number of times or to make sure a counter is used when a command executes successfully. The script in Listing 27-15 gives an example of how you can use counters. Listing 27-15. Using a Counter in a...

Storing Routing Information

When you enter information such as the default gateway that should be used from the command line, it will be lost the next time you reboot your server. To make sure the information is persistent after a reboot, you can store it in the /etc/sysconfig/network/routes file. This file is read every time the network is activated. The entry used in this file to store the default route is not complex. You don't need anything else to specify the default route. The first entry in the routes file gives the...

Configuring an NTP Client

The first thing to do when configuring an NTP client is to make sure the time is more or less right. This is because when there is a difference of more than 1,024 seconds, NTP will consider the time source insane and will refuse to synchronize time with it. Therefore, it is recommended you synchronize time on the NTP client manually before continuing. To make a manual time synchronization, the ntpdate command is useful; you can use it to get time once only from another server offering NTP...

Organization of the DNS Hierarchy

The most important advantage offered by DNS is that it is organized in a hierarchical way. This makes the system scalable because it can be extended by simply adding another branch to the treelike hierarchy. On top of the hierarchy are the root servers. These servers have one purpose only, and that's to provide information about the top-level domains (TLDs). Some fixed domain names are used for top-level domains, such as .com, .org, and .info, and top-level domains exist for all countries, such...

Setting Up Reversed DNS with YaST

If you know how to set up a normal DNS zone with YaST, you can set up a zone for reversed DNS. Basically, the procedure is the same as the procedure for setting up normal DNS; just a few items need to be handled differently. In the following procedure, you'll learn how to set up reversed DNS. The procedure illustrates how to do this on a DNS server that is already configured; as you'll see, this opens a different interface than the one you saw when creating the master DNS Server for a regular...

Creating Certificates and a Certificate Authority with YaST

In YaST, under Security and Users, you'll find two options to manage certificates. The option CA Management helps you create your own CA. The option Common Server Certificate manages the properties of the certificate that is installed on your server by default. Note that it isn't always necessary to do something with these options; a CA and a server certificate are created automatically when installing your server. When these default objects need adjustment, you need these YaST programs....

Using OpenSSL for Encrypted Connections

By default, the Apache web server sends all its traffic unencrypted. Therefore, if someone is listening with a sniffer and you send sensitive information, they could capture and read that information. To protect against this, you can use SSL encryption. In Chapter 21 you can read all about this encryption technique; therefore, in this chapter I won't go through the entire process of creating certificates and signing them. I'll just discuss how to create a test certificate and use that with the...

Managing Users' Mailboxes

The first step in managing user mailboxes is to add users to the system. These users are regular Linux users who are added to /etc/passwd (or any other authentication mechanism; OpenLDAP would work as well, for example). These users don't need a home directory, since all they use is their mailboxes, which are stored in /var/lib/imap. Also, no shell is needed. However, the users do need the ability to reset their passwords. Therefore, make sure /usr/bin/passwd is specified as the default shell. After...

Making It Executable

Now that you have created your shell script, it is time to do something with it. Different options exist to execute your shell script: activate it as an argument of your shell, source the script, or make it executable and run it. If you just need to check that the script works, the easiest way to test it is as the argument of the shell. This means that from your shell, you start a new shell that starts the script for you. If the name of your script is hello, for example, you can start the script...

Automating Backups with cron

The tar and rsync utilities are useful for creating backups. If you want to apply them in a useful way, you have to make sure they are executed on a regular basis. A good solution to make sure that happens is to use cron for that purpose. Cron comes from the Greek word for time (chronos) and on your server is a process that makes sure that jobs are executed at regular intervals. cron consists of two distinct parts: a cron daemon with the name crond and some related cron configuration files....

Booting a Rescue System

In some situations, the GRUB boot menu isn't good enough, such as when your boot loader is broken and you do not see a GRUB boot prompt at all. In that case, it is useful to know that you can start a rescue system from the installation CD or DVD of SUSE Linux Enterprise Server. One of the options in the menu that is displayed when booting from the installation media is Rescue System (see Figure 34-6). This option will boot a minimized version of SUSE Linux Enterprise Server, designed to help...

Using Default ACLs

On a directory, you can apply a default ACL. When using a default ACL, you can specify the permissions that new files and directories will get when they are created in a given directory. Therefore, you can consider the default ACLs to be a umask setting that is applied on a directory only. If a directory has a default ACL, all files will get the permissions specified in the default ACL. Also, subdirectories will get the permissions from the default ACL, and these permissions will be set as...

Securing the Proxy with ACLs

Based on the settings specified previously, you should be able to configure a working Squid proxy cache. No security features, however, have been implemented so far. Squid offers advanced security options. Connections can be allowed or denied based on the time of day, the source address, the destination address, the requesting user, and more. For all these options, the administrator has to use access control lists (ACLs). The acl tag specifies a group to which access can be denied or allowed in...

Using YaST to Set Up an MTA

In this chapter, you have learned how to set up a mail server manually. You can also use YaST for easily configuring a mail server. You should, however, be aware that YaST offers limited options to tune your mail server. For complete control of what happens, you still need to hack the configuration files manually. If you are planning on using YaST, you have to meet one condition. You do need the OpenLDAP server to be installed and active as well. This doesn't really make sense, but if the...

Specifying Log Files and Cache Directories

Some tags are available to specify where logging should occur by default. Also, you can specify the structure used on the hard drive of your server to cache files. By default, in the cache directory, a subdirectory structure is used for caching files. This subdirectory structure is used like an index. The default settings are for average systems; if your Squid proxy is used frequently, you should consider configuring these tags with a much higher value. Table 25-2 lists the tags related...

Using the ip Tool

You can use the ifconfig tool to display information about the configuration of a network card, but it is not the only tool available. A more flexible (but also more difficult to use) tool is the ip tool. This tool can work with many options to manage virtually all aspects of the network connection. What exactly you want to do with the ip tool is determined by the first option you use after the command. This first option is a reference to the object, and for each object there are different ways...

Using Generic TCP Port Forwarding

X is the only service for which port forwarding is hard-coded in the SSH software. For everything else, you need to do it by hand, using the -L or the -R option. Refer to the example in Figure 18-2. The example network shown in Figure 18-2 has three nodes. Node AMS is the node where the administrator is working. ATL is the node in the middle. AMS has a direct connection to ATL but not to SLC, which is behind a firewall. ATL, however, does have a direct connection, not hindered by any firewall,...

Using VNC for Remote Access to Graphical Screens

Enabling VNC is easy: the YaST Remote Administration option in the Network Services section allows you to set up VNC access quickly. As shown in Figure 18-3, this module gives access to two choices: Allow Remote Administration and Do Not Allow Remote Administration. Want to enable remote administration for your server? Just click Allow Remote Administration, and you are almost there. If you have an active firewall protecting your server, don't forget to select Open Port in Firewall. This option is...

Configuring iSCSI

DRBD is one solution to create a shared storage device on SUSE Linux Enterprise Server. Another solution that doesn't involve expensive hardware is iSCSI. iSCSI support is included in SUSE Linux Enterprise Server as well. In this section, you'll learn how to set it up with YaST. In an iSCSI configuration, the system has two vital parts. First, the iSCSI target software is a service that needs to be activated and gives access to a shared disk device on the machine where it runs. This can, for...

Setting Default Behavior

The configuration of xinetd happens in two places. First, the /etc/xinetd.conf file contains generic settings. It can, however, contain service-specific settings, but that's not the default way to go on SUSE Linux Enterprise Server. Every service has its own configuration file in /etc/xinetd.d. In this section, you'll look at the default settings you can apply in /etc/xinetd.conf. Listing 19-1 shows the default contents of this file. Listing 19-1. Default Settings in /etc/xinetd.conf Copyright (c)...

Working with Symbolic Links

A symbolic link is a link that refers to the name of a file. The most important advantage is that you can use it to refer to a file that is anywhere. Even if the file is on a server at the other side of the world, the symbolic link will still work. The most important disadvantage is that the symbolic link depends on the original file. If the original file is removed, the symbolic link will no longer work. To create a symbolic link, use the ln command with the option -s. When using the ln...

Designing a Partition Layout

If you are performing a default installation, YaST will create one partition and mount that as the root of your server. On that partition, all files will be stored. It will also create a swap partition that is used for swap purposes. Although this solution works well for general needs, it is not the best solution available. Storing all files on the same device has some disadvantages: a service that goes mad could fill the entire device by accident, thus disabling critical services....

Restricting Access to Users and Groups

CUPS allows you to set up an environment where you can manage access on specific resources for users and groups on your system. This goes for generic resources, such as the management capabilities, but also for specific printers. To set up this feature, you need to configure the access restrictions in the CUPS configuration file where you want to apply the access restriction. Next, depending on the method you are using, you need to create user and group accounts as well. The first step for...

Configuring the Master Daemon

In this modular service, one daemon manages all other binary components (as discussed earlier in this chapter) of the Postfix server: the master daemon, /usr/lib/postfix/master. This is the first process that is started when activating the rcpostfix script. To do its work, the master daemon reads its configuration file, /etc/postfix/master.cf, where all Postfix processes have an entry that specifies how they should be managed. Listing 16-1 shows an example of the top...

Using YaST to Configure the NFS Client

As an alternative to doing everything from the command line, you can use YaST to configure the NFS client as well: 1. From YaST, select Network Services > NFS Client. 2. On the NFS Client Configuration screen (see Figure 15-3), click Add to add a new NFS share. Figure 15-3. Click Add to insert a new NFS share into your client configuration. 3. On the screen that you see in Figure 15-4, enter the following options: NFS...

Terminating Processes

In your work as an administrator, you will need to terminate processes occasionally because they are misbehaving. When you are terminating a process, you will send it a predefined signal. In general, the three important signals are SIGHUP, SIGKILL, and SIGTERM. If you send the first of these signals to a process, it doesn't really terminate the process but will just force it to reread its configuration files. This is a useful signal to make sure that changes you have made to configuration files...

Tip: Want to check or tune the configuration of the Ethernet bridge used by Xen? Use brctl. For example, the brctl show

If you want to set up network routing, you need two other scripts as well. First, the network-route script must be activated to create the virtual router device. Next, the vif-route script makes sure that each of the virtual network interfaces is added to the virtual router device. If you want to use routing by default instead of bridging, change the /etc/xen/xend-config.sxp file accordingly. In this file, you'll find the following commented lines (network-script network-route) (vif-script...

Creating Shared Resources by Editing the haresources File

Now that you have configured the generic parameters for the Heartbeat software, it is time to define the shared resources on the network. In Heartbeat 1, you can do this in the configuration file /etc/ha.d/haresources. This technique does still work in Heartbeat 2, but if using the haresources file, you can't use any advanced Heartbeat 2 options such as support for multiple nodes. To keep it simple to start, you can now read how to configure shared Heartbeat services using the Heartbeat 1...

Editing the Sample Configuration Files

To make it easier for you to configure the Heartbeat software, some example configuration files are provided when installing the software. An easy way to get started is by copying these configuration files to the directory /etc/ha.d on both servers. You can find these files in the directory /usr/share/doc/packages/heartbeat. To complete this step, you need three files. authkeys: This file secures communications between nodes with authentication keys. ha.cf: This is the main configuration file in...

Performing a Remote Installation with SSH

Your first option to perform a remote installation is to use SSH to perform an installation. When booting an SSH installation server starting from CD1, you need to add some options to the boot options. As an alternative, you can also add these boot options to the defaults file on the TFTP PXE boot server, but to keep things simple, in the following steps I will discuss how to add the SSH installation options when starting to install from a CD: 1. Boot the server you want to use from its...

Integrating DHCP and DNS

If you want clients to be accessible by their names, you need to tell the DNS server when the DHCP server has handed out a new IP address to the client. To make this work, you need to configure the configuration files for both DNS and DHCP. You first need to create a cryptographic key that can be used to authorize the update. You can generate this key with the dnssec-keygen command: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns. This command will generate two keys in the current directory. Part...

Using YaST Hardware Information

If you need access to information about the hardware in use on your server, the YaST Hardware Information utility is a good starting point. You can open this utility by selecting YaST > Hardware > Hardware Information. When starting this utility, you will notice that it takes some time to load. This is because the utility is probing your system to see what hardware is present at the moment you are running the utility. As a result of this probing activity, a screen opens that displays all...

Using ldapsearch to Query the Directory

Once your Directory has been populated with many entries, you sometimes may want to check whether a certain entry has really been created successfully. To do that, you can use the ldapsearch command. To use it with simple authentication, just use the command ldapsearch -x. This command will query your LDAP server and show what objects it finds in the container that is specified as the search base in the /etc/ldap.conf file. Note that you don't need to enter a password, because anyone (even...

Managing Postfix Components

The Postfix mail server consists of several components. First, on SUSE Linux Enterprise Server, you find the rc-script you can use to start it. This is the script rcpostfix, which is a link to the /etc/init.d/postfix shell script that is used to manage the Postfix server. The rcpostfix script listens to all common arguments that can be used on most rc-scripts. status: Displays the current status of the server. reload: Tells Postfix to reread its configuration files after changes have been applied...

Using Advanced LVM Features

One of the cool features of logical volumes is that some advanced options are available. For example, you can resize the volume, and it is possible to work with snapshots as well. In the next two sections, you will learn how to accomplish these tasks. When resizing logical volumes, you should be aware that it always is a two-step procedure. The volume and the file system that is used on the volume both need to be resized. You should also be aware that not all file systems can be resized without...

Working with Hard Links

Every file on a Linux system has an inode. This inode keeps the complete administration of the file. This includes a list of all the blocks that have to be read when the file is opened and other relevant administrative information, such as the permissions set on the file, the user and group owner, and the access time, creation time, and modification time that are set on all the files on your system. In fact, your computer works with inodes; filenames are only a convenience for humans, who tend...

Why You Shouldn't Use TCP Wrapper

If a service listens to tcpd, you can build an efficient protection for it. However, this protection is far from perfect. The most important problem is that tcpd works only for certain kinds of services. The line ALL: ALL in /etc/hosts.deny could, however, give you a false sense of security, letting you think everything is secure now. A much better way to implement protection for your server is by using the SUSE firewall, which is based on iptables. This is a firewall solution that works...