INTRO TO LINUX SYSTEMS ADMINISTRATION

SYSTEMS ADMINISTRATION Administering the system? Keep the system up in a consistent state Monitor performance Babysit users, make changes on their behalf Install, configure, upgrade, maintain Backup, restore, disaster recovery

SYSADMINS System administration handled by various

people Full time dedicated sysadmins on site Remote services Generic ‘IT’ personnel That user that seems to know what they’re doing

Can be a skill set central to a career path, or a means to an end

PRIVILEGE HIERARCHY Want to divide system privilege by account First step is file level permissions

Default permissions limit end users in what configuration files they can read and which programs they can run

Next level is within system programs Limit certain functions to only users with

‘elevated’ privileges

THE SUPERUSER By default, one account has elevated

privileges to issue any command, access any file, and perform every function

Superuser, a.k.a. root Technically, can change to anything – but don’t

User and group number 0

THE SUPERUSER, CONT Must limit use of root

Inexperienced users can cause serious harm Use of root for non-privileged tasks unnecessary

and can be open to attack Security and privacy violations – root can look at

anyone’s files Limit what root can do remotely Ensure a strong password

SUPERUSER PRIVILEGES What usually works best is short periods of

superuser privilege, only when necessary Obtain privileges, complete task, relenquish

privileges Most common ways are su and sudo Can also use the setuid/setgid method (Ch.

4), but not recommended

SU Short for substitute or switch user Syntax: su [options] [username]

If username is omitted, root is assumed After issuing command, prompted for that

user’s password A new shell opened with the privileges of that

user Once done issuing commands, must type exit

SUDO Allows you to issue a single command as

another user Syntax: sudo [options] [-u user] command

Again, if no user specified, root assumed New shell opened with user’s privileges Specified command executed Shell exited

SUDOERS Must configure a user to run commands as

another user when using sudo Permissions stored in /etc/sudoers Use utility visudo to edit this file (run as

root) Permissions granted to users or groups, to

certain commands or all, and with or without password being required

OTHER PERMISSIONS MODELS Some Linux distributions such as Ubuntu

obscure away the root account altogether By default the end user doesn’t know the

root password Can’t login as root Can’t su

Must rely on sudo (and the graphical gksudo) to obtain privilege, along with ‘Unlock’ functions in GUI

SYSTEM OPERATION Booting the system Runlevels Modes Shutting down the system

BOOTING THE SYSTEM Power on, POST, hardware initialization Boot device selected by BIOS/user interaction Master boot record of boot device read Initializes the bootloader

lilo (LInux LOader) grub (GRand Unified Bootloader)

BOOTING, CONT Boot loader selects and loads an OS kernel Kernel stored as an compiled image file Kernel loads modules for hardware and

software functions Interrupts, device management, memory

management, paging Last thing kernel does is call init

INIT First non-kernel code loaded Process number 1 Acts as parent to all other processes on

system Handles starting services and programs Based on runlevel, runs the appropriate

scripts

RUNLEVELS A set of defined system states that init can

bring the system into (varies on distro) 0: Halt/shutdown 1: Single user mode 2: Multiuser mode 3: Multiuser mode with networking 4: Not used 5: Multiuser mode with networking and GUI 6: Reboot

RUNLEVELS, CONT On boot, init checks /etc/inittab to see what

runlevel to bring system to To change runlevel after boot

telinit runlevel shutdown/halt/reboot

Any time the runlevel changes, init consults a set of scripts to determine what to stop/start

SCRIPTS Init works with run command (rc) scripts Found in /etc/rc.d All scripts housed in /etc/rc.d/init.d Each script takes a parameter for changing

operation (start/stop/halt/reboot) Each runlevel has it’s own directory

/etc/rc.d/rcN.d

SCRIPTS, CONT In each runlevel directory, there are symbolic

links to scripts in /etc/rc.d/init.d The name of the link is crucial

Starting with S means start in this runlevel Starting with K means kill in this runlevel After S/K, there is an order number

Start ascending Kill descending

NOTES What we’ve described is the traditional Linux

init/boot process Different distros do things differently

launchd in Mac OS X Upstart in Ubuntu Linux Initng in Debian, Gentoo, others

The classic init is called System V init

SINGLE USER MODE Runlevel 1 Console only – no terminals Very minimal environment Some filesystems might not be mounted Maintenance of filesystems Fixing configuration errors Disaster recovery

MULTIUSER MODE Runlevels 2-5 Runlevel 2 allows terminal logins Runlevel 3 allows remote terminal logins Runlevel 5 enable X11 graphical environment Runlevels 3 and 5 are the most common

levels for day-to-day operations

SHUTTING DOWN THE SYSTEM Syntax:shutdown [options] time [message] Time: XX:XX or +X or NOW -k: don’t really shutdown, just send message -r: reboot -h: halt -c: cancel a shutdown

halt: calls shutdown –h reboot: calls shutdown -r

SCHEDULING Linux systems uses the Cron system for time-

based job scheduling Allows users to schedule jobs to run Allows sysadmins to run jobs and batch

processes Different distros implement the structures

differently Most use /etc/crontab as primary set of

instructions Sometimes other files are used, like /var/spool/cron/*

CRONTAB Each line schedules a job Syntax:

* * * * * command First field is minutes (0-59) Second field is hours (0-23) Third is day of the month (1-31) Fourth is month of year (1-12) Fifth is day of week (0-6, starting with Sun)

FILESYSTEM MANAGEMENT A Linux installation can be comprised of

many different filesystems Each filesystem (except for swap) is

connected to the filesystem hierarchy at a specific point in the tree

This is referred to as the mount point A sysadmin uses mount, umount and /etc/fstab to manage these mounts

MOUNT Syntax (most commonly):mount –t type device directory

Associates a device (partition, CD-ROM, etc) formatted with a particular type of filesystem with a specified directory in the hierarchy

Requires root privileges to mount in most cases

mount with no arguments displays list of mounted filesystems

UMOUNT Syntax:umount directory | device

Removes that association Cannot umount if device is still being

accessed (i.e. open files) Again, most likely requires root privileges

FSTAB For filesystems that should be mounted on

boot every time, put them in /etc/fstab Basically a tab delimited file that contains

the command line parameters you’d give to mount Device Mount point (directory) FS type Options (Readonly, attributes, etc)

CREATING NEW FILESYSTEMS First use fdisk device to create a partition

Similar in function to old fdisk from DOS Use ? to display commands, p to display partition

info Once partition created, must be formatted

mkfs –t type filesystem Once formatted, you can mount it

FILESYSTEM INTEGRITY Filesystem problems? Corrupt files? Forced

into single user mode to fix errors? fsck Syntax:fsck [options] –t type filesystem

Again, usually need root permissions Also, filesystem should NOT be mounted

while running fsck – can cause damage

MONITORING DISK USAGE du – disk usage on files and directories df – reports filesystem utilization lsof – list open file handles quota – configure and display user quotas

quotactl quotacheck quotaon edquota

INSTALLING SOFTWARE The open source movement has provided an

enormous volume of freely available programs

Two primary methods of installing programs By source By package manager

INSTALLING BY SOURCE Download source code Usually comes in a compressed tar archive

(.tar.gz or similar) Extract source code Configure the installation (usually ./configure)

Then compile (make) Then copy into filesystem (make install)

PACKAGE MANAGERS There are a wide variety of package

managers available for different Linux distributions

In turn, there are several different types of packages available for each of these managers

Packages are an archived version of the source code

Often tailored to a specific architecture or distribution

RPM Red Hat Package Manager Package format and manager created by Red

Hat developers Used widely by Red Hat, Red Hat-based

distros, and many others System maintains a local RPM database to

maintain consistency and track installs

RPM, CONT Many different utilities for managing RPMs rpm: command line package manager for

installing/removing/configuring packages up2date: command line package manager

that fetches packages from internet and resolves dependencies

yum, yast: similar to up2date Many GUI frontends available to these

utilities

DEB Debian package format Used in Debian Linux and it’s derivatives

such as Ubuntu and Knoppix Contains compressed binary data and

metadata Again, usually specific to a distro and an

architecture

DEB CONT dpkg: Debian package manager, for

installing/removing/configuring packages apt: Advanced Package Tool, for installing

and configuring packages from online sources. Also does dependency resolution

Again, graphical front ends available for each of these

USER ADMINISTRATION User configuration stored in /etc/passwd File got it’s name because it originally

contained passwords as well Security problem – too many processes need to

read passwd A shadow file used now instead (more in a sec)

Each line contains info for one user

PASSWDjsmith:x:1001:1001:Joe

Smith,Rm27,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/bash

First field is username Second was password – now a dummy char Third is userid (uid) Fourth is groupid (gid) Fifth is GECOS field

Full name, contact info Gen. Elec. Comprehensive OS

Sixth is user’s home directory Seventh is user’s default shell

PASSWD, CONT Originally passwd contained a user’s

password information How it works

User picks a password A random number is generated (called the salt) The salt and the password is passed into a hash

function (a one-way cryptographic algorithm) The salt and result are stored in ASCII

PASSWD, CONT Problem – user-level programs need to read passwd Get user name, location Home directory, shell

So passwd was world readable So anyone on system could see a user’s

salted hash It’s encrypted – what’s the big deal???

PASSWD, CONT Original salt was 12-bit ... 4096 possibilities Many early users used bad passwords

Dictionary words Even with 1970’s computing, it wouldn’t take

very long to try all combinations of salts and passwords through the hash function

Just wait for a match Brute force crack

SHADOW Wasn’t acceptable to have passwd world

readable if it contained hashes So salted hashes moved to a new file /etc/shadow Format similar to passwd, one user per line Readable only by root

SHADOW, CONTjsmith:$1$CzzxUSse$bKJL9wAns39vlxQlBZ8wd/:13744:0:99999:7:::

First field is username Second is the salted hash or account status

NP or ! or null for blank password LK or * for locked/disabled account !! for account with expired password

Third is days since last password change Measured from epoch (midnight UTC 1/1/1970)

SHADOW, CONT Fourth is days until password is eligible to be

changed Fifth is days before change is required Sixth is days before expiration to warn Seventh is days before account expires Eighth is days since epoch when account

expires Ninth is unused/reserved

ADDING USERS If you really wanted to, edit /etc/passwd by

hand Some distributions have graphical or

simplified ways to add users Most widely available however is command

line utility useradd

ADDING USERS, CONT Syntax: useradd [options] [-g group] [-d home] \

[-s shell] username -g to define user’s initial group -d to define user’s home directory -s to define user’s default shell Other options for expiration, using defaults,

etc

DELETING USERS Again, could just hack /etc/passwd More elegant: Syntax: userdel [-r] username -r to delete home directory and it’s contents

MODIFYING USERS Syntax: usermod [options] username Options are pretty much identical to those of

useradd Also, -l to change the user’s login name And –G to list additional groups to add user

to

GROUP MANAGEMENT Group info housed in /etc/group Similar to user management groupadd groupdel groupmod

DAEMONS AS USERS For the most part, Linux daemons (services)

each run as a unique user account Provides additional security by segregating

processes and files Running daemons as root usually a bad idea Accounts usually created automatically and

assigned passwords Usually disabled from logging into system

NETWORKING Linux is a powerful networking operating

system Much of it developed in tandem with the

Internet Ability to work as a client, server, or network

device Proxies, firewalls, routers, bridges, etc

NETWORKING, CONT Overall networking usually governed by /etc/rc.d/init.d/network

Invoked in runlevels 3 and 5 usually Network device/interface configurations in

either /etc/sysconfig/networking or in /etc/sysconfig/network-scripts

Can either edit manually, or use utilities to manage

IFCONFIG Displays or alters network device configs Syntax:

ifconfig interface [options] With no options, shows interface’s config If interface omitted as well, show all configs Options include flags, IP address, subnet

mask, etc

ROUTE Display or change routing In simple configurations, mostly used to set

default gateway Syntax:

route [options] [add/delete] [target]

With no arguments, show route table

HOSTNAME Used to set/display the computer’s network

name Depending on what protocols your network

uses, may also need to look at domainname dnsdomainname

Especially important for Internet-accessible systems

Can be defined in /etc/sysconfig/network

INTERFACES By default, wired ethernet interfaces are

found as ethX, with X starting at 0 These are aliases to the actual physical

adapter and driver To enable an interface:

ifup interface To disable an interface:

ifdown interface

INTERFACES, CONT Other types of interfaces exist

ppp, slip, atm, etc Management of them work similarly Wireless interfaces a bit different

Use iwconfig to manage these and display info Has the additional options for frequency,

encryption, channel, passphrases, etc

NETWORKING As with most things, GUI tools available Similar to TCP/IP configuration in Windows More advanced operations (bridging, NAT/IP

Masquerading, advanced routing) take a little more configuration

Default firewall software is iptables or ipchains

NETWORK SHARES Samba SMB/CIFS CUPS NFS

KERNEL MODIFICATION Vast majority of Linux kernel releases

incredibly stable New features/improvements Bug fixes Modules vs. in kernel We need to recompile

KERNEL MODS, CONT If we just want to upgrade to a newer kernel

release, there are a couple of options Can download and install new kernel

packages (RPM, deb, etc) Pre-compiled, and most package managers

do all the work Or the manual way …

Necessary to do any real customization

KERNEL COMPILATION First, need to get kernel source code www.kernel.org Current mainline branch is 2.6 For legacy systems/apps, 2.4 is still available Usually a tar.gz or tar.bz2 Copy to either a temp location, or maybe /usr/src/kernel/

KERNEL COMPILATION, CONT Once you have the compressed archive,

uncompress and extract contents Should make a directory named after the

kernel release i.e. linux-2.6.31.6/

Now go into that directory Should see lots of directories for different

aspects of the system, and a Makefile

KERNEL COMPILATION, CONT Now we need to configure kernel

Select options Choose which items should be modules vs. in

kernel itself To import in the previous system config

make oldconfig The config is stored in the .config file

KERNEL COMPILATION, CONT Want to configure from scratch? Or further

customize? A few different methods

make menuconfig (ncurses) make xconfig (X11 Qt) make gconfig (X11 Gtk)

All basically do the same thing – make selections

KERNEL COMPILATION, CONT Once you’ve done the config and saved it,

time to compile make Will take a while Lots of info will scroll by Don’t worry about warnings, it’s cool Errors would be bad though

KERNEL COMPILATION, CONT Once kernel itself is compiled, must compile

the kernel modules make modules Once that’s done, we need to install the

modules into the correct location in the filesystem

make modules_install

KERNEL COMPILATION, CONT Now we need to install the kernel into the

right spot make install This moves three things to /boot

The system map (symbol lookup in memory) The config The kernel image (vmlinuz)

vm = virtual memory support (from UNIX days) z = compressed

KERNEL COMPILATION Now we have the kernel in place But we need the info necessary to launch init We need an initial filesystem loaded so that

init has what is necessary to load devices and other filesystems (including /)

So we use a temporary, memory contained filesystem – a RAM disk

KERNEL COMPILATION, CONT So we need to create an initrd – a RAM Disk

for init to work with before the real filesystems is mounted

So go to /boot mkinitrd –o initrd.img-<kern-ver> Makes an image of the necessary filesystem

components for that version of the kernel

KERNEL COMPILATION, CONT Now all the pieces are in place One last step – tell the bootloader about it Edit /boot/grub/menu.lst Basically just copy the block from the current

running kernel, change the version info, and you’re done

In most cases, you can usually instead just issue update-grub, but should still check

KERNEL COMPILATION, CONT Example grub block

title Red Hat Enterprise Linux ES (2.6.9-5.ELsmp)root (hd0,0) kernel /boot/vmlinuz root=/dev/hdb1 ro initrd /boot/initrd.img-2.6.25savedefaultboot

KERNEL COMPILATION, CONT Now you can reboot and try it out Check the grub menu for the new kernel you

installed and select it System should boot fine and everything

should work Panic? Reboot, select old kernel, boot into it Retrace your steps, debug kernel, etc