SUSE Linux Enterprise Server Guide

Adding Swap Space on the

In rare situations, you may find that you are running out of swap space. If that happens, it is useful to know how to add a swap file by hand. Using swap files is not an ideal solution, because swap files are slower than swap partitions. Still, it is better than running out of memory completely, so it beats doing nothing. To add swap space by hand, proceed as follows: 1. Use the dd command to create a file that can be used for swapping. Specify the size of the file you want to...

Installing a Server Automatically with AutoYaST

If you just need to install a few servers, it will be no problem to go through the installation procedure manually for each of the servers. However, if you need to configure many servers, it can be rather cumbersome to do so by hand, and the server configurations may not be consistent throughout the organization. In that case, AutoYaST can be a good option. With AutoYaST, it is possible to clone all the current settings of a system and write them to a configuration file. This configuration file...

Using YaST to Set Up an MTA

In this chapter, you have learned how to set up a mail server manually. You can also use YaST for easily configuring a mail server. You should, however, be aware that YaST offers limited options to tune your mail server. For complete control of what happens, you still need to hack the configuration files manually. If you are planning on using YaST, you have to meet one condition. You do need the OpenLDAP server to be installed and active as well. This doesn't really make sense, but if the...

Configuring a DHCP Server from YaST

As is often the case on SUSE Linux Enterprise Server, the easiest way to configure a DHCP server is from YaST. In this section, you will learn how to configure a DHCP server from YaST. Before you start, make sure no other DHCP servers are already in use on the segment where you want to configure your DHCP server; if another DHCP server is active, you'll never know with which DHCP server you are communicating. To configure a DHCP server from YaST, follow these steps: 1. In YaST, click Network...

Creating EVMS Volumes

LVM is one way of creating logical volumes. Another method is available as well: the Enterprise Volume Manager System (EVMS). EVMS is the correct choice if you want to use logical volumes in a cluster environment. This volume manager is completely cluster aware, and it sits as a shell above other techniques such as LVM and has the option to create software RAID devices (see Setting Up Software RAID later in this chapter). Therefore, EVMS is the way to go if you need to combine several techniques...

Working with the Bash History

Bash's history mechanism helps you remember the last commands you used. By default, Bash remembers the last 1,000 commands for any user. You can see an overview of these commands when using the history command from the Bash command line. This command shows a list of all the recently used commands. From this list, you can restart a command as well. If, for example, in the list of commands you see command number 51, you can easily run this command again by using its number preceded by an...

Installing GRUB

You have two ways of installing GRUB: manually and from YaST. If you are not afraid of editing the /boot/grub/menu.lst file by hand, you don't need to use YaST. Just edit it, and the changes will be applied automatically. If GRUB hasn't been written to the master boot sector of your system before, you can install it by using the grub-install command, followed by the device on which you want to install it. For example, use grub-install /dev/sda to install it on the sda device. Tip: Before starting...

Setting Default Behavior

The configuration of xinetd happens in two places. First, the /etc/xinetd.conf file contains generic settings. It can, however, contain service-specific settings, but that's not the default way to go on SUSE Linux Enterprise Server. Every service has its own configuration file in /etc/xinetd.d. In this section, you'll look at the default settings you can apply in /etc/xinetd.conf. Listing 19-1 shows the default contents of this file. Listing 19-1. Default Settings in /etc/xinetd.conf Copyright (c)...

Configuring the SUSE Firewall with YaST

On all Linux systems, firewall functionality is implemented with the netfilter package in the kernel. Since it is integrated in the Linux kernel, the netfilter firewall is fast and, if set up properly, can compete with many firewall appliances. In fact, many routers use a tuned Linux kernel to do firewalling anyway. You can manage the netfilter package with a rather complex command: iptables. Because it is complex, on many servers no firewall is active at all; many people are just not sure how...

Creating LVM Volumes

Like all file system management tasks in SUSE Linux Enterprise Server, you can use YaST to create LVM volumes, but as an alternative, some command-line utilities are available as well. In the next section, you can read how to accomplish this task from YaST; in the section after that, you will learn how to do it with the command-line utilities. Then, you can read about some advanced LVM features. The easiest way to create logical volumes is to use YaST. In the next steps, you will learn how to...

Creating Shared Resources by Editing the haresources File

Now that you have configured the generic parameters for the Heartbeat software, it is time to define the shared resources on the network. In Heartbeat 1, you can do this in the configuration file /etc/ha.d/haresources. This technique does still work in Heartbeat 2, but if using the haresources file, you can't use any advanced Heartbeat 2 options such as support for multiple nodes. To keep it simple to start, you can now read how to configure shared Heartbeat services using the Heartbeat 1...

Creating the Rules

Based on this information, you should be able to create some basic rules. Let's assume you have a server that has only one NIC. On this NIC, you want to allow requests to the web server to come in and replies to go out. Also, you want to allow SSH traffic. For the rest, you don't need anything else. Like any other netfilter configuration, you would start this configuration by creating some policies. The following will make sure that no packet comes in or out of your server: iptables -P FORWARD...

Creating Partitions with fdisk

YaST works well in creating partitions, but it is not the only method you can use. As an alternative, you can create partitions from the command line with fdisk, cfdisk, or any other tool that is made for this purpose. Sometimes this is even the recommended way, because the command-line utilities give access to many more options than YaST. If you choose to create partitions this way, you should know that after creating the partition, you need to make a file system on it. The next steps outline...

Processing Outbound Mail

Being the MTA, Postfix is responsible as well for processing outbound mail. Basically, all outbound messages are placed in the incoming queue first. From there, the mail is picked up by the queue manager (qmgr) and placed in the active queue as soon as there are no other mails in that. Next, the trivial rewrite daemon determines where the mail should go: it can be for a local user, for a user on the Internet, or for a Unix user who uses UUCP to come get the mail (the latter is somewhat...

Configuring the Master Daemon

In this modular service, one daemon manages all other binary components (as discussed earlier in this chapter) of the Postfix server: the master daemon, /usr/lib/postfix/master. This is the first process that is started when activating the rcpostfix script. To do its work, the master daemon reads its configuration file, /etc/postfix/master.cf, where all Postfix processes have an entry that specifies how they should be managed. Listing 16-1 shows an example of the top...

Monitoring AppArmor's Status

You can use a few commands to monitor AppArmor's status from the command line. First, the rcapparmor status command gives you a generic overview of current AppArmor activity. Listing 32-2 gives an overview of the output generated by this command. Listing 32-2. Displaying Current AppArmor Activity with apparmor status 6 processes have profiles in enforce mode. 0 processes have profiles in complain mode. Now that you know that AppArmor is protecting some processes, you probably want to find out...

Using the mount Command Options

The mount command offers many options. Some of these are rather advanced. For example, to perform the mount using the backup of file administration in the superblock that ordinarily sits on block 8193, you can use the following command: mount -o sb=8193 /dev/somefilesystem /somedirectory. These, however, are options you would use only in the case of an emergency. Some other more advanced options are really useful; for example, when troubleshooting your server, you can boot it with a read-only file...

Configuring a Simple Postfix Mail Server

Enough settings, parameters, and variables for now. The interesting question is, what work do you really need to do to enable a simple Postfix mail server? In this scenario, the simple mail server would need to send mail to the Internet for local users only. It would also be able to receive mail from the Internet, destined for users on the local domain. The following steps describe how to send mail to other servers on the Internet. To make this procedure as easy as possible, you will read next...

Setting Up the Master Server with YaST

To set up the master service with YaST, follow these steps: 1. In YaST, select Network Services > DNS Server. This starts the DNS server installation program. 2. On the first screen of the DNS installation program (see Figure 23-2), you can specify how to handle forwarders. Remember, a forwarder is a server that all the queries are sent to that cannot be handled by your DNS server. You might, for example, refer to the DNS server of your Internet provider as a forwarder. Be aware, however, that...

Using init and /etc/inittab

Once the kernel has loaded and mounted the device where the root directory of your server is stored, the init process is the next to load. This process is the mother of all processes, as you will learn later in this book. init is also responsible for everything that happens in the system initialization procedure from now on. To do its work, init reads its configuration file, /etc/inittab. From there, it learns what else it needs to do. Two of the major tasks handled by init are the initial boot...

Rotating Log Files

Logging is good, but if your system writes too many log files, this can become problematic: log files that are not controlled may fill up your server's file system completely. As a solution, you can configure the logrotate service. The logrotate service runs as a daily cron job and checks its configuration files to see whether any rotation has to occur. In these configuration files, you can configure when a new log file should be opened and, if that happens, what exactly should happen to the old...

Using chmod in Absolute Mode

Although chmod's relative mode is easy to work with if you just want to set or change one permission, it can get complicated if you need to change more than that. In that case, the absolute mode is more useful. In the absolute mode, you work with numeric values to determine the permissions you need. For example, you can use chmod 1764 somefile to change the permissions on a given file. Of these four numbers, the first refers to the special permissions SUID, SGID, and sticky bit; the second...

Adding a Network Card Manually

To add a network card manually, click the Add button, as shown in Figure 13-3. You can now see the Manual Network Card Configuration screen (as shown in Figure 13-4). From here, you can select all the properties of the network card. The easiest way to start is to click the Select from List button. If you click this button, a list of available network cards appears. From this list, you can select the network card that is in your server to make its configuration easier. If the network card you...

Setting Up the NFS Server Configuration Files by Hand

If you want to manage the NFS server by hand, you use two configuration files. First, you use the /etc/exports file to configure all the NFS shares you want to offer from your NFS server. Second, you use the /etc/sysconfig/nfs file to provide a couple of parameters to the NFS server that determine the way the server offers its services. The file /etc/exports defines the NFS shares. The generic structure of the lines where this happens is as follows In this, directory is the name of the directory...

Understanding syslog-ng.conf

To understand how syslog-ng works, you must understand the message path. In syslog-ng, this consists of one or more sources, one or more filtering rules, and one or more destinations. Typically, this definition of the source provides an interface to the legacy syslog mechanism in which a process sends its log information to the /dev/log device. By defining these source devices, syslog-ng knows where it has to look for incoming messages. On SUSE Linux Enterprise Server, in syslog-ng.conf the...

Using ifup, ifdown, and Related Tools

To make managing a network board easy, the ifup and ifdown tools were created. Using these tools is simple: call the tool followed by the name of the network board you want to manage. For example, ifup eth0 will start network card eth0, and ifdown eth0 will stop it. In addition to ifup and ifdown, you can use some useful related tools: ifstatus shows the state of a network interface (see Figure 13-9); ifrenew renews the DHCP lease on a network card; ifprobe checks whether the configuration for an...

Performing a Remote Installation with SSH

Your first option to perform a remote installation is to use SSH to perform an installation. When booting an SSH installation server starting from CD1, you need to add some options to the boot options. As an alternative, you can also add these boot options to the defaults file on the TFTP/PXE boot server, but to keep things simple, in the following steps I will discuss how to add the SSH installation options when starting to install from a CD: 1. Boot the server you want to use from its...

Understanding the proc File System

The /proc directory is an interface that a user can use to communicate to the kernel. The directory /proc is activated at an early stage in the boot procedure. To make it accessible, a special file system is used, the proc file system. In /proc, the kernel creates files that give status information about the process activity and generic kernel activity. For the overall status of the operating system, some generic files such as cpuinfo and modules are created to indicate what processes are doing...

Using Advanced LVM Features

One of the cool features of logical volumes is that some advanced options are available. For example, you can resize the volume, and it is possible to work with snapshots as well. In the next two sections, you will learn how to accomplish these tasks. When resizing logical volumes, you should be aware that it always is a two-step procedure. The volume and the file system that is used on the volume both need to be resized. You should also be aware that not all file systems can be resized without...

Loading Modules Manually

You can manage modules by hand as well. The following commands are involved when managing modules manually: lsmod. This command lists all the modules that are currently loaded. In this list, it also displays the current status of the module. The output of lsmod is given in four columns (as shown in Listing 26-1). The first column mentions the name of the module. The second column shows its size. In the third column, a 1 or a 0 indicates whether the module currently is used, and the last column...

Tuning Process Activity

If something is not OK on your server, you want to know. So before you can do any process management, you need to tune process activity. Linux has an excellent tool that allows you to see exactly what's happening on your server: the top utility. It is easy to start the top utility; just type top. When it starts, you will see something like Figure 11-2. top - 21:42:05 up B 21, 3 users, load average: 0.05, 0.05, 0.05 Tasks: 76 total, 1 running, 75 sleeping, 0 stopped, 0 zombie Cpu(s): 2.3% us, 1.0% sy,...

Setting Process Priority

Killing a process may be a solution for improving the performance of your server, but what if you just need the process? In that case, renicing it may be an option. To understand what the commands nice and renice are doing, you first need to look at the way the process scheduler is working. On a busy system, there is a process queue. All processes are sitting in the process queue and get some CPU cycles one by one. So if there are three processes named process-a, process-b, and process-c, they...

Creating the Share

The second step in configuring a Samba server is configuring the share. For this purpose, Samba works with a configuration file with the name /etc/samba/smb.conf. In this configuration file, almost the complete Samba server is configured, including general options as well as shares. Listing 15-3 shows an example of the complete configuration file as it is used after a default installation of the Samba server on SUSE Linux Enterprise Server. I won't discuss it line by line here; the purpose is...

Adding Items to the Desktop

Adding items to the desktop can be easy enough: select the item you want to add from the Nautilus browser, and drag and drop it on the graphical desktop. This automatically creates a shortcut if you have all the necessary rights to the desktop and the item you want to put on the desktop. You can also right-click somewhere on the desktop, and from the pop-up menu select Create Folder, Create Launcher, or Create Document. In the window that pops up (see Figure 2-13), enter all the information that...

Using the NFS Server

You use the NFS server to share files between Unix and Linux servers. Almost every version of Unix and Linux has native NFS support, but if it isn't present by default, it is easy to set up. Like other file-sharing protocols, NFS is particularly useful when certain directories must be stored on a central location in the network. You can, for example, use it for access to shared home directories: make sure the home directory is stored somewhere centrally on a server, and let users access it when...

Using OpenSSL for Encrypted Connections

By default, the Apache web server sends all its traffic unencrypted. Therefore, if someone is listening with a sniffer and you send sensitive information, they could capture and read that information. To protect against this, you can use SSL encryption. In Chapter 21 you can read all about this encryption technique; therefore, in this chapter I won't go through the entire process of creating certificates and signing them. I'll just discuss how to create a test certificate and use that with the...

Installing a Print Client from YaST

One of the nice features of a CUPS print environment is the browsing feature. This allows a printer to discover for itself what other printers are present on the network. When browsing is enabled, the CUPS server uses broadcasts to send printer information to other clients on the network. When the server is configured to broadcast its information on the network, the client can discover the printers offered by the server automatically on the network. The following steps show how to set this up...

Restricting Access to Users and Groups

CUPS allows you to set up an environment where you can manage access on specific resources for users and groups on your system. This goes for generic resources, such as the management capabilities, but also for specific printers. To set up this feature, you need to configure the access restrictions in the CUPS configuration file where you want to apply the access restriction. Next, depending on the method you are using, you need to create user and group accounts as well. The first step for...

Applying Restrictions to Printers from YaST

CUPS provides different kinds of resources. As an administrator, it is possible to restrict access to these resources. These access restrictions are written to the cupsd.conf configuration file and have the same format as you may be used to from access restrictions on a web server. Different resources are available; each of these resources is available as a subdirectory of the CUPS root. For example, http://yourserver:631 provides access to the CUPS server document root, and http://yourserver:631...

Configuring the cron Service

The cron service is activated by default. It checks its configuration files every minute to see whether something needs to be done. The cron process looks for configuration at different locations: The generic file /etc/crontab can contain lines that tell cron when to execute a given command. This file is not usually edited on SUSE Linux Enterprise Server. In the directory /etc/cron.d, an administrator can put a file that defines what should happen and when it should happen. Every user can have...

Updating Software

A commercial Linux server such as SUSE Linux Enterprise Server offers the ability to subscribe to updates. To be safe from all possible threats to your server, it is mandatory to have a server that is consistently running the latest stable software. To use the update mechanism available in SUSE Linux Enterprise Server 10, you must be registered with Novell. This requires you to purchase the SUSE Linux Enterprise Server product. Tip: If you want to test SUSE Linux Enterprise Server, you can get a...

Using Generic TCP Port Forwarding

X is the only service for which port forwarding is hard-coded in the SSH software. For everything else, you need to do it by hand, using the -L or the -R option. Refer to the example in Figure 18-2. The example network shown in Figure 18-2 has three nodes. Node AMS is the node where the administrator is working. ATL is the node in the middle. AMS has a direct connection to ATL but not to SLC, which is behind a firewall. ATL, however, does have a direct connection, not hindered by any firewall,...

Using netstat to Check Your Server

If you want to know what services are available on your server, and what exactly these services are doing, the netstat command is an excellent choice. netstat has many options; to see the most useful information offered by it, use the -patune options. These options have the following meanings: -p makes sure you see information about programs connected to ports. -a will show you everything there is to show. -u shows information for UDP ports. -n makes sure that IP addresses are not translated into...

Before Configuring the Firewall

Before even thinking about configuring a firewall on your server, you should think about the services the server offers. What sense does it make to block port 524 in your firewall if you don't need services on that port at all? Therefore, before you start, make sure all the services you don't really need are disabled (see Chapter 10 for more details on how to do that). The following is a short checklist that you can use to make sure all the services you don't really need are not available. After...

Creating Partitions with YaST

YaST is a convenient tool to create partitions and assign file systems to them. The next steps show how to do this: 1. Start YaST. From the System menu, select Partitioner. This starts the module you can use to manage partitions and volumes on the storage devices of your server. 2. On the warning dialog box that pops up, click Yes to continue. 3. As shown in Figure 8-3, the Expert Partitioner opens. It will give an overview of all the devices that already exist. In the Expert Partitioner, the...

Configuring SSH

In an SSH environment, a node can be a client and a server at the same time. So as you can imagine, both of these aspects have a configuration file. The client is configured in /etc/ssh/ssh_config, and the server has its configuration in /etc/ssh/sshd_config. Setting options for the server isn't hard to understand: just set them in /etc/ssh/sshd_config. For the client settings, however, the situation is more complicated, because you have several ways of overwriting the default client settings /etc...

Configuring Postfix from the /etc/sysconfig Files

If you want to configure Postfix by modifying the /etc/sysconfig files, you must change at least two settings in /etc/sysconfig/mail: You must enter the DNS domain name in the variable FROM_HEADER. This is because MTAs will do a check on the DNS domain from which they are receiving mail. If the domain is not valid, the mail message will be rejected. Postfix must be told to listen to messages coming in from other servers. For this purpose, set the variable SMTPD_LISTEN_REMOTE to yes. If you don't...

Configuring the OpenLDAP Server During Installation

When you are installing your server, just after configuring the network card, a certificate authority and OpenLDAP server are automatically set up. The LDAP server is created, based on the DNS information you have entered while configuring the network board. If, for example, you have used mydomain.com as the DNS setting for your server, the LDAP Directory is created with the container dc=mydomain,dc=com. A root user with the name of cn=Administrator,dc=mydomain,dc=com is created, and the LDAP...

Registering Services

For a service, you have different ways to register with an SLP SA: dynamically using the slptool utility, statically via /etc/slp.reg, or statically via files in /etc/slp.reg.d. Of these options, the most common method for registering services is to use one of the configuration files. If a service needs to be registered from a script dynamically when the service is starting, you can use the slptool utility. When registering a service with slptool, you need to provide a URL as the argument. In Listing...

The Role of Cluster Aware File Systems

Apart from the issue of the shared storage device, a cluster-aware file system might also be necessary. Whether you need such a solution depends on the kind of cluster you are using: an active-active or active-passive cluster solution. In an active-active cluster, different nodes in the cluster provide redundancy to each other for a given service, where the given service is already active on those servers. For instance, this is a common situation for web servers hosting several virtual servers....

Configuring OCFS2 in an Active-Active Cluster Environment

The previous procedure taught you how to create an iSCSI device that can be shared amongst different hosts at the same time. To complete the procedure, you can now create a file system on it. You can choose from different file systems that are available in SUSE Linux Enterprise Server 10. The first choice you have to make is whether this will be a cluster file system or a nonclustered file system. If it is a nonclustered file system such as ext3 or Reiser, you should be aware that only one node...

Configuring xinetd with YaST

The easiest way to configure xinetd is by using YaST. The module to configure xinetd is called Network Services, and you can find it in the YaST menu item Network Services. By default, you will find that xinetd is disabled. That's a good thing from a security perspective, so start by selecting Enable. Now, as shown in Figure 19-1, the xinetd services are no longer disabled, and you can manage each individual service. The list of currently available services gives an overview of all the services...

Crashes and Core Dumps

If things are really getting out of hand on your server and the server crashes, creating memory core dumps can be useful. Novell support can analyze the core dump to find out what really happened to your server at the moment that it went wrong. By default, nothing will happen when a crash occurs. Memory dumps can be written to a local directory on your server, but alternatively they can be written to a server on the network as well. Be aware that if you choose the latter option, it may take a...

Working with LDAP Authentication

Maintaining a separate password file to specify the names of users who can access certain directories on your web server is not the most practical way of implementing decent web server security. It is much more useful if you can maintain the user database somewhere external. One (but by far not the only) option you can use for this purpose is LDAP authentication. Now, Apache is not aware of any LDAP server by itself; fortunately, it isn't that hard to teach Apache that it should use LDAP for...

Using Other Tools to Monitor System Activity

Although this is not the only tool you can use for process monitoring, top is the most important tool. Some other tools are available as well. In this section, I'll give you a short overview of some of these other tools: uptime. This tool shows how long the server has been up and gives details about the load average. free. Use this tool to show information about memory usage. From the GNOME graphical desktop, you can also start the GNOME System Monitor to display detailed information about your...

Installing SUSE Linux Enterprise Server

This chapter teaches you everything you need to know to properly install SUSE Linux Enterprise Server 10. Meeting the Installation Requirements. Before you can start installing SUSE Linux Enterprise Server 10, you need a computer that meets the minimal requirements. The following are the minimal system requirements: a CPU that runs at 1GHz or better, and 4GB of available disk space. Although such a configuration would be fine in a test lab, you may think it is rather minimal. Indeed, if you're planning...

Configuring Shared Storage with the Distributed Replicated Block Device

A simple and stable shared storage solution for the Heartbeat cluster is the Distributed Replicated Block Device (DRBD). The advantage is that you don't need to purchase an external storage device because you can use a local partition or existing disk on the cluster nodes. This section will discuss how to configure a shared storage device using DRBD. The setup discussed in this section assumes a two-node cluster where DRBD is used. One of these servers is configured as the master node that has...

Reading the Boot Messages

When SUSE Linux Enterprise Server starts, you'll see a lot of messages scrolling by on the screen of your server. These messages are generated by the kernel and indicate whether everything is going well. Unfortunately, the messages scroll by way too fast for you to be able to read what's happening. Fortunately, you have two ways to monitor what has happened when your system has finished booting. The first method to get more information about the boot procedure is to use the dmesg command on the...

Network Services

The Network Services menu, as shown in Figure 3-12, provides access to a lot of utilities that you can use to set up network services. Note: You can configure most network services from the Network Services screen in YaST, but not all of them. For some services, it is still required that you tune the associated configuration files the hard way. In the following list, I briefly explain each service. You will also find a reference to the chapter where the given service is discussed in more detail....

Adding Services to a Runlevel Manually

As you learned earlier when reading about boot scripts, you can add services to a runlevel manually as well. You can use any of the following three methods to do this: you can create a symbolic link by hand, you can use the insserv command, or you can use the chkconfig command. In the following sections, you will learn about all three methods. Creating Links to Add Services to the Runlevel. The basic way to add services to a runlevel is by manually creating a symbolic link. After all, this is what...

Booting a Rescue System

In some situations, the GRUB boot menu isn't good enough, such as when your boot loader is broken and you do not see a GRUB boot prompt at all. In that case, it is useful to know that you can start a rescue system from the installation CD or DVD of SUSE Linux Enterprise Server. One of the options in the menu that is displayed when booting from the installation media is Rescue System (see Figure 34-6). This option will boot a minimized version of SUSE Linux Enterprise Server, designed to help...

Note To run an operating system from an image file, it must have been prepared to run in a Xen environment. If you plan

Select Run an OS Installation Program, and then click Next to start the installation. Figure 31-3. Select Run an OS Installation Program, and then click Next to start the installation. 4. Now you'll see the Virtual Machine (Installation Settings) screen (see Figure 31-4). On this screen, you can change the installation environment. Tune the environment as needed, and then click Next to continue and start the installation. The following options are available: AutoYaST Use this option...

Note In this section I'll explain how to set up DHCP to support a PXE environment. Read Chapter 23 for more generic

With your editor, open the configuration file /etc/dhcpd.conf, and add the three lines shown in Listing 35-1 to your existing configuration. Make sure you add them to the right position in the /etc/dhcpd.conf configuration file; you may, for example, add this to the network declaration on your DHCP server. Use the example code lines in Listing 35-1, but make sure to modify them to reflect your network settings. The listing uses the following options: next-server This is an important option; it...

Creating LDIF Files

To add, delete, or modify information in the LDAP Directory, you use the Lightweight Directory Interchange Format (LDIF). As an administrator, you need to create a file in LDIF and then add the content of the file to the Directory using the ldapadd command. LDIF files can contain entries for multiple objects, so you don't need to create an LDIF file for each record you want to add. It is important that in the LDIF file, you specify the distinguished name first for each entry. Listing 17-3 shows...

Using ldapsearch to Query the Directory

Once your Directory has been populated with many entries, you sometimes may want to check whether a certain entry has really been created successfully. To do that, you can use the ldapsearch command. To use it with simple authentication, just use the command ldapsearch -x. This command will query your LDAP server and show what objects it finds in the container that is specified as the search base in the /etc/ldap.conf file. Note that you don't need to enter a password, because anyone (even...

Monitoring Protocol Activity with IPTraf

IPTraf is not installed by default, so make sure it is installed (check Chapter 9 for more details) before you try to launch it from the command line with the iptraf command. As shown in Figure 13-17, IPTraf uses a menu interface. In this interface, several menu options are available: IP Traffic Monitor From this option, you can tell IPTraf to monitor what's happening on the network interfaces in your server. You can select one particular network interface, but it is possible to check all the...

Using Postfix Management Tools

Managing Postfix is not only about creating the configuration files in the correct syntax. Some management tools are available as well. These administration tools all run from the command line. Next you will find an overview of the most important tools: newaliases Use this tool to generate the database file /etc/aliases.db from the file /etc/aliases. mailq This lists all e-mail in the mail queue that has not yet been sent. postalias This is the same as newaliases. postcat This displays the...

Methods of Name Resolving

DNS is not the only solution you can use for name resolving. Other solutions are available as well. I'll explain two of them here: the /etc/hosts file and Sun's Network Information System (NIS). Before DNS was introduced, every host needed to keep its own file where IP addresses were mapped to names. In those days, the Internet was still a small network, so this was doable (although the administrator had to ensure these files were updated properly). Today such a mechanism still exists in the form...

Using tcpdump

Tcpdump is a straightforward tool: it does exactly what its name indicates it will do; it dumps TCP packets on the console of your machine. That way, you can see all packets received by the network board of your server scrolling by on the screen. By default it will just show the first 96 bytes of every packet, but if you need more details, you can start it with -v or even with -vv so that it will be more verbose. Figure 13-19 shows what it looks like if you run the command with the -v option. 16...

Setting Up DHCP Failover

If you need to make sure your DHCP server is always available, you can use the DHCP internal failover feature. This feature allows you to set up two (and no more than that) DHCP servers to use a shared address pool. Of these address pools, if both servers are operational, both can use about half of the available addresses. If one of the servers fails, the other server can take over immediately. In a failover configuration, one server is primary, and the other is secondary. You also need to make...

Installing a Linux CUPS Client

To install Linux as a CUPS client, you need to decide how you want to do that. If the Linux client doesn't have any printers it connects to locally, you can perform a CUPS client-only installation. If the CUPS client also has to connect to local printers, you can use the browsing feature, which you learned about earlier in this chapter, to connect to the CUPS print server. In the following steps, you will learn how to perform a CUPS client-only installation. Be aware that in this procedure you...

Working with Symbolic Links

A symbolic link is a link that refers to the name of a file. The most important advantage is that you can use it to refer to a file that is anywhere. Even if the file is on a server at the other side of the world, the symbolic link will still work. The most important disadvantage is that the symbolic link depends on the original file. If the original file is removed, the symbolic link will no longer work. To create a symbolic link, use the ln command with the option -s. When using the ln...

Unmounting Devices

On a Linux system, a device not only has to be mounted, but when you want to disconnect the device from your computer, you have to dismount it as well. For this purpose, you can use the umount command. This command can work with two arguments: either the name of the device or the name of the directory where the device is mounted. So, umount /dev/cdrom and umount /media/cdrom will both work. When using the umount command, you may encounter the message Device is busy and end up with a failing...

Managing Postfix Components

The Postfix mail server consists of several components. First, on SUSE Linux Enterprise Server, you find the rc-script you can use to start it. This is the script rcpostfix, which is a link to the /etc/init.d/postfix shell script that is used to manage the Postfix server. The rcpostfix script listens to all common arguments that can be used on most rc-scripts: status Displays the current status of the server. reload Tells Postfix to reread its configuration files after changes have been applied...

Using ACLs to Grant Permissions to More Than One Object

When mounting a device, there is normally no space to store ACL information. Therefore, you must specify, for all devices where you want to use ACLs, that ACLs have to be enabled for that device; only then can you set ACLs. If you want to use them, you must check in the configuration file /etc/fstab, which is used for the automatic mounting of all the file systems on your server, that ACL support is enabled. For instance, if ACL support for the device /dev/sda1 is enabled, you will find a line...

Managing Users Mailboxes

The first step in managing user mailboxes is to add users to the system. These users are regular Linux users who are added to /etc/passwd (or any other authentication mechanism; OpenLDAP would work as well, for example). These users don't need a home directory, since all they use is their mailboxes, which are stored in /var/lib/imap. Also, no shell is needed. However, the users do need the ability to reset their passwords. Therefore, make sure /usr/bin/passwd is specified as the default shell. After...

Understanding the Concept of Runlevels

When starting a server, you probably need the server to be fully functional. Sometimes, however, for troubleshooting a server, you need to start with only a few services loaded, instead of loading all services. Linux meets this need with runlevels. By default, seven runlevels determine exactly what is happening when your server boots into one of them. Listing 10-4 shows how these runlevels are defined in /etc/inittab. Listing 10-4. Defining Runlevels in inittab: runlevel 0 is System halt (Do not use...

Troubleshooting from the GRUB Boot Prompt

The tips discussed so far will help you if you still have a running server. Sometimes you don't, because something goes wrong in the start-up procedure. If that's the case, you need to change the way your server starts. The GRUB boot prompt (see Figure 34-4) is a helpful tool to do that. Figure 34-4. To change the way your server boots, the GRUB boot screen is a useful aid. By default, your server will display the...

Configuring FTP for Authorized Users

For some environments, the option to configure an FTP server for authorized users is an important one; imagine, for example, that you are hosting websites for other users. In that case, your customers need to be able to upload content to their sites, and FTP is the most appropriate way to do so. Setting up such an environment with pure-ftpd is really easy; just two lines are needed in the pure-ftpd.conf configuration file. Of course, this would require your users to exist on your local system...

Working with /etc/hosts.allow and /etc/hosts.deny

TCP Wrapper works with two configuration files to determine whether access is allowed. The names of these files are /etc/hosts.allow and /etc/hosts.deny. The first lists all the hosts that can access a service; the latter lists the hosts for whom access is denied. TCP Wrapper always first reads the /etc/hosts.allow file. If the host that tries to connect is in there, access is allowed. If the name of the host is not in /etc/hosts.allow, the TCP Wrapper checks /etc/hosts.deny. If the host is in...

Tuning and Monitoring the NFS Server

I'll now talk about tuning the NFS server. You can use two useful commands to tune how the NFS server works. First, the rpcinfo -p command lists all the services that currently are registered at the portmapper service on your NFS server. If for any reason you cannot connect to the NFS server, this is a good check to see whether it is running properly. Next, the showmount -e command lists all the file systems that are exported by a remote server. It typically is a utility that you would run from...

Using procinfo

One option to view information in the /proc file system is to monitor the individual files in it. As an alternative, you can use procinfo. The procinfo command displays information from the /proc file system nicely. When used without options, procinfo shows you information about memory usage, CPU load, swap activity, and IRQ usage (see Listing 28-6 for an example). You can also use several options with procinfo to indicate exactly what information you'd like to see. Listing 28-6. Example procinfo...

Understanding How SLP Works

The essence of how the Service Location Protocol works is that active services are registered on the network. This registration happens at the service agent (SA). Ordinarily, every server on the network has an SA that provides information about the services it is hosting. Services register only at their local SA; therefore, the SA on server 2 is ignorant of the services registered by the SA on server 1. On the computer that needs a service, SLP uses the user agent (UA). At first thought, you may...

Configuring OpenSLP from YaST

Once again, YaST offers the easiest interface to configure the OpenSLP server. To do this, you need the module slp-server, which you can start directly by using the command yast slp-server. This starts the interface shown in Figure 33-1. Figure 33-1. YaST offers an easy-to-use interface to set up an SLP server. In the YaST interface, three different tabs are available. On the tab Global SLP Configuration, you can specify...

Using chmod in Relative Mode

When working in relative mode, you have to use the following values for the permissions that are available: Read: r, Write: w, Execute: x, SUID: u+s, SGID: g+s, Sticky bit: t. The relative mode is useful when changing permissions that apply to everyone. For example, you can easily make a script file executable by using chmod +x myscript. Because u, g, or o are not used in this command to refer to the entity the permissions are applied to, the file will be made executable for everyone. You can, however, be...

Browsing Available Services

When working with SLP, the only thing that really matters is that the services on your network can use it to get access to the SLP-offered services they require. For this purpose, some services have an option that allows them to connect to a service that is registered with an SLP service. An example of this is the installation program on any version of SUSE Linux 10 that allows you to use SLP to connect to an installation server. Apart from these options, as an administrator, you may want to...

Applying File Attributes

When working with permissions, there is always a combination between a user or group object and the permissions these user or group objects have on a file or directory. An alternative method of securing files on a Linux system is by working with attributes. Attributes do their work regardless of the user who accesses the file. Of course, there is a difference: the owner of a file can set file attributes, whereas other users (except for root) cannot do that. For file attributes as well, an...

Managing CUPS Print Queues

CUPS offers a lot of tools from the command line that you can use to manage print jobs and queues. If you have worked with older Unix print systems, I have good news for you: CUPS works with tools from the Berkeley Unix dialect as well as the System V Unix dialect. Since they are more common, in the following sections I will focus on the Berkeley tools. To create a print job from the command line, you need the lpr tool. With this tool, you can send a file directly to a printer. In its most basic...

Managing Xen from the Command Line

Managing Xen from the command line involves two skills: tuning the configuration file and working with the xm tool. Both are explained in the next two sections. Every Xen domain has its own configuration file. Typically, you can find these configuration files in /etc/xen/vm. For this example, you'll start with the configuration file for the virtual machine that was created in Listing 31-3. Listing 31-3. Xen Domain Configuration File BTN /etc/xen/vm cat vm1 bootloader '/usr/lib/xen/boot...

Configuring the OpenLDAP Server

The /etc/openldap/slapd.conf file is the main configuration file for your LDAP server. Because some of the more advanced settings can be configured only from this file, you should be aware of how it is organized. You can see its contents in Listing 17-1. Listing 17-1. The /etc/openldap/slapd.conf File. See slapd.conf(5) for details on configuration options. This file should NOT be world readable. Define global ACLs to disable default read access. Do not enable referrals until AFTER you have a...

Using the Powertweak Utility

To make tuning your system a little easier, SUSE Linux Enterprise Server comes with the Powertweak utility (see Figure 28-2). For example, some of the tweaks I described earlier can be performed from Powertweak as well. You can start this utility from the YaST > System interface. Figure 28-2. The Powertweak utility allows you to access some powerful system performance-related settings from a graphical menu interface. ...

Working with the GRUB Configuration File

GRUB has a configuration file that defines all the options from the boot menu. This text file is /boot/grub/menu.lst. In this file, you can specify the different boot options on your server. Listing 10-1 shows the code that usually appears in the GRUB configuration file. This code comes from an installation where Xen (see Chapter 31) was also installed. Listing 10-1. Example GRUB menu.lst File: color white/blue black/light-gray default 0 timeout 8 Don't change this comment - YaST2 identifier...

Managing the xinetd Daemon

The xinetd service is implemented by the daemon process xinetd. This process has a script in /etc/init.d that allows you to start and stop this process automatically. Be aware that by default xinetd is not activated, so if you want to use it, enable it first with the insserv xinetd command. Using this command makes sure that xinetd starts automatically the next time you boot your server; in other words, it doesn't start it immediately after you issue insserv xinetd. To start it immediately, use...

Compressing the Archive

The tar utility is a great utility for creating backups. However, by default it will not compress the backup. If you want to compress the backups you make with tar, you can choose from three options: -z This compresses the backup with the gzip utility. This utility offers a great balance between speed and compression ratio. -Z This uses the zip utility. Speed is good, but the compression ratio is not optimal. -j This uses the bzip2 utility. This utility compresses about 10 percent more than gzip...

Tuning the Samba Configuration File

The first step in setting up a domain environment is to configure the Samba configuration file properly. In Listing 15-8, you can see the settings required in the /etc/samba/smb.conf global section. Listing 15-8. Samba Domain Controller Settings: netbios name = STN, workgroup = UK, security = user, passdb backend = ldapsam:ldap://HTR.mydomain.com. Let's look at the different parameters used in this example. Table 15-5 summarizes how to use all the parameters that haven't been covered earlier. Table 15-5....

Tuning Access to Services with TCP Wrapper

If a service runs from xinetd, you can secure it with TCP Wrapper, which is a service that is implemented in the tcpd process and that you can use to restrict access to services. Stated in a more general way, if a service is using the libwrap.so library module, the service can be secured with TCP Wrapper. Since xinetd is using this module, you can secure it this way. You can also secure other services that aren't started with xinetd but do use this library with TCP Wrapper. To check whether a...

Note The POSIX standard defines common standards for Linux and Unix operating systems. POSIX capabilities include all

Basically, if an application is started as root and it has an AppArmor profile, the AppArmor profile determines what the application can do and doesn't care that the user is logged in as root. An AppArmor profile contains rules, which define the capabilities that the application can have and the permissions to files for the application. Listing 32-1 gives an example of how these are applied in the default profile for xinetd. You can find this example profile in /etc/apparmor/profiles/extras...

Using nmblookup to Test Samba Naming

To test whether Samba name services are fully operational, you can use the nmblookup command. For example, the command nmblookup lax would search the network for a host with the NetBIOS name lax and return its IP address. To return the IP address of the given host name, the utility first uses a NetBIOS broadcast on the local network. If no WINS server is configured, it wouldn't go any further. If NetBIOS nodes are present on other networks as well, a WINS server must be configured to manage the...

Managing Users with YaST

In the previous sections, you learned how to add users from the command line. I also discussed what files are modified when doing so. You have some other options as well, and the best of these is of course SUSE's all-round configuration tool YaST. The following steps show how to create a user with YaST: 1. From YaST, select the Security and Users option, and next select User Management. This will list all users who currently exist on your system. 2. To create a new user, select the Add option....

Starting the Services

Three different services are involved with the Samba software on SUSE Linux Enterprise Server 10: smbd This process allows for the actual file sharing. nmbd This provides NetBIOS naming services, allowing Windows clients to work with their own naming mechanism. This service, for example, allows you to browse the network neighborhood and find all the Samba services as well. winbind This allows you to bind your SUSE environment to a Windows environment where Active Directory is used. With it, you...