エディッション 8
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
mount Commandproc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Commandsysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directorycommandcat testfile command to view the contents of a file, named testfile, in the current working directory.
file name.bashrc file in your home directory contains bash shell definitions and aliases for your own use.
/etc/fstab file contains information about different system devices and file systems.
webalizer RPM if you want to use a Web server log file analysis program.
ls コマンドを入力し、次に文字を入力し、最後に Tab キーを押してください。ターミナルがディレクトリ内のその文字で始まるファイルのリストを表示します。
computer outputls command displays the contents of a directory. For example:
Desktop about.html logs paulwesterberg.png Mail backupfiles mail reports
prompt$
#
[stephen@maturin stephen]$
leopard login:
user inputtext is displayed in this style:
text command at the boot: prompt.
<replaceable><version-number> is displayed in this style:
/usr/src/kernels/<version-number>/, where <version-number> is the version and type of kernel installed on this system.
/usr/share/doc/ contains additional documentation for packages installed on your system.
http://bugzilla.redhat.com/bugzilla/) against the component Deployment_Guide.
parted utility to manage partitions and access control lists (ACLs) to customize file permissions.
目次
mount Commandproc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Command/usr/ partition as read-only. This second point is important because the directory contains common executables and should not be changed by users. Also, since the /usr/ directory is mounted as read-only, it can be mounted from the CD-ROM or from another machine via a read-only NFS mount.
/boot/ Directory/boot/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly.
/boot/ directory. Doing so renders the system unbootable.
/dev/ Directory/dev/ directory contains device nodes that either represent devices that are attached to the system or virtual devices that are provided by the kernel. These device nodes are essential for the system to function properly. The udev daemon takes care of creating and removing all these device nodes in /dev/.
/dev directory and subdirectories are either character (providing only a serial stream of input/output) or block (accessible randomly). Character devices include mouse, keyboard, modem while block devices include hard disk, floppy drive etc. If you have GNOME or KDE installed in your system, devices such as external drives or cds are automatically detected when connected (e.g via usb) or inserted (e.g via CD or DVD drive) and a popup window displaying the contents is automatically displayed. Files in the /dev directory are essential for the system to function properly.
/dev| File | Description |
|---|---|
| /dev/hda | The master device on primary IDE channel. |
| /dev/hdb | The slave device on primary IDE channel. |
| /dev/tty0 | The first virtual console. |
| /dev/tty1 | The second virtual console. |
| /dev/sda | The first device on primary SCSI or SATA channel. |
| /dev/lp0 | The first parallel port. |
/etc/ Directory/etc/ directory is reserved for configuration files that are local to the machine. No binaries are to be placed in /etc/. Any binaries that were once located in /etc/ should be placed into /sbin/ or /bin/.
/etc are the X11/ and skel/:
/etc |- X11/ |- skel/
/etc/X11/ directory is for X Window System configuration files, such as xorg.conf. The /etc/skel/ directory is for "skeleton" user files, which are used to populate a home directory when a user is first created. Applications also store their configuration files in this directory and may reference them when they are executed.
/lib/ Directory/lib/ directory should contain only those libraries needed to execute the binaries in /bin/ and /sbin/. These shared library images are particularly important for booting the system and executing commands within the root file system.
/media/ Directory/media/ directory contains subdirectories used as mount points for removable media such as usb storage media, DVDs, CD-ROMs, and Zip disks.
/mnt/ Directory/mnt/ directory is reserved for temporarily mounted file systems, such as NFS file system mounts. For all removable media, please use the /media/ directory. Automatically detected removable media will be mounted in the /media directory.
/mnt ディレクトリをインストールプログラムで使用しないで下さい。
/opt/ Directory/opt/ directory provides storage for most application software packages.
/opt/ directory creates a directory bearing the same name as the package. This directory, in turn, holds files that otherwise would be scattered throughout the file system, giving the system administrator an easy way to determine the role of each file within a particular package.
sample is the name of a particular software package located within the /opt/ directory, then all of its files are placed in directories inside the /opt/sample/ directory, such as /opt/sample/bin/ for binaries and /opt/sample/man/ for manual pages.
/opt/ directory, giving that large package a way to organize itself. In this way, our sample package may have different tools that each go in their own sub-directories, such as /opt/sample/tool1/ and /opt/sample/tool2/, each of which can have their own bin/, man/, and other similar directories.
/proc/ Directory/proc/ directory contains special files that either extract information from or send information to the kernel. Examples include system memory, cpu information, hardware configuration etc.
/proc/ and the many ways this directory can be used to communicate with the kernel, an entire chapter has been devoted to the subject. For more information, refer to 4章The proc File System.
/sbin/ Directory/sbin/ directory stores executables used by the root user. The executables in /sbin/ are used at boot time, for system administration and to perform system recovery operations. Of this directory, the FHS says:
/sbincontains binaries essential for booting, restoring, recovering, and/or repairing the system in addition to the binaries in/bin. Programs executed after/usr/is known to be mounted (when there are no problems) are generally placed into/usr/sbin. Locally-installed system administration programs should be placed into/usr/local/sbin.
/sbin/:
arp,clock,halt,init,fsck.*,grub,ifconfig,mingetty,mkfs.*,mkswap,reboot,route,shutdown,swapoff,swapon
/srv/ Directory/srv/ directory contains site-specific data served by your system running Red Hat Enterprise Linux. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the /home/ directory.
/sys/ Directory/sys/ directory utilizes the new sysfs virtual file system specific to the 2.6 kernel. With the increased support for hot plug hardware devices in the 2.6 kernel, the /sys/ directory contains information similarly held in /proc/, but displays a hierarchical view of specific device information in regards to hot plug devices.
/usr/ Directory/usr/ ディレクトリは、複数のマシンで共有することのできるファイル用です。通常、/usr/ディレクトリは独自のパーティション上にあり、読み込み専用でマウントされます。最小限、以下のディレクトリ群を /usr/ のサブディレクトリとする必要があります:
/usr |- bin/ |- etc/ |- games/ |- include/ |- kerberos/ |- lib/ |- libexec/ |- local/ |- sbin/ |- share/ |- src/ |- tmp -> ../var/tmp/
/usr/ directory, the bin/ subdirectory contains executables, etc/ contains system-wide configuration files, games is for games, include/ contains C header files, kerberos/ contains binaries and other Kerberos-related files, and lib/ contains object files and libraries that are not designed to be directly utilized by users or shell scripts. The libexec/ directory contains small helper programs called by other programs, sbin/ is for system administration binaries (those that do not belong in the /sbin/ directory), share/ contains files that are not architecture-specific, src/ is for source code.
/usr/local/ DirectoryThe/usr/localhierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated. It may be used for programs and data that are shareable among a group of hosts, but not found in/usr.
/usr/local/ directory is similar in structure to the /usr/ directory. It has the following subdirectories, which are similar in purpose to those in the /usr/ directory:
/usr/local |- bin/ |- etc/ |- games/ |- include/ |- lib/ |- libexec/ |- sbin/ |- share/ |- src/
/usr/local/ directory is slightly different from that specified by the FHS. The FHS says that /usr/local/ should be where software that is to remain safe from system software upgrades is stored. Since software upgrades can be performed safely with RPM Package Manager (RPM), it is not necessary to protect files by putting them in /usr/local/. Instead, the /usr/local/ directory is used for software that is local to the machine.
/usr/ directory is mounted as a read-only NFS share from a remote host, it is still possible to install a package or program under the /usr/local/ directory.
/var/ Directory/usr/ as read-only, any programs that write log files or need spool/ or lock/ directories should write them to the /var/ directory. The FHS states /var/ is for:
...variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files.
/var/ directory:
/var
|- account/
|- arpwatch/
|- cache/
|- crash/
|- db/
|- empty/
|- ftp/
|- gdm/
|- kerberos/
|- lib/
|- local/
|- lock/
|- log/
|- mail -> spool/mail/
|- mailman/
|- named/
|- nis/
|- opt/
|- preserve/
|- run/
+- spool/
|- at/
|- clientmqueue/
|- cron/
|- cups/
|- exim/
|- lpd/
|- mail/
|- mailman/
|- mqueue/
|- news/
|- postfix/
|- repackage/
|- rwho/
|- samba/
|- squid/
|- squirrelmail/
|- up2date/
|- uucp
|- uucppublic/
|- vbox/
|- tmp/
|- tux/
|- www/
|- yp/messages and lastlog, go in the /var/log/ directory. The /var/lib/rpm/ directory contains RPM system databases. Lock files go in the /var/lock/ directory, usually in directories for the program using the file. The /var/spool/ directory has subdirectories for programs in which data files are stored.
/var/lib/rpm/ directory. For more information on RPM, refer to the chapter 11章RPMによるパッケージ管理.
/var/cache/yum/ directory contains files used by the Package Updater, including RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about Red Hat Network, refer to 14章Product Subscriptions and Entitlements.
/etc/sysconfig/ directory. This directory stores a variety of configuration information. Many scripts that run at boot time use the files in this directory. Refer to 30章The sysconfig Directory for more information about what is within this directory and the role these files play in the boot process.
mount Commandmount or umount command respectively. This chapter describes the basic usage of these commands, and covers some advanced topics such as moving a mount point or creating shared subtrees.
mount command with no additional arguments:
mountdeviceondirectorytypetype(options)
sysfs, tmpfs, and others. To display only the devices with a certain file system type, supply the -t option on the command line:
mount-ttype
mount command to list the mounted file systems, see 例2.1「Listing Currently Mounted ext3 File Systems」.
ext3 File Systems/ and /boot partitions are formatted to use ext3. To display only the mount points that use this file system, type the following at a shell prompt:
~]$ mount -t ext3
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
/dev/vda1 on /boot type ext3 (rw)mount command in the following form:
mount[option…]devicedirectory
mount command is run, it reads the content of the /etc/fstab configuration file to see if the given file system is listed. This file contains a list of device names and the directory in which the selected file systems should be mounted, as well as the file system type and mount options. Because of this, when you are mounting a file system that is specified in this file, you can use one of the following variants of the command:
mount[option…]directorymount[option…]device
root, you must have permissions to mount the file system (see 「Specifying the Mount Options」).
mount detects the file system automatically. However, there are certain file systems, such as NFS (Network File System) or CIFS (Common Internet File System), that are not recognized, and need to be specified manually. To specify the file system type, use the mount command in the following form:
mount-ttypedevicedirectory
mount command. For a complete list of all available file system types, consult the relevant manual page as referred to in 「Installed Documentation」.
| Type | Description |
|---|---|
ext2
|
The ext2 file system.
|
ext3
|
The ext3 file system.
|
iso9660
|
The ISO 9660 file system. It is commonly used by optical media, typically CDs.
|
jfs
|
The JFS file system created by IBM.
|
nfs
|
The NFS file system. It is commonly used to access files over the network.
|
nfs4
|
The NFSv4 file system. It is commonly used to access files over the network.
|
ntfs
|
The NTFS file system. It is commonly used on machines that are running the Windows operating system.
|
udf
|
The UDF file system. It is commonly used by optical media, typically DVDs.
|
vfat
|
The FAT file system. It is commonly used on machines that are running the Windows operating system, and on certain digital media such as USB flash drives or floppy disks.
|
/dev/sdc1 device and that the /media/flashdisk/ directory exists, you can mount it to this directory by typing the following at a shell prompt as root:
~]# mount -t vfat /dev/sdc1 /media/flashdiskmount-ooptions
mount will incorrectly interpret the values following spaces as additional parameters.
| Option | Description |
|---|---|
async
| Allows the asynchronous input/output operations on the file system. |
auto
|
Allows the file system to be mounted automatically using the mount -a command.
|
defaults
|
Provides an alias for async,auto,dev,exec,nouser,rw,suid.
|
exec
| Allows the execution of binary files on the particular file system. |
loop
| Mounts an image as a loop device. |
noauto
|
Disallows the automatic mount of the file system using the mount -a command.
|
noexec
| Disallows the execution of binary files on the particular file system. |
nouser
|
Disallows an ordinary user (that is, other than root) to mount and unmount the file system.
|
remount
| Remounts the file system in case it is already mounted. |
ro
| Mounts the file system for reading only. |
rw
| Mounts the file system for both reading and writing. |
user
|
Allows an ordinary user (that is, other than root) to mount and unmount the file system.
|
/media/cdrom/ directory exists, you can mount the image to this directory by running the following command as root:
~]# mount -o ro,loop Fedora-14-x86_64-Live-Desktop.iso /media/cdrommount command implements the --bind option that provides a means for duplicating certain mounts. Its usage is as follows:
mount--bindold_directorynew_directory
mount--rbindold_directorynew_directory
mount--make-sharedmount_point
mount--make-rsharedmount_point
mount--make-slavemount_point
mount--make-rslavemount_point
/media directory to appear in /mnt as well, but you do not want any mounts in the /mnt directory to be reflected in /media. To do so, as root, first mark the /media directory as 「shared」:
~]#mount --bind /media /media~]#mount --make-shared /media
/mnt, but mark it as 「slave」:
~]#mount --bind /media /mnt~]#mount --make-slave /mnt
/media also appears in /mnt. For example, if you have non-empty media in your CD-ROM drive and the /media/cdrom/ directory exists, run the following commands:
~]#mount /dev/cdrom /media/cdrom~]#ls /media/cdromEFI GPL isolinux LiveOS ~]#ls /mnt/cdromEFI GPL isolinux LiveOS
/mnt directory are not reflected in /media. For instance, if you have a non-empty USB flash drive that uses the /dev/sdc1 device plugged in and the /mnt/flashdisk/ directory is present, type: :
~]#mount /dev/sdc1 /mnt/flashdisk~]#ls /media/flashdisk~]#ls /mnt/flashdisken-US publican.cfg
mount--make-privatemount_point
mount--make-rprivatemount_point
root:
~]#mount --bind /media /media~]#mount --make-shared /media~]#mount --bind /media /mnt
/mnt directory as 「private」, type:
~]# mount --make-private /mnt/media appears in /mnt. For example, if you have non-empty media in your CD-ROM drive and the /media/cdrom/ directory exists, run the following commands:
~]#mount /dev/cdrom /media/cdrom~]#ls /media/cdromEFI GPL isolinux LiveOS ~]#ls /mnt/cdrom~]#
/mnt directory are not reflected in /media. For instance, if you have a non-empty USB flash drive that uses the /dev/sdc1 device plugged in and the /mnt/flashdisk/ directory is present, type:
~]#mount /dev/sdc1 /mnt/flashdisk~]#ls /media/flashdisk~]#ls /mnt/flashdisken-US publican.cfg
mount--make-unbindablemount_point
mount--make-runbindablemount_point
/media directory from being shared, as root, type the following at a shell prompt:
~]#mount --bind /media /media~]#mount --make-unbindable /media
~]# mount --bind /media /mnt
mount: wrong fs type, bad option, bad superblock on /media/,
missing code page or other error
In some cases useful info is found in syslog - try
dmesg | tail or somount--moveold_directorynew_directory
/mnt/userdirs/, as root, you can move this mount point to /home by using the following command:
~]# mount --move /mnt/userdirs /home~]#ls /mnt/userdirs~]#ls /homejill joe
umount command:
umountdirectoryumountdevice
root, you must have permissions to unmount the file system (see 「Specifying the Mount Options」). See 例2.9「Unmounting a CD」 for an example usage.
umount command will fail with an error. To determine which processes are accessing the file system, use the fuser command in the following form:
fuser-mdirectory
/media/cdrom/ directory, type:
~]$ fuser -m /media/cdrom
/media/cdrom: 1793 2013 2022 2435 10532c 10672c/media/cdrom/ directory, type the following at a shell prompt:
~]$ umount /media/cdromman 8 mount — The manual page for the mount command that provides a full documentation on its usage.
man 8 umount — The manual page for the umount command that provides a full documentation on its usage.
man 5 fstab — The manual page providing a thorough description of the /etc/fstab file format.
e2fsck program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. During this time, any data on the volumes is unreachable.
mkfs.
e2label.
tune2fs allows you to convert an ext2 filesystem to ext3.
tune2fs を使用する前と後には、常に e2fsck ユーティリティを使用してファイルシステムをチェックして下さい。Red Hat Enterprise Linux の デフォルトインストールは全てのファイルシステムに ext3 を使用しています。
ext2 ファイルシステムから ext3 へ変換するには、 root でログインしてターミナルで次のようにタイプします:
tune2fs -j <block_device><block_device> contains the ext2 filesystem you wish to convert.
/dev/mapper/VolGroup00-LogVol02.
/dev/hdbX, where hdb is a storage device name and X is the partition number.
df command to display mounted file systems.
/dev/mapper/VolGroup00-LogVol02
mkinitrd program. For information on using the mkinitrd command, type man mkinitrd. Also, make sure your GRUB configuration loads the initrd.
umount /dev/mapper/VolGroup00-LogVol02tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol02e2fsck -y /dev/mapper/VolGroup00-LogVol02mount -t ext2 /dev/mapper/VolGroup00-LogVol02 /mount/point/mount/point をパーティションのマウントポイントで置き換えます。
.journal file at the root level of the partition by changing to the directory where it is mounted and typing:
rm -f .journal/etc/fstab file.
proc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Command/proc/ directory — also called the proc file system — contains a hierarchy of special files which represent the current state of the kernel — allowing applications and users to peer into the kernel's view of the system.
/proc/ directory, one can find a wealth of information detailing the system hardware and any processes currently running. In addition, some of the files within the /proc/ directory tree can be manipulated by users and applications to communicate configuration changes to the kernel.
/proc/ directory contains another type of file called a virtual file. It is for this reason that /proc/ is often referred to as a virtual file system.
/proc/interrupts, /proc/meminfo, /proc/mounts, and /proc/partitions provide an up-to-the-moment glimpse of the system's hardware. Others, like the /proc/filesystems file and the /proc/sys/ directory provide system configuration information and interfaces.
/proc/ide/ contains information for all physical IDE devices. Likewise, process directories contain information about each running process on the system.
cat, more, or less commands on files within the /proc/ directory, users can immediately access enormous amounts of information about the system. For example, to display the type of CPU a computer has, type cat /proc/cpuinfo to receive output similar to the following:
processor : 0 vendor_id : AuthenticAMD cpu family : 5 model : 9 model name : AMD-K6(tm) 3D+ Processor stepping : 1 cpu MHz : 400.919 cache size : 256 KB fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 1 wp : yes flags : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr bogomips : 799.53
/proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, apm, free, and top.
/proc/ directory are readable only by the root user.
/proc/ directory are read-only. However, some can be used to adjust settings in the kernel. This is especially true for files in the /proc/sys/ subdirectory.
echo command and a greater than symbol (>) to redirect the new value to the file. For example, to change the hostname on the fly, type:
echo www.example.com > /proc/sys/kernel/hostname cat /proc/sys/net/ipv4/ip_forward returns either a 0 or a 1. A 0 indicates that the kernel is not forwarding network packets. Using the echo command to change the value of the ip_forward file to 1 immediately turns packet forwarding on.
/proc/sys/ subdirectory is /sbin/sysctl. For more information on this command, refer to 「Using the sysctl Command」
/proc/sys/ subdirectory, refer to 「 /proc/sys/ 」.
proc File System/proc/ directory.
/proc/apm apm command. If a system with no battery is connected to an AC power source, this virtual file would look similar to the following:
1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ?
apm -v command on such a system results in output similar to the following:
APM BIOS 1.2 (kernel driver 1.16ac) AC on-line, no system battery
apm is able do little more than put the machine in standby mode. The apm command is much more useful on laptops. For example, the following output is from the command cat /proc/apm on a laptop while plugged into a power outlet:
1.16 1.2 0x03 0x01 0x03 0x09 100% -1 ?
apm file changes to something like the following:
1.16 1.2 0x03 0x00 0x00 0x01 99% 1792 min
apm -v command now yields more useful data, such as the following:
APM BIOS 1.2 (kernel driver 1.16) AC off-line, battery status high: 99% (1 day, 5:52)
/proc/buddyinfo DMA row references the first 16 MB on a system, the HighMem row references all memory greater than 4 GB on a system, and the Normal row references all memory in between.
/proc/buddyinfo:
Node 0, zone DMA 90 6 2 1 1 ... Node 0, zone Normal 1650 310 5 0 0 ... Node 0, zone HighMem 2 0 0 1 1 ...
/proc/cmdline /proc/cmdline file looks like the following:
ro root=/dev/VolGroup00/LogVol00 rhgb quiet 3
ro on the kernel boot line overrides any instances of rw.
/proc/cmdline output, the root filesystem image is located on the first logical volume (LogVol00) of the first LVM volume group (VolGroup00). On a system not using Logical Volume Management, the root file system might be located on /dev/sda1 or /dev/sda2, meaning on either the first or second partition of the first SCSI or SATA disk drive, depending on whether we have a separate (preceding) boot or swap partition on that drive.
/etc/inittab shows that the default runlevel is set to 5 with a line like this:
id:5:initdefault:
/proc/cpuinfo /proc/cpuinfo:
processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 2 model name : Intel(R) Xeon(TM) CPU 2.40GHz stepping : 7 cpu MHz : 2392.371 cache size : 512 KB physical id : 0 siblings : 2 runqueue : 0 fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm bogomips : 4771.02
processor — Provides each processor with an identifying number. On systems that have one processor, only a 0 is present.
cpu family — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of "86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386. Because some RPM packages are compiled for each of these particular architectures, this value also helps users determine which packages to install.
model name — Displays the common name of the processor, including its project name.
cpu MHz — Shows the precise speed in megahertz for the processor to the thousandths decimal place.
cache size — Displays the amount of level 2 memory cache available to the processor.
siblings — Displays the number of sibling CPUs on the same physical CPU for architectures which use hyper-threading.
flags — Defines a number of different qualities about the processor, such as the presence of a floating point unit (FPU) and the ability to process MMX instructions.
/proc/crypto /proc/crypto file looks like the following:
name : sha1 module : kernel type : digest blocksize : 64 digestsize : 20 name : md5 module : md5 type : digest blocksize : 64 digestsize : 16
/proc/devices Character devices: 1 mem 4 /dev/vc/0 4 tty 4 ttyS 5 /dev/tty 5 /dev/console 5 /dev/ptmx 7 vcs 10 misc 13 input 29 fb 36 netlink 128 ptm 136 pts 180 usb Block devices: 1 ramdisk 3 ide0 9 md 22 ide1 253 device-mapper 254 mdp
/proc/devices includes the major number and name of the device, and is broken into two major sections: Character devices and Block devices.
/usr/share/doc/kernel-doc-<version>/Documentation/devices.txt/proc/dma /proc/dma files looks like the following:
4: cascade
/proc/execdomains 0-0 Linux [kernel]
PER_LINUX execution domain, different personalities can be implemented as dynamically loadable modules.
/proc/fb /proc/fb for systems which contain frame buffer devices looks similar to the following:
0 VESA VGA
/proc/filesystems /proc/filesystems file looks similar to the following:
nodev sysfs nodev rootfs nodev bdev nodev proc nodev sockfs nodev binfmt_misc nodev usbfs nodev usbdevfs nodev futexfs nodev tmpfs nodev pipefs nodev eventpollfs nodev devpts ext2 nodev ramfs nodev hugetlbfs iso9660 nodev mqueue ext3 nodev rpc_pipefs nodev autofs
nodev are not mounted on a device. The second column lists the names of the file systems supported.
mount command cycles through the file systems listed here when one is not specified as an argument.
/proc/interrupts /proc/interrupts looks similar to the following:
CPU0 0: 80448940 XT-PIC timer 1: 174412 XT-PIC keyboard 2: 0 XT-PIC cascade 8: 1 XT-PIC rtc 10: 410964 XT-PIC eth0 12: 60330 XT-PIC PS/2 Mouse 14: 1314121 XT-PIC ide0 15: 5195422 XT-PIC ide1 NMI: 0 ERR: 0
CPU0 CPU1 0: 1366814704 0 XT-PIC timer 1: 128 340 IO-APIC-edge keyboard 2: 0 0 XT-PIC cascade 8: 0 1 IO-APIC-edge rtc 12: 5323 5793 IO-APIC-edge PS/2 Mouse 13: 1 0 XT-PIC fpu 16: 11184294 15940594 IO-APIC-level Intel EtherExpress Pro 10/100 Ethernet 20: 8450043 11120093 IO-APIC-level megaraid 30: 10432 10722 IO-APIC-level aic7xxx 31: 23 22 IO-APIC-level aic7xxx NMI: 0 ERR: 0
XT-PIC — This is the old AT computer interrupts.
IO-APIC-edge — The voltage signal on this interrupt transitions from low to high, creating an edge, where the interrupt occurs and is only signaled once. This kind of interrupt, as well as the IO-APIC-level interrupt, are only seen on systems with processors from the 586 family and higher.
IO-APIC-level — Generates interrupts when its voltage signal is high until the signal is low again.
/proc/iomem 00000000-0009fbff : System RAM 0009fc00-0009ffff : reserved 000a0000-000bffff : Video RAM area 000c0000-000c7fff : Video ROM 000f0000-000fffff : System ROM 00100000-07ffffff : System RAM 00100000-00291ba8 : Kernel code 00291ba9-002e09cb : Kernel data e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3] e4000000-e7ffffff : PCI Bus #01 e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP e5000000-e57fffff : Matrox Graphics, Inc. MGA G200 AGP e8000000-e8ffffff : PCI Bus #01 e8000000-e8ffffff : Matrox Graphics, Inc. MGA G200 AGP ea000000-ea00007f : Digital Equipment Corporation DECchip 21140 [FasterNet] ea000000-ea00007f : tulip ffff0000-ffffffff : reserved
/proc/ioports /proc/ioports provides a list of currently registered port regions used for input or output communication with a device. This file can be quite long. The following is a partial listing:
0000-001f : dma1 0020-003f : pic1 0040-005f : timer 0060-006f : keyboard 0070-007f : rtc 0080-008f : dma page reg 00a0-00bf : pic2 00c0-00df : dma2 00f0-00ff : fpu 0170-0177 : ide1 01f0-01f7 : ide0 02f8-02ff : serial(auto) 0376-0376 : ide1 03c0-03df : vga+ 03f6-03f6 : ide0 03f8-03ff : serial(auto) 0cf8-0cff : PCI conf1 d000-dfff : PCI Bus #01 e000-e00f : VIA Technologies, Inc. Bus Master IDE e000-e007 : ide0 e008-e00f : ide1 e800-e87f : Digital Equipment Corporation DECchip 21140 [FasterNet] e800-e87f : tulip
/proc/kcore /proc/ files, kcore displays a size. This value is given in bytes and is equal to the size of the physical memory (RAM) used plus 4 KB.
gdb, and is not human readable.
/proc/kcore virtual file. The contents of the file scramble text output on the terminal. If this file is accidentally viewed, press Ctrl+C to stop the process and then type reset to bring back the command line prompt.
/proc/kmsg /sbin/klogd or /bin/dmesg.
/proc/loadavg uptime and other commands. A sample /proc/loadavg file looks similar to the following:
0.20 0.18 0.12 1/80 11206
/proc/locks /proc/locks file for a lightly loaded system looks similar to the following:
1: POSIX ADVISORY WRITE 3568 fd:00:2531452 0 EOF 2: FLOCK ADVISORY WRITE 3517 fd:00:2531448 0 EOF 3: POSIX ADVISORY WRITE 3452 fd:00:2531442 0 EOF 4: POSIX ADVISORY WRITE 3443 fd:00:2531440 0 EOF 5: POSIX ADVISORY WRITE 3326 fd:00:2531430 0 EOF 6: POSIX ADVISORY WRITE 3175 fd:00:2531425 0 EOF 7: POSIX ADVISORY WRITE 3056 fd:00:2548663 0 EOF
FLOCK signifying the older-style UNIX file locks from a flock system call and POSIX representing the newer POSIX locks from the lockf system call.
ADVISORY or MANDATORY. ADVISORY means that the lock does not prevent other people from accessing the data; it only prevents other attempts to lock it. MANDATORY means that no other access to the data is permitted while the lock is held. The fourth column reveals whether the lock is allowing the holder READ or WRITE access to the file. The fifth column shows the ID of the process holding the lock. The sixth column shows the ID of the file being locked, in the format of MAJOR-DEVICE:MINOR-DEVICE:INODE-NUMBER /proc/mdstat /proc/mdstat looks similar to the following:
Personalities : read_ahead not set unused devices: <none>
md device is present. In that case, view /proc/mdstat to find the current status of mdX RAID devices.
/proc/mdstat file below shows a system with its md0 configured as a RAID 1 device, while it is currently re-syncing the disks:
Personalities : [linear] [raid1] read_ahead 1024 sectors md0: active raid1 sda2[1] sdb2[0] 9940 blocks [2/2] [UU] resync=1% finish=12.3min algorithm 2 [3/3] [UUU] unused devices: <none>
/proc/meminfo /proc/ directory, as it reports a large amount of valuable information about the systems RAM usage.
/proc/meminfo virtual file is from a system with 256 MB of RAM and 512 MB of swap space:
MemTotal: 255908 kB MemFree: 69936 kB Buffers: 15812 kB Cached: 115124 kB SwapCached: 0 kB Active: 92700 kB Inactive: 63792 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 255908 kB LowFree: 69936 kB SwapTotal: 524280 kB SwapFree: 524280 kB Dirty: 4 kB Writeback: 0 kB Mapped: 42236 kB Slab: 25912 kB Committed_AS: 118680 kB PageTables: 1236 kB VmallocTotal: 3874808 kB VmallocUsed: 1416 kB VmallocChunk: 3872908 kB HugePages_Total: 0 HugePages_Free: 0 Hugepagesize: 4096 kB
free, top, and ps commands. In fact, the output of the free command is similar in appearance to the contents and structure of /proc/meminfo. But by looking directly at /proc/meminfo, more details are revealed:
MemTotal — Total amount of physical RAM, in kilobytes.
MemFree — The amount of physical RAM, in kilobytes, left unused by the system.
Buffers — The amount of physical RAM, in kilobytes, used for file buffers.
Cached — The amount of physical RAM, in kilobytes, used as cache memory.
SwapCached — The amount of swap, in kilobytes, used as cache memory.
Active — The total amount of buffer or page cache memory, in kilobytes, that is in active use. This is memory that has been recently used and is usually not reclaimed for other purposes.
Inactive — The total amount of buffer or page cache memory, in kilobytes, that are free and available. This is memory that has not been recently used and can be reclaimed for other purposes.
HighTotal and HighFree — The total and free amount of memory, in kilobytes, that is not directly mapped into kernel space. The HighTotal value can vary based on the type of kernel used.
LowTotal and LowFree — The total and free amount of memory, in kilobytes, that is directly mapped into kernel space. The LowTotal value can vary based on the type of kernel used.
SwapTotal — The total amount of swap available, in kilobytes.
SwapFree — The total amount of swap free, in kilobytes.
Dirty — The total amount of memory, in kilobytes, waiting to be written back to the disk.
Writeback — The total amount of memory, in kilobytes, actively being written back to the disk.
Mapped — The total amount of memory, in kilobytes, which have been used to map devices, files, or libraries using the mmap command.
Slab — The total amount of memory, in kilobytes, used by the kernel to cache data structures for its own use.
Committed_AS — The total amount of memory, in kilobytes, estimated to complete the workload. This value represents the worst case scenario value, and also includes swap memory.
PageTables — The total amount of memory, in kilobytes, dedicated to the lowest page table level.
VMallocTotal — The total amount of memory, in kilobytes, of total allocated virtual address space.
VMallocUsed — The total amount of memory, in kilobytes, of used virtual address space.
VMallocChunk — The largest contiguous block of memory, in kilobytes, of available virtual address space.
HugePages_Total — The total number of hugepages for the system. The number is derived by dividing Hugepagesize by the megabytes set aside for hugepages specified in /proc/sys/vm/hugetlb_pool. This statistic only appears on the x86, Itanium, and AMD64 architectures.
HugePages_Free — The total number of hugepages available for the system. This statistic only appears on the x86, Itanium, and AMD64 architectures.
Hugepagesize — The size for each hugepages unit in kilobytes. By default, the value is 4096 KB on uniprocessor kernels for 32 bit architectures. For SMP, hugemem kernels, and AMD64, the default is 2048 KB. For Itanium architectures, the default is 262144 KB. This statistic only appears on the x86, Itanium, and AMD64 architectures.
/proc/misc 63 device-mapper 175 agpgart 135 rtc 134 apm_bios
/proc/modules /proc/modules file output:
/sbin/lsmod command.
nfs 170109 0 - Live 0x129b0000 lockd 51593 1 nfs, Live 0x128b0000 nls_utf8 1729 0 - Live 0x12830000 vfat 12097 0 - Live 0x12823000 fat 38881 1 vfat, Live 0x1287b000 autofs4 20293 2 - Live 0x1284f000 sunrpc 140453 3 nfs,lockd, Live 0x12954000 3c59x 33257 0 - Live 0x12871000 uhci_hcd 28377 0 - Live 0x12869000 md5 3777 1 - Live 0x1282c000 ipv6 211845 16 - Live 0x128de000 ext3 92585 2 - Live 0x12886000 jbd 65625 1 ext3, Live 0x12857000 dm_mod 46677 3 - Live 0x12833000
Live, Loading, or Unloading are the only possible values.
oprofile.
/proc/mounts rootfs / rootfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 none /dev ramfs rw 0 0 /dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0 none /dev ramfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 /sys /sys sysfs rw 0 0 none /dev/pts devpts rw 0 0 usbdevfs /proc/bus/usb usbdevfs rw 0 0 /dev/hda1 /boot ext3 rw 0 0 none /dev/shm tmpfs rw 0 0 none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0 sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
/etc/mtab, except that /proc/mount is more up-to-date.
ro) or read-write (rw). The fifth and sixth columns are dummy values designed to match the format used in /etc/mtab.
/proc/mtrr /proc/mtrr file may look similar to the following:
reg00: base=0x00000000 ( 0MB), size= 256MB: write-back, count=1 reg01: base=0xe8000000 (3712MB), size= 32MB: write-combining, count=1
/proc/mtrr file can increase performance more than 150%.
/usr/share/doc/kernel-doc-<version>/Documentation/mtrr.txt/proc/partitions major minor #blocks name 3 0 19531250 hda 3 1 104391 hda1 3 2 19422585 hda2 253 0 22708224 dm-0 253 1 524288 dm-1
major — The major number of the device with this partition. The major number in the /proc/partitions, (3), corresponds with the block device ide0, in /proc/devices.
minor — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition.
#blocks — Lists the number of physical disk blocks contained in a particular partition.
name — The name of the partition.
/proc/pci /proc/pci can be rather long. A sampling of this file from a basic system looks similar to the following:
Bus 0, device 0, function 0: Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff]. Bus 0, device 1, function 0: PCI bridge: Intel Corporation 440BX/ZX - 82443BX/ZX AGP bridge (rev 3). Master Capable. Latency=64. Min Gnt=128. Bus 0, device 4, function 0: ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 2). Bus 0, device 4, function 1: IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 1). Master Capable. Latency=32. I/O at 0xd800 [0xd80f]. Bus 0, device 4, function 2: USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 1). IRQ 5. Master Capable. Latency=32. I/O at 0xd400 [0xd41f]. Bus 0, device 4, function 3: Bridge: Intel Corporation 82371AB PIIX4 ACPI (rev 2). IRQ 9. Bus 0, device 9, function 0: Ethernet controller: Lite-On Communications Inc LNE100TX (rev 33). IRQ 5. Master Capable. Latency=32. I/O at 0xd000 [0xd0ff]. Bus 0, device 12, function 0: VGA compatible controller: S3 Inc. ViRGE/DX or /GX (rev 1). IRQ 11. Master Capable. Latency=32. Min Gnt=4.Max Lat=255.
lspci -vb/proc/slabinfo /proc/slabinfo file manually, the /usr/bin/slabtop program displays kernel slab cache information in real time. This program allows for custom configurations, including column sorting and screen refreshing.
/usr/bin/slabtop usually looks like the following example:
Active / Total Objects (% used) : 133629 / 147300 (90.7%) Active / Total Slabs (% used) : 11492 / 11493 (100.0%) Active / Total Caches (% used) : 77 / 121 (63.6%) Active / Total Size (% used) : 41739.83K / 44081.89K (94.7%) Minimum / Average / Maximum Object : 0.01K / 0.30K / 128.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 44814 43159 96% 0.62K 7469 6 29876K ext3_inode_cache 36900 34614 93% 0.05K 492 75 1968K buffer_head 35213 33124 94% 0.16K 1531 23 6124K dentry_cache 7364 6463 87% 0.27K 526 14 2104K radix_tree_node 2585 1781 68% 0.08K 55 47 220K vm_area_struct 2263 2116 93% 0.12K 73 31 292K size-128 1904 1125 59% 0.03K 16 119 64K size-32 1666 768 46% 0.03K 14 119 56K anon_vma 1512 1482 98% 0.44K 168 9 672K inode_cache 1464 1040 71% 0.06K 24 61 96K size-64 1320 820 62% 0.19K 66 20 264K filp 678 587 86% 0.02K 3 226 12K dm_io 678 587 86% 0.02K 3 226 12K dm_tio 576 574 99% 0.47K 72 8 288K proc_inode_cache 528 514 97% 0.50K 66 8 264K size-512 492 372 75% 0.09K 12 41 48K bio 465 314 67% 0.25K 31 15 124K size-256 452 331 73% 0.02K 2 226 8K biovec-1 420 420 100% 0.19K 21 20 84K skbuff_head_cache 305 256 83% 0.06K 5 61 20K biovec-4 290 4 1% 0.01K 1 290 4K revoke_table 264 264 100% 4.00K 264 1 1056K size-4096 260 256 98% 0.19K 13 20 52K biovec-16 260 256 98% 0.75K 52 5 208K biovec-64
/proc/slabinfo that are included into /usr/bin/slabtop include:
OBJS — The total number of objects (memory blocks), including those in use (allocated), and some spares not in use.
ACTIVE — The number of objects (memory blocks) that are in use (allocated).
USE — Percentage of total objects that are active. ((ACTIVE/OBJS)(100))
OBJ SIZE — The size of the objects.
SLABS — The total number of slabs.
OBJ/SLAB — The number of objects that fit into a slab.
CACHE SIZE — The cache size of the slab.
NAME — The name of the slab.
/usr/bin/slabtop program, refer to the slabtop man page.
/proc/stat /proc/stat, which can be quite long, usually begins like the following example:
cpu 259246 7001 60190 34250993 137517 772 0 cpu0 259246 7001 60190 34250993 137517 772 0 intr 354133732 347209999 2272 0 4 4 0 0 3 1 1249247 0 0 80143 0 422626 5169433 ctxt 12547729 btime 1093631447 processes 130523 procs_running 1 procs_blocked 0 preempt 5651840 cpu 209841 1554 21720 118519346 72939 154 27168 cpu0 42536 798 4841 14790880 14778 124 3117 cpu1 24184 569 3875 14794524 30209 29 3130 cpu2 28616 11 2182 14818198 4020 1 3493 cpu3 35350 6 2942 14811519 3045 0 3659 cpu4 18209 135 2263 14820076 12465 0 3373 cpu5 20795 35 1866 14825701 4508 0 3615 cpu6 21607 0 2201 14827053 2325 0 3334 cpu7 18544 0 1550 14831395 1589 0 3447 intr 15239682 14857833 6 0 6 6 0 5 0 1 0 0 0 29 0 2 0 0 0 0 0 0 0 94982 0 286812 ctxt 4209609 btime 1078711415 processes 21905 procs_running 1 procs_blocked 0
cpu — Measures the number of jiffies (1/100 of a second for x86 systems) that the system has been in user mode, user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively. The IRQ (hardirq) is the direct response to a hardware event. The IRQ takes minimal work for queuing the "heavy" work up for the softirq to execute. The softirq runs at a lower priority than the IRQ and therefore may be interrupted more frequently. The total for all CPUs is given at the top, while each individual CPU is listed below with its own statistics. The following example is a 4-way Intel Pentium Xeon configuration with multi-threading enabled, therefore showing four physical processors and four virtual processors totaling eight processors.
page — The number of memory pages the system has written in and out to disk.
swap — The number of swap pages the system has brought in and out.
intr — The number of interrupts the system has experienced.
btime — The boot time, measured in the number of seconds since January 1, 1970, otherwise known as the epoch.
/proc/swaps /proc/swaps may look similar to the following:
Filename Type Size Used Priority /dev/mapper/VolGroup00-LogVol01 partition 524280 0 -1
/proc/ directory, /proc/swaps provides a snapshot of every swap file name, the type of swap space, the total size, and the amount of space in use (in kilobytes). The priority column is useful when multiple swap files are in use. The lower the priority, the more likely the swap file is to be used.
/proc/sysrq-trigger echo command to write to this file, a remote root user can execute most System Request Key commands remotely as if at the local terminal. To echo values to this file, the /proc/sys/kernel/sysrq must be set to a value other than 0. For more information about the System Request Key, refer to 「 /proc/sys/kernel/ 」.
/proc/uptime /proc/uptime is quite minimal:
350735.47 234388.90
/proc/version gcc in use, as well as the version of Red Hat Enterprise Linux installed on the system:
Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 \ (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004
/proc/ /proc/ directory.
/proc/ directory contains a number of directories with numerical names. A listing of them may be similar to the following:
dr-xr-xr-x 3 root root 0 Feb 13 01:28 1 dr-xr-xr-x 3 root root 0 Feb 13 01:28 1010 dr-xr-xr-x 3 xfs xfs 0 Feb 13 01:28 1087 dr-xr-xr-x 3 daemon daemon 0 Feb 13 01:28 1123 dr-xr-xr-x 3 root root 0 Feb 13 01:28 11307 dr-xr-xr-x 3 apache apache 0 Feb 13 01:28 13660 dr-xr-xr-x 3 rpc rpc 0 Feb 13 01:28 637 dr-xr-xr-x 3 rpcuser rpcuser 0 Feb 13 01:28 666
/proc/ process directory vanishes.
cmdline — Contains the command issued when starting the process.
cwd — A symbolic link to the current working directory for the process.
environ — A list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters.
exe — A symbolic link to the executable of this process.
fd — A directory containing all of the file descriptors for a particular process. These are given in numbered links:
total 0 lrwx------ 1 root root 64 May 8 11:31 0 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 1 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 2 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 3 -> /dev/ptmx lrwx------ 1 root root 64 May 8 11:31 4 -> socket:[7774817] lrwx------ 1 root root 64 May 8 11:31 5 -> /dev/ptmx lrwx------ 1 root root 64 May 8 11:31 6 -> socket:[7774829] lrwx------ 1 root root 64 May 8 11:31 7 -> /dev/ptmx
maps — A list of memory maps to the various executables and library files associated with this process. This file can be rather long, depending upon the complexity of the process, but sample output from the sshd process begins like the following:
08048000-08086000 r-xp 00000000 03:03 391479 /usr/sbin/sshd 08086000-08088000 rw-p 0003e000 03:03 391479 /usr/sbin/sshd 08088000-08095000 rwxp 00000000 00:00 0 40000000-40013000 r-xp 0000000 03:03 293205 /lib/ld-2.2.5.so 40013000-40014000 rw-p 00013000 03:03 293205 /lib/ld-2.2.5.so 40031000-40038000 r-xp 00000000 03:03 293282 /lib/libpam.so.0.75 40038000-40039000 rw-p 00006000 03:03 293282 /lib/libpam.so.0.75 40039000-4003a000 rw-p 00000000 00:00 0 4003a000-4003c000 r-xp 00000000 03:03 293218 /lib/libdl-2.2.5.so 4003c000-4003d000 rw-p 00001000 03:03 293218 /lib/libdl-2.2.5.so
mem — The memory held by the process. This file cannot be read by the user.
root — A link to the root directory of the process.
stat — The status of the process.
statm — The status of the memory in use by the process. Below is a sample /proc/statm file:
263 210 210 5 0 205 0
status — The status of the process in a more readable form than stat or statm. Sample output for sshd looks similar to the following:
Name: sshd State: S (sleeping) Tgid: 797 Pid: 797 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: VmSize: 3072 kB VmLck: 0 kB VmRSS: 840 kB VmData: 104 kB VmStk: 12 kB VmExe: 300 kB VmLib: 2528 kB SigPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 8000000000001000 SigCgt: 0000000000014005 CapInh: 0000000000000000 CapPrm: 00000000fffffeff CapEff: 00000000fffffeff
S (sleeping) or R (running)), user/group ID running the process, and detailed data regarding memory usage.
/proc/self/ /proc/self/ directory is a link to the currently running process. This allows a process to look at itself without having to know its process ID.
/proc/self/ directory produces the same contents as listing the process directory for that process.
/proc/bus/ /proc/bus/ by the same name, such as /proc/bus/pci/.
/proc/bus/ vary depending on the devices connected to the system. However, each bus type has at least one directory. Within these bus directories are normally at least one subdirectory with a numerical name, such as 001, which contain binary files.
/proc/bus/usb/ subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them. The following is a sample listing of a /proc/bus/usb/ directory:
total 0 dr-xr-xr-x 1 root root 0 May 3 16:25 001 -r--r--r-- 1 root root 0 May 3 16:25 devices -r--r--r-- 1 root root 0 May 3 16:25 drivers
/proc/bus/usb/001/ directory contains all devices on the first USB bus and the devices file identifies the USB root hub on the motherboard.
/proc/bus/usb/devices file:
T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2 B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 1.00 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 P: Vendor=0000 ProdID=0000 Rev= 0.00 S: Product=USB UHCI Root Hub S: SerialNumber=d400 C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=255ms
/proc/driver/ rtc which provides output from the driver for the system's Real Time Clock (RTC), the device that keeps the time while the system is switched off. Sample output from /proc/driver/rtc looks like the following:
rtc_time : 16:21:00 rtc_date : 2004-08-31 rtc_epoch : 1900 alarm : 21:16:27 DST_enable : no BCD : yes 24hr : yes square_wave : no alarm_IRQ : no update_IRQ : no periodic_IRQ : no periodic_freq : 1024 batt_status : okay
/usr/share/doc/kernel-doc-<version>/Documentation/rtc.txt.
/proc/fs cat /proc/fs/nfsd/exports displays the file systems being shared and the permissions granted for those file systems. For more on file system sharing with NFS, refer to 20章NFS(ネットワークファイルシステム).
/proc/ide/ /proc/ide/ide0 and /proc/ide/ide1. In addition, a drivers file is available, providing the version number of the various drivers used on the IDE channels:
ide-floppy version 0.99. newide ide-cdrom version 4.61 ide-disk version 1.18
/proc/ide/piix file which reveals whether DMA or UDMA is enabled for the devices on the IDE channels:
Intel PIIX4 Ultra 33 Chipset. ------------- Primary Channel ---------------- Secondary Channel ------------- enabled enabled ------------- drive0 --------- drive1 -------- drive0 ---------- drive1 ------ DMA enabled: yes no yes no UDMA enabled: yes no no no UDMA enabled: 2 X X X UDMA DMA PIO
ide0, provides additional information. The channel file provides the channel number, while the model identifies the bus type for the channel (such as pci).
/dev/ directory. For instance, the first IDE drive on ide0 would be hda.
/proc/ide/ directory.
cache — The device cache.
capacity — The capacity of the device, in 512 byte blocks.
driver — The driver and version used to control the device.
geometry — The physical and logical geometry of the device.
media — The type of device, such as a disk.
model — The model name or number of the device.
settings — A collection of current device parameters. This file usually contains quite a bit of useful, technical information. A sample settings file for a standard IDE hard disk looks similar to the following:
name value min max mode ---- ----- --- --- ---- acoustic 0 0 254 rw address 0 0 2 rw bios_cyl 38752 0 65535 rw bios_head 16 0 255 rw bios_sect 63 0 63 rw bswap 0 0 1 r current_speed 68 0 70 rw failures 0 0 65535 rw init_speed 68 0 70 rw io_32bit 0 0 3 rw keepsettings 0 0 1 rw lun 0 0 7 rw max_failures 1 0 65535 rw multcount 16 0 16 rw nice1 1 0 1 rw nowerr 0 0 1 rw number 0 0 3 rw pio_mode write-only 0 255 w unmaskirq 0 0 1 rw using_dma 1 0 1 rw wcache 1 0 1 rw
/proc/irq/ /proc/irq/prof_cpu_mask file is a bitmask that contains the default values for the smp_affinity file in the IRQ directory. The values in smp_affinity specify which CPUs handle that particular IRQ.
/proc/irq/ directory, refer to the following installed documentation:
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt/proc/net/ /proc/net/ directory:
arp — Lists the kernel's ARP table. This file is particularly useful for connecting a hardware address to an IP address on a system.
atm/ directory — The files within this directory contain Asynchronous Transfer Mode (ATM) settings and statistics. This directory is primarily used with ATM networking and ADSL cards.
dev — Lists the various network devices configured on the system, complete with transmit and receive statistics. This file displays the number of bytes each interface has sent and received, the number of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more.
dev_mcast — Lists Layer2 multicast groups on which each device is listening.
igmp — Lists the IP multicast addresses which this system joined.
ip_conntrack — Lists tracked network connections for machines that are forwarding IP connections.
ip_tables_names — Lists the types of iptables in use. This file is only present if iptables is active on the system and contains one or more of the following values: filter, mangle, or nat.
ip_mr_cache — Lists the multicast routing cache.
ip_mr_vif — Lists multicast virtual interfaces.
netstat — Contains a broad yet detailed collection of networking statistics, including TCP timeouts, SYN cookies sent and received, and much more.
psched — Lists global packet scheduler parameters.
raw — Lists raw device statistics.
route — Lists the kernel's routing table.
rt_cache — Contains the current routing cache.
snmp — List of Simple Network Management Protocol (SNMP) data for various networking protocols in use.
sockstat — Provides socket statistics.
tcp — Contains detailed TCP socket information.
tr_rif — Lists the token ring RIF routing table.
udp — Contains detailed UDP socket information.
unix — Lists UNIX domain sockets currently in use.
wireless — Lists wireless interface data.
/proc/scsi/ /proc/ide/ directory, but it is for connected SCSI devices.
/proc/scsi/scsi, which contains a list of every recognized SCSI device. From this listing, the type of device, as well as the model name, vendor, SCSI channel and ID data is available.
Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model: CD-ROM DRIVE:466 Rev: 1.06 Type: CD-ROM ANSI SCSI revision: 02 Host: scsi1 Channel: 00 Id: 06 Lun: 00 Vendor: ARCHIVE Model: Python 04106-XXX Rev: 7350 Type: Sequential-Access ANSI SCSI revision: 02 Host: scsi2 Channel: 00 Id: 06 Lun: 00 Vendor: DELL Model: 1x6 U2W SCSI BP Rev: 5.35 Type: Processor ANSI SCSI revision: 02 Host: scsi2 Channel: 02 Id: 00 Lun: 00 Vendor: MegaRAID Model: LD0 RAID5 34556R Rev: 1.01 Type: Direct-Access ANSI SCSI revision: 02
/proc/scsi/, which contains files specific to each SCSI controller using that driver. From the previous example, aic7xxx/ and megaraid/ directories are present, since two drivers are in use. The files in each of the directories typically contain an I/O address range, IRQ information, and statistics for the SCSI controller using that driver. Each controller can report a different type and amount of information. The Adaptec AIC-7880 Ultra SCSI host adapter's file in this example system produces the following output:
Adaptec AIC7xxx driver version: 5.1.20/3.2.4
Compile Options:
TCQ Enabled By Default : Disabled
AIC7XXX_PROC_STATS : Enabled
AIC7XXX_RESET_DELAY : 5
Adapter Configuration:
SCSI Adapter: Adaptec AIC-7880 Ultra SCSI host adapter
Ultra Narrow Controller PCI MMAPed
I/O Base: 0xfcffe000
Adapter SEEPROM Config: SEEPROM found and used.
Adaptec SCSI BIOS: Enabled
IRQ: 30
SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255
Interrupts: 33726
BIOS Control Word: 0x18a6
Adapter Control Word: 0x1c5f
Extended Translation: Enabled
Disconnect Enable Flags: 0x00ff
Ultra Enable Flags: 0x0020
Tag Queue Enable Flags: 0x0000
Ordered Queue Tag Flags: 0x0000
Default Tag Queue Depth: 8
Tagged Queue By Device array for aic7xxx
host instance 1: {255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255}
Actual queue depth per device for aic7xxx host instance 1: {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}
Statistics:
(scsi1:0:5:0) Device using Narrow/Sync transfers at 20.0 MByte/sec, offset 15
Transinfo settings: current(12/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 0 (0 reads and 0 writes)
< 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+
Reads: 0 0 0 0 0 0 0 0
Writes: 0 0 0 0 0 0 0 0
(scsi1:0:6:0) Device using Narrow/Sync transfers at 10.0 MByte/sec, offset 15
Transinfo settings: current(25/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 132 (0 reads and 132 writes)
< 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+
Reads: 0 0 0 0 0 0 0 0
Writes: 0 0 0 1 131 0 0 0/proc/sys/ /proc/sys/ directory is different from others in /proc/ because it not only provides information about the system but also allows the system administrator to immediately enable and disable kernel features.
/proc/sys/ directory. Changing the wrong setting may render the kernel unstable, requiring a system reboot.
/proc/sys/.
-l option at the shell prompt. If the file is writable, it may be used to configure the kernel. For example, a partial listing of /proc/sys/fs looks like the following:
-r--r--r-- 1 root root 0 May 10 16:14 dentry-state -rw-r--r-- 1 root root 0 May 10 16:14 dir-notify-enable -r--r--r-- 1 root root 0 May 10 16:14 dquot-nr -rw-r--r-- 1 root root 0 May 10 16:14 file-max -r--r--r-- 1 root root 0 May 10 16:14 file-nr
dir-notify-enable and file-max can be written to and, therefore, can be used to configure the kernel. The other files only provide feedback on current settings.
/proc/sys/ file is done by echoing the new value into the file. For example, to enable the System Request Key on a running kernel, type the command:
echo 1 > /proc/sys/kernel/sysrqsysrq from 0 (off) to 1 (on).
/proc/sys/ configuration files contain more than one value. To correctly send new values to them, place a space character between each value passed with the echo command, such as is done in this example:
echo 4 2 45 > /proc/sys/kernel/acctecho command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to 「Using the sysctl Command」.
/proc/sys/ directory contains several subdirectories controlling different aspects of a running kernel.
/proc/sys/dev/ cdrom/ and raid/. Customized kernels can have other directories, such as parport/, which provides the ability to share one parallel port between multiple device drivers.
cdrom/ directory contains a file called info, which reveals a number of important CD-ROM parameters:
CD-ROM information, Id: cdrom.c 3.20 2003/12/17 drive name: hdc drive speed: 48 drive # of slots: 1 Can close tray: 1 Can open tray: 1 Can lock tray: 1 Can change speed: 1 Can select disk: 0 Can read multisession: 1 Can read MCN: 1 Reports media changed: 1 Can play audio: 1 Can write CD-R: 0 Can write CD-RW: 0 Can read DVD: 0 Can write DVD-R: 0 Can write DVD-RAM: 0 Can read MRW: 0 Can write MRW: 0 Can write RAM: 0
/proc/sys/dev/cdrom, such as autoclose and checkmedia, can be used to control the system's CD-ROM. Use the echo command to enable or disable these features.
/proc/sys/dev/raid/ directory becomes available with at least two files in it: speed_limit_min and speed_limit_max. These settings determine the acceleration of RAID devices for I/O intensive tasks, such as resyncing the disks.
/proc/sys/fs/ binfmt_misc/ directory is used to provide kernel support for miscellaneous binary formats.
/proc/sys/fs/ include:
dentry-state — Provides the status of the directory cache. The file looks similar to the following:
57411 52939 45 0 0 0
dquot-nr — Lists the maximum number of cached disk quota entries.
file-max — Lists the maximum number of file handles that the kernel allocates. Raising the value in this file can resolve errors caused by a lack of available file handles.
file-nr — Lists the number of allocated file handles, used file handles, and the maximum number of file handles.
overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with file systems that only support 16-bit group and user IDs.
super-max — Controls the maximum number of superblocks available.
super-nr — Displays the current number of superblocks in use.
/proc/sys/kernel/ acct — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following:
4 2 30
cap-bound — Controls the capability bounding settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process.
/lib/modules/<kernel-version>/build/include/linux/capability.h.
ctrl-alt-del — Controls whether Ctrl+Alt+Delete gracefully restarts the computer using init (0) or forces an immediate reboot without syncing the dirty buffers to disk (1).
domainname — Configures the system domain name, such as example.com.
exec-shield — Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks.
0 — Disables Exec Shield.
1 — Enables Exec Shield. This is the default value.
exec-shield-randomize — Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address.
0 — Disables randomization of Exec Shield. This may be useful for application debugging purposes.
1 — Enables randomization of Exec Shield. This is the default value. Note: The exec-shield file must also be set to 1 for exec-shield-randomize to be effective.
hostname — Configures the system hostname, such as www.example.com.
hotplug — Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of /sbin/hotplug should not be changed unless testing a new program to fulfill this role.
modprobe — Sets the location of the program used to load kernel modules. The default value is /sbin/modprobe which means kmod calls it to load the module when a kernel thread calls kmod.
msgmax — Sets the maximum size of any message sent from one process to another and is set to 8192 bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase in msgmax would increase RAM requirements for the system.
msgmnb — Sets the maximum number of bytes in a single message queue. The default is 16384.
msgmni — Sets the maximum number of message queue identifiers. The default is 16.
osrelease — Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.
ostype — Displays the type of operating system. By default, this file is set to Linux, and this value can only be changed by changing the kernel source and recompiling.
overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs.
panic — Defines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to 0, which disables automatic rebooting after a panic.
printk — This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a loglevel associated with it that defines the importance of the message. The loglevel values break down in this order:
0 — Kernel emergency. The system is unusable.
1 — Kernel alert. Action must be taken immediately.
2 — Condition of the kernel is considered critical.
3 — General kernel error condition.
4 — General kernel warning condition.
5 — Kernel notice of a normal but significant condition.
6 — Kernel informational message.
7 — Kernel debug-level messages.
printk file:
6 4 1 7
random/ directory — Lists a number of values related to generating random numbers for the kernel.
rtsig-max — Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is 1024.
rtsig-nr — Lists the current number of POSIX real-time signals queued by the kernel.
sem — Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process.
shmall— Sets the total amount of shared memory pages that can be used at one time, system-wide. By default, this value is 2097152.
shmmax — Sets the largest shared memory segment size allowed by the kernel. By default, this value is 33554432. However, the kernel supports much larger values than this.
shmmni — Sets the maximum number of shared memory segments for the whole system. By default, this value is 4096.
sysrq — Activates the System Request Key, if this value is set to anything other than zero (0), the default.
<system request code> . Replace <system request code> with one of the following system request codes:
r — Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Alt, Ctrl, or Shift for all keys).
k — Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from init and not a Trojan copy designed to capture usernames and passwords.
b — Reboots the kernel without first unmounting file systems or syncing disks attached to the system.
c — Crashes the system without first unmounting file systems or syncing disks attached to the system.
o — Shuts off the system.
s — Attempts to sync disks attached to the system.
u — Attempts to unmount and remount all file systems as read-only.
p — Outputs all flags and registers to the console.
t — Outputs a list of processes to the console.
m — Outputs memory statistics to the console.
0 through 9 — Sets the log level for the console.
e — Kills all processes except init using SIGTERM.
i — Kills all processes except init using SIGKILL.
l — Kills all processes using SIGKILL (including init). The system is unusable after issuing this System Request Key code.
h — Displays help text.
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt for more information about the System Request Key.
sysrq-key — Defines the key code for the System Request Key (84 is the default).
sysrq-sticky — Defines whether the System Request Key is a chorded key combination. The accepted values are as follows:
0 — Alt+SysRq and the system request code must be pressed simultaneously. This is the default value.
1 — Alt+SysRq must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in /proc/sys/kernel/sysrq-timer elapses.
sysrq-timer — Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is 10.
tainted — Indicates whether a non-GPL module is loaded.
0 — No non-GPL modules are loaded.
1 — At least one module without a GPL license (including modules with no license) is loaded.
2 — At least one module was force-loaded with the command insmod -f.
threads-max — Sets the maximum number of threads to be used by the kernel, with a default value of 2048.
version — Displays the date and time the kernel was last compiled. The first field in this file, such as #3, relates to the number of times a kernel was built from the source base.
/proc/sys/net/ ethernet/, ipv4/, ipx/, and ipv6/. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system.
/proc/sys/net/ directories are discussed.
/proc/sys/net/core/ directory contains a variety of settings that control the interaction between the kernel and networking layers. The most important of these files are:
message_burst — Sets the amount of time in tenths of a second required to write a new warning message. This setting is used to mitigate Denial of Service (DoS) attacks. The default setting is 50.
message_cost — Sets a cost on every warning message. The higher the value of this file (default of 5), the more likely the warning message is ignored. This setting is used to mitigate DoS attacks.
message_burst and message_cost are designed to be modified based on the system's acceptable risk versus the need for comprehensive logging.
netdev_max_backlog — Sets the maximum number of packets allowed to queue when a particular interface receives packets faster than the kernel can process them. The default value for this file is 300.
optmem_max — Configures the maximum ancillary buffer size allowed per socket.
rmem_default — Sets the receive socket buffer default size in bytes.
rmem_max — Sets the receive socket buffer maximum size in bytes.
wmem_default — Sets the send socket buffer default size in bytes.
wmem_max — Sets the send socket buffer maximum size in bytes.
/proc/sys/net/ipv4/ directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router.
/proc/sys/net/ipv4/ directory:
icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate, and icmp_timeexeed_rate — Set the maximum ICMP send packet rate, in 1/100 of a second, to hosts under certain conditions. A setting of 0 removes any delay and is not a good idea.
icmp_echo_ignore_all and icmp_echo_ignore_broadcasts — Allows the kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses, respectively. A value of 0 allows the kernel to respond, while a value of 1 ignores the packets.
ip_default_ttl — Sets the default Time To Live (TTL), which limits the number of hops a packet may make before reaching its destination. Increasing this value can diminish system performance.
ip_forward — Permits interfaces on the system to forward packets to one other. By default, this file is set to 0. Setting this file to 1 enables network packet forwarding.
ip_local_port_range — Specifies the range of ports to be used by TCP or UDP when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port. Any systems that expect to require more ports than the default 1024 to 4999 should use a range from 32768 to 61000.
tcp_syn_retries — Provides a limit on the number of times the system re-transmits a SYN packet when attempting to make a connection.
tcp_retries1 — Sets the number of permitted re-transmissions attempting to answer an incoming connection. Default of 3.
tcp_retries2 — Sets the number of permitted re-transmissions of TCP packets. Default of 15.
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ ip-sysctl.txt/proc/sys/net/ipv4/ directory.
/proc/sys/net/ipv4/ directory and each covers a different aspect of the network stack. The /proc/sys/net/ipv4/conf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the /proc/sys/net/ipv4/conf/default/ subdirectory) and settings that override all special configurations (in the /proc/sys/net/ipv4/conf/all/ subdirectory).
/proc/sys/net/ipv4/neigh/ directory contains settings for communicating with a host directly connected to the system (called a network neighbor) and also contains different settings for systems more than one hop away.
/proc/sys/net/ipv4/route/. Unlike conf/ and neigh/, the /proc/sys/net/ipv4/route/ directory contains specifications that apply to routing with any interfaces on the system. Many of these settings, such as max_size, max_delay, and min_delay, relate to controlling the size of the routing cache. To clear the routing cache, write any value to the flush file.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt/proc/sys/vm/ /proc/sys/vm/ directory:
block_dump — Configures block I/O debugging when enabled. All read/write and block dirtying operations done to files are logged accordingly. This can be useful if diagnosing disk spin up and spin downs for laptop battery conservation. All output when block_dump is enabled can be retrieved via dmesg. The default value is 0.
block_dump is enabled at the same time as kernel debugging, it is prudent to stop the klogd daemon, as it generates erroneous disk activity caused by block_dump.
dirty_background_ratio — Starts background writeback of dirty data at this percentage of total memory, via a pdflush daemon. The default value is 10.
dirty_expire_centisecs — Defines when dirty in-memory data is old enough to be eligible for writeout. Data which has been dirty in-memory for longer than this interval is written out next time a pdflush daemon wakes up. The default value is 3000, expressed in hundredths of a second.
dirty_ratio — Starts active writeback of dirty data at this percentage of total memory for the generator of dirty data, via pdflush. The default value is 40.
dirty_writeback_centisecs — Defines the interval between pdflush daemon wakeups, which periodically writes dirty in-memory data out to disk. The default value is 500, expressed in hundredths of a second.
laptop_mode — Minimizes the number of times that a hard disk needs to spin up by keeping the disk spun down for as long as possible, therefore conserving battery power on laptops. This increases efficiency by combining all future I/O processes together, reducing the frequency of spin ups. The default value is 0, but is automatically enabled in case a battery on a laptop is used.
/usr/share/doc/kernel-doc-<version>/Documentation/laptop-mode.txt
lower_zone_protection — Determines how aggressive the kernel is in defending lower memory allocation zones. This is effective when utilized with machines configured with highmem memory space enabled. The default value is 0, no protection at all. All other integer values are in megabytes, and lowmem memory is therefore protected from being allocated by users.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt
max_map_count — Configures the maximum number of memory map areas a process may have. In most cases, the default value of 65536 is appropriate.
min_free_kbytes — Forces the Linux VM (virtual memory manager) to keep a minimum number of kilobytes free. The VM uses this number to compute a pages_min value for each lowmem zone in the system. The default value is in respect to the total memory on the machine.
nr_hugepages — Indicates the current number of configured hugetlb pages in the kernel.
/usr/share/doc/kernel-doc-<version>/Documentation/vm/hugetlbpage.txt
nr_pdflush_threads — Indicates the number of pdflush daemons that are currently running. This file is read-only, and should not be changed by the user. Under heavy I/O loads, the default value of two is increased by the kernel.
overcommit_memory — Configures the conditions under which a large memory request is accepted or denied. The following three modes are available:
0 — The kernel performs heuristic memory over commit handling by estimating the amount of memory available and failing requests that are blatantly invalid. Unfortunately, since memory is allocated using a heuristic rather than a precise algorithm, this setting can sometimes allow available memory on the system to be overloaded. This is the default setting.
1 — The kernel performs no memory over commit handling. Under this setting, the potential for memory overload is increased, but so is performance for memory intensive tasks (such as those executed by some scientific software).
2 — The kernel fails requests for memory that add up to all of swap plus the percent of physical RAM specified in /proc/sys/vm/overcommit_ratio. This setting is best for those who desire less risk of memory overcommitment.
overcommit_ratio — Specifies the percentage of physical RAM considered when /proc/sys/vm/overcommit_memory is set to 2. The default value is 50.
page-cluster — Sets the number of pages read in a single attempt. The default value of 3, which actually relates to 16 pages, is appropriate for most systems.
swappiness — Determines how much a machine should swap. The higher the value, the more swapping occurs. The default value, as a percentage, is set to 60.
/usr/share/doc/kernel-doc-<version>/Documentation/, which contains additional information.
/proc/sysvipc/ msg), semaphores (sem), and shared memory (shm).
/proc/tty/ drivers file is a list of the current tty devices in use, as in the following example:
serial /dev/cua 5 64-127 serial:callout serial /dev/ttyS 4 64-127 serial pty_slave /dev/pts 136 0-255 pty:slave pty_master /dev/ptm 128 0-255 pty:master pty_slave /dev/ttyp 3 0-255 pty:slave pty_master /dev/pty 2 0-255 pty:master /dev/vc/0 /dev/vc/0 4 0 system:vtmaster /dev/ptmx /dev/ptmx 5 2 system /dev/console /dev/console 5 1 system:console /dev/tty /dev/tty 5 0 system:/dev/tty unknown /dev/vc/%d 4 1-63 console
/proc/tty/driver/serial file lists the usage statistics and status of each of the serial tty lines.
ldiscs file, and more detailed information is available within the ldisc/ directory.
/proc/<PID>/ /proc/sys/vm/panic_on_oom. When set to 1 the kernel will panic on OOM. A setting of 0 instructs the kernel to call a function named oom_killer on an OOM. Usually, oom_killer can kill rogue processes and the system will survive.
/proc/sys/vm/panic_on_oom.
~]#cat /proc/sys/vm/panic_on_oom1 ~]#echo 0 > /proc/sys/vm/panic_on_oom~]#cat /proc/sys/vm/panic_on_oom0
oom_killer score. In /proc/<PID>/ there are two tools labelled oom_adj and oom_score. Valid scores for oom_adj are in the range -16 to +15. To see the current oom_killer score, view the oom_score for the process. oom_killer will kill processes with the highest scores first.
oom_killer will kill it.
~]#cat /proc/12465/oom_score79872 ~]#echo -5 > /proc/12465/oom_adj~]#cat /proc/12465/oom_score78
oom_killer for that process. In the example below, oom_score returns a value of 0, indicating that this process would not be killed.
~]#cat /proc/12465/oom_score78 ~]#echo -17 > /proc/12465/oom_adj~]#cat /proc/12465/oom_score0
badness() is used to determine the actual score for each process. This is done by adding up 'points' for each examined process. The process scoring is done in the following way:
CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities have their scores reduced.
oom_adj file.
oom_score value will most probably be a non-privileged, recently started process that, along with its children, uses a large amount of memory, has been 'niced', and handles no raw I/O.
sysctl Command/sbin/sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory.
/proc/sys/ directory, type the /sbin/sysctl -a command as root. This creates a large, comprehensive list, a small portion of which looks something like the following:
net.ipv4.route.min_delay = 2 kernel.sysrq = 0 kernel.sem = 250 32000 32 128
/proc/sys/net/ipv4/route/min_delay file is listed as net.ipv4.route.min_delay, with the directory slashes replaced by dots and the proc.sys portion assumed.
sysctl command can be used in place of echo to assign values to writable files in the /proc/sys/ directory. For example, instead of using the command
echo 1 > /proc/sys/kernel/sysrqsysctl command as follows:
~]# sysctl -w kernel.sysrq="1"
kernel.sysrq = 1/proc/sys/ is helpful during testing, this method does not work as well on a production system as special settings within /proc/sys/ are lost when the machine is rebooted. To preserve custom settings, add them to the /etc/sysctl.conf file.
init program runs the /etc/rc.d/rc.sysinit script. This script contains a command to execute sysctl using /etc/sysctl.conf to determine the values passed to the kernel. Any values added to /etc/sysctl.conf therefore take effect each time the system boots.
proc file system.
proc file system is installed on the system by default.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt — Contains assorted, but limited, information about all aspects of the /proc/ directory.
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt — An overview of System Request Key options.
/usr/share/doc/kernel-doc-<version>/Documentation/sysctl/ — A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt).
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt — A detailed overview of IP networking options.
/) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
/dev/hda and /dev/hdb) to illustrate the creation of simple RAID 1 and RAID 0 configurations, and detail how to create a simple RAID configuration by implementing multiple RAID devices.
/boot partition as a software RAID device, leaving the root partition (/), /home, and swap as regular file systems. 図5.4「RAID 1 Partitions Ready, Pre-Device and Mount Point Creation」 shows successfully allocated space for the RAID 1 configuration (for /boot), which is now ready for RAID device and mount point creation:
/boot, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition of /boot, and you are making a RAID partition for the root file system (that is, /), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).
/), home partition (/home), or swap.
/proc/mdstat special file. To list these devices, display the content of this file by typing the following at a shell prompt:
cat/proc/mdstat
root:
mdadm--querydevice…
mdadm--detailraid_device…
mdadm--examinecomponent_device…
mdadm --detail command displays information about a RAID device, mdadm --examine only relays information about a RAID device as it relates to a given component device. This distinction is particularly important when working with a RAID device that itself is a component of another RAID device.
mdadm --query command, as well as both mdadm --detail and mdadm --examine commands allow you to specify multiple devices at once.
/dev/md0 is a RAID device by typing the following at a shell prompt:
~]# mdadm --query /dev/md0
/dev/md0: 125.38MiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
/dev/md0: No md super block found, not an md component.~]# mdadm --detail /dev/md0
/dev/md0:
Version : 0.90
Creation Time : Tue Jun 28 16:05:49 2011
Raid Level : raid1
Array Size : 128384 (125.40 MiB 131.47 MB)
Used Dev Size : 128384 (125.40 MiB 131.47 MB)
Raid Devices : 2
Total Devices : 2
Preferred Minor : 0
Persistence : Superblock is persistent
Update Time : Thu Jun 30 17:06:34 2011
State : clean
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0
UUID : 49c5ac74:c2b79501:5c28cb9c:16a6dd9f
Events : 0.6
Number Major Minor RaidDevice State
0 3 1 0 active sync /dev/hda1
1 3 65 1 active sync /dev/hdb1~]$ cat /proc/mdstat
Personalities : [raid0] [raid1]
md0 : active raid1 hdb1[1] hda1[0]
128384 blocks [2/2] [UU]
md1 : active raid0 hdb2[1] hda2[0]
1573888 blocks 256k chunks
md2 : active raid0 hdb3[1] hda3[0]
19132928 blocks 256k chunks
unused devices: <none>root:
mdadm--createraid_device--level=level--raid-devices=numbercomponent_device…
mdadm(8) manual page.
~]# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sdb /dev/sdb1/dev/md3 as a new RAID level 1 array from /dev/sda1 and /dev/sdb1, run the following command:
~]# mdadm --create /dev/md3 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm: array /dev/md3 started.root:
mdadmraid_device--failcomponent_device
mdadmraid_device--removecomponent_device
mdadmraid_device--addcomponent_device
/dev/md3, with the following layout (that is, the RAID device created in 例5.2「Creating a new RAID device」):
~]# mdadm --detail /dev/md3 | tail -n 3
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1/dev/sdb1 device as faulty:
~]# mdadm /dev/md3 --fail /dev/sdb1
mdadm: set /dev/sdb1 faulty in /dev/md3~]# mdadm /dev/md3 --remove /dev/sdb1
mdadm: hot removed /dev/sdb1~]# mdadm /dev/md3 --add /dev/sdb1
mdadm: added /dev/sdb1root:
mdadmraid_device--addcomponent_device
mdadm--growraid_device--raid-devices=number
/dev/md3, with the following layout (that is, the RAID device created in 例5.2「Creating a new RAID device」):
~]# mdadm --detail /dev/md3 | tail -n 3
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1/dev/sdc, has been added and has exactly one partition. To add it to the /dev/md3 array, type the following at a shell prompt:
~]# mdadm /dev/md3 --add /dev/sdc1
mdadm: added /dev/sdc1/dev/sdc1 as a spare device. To change the size of the array to actually use it, type:
~]# mdadm --grow /dev/md3 --raid-devices=3root:
mdadm--stopraid_device
mdadm--removeraid_device
mdadm--zero-superblockcomponent_device…
/dev/md3, with the following layout (that is, the RAID device created in 例5.4「Extending a RAID device」):
~]# mdadm --detail /dev/md3 | tail -n 4
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1
2 8 33 2 active sync /dev/sdc1~]# mdadm --stop /dev/md3
mdadm: stopped /dev/md3/dev/md3 device by running the following command:
~]# mdadm --remove /dev/md3~]# mdadm --zero-superblock /dev/sda1 /dev/sdb1 /dev/sdc1mdadm command only apply to the current session, and will not survive a system restart. At boot time, the mdmonitor service reads the content of the /etc/mdadm.conf configuration file to see which RAID devices to start. If the software RAID was configured during the graphical installation process, this file contains directives listed in 表5.1「Common mdadm.conf directives」 by default.
| Option | Description |
|---|---|
ARRAY
|
Allows you to identify a particular array.
|
DEVICE
|
Allows you to specify a list of devices to scan for a RAID component (for example, 「/dev/hda1」). You can also use the keyword
partitions to use all partitions listed in /proc/partitions, or containers to specify an array container.
|
MAILADDR
| Allows you to specify an email address to use in case of an alert. |
ARRAY lines are presently in use regardless of the configuration, run the following command as root:
mdadm--detail--scan
/etc/mdadm.conf file. You can also display the ARRAY line for a particular device:
mdadm--detail--briefraid_device
mdadm--detail--briefraid_device>>/etc/mdadm.conf
/etc/mdadm.conf contains the software RAID configuration created during the system installation:
# mdadm.conf written out by anaconda DEVICE partitions MAILADDR root ARRAY /dev/md0 level=raid1 num-devices=2 UUID=49c5ac74:c2b79501:5c28cb9c:16a6dd9f ARRAY /dev/md1 level=raid0 num-devices=2 UUID=76914c11:5bfa2c00:dc6097d1:a1f4506d ARRAY /dev/md2 level=raid0 num-devices=2 UUID=2b5d38d0:aea898bf:92be20e2:f9d893c5
/dev/md3 device as shown in 例5.2「Creating a new RAID device」, you can make it persistent by running the following command:
~]# mdadm --detail --brief /dev/md3 >> /etc/mdadm.confmdadm man page — A manual page for the mdadm utility.
mdadm.conf man page — A manual page that provides a comprehensive list of available /etc/mdadm.conf configuration options.
| Amount of RAM in the System | Recommended Amount of Swap Space |
|---|---|
| 4GB of RAM or less | a minimum of 2GB of swap space |
| 4GB to 16GB of RAM | a minimum of 4GB of swap space |
| 16GB to 64GB of RAM | a minimum of 8GB of swap space |
| 64GB to 256GB of RAM | a minimum of 16GB of swap space |
| 256GB to 512GB of RAM | a minimum of 32GB of swap space |
free and cat /proc/swaps commands to verify how much and where swap is in use.
/dev/VolGroup00/LogVol01 is the volume you want to extend):
swapoff -v /dev/VolGroup00/LogVol01lvm lvresize /dev/VolGroup00/LogVol01 -L +256Mmkswap /dev/VolGroup00/LogVol01swapon -vacat /proc/swapsfree
/dev/VolGroup00/LogVol02 is the swap volume you want to add):
lvm lvcreate VolGroup00 -n LogVol02 -L 256Mmkswap /dev/VolGroup00/LogVol02/etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
swapon -vacat /proc/swapsfree
count being equal to the desired block size:
dd if=/dev/zero of=/swapfile bs=1024 count=65536mkswap /swapfileswapon /swapfile/etc/fstab to include the following entry:
/swapfile swap swap defaults 0 0
cat /proc/swaps or free.
/dev/VolGroup00/LogVol01 is the volume you want to reduce):
swapoff -v /dev/VolGroup00/LogVol01lvm lvreduce /dev/VolGroup00/LogVol01 -L -512Mmkswap /dev/VolGroup00/LogVol01swapon -vacat /proc/swapsfree
/dev/VolGroup00/LogVol02 is the swap volume you want to remove):
swapoff -v /dev/VolGroup00/LogVol02lvm lvremove /dev/VolGroup00/LogVol02/etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
cat /proc/swapsfree
partedparted を使用してユーザーができること
parted パッケージは Red Hat Enterprise Linux をインストールする際に含まれます。 parted を起動するには、 root としてログインしシェルプロンプトでコマンド parted /dev/sda を入力します (/dev/sdaumount command and turn off all the swap space on the hard drive with the swapoff command.
parted commands」 contains a list of commonly used parted commands. The sections that follow explain some of these commands and arguments in more detail.
parted commands| コマンド | 説明 |
|---|---|
check
| ファイルシステムの簡単なチェックを行う |
cp
|
1つのパーティションから別のパーティションへファイルシステムをコピーする。 転送元と 転送先の部分はそれぞれのパーティションのマイナー番号。
|
help
| 使用可能なコマンドの一覧を表示する |
mklabel
| パーティションテーブル用にディスクラベルを作成する |
mkfs
|
ファイルシステムの種類タイプのファイルシステムを作成する
|
mkpart
| パーティションを作成して、新規のファイルシステムは作成しない |
mkpartfs
| パーティションを作成して、指定のファイルシステムを作成する |
move
| パーティションを移動する |
name
| Mac及びPC98ディスクラベル専用のパーティションに名前を付ける |
print
| パーティションテーブルを表示する |
quit
|
Quit parted
|
rescue start-mb end-mb
|
失われたパーティションをstart-mbから end-mbに救出する
|
resize
|
パーティションサイズを 開始-mbから終了-mbへ変更する
|
rm
| パーティションを削除する |
select
| 設定するデバイスを別に選択する |
set
|
パーティションにフラグを設定する。 状態は オンまたはオフ。
|
toggle [
|
パーティション NUMBER 上の FLAG の状態を切り替える
|
unit
|
デフォルトのユニットを UNIT に設定する
|
parted, use the command print to view the partition table. A table similar to the following appears:
Model: ATA ST3160812AS (scsi) Disk /dev/sda: 160GB Sector size (logical/physical): 512B/512B Partition Table: msdos Number Start End Size Type File system Flags 1 32.3kB 107MB 107MB primary ext3 boot 2 107MB 105GB 105GB primary ext3 3 105GB 107GB 2147MB primary linux-swap 4 107GB 160GB 52.9GB extended root 5 107GB 133GB 26.2GB logical ext3 6 133GB 133GB 107MB logical ext3 7 133GB 160GB 26.6GB logical lvm
number. For example, the partition with minor number 1 corresponds to /dev/sda1. The Start and End values are in megabytes. Valid Type are metadata, free, primary, extended, or logical. The Filesystem is the file system type, which can be any of the following:
Filesystem に値が表示されない場合、 そのファイルシステムのタイプは不明ということになります。
parted, where /dev/sda is the device on which to create the partition:
parted /dev/sdaprintmkpart primary ext3 1024 2048mkpartfs command instead, the file system is created after the partition is created. However, parted does not support creating an ext3 file system. Thus, if you wish to create an ext3 file system, use mkpart and create the file system with the mkfs command as described later.
print command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it. You should also view the output of
cat /proc/partitionsmkfs -t ext3 /dev/sda6/dev/sda6 and you want to label it /work:
e2label /dev/sda6 /workmkdir /work/etc/fstab/etc/fstab file to include the new partition. The new line should look similar to the following:
LABEL=/work /work ext3 defaults 1 2
LABEL= followed by the label you gave the partition. The second column should contain the mount point for the new partition, and the next column should be the file system type (for example, ext3 or swap). If you need more information about the format, read the man page with the command man fstab.
defaults, the partition is mounted at boot time. To mount the partition without rebooting, as root, type the command:
mount /workparted, where /dev/sda is the device on which to remove the partition:
parted /dev/sdaprintrm. For example, to remove the partition with minor number 3:
rm 3print command to confirm that it is removed from the partition table. You should also view the output of
cat /proc/partitions/etc/fstab file. Find the line that declares the removed partition, and remove it from the file.
parted, where /dev/sda is the device on which to resize the partition:
parted /dev/sdaprintresize command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes. For example:
resize 3 1024 2048print command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type.
df to make sure the partition was mounted and is recognized with the new size.
lvm help at a command prompt.
LVM commands| コマンド | 説明 |
|---|---|
dumpconfig
| 有効な設定をダンプする |
formats
| 利用可能なメタデータ形式をリストする |
help
| ヘルプコマンドを表示する |
lvchange
| 論理ボリュームの属性を変更する |
lvcreate
| 論理ボリュームを作成する |
lvdisplay
| 論理ボリュームに関する情報を表示する |
lvextend
| 論理ボリュームにスペースを追加する |
lvmchange
| Due to use of the device mapper, this command has been deprecated |
lvmdiskscan
| 物理ボリュームとして使用できるデバイスをリストする |
lvmsadc
| アクティビティデータを収集する |
lvmsar
| アクティビティレポートを作成する |
lvreduce
| 論理ボリュームのサイズを削減する |
lvremove
| システムから論理ボリュームを削除する |
lvrename
| 論理ボリュームの名前を変更する |
lvresize
| 論理ボリュームのサイズを変更する |
lvs
| 論理ボリュームに関する情報を表示する |
lvscan
| ボリュームグループ内のすべての論理ボリュームをリストする |
pvchange
| 物理ボリュームの属性を変更する |
pvcreate
| LVMにより使用する物理ボリュームを初期化する |
pvdata
| 物理ボリュームに対するディスク上のメタデータを表示する |
pvdisplay
| 物理ボリュームのさまざまな属性を表示する |
pvmove
| エクステントをある物理ボリュームから別の物理ボリュームに移動する |
pvremove
| 物理ボリュームからLVMラベルを削除する |
pvresize
| ボリュームグループにより使用されている物理ボリュームのサイズを変更する |
pvs
| 物理ボリュームに関する情報を表示する |
pvscan
| すべての物理ボリュームをリストする |
segtypes
| 利用可能なセグメントタイプをリストする |
vgcfgbackup
| ボリュームグループ設定をバックアップする |
vgcfgrestore
| ボリュームグループ設定を復元する |
vgchange
| ボリュームグループ属性を変更する |
vgck
| ボリュームグループの整合性をチェックする |
vgconvert
| ボリュームグループメタデータ形式を変更する |
vgcreate
| ボリュームグループを作成する |
vgdisplay
| ボリュームグループ情報を表示する |
vgexport
| ボリュームグループをシステムから登録解除する |
vgextend
| 物理ボリュームを論理グループに追加する |
vgimport
| エクスポートされたボリュームグループをシステムに登録する |
vgmerge
| 論理グループをマージする |
vgmknodes
| /dev/にボリュームグループデバイスの特別なファイルを作成する |
vgreduce
| ボリュームグループから物理ボリュームを削除する |
vgremove
| ボリュームグループを削除する |
vgrename
| ボリュームグループの名前を変更する |
vgs
| ボリュームグループに関する情報を表示する |
vgscan
| すべてのボリュームグループを検索する |
vgsplit
| 新しいボリュームグループに物理ボリュームを移動する |
version
| ソフトウェアおよびドライバのバージョン情報を表示する |
quota RPM must be installed to implement disk quotas. /etc/fstab file.
/etc/fstab file. Add the usrquota and/or grpquota options to the file systems that require quotas:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 none /dev/pts devpts gid=5,mode=620 0 0 none /dev/shm tmpfs defaults 0 0 none /proc proc defaults 0 0 none /sys sysfs defaults 0 0 /dev/VolGroup00/LogVol02 /home ext3 defaults,usrquota,grpquota 1 2 /dev/VolGroup00/LogVol01 swap swap defaults 0 0 . . .
/home file system has both user and group quotas enabled.
/home partition was created during the installation of Red Hat Enterprise Linux. The root (/) partition can be used for setting quota policies in the /etc/fstab file.
usrquota and/or grpquota options, remount each file system whose fstab entry has been modified. If the file system is not in use by any process, use one of the following methods:
umount command followed by the mount command to remount the file system.(See the man page for both umount and mount for the specific syntax for mounting and unmounting various filesystem types.)
mount -o remount <file-system> command (where <file-system> /home file system, the command to issue is mount -o remount /home.
quotacheck command.
quotacheck command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.
aquota.user and aquota.group) on the file system, use the -c option of the quotacheck command. For example, if user and group quotas are enabled for the /home file system, create the files in the /home directory:
quotacheck -cug /home-cオプションは、容量制限が有効な各ファイルシステムの為に容量制限ファイルが作成される様に指定します。-uオプションはユーザー容量制限のチェックを指定し、-gオプションはグループ容量制限のチェックを指定します。
-uも-gも指定されていない場合、 ユーザー容量制限ファイルだけが作成されます。-gだけが 指定してある場合は、グループ容量制限ファイルのみが作成されます。
quotacheck -avuga — 全ての容量制限有効な ローカルマウントのファイルシステムをチェックする
v — 容量制限のチェックが進むのと共に 詳細進行状態を表示する
u — ユーザーディスク容量制限情報をチェック
g — グループディスク容量制限情報をチェック
quotacheck has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home.
edquota command.
edquota username/etc/fstab for the /home partition (/dev/VolGroup00/LogVol02 in the example below) and the command edquota testuser is executed, the following is shown in the editor configured as the default for the system:
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 0 0 37418 0 0
EDITOR environment variable is used by edquota. To change the editor, set the EDITOR environment variable in your ~/.bash_profile file to the full path of the editor of your choice.
inodes column shows how many inodes the user is currently using. The last two columns are used to set the soft and hard inode limits for the user on the file system.
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 500000 550000 37418 0 0
quota testuserdevel group (the group must exist prior to setting the group quota), use the command:
edquota -g develDisk quotas for group devel (gid 505): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440400 0 0 37418 0 0
quota -g develquotaoff -vaug-u か -g のどちらのオプションも指定されていない場合、ユーザー容量制限のみが無効になります。また -g だけが指定されている場合、グループ容量制限のみが無効になります。-v を付けるとコマンドが実行される時に詳細のステータス情報を表示するようになります。
quotaon command with the same options.
quotaon -vaug/home, use the following command:
quotaon -vug /home-u か -g のどちらのオプションも指定されていない場合は、ユーザー容量制限のみが有効になります。 -g のみが指定されている場合は、グループ容量制限のみが有効になります。
repquota utility. For example, the command repquota /home produces this output:
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
Block limits File limits
User used soft hard grace used soft hard grace
----------------------------------------------------------------------
root -- 36 0 0 4 0 0
kristin -- 540 0 0 125 0 0
testuser -- 440400 500000 550000 37418 0 0-aを使用):
repquota -a-- displayed after each user is a quick way to determine whether the block or inode limits have been exceeded. If either soft limit is exceeded, a + appears in place of the corresponding -; the first - represents the block limit, and the second represents the inode limit.
grace columns are normally blank. If a soft limit has been exceeded, the column contains a time specification equal to the amount of time remaining on the grace period. If the grace period has expired, none appears in its place.
quotacheck include:
/etc/cron.daily/ or /etc/cron.weekly/ directory—or schedule one using the crontab -e command—that contains the touch /forcequotacheck command. This creates an empty forcequotacheck file in the root directory, which the system init script looks for at boot time. If it is found, the init script runs quotacheck. Afterward, the init script removes the /forcequotacheck file; thus, scheduling this file to be created periodically with cron ensures that quotacheck is run during the next reboot.
cron.
quotacheck is to (re-)boot the system into single-user mode to prevent the possibility of data corruption in quota files and run:
~]# quotaoff -vaug /<file_system>~]# quotacheck -vaug /<file_system>~]# quotaon -vaug /<file_system>
quotacheck on a machine during a time when no users are logged in, and thus have no open files on the file system being checked. Run the command quotacheck -vaug <file_system> ; this command will fail if quotacheck cannot remount the given <file_system> as read-only. Note that, following the check, the file system will be remounted read-write.
quotacheck on a live file system mounted read-write is not recommended due to the possibility of quota file corruption.
cron.
acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
cp and mv commands copy or move any ACLs associated with files and directories.
mount -t ext3 -o acl <device-name> <partition>mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work/etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work /work ext3 acl 1 2
--with-acl-supportオプションに対応しているため、 ACLは認識されます。Samba共有に接続又はマウントする時に、 特別なフラグは必要ありません。
no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.
setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
setfacl -m <rules> <files><rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
u:<uid>:<perms>g:<gid>:<perms>m:<perms>o:<perms><perms>) must be a combination of the characters r, w, and x for read, write, and execute.
setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
setfacl -m u:andrius:rw /project/somefile-x option and do not specify any permissions:
setfacl -x <rules> <files>setfacl -x u:500 /project/somefiled: before the rule and specify a directory instead of a file name.
/share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /sharegetfacl command. In the example below, the getfacl is used to determine the existing ACLs for a file.
getfacl home/john/picture.png# file: home/john/picture.png # owner: john # group: john user::rw- group::r-- other::r--
[john@main /]$ getfacl home/sales/
# file: home/sales/
# owner: john
# group: john
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-xtar and dump commands do not backup ACLs.
star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to 表9.1「Command Line Options for star」 for a listing of more commonly used options. For all available options, refer to the star man page. The star package is required to use this utility.
star| オプション | 説明 |
|---|---|
-c
| アーカイブファイルを作成します。 |
-n
|
ファイルを抽出しないで下さい。ファイル抽出の影響を確認するため、 -xを併して使用して下さい。
|
-r
| アーカイブのファイルを置換します。ファイルはアーカイブファイルの最後の 方に書き込まれています。同じパスとファイル名を持つファイルを 全て置換して下さい。 |
-t
| アーカイブファイルの内容を表示します。 |
-u
| アーカイブファイルを更新します。 ファイルがアーカイブに存在しない場合、 又はファイルがアーカイブ内の同名ファイルより新しい場合はアーカイブの最後の方に書き込まれています。このオプションはこのオプションは、アーカイブがバックスペース可能な 非ブロックテープ又はファイルの場合のみ使用できます。 |
-x
|
アーカイブからファイルを抽出します。 -U及びファイルシステム の関連ファイルより古いアーカイブのファイルと併して使用された場合は、 ファイルは抽出されません。
|
-help
| 重要性が最も高いオプションを表示します。 |
-xhelp
| 重要性が最も低いオプションを表示します。 |
-/
| アーカイブよりファイルを抽出する際に、ファイル名の部分にある スラッシュを外さないようにして下さい。 デフォルトでは、ファイルが抽出された際にスラッシュが取り除かれます。 |
-acl
| ファイル又はディレクトリの作成、抽出中に関連ACLをアーカイブ又は復元します。 |
ext_attr attribute. This attribute can be seen using the following command:
tune2fs -l <filesystem-device>ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.
acl man page — Description of ACLs
getfacl man page — Discusses how to get file access control lists
setfacl man page — Explains how to set file access control lists
star man page — Explains more about the star utility and its many options
/boot partition. The /boot partition cannot be on a logical volume group because the boot loader cannot read it. If the root (/) partition is on a logical volume, create a separate /boot partition which is not a part of a volume group.
/home and / and file system types, such as ext2 or ext3. When "partitions" reach their full capacity, free space from the volume group can be added to the logical volume to increase the size of the partition. When a new hard drive is added to the system, it can be added to the volume group, and partitions that are logical volumes can be increased in size.
system-config-lvm utility to create your own LVM configuration post-installation. The next two sections focus on using Disk Druid during installation to complete this task. The third section introduces the LVM utility (system-config-lvm) which allows you to manage your LVM volumes in X windows or graphically.
/dev/sda and /dev/sdb) are used in the following examples. They detail how to create a simple configuration using a single LVM volume group with associated logical volumes during installation.
/boot partition resides on its own non-LVM partition. In the following example, it is the first partition on the first drive (/dev/sda1). Bootable partitions cannot reside on LVM logical volumes.
VolGroup00) is created, which spans all selected drives and all remaining space available. In the following example, the remainder of the first drive (/dev/sda2), and the entire second drive (/dev/sdb1) are allocated to the volume group.
LogVol00 and LogVol01) are created from the newly created spanned volume group. In the following example, the recommended swap space is automatically calculated and assigned to LogVol01, and the remainder is allocated to the root file system, LogVol00.
/home or /var, so that each file system has its own independent quota configuration limits.
/boot Partition
/boot partition cannot reside on an LVM volume because the GRUB boot loader cannot read it.
/boot Partition Displayed
/boot Partition Displayed
/, /home, and swap space. Remember that /boot cannot be a logical volume. To add a logical volume, click the button in the Logical Volumes section. A dialog window as shown in 図10.10「Creating a Logical Volume」 appears.
system-config-lvmsystem-config-lvm from a terminal.
/boot - (Ext3) file system. Displayed under 'Uninitialized Entities'. (DO NOT initialize this partition). LogVol00 - (LVM) contains the (/) directory (312 extents). LogVol02 - (LVM) contains the (/home) directory (128 extents). LogVol03 - (LVM) swap (28 extents).
/dev/hda2 while /boot was created in /dev/hda1. The system also consists of 'Uninitialized Entities' which are illustrated in 図10.17「Uninitialized Entities」. The figure below illustrates the main window in the LVM utility. The logical and the physical views of the above configuration are illustrated below. The three logical volumes exist on the same physical volume (hda2).
/ (root) directory, this task will not be successful as the volume cannot be unmounted.
/boot. Uninitialized entities are illustrated below.
/dev/hda6 was selected as illustrated below.
/mnt/backups. This is illustrated in the figure below.
rpm -qd lvm2 — This command shows all the documentation available from the lvm package, including man pages.
lvm help — This command shows all LVM commands available.
目次
rpm package. For the end user, RPM makes system updates easy. Installing, uninstalling, and upgrading RPM packages can be accomplished with short commands. RPM maintains a database of installed packages and their files, so you can invoke powerful queries and verifications on your system. If you prefer a graphical interface, you can use the Package Management Tool to perform many RPM commands. Refer to 12章Package Management Tool for details.
.tar.gz files.
rpm --help or man rpm. You can also refer to 「その他のリソース」 for more information on RPM.
foo-1.0-1.i386.rpm. The file name includes the package name (foo), version (1.0), release (1), and architecture (i386). To install a package, log in as root and type the following command at a shell prompt:
rpm -ivh foo-1.0-1.i386.rpmrpm -Uvh foo-1.0-1.i386.rpmPreparing... ########################################### [100%] 1:foo ########################################### [100%]
error: V3 DSA signature: BAD, key ID 0352860f
error: Header V3 DSA signature: BAD, key ID 0352860f
NOKEY such as:
warning: V3 DSA signature: NOKEY, key ID 0352860f
rpm -ivh instead. Refer to 42章カーネルをアップグレードする for details.
Preparing... ########################################### [100%] package foo-1.0-1 is already installed
--replacepkgs option, which tells RPM to ignore the error:
rpm -ivh --replacepkgs foo-1.0-1.i386.rpmPreparing... ########################################### [100%] file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20
--replacefiles option:
rpm -ivh --replacefiles foo-1.0-1.i386.rpmerror: Failed dependencies:
bar.so.2 is needed by foo-1.0-1
Suggested resolutions:
bar-2.0.20-3.i386.rpmrpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpmPreparing... ########################################### [100%] 1:foo ########################################### [ 50%] 2:bar ########################################### [100%]
-q --whatprovides option combination to determine which package contains the required file.
rpm -q --whatprovides bar.so.2--nodepsオプションを使用します。
rpm -e foofoo, not the name of the original package file foo-1.0-1.i386.rpm. To uninstall a package, replace foo with the actual package name of the original package.
error: Failed dependencies: foo is needed by (installed) bar-2.0.20-3.i386.rpm
--nodeps option.
rpm -Uvh foo-2.0-1.i386.rpmfoo package. Note that -U will also install a package even when there are no previous versions of the package installed.
-U option for installing kernel packages, because RPM replaces the previous kernel package. This does not affect a running system, but if the new kernel is unable to boot during your next restart, there would be no other kernel to boot instead.
-i option adds the kernel to your GRUB boot menu (/etc/grub.conf). Similarly, removing an old, unneeded kernel removes the kernel from GRUB.
saving /etc/foo.conf as /etc/foo.conf.rpmsave
package foo-2.0-1 (which is newer than foo-1.0-1) is already installed
--oldpackage option:
rpm -Uvh --oldpackage foo-1.0-1.i386.rpmrpm -Fvh foo-1.2-1.i386.rpmrpm -Fvh *.rpm/var/lib/rpm/, and is used to query what packages are installed, what versions each package is, and any changes to any files in the package since installation, among others.
-q option. The rpm -q package name command displays the package name, version, and release number of the installed package package name rpm -q foo to query installed package foo might generate the following output:
foo-2.0-1
-q to further refine or qualify your query:
-a — queries all currently installed packages.
-f <filename> — queries the RPM database for which package owns f<filename> . When specifying a file, specify the absolute path of the file (for example, rpm -qf /bin/ls ).
-p <packagefile> — queries the uninstalled package <packagefile> -i displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.
-l displays the list of files that the package contains.
-s displays the state of all the files in the package.
-d displays a list of files marked as documentation (man pages, info pages, READMEs, etc.).
-c displays a list of files marked as configuration files. These are the files you edit after installation to adapt and customize the package to your system (for example, sendmail.cf, passwd, inittab, etc.).
-v to the command to display the lists in a familiar ls -l format.
rpm -V verifies a package. You can use any of the Verify Options listed for querying to specify the packages you wish to verify. A simple use of verifying is rpm -V foo, which verifies that all the files in the foo package are as they were when they were originally installed. For example:
rpm -Vf /usr/bin/foo/usr/bin/foo is the absolute path to the file used to query a package.
rpm -Varpm -Vp foo-1.0-1.i386.rpmc denotes a configuration file) and then the file name. Each of the eight characters denotes the result of a comparison of one attribute of the file to the value of that attribute recorded in the RPM database. A single period (.) means the test passed. The following characters denote specific discrepancies:
5 — MD5 checksum
S — file size
L — symbolic link
T — file modification time
D — device
U — user
G — group
M — mode (includes permissions and file type)
? — unreadable file
<rpm-file> is the file name of the RPM package):
rpm -K --nosignature <rpm-file><rpm-file>: md5 OK-K with -Kvv in the command.
xのファイルについても同様に 解読、認証を行うことが可能です。
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-releaserpm -qa gpg-pubkey*gpg-pubkey-37017186-45761324
rpm -qi followed by the output from the previous command:
rpm -qi gpg-pubkey-37017186-45761324<rpm-file> with the filename of the RPM package):
rpm -K <rpm-file>md5 gpg OK. This means that the signature of the package has been verified, and that it is not corrupt.
rpm -Varpm -qf /usr/bin/ggvggv-2.6.0-2
/usr/bin/paste. You would like to verify the package that owns that program, but you do not know which package owns paste. Enter the following command,
rpm -Vf /usr/bin/pasterpm -qdf /usr/bin/free/usr/share/doc/procps-3.2.3/BUGS /usr/share/doc/procps-3.2.3/FAQ /usr/share/doc/procps-3.2.3/NEWS /usr/share/doc/procps-3.2.3/TODO /usr/share/man/man1/free.1.gz /usr/share/man/man1/pgrep.1.gz /usr/share/man/man1/pkill.1.gz /usr/share/man/man1/pmap.1.gz /usr/share/man/man1/ps.1.gz /usr/share/man/man1/skill.1.gz /usr/share/man/man1/slabtop.1.gz /usr/share/man/man1/snice.1.gz /usr/share/man/man1/tload.1.gz /usr/share/man/man1/top.1.gz /usr/share/man/man1/uptime.1.gz /usr/share/man/man1/w.1.gz /usr/share/man/man1/watch.1.gz /usr/share/man/man5/sysctl.conf.5.gz /usr/share/man/man8/sysctl.8.gz /usr/share/man/man8/vmstat.8.gz
rpm -qip crontabs-1.10-7.noarch.rpmName : crontabs Relocations: (not relocatable) Version : 1.10 Vendor: Red Hat, Inc. Release : 7 Build Date: Mon 20 Sep 2004 05:58:10 PM EDT Install Date: (not installed) Build Host: tweety.build.redhat.com Group : System Environment/Base Source RPM: crontabs-1.10-7.src.rpm Size : 1004 License: Public Domain Signature : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Summary : Root crontab files used to schedule the execution of programs. Description : The crontabs package contains root crontab files. Crontab is the program used to install, uninstall, or list the tables used to drive the cron daemon. The cron daemon checks the crontab files to see when particular commands are scheduled to be executed. If commands are scheduled, then it executes them.
crontabs RPM installs. You would enter the following:
rpm -qlp crontabs-1.10-5.noarch.rpm/etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab /usr/bin/run-parts
rpm --help — This command displays a quick reference of RPM parameters.
man rpm — The RPM man page gives more detail about RPM parameters than the rpm --help command.
rpm command does.
rpm -e --nodeps or rpm -U --nodeps can.
system-config-packages or pirut at shell prompt.
).
) appears beside its checkbox. This indicates that the package is queued for download and installation. You can select multiple packages to download and install; once you have made your selection, click the button.
). This indicates that the package is queued for removal; you can also select multiple packages to be removed at the same time. Once you have selected the packages you want to remove, click the button.
yum searches numerous repositories for packages and their dependencies so they may be installed together in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5.8 uses yum to fetch packages and install RPMs.
up2date is now deprecated in favor of yum (Yellowdog Updater Modified). The entire stack of tools which installs and updates software in Red Hat Enterprise Linux 5.8 is now based on yum. This includes everything, from the initial installation via Anaconda to host software management tools like pirut.
yum also allows system administrators to configure a local (i.e. available over a local network) repository to supplement packages provided by Red Hat. This is useful for user groups that use applications and packages that are not officially supported by Red Hat.
yum repository also saves bandwidth for the entire network. Further, clients that use local yum repositories do not need to be registered individually to install or update the latest packages from Red Hat Network.
createrepo package:
~]# yum install createrepo/mnt/local_repo for example).
createrepo on that directory (for example, createrepo /mnt/local_repo). This will create the necessary metadata for your Yum repository.
yum Commandsyum commands are typically run as yum <command> <package name/s> . By default, yum will automatically attempt to check all configured repositories to resolve all package dependencies during an installation/upgrade.
yum commands. For a complete list of available yum commands, refer to man yum.
yum install <package name/s> yum update <package name/s> yum will attempt to update all installed packages.
--obsoletes option is used (i.e. yum --obsoletes <package name/s> , yum will process obsolete packages. As such, packages that are obsoleted across updates will be removed and replaced accordingly.
yum check-update yum returns a list of all package updates from all repositories if any are available.
yum remove <package name/s> yum provides <file name> yum search <keyword> yum localinstall <absolute path to package name/s> yum to install a package located locally in the machine.
yum Optionsyum options are typically stated before specific yum commands; i.e. yum <options> <command> <package name/s> . Most of these options can be set as default using the configuration file.
yum options. For a complete list of available yum options, refer to man yum.
-y -t yum to be "tolerant" of errors with regard to packages specified in the transaction. For example, if you run yum update package1 package2 and package2 is already installed, yum will continue to install package1.
--exclude=<package name> yum yum is configured through /etc/yum.conf. The following is an example of a typical /etc/yum.conf file:
[main] cachedir=/var/cache/yum keepcache=0 debuglevel=2 logfile=/var/log/yum.log distroverpkg=redhat-release tolerant=1 exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 metadata_expire=1800 [myrepo] name=RHEL 5 $releasever - $basearch baseurl=http://local/path/to/yum/repository/ enabled=1
/etc/yum.conf file is made up of two types of sections: a [main] section, and a repository section. There can only be one [main] section, but you can specify multiple repositories in a single /etc/yum.conf.
[main] Options[main] section is mandatory, and there must only be one. For a complete list of options you can use in the [main] section, refer to man yum.conf.
[main] section.
cachedir yum should store its cache and database files. By default, the cache directory of yum is /var/cache/yum.
keepcache=<1 or 0> keepcache=1 instructs yum to keep the cache of headers and packages after a successful installation. keepcache=1 is the default.
reposdir=<absolute path to directory of .repo files> .repo files are located. .repo files contain repository information (similar to the [repository] section of /etc/yum.conf).
yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for each transaction. Refer to 「 [repository] Options」 for more information about options you can use for both the [repository] section and .repo files.
reposdir is not set, yum uses the default directory /etc/yum.repos.d.
gpgcheck=<1 or 0> gpgcheck=0, which disables GPG checking.
[main] section of the /etc/yum.conf file, it sets the GPG checking rule for all repositories. However, you can also set this on individual repositories instead; i.e., you can enable GPG checking on one repository while disabling it on another.
assumeyes=<1 or 0> yum should prompt for confirmation of critical actions. The default if assumeyes=0, which means yum will prompt you for confirmation.
assumeyes=1 is set, yum behaves in the same way that the command line option -y does.
tolerant=<1 or 0> tolerant=1), yum will be tolerant of errors on the command line with regard to packages. This is similar to the yum command line option -t.
tolerant=0 (not tolerant).
exclude=<package name/s> retries=<number of retries> yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 6.
[repository] Options[repository] section of the /etc/yum.conf file contains information about a repository yum can use to find packages during package installation, updating and dependency resolution. A repository entry takes the following form:
[repository ID] name=repository namebaseurl=url, file or ftp://path to repository
.repo files (for example, rhel5.repo). The format of repository information placed in .repo files is identical with the [repository] of /etc/yum.conf.
.repo files are typically placed in /etc/yum.repos.d, unless you specify a different repository path in the [main] section of /etc/yum.conf with reposdir=. .repo files and the /etc/yum.conf file can contain multiple repository entries.
repository ID]name=repository name baseurl=http, file or ftp://path repodatadirectory of a repository is located. If the repository is local to the machine, use baseurl=file://path to local repository . If the repository is located online using HTTP, use baseurl=http://link . If the repository is online and uses FTP, use baseurl=ftp://link .
baseurl line by prepending it as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of "user" and a password os "password", then the baseurl link can be specified as baseurl=http://user:password@www.example.com/repo/.
man yum.conf.
gpgcheck=<1 or 0> gpgcheck=0, which disables GPG checking.
gpgkey=URL yum needs a public key to verify a package and the required key was not imported into the RPM database.
yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless you set assumeyes=1 (in the [main] section of /etc/yum.conf) or -y (in a yum transaction).
exclude=<package name/s> exclude option in the [main] section of /etc/yum.conf. However, it only applies to the repository in which it is specified.
includepkgs=<package name/s> exclude. When this option is set on a repository, yum will only be able to see the specified packages in that repository. By default, all packages in a repository are visible to yum.
yum Variablesyum commands and yum configuration files (i.e. /etc/yum.conf and .repo files).
$releasever distroverpkg. This defaults to the version of the redhat-release package.
$arch os.uname() in Python.
$basearch $arch=i686 then $basearch=i386.
$YUM0-9 yum to unit content delivery with subscription management. The Subscription Manager handles only the subscription-system associations. yum or other package management tools handle the actual content delivery. 13章YUM (Yellowdog Updater Modified) describes how to use yum.
yum plug-ins that come with the Subscription Manager tools.
root because of the nature of the changes to the system. However, Red Hat Subscription Manager connects to the subscription service as a user account for the Customer Service Portal.
firstboot process for configuring content and updates, but the system can be registered at any time through the Red Hat Subscription Manager GUI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the Red Hat Subscription Manager tools.
yum service through the Red Hat Subscription Manager yum plug-in.
yum.
root.
[root@server1 ~]# subscription-manager-gui
subscription-manager tool. This tools has the following format:
[root@server1 ~]# subscription-manager command [options]subscription-manager help and manpage have more information.
| Command | Description |
|---|---|
| register | Registers or identifies a new system to the subscription service. |
| unregister | Unregisters a machine, which strips its subscriptions and removes the machine from the subscription service. |
| subscribe | Allocates a specific subscription to the machine. |
| redeem | Autosubscribes a machine to a pre-specified subscription that was purchased from a vendor, based on its hardware and BIOS information. |
| refresh |
Pulls the latest entitlement data from the server. Normally, the system polls the entitlement server at a set interval (4 hours by default) to check for any changes in the available subscriptions. The refresh command checks with the entitlement server right then, outside the normal interval.
|
| unsubscribe | Removes a specific subscription or all subscriptions from the machine. |
| list | Lists all of the subscriptions that are compatible with a machine, either subscriptions that are actually consumed by the machine or unused subscriptions that are available to the machine. |
| identity | Handles the identity certificate and registration ID for a system. This command can be used to return the current UUID or generate a new identity certificate. |
| facts | Lists the system information, like the release version, number of CPUs, and other architecture information. |
| clean |
Removes all of the subscription and identity data from the local system, without affecting the consumer information in the subscription service. Any of the subscriptions consumed by the system are still consumed and are not available for other systems to use. The clean command is useful in cases where the local entitlement information is corrupted or lost somehow, and the system will be reregistered using the register --consumerid=EXISTING_ID command.
|
| orgs, repos, environments | Lists all of the configured organizations, environments, and content repositories that are available to the given user account or system. These commands are used to view information in a multi-org infrastructure. They are not used to configure the local machine or multi-org infrastructure. |
libvirt-rhsm, checks VMWare, KVM, and Xen processes and then relays that information to Subscription Manager and any configured subscription service (Certificate-based Red Hat Network or a local Subscription Asset Manager). Each guest machine on a host is assigned a guest ID, and that guest ID is both associated with the host and used to generate the identity certificate for the guest when it is registered.
system type of consumer.
system, meaning that each individual server subscribes to its own entitlements for its own use. There is another type of consumer, though, which is available for server groups, the domain type. domain-based entitlements are not allocated to a single system; they are distributed across the group of servers to govern the behavior of that group of servers. (That server group is called a domain.)
system consumer and added to the inventory individually.
domain entitlements apply to the behavior of the entire server group, not to any one system.
domain entitlements using the Red Hat Subscription Manager tools, and the entitlement certificate is replicated between the domain servers.
subscription-manager-gui
rhsm.conf configuration file points to the local subscription service (in the hostname parameter) and the local content server (in the baseurl parameter). The Subscription Manager configuration is described in 「Configuring the Subscription Service」.
subscription-manager-gui
.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command. For example:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
cert.pem file directly into the /etc/pki/consumer directory. For example:
cp /tmp/downloads/cert.pem /etc/pki/consumer
register command with the user account information required to authenticate to the Certificate-Based Red Hat Network (the credentials used to access subscription service or the Customer Portal). When the system is successfully authenticated, it echoes back the newly-assigned consumer ID and the user account name which registered it.
register options are listed in 表14.2「register Options」.
[root@server1 ~]# subscription-manager register --username admin-example --password secret
7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example (the new consumer UUID and the account used for registration)--org option in addition to the username and password. The given user must also have the access permissions to add systems to that organization. (See 「Working with Subscription Asset Manager」 for information about organizations and Subscription Asset Manager.)
[root@server1 ~]# subscription-manager register --username admin-example --password secret--org="IT Department"7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example(the new consumer UUID and the account used for registration)
[root@server1 ~]# subscription-manager register --username admin-example --password secret --org="IT Department" --environment=Dev1,ITallregister command returns a Remote Server error.
register command has an option, --autosubscribe, which allows the system to be registered to the subscription service and immediately subscribed to the subscription which best matches its architecture in a single step.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --autosubscribe--activationkey option.
--org option, but in multi-org environments, the --org option is required. The organization is not defined as part of the activation key. See 「Working with Subscription Asset Manager」 for information about activation keys and Subscription Asset Manager.
# subscription-manager register --activationkey=1234abcd --org="IT Dept"| Options | Description | Required |
|---|---|---|
| --username=name | Gives the content server user account name. | Required |
| --password=password | Gives the password for the user account. | Required |
| --org=name | Gives the organization to which to join the system. | Required, except for hosted environments |
| --environment=name | Registers the consumer to an environment within an organization. | Optional |
| --name=machine_name | Sets the name of the consumer (machine) to register. This defaults to be the same as the hostname. | Optional |
| --autosubscribe | Automatically subscribes this system to the best-matched compatible subscription. This is good for automated setup operations, since the system can be configured in a single step. | Optional |
| --activation_key | Applies existing subscriptions as part of the registration process. The subscriptions are pre-assigned by a vendor or by a systems administrator using Subscription Asset Manager. | Optional |
| --force | Registers the system even if it is already registered. Normally, any register operations will fail if the machine is already registered. | Optional |
unregister command. This removes the system's entry from the subscription service, unsubscribes it from any subscriptions, and, locally, deletes its identity and entitlement certificates.
unregister.
[root@server1 ~]# subscription-manager unregister
register command. This command passes the original UUID for a system to issue a request to the subscription service to receive a new certificate using the same UUID. This essentially renews its previous registration.
register command uses the original ID to identify itself to the subscription service and restore its previous subscriptions.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --consumerid=7d133d55-876f-4f47-83eb-0ee931cb0a97
| Options | Description | Required |
|---|---|---|
| --consumerid | Gives the consumer UUID used by an existing consumer. The system's consumer entry must exist in the Red Hat subscription service for the reregister operation to succeed. | Required |
| --username=name | Gives the content server user account name. | Optional |
| --password=password | Gives the password for the user account. | Optional |
rhn-migrate-classic-to-rhsm
install-num-migrate-to-rhsm
[root@server ~]# yum install subscription-manager-migration subscription-manager-migration-datarhn-migrate-classic-to-rhsm script.
rhn-migrate-classic-to-rhsm script has this syntax:
rhn-migrate-classic-to-rhsm [--force|--cli-only|--help|--no-auto]
[root@server ~]# subscription-manager facts --list | grep migr migration.classic_system_id: 09876 migration.migrated_from: rhn_hosted_classic
rhn-migrate-classic-to-rhsm tool migrates the system profile and then opens the Subscription Manager GUI so that administrators can assign subscriptions to the system.
[root@server ~]# rhn-migrate-classic-to-rhsm RHN Username: jsmith@example.com Password:
Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5
/etc/pki/product directory.
List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !!
Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
Attempting to register system to Certificate-based RHN ... The system has been registered with id: abcd1234 System server.example.com successfully registered to Certificate-based RHN. Launching the GUI tool to manually subscribe the system ...
rhn-migrate-classic-to-rhsm can automatically subscribe the system to matching subscriptions.
--cli-only option tells the rhn-migrate-classic-to-rhsm to register the system with the autosubscribe option, so all of the migration process occurs in the command line.
[root@server ~]# rhn-migrate-classic-to-rhsm --cli-only RHN Username: jsmith@example.com Password: .... Attempting to auto-subscribe to appropriate subscriptions ... Installed Product Current Status: ProductName: Red Hat Enterprise Linux Desktop Status: Subscribed Please visit https://access.redhat.com/management/consumers/abcd1234 to view the details, and to make changes if necessary.
rhn-migrate-classic-to-rhsm tool can be used simply to unregister a system from RHN Classic. This still copies over the product certificates for the classic channels to configure the system in the style of certificate-based subscriptions, but it does not register the machine with subscription service.
--no-auto option.
[root@server ~]# rhn-migrate-classic-to-rhsm --no-auto RHN Username: jsmith@example.com Password: Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5 List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !! Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
rhn-migrate-classic-to-rhsm uses the information in /etc/sysconfig/rhn/systemid to get the previous registration information and map channels to certificates. If a system is disconnected, it may not have a systemid file.
/etc/sysconfig/rhn/install-num file.
[root@server ~]# python /usr/lib/python2.4/site-packages/instnum.py da3122afdb7edd23 Product: RHEL Client Type: Installer Only Options: Eval FullProd Workstation Allowed CPU Sockets: Unlimited Allowed Virtual Instances: Unlimited Package Repositories: Client Workstation key: 14299426 "da3122" checksum: 175 "af" options: 4416 "Eval FullProd Workstation" socklimit: -1 "Unlimited" virtlimit: -1 "Unlimited" type: 2 "Installer Only" product: 1 "client" {"Workstation": "Workstation", "Base": "Client"}
install-num-migrate-to-rhsm script identifies the channels that a disconnected system is subscribed to and then copies in the appropriate product certificates. Simply run the command:
[root@server ~]# install-num-migrate-to-rhsm/etc/pki/product directory.
[root@server ~]# subscription-manager facts --list | grep migr migration.migrated_from: install_number
/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt) uses simple keys to map the values:
channel_name:product_name-hash-product_cert.pem
rhel-i386-client-workstation-5: Client-Workstation-i386-b0d4c042-6e31-45a9-bd94-ff0b82e43b1a-71.pem
.pem and the product certificate is copied into the /etc/pki/product directory. For the rhel-i386-client-workstation-5, this migrates to the 71.pem product certificate (the last two digits of the mapping).
jbappplatform-4.3.0-fp-i386-server-5-rpm: none
subscription-manager-gui
subscription-manager-gui
--pool option.
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567
subscribe command are listed in 表14.4「subscribe Options」.
list command:
[root@server1 ~]# subscription-manager list --available
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20--auto option (which is analogous to the --autosubscribe option with the register command).
[root@server1 ~]# subscription-manager subscribe --auto
| Options | Description | Required |
|---|---|---|
| --pool=pool-id | Gives the ID for the subscription to subscribe the machine to. |
Required, unless --auto is used
|
| --auto | Automatically subscribes the system to the best-match subscription or subscriptions. | Optional |
| --quantity | Subscribes multiple counts of an entitlement to the system. This is used to cover subscriptions that define a count limit, like using two 2-socket server subscriptions to cover a 4-socket machine. | Optional |
unsubscribe command with the --all unsubscribes the system from every product and subscription pool it is currently subscribed to.
[root@server1 ~]# subscription-manager unsubscribe --all
unsubscribe command to remove only that product subscription.
cert.pem file or by using the list command. For example:
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: High availability (cluster suite)
ContractNumber: 0
SerialNumber: 11287514358600162
Active: True
Begins: 2010-09-18
Expires: 2011-11-18--serial option to specify the certificate.
[root@server1 ~]# subscription-manager unsubscribe --serial=11287514358600162
--quantity option. The quantity taken applies to the product in the --pool option:
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567 --quantity=2
.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the subscription certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
subscription-manager-gui
.pem file of the product certificate.
subscription-manager-gui
redeem command, with an email address to send the redemption email to when the process is complete.
# subscription-manager redeem --email=jsmith@example.com# subscription-manager redeem --email=jsmith@example.com --org="IT Dept"
list command to display different areas of the subscriptions and products on the system.
| Option | Description |
|---|---|
| --installed (or nothing) |
Lists all of the installed and subscribed product on the system. If no option is given with list, it is the same as using the --installed argument.
|
| --consumed | Lists all of the subscriptions allocated to the system. |
| --available [--all] |
Using --available alone lists all of the compatible, active subscriptions for the system. Using --available --all lists all options, even ones not compatible with the system or with no more available quantities.
|
| --ondate=YYYY-MM-DD |
Shows subscriptions which are active and available on the specified date. This is only used with the --available option. If this is not used, then the command uses the current date.
|
| --installed | Lists all of the products that are installed on the system (and whether they have a subscription) and it lists all of the product subscriptions which are assigned to the system (and whether those products are installed). |
list command shows all of the subscriptions that are currently allocated to the system by using the --consumed option.
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
ContractNumber: 1458961
SerialNumber: 171286550006020205
Active: True
Begins: 2009-01-01
Expires: 2011-12-31list command shows all of the subscriptions that are compatible with and available to the system using the --available option. To include every subscription the organization has — both the ones that are compatible with the system and others for other platforms — use the --all option with the --available. The --ondate option shows only subscriptions which are active on that date, based on their activation and expiry dates.
[root@server1 ~]# subscription-manager list --available --all
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20
ProductName: RHEL Workstation
ProductId: MKT-rhel-workstation-mkt
PoolId: 5e09a31f95885cc4
Quantity: 10
Expires: 2011-09-20
[snip]--installed option correlates the products that are actually installed on the system (and their subscription status) and the products which could be installed on the system based on the assigned subscriptions (and whether those products are installed).
[root@server1 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux
Status: Not Subscribed
Expires:
Subscription:
ContractNumber:
AccountNumber:
ProductName: Awesome OS Server
Status: Not Installed
Expires: 2012-02-20
Subscription: 54129829316535230
ContractNumber: 39
AccountNumber: 12331131231
yum. Subscription Manager has its own yum plug-ins: product-id for subscription-related information for products and subscription-manager which is used for the content repositories.
baseurl parameter of the rhsm.conf file.
[root@server ~]# yum repolist all repo id repo name status rhel-5-server Red Hat Enterprise Linux 5Server - enabled: 1,749 rhel-5-server-beta Red Hat Enterprise Linux 5Server Be enabled: 869 rhel-5-server-optional-rpms Red Hat Enterprise Linux 5Server Op disabled rhel-5-server-supplementary Red Hat Enterprise Linux 5Server Su disabled
rhel-5-server-optional-rpms and rhel-5-server-supplementary, respectively.
yum-config-manager command:
[root@server ~]# yum-config-manager --enable rhel-5-server-optional-rpms
yum. This uses the --enablerepo repo_name option. For example:
# yum install rubygems --enablerepo=rhel-5-server-optional-rpms Loaded plugins:product-id, refresh-packagekit,subscription-managerUpdating Red Hat repositories. ....
yum is described in 13章YUM (Yellowdog Updater Modified).
[root@server ~]# subscription-manager list
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
Status: Not Subscribed
Expires:
SerialNumber:
ContractNumber:
AccountNumber:
rhsmcertd. This daemon checks the certificate validity dates daily. If a subscription is within 24 hours of expiring, then Subscription Manager will check for any available compatible subscriptions and automatically re-subscribes the system, much like auto-subscribing during registration.
autoheal parameter to the Subscription Manager configuration.
vim /etc/rhsm/rhsm.conf
[rhsmcertd] area, add the autoheal line, and set the value to true.
[rhsmcertd]
certFrequency = 240
healFrequency = 1440
autoheal = trueconfig command:
[root@server1 ~]# subscription-manager config --rhsmcertd.autoheal=true
healFrequency parameter to zero means that Subscription Manager simply uses the default time setting.
# vim /etc/rhsm/rhsm.conf
[rhsmcertd] section, set the healFrequency parameter to the time, in minutes, to check for changed subscriptions.
[rhsmcertd] certFrequency = 240 healFrequency = 1440
rhsmcertd daemon to reload the configuration.
# service rhsmcertd start
hostname parameter in the [server] area in the rhsm.conf configuration file. The content delivery network URL is configured in the baseurl parameter in the [rhsm] area. These values can be reset using the config command. For example:
[root@server1 ~]# subscription-manager config --server.hostname=sam.example.com --rhsm.baseurl=sam.example.com
config command is covered in 「Using the config Command」.
orgs, environments, and repos commands list the organization, environment, and repository information for the system, depending on the organization and environments it belongs to.
[root@server1 ~]# subscription-manager orgs --username=jsmith --password=secret
+-------------------------------------------+
admin Organizations
+-------------------------------------------+
OrgName: Admin Owner
OrgKey: admin
OrgName: Dev East
OrgKey: deveast
OrgName: Dev West
OrgKey: devwest
[root@server1 ~]# subscription-manager environments --username=jsmith --password=secret --org=admin
+-------------------------------------------+
Environments
+-------------------------------------------+
Name: Locker
Description: None
Name: Dev
Description:
Name: Prod
Description:
[root@server1 ~]# subscription-manager repos --list
+----------------------------------------------------------+
Entitled Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
RepoName: never-enabled-content
RepoId: never-enabled-content
RepoUrl: https://content.example.com/repos/optional
Enabled: 0
RepoName: always-enabled-content
RepoId: always-enabled-content
RepoUrl: https://content.example.com/repos/dev
Enabled: 1
RepoName: content
RepoId: content-label
RepoUrl: https://content.example.com/repos/prod
Enabled: 1.pem file.
https://access.redhat.com/
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
refresh command updates all of the subscription information that is available to the consumer. This removes expired subscriptions and adds new subscriptions to the list. This does not subscribe the machine, but it does pull in the newest data for administrators to use.
[root@server1 ~]# subscription-manager refresh
rhsm.conf configuration file. There are other support files that either influence the Red Hat Subscription Manager service or can help administrators better use the Subscription Manager.
| File or Directory | Description |
|---|---|
| /etc/rhsm | The primary Red Hat Subscription Manager configuration directory. |
| /etc/rhsm/rhsm.conf | The Red Hat Subscription Manager configuration file. This is used by both the GUI and the CLI. |
| /etc/rhsm/facts |
Any user-defined JSON files that override or add system facts to determine entitlement compatibility. Any facts files must end in .facts.
|
| /var/lib/rhsm/cache/installed_products.json | A master list of installed products, which is sent by Subscription Manager to a hosted content service, such as Subscription Asset Manager. |
| /var/lib/rhsm/facts/facts.facts | The default system facts filed, gathered by the Subscription Manager. |
| /var/lib/rhsm/packages/ | The package profile cache (a list of installed products) which is gathered and periodically updated by the Subscription Manager. |
| /var/log/rhsm | The Red Hat Subscription Manager log directory. |
| /var/log/rhsm/rhsm.log | The log for the Red Hat Subscription Manager tools. |
| /var/log/rhsm/rhsmcertd.log |
The log for the Red Hat Subscription Manager daemon, rhsmcertd.
|
| /etc/pki/consumer | The directory which contains the identity certificates used by the system to identify itself to the subscription service. |
| /etc/pki/consumer/cert.pem | The base-64 consumer identity certificate file. |
| /etc/pki/consumer/key.pem | The base-64 consumer identity key file. |
| /etc/pki/entitlement | The directory which contains the entitlement certificates for the available subscriptions. |
/etc/pki/product/product_serial#.pem
| The product certificates for installed software products. |
| /var/run/subsys/rhsm | Runtime files for Red Hat Subscription Manager |
| /etc/init.d/rhsmcertd | The subscription certificate daemon. |
| /etc/cron.daily/rhsm-complianced and /usr/libexec/rhsm-complianced | Files to run daily checks and notifications for subscription validity. |
| /etc/yum/pluginconf.d/rhsmplugin.conf |
The configuration file to include the Red Hat Subscription Manager plug-in in the yum configuration.
|
| /usr/share/rhsm | All of the Python and script files used by both Red Hat Subscription Manager tool to perform subscription tasks. |
| /usr/share/rhsm/gui | All of the Python script and image files used to render the Red Hat Subscription Manager GUI. |
rhsm.conf. This file configures several important aspects of how Red Hat Subscription Manager interacts with both entitlements and content services:
rhsm.conf file is divided into three sections. Two major sections defined the subscription service ([server]) and content and product delivery ([rhsm]). The third section relates to the rhsmcertd daemon. Each assertion is a simple attribute= value pair. Any of the default values can be edited; all possible attributes are present and active in the default rhsm.conf file.
# Red Hat Subscription Manager Configuration File: # Unified Entitlement Platform Configuration [server] # Server hostname: hostname = subscription.rhn.redhat.com # Server prefix: prefix = /subscription # Server port: port = 443 # Set to 1 to disable certificate validation: insecure = 0 # Set the depth of certs which should be checked # when validating a certificate ssl_verify_depth = 3 # Server CA certificate location: ca_cert_dir = /etc/rhsm/ca/ # an http proxy server to use proxy_hostname = # port for http proxy server proxy_port = # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password = [rhsm] # Content base URL: baseurl= https://cdn.redhat.com # Default CA cert to use when generating yum repo configs: repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem # Where the certificates should be stored productCertDir = /etc/pki/product entitlementCertDir = /etc/pki/entitlement consumerCertDir = /etc/pki/consumer [rhsmcertd] # Frequency of certificate refresh (in minutes): certFrequency = 240 # Frequency of autoheal check (1440 min = 1 day): healFrequency = 1440
| Parameter | Description | Default Value |
|---|---|---|
| [server] Parameters | ||
| hostname | Gives the IP address or fully-qualified domain name of the subscription service. | subscription.rhn.redhat.com |
| prefix | Gives the directory, in the URL, to use to connect to the subscription service. | /subscription |
| port | Gives the port to use to connect to the subscription service. | 443 |
| insecure | Sets whether to use a secure (0) or insecure (1) connection for connections between the Subscription Manager clients and the subscription service. | 0 |
| ssl_verify_depth | Sets how far back in the certificate chain to verify the certificate. | 3 |
| proxy_hostname | Gives the hostname of the proxy server. This is required. | |
| proxy_port | Gives the port of the proxy server. This is required. | |
| proxy_user | Gives the user account to use to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| proxy_password | Gives the password credentials to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| ca_cert_dir | Gives the location for the CA certificate for the CA which issued the subscription service's certificates. This allows the client to identify and trust the subscription service for authentication for establishing an SSL connection. | /etc/rhsm/ca |
| [rhsm] Parameters | ||
| baseurl | Gives the full URL to access the content delivery system. | https://cdn.redhat.com |
| repo_ca_cert | Identifies the default CA certificate to use to set the yum repo configuration. | %(ca_cert_dir)sredhat-uep.pem |
| showIncompatiblePools |
Sets whether to display subscription pools which are not compatible with the system's architecture but which have been purchased by an organization. By default, Subscription Manager only displays subscriptions which are compatible with, and therefore available to, the system.
This parameter only applies to the Subscription Manager GUI. Incompatible subscriptions can be displayed in the CLI by using the
--all option with the list command.
| 0 |
| productCertDir | Sets the root directory where the product certificates are stored and can be accessed by Subscription Manager. | /etc/pki/product |
| consumerCertDir | Sets the directory where the identity certificate for the system is stored and can be accessed by Subscription Manager. | /etc/pki/consumer |
| entitlementCertDir | Sets the directory where the entitlement certificates for the system are stored and can be accessed by Subscription Manager. Each subscription has its own entitlement certificate. | /etc/pki/entitlement |
| [rhsmcertd] Parameters | ||
| certFrequency | Sets the interval, in minutes, to check and update entitlement certificates used by Subscription Manager. | 240 |
| healFrequency | Sets the interval, in minutes, to check for change subscriptions and installed products and to allocate subscriptions, as necessary, to maintain subscription status for all products. | 240 |
subscription-manager has a subcommand that can change the rhsm.conf configuration file. Almost all of the connection information used by Subscription Manager to access the subscription server, content server, and any proxies is set in the configuration file, as well as general configuration parameters like the frequency Subscription Manager checks for entitlements updates. There are major divisions in the rhsm.conf file, such as [server] which is used to configure the subscription server. When changing the Subscription Manager configuration, the settings are identified with the format section.parameter and then the new value. For example:
server.hostname=newsubscription.example.com
config command:
[root@server1 ~]# subscription-manager config --section.parameter=newValue
[root@server1 ~]# subscription-manager config --server.hostname=subscription.example.com
rhsm.conf file parameters are listed in 表14.7「rhsm.conf Parameters」. This is most commonly used to change connection settings:
config command also has a --remove option. This deletes the the current value for the parameter without supplying a new parameter. A blank value tells Subscription Manager to use any default values that are set for that parameter rather than a user-defined value. For example:
[root@server1 ~]# subscription-manager config --remove=rhsm.certFrequency The default value for rhsm.certFrequency will now be used.
[root@server1 ~]# subscription-manager config --remove=server.proxy You have removed the value in section server for parameter proxy.
subscription-manager-gui
rhsm.conf file; this is the same as configuring it in the Subscription Manager GUI. The proxy configuration is stored and used for every connection between the subscription service and the local system.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the HTTP proxy. All parameters are described in 表14.7「rhsm.conf Parameters」. There are four parameters directly related to the proxy:
proxy_hostname for the IP address or fully-qualified domain name of the proxy server; this is required.
proxy_hostname argument blank means that no HTTP proxy is used.
proxy_port for the proxy server port.
proxy_user for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
proxy_password for the password for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
[server] # an http proxy server to use proxy_hostname = proxy.example.com # port for http proxy server proxy_port = 443 # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password =
subscription-manager.
| Argument | Description | Required for a Proxy Connection? |
|---|---|---|
| --proxy | Gives the proxy server to connect to, in the format hostname:port. | Yes |
| --proxyuser | Gives the username to use to authenticate. This is only required if user authentication is required. | No |
| --proxypass | Gives the password to use with the user account. This is only required if user authentication is required. | No |
subscription-manager operation. For example:
[root@server1 ~]# subscription-manager subscribe --pool=ff8080812bc382e3012bc3845ca000cb --proxy=proxy.example.com:8443 --proxyuser=jsmith --proxypass=secret
rhsm.conf file. The subscription service connection settings are in the [server] section of the configuration file.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the subscription service connection. All parameters are described in 表14.7「rhsm.conf Parameters」. There are three parameters directly related to the connection:
hostname for the IP address or fully-qualified domain name of the machine
prefix for the subscription service directory
port for the subscription service port
[server] hostname=entitlements.server.example.com prefix=/candlepin port=8443
vim /etc/rhsm/rhsm.conf
baseurl directive in the [rhsm] section. This is the full URL to the service.
[rhsm] # Content base URL: baseurl= http://content.example.com/content
vim /etc/rhsm/rhsm.conf
[server] section that relate to a secure connection. All parameters are described in 表14.7「rhsm.conf Parameters」. There are three parameters directly related to the connection:
insecure to set whether to use a secure (0) or insecure (1) connection
ca_cert_dir for the directory location for the CA certificate for authentication and verification
port for the subscription service port; this should be an SSL port if a secure connection is required
[server]
port=8443
insecure = 1
ca_cert = /etc/rhsm/carhsmcertd, runs as a service on the system. The daemon, by default, starts with the system, and it can be started, stopped, or checked with the service command.
service rhsmcertd status rhsmcertd (pid 13084) is running...
chkconfig」. When a system reboots, some services can be automatically restarted. chkconfig also defines startup settings for different run levels of the server.
chkconfig. By default, the Red Hat Subscription Manager daemon, rhsmcertd, is configured to run at levels 3, 4, and 5, so that the service is started automatically when the server reboots.
chkconfig. For example, to enable run level 2:
chkconfig --level 2345 rhsmcertd on
rhsmcertd from the start list, change the run level settings off:
chkconfig --level 2345 rhsmcertd off
service and chkconfig settings.
system-config-services package must be installed for the wizard to be available.
rhsmcertd item in the list of services on the left, and then edit the service as desired.
/var/log/rhsm directory:
rhsm.log shows every invocation and result of running the Subscription Manager GUI or CLI
rhsmcertd.log shows every time a new certificate is generated, which happens on a schedule defined by the certFrequency parameter in the rhsm.conf file.
rhsm.log log contains the sequence of every Python call for every operation invoked through the Subscription Manager tools. Each entry has this format:
YYYY-MM-DD HH:MM:SS,process_id [MESSAGE_TYPE] call python_script response
rhsm.log relates to the Python script or function that was called, there can be multiple log entries for a single operation.
2010-10-01 17:27:57,874 [INFO] _request() @connection.py:97 - status code: 200 2010-10-01 17:27:57,875 [INFO] perform() @certlib.py:132 - updated: Total updates: 0 Found (local) serial# [] Expected (UEP) serial# [] Added (new) <NONE> Deleted (rogue): <NONE> Expired (not deleted): <NONE> Expired (deleted): <NONE> 2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:193 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/pki/CA/candlepin.pem, insecure = True 2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:196 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
rhsmcertd.log file are much simpler. The log only records when the rhsmcertd daemon starts or stops and every time a certificate is updated.
Fri Oct 1 13:27:44 2010: started: interval = 240 minutes Fri Oct 1 13:27:50 2010: certificates updated
--all option:
[root@server1 ~]# subscription-manager list --available --all
rhsm.conf configuration file.
vim /etc/rhsm/rhsm.conf
showIncompatiblePools directive in the [rhsm] section. A value of 0 shows only compatible entitlements.
[rhsm]
# Content base URL:
showIncompatiblePools = 1/etc/redhat-release or /etc/sysconfig. In both the Red Hat Subscription Manager GUI and CLI, the facts are represented as simple attribute: value pairs.
subscription-manager-gui
facts with the --list option.
[root@server1 ~]# subscription-manager facts --list cpu.architecture: i686 cpu.core(s)_per_socket: 4 cpu.cpu(s): 4 cpu.cpu_family: 6 cpu.cpu_mhz: 2000.010 cpu.cpu_op-mode(s): 32-bit, 64-bit cpu.cpu_socket(s): 1 cpu.l1d_cache: 32K cpu.l1i_cache: 32K cpu.l2_cache: 6144K cpu.model: 23 cpu.stepping: 6 cpu.thread(s)_per_core: 1 cpu.vendor_id: GenuineIntel cpu.virtualization: VT-x distribution.id: Santiago distribution.name: Red Hat Enterprise Linux Workstation distribution.version: 5 dmi.baseboard.manufacturer: IBM dmi.baseboard.product_name: Server Blade ... [snip] ...
--update option with the facts command.
[root@server1 ~]# subscription-manager facts --update
/var/lib/rhsm/facts/facts.facts. These facts are stored as attribute: value pairs, in a comma-separated list.
{"fact1": "value1","fact2": "value2"}/etc/rhsm/facts directory. These JSON files can override existing facts or even add new facts to be used by the subscription service.
vim /etc/rhsm/facts/my-example.facts {"uname.machine": "x86","kernel_version": "2.6.32","physical_location": "MTV colo rack 5"}
identity command. Although not required, using the --force option will require the username and password and will cause the Subscription Manager to prompt for the credentials if they are not passed in the command:
[root@server1 ~]# subscription-manager identity --regenerate --force Username: jsmith@example.com Password: Identity certificate has been regenerated.
identity command to return the current UUID. The UUID is the Current identity is value.
[root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: server1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059a
list --installed command with the command-line tools.
rhsmcertd, checks the system periodically — once when it is first registered and then when it runs a refresh operation every four hours — to get the most current list of installed products. When the system is registered and then whenever there is a change to the package list, Subscription Manager sends an updated package profile to the subscription service.
/var/lib/rhsm/packages/.
subscription-manager script. Information like the consumer ID or subscription pool ID is pulled up and referenced automatically in the Red Hat Subscription Manager UI, but it has to be entered manually in the command line.
| Information | Description | Operations Used In | Find It In ... |
|---|---|---|---|
| Consumer ID | A unique identifier for each system that is registered to the subscription service. | identity |
The simplest method is to use the identity command to return the current UUID.
[root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: consumer-1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059aThe Subject CN element of the identity certificate for the system, /etc/pki/consumer/cert.pem. The UUID can also be returned by using openssl to pretty-print the certificate.
openssl x509 -text -in /etc/pki/consumer/cert.pem Certificate: ... snip ... Subject: CN=7d133d55 876f 4f47 83eb 0ee931cb0a97 |
| Pool ID | An identifier for a specific set of subscriptions. This set is created when subscriptions are purchased. Whenever a system needs to subscribe to a product, it references a pool ID to identify which purchased set of subscriptions to use. | subscribe |
The PoolID value given for a product when listing available subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: Red Hat Enterprise Linux, Standard (up to 2 sockets) 3 year ProductId: MCT0346F3 PoolId: ff8080812bc382e3012bc3845ca000cb Quantity: 2 Expires: 2011-02-28 |
| Product certificate serial number | The identification used for a specific, installed product. A certificate with a unique serial number is generated when a product is installed; this serial number is used to identify that specific product installation when managing subscriptions. | unsubscribe |
The SerialNumber line in the product subscription information. This can be returned by running list --consumed.
[root@server1 ~]# subscription-manager list --consumed +-----------------------------+ Consumed Product Subscriptions +-----------------------------+ ProductName: High availability (cluster suite) ContractNumber: 0 SerialNumber: 11287514358600162 .... |
| Product ID | The internal identifier used to identify a type of product. |
The ProductID value given for a product when listing available subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: RHEL for Physical Servers ProductId: MKT-rhel-server ... snip ... |
.pem formatted file. This file format stores both keys and certificates in a base-64 blob. For example:
-----BEGIN CERTIFICATE----- MIIDaTCCAtKgAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UEAxMhY2Fu ZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJVUzEQMA4G A1UEBxMHUmFsZWlnaDAeFw0xMDEwMDYxNjMyMDVaFw0xMTEwMDYyMzU5NTlaMC8x LTArBgNVBAMMJDQ4ODFiZDJmLTg2OGItNDM4Yy1hZjk2LThiMWQyODNkYWZmYzCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNyLw6+IMtjY03F7Otxj2GL GTz5VKx1kfWY7q4OD4w+XlBHTkt+2tQV9S+4TFkUZ7XoI80LDL/BONpy/gq5c5cw yKvjv2gjSS/pihgYNXc5zUOIfSj1vb3fHGHOkzdCcZMyWq1z0N/zaLClp/zP/pcM og4NTAg2niNPjFYvkQ+oIl16WmQpefM0y0SY7N7oJd2T8dZjOiuLV2cVZLfwjrwG 9UpkT2J03g+n1ZA9q95ibLD5NVOdTy9+2lfRhdDViZaVoFiQXvg86qBHQ0ieENuF a6bCvGgpTxcBuVXmsnl2+9dnMiwoDqPZp1HB6G2uNmyNe/IvkTOPFJ/ZVbtBTYUC AwEAAaOB8zCB8DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSwMHsGA1Ud IwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQDEyFjYW5k bGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYD VQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFGbB5fqOzh32g4Wqrwhc /96IupIgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdEQQWMBSkEjAQMQ4wDAYD VQQDDAV4ZW9wczANBgkqhkiG9w0BAQUFAAOBgQANxHRsev4fYfnHO9kYcHo4UeK7 owN+fq92gl76iRHRnhzkPlhWL+uV2tyqGG9zJASOX+qEDOqN5sVAB4iNQTDGiUbK z757igD2hsQ4ewv9Vq3QtnajWnfdaUZH919GgWs09Etg6ucsKwgfx1fqjSRLBbOo lZuvBTYROOX6W2vKXw== -----END CERTIFICATE-----
openssl or pk12util can be used to extract and view information from these certificates, in a pretty-print format. The product- and subscription-related information is extracted and viewable in the Red Hat Subscription Manager GUI or command-line tools.
| Certificate Type | Description | Default Location |
|---|---|---|
| Consumer Identity Certificate | Used to identify the system (consumer) to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the consumer. | /etc/pki/consumer |
| Entitlement Certificate | Contains a list of products that are available to a system to install, based on the subscriptions that the system has been subscribed to. The entitlement certificate defines the software products, the content delivery location, and validity dates. The presence of an entitlement certificate means that the system has consumed one of the quantities from the subscription. | /etc/pki/entitlement |
| Product Certificate | Contains the information about a product after it has been installed. |
/etc/pki/product/product_serial#.pem
|
| CA Certificate | A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSl to connect to the subscription service. | /etc/rhsm/ca/candlepin-ca.pem |
| Satellite Certificate | An XML-formatted certificate which contains a product list. This is used by local Satellite 5.x systems, not the newer subscription service. |
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1430 (0x596)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=entitlement.server.example.com, C=US, L=Raleigh
Validity
Not Before: Oct 6 16:32:05 2010 GMT
Not After : Oct 6 23:59:59 2011 GMT
Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71:
8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e:
0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8:
4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72:
fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9:
8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df:
1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3:
68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36:
9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29:
79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63:
3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64:
4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9:
35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95:
a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85:
6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76:
fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae:
36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41:
4d:85
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Authority Key Identifier:
keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82
DirName:/CN=entitlement.server.example.com/C=US/L=Raleigh
serial:D6:CE:78:B1:56:9C:37:41
X509v3 Subject Key Identifier:
66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DirName:/CN=admin-example
Signature Algorithm: sha1WithRSAEncryption
0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2:
bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58:
56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea:
8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00:
f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46:
47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57:
ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b:
ca:5f*.pem file stored in the entitlement certificates directory, /etc/pki/entitlement. The name of the *.pem file is a generated numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:da:6c:06:90:7f:ff
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=candlepin1.devlab.phx1.redhat.com, C=US, L=Raleigh
Validity
Not Before: Oct 8 17:55:28 2010 GMT
Not After : Oct 2 23:59:59 2011 GMT
Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...1.3.6.1.4.1.2312.9.2.product_#.config_#: ..config_value
2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
1.3.6.1.4.1.2312.9. The subsequent numbers identify different subscription areas:
.2. is the product-specific information
.1. is the subscription information
.4. contains the contract information, like its ID number and start and end dates
.5. contains the consumer information, like the consumer ID which installed a product
content repository type
1.3.6.1.4.1.2312.9.2.30393.1:
..yum
product
1.3.6.1.4.1.2312.9.2.30393.1.1:
.HRed Hat Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
channel name
1.3.6.1.4.1.2312.9.2.30393.1.2:
.Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
vendor
1.3.6.1.4.1.2312.9.2.30393.1.5:
..Red Hat
download URL
1.3.6.1.4.1.2312.9.2.30393.1.6:
.Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
key download URL
1.3.6.1.4.1.2312.9.2.30393.1.7:
.2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
flex quantity
1.3.6.1.4.1.2312.9.2.30393.1.4:
..0
quantity
1.3.6.1.4.1.2312.9.2.30393.1.3:
..25
repo enabled setting
1.3.6.1.4.1.2312.9.2.30393.1.8:
..1*.pem file stored in the entitlement certificates directory, /etc/pki/product/product_serial#.pem. The name of the *.pem file is a generated numeric identifier that is generated by the subscription service. As with entitlement tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
<rhn-cert-field name="configuration_area">value</rhn-cert-field>
name argument identifies what entity is being configured. This can be the organization which ordered the subscription (name="owner"), the start and end dates for the entitlement (name="issued" and name="expires"), or the entitlement itself. A system entitlement uses the name argument to set the service being entitled; every content entitlement is set as a name="channel-family" type, with the specific product identified in an additional family argument.
name argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
<rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field> <rhn-cert-field name="owner">Example Corp</rhn-cert-field> <rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field> <rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field> ... [snip] ... <rhn-cert-field name="satellite-version">5.3</rhn-cert-field> <rhn-cert-field name="generation">2</rhn-cert-field> <rhn-cert-signature> -----BEGIN PGP SIGNATURE----- Version: Crypt::OpenPGP 1.03 iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg== =gqP7 -----END PGP SIGNATURE----- </rhn-cert-signature>
name="slot" field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
<rhn-cert-field name="slots">119</rhn-cert-field>
name argument and then setting the quantity as the value within the tags.
<rhn-cert-field name="provisioning-slots">117</rhn-cert-field> <rhn-cert-field name="monitoring-slots">20</rhn-cert-field> <rhn-cert-field name="virtualization_host">67</rhn-cert-field>
rhel-server family, while a specific Virtualization Server subscription provides an additional rhel-server-vt family..
<rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/> <rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
rhel-* family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the rhel-rhdirserv family.
<rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
<rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>
目次
/etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory:
/etc/hosts 127.0.0.1) as localhost.localdomain. For more information, refer to the hosts man page.
/etc/resolv.conf resolv.conf man page.
/etc/sysconfig/network /etc/sysconfig/network」.
/etc/sysconfig/network-scripts/ifcfg-<interface-name> /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion.
ifcfg-<name> , where <name> refers to the name of the device that the configuration file controls.
ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-eth<X> files (where <X> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0 BOOTPROTO=none ONBOOT=yes NETWORK=10.0.1.0 NETMASK=255.255.255.0 IPADDR=10.0.1.27 USERCTL=no
ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
system-config-network) is an easy way to make changes to the various network interface configuration files (refer to 16章ネットワーク設定 for detailed instructions on using this tool).
BONDING_OPTS=<parameters> /etc/sysconfig/network-scripts/ifcfg-bond<N> (see 「チャンネルボンディングインターフェース」). These parameters are identical to those used for bonding devices in /sys/class/net/<bonding device>/bonding, and the module parameters for the bonding driver as described in bonding Module Directives.
BONDING_OPTS in ifcfg-<name> , do not use /etc/modprobe.conf to specify options for the bonding device.
BOOTPROTO=<protocol> <protocol> none — No boot-time protocol should be used.
bootp — The BOOTP protocol should be used.
dhcp — The DHCP protocol should be used.
BROADCAST=<address> <address> ipcalc.
DEVICE=<name> <name> DHCP_HOSTNAME=<name> <name>DNS{1,2}=<address> <address> /etc/resolv.conf if the PEERDNS directive is set to yes.
ETHTOOL_OPTS=<options> <options> ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
autoneg off option. This needs to be stated first, as the option entries are order-dependent.
GATEWAY=<address> <address> is the IP address of the network router or gateway device (if any).
HOTPLUG=<answer> <answer> is one of the following:
yes — This device should be activated when it is hot-plugged (this is the default option).
no — This device should not be activated when it is hot-plugged.
HOTPLUG=no option can be used to prevent a channel bonding interface from being activated when a bonding kernel module is loaded.
HWADDR=<MAC-address> <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module. This directive should not be used in conjunction with MACADDR.
IPADDR=<address> <address> LINKDELAY=<time> <time> is the number of seconds to wait for link negotiation before configuring the device.
MACADDR=<MAC-address> <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive is used to assign a MAC address to an interface, overriding the one assigned to the physical NIC. This directive should not be used in conjunction with HWADDR.
MASTER=<bond-interface> <bond-interface> SLAVE directive.
NETMASK=<mask> <mask> NETWORK=<address> <address> ipcalc.
ONBOOT=<answer> <answer> yes — This device should be activated at boot-time.
no — This device should not be activated at boot-time.
PEERDNS=<answer> <answer> yes — Modify /etc/resolv.conf if the DNS directive is set. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SLAVE=<answer> <answer> yes — This device is controlled by the channel bonding interface specified in the MASTER directive.
no — This device is not controlled by the channel bonding interface specified in the MASTER directive.
MASTER directive.
SRCADDR=<address> <address> USERCTL=<answer> <answer> yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec1.
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X
X.X.X.X はパブリックにルート可能な目的地 IPsec ルータの IP アドレスです。
DST=<address> <address> is the IP address of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations.
DSTNET=<network> <network> is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.
SRC=<address> <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.
SRCNET=<network> <network> is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.
TYPE=<interface-type> <interface-type> is IPSEC. Both applications are part of the ipsec-tools package.
/usr/share/doc/initscripts-<version-number>/sysconfig.txt (replace <version-number> with the version of the initscripts package installed) for configuration parameters.
racoon IKEv1 key management daemon negotiates and configures a set of parameters for IPSec. It can use preshared keys, RSA signatures, or GSS-API. If racoon is used to automatically manage key encryption, the following options are required:
IKE_METHOD=<encryption-method> <encryption-method> is either PSK, X509, or GSSAPI. If PSK is specified, the IKE_PSK parameter must also be set. If X509 is specified, the IKE_CERTFILE parameter must also be set.
IKE_PSK=<shared-key> <shared-key> is the shared, secret value for the PSK (preshared keys) method.
IKE_CERTFILE=<cert-file> <cert-file> is a valid X.509 certificate file for the host.
IKE_PEER_CERTFILE=<cert-file> <cert-file> is a valid X.509 certificate file for the remote host.
IKE_DNSSEC=<answer> <answer> is yes. The racoon daemon retrieves the remote host's X.509 certificate via DNS. If a IKE_PEER_CERTFILE is specified, do not include this parameter.
setkey man page. For more information about racoon, refer to the racoon and racoon.conf man pages.
bonding kernel module and a special network interface called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
/etc/sysconfig/network-scripts/ directory called ifcfg-bond<N> , replacing <N> with the number for the interface, such as 0.
DEVICE= directive must be bond<N> , replacing <N> with the number for the interface.
ifcfg-bond0:
DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="<bonding parameters separated by spaces>"MASTER= and SLAVE= directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.
eth0 and eth1 may look like the following example:
DEVICE=eth<N>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no<N> with the numerical value for the interface.
/etc/modprobe.conf:
alias bond<N> bonding<N> with the number of the interface, such as 0.
/etc/modprobe.conf file. Instead, specify them as a space-separated list in the BONDING_OPTS="<bonding parameters>" directive in the ifcfg-bond<N> interface file.
debug parameter, which cannot be used on a per-device basis, and which should therefore be specified in /etc/modprobe.conf as follows:
options bonding debug=1
ifcfg-<if-name>:<alias-value> naming scheme.
ifcfg-eth0:0 file could be configured to specify DEVICE=eth0:0 and a static IP address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed, 10.0.0.2 IP address.
ifcfg-<if-name>-<clone-name> . While an alias file allows multiple addresses for an existing interface, a clone file is used to specify additional options for an interface. For example, a standard DHCP Ethernet interface called eth0, may look similar to this:
DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp
USERCTL directive is no if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying ifcfg-eth0 to ifcfg-eth0-user and add the following line to ifcfg-eth0-user:
USERCTL=yes
eth0 interface using the /sbin/ifup eth0-user command because the configuration options from ifcfg-eth0 and ifcfg-eth0-user are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
ifcfg-ppp<X> <X> is a unique number corresponding to a specific interface.
wvdial, the Network Administration Tool or Kppp is used to create a dialup account. It is also possible to create and edit this file manually.
ifcfg-ppp0 file:
DEVICE=ppp0 NAME=test WVDIALSECT=test MODEMPORT=/dev/modem LINESPEED=115200 PAPNAME=test USERCTL=true ONBOOT=no PERSIST=no DEFROUTE=yes PEERDNS=yes DEMAND=no IDLETIMEOUT=600
ifcfg-sl0.
DEFROUTE=<answer> <answer> yes — Set this interface as the default route.
no — Do not set this interface as the default route.
DEMAND=<answer> <answer> yes — This interface allows pppd to initiate a connection when someone attempts to use it.
no — A connection must be manually established for this interface.
IDLETIMEOUT=<value> <value> INITSTRING=<string> <string> LINESPEED=<value> <value> 57600, 38400, 19200, and 9600.
MODEMPORT=<device> <device> MTU=<value> <value> 576 results in fewer packets dropped and a slight improvement to the throughput for a connection.
NAME=<name> <name> PAPNAME=<name> <name> PERSIST=<answer> <answer> yes — This interface should be kept active at all times, even if deactivated after a modem hang up.
no — This interface should not be kept active at all times.
REMIP=<address> <address> WVDIALSECT=<name> <name> /etc/wvdial.conf. This file contains the phone number to be dialed and other important information for the interface.
ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo, should never be edited manually. Doing so can prevent the system from operating correctly.
ifcfg-irlan0 ifcfg-plip0 ifcfg-tr0 /etc/sysconfig/network-scripts/ directory: /sbin/ifdown and /sbin/ifup.
ifup and ifdown interface scripts are symbolic links to scripts in the /sbin/ directory. When either of these scripts are called, they require the value of the interface to be specified, such as:
ifup eth0ifup and ifdown interface scripts are the only scripts that the user should use to bring up and take down network interfaces.
/etc/rc.d/init.d/functions and /etc/sysconfig/network-scripts/network-functions. Refer to 「ネットワーク機能ファイル」 for more information.
/etc/sysconfig/network-scripts/ directory:
ifup-aliases ifup-ippp and ifdown-ippp ifup-ipsec and ifdown-ipsec ifup-ipv6 and ifdown-ipv6 ifup-ipx ifup-plip ifup-plusb ifup-post and ifdown-post ifup-ppp and ifdown-ppp ifup-routes ifdown-sit and ifup-sit ifup-sl and ifdown-sl ifup-wireless /etc/sysconfig/network-scripts/ directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface.
/sbin/service command on the network service (/etc/rc.d/init.d/network), as illustrated the following command:
service network <action><action> can be either start, stop, or restart.
service network statusroute command to display the IP routing table.
/etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives.
default viaX.X.X.Xdevinterface
X.X.X.X is the IP address of the default gateway. The interface is the interface that is connected to, or can reach, the default gateway.
X.X.X.X/XviaX.X.X.Xdevinterface
X.X.X.X/X is the network number and netmask for the static route. X.X.X.X and interface are the IP address and interface for the default gateway respectively. The X.X.X.X address does not have to be the default gateway IP address. In most cases, X.X.X.X will be an IP address in a different subnet, and interface will be the interface that is connected to, or can reach, that subnet. Add as many static routes as required.
route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
default via 192.168.0.1 dev eth0 10.10.10.0/24 via 192.168.0.1 dev eth0 172.16.1.0/24 via 192.168.0.1 dev eth0
10.10.10.0/24 via 10.10.10.1 dev eth1
ifup command: "RTNETLINK answers: File exists" or 'Error: either "to" is a duplicate, or "X.X.X.X" is a garbage.', where X.X.X.X is the gateway, or a different IP address. These errors can also occur if you have another route to another network using the default gateway. Both of these errors are safe to ignore.
route-interface files. The following is a template for the network/netmask format, with instructions following afterwards:
ADDRESS0=X.X.X.XNETMASK0=X.X.X.XGATEWAY0=X.X.X.X
ADDRESS0=X.X.X.X is the network number for the static route.
NETMASK0=X.X.X.X is the netmask for the network number defined with ADDRESS0=X.X.X.X .
GATEWAY0=X.X.X.X is the default gateway, or an IP address that can be used to reach ADDRESS0=X.X.X.X
route-eth0 file using the network/netmask directives format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks. However, as mentioned before, this example is not necessary as the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway:
ADDRESS0=10.10.10.0 NETMASK0=255.255.255.0 GATEWAY0=192.168.0.1 ADDRESS1=172.16.1.0 NETMASK1=255.255.255.0 GATEWAY1=192.168.0.1
ADDRESS0, ADDRESS1, ADDRESS2, and so on.
ADDRESS0=10.10.10.0 NETMASK0=255.255.255.0 GATEWAY0=10.10.10.1
/etc/sysconfig/network-scripts/network-functions file contains the most commonly used IPv4 functions, which are useful to many interface control scripts. These functions include contacting running programs that have requested information about changes in the status of an interface, setting hostnames, finding a gateway device, verifying whether or not a particular device is down, and adding a default route.
/etc/sysconfig/network-scripts/network-functions-ipv6 file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface.
/usr/share/doc/initscripts-<version>/sysconfig.txt /usr/share/doc/iproute-<version>/ip-cref.ps ip command, which can be used to manipulate routing tables, among other things. Use the ggv or kghostview application to view this file.
/etc/hosts file used to store additional hostnames and IP address combinations.
system-config-network at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running; otherwise, the text-based version is displayed.
system-config-network-cmd --help as root to view all of the options.
Modem as shown in 図16.7「Modem Device」.
system-config-network がローカルホスト上で開始されると、その時はもう1つの X11 アプリケーションを開始することが出来ません。その場合、再ログインして新しいデスクトップセッションを開く必要があります。
/etc/hosts file. This file contains IP addresses and their corresponding hostnames.
/etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the /etc/hosts file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts file.
/etc/hosts file, go to the Hosts tab, click the button on the toolbar, provide the requested information, and click OK. Select > or press Ctrl+S to save the changes to the /etc/hosts file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.
localhost entry. Even if the system does not have a network connection or have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.
/etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the /etc/hosts file.
eth0_office, so that it can be recognized more easily. Once you have finished editing your new profile, make sure to save it by clicking from the menu. If you forget to save after creating a profile, that profile will be lost.
eth0_office in a profile called Office and want to activate the logical device if the profile is selected, uncheck the eth0 device and check the eth0_office device.
eth0.
eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.
netprofile=<profilename> option. For example, if the system uses GRUB as the boot loader and /boot/grub/grub.conf contains:
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.9-5.EL.img<profilename> is the name of the profile to be activated at boot time):
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
netprofile=<profilename> \ rhgb quiet
initrd /initrd-2.6.9-5.EL.imgsystem-control-network) to select a profile and activate it. The activate profile section only appears in the Network Device Control interface if more than the default Common interface exists.
<profilename> with the name of the profile):
system-config-network-cmd --profile <profilename> --activateeth0 —to use a static IP address (DHCP does not work with aliases), go to the Devices tab and click . Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as eth0:1.
eth0 device. Notice the eth0:1 device — the first alias for eth0. The second alias for eth0 would have the device name eth0:2, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the button.
/sbin/ifconfig. The output should show the device and the device alias with different IP addresses:
eth0 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.5 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:161930 errors:1 dropped:0 overruns:0 frame:0 TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0 collisions:475 txqueuelen:100 RX bytes:55075551 (52.5 Mb) TX bytes:178108895 (169.8 Mb) Interrupt:10 Base address:0x9000 eth0:1 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.42 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:10 Base address:0x9000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:5998 errors:0 dropped:0 overruns:0 frame:0 TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1627579 (1.5 Mb) TX bytes:1627579 (1.5 Mb)
/tmp/network-config, execute the following command as root:
system-config-network-cmd -e > /tmp/network-configsystem-config-network-cmd -i -c -f /tmp/network-config-i オプションはデータのインポートで、 -c オプションはインポートの前に既存の設定を消去するという意味です。 -f オプションは、インポートするファイルが以下の通りであることを指定します。
httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
xinetd and the services in the /etc/rc.d/init.d hierarchy (also known as SysV services) can be configured to start or stop using three different applications:
xinetd services can not be started, stopped, or restarted using this program.
chkconfigxinetd services can not be started, stopped, or restarted using this utility.
/etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.
iptables to configure an IP firewall. If you are a new Linux user, note that iptables may not be the best solution for you. Setting up iptables can be complicated, and is best tackled by experienced Linux system administrators.
iptables is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, iptables can provide it for you. Refer to 「Netfilter と IPTables」 and 「IPTables の使い方」 for more information about iptables.
system-config-securitylevel), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.
/etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.
/etc/inittab file, which contains a line near the top of the file similar to the following:
id:5:initdefault:
xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules that allow clients to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to hosts_access in section 5 of the man pages (man 5 hosts_access) for details.
xinetdxinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.
xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.
xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig. For a list of network services controlled by xinetd, review the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
/etc/rc.d/init.d directory are started at boot time (for runlevels 3, 4, and 5) and which xinetd services are enabled. It also allows you to start, stop, and restart SysV services as well as reload xinetd.
system-config-services at a shell prompt (for example, in an XTerm or a GNOME terminal).
/etc/rc.d/init.d directory as well as the services controlled by xinetd. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an xinetd service, the status window shows whether the service is currently running. If the service is controlled by xinetd, the status window displays the phrase xinetd service.
xinetd service, the action buttons are disabled because they cannot be started or stopped individually.
xinetd service by checking or unchecking the checkbox next to the service name, you must select > from the pulldown menu (or the button above the tabs) to reload xinetd and immediately enable/disable the xinetd service that you changed. xinetd is also configured to remember the setting. You can enable/disable multiple xinetd services at a time and save the changes when you are finished.
rsync to enable it in runlevel 3 and then save the changes. The rsync service is immediately enabled. The next time xinetd is started, rsync is still enabled.
xinetd services, xinetd is reloaded, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
xinetd service to start at boot time for the currently selected runlevel, check the box beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting > from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.
httpd service from checked to unchecked and then select , the runlevel 3 configuration changes so that httpd is not started at boot time. However, runlevel 3 is not reinitialized, so httpd is still running. Select one of following options at this point:
httpd service — Stop the service by selecting it from the list and clicking the button. A message appears stating that the service was stopped successfully.
telinit x (where x is the runlevel number; in this example, 3.). This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately.
httpd service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the httpd service running.
xinetd-managed service on or off. You can also use ntsysv to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the --level option. For example, the command ntsysv --level 345 configures runlevels 3, 4, and 5.
xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service <daemon> stop (where <daemon> is the name of the service you want to stop; for example, httpd). Replace stop with start or restart to start or restart the service.
chkconfigchkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd.
chkconfig --list command is used to query a service managed by xinetd, it displays whether the xinetd service is enabled (on) or disabled (off). For example, the command chkconfig --list rsync returns the following output:
rsync on
rsync is enabled as an xinetd service. If xinetd is running, rsync is enabled.
chkconfig --list to query a service in /etc/rc.d, that service's settings for each runlevel are displayed. For example, the command chkconfig --list httpd returns the following output:
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
chkconfig can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn nscd off in runlevels 3, 4, and 5, use the following command:
chkconfig --level 345 nscd offxinetd are immediately affected by chkconfig. For example, if xinetd is running while rsync is disabled, and the command chkconfig rsync on is executed, then rsync is immediately enabled without having to restart xinetd manually. Changes for other services do not take effect immediately after using chkconfig. You must stop or start the individual service with the command service <daemon> stop (where <daemon> is the name of the service you want to stop; for example, httpd). Replace stop with start or restart to start or restart the service.
ntsysv, chkconfig, xinetd, and xinetd.conf.
man 5 hosts_access — The man page for the format of host access control files (in section 5 of the man pages).
xinetd webpage. It contains sample configuration files and a more detailed list of features.
named サービスとしても知られています。これは、 Services Configuration Tool (system-config-service) を通じて 管理することができます。
bob.sales.example.com
.). In this example, com defines the top level domain for this FQDN. The name example is a sub-domain under com, while sales is a sub-domain under example. The name furthest to the left, bob, identifies a specific machine hostname.
/usr/sbin/named daemon. BIND also includes an administration utility called /usr/sbin/rndc. More information about rndc can be found in 「Using rndc 」.
/etc/named.conf named daemon
/var/named/ directorynamed working directory which stores zone, statistic, and cache files
bind-chroot パッケージをインストールしている場合、 BIND サービスは、 /var/named/chroot 環境内で動作します。全ての設定ファイルはそこへ移動されます。その状態で、 named.conf は /var/named/chroot/etc/named.conf に置かれることになります。
caching-nameserver パッケージをインストールしている場合、デフォルトの設定ファイルは /etc/named.caching-nameserver.conf です。このデフォルト設定を変えるには、 /etc/named.conf 内に自己のカスタム設定ファイルを作成します。再起動の後では BIND は、デフォルト設定ファイルではなく、 /etc/named.conf のカスタムファイルを使用します。
/etc/named.conf named.conf file is a collection of statements using nested options surrounded by opening and closing ellipse characters, { }. Administrators must be careful when editing named.conf to avoid syntax errors as many seemingly minor errors prevent the named service from starting.
named.conf file is organized similar to the following example:
<statement-1>["<statement-1-name>"] [<statement-1-class>] {<option-1>;<option-2>;<option-N>; };<statement-2>["<statement-2-name>"] [<statement-2-class>] {<option-1>;<option-2>;<option-N>; };<statement-N>["<statement-N-name>"] [<statement-N-class>] {<option-1>;<option-2>;<option-N>; };
/etc/named.conf:
acl Statementacl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.
acl statement takes the following form:
acl<acl-name>{<match-element>; [<match-element>; ...] };
<acl-name> with the name of the access control list and replace <match-element> with a semi-colon separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.
any — Matches every IP address
localhost — Matches any IP address in use by the local system
localnets — Matches any IP address on any network to which the local system is connected
none — Matches no IP addresses
options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.
options statement to define how they are treated by the nameserver:
acl black-hats {
10.0.2.0/24;
192.168.0.0/24;
};
acl red-hats {
10.0.1.0/24;
};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-recursion { red-hats; };
};black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.
include Statementinclude statement allows files to be included in a named.conf file. In this way, sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions.
include statement takes the following form:
include "<file-name>"<file-name> is replaced with an absolute path to a file.
options Statementoptions statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more.
options statement takes the following form:
options {
<option>;
[<option>; ...]
};<option> directives are replaced with a valid option.
allow-query allow-recursion allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.
blackhole directory named working directory if different from the default value, /var/named/.
forwarders forward forwarders directive.
first — Specifies that the nameservers listed in the forwarders directive be queried before named attempts to resolve the name itself.
only — Specifies that named does not attempt name resolution itself in the event that queries to nameservers specified in the forwarders directive fail.
listen-on named listens for queries. By default, all interfaces are used.
listen-on directive:
options {
listen-on { 10.0.1.1; };
};10.0.1.1) are accepted.
notify named notifies the slave servers when a zone is updated. It accepts the following options:
yes — Notifies slave servers.
no — Does not notify slave servers.
explicit — Only notifies slave servers specified in an also-notify list within a zone statement.
pid-file named.
root-delegation-only root-delegation-only example specifies an exclude list of TLDs from whom undelegated responses are expected and trusted:
options {
root-delegation-only exclude { "ad"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "id";
"lu"; "lv"; "md"; "ms"; "museum"; "name"; "no"; "pa";
"pf"; "se"; "sr"; "to"; "tw"; "us"; "uy"; };
};statistics-file named statistics are saved to the /var/named/named.stats file.
bind.conf man page for more details.
zone Statementzone statement defines the characteristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements.
zone statement takes the following form:
zone<zone-name><zone-class>{<zone-options>; [<zone-options>; ...] };
<zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characterizing the zone.
<zone-name> attribute for the zone statement is particularly important. It is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.
caching-nameserver パッケージをインストールしている場合、デフォルトの設定ファイルは /etc/named.rfc1912.zones の中になります。
zone statement defines the namespace for example.com, use example.com as the <zone-name> so it is placed at the end of hostnames within the example.com zone file.
zone statement options include the following:
allow-query allow-transfer allow-update named service.
file named working directory that contains the zone's configuration data.
masters type slave.
notify named notifies the slave servers when a zone is updated. This directive accepts the following options:
yes — Notifies slave servers.
no — Does not notify slave servers.
explicit — Only notifies slave servers specified in an also-notify list within a zone statement.
type delegation-only — Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as NXDOMAIN. This option is only applicable in TLDs or root zone files used in recursive or caching implementations.
forward — Forwards all requests for information about this zone to other nameservers.
hint — A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
master — Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
slave — Designates the nameserver as a slave server for this zone. Also specifies the IP address of the master nameserver for the zone.
zone-statistics named to keep statistics concerning this zone, writing them to either the default location (/var/named/named.stats) or the file listed in the statistics-file option in the server statement. Refer to 「他のステートメントタイプ」 for more information about the server statement.
zone Statements/etc/named.conf file of a master or slave nameserver involves adding, modifying, or deleting zone statements. While these zone statements can contain many options, most nameservers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave nameserver relationship.
zone statement for the primary nameserver hosting example.com (192.168.0.1):
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also tells named not to allow any other hosts to update.
zone statement for example.com is slightly different from the previous example. For a slave server, the type is set to slave and in place of the allow-update line is a directive telling named the IP address of the master server.
zone statement for example.com zone:
zone "example.com" {
type slave;
file "example.com.zone";
masters { 192.168.0.1; };
};zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The information that the slave server receives from the master server is saved to the /var/named/example.com.zone file.
named.conf:
controls rndc command to administer the named service.
/etc/named.conf 」 to learn more about how the controls statement is structured and what options are available.
key "<key-name>" rndc command. Two options are used with key:
algorithm <algorithm-name> — The type of algorithm used, such as dsa or hmac-md5.
secret "<key-value>" — The encrypted key.
/etc/rndc.conf 」 for instructions on how to write a key statement.
logging channel option within the logging statement, a customized type of log can be constructed — with its own file name (file), size limit (size), versioning (version), and level of importance (severity). Once a customized channel is defined, a category option is used to categorize the channel and begin logging when named is restarted.
named logs standard messages to the syslog daemon, which places them in /var/log/messages. This occurs because several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
server named should respond to remote nameservers, especially with regard to notifications and zone transfers.
transfer-format option controls whether one resource record is sent with each message (one-answer) or multiple resource records are sent with each message (many-answers). While many-answers is more efficient, only newer BIND nameservers understand it.
trusted-keys view "<view-name>" match-clients option specifies the IP addresses that apply to a particular view. Any options statement may also be used within a view, overriding the global options already configured for named. Most view statements contain multiple zone statements that apply to the match-clients list. The order in which view statements are listed is important, as the first view statement that matches a particular client's IP address is used.
view statement.
named.conf:
// — When placed at the beginning of a line, that line is ignored by named.
# — When placed at the beginning of a line, that line is ignored by named.
/* and */ — When text is enclosed in these tags, the block of text is ignored by named.
named working directory (/var/named/) by default. Each zone file is named according to the file option data in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.
bind-chroot パッケージをインストールしている場合は、 BIND サービスは /var/named/chroot 環境内で動作します。全ての設定ファイルはそこに移動されます。その状態で、ゾーンファイルは /var/named/chroot/var/named 内で見つけることができます。
;) in zone files.
$) followed by the name of the directive. They usually appear at the top of the zone file.
$INCLUDE named to include another zone file in this zone file at the place where the directive appears. This allows additional zone settings to be stored apart from the main zone file.
$ORIGIN
$ORIGIN example.com.
.) are appended with example.com.
$ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name is used as the value for the $ORIGIN directive by default.
$TTL A
<host> IN A <IP-address> <host> value is omitted, then an A record points to a default IP address for the top of the namespace. This system is the target for all non-FQDN requests.
A record examples for the example.com zone file:
server1 IN A 10.0.1.3 IN A 10.0.1.5
example.com are pointed to 10.0.1.3 or 10.0.1.5.
CNAME named that any requests sent to the <alias-name> should point to the host, <real-name>. CNAME records are most commonly used to point to services that use a common naming scheme, such as www for Web servers.
<alias-name> IN CNAME <real-name> A record binds a hostname to an IP address, while a CNAME record points the commonly used www hostname to it.
server1 IN A 10.0.1.5 www IN CNAME server1
MX
IN MX <preference-value> <email-server-name>
<preference-value> allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. The MX resource record with the lowest <preference-value> is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.
<email-server-name> may be a hostname or FQDN.
IN MX 10 mail.example.com. IN MX 20 mail2.example.com.
mail.example.com email server is preferred to the mail2.example.com email server when receiving email destined for the example.com domain.
NSNS record:
IN NS <nameserver-name>
<nameserver-name> should be an FQDN.
IN NS dns1.example.com. IN NS dns2.example.com.
PTRPTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. Refer to 「逆引き名前解決ゾーンファイル」 for more examples of PTR records in use.
SOASOA resource record is the first resource record in a zone file.
SOA resource record:
@ IN SOA<primary-name-server><hostmaster-email>(<serial-number><time-to-refresh><time-to-retry><time-to-expire><minimum-TTL>)
@ symbol places the $ORIGIN directive (or the zone's name, if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record. The hostname of the primary nameserver that is authoritative for this domain is the <primary-name-server> directive, and the email of the person to contact about this namespace is the <hostmaster-email> directive.
<serial-number> directive is a numerical value incremented every time the zone file is altered to indicate it is time for named to reload the zone. The <time-to-refresh> directive is the numerical value slave servers use to determine how long to wait before asking the master nameserver if any changes have been made to the zone. The <serial-number> directive is a numerical value used by the slave servers to determine if it is using outdated zone data and should therefore refresh it.
<time-to-retry> directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the event that the master nameserver is not answering. If the master has not replied to a refresh request before the amount of time specified in the <time-to-expire> directive elapses, the slave servers stop responding as an authority for requests concerning that namespace.
<minimum-TTL> directive is the amount of time other nameservers cache the zone's information. However, in BIND 9, the <minimum-TTL> directive defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (3H).
M), hours (H), days (D), and weeks (W). The table in 表18.1「他の時間単位と比較した秒数」 shows an amount of time in seconds and the equivalent time in another format.
| 秒 | 他の時間単位 |
|---|---|
60
|
1M
|
1800
|
30M
|
3600
|
1H
|
10800
|
3H
|
21600
|
6H
|
43200
|
12H
|
86400
|
1D
|
259200
|
3D
|
604800
|
1W
|
31536000
|
365D
|
SOA resource record might take when it is populated with real values.
@ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day
$ORIGIN example.com. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; ; IN NS dns1.example.com. IN NS dns2.example.com. dns1 IN A 10.0.1.1 IN AAAA aaaa:bbbb::1 dns2 IN A 10.0.1.2 IN AAAA aaaa:bbbb::2 ; ; @ IN MX 10 mail.example.com. IN MX 20 mail2.example.com. mail IN A 10.0.1.5 IN AAAA aaaa:bbbb::5 mail2 IN A 10.0.1.6 IN AAAA aaaa:bbbb::6 ; ; ; This sample zone file illustrates sharing the same IP addresses ; for multiple services: ; services IN A 10.0.1.10 IN AAAA aaaa:bbbb::10 IN A 10.0.1.11 IN AAAA aaaa:bbbb::11 ftp IN CNAME services.example.com. www IN CNAME services.example.com. ; ;
SOA values are used. The authoritative nameservers are set as dns1.example.com and dns2.example.com, which have A records that tie them to 10.0.1.1 and 10.0.1.2, respectively.
MX records point to mail and mail2 via A records. Since the mail and mail2 names do not end in a trailing period (.), the $ORIGIN domain is placed after them, expanding them to mail.example.com and mail2.example.com. Through the related A resource records, their IP addresses can be determined.
www.example.com (WWW), are pointed at the appropriate servers using a CNAME record.
zone statement in the named.conf similar to the following:
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
PTR resource records are used to link the IP addresses to a fully qualified domain name.
PTR record:
<last-IP-digit> IN PTR <FQDN-of-system> <last-IP-digit> is the last number in an IP address which points to a particular system's FQDN.
10.0.1.1 through 10.0.1.6 are pointed to corresponding FQDNs. It can be located in /var/named/example.com.rr.zone.
$ORIGIN 1.0.10.in-addr.arpa. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; @ IN NS dns1.example.com. ; 1 IN PTR dns1.example.com. 2 IN PTR dns2.example.com. ; 5 IN PTR server1.example.com. 6 IN PTR server2.example.com. ; 3 IN PTR ftp.example.com. 4 IN PTR ftp.example.com.
zone statement in the named.conf file similar to the following:
zone "1.0.10.in-addr.arpa" IN {
type master;
file "example.com.rr.zone";
allow-update { none; };
};
zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP address reversed followed by .in-addr.arpa. This allows the single block of IP numbers used in the reverse name resolution zone file to be associated with the zone.
rndc rndc which allows command line administration of the named daemon from the localhost or a remote host.
named daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf and the rndc configuration file, /etc/rndc.conf.
bind-chroot パッケージをインストールしている場合、 BIND サービスは /var/named/chroot 環境の中で動作します。全ての 設定ファイルはそこへ移動され、その状態で、 rndc.conf ファイルは /var/named/chroot/etc/rndc.conf 内に置かれます。
rndc ユーティリティが chroot 環境で実行されないため、 /etc/rndc.conf は /var/named/chroot/etc/rndc.conf への symlink であることに注意して下さい。
/etc/named.conf rndc to connect to a named service, there must be a controls statement in the BIND server's /etc/named.conf file.
controls statement, shown in the following example, allows rndc to connect from the localhost.
controls {
inet 127.0.0.1
allow { localhost; } keys { <key-name>; };
};
named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The <key-name> specifies a name in the key statement within the /etc/named.conf file. The next example illustrates a sample key statement.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
<key-value> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
<key-value> area can be found in the <key-file-name> /etc/named.conf is world-readable, it is advisable to place the key statement in a separate file, readable only by root, and then use an include statement to reference it. For example:
include "/etc/rndc.key";
named daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
query-source (and query-source-v6) directive, or one randomly chosen at startup. When a static query source port is used, TXID offers insufficient protection against spoofed replies and allows an attacker to efficiently perform cache-poisoning attacks. To address this issue, BIND was updated to allow the use of a randomly-selected source port for each DNS query, making it more difficult for an attacker to spoof replies, when the query packets cannot be detected. A security update [3] was released for all the affected Red Hat Enterprise Linux versions. Additionally, the default configuration provided by the caching-nameserver package was updated to no longer specify a fixed query source port.
53 as a query source port, and only allow DNS queries from that port on the firewall.
/etc/rndc.conf key is the most important statement in /etc/rndc.conf.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
<key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.
/etc/named.conf, add the following lines to /etc/rndc.conf.
options {
default-server localhost;
default-key "<key-name>";
};
rndc configuration file can also specify different keys for different servers, as in the following example:
server localhost {
key "<key-name>";
};
/etc/rndc.conf file.
/etc/rndc.conf file, refer to the rndc.conf man page.
rndc command takes the following form:
rndc <options> <command> <command-options>
rndc on a properly configured localhost, the following commands are available:
halt — Stops the named service immediately.
querylog — Logs all queries made to this nameserver.
refresh — Refreshes the nameserver's database.
reload — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions.
reload command.
stats — Dumps the current named statistics to the /var/named/named.stats file.
stop — Stops the server gracefully, saving any dynamic update and Incremental Zone Transfers (IXFR) data before exiting.
/etc/rndc.conf file. The following options are available:
-c <configuration-file> — Specifies the alternate location of a configuration file.
-p <port-number> — Specifies a port number to use for the rndc connection other than the default port 953.
-s <server> — Specifies a server other than the default-server listed in /etc/rndc.conf.
-y <key-name> — Specifies a key other than the default-key option in /etc/rndc.conf.
rndc man page.
named to provide name resolution services or to act as an authority for a particular domain or sub-domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
view statement in named.conf, BIND can present different information depending on which network a request originates from.
view statement uses the match-clients option to match IP addresses or entire networks and give them special options and zone data.
A6 zone records.
lwresd lightweight resolver daemon on all network clients. This daemon is a very efficient, caching-only nameserver which understands the new A6 and DNAME records used under IPv6. Refer to the lwresd man page for more information.
/etc/named.conf file.
named to refuse to start.
.) in zone files after all FQDNs and omit them on hostnames.
named appends the name of the zone or the $ORIGIN value to complete it.
named daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible. For important security information regarding fixed UDP source ports, refer to 「Firewall Blocking Communication」
<version-number> with the version of bind installed on the system:
/usr/share/doc/bind-<version-number>/ /usr/share/doc/bind-<version-number>/arm/ /usr/share/doc/bind-<version-number>/draft/ /usr/share/doc/bind-<version-number>/misc/ migration document for specific changes they must make when moving to BIND 9. The options file lists all of the options implemented in BIND 9 that are used in /etc/named.conf.
/usr/share/doc/bind-<version-number>/rfc/ man rndc — Explains the different options available when using the rndc command to control a BIND nameserver.
man named — Explores assorted arguments that can be used to control the BIND nameserver daemon.
man lwresd — Describes the purpose of and options available for the lightweight resolver daemon.
man named.conf — A comprehensive list of options available within the named configuration file.
man rndc.conf — A comprehensive list of options available within the rndc configuration file.
telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
openssh) as well as the OpenSSH server (openssh-server) and client (openssh-clients) packages. Note, the OpenSSH packages require the OpenSSL package (openssl) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
openssh-server package is required and is dependent on the openssh package.
/etc/ssh/sshd_config. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config, read the sshd man page for a list of the keywords that can be defined in the configuration file.
/sbin/service sshd start. To stop the OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start automatically at boot time, refer to 17章サービスへのアクセスの制御 for information on how to manage services.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.
/etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
telnet
rsh
rlogin
vsftpd
chkconfig, the ncurses-based program /usr/sbin/ntsysv, or the Services Configuration Tool (system-config-services) graphical application. All of these tools require root level access.
chkconfig, /usr/sbin/ntsysv, and the Services Configuration Tool, refer to 17章サービスへのアクセスの制御.
ssh, scp, and sftp) and one for the server daemon (sshd).
/etc/ssh/ directory:
moduli — Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
ssh_config — The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (~/.ssh/config).
sshd_config — The configuration file for the sshd daemon.
ssh_host_dsa_key — The DSA private key used by the sshd daemon.
ssh_host_dsa_key.pub — The DSA public key used by the sshd daemon.
ssh_host_key — The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_key.pub — The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_rsa_key — The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
ssh_host_rsa_key.pub — The RSA public key used by the sshd for version 2 of the SSH protocol.
~/.ssh/ directory:
authorized_keys — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
id_dsa — Contains the DSA private key of the user.
id_dsa.pub — The DSA public key of the user.
id_rsa — The RSA private key used by ssh for version 2 of the SSH protocol.
id_rsa.pub — The RSA public key used by ssh for version 2 of the SSH protocol
identity — The RSA private key used by ssh for version 1 of the SSH protocol.
identity.pub — The RSA public key used by ssh for version 1 of the SSH protocol.
known_hosts — This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server.
known_hosts file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
ssh_config and sshd_config man pages for information concerning the various directives available in the SSH configuration files.
openssh-clients and openssh packages installed on the client machine.
ssh Commandssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.netssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)?
yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
ssh username@penguin.example.netssh -l username penguin.example.net.
ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc/usr/share/doc will be displayed, and you will return to your local shell prompt.
scp Commandscp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp.
scp <localfile> username@tohostname:<remotefile><localfile> specifies the source including path to the file, such as /var/log/maillog. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog. For the remote system, if you do not have a preceding /, the path will be relative to the home directory of username, typically /home/username/.
shadowman to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowmanshadowman to /home/username/shadowman on penguin.example.net. Alternately, you can leave off the final shadowman in the scp command.
scp username@tohostname:<remotefile> <newlocalfile><remotefile> specifies the source including path, and <newlocalfile> specifies the destination including path.
downloads/ to an existing directory called uploads/ on the remote machine penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/sftp Commandsftp utility can be used to open a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.
-Y オプションを使用して SSH サーバーに接続し、ローカルマシン上の X プログラムを開くだけのことです。
ssh -Y <user>@example.comsystem-config-printer &ssh -L local-port:remote-hostname:remote-port username@hostnamemail.example.com using POP3 through an encrypted connection, use the following command:
ssh -L 1100:mail.example.com:110 mail.example.commail.example.com server.
mail.example.com is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
ssh -L 1100:mail.example.com:110 other.example.comother.example.com. Then, other.example.com connects to port 110 on mail.example.com to check for new mail. Note, when using this technique only the connection between the client system and other.example.com SSH server is secure.
No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the sshd service.
ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
.ssh directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
ssh-keygen -t rsa~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
.ssh directory using the following command:
chmod 755 ~/.ssh~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keysssh-agent with a GUI」. If you are not running the X Window System, skip to 「Configuring ssh-agent」.
ssh-keygen -t dsa~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_dsa.pub. The private key is written to ~/.ssh/id_dsa. It is important never to give anyone the private key.
.ssh directory with the following command:
chmod 755 ~/.ssh~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keysssh-agent with a GUI」. If you are not running the X Window System, skip to 「Configuring ssh-agent」.
ssh-keygen -t rsa1~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
~/.ssh/identity.pub. The private key is written to ~/.ssh/identity. Do not give anyone the private key.
.ssh directory and your key with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.
~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys does not exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine.
ssh-agent with a GUI」. If you are not running GNOME, skip to 「Configuring ssh-agent」.
ssh-agent with a GUIssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the gnome-ssh-askpass package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, refer to 「Configuring ssh-agent」.
gnome-ssh-askpass installed; you can use the command rpm -q openssh-askpass to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
/usr/bin/ssh-add in the Startup Command text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click to exit the program.
ssh, scp, or sftp.
ssh-agentssh-agent can be used to store your passphrase so that you do not have to enter it each time you make a ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to 「Configuring ssh-agent with a GUI」), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
exec /usr/bin/ssh-agent $SHELLssh-addssh, scp, sftp, sshd, and ssh-keygen man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
portmap, rpc.lockd, and rpc.statd daemons. NFSv4 listens on the well-known TCP port 2049, which eliminates the need for portmap interaction. The mounting and locking protocols have been incorporated into the V4 protocol which eliminates the need for interaction with rpc.lockd and rpc.statd. The rpc.mountd daemon is still required on the server, but is not involved in any over-the-wire operations.
-p command line option that can set the port, making firewall configuration easier.
/etc/exports, to determine whether the client is allowed to access any of the exported file systems. Once access is granted, all file and directory operations are available to the user.
rpc.nfsd process now allow binding to any specified port during system start up. However, this can be error prone if the port is unavailable or conflicts with another daemon.
portmap service. To share or mount NFS file systems, the following services work together, depending on which version of NFS is implemented:
nfs — (/sbin/service nfs start) starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.
nfslock — (/sbin/service nfslock start) is a mandatory service that starts the appropriate RPC processes to allow NFS clients to lock files on the server.
portmap — accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services access them. portmap responds to requests for RPC services and sets up connections to the requested RPC service.
rpc.mountd — This process receives mount requests from NFS clients and verifies the requested file system is currently exported. This process is started automatically by the nfs service and does not require user configuration.
rpc.nfsd — Allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.
rpc.lockd — allows NFS clients to lock files on the server. If rpc.lockd is not started, file locking will fail. rpc.lockd implements the Network Lock Manager (NLM) protocol. This process corresponds to the nfslock service. This is not used with NFSv4.
rpc.statd — This process implements the Network Status Monitor (NSM) RPC protocol which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This process is started automatically by the nfslock service and does not require user configuration. This is not used with NFSv4.
rpc.rquotad — This process provides user quota information for remote users. This process is started automatically by the nfs service and does not require user configuration.
rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.
mount command. The format of the command is as follows:
mount -t <nfs-type> -o <options> <host>:</remote/export> </local/directory><nfs-type> with either nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Replace <options> with a comma separated list of options for the NFS file system (refer to 「Common NFS Mount Options」 for details). Replace <host> with the remote host, </remote/export> with the remote directory being mounted, and </local/directory> with the local directory where the remote file system is to be mounted.
mount man page for more details.
mount command, the file system must be remounted manually after the system is rebooted. Red Hat Enterprise Linux offers two methods for mounting remote file systems automatically at boot time: the /etc/fstab file or the autofs service.
/etc/fstab/etc/fstab file. The /etc/fstab file is referenced by the netfs service at boot time, so lines referencing NFS shares have the same effect as manually typing the mount command during the boot process. Each line in this file must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab file.
/etc/fstab is as follows:
<server>:</remote/export> </local/directory> <nfs-type> <options> 0 0<server></remote/export></local/directory><nfs-type>nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Finally, replace <options> with a comma separated list of options for the NFS file system (see 「Common NFS Mount Options」 for details). Note that the mount point must exist before /etc/fstab is read, otherwise the mount fails.
/etc/fstab line to mount an NFS export:
server:/usr/local/pub /pub nfs defaults 0 0
/etc/fstab on the client system, type the command mount /pub at a shell prompt, and the mount point /pub is mounted from the server. The mount point /pub must exist on the client machine before this command can be executed.
/etc/fstab configuration file and its contents, refer to the fstab manual page.
autofs/etc/fstab is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place. This is not a problem with one or two mounts, but when the system is maintaining mounts to many systems at one time, overall system performance can be affected. An alternative to /etc/fstab is to use the kernel-based automount utility. An automounter consists of two components. One is a kernel module that implements a file system, while the other is a user-space daemon that performs all of the other functions. The automount utility can mount and unmount NFS file systems automatically (on demand mounting) therefore saving system resources. The automount utility can be used to mount other file systems including AFS, SMBFS, CIFS and local file systems.
autofs uses /etc/auto.master (master map) as its default primary configuration file. This can be changed to use another supported network source and name using the autofs configuration (in /etc/sysconfig/autofs) in conjunction with the Name Service Switch mechanism. An instance of the version 4 daemon was run for each mount point configured in the master map and so it could be run manually from the command line for any given mount point. This is not possible with version 5 because it uses a single daemon to manage all configured mount points, so all automounts must be configured in the master map. This is in line with the usual requirements of other industry standard automounters. Mount point, hostname, exported directory, and options can all be specified in a set of files (or other supported network sources) rather than configuring them manually for each host. Please ensure that you have the autofs package installed if you wish to use this service.
autofs version 5?/net/<host>" as a multi-mount map entry. When using the "-hosts" map, an 'ls' of "/net/<host>" will mount autofs trigger mounts for each export from <host> and mount and expire them as they are accessed. This can greatly reduce the number of active mounts needed when accessing a server with a large number of exports.
/etc/sysconfig/autofs) provides a mechanism to specify the autofs schema that a site implements, thus precluding the need to determine this via trial and error in the application itself. In addition, authenticated binds to the LDAP server are now supported, using most mechanisms supported by the common LDAP server implementations. A new configuration file has been added for this support: /etc/autofs_ldap_auth.conf. The default configuration file is self-documenting, and uses an XML format.
nsswitch) configuration./- /tmp/auto_dcthon /- /tmp/auto_test3_direct /- /tmp/auto_test4_direct
autofs Configuration/etc/auto.master, also referred to as the master map which may be changed as described in the introduction section above. The master map lists autofs-controlled mount points on the system, and their corresponding configuration files or network sources known as automount maps. The format of the master map is as follows:
<mount-point> <map-name> <options>
mount-point is the autofs mount point such as /home.
map-name is the name of a map source which contains a list of mount points, and the file system location from which those mount points should be mounted. The syntax for a map entry is described below.
options if supplied, will apply to all entries in the given map provided they don't themselves have options specified. This behavior is different from autofs version 4 where the options where cumulative. This has been changed to meet our primary goal of mixed environment compatibility.
/etc/auto.master file:
~]$ cat /etc/auto.master
/home /etc/auto.misc<mount-point> [<options>] <location>
<mount-point> is the autofs mount point. This can be a single directory name for an indirect mount or the full path of the mount point for direct mounts. Each direct and indirect map entry key (<mount-point> above) may be followed by a space separated list of offset directories (sub directory names each beginning with a "/") making them what is known as a mutli-mount entry.
~]$ cat /etc/auto.misc
payroll -fstype=nfs personnel:/dev/hda3
sales -fstype=ext3 :/dev/hda4sales and payroll from the server called personnel). The second column indicates the options for the autofs mount while the third column indicates the source of the mount. Following the above configuration, the autofs mount points will be /home/payroll and /home/sales. The -fstype= option is often omitted and is generally not needed for correct operation.
service autofs startservice autofs restart/home/payroll/2006/July.sxc, the automount daemon automatically mounts the directory. If a timeout is specified, the directory will automatically be unmounted if the directory is not accessed for the timeout period.
/sbin/service/autofs statusautofs Common Tasks/etc/nsswitch.conf file has the following directive:
automount: files nis
auto.master map file contains the following:
/home auto.home
auto.home map contains the following:
beth fileserver.example.com:/export/home/beth joe fileserver.example.com:/export/home/joe * fileserver.example.com:/export/home/&
/etc/auto.home does not exist.
/etc/auto.master map:
/home /etc/auto.home2 +auto.master
/etc/auto.home2 map contains the entry:
* labserver.example.com:/export/home/&
/home will contain the contents of /etc/auto.home2 instead of the NIS auto.home map.
auto.home map with a few entries, create a /etc/auto.home file map, and in it put your new entries and at the end, include the NIS auto.home map. Then the /etc/auto.home file map might look similar to:
mydir someserver:/export/mydir +auto.home
auto.home map listed above, an ls of /home would now give:
~]$ ls /home
beth joe mydirautofs knows not to include the contents of a file map of the same name as the one it is reading and so moves on to the next map source in the nsswitch configuration.
openldap package should be installed automatically as a dependency of the automounter. To configure LDAP access, modify /etc/openldap/ldap.conf. Ensure that BASE and URI are set appropriately for your site. Please also ensure that the schema is set in the configuration.
rfc2307bis. To use this schema it is necessary to set it in the autofs configuration (/etc/sysconfig/autofs) by removing the comment characters from the schema definition. For example:
DEFAULT_MAP_OBJECT_CLASS="automountMap" DEFAULT_ENTRY_OBJECT_CLASS="automount" DEFAULT_MAP_ATTRIBUTE="automountMapName" DEFAULT_ENTRY_ATTRIBUTE="automountKey" DEFAULT_VALUE_ATTRIBUTE="automountInformation"
automountKey replaces the cn attribute in the rfc2307bis schema. An LDIF of a sample configuration is described below:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectclass=automountMap)(automountMapName=auto.master)) # requesting: ALL # # auto.master, example.com dn: automountMapName=auto.master,dc=example,dc=com objectClass: top objectClass: automountMap automountMapName: auto.master # extended LDIF # # LDAPv3 # base <automountMapName=auto.master,dc=example,dc=com> with scope subtree # filter: (objectclass=automount) # requesting: ALL # # /home, auto.master, example.com dn: automountMapName=auto.master,dc=example,dc=com objectClass: automount cn: /home automountKey: /home automountInformation: auto.home # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectclass=automountMap)(automountMapName=auto.home)) # requesting: ALL # # auto.home, example.com dn: automountMapName=auto.home,dc=example,dc=com objectClass: automountMap automountMapName: auto.home # extended LDIF # # LDAPv3 # base <automountMapName=auto.home,dc=example,dc=com> with scope subtree # filter: (objectclass=automount) # requesting: ALL # # foo, auto.home, example.com dn: automountKey=foo,automountMapName=auto.home,dc=example,dc=com objectClass: automount automountKey: foo automountInformation: filer.example.com:/export/foo # /, auto.home, example.com dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com objectClass: automount automountKey: / automountInformation: filer.example.com:/export/&
<mount-point> <maptype1> <mapname1> <options1> -- <maptype2> <mapname2> <options2> -- ...
/home file /etc/auto.home -- nis auto.home/etc/nsswitch.conf must list:
automount: files nis
/etc/auto.master should contain:
/home auto.home
/etc/auto.home should contain:
<entries for the home directory> +auto.home
/etc/auto.home and the nis auto.home map are combined.
/etc/nsswitch.conf. The map is read if it exists and its contents are merged into one large auto.master map.
nsswitch.conf is consulted. If it is desirable to merge the contents of multiple master maps, included maps can be used. Consider the following example:
/etc/nsswitch.conf: automount: files nis
/etc/auto.master: /home /etc/auto.home +auto.master
auto.master and the NIS-based auto.master. However, because included map entries are only allowed in file maps, there is no way to include both an NIS auto.master and an LDAP auto.master.
auto.master.ldap we could also add "+auto.master.ldap" to the file based master map and provided that "ldap" is listed as a source in our nsswitch configuration it would also be included.
mount commands, /etc/fstab settings, and autofs.
hard or soft — Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online, if the host serving the exported file system is unavailable, or if it should report an error (soft).
hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified.
soft is specified, the user can set an additional timeo=<value> option, where <value>intr — Allows NFS requests to be interrupted if the server goes down or cannot be reached.
nfsvers=2 or nfsvers=3 — Specifies which version of the NFS protocol to use. This is useful for hosts that run multiple NFS servers. If no version is specified, NFS uses the highest supported version by the kernel and mount command. This option is not supported with NFSv4 and should not be used.
noacl — Turns off all ACL processing. This may be needed when interfacing with older versions of Red Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not compatible with older systems.
nolock — Disables file locking. This setting is occasionally required when connecting to older NFS servers.
noexec — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.
nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
port=num — Specifies the numeric value of the NFS server port. If num0 (the default), then mount queries the remote host's portmapper for the port number to use. If the remote host's NFS daemon is not registered with its portmapper, the standard NFS port number of TCP 2049 is used instead.
rsize=num and wsize=num — These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default values for both parameters is set to 8192. For NFSv4, the default values for both parameters is set to 32768.
sec=mode — Specifies the type of security to utilize when authenticating an NFS connection.
sec=sys is the default setting, which uses local UNIX UIDs and GIDs by means of AUTH_SYS to authenticate NFS operations.
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also has the most performance overhead involved.
tcp — Specifies for the NFS mount to use the TCP protocol.
udp — Specifies for the NFS mount to use the UDP protocol.
mount and nfs man pages.
portmap service must be running. To verify that portmap is active, type the following command as root:
service portmap statusportmap service is running, then the nfs service can be started. To start an NFS server, as root type:
service nfs startnfslock also has to be started for both the NFS client and server to function properly. To start NFS locking as root type: /sbin/service nfslock start. If NFS is set to start at boot, please ensure that nfslock also starts by running chkconfig --list nfslock. If nfslock is not set to on, this implies that you will need to manually run the /sbin/service nfslock start each time the computer starts. To set nfslock to automatically start on boot, type the following command in a terminal chkconfig nfslock on.
service nfs stoprestart option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS.
service nfs restartcondrestart (conditional restart) option only starts nfs if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
service nfs condrestartservice nfs reloadnfs service does not start automatically at boot time. To configure the NFS to start up at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to 17章サービスへのアクセスの制御 for more information regarding these tools.
system-config-nfs), manually editing its configuration file (/etc/exports), or using the /usr/sbin/exportfs command.
system-config-nfs in a terminal. The NFS Server Configuration tool window is illustrated below.
/tmp.
insecure.
insecure_locks.
no_subtree_check.
sync. If this is not selected, the async option is used.
no_wdelay.
nohide option on or off. When the nohide option is off, nested directories are revealed. The clients can therefore navigate through a filesystem from the parent without noticing any changes.
mountpoint option which allows a directory to be exported only if it has been mounted.
fsid=X option. This is mainly used in a clustered setup. Using a consistent filesystem ID in all clusters avoids having stale NFS filehandles.
no_root_squash.
all_squash.
anonuid.
anongid.
/etc/exports.bak. The new configuration is written to /etc/exports.
/etc/exports configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
/etc/exports and using the /usr/sbin/exportfs command to export NFS file systems.
/etc/exports file controls what directories the NFS server exports. Its format is as follows:
directoryhostname(options)
sync or async (sync is recommended). If sync is specified, the server does not reply to requests before the changes made by the request are written to the disk.
/misc/export speedy.example.com(sync)
speedy.example.com to mount /misc/export with the default read-only permissions, but,
/misc/export speedy.example.com(rw,sync)
speedy.example.com to mount /misc/export with read/write privileges.
/etc/exports file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
/misc/export speedy.example.com(rw,sync) /misc/export speedy.example.com (rw,sync)
speedy.example.com read-write access and denies all other users. The second line grants users from speedy.example.com read-only access (the default) and allows the rest of the world read-write access.
/etc/exports, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
service nfs reload/etc/sysconfig/nfs configuration file to control which ports the required RPC services run on. Refer to and read 「/etc/sysconfig/nfs」 for instructions on how to configure a firewall to allow NFS.
*.example.com includes one.example.com but does not include one.two.example.com.
a.b.c.d/zを使います。ここで、 a.b.c.dは、ネットワークであり、 zは、ネットマスク内のビットの数字です。 (例えば、192.168.0.0/24). もう1つの認識されている形式は a.b.c.d/netmaskで、ここで a.b.c.dがネットワークで、 netmaskはネットマスクです。 (例えば、 192.168.100.8/255.255.255.0)。
@group-nameの形をしており、ここで group-nameは NISネットグループ名のことです。
/etc/exports Configuration File/etc/exports file controls which file systems are exported to remote hosts and specifies options. Blank lines are ignored, comments can be made by starting a line with the hash mark (#), and long lines can be wrapped with a backslash (\). Each exported file system should be on its own individual line, and any lists of authorized hosts placed after an exported file system must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis. Valid host types are gss/krb5, gss/krb5i, and gss/krb5p.
<export><host1>(<options>)<hostN>(<options>)...
<export> with the directory being exported, replace <host1> with the host or network to which the export is being shared, and replace <options> with the options for that host or network. Additional hosts can be specified in a space separated list.
* or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.
*.example.com as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both *.example.com and *.*.example.com must be specified.
192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.
@<group-name>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.
/etc/exports file only specifies the exported directory and the hosts permitted to access it, as in the following example:
/exported/directory bob.example.com
bob.example.com can mount /exported/directory/. Because no options are specified in this example, the following default NFS options take effect:
ro — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (rw) option must be specified.
wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the sync option.
root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=<uid-value>,anongid=<gid-value>), where <uid-value><gid-value>no_acl option when exporting the file system.
rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:
/another/exported/directory 192.168.0.3(rw,sync)
192.168.0.3 can mount /another/exported/directory/ read/write and all transfers to disk are committed to the disk before the write request by the client is completed.
exports man page for details on these lesser used options.
/etc/exports file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.
/home bob.example.com(rw) /home bob.example.com (rw)
bob.example.com read/write access to the /home directory. The second line allows users from bob.example.com to mount the directory as read-only (the default), while the rest of the world can mount it read/write.
exportfs Command/etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv2 or NFSv3) for the actual mounting process, then to rpc.nfsd where the file systems are then available to remote users.
/usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.
/usr/sbin/exportfs:
-r — Causes all directories listed in /etc/exports to be exported by constructing a new export list in /etc/lib/nfs/xtab. This option effectively refreshes the export list with any changes that have been made to /etc/exports.
-a — Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.
-o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. Refer to 「The /etc/exports Configuration File」 for more information on /etc/exports syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.
-i — Ignores /etc/exports; only options given from the command line are used to define exported file systems.
-u — Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type exportfs -r.
-v — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.
/usr/sbin/exportfs command, it displays a list of currently exported file systems.
/usr/sbin/exportfs command, refer to the exportfs man page.
exportfs with NFSv4exportfs command is used in maintaining the NFS table of exported file systems. When typed in a terminal with no arguments, the exportfs command shows all the exported directories.
MOUNT protocol, which was used with the NFSv2 and NFSv3 protocols, the mounting of file systems has changed.
fsid=0 option.
mkdir /exportsmkdir /exports/optmkdir /exports/etcmount --bind /usr/local/opt /exports/optmount --bind /usr/local/etc /exports/etcexportfs -o fsid=0,insecure,no_subtree_check gss/krb5p:/exportsexportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/optexportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/etc
--bind option which creates unbreakable links.
/home /home/sam /home/john /home/joe
/home *(rw,fsid=0,sync)
mount server:/home /mnt/homels /mnt/home/joe
mount -t nfs4 server:/ /mnt/homels /mnt/home/joe
server:/home" and "server:/". To make the exports configurations compatible for all version, one needs to export (read only) the root filesystem with an fsid=0. The fsid=0 signals the NFS server that this export is the root.
/ *(ro,fsid=0) /home *(rw,sync,nohide)
mount server:/home /mnt/home" and "mount -t nfs server:/home /mnt/home" will work as expected.
portmap service via TCP wrappers. Access to ports used by portmap, rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with iptables.
portmap, refer to 「IPTables」.
rpc.svcgssd and rpc.gssd inter operate, refer to http://www.citi.umich.edu/projects/nfsv4/gssd/.
su - command to become a user who could access particular files via the NFS share.
nfsnobody account. Never turn off root squashing.
all_squash option, which makes every user accessing the exported file system take the user ID of the nfsnobody user.
portmapportmap service for backward compatibility.
portmapper maps RPC services to the ports they are listening on. RPC processes notify portmap when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts portmap on the server with a particular RPC program number. The portmap service redirects the client to the proper port number so it can communicate with the requested service.
portmap to make all connections with incoming client requests, portmap must be available before any of these services start.
portmap service uses TCP wrappers for access control, and access control rules for portmap affect all RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax for these rules.
portmapportmap provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using portmap when troubleshooting. The rpcinfo command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
portmap, issue the following command as root:
rpcinfo -pprogram vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 32774 nlockmgr 100021 3 udp 32774 nlockmgr 100021 4 udp 32774 nlockmgr 100021 1 tcp 34437 nlockmgr 100021 3 tcp 34437 nlockmgr 100021 4 tcp 34437 nlockmgr 100011 1 udp 819 rquotad 100011 2 udp 819 rquotad 100011 1 tcp 822 rquotad 100011 2 tcp 822 rquotad 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100005 1 udp 836 mountd 100005 1 tcp 839 mountd 100005 2 udp 836 mountd 100005 2 tcp 839 mountd 100005 3 udp 836 mountd 100005 3 tcp 839 mountd
portmap is unable to map RPC requests from clients for that service to the correct port. In many cases, if NFS is not present in rpcinfo output, restarting NFS causes the service to correctly register with portmap and begin working. For instructions on starting NFS, refer to 「Starting and Stopping NFS」.
rpcinfo command. Refer to the rpcinfo man page for more information.
-o udp option to mount when mounting the NFS-exported file system on the client system.
/etc/fstab file (client side), and automatically via autofs configuration files, such as /etc/auto.master and /etc/auto.misc (server side with NIS).
mount -o udp shadowman.example.com:/misc/export /misc/local/etc/fstab (client side):
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr,udp
myproject -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52
-o udpオプションが指定されない場合は、NFSエクスポートされたファイルシステムはTCP経由でアクセスされます。
NFS stale file handles messages.
/usr/share/doc/nfs-utils-<version-number>/ — Replace <version-number> with the version number of the NFS package installed. This directory contains a wealth of information about the NFS implementation for Linux, including a look at various NFS configurations and their impact on file transfer performance.
man mount — Contains a comprehensive look at mount options for both NFS server and client configurations.
man fstab — Gives details for the format of the /etc/fstab file used to mount file systems at boot-time.
man nfs — Provides details on NFS-specific file system export and mount options.
man exports — Shows common options used in the /etc/exports file when exporting NFS file systems.
smbd, nmbd, and winbindd). Two services (smb and windbind) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it.
smbdsmbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445.
smbd daemon is controlled by the smb service.
nmbdnmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137.
nmbd daemon is controlled by the smb service.
winbinddwinbind service resolves user and group information on a server running Windows NT 2000 or Windows Server 2003. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this manual.
smb: in the File > Open Location bar of Nautilus to view the workgroups.
<servername> and <sharename> with the appropriate values):
smb://<servername>/<sharename>mount -t cifs -o <username>,<password> //<servername>/<sharename> /mnt/point/<sharename> from <servername> in the local directory /mnt/point/. For more information about mounting a samba share, refer to man mount.cifs.
/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
/etc/samba/ directory. Any changes to these files not made using the application are preserved.
system-config-samba RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the (on the Panel) > > > or type the command system-config-samba at a shell prompt (for example, in an XTerm or a GNOME terminal).
workgroup and server string options in smb.conf.
security option. Select one of the following types of authentication.
net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.
EXAMPLE.COM.
/etc/krb5.conf file.
encrypted passwords option. Refer to 「暗合化されたパスワード」 for more information about encrypted Samba passwords.
guest account option.
/etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command service smb restart.
smb.conf file:
workgroup =WORKGROUPNAMEserver string =BRIEF COMMENT ABOUT SERVER
WORKGROUPNAME をこのマシンが属する Windows ワークグループ名とリプレイスしてください。 BRIEF COMMENT ABOUT SERVER はオプションで、 Samba システムについての Windows のコメントとして使用されます。
smb.conf file (after modifying it to reflect your needs and your system):
[sharename] comment =Insert a comment herepath =/home/share/valid users =tfox carolepublic = no writable = yes printable = no create mask = 0765
tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.
service smb startnet join command before starting the smb service.
service smb stoprestart オプションは Samba を停止してから開始するのに便利です。Samba の設定ファイルを編集してからその設定変更を有効にする最も確実な方法です。再起動オプションはもともと動作していなかったデーモンも起動するので注意してください。
service smb restartcondrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective.
service smb condrestartsmb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command as root:
service smb reloadsmb service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to 17章サービスへのアクセスの制御 for more information regarding these tools.
smb.conf File/etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
smb.conf file for a successful configuration.
smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the smb.conf file.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Documentation Samba Server path = /export read only = Yes guest only = Yes
smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share.
force user) and group (force group) in the smb.conf file.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Data path = /export force user = docsbot force group = users read only = No guest ok = Yes
smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share printcap name = cups disable spools= Yes show add printer wizard = No printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
smb.conf file shows a sample configuration needed to implement a secure read/write print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public].
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = Yes show add printer wizard = No printing = cups [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction.
[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
smb.conf file on the member server
/etc/krb5.conf file, on the member server
kinit administrator@EXAMPLE.COMkinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to 「Kerberos」.
net ads join -S windows1.example.com -U administrator%passwordwindows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.
security = ads and not security = user is used, a local password backend such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain.
smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes
smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003, the smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
smb.conf file, join the domain before starting Samba by typing the following command as root:
net rpc join -U administrator%password-S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba uses the hostname specified by the workgroup directive in the smb.conf file instead of it being stated explicitly.
tdbsam tdbsam password database backend. Planned to replace the aging smbpasswd backend, tdbsam has numerous improvements that are explained in more detail in 「Samba のアカウント情報データベース」. The passdb backend directive controls which backend is to be used for the PDC.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/sbin/usermod -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u"
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/scripts
browseable = No
read only = No
# For profiles to work, create a user directory under the
# path shown.
mkdir -p /var/lib/samba/profiles/john
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
browseable = No
guest ok = Yes
profile acls = Yes
# Other resource shares ... ...tdbsam follow these steps:
smb.conf file as shown in the example above.
smbpasswd -a root
Provide the password here.smb service.
groupadd -f usersgroupadd -f nobodygroupadd -f ntadmins
net groupmap add ntgroup="Domain Users" unixgroup=usersnet groupmap add ntgroup="Domain Guests" unixgroup=nobodynet groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U roottdbsam authentication backend. LDAP is recommended in these cases.
security = user directive is not listed in the smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
smb.conf, the security = user directive that sets user-level security is:
[GLOBAL] ... security = user ...
smb.conf:
[GLOBAL] ... security = domain workgroup = MARKETING ...
smb.conf, the following directives make Samba an Active Directory member server:
[GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ...
smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL] ... encrypt passwords = Yes security = server password server = "NetBIOS_of_Domain_Controller" ...
/etc/passwd type backends. With a plain text backend, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very unsecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method.
smbpasswdsmbpasswd backend utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd backend lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd backend is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam backend solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution.
ldapsam_compat ldapsam_compat backend allows continued OpenLDAP support for use with upgraded versions of Samba. This option normally used when migrating to Samba 3.0.
tdbsam tdbsam backend provides an ideal database backend for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam backend includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems.
tdbsam backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
ldapsam ldapsam backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP slurpd daemon. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises.
/usr/share/doc/samba-<version>/LDAP/samba.schema has changed. This file contains the attribute syntax definitions and objectclass definitions that the ldapsam backend will need in order to function properly.
ldapsam backend for your Samba server, you will need to configure slapd to include this schema file. Refer to 「The /etc/openldap/schema/ Directory」 for directions on how to do this.
ldapsam バックエンドを使用したい場合は、 openldap-server パッケージをインストールする必要があります。
mysqlsam mysqlsam backend uses a MySQL-based database backend. This is useful for sites that already implement MySQL. At present, mysqlsam is now packed in a module separate from Samba, and as such is not officially supported by Samba.
/etc/hosts) or DNS, must be used.
smb.conf for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.
smb.conf file in which the Samba server is serving as a WINS server:
[global] wins support = Yes
smb.conf Settingssmb.conf configuration for CUPS support:
[global] load printers = Yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba/print printer = IBMInfoP browseable = No public = Yes guest ok = Yes writable = No printable = Yes printer admin = @ntadmins [print$] comment = Printer Drivers Share path = /var/lib/samba/drivers write list = ed, john printer admin = ed, john
print$ share contains printer drivers for clients to access if not available locally. The print$ share is optional and may not be required depending on the organization.
browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup.
findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version.
findsmb as any valid user on a system:
~]# findsmb
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25 VERVE [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26 STATION22 [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45 TREK +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94 PIXEL [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137 MOBILE001 [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141 JAWS +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159 FRED +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192 LEGION *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205 NANCYN +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <protocol> ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003 uses rpc. If the protocol is omitted, net automatically tries to determine it.
wakko:
~]# net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name Type Description
---------- ---- -----------
data Disk Wakko data share
tmp Disk Wakko tmp share
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)wakko:
~]# net -l user -S wakko
root password:
User name Comment
-----------------------------
andriusb Documentation
joe Marketing
lisa Salesnmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.
~]# nmblookup trek
querying trek on 10.1.59.255
10.1.56.45 trek<00>pdbedit program manages accounts located in the SAM database. All backends are supported including smbpasswd, LDAP, NIS+, and the tdb database library.
~]#pdbedit -a kristinnew password: retype new password: Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]#pdbedit -v -L kristinUnix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]#pdbedit -Landriusb:505: joe:503: lisa:504: kristin:506: ~]#pdbedit -x joe~]#pdbedit -Landriusb:505: lisa:504: kristin:506:
rpcclient program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
smbcacls program modifies Windows ACLs on files and directories shared by the Samba server.
smbclient program is a versatile UNIX client which provides functionality similar to ftp.
smbcontrol <options> <destination> <messagetype> <parameters>
smbcontrol program sends control messages to running smbd or nmbd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered.
smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password.
smbspool program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.
smbstatus program displays the status of current connections to a Samba server.
smbtar program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar command, the two are not compatible.
testparm program checks the syntax of the smb.conf file. If your smb.conf file is in the default location (/etc/samba/smb.conf) you do not need to specify the location. Specifying the hostname and IP address to the testparm program verifies that the hosts.allow and host.deny files are configured correctly. The testparm program also displays a summary of your smb.conf file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read.
~]#testparmLoad smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions<enter># Global parameters [global] workgroup = MYGROUP server string = Samba Server security = SHARE log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [tmp] comment = Wakko tmp path = /tmp guest only = Yes [html] comment = Wakko www path = /var/www/html force user = andriusb force group = users read only = No guest only = Yes
wbinfo program displays information from the winbindd daemon. The winbindd daemon must be running for wbinfo to work.
/usr/share/doc/samba-<version-number>/ — All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation.
dhcp package contains an ISC DHCP server. First, install the package as the superuser:
~]# yum install dhcpdhcp package creates a file, /etc/dhcpd.conf, which is merely an empty configuration file:
~]# cat /etc/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample/usr/share/doc/dhcp-<version>/dhcpd.conf.sample. You should use this file to help you configure /etc/dhcpd.conf, which is explained in detail below.
/var/lib/dhcpd/dhcpd.leases to store the client lease database. Refer to 「リースデータベース」 for more information.
ddns-update-style ad-hoc;
ddns-update-style interim;
dhcpd.conf man page for details about the different modes.
service dhcpd restart.
omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.
routers, subnet-mask, domain-name, domain-name-servers, and time-offset options are used for any host statements declared below it.
subnet can be declared, a subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
range declared. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.1.10 192.168.1.100;
}shared-network declaration as shown in 例22.2「共有ネットワーク宣言」. Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network must be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
group declaration is used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
group {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
host raleigh {
option host-name "raleigh.example.com";
hardware ethernet 00:A1:DD:74:C3:F2;
fixed-address 192.168.1.6;
}
}range 192.168.1.10 and 192.168.1.100 to client systems.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
}hardware ethernet parameter within a host declaration. As demonstrated in 例22.5「DHCP を使用した静的 IP アドレス」, the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
host-name can also be used to assign a host name to the client.
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf<version-number> is the DHCP version number).
dhcp-options man page.
/var/lib/dhcpd/dhcpd.leases stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
dhcpd.leases file is renamed dhcpd.leases~ and the temporary lease database is written to dhcpd.leases.
dhcpd.leases file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost which causes many problems. The correct solution is to rename the dhcpd.leases~ backup file to dhcpd.leases and then start the daemon.
dhcpd.leases file exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does not exist.
named service automatically checks for a dhcpd.leases file.
/sbin/service dhcpd start. To stop the DHCP server, use the command /sbin/service dhcpd stop.
/etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:
# Command line options here DHCPDARGS=eth0
/etc/sysconfig/dhcpd include:
-p <portnum> — Specifies the UDP port number on which dhcpd should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to 「DHCP リレーエージェント」 for details.
-f — Runs the daemon as a foreground process. This is mostly used for debugging.
-d — Logs the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to /var/log/messages.
-cf <filename> — Specifies the location of the configuration file. The default location is /etc/dhcpd.conf.
-lf <filename> — Specifies the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is /var/lib/dhcpd/dhcpd.leases.
-q — Do not print the entire copyright message when starting the daemon.
dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
/etc/sysconfig/dhcrelay with the INTERFACES directive.
service dhcrelay start.
/etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.
/etc/sysconfig/network file should contain the following line:
NETWORKING=yes
NETWORKING variable must be set to yes if you want networking to start at boot time.
/etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)
PEERDNS=<answer> , where <answer> yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SRCADDR=<address> , where <address> USERCTL=<answer> , where <answer> yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
dhclient and dhclient.conf man pages.
/etc/sysconfig/dhcpd and /etc/dhcpd.conf files.
/etc/sysconfig/dhcpd file to specify which network interfaces the DHCP daemon listens on. The following /etc/sysconfig/dhcpd example specifies that the DHCP daemon listens on the eth0 and eth1 interfaces:
DHCPDARGS="eth0 eth1";
eth0, eth1, and eth2 -- and it is only desired that the DHCP daemon listens on eth0, then only specify eth0 in /etc/sysconfig/dhcpd:
DHCPDARGS="eth0";
/etc/dhcpd.conf file, for a server that has two network interfaces, eth0 in a 10.0.0.0/24 network, and eth1 in a 172.16.0.0/24 network. Multiple subnet declarations allow different settings to be defined for multiple networks:
ddns-update-styleinterim; default-lease-time600; max-lease-time7200; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 10.0.0.1; range 10.0.0.5 10.0.0.15; } subnet 172.16.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 172.16.0.1; range 172.16.0.5 172.16.0.15; }
subnet 10.0.0.0 netmask 255.255.255.0 subnet declaration is required for every network your DHCP server is serving. Multiple subnets require multiple subnet declarations. If the DHCP server does not have a network interface in a range of a subnet declaration, the DHCP server does not serve that network.
subnet declaration, and no network interfaces are in the range of that subnet, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: No subnet declaration for eth0 (0.0.0.0). dhcpd: ** Ignoring requests on eth0. If this is not what dhcpd: you want, please write a subnet declaration dhcpd: in your dhcpd.conf file for the network segment dhcpd: to which interface eth1 is attached. ** dhcpd: dhcpd: dhcpd: Not configured to listen on any interfaces!
option subnet-mask 255.255.255.0; option subnet-mask option defines a subnet mask, and overrides the netmask value in the subnet declaration. In simple cases, the subnet and netmask values are the same.
option routers 10.0.0.1; option routers option defines the default gateway for the subnet. This is required for systems to reach internal networks on a different subnet, as well as external networks.
range 10.0.0.5 10.0.0.15; range option specifies the pool of available IP addresses. Systems are assigned an address from the range of specified IP addresses.
dhcpd.conf(5) man page.
/etc/dhcpd.conf, the DHCP daemon fails to start.
/etc/sysconfig/dhcpd and /etc/dhcpd.conf files.
/etc/dhcpd.conf example creates two subnets, and configures an IP address for the same system, depending on which network it connects to:
ddns-update-styleinterim; default-lease-time600; max-lease-time7200; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 10.0.0.1; range 10.0.0.5 10.0.0.15; } subnet 172.16.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 172.16.0.1; range 172.16.0.5 172.16.0.15; } host example0 { hardware ethernet 00:1A:6B:6A:2E:0B; fixed-address 10.0.0.20; } host example1 { hardware ethernet 00:1A:6B:6A:2E:0B; fixed-address 172.16.0.20; }
host example0 host declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple host declarations.
host declarations, and as such, this name can anything, as long as it is unique to other host declarations. To configure the same system for multiple networks, use a different name for each host declaration, otherwise the DHCP daemon fails to start. Systems are identified by the hardware ethernet option, not the name in the host declaration.
hardware ethernet 00:1A:6B:6A:2E:0B; hardware ethernet option identifies the system. To find this address, run the ifconfig command on the desired system, and look for the HWaddr address.
fixed-address 10.0.0.20; fixed-address option assigns a valid IP address to the system specified by the hardware ethernet option. This address must be outside the IP address pool specified with the range option.
option statements do not end with a semicolon, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
/etc/dhcpd.conf line 20: semicolon expected. dhcpd: } dhcpd: ^ dhcpd: /etc/dhcpd.conf line 38: unexpected end of file dhcpd: dhcpd: ^ dhcpd: Configuration file errors encountered -- exiting
host declarations configure a single system, that has multiple network interfaces, so that each interface receives the same IP address. This configuration will not work if both network interfaces are connected to the same network at the same time:
host interface0 {
hardware ethernet 00:1a:6b:6a:2e:0b;
fixed-address 10.0.0.18;
}
host interface1 {
hardware ethernet 00:1A:6B:6A:27:3A;
fixed-address 10.0.0.18;
}
interface0 is the first network interface, and interface1 is the second interface. The different hardware ethernet options identify each interface.
host declarations, remembering to:
fixed-address for the network the host is connecting to.
host declaration unique.
host declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: /etc/dhcpd.conf line 31: host interface0: already exists dhcpd: } dhcpd: ^ dhcpd: Configuration file errors encountered -- exiting
host interface0 declarations defined in /etc/dhcpd.conf.
dhcpd man page — Describes how the DHCP daemon works.
dhcpd.conf man page — Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page — Explains how to configure the DHCP leases file; includes some examples.
dhcp-options man page — Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page — Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-<version>/ — Contains sample files, README files, and release notes for current versions of the DHCP service.
/etc/httpd/conf/httpd.conf) to aid those who require a custom configuration or need to convert a configuration file from the older Apache HTTP Server 1.3 format.
LoadModule line will need to be updated.
mod_userdir module will only act on requests if you provide a UserDir directive indicating a directory name. If you wish to maintain the procedures used in version 2.0, add the directive UserDir public_html in your configuration file.
httpd.conf file adding the necessary mod_ssl directives. Use apachectl start as apachectl startssl is unavailable in version 2.2. You can view an example of SSL configuration for httpd in conf/extra/httpd-ssl.conf.
service httpd configtest which will detect configuration errors.
/etc/httpd/conf/httpd.conf.rpmnew and the original version 1.3 httpd.conf is left untouched. It is entirely up to you whether to use the new configuration file and migrate the old settings to it, or use the existing file as a base and modify it to suit; however, some parts of the file have changed more than others and a mixed approach is generally the best. The stock configuration files for both version 1.3 and 2.0 are divided into three sections.
/etc/httpd/conf/httpd.conf file is a modified version of the newly installed default and a saved a copy of the original configuration file is available, it may be easiest to invoke the diff command, as in the following example (logged in as root):
diff -u httpd.conf.orig httpd.conf | lessrpm2cpio and cpio commands, as in the following example:
rpm2cpio apache-<version-number>.i386.rpm | cpio -i --make<version-number> with the version number for the apache package.
apachectl configtestBindAddress and Port directives no longer exist; their functionality is now provided by a more flexible Listen directive.
Port 80 was set in the 1.3 version configuration file, change it to Listen 80 in the 2.0 configuration file. If Port was set to some value other than 80, then append the port number to the contents of the ServerName directive.
Port 123 ServerName www.example.com
Listen123 ServerName www.example.com:123
prefork, worker, and perchild. Currently only the prefork and worker MPMs are available, although the perchild MPM may be available at a later date.
prefork MPM. The prefork MPM accepts the same directives as Apache HTTP Server 1.3, so the following directives may be migrated directly:
StartServers
MinSpareServers
MaxSpareServers
MaxClients
MaxRequestsPerChild
worker MPM implements a multi-process, multi-threaded server providing greater scalability. When using this MPM, requests are handled by threads, conserving system resources and allowing large numbers of requests to be served efficiently. Although some of the directives accepted by the worker MPM are the same as those accepted by the prefork MPM, the values for those directives should not be transferred directly from an Apache HTTP Server 1.3 installation. It is best to instead use the default values as a guide, then experiment to determine what values work best.
worker MPM, create the file /etc/sysconfig/httpd and add the following directive:
HTTPD=/usr/sbin/httpd.worker
AddModule and ClearModuleList directives no longer exist. These directives where used to ensure that modules could be enabled in the correct order. The Apache HTTP Server 2.0 API allows modules to specify their ordering, eliminating the need for these two directives.
LoadModule lines are no longer relevant in most cases.
LoadModule lines for modules packaged in their own RPMs (mod_ssl, php, mod_perl, and the like) are no longer necessary as they can be found in their relevant files within the /etc/httpd/conf.d/ directory.
HAVE_XXX definitions are no longer defined.
httpd.conf contains the following directive:
Include conf.d/*.conf
mod_perl, php, and mod_ssl).
ServerType — The Apache HTTP Server can only be run as ServerType standalone making this directive irrelevant.
AccessConfig and ResourceConfig — These directives have been removed as they mirror the functionality of the Include directive. If the AccessConfig and ResourceConfig directives are set, replace them with Include directives.
Include directives should be placed at the end of the httpd.conf, with the one corresponding to ResourceConfig preceding the one corresponding to AccessConfig. If using the default values, include them explicitly as conf/srm.conf and conf/access.conf files.
<VirtualHost> container. Values here also provide defaults for any <VirtualHost> containers defined.
UserDir MappingUserDir directive is used to enable URLs such as http://example.com/~bob/ to map to a subdirectory within the home directory of the user bob, such as /home/bob/public_html/. A side-effect of this feature allows a potential attacker to determine whether a given username is present on the system. For this reason, the default configuration for Apache HTTP Server 2.0 disables this directive.
UserDir mapping, change the directive in httpd.conf from:
UserDir disable
UserDir public_htmlAgentLog
RefererLog
RefererIgnore
CustomLog and LogFormat directives.
FancyIndexing directive has now been removed. The same functionality is available through the FancyIndexing option within the IndexOptions directive.
VersionSort option to the IndexOptions directive causes files containing version numbers to be sorted in a more natural way. For example, httpd-2.0.6.tar appears before httpd-2.0.36.tar in a directory index page.
ReadmeName and HeaderName directives have changed from README and HEADER to README.html and HEADER.html.
CacheNegotiatedDocs directive now takes the argument on or off. Existing instances of CacheNegotiatedDocs should be replaced with CacheNegotiatedDocs on.
ErrorDocument directive, the message should be enclosed in a pair of double quotation marks ", rather than just preceded by a double quotation mark as required in Apache HTTP Server 1.3.
ErrorDocument 404 "The document was not found
ErrorDocument setting to Apache HTTP Server 2.0, use the following structure:
ErrorDocument 404 "The document was not found"
ErrorDocument directive example.
<VirtualHost> containers should be migrated in the same way as the main server section as described in 「メインサーバーの設定」.
/etc/httpd/conf.d/ssl.conf.
mod_include. This opens up a tremendous number of possibilities with regards to how modules can be combined to achieve a specific goal.
mod_perl). Under Apache HTTP Server 2.0, the request is initially handled by the core module — which serves static files — and is then filtered by mod_perl.
PATH_INFO directive is used for a document which is handled by a module that is now implemented as a filter, as each contains trailing path information after the true file name. The core module, which initially handles the request, does not by default understand PATH_INFO and returns 404 Not Found errors for requests that contain such information. As an alternative, use the AcceptPathInfo directive to coerce the core module into accepting requests with PATH_INFO.
AcceptPathInfo on
suexec Modulemod_suexec module uses the SuexecUserGroup directive, rather than the User and Group directives, which is used for configuring virtual hosts. The User and Group directives can still be used in general, but are deprecated for configuring virtual hosts.
<VirtualHost vhost.example.com:80> User someone Group somegroup </VirtualHost>
<VirtualHost vhost.example.com:80> SuexecUserGroup someone somegroup </VirtualHost>
mod_ssl Modulemod_ssl has been moved from the httpd.conf file into the /etc/httpd/conf.d/ssl.conf file. For this file to be loaded, and for mod_ssl to work, the statement Include conf.d/*.conf must be in the httpd.conf file as described in 「Dynamic Shared Object (DSO) のサポート」.
ServerName directives in SSL virtual hosts must explicitly specify the port number.
<VirtualHost _default_:443> # General setup for the virtual host ServerName ssl.example.name ... </VirtualHost>
<VirtualHost _default_:443>
# General setup for the virtual host
ServerName ssl.host.name:443
...
</VirtualHost>SSLLog and SSLLogLevel directives have been removed. The mod_ssl module now obeys the ErrorLog and LogLevel directives. Refer to ErrorLog and LogLevel for more information about these directives.
mod_proxy Module<Proxy> block rather than a <Directory proxy:>.
mod_proxy has been split out into the following three modules:
mod_cache
mod_disk_cache
mod_mem_cache
mod_proxy module, but it is advisable to verify each directive before migrating any cache settings.
mod_include Modulemod_include module is now implemented as a filter and is therefore enabled differently. Refer to 「モジュールと Apache HTTP Server 2.0」 for more about filters.
AddType text/html .shtml AddHandler server-parsed .shtml
AddType text/html .shtml
AddOutputFilter INCLUDES .shtmlOptions +Includes directive is still required for the <Directory> container or in a .htaccess file.
mod_auth_dbm and mod_auth_db Modulesmod_auth_db and mod_auth_dbm, which used Berkeley Databases and DBM databases respectively. These modules have been combined into a single module named mod_auth_dbm in Apache HTTP Server 2.0, which can access several different database formats. To migrate from mod_auth_db, configuration files should be adjusted by replacing AuthDBUserFile and AuthDBGroupFile with the mod_auth_dbm equivalents, AuthDBMUserFile and AuthDBMGroupFile. Also, the directive AuthDBMType DB must be added to indicate the type of database file in use.
mod_auth_db configuration for Apache HTTP Server 1.3:
<Location /private/> AuthType Basic AuthName "My Private Files" AuthDBUserFile /var/www/authdb require valid-user </Location>
<Location /private/> AuthType Basic AuthName "My Private Files"AuthDBMUserFile/var/www/authdbAuthDBMType DBrequire valid-user </Location>
AuthDBMUserFile directive can also be used in .htaccess files.
dbmmanage Perl script, used to manipulate username and password databases, has been replaced by htdbm in Apache HTTP Server 2.0. The htdbm program offers equivalent functionality and, like mod_auth_dbm, can operate a variety of database formats; the -T option can be used on the command line to specify the format to use.
dbmmanage to htdbm」 shows how to migrate from a DBM-format database to htdbm format using dbmmanage.
dbmmanage to htdbm| Action | dbmmanage コマンド (1.3) | 相当する htdbm コマンド (2.0) |
|---|---|---|
| ユーザーをデータベースに追加 (特定パスワードを使用) |
dbmmanage authdb add username password
|
htdbm -b -TDB authdb username password
|
| ユーザーをデータベースに追加 (パスワードを要求) |
dbmmanage authdb adduser username
|
htdbm -TDB authdb username
|
| データベースからユーザーを削除 |
dbmmanage authdb delete username
|
htdbm -x -TDB authdb username
|
| データベース内のユーザーの一覧 |
dbmmanage authdb view
|
htdbm -l -TDB authdb
|
| パスワードの確認 |
dbmmanage authdb check username
|
htdbm -v -TDB authdb username
|
-m and -s options work with both dbmmanage and htdbm, enabling the use of the MD5 or SHA1 algorithms for hashing passwords, respectively.
htdbm, the -c option must be used.
mod_perl Modulemod_perl has been moved from httpd.conf into the file /etc/httpd/conf.d/perl.conf. For this file to be loaded, and hence for mod_perl to work, the statement Include conf.d/*.conf must be included in httpd.conf as described in 「Dynamic Shared Object (DSO) のサポート」.
Apache:: in httpd.conf must be replaced with ModPerl::. Additionally, the manner in which handlers are registered has been changed.
mod_perl configuration:
<Directory /var/www/perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Directory>
mod_perl for Apache HTTP Server 2.0:
<Directory /var/www/perl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
</Directory>mod_perl 1.x should work without modification with mod_perl 2.x. XS modules require recompilation and may require minor Makefile modifications.
mod_python Modulemod_python has moved from httpd.conf to the /etc/httpd/conf.d/python.conf file. For this file to be loaded, and hence for mod_python to work, the statement Include conf.d/*.conf must be in httpd.conf as described in 「Dynamic Shared Object (DSO) のサポート」.
httpd.conf into the file /etc/httpd/conf.d/php.conf. For this file to be loaded, the statement Include conf.d/*.conf must be in httpd.conf as described in 「Dynamic Shared Object (DSO) のサポート」.
register_globals to On in the file /etc/php.ini.
mod_authz_ldap Modulemod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.
mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module. Refer to the mod_auth_ldap module documentation online at http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for details on the status of this module.
/etc/httpd/conf.d/authz_ldap.conf file configures the mod_authz_ldap module.
/usr/share/doc/mod_authz_ldap-<version>/index.html (replacing <version> with the version number of the package) or http://authzldap.othello.ch/ for more information on configuring the mod_authz_ldap third party module.
httpdhttpd package, review the Apache HTTP Server's documentation available online at http://httpd.apache.org/docs/2.2/.
httpd RPM installs the /etc/init.d/httpd script, which can be accessed using the /sbin/service command.
httpd using the apachectl control script sets the environmental variables in /etc/sysconfig/httpd and starts httpd. You can also set the environment variables using the init script.
apachectl control script as root type:
apachectl starthttpd using /sbin/service httpd start. This starts httpd but does not set the environment variables. If you are using the default Listen directive in httpd.conf, which is port 80, you will need to have root privileges to start the apache server.
apachectl stophttpd using /sbin/service httpd stop. The restart option is a shorthand way of stopping and then starting the Apache HTTP Server.
apachectl restartservice httpd restartErrorLog if it encounters an error while starting.
httpd service does not start automatically at boot time. If you would wish to have Apache startup at boot time, you will need to add a call to apachectl in your startup files within the rc.N directory. A typical file used is rc.local. As this starts Apache as root, it is recommended to properly configure your security and authentication before adding this call.
httpd service to start up at boot time, using an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program.
apachectl statusmod_status however needs to be enabled in your httpd.conf configuration file for this to work. For more details on mod_status can be found on http://httpd.apache.org/docs/2.2/mod/mod_status.html.
/etc/httpd/conf/httpd.conf configuration file for the Apache HTTP Server. It does not use the old srm.conf or access.conf configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections. To start the HTTD Configuration Tool, click on System > Administration > Server Settings > HTTP.
/etc/httpd/conf/httpd.conf configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.
DocumentRoot and cgi-bin directories.
ServerName directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
ServerAdmin directive in httpd.conf. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
Listen directive in httpd.conf. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
httpd can be started as a regular user.
DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
http://www.example.com/this_directory/, they are going to get either the DirectoryIndex page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds.
If it does not find any of these files and if Options Indexes is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose to display the default short error message. Choose to redirect the client to an external URL and enter a complete URL, including the http://, in the Location field. Choose to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin the a slash (/) and be relative to the Document Root.
404.html, copy 404.html to DocumentRoot/../error/404.htmlDocumentRoot is the Document Root directory that you have defined (the default is /var/www/html/). If the Document Root is left as the default location, the file should be copied to /var/www/error/404.html. Then, choose as the Behavior for 404 - Not Found error code and enter /error/404.html as the .
ServerAdmin directive.
mod_ssl enables encryption of the HTTP protocol over SSL. SSL (Secure Sockets Layer) protocol is used for communication and encryption over TCP/IP networks. The SSL tab enables you to configure SSL for your server. To configure SSL you need to provide the path to your:
SSLCertificateFile directive which points the path to the PEM (Privacy Enhanced Mail)-encoded server certificate file.
SSLCertificateKeyFile directive which points the path to the PEM-encoded server private key file.
SSLCertificateChainFile directive which points the path to the certificate file containing all the server's chain of certificates.
SSLOptions with the following options:
SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n where n is a number 0,1,2,3,4... These files are used for more certificate checks by CGI scripts.
SSLRequireSSL and SSLRequire directives indicate access is forbidden.
mod_ssl which also performs safe parameter checks. It is recommended to enable OptRenegotiate on a per directory basis.
/var/log/httpd/access_log file and the error log to the /var/log/httpd/error_log file.
TransferLog directive.
LogFormat directive. Refer to http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat for details on the format of this directive.
ErrorLog directive.
LogLevel directive.
HostnameLookups directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.
mod_env module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.
MAXNUM to 50, click the button inside the Set for CGI Script section, as shown in 図23.8「Environment Variables」, and type MAXNUM in the Environment Variable text field and 50 in the Value to set text field. Click to add it to the list. The Set for CGI Scripts section configures the SetEnv directive.
env at a shell prompt. Click the button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click to add it to the list. The Pass to CGI Scripts section configures the PassEnv directive.
UnsetEnv directive.
<Directory> directive.
Options directive within the <Directory> directive. You can configure the following options:
#exec and #include commands in CGI scripts.
DirectoryIndex (such as index.html) exists in the requested directory.
Order directive with the left-hand side options. The Order directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:
all to allow access to all hosts.
192.168.1.0/255.255.255.0
10.3.0.0/16
.htaccess file take precedence.
httpd.conf/etc/httpd/conf/httpd.conf. The httpd.conf file is well-commented and mostly self-explanatory. The default configuration works for most situations; however, it is a good idea to become familiar some of the more important configuration options.
/etc/httpd/conf/httpd.conf and then either reload, restart, or stop and start the httpd process as outlined in 「Starting and Stopping httpd」.
httpd.conf, make a copy the original file. Creating a backup makes it easier to recover from mistakes made while editing the configuration file.
httpd.conf to verify there are no typos.
/var/log/httpd/error_log. The error log may not be easy to interpret, depending on your level of expertise. However, the last entries in the error log should provide useful information.
httpd.conf. These descriptions are not exhaustive. For more information, refer to the Apache documentation online at http://httpd.apache.org/docs/2.2/.
mod_ssl directives, refer to the documentation online at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html.
AccessFileName names the file which the server should use for access control information in each directory. The default is .htaccess.
AccessFileName directive, a set of Files tags apply access control to any file beginning with a .ht. These directives deny Web access to any .htaccess files (or other files which begin with .ht) for security reasons.
Action specifies a MIME content type and CGI script pair, so that when a file of that media type is requested, a particular CGI script is executed.
FancyIndexing as an IndexOptions parameter, the AddDescription directive can be used to display user-specified descriptions for certain files or file types in a server generated directory listing. The AddDescription directive supports listing specific files, wildcard expressions, or file extensions.
AddEncoding names file name extensions which should specify a particular encoding type. AddEncoding can also be used to instruct some browsers to uncompress certain files as they are downloaded.
AddHandler maps file extensions to specific handlers. For example, the cgi-script handler can be matched with the extension .cgi to automatically treat a file ending with .cgi as a CGI script. The following is a sample AddHandler directive for the .cgi extension.
AddHandler cgi-script .cgi
cgi-bin to function in any directory on the server which has the ExecCGI option within the directories container. Refer to Directory for more information about setting the ExecCGI option for a directory.
AddHandler directive is used to process server-parsed HTML and image-map files.
AddIcon specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the icon binary.gif for files with .bin or .exe extensions.
compressed.gif icon next to MIME encoded x-compress and x-gzip files in server generated directory listings.
text.gif next to files with a mime-type of text, in server generated directory listings.
AddLanguage associates file name extensions with specific languages. This directive is useful for Apache HTTP Servers which serve content in multiple languages based on the client Web browser's language settings.
AddType directive to define or override a default MIME type and file extension pairs. The following example directive tells the Apache HTTP Server to recognize the .tgz file extension:
AddType application/x-tar .tgz
Alias setting allows directories outside the DocumentRoot directory to be accessible. Any URL ending in the alias automatically resolves to the alias' path. By default, one alias for an icons/ directory is already set up. An icons/ directory can be accessed by the Web server, but the directory is not in the DocumentRoot.
Allow specifies which client can access a given directory. The client can be all, a domain name, an IP address, a partial IP address, a network/netmask pair, and so on. The DocumentRoot directory is configured to Allow requests from all, meaning everyone has access.
AllowOverride directive sets whether any Options can be overridden by the declarations in an .htaccess file. By default, both the root directory and the DocumentRoot are set to allow no .htaccess overrides.
BrowserMatch directive allows the server to define environment variables and take appropriate actions based on the User-Agent HTTP header field — which identifies the client's Web browser type. By default, the Web server uses BrowserMatch to deny connections to specific browsers with known problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions.
#) from the beginning of the line is sufficient. The following, however, is a list of some of the more important cache-related directives.
CacheEnable — Specifies whether the cache is a disk, memory, or file descriptor cache. By default CacheEnable configures a disk cache for URLs at or below /.
CacheRoot — Specifies the name of the directory containing cached files. The default CacheRoot is the /var/httpd/proxy/ directory.
CacheSize — Specifies how much space the cache can use in kilobytes. The default CacheSize is 5 KB.
CacheMaxExpire — Specifies how long HTML documents are retained (without a reload from the originating Web server) in the cache. The default is 24 hours (86400 seconds).
CacheLastModifiedFactor — Specifies the creation of an expiry (expiration) date for a document which did not come from its originating server with its own expiry set. The default CacheLastModifiedFactor is set to 0.1, meaning that the expiry date for such documents equals one-tenth of the amount of time since the document was last modified.
CacheDefaultExpire — Specifies the expiry time in hours for a document that was received using a protocol that does not support expiry times. The default is set to 1 hour (3600 seconds).
NoProxy — Specifies a space-separated list of subnets, IP addresses, domains, or hosts whose content is not cached. This setting is most useful for Intranet sites.
CacheNegotiatedDocs is set to on, this function is disabled and proxy servers are allowed to cache such documents.
CustomLog identifies the log file and the log file format. By default, the access log is recorded to the /var/log/httpd/access_log file while errors are recorded in the /var/log/httpd/error_log file.
CustomLog format is the combined log file format, as illustrated here:
remotehost rfc931 user date "request" status bytes referrer user-agentDefaultIcon specifies the icon displayed in server generated directory listings for files which have no other icon specified. The unknown.gif image file is the default.
DefaultType sets a default content type for the Web server to use for documents whose MIME types cannot be determined. The default is text/plain.
Deny works similar to Allow, except it specifies who is denied access. The DocumentRoot is not configured to Deny requests from anyone by default.
<Directory /path/to/directory> and </Directory> tags create a container used to enclose a group of configuration directives which apply only to a specific directory and its subdirectories. Any directive which is applicable to a directory may be used within Directory tags.
/), using the Options (refer to Options) and AllowOverride (refer to AllowOverride) directives. Under this configuration, any directory on the system which needs more permissive settings has to be explicitly given those settings.
Directory container is configured for the DocumentRoot which assigns less rigid parameters to the directory tree so that the Apache HTTP Server can access the files residing there.
Directory container can be also be used to configure additional cgi-bin directories for server-side applications outside of the directory specified in the ScriptAlias directive (refer to ScriptAlias for more information).
Directory container must set the ExecCGI option for that directory.
/home/my_cgi_directory, add the following Directory container to the httpd.conf file:
<Directory /home/my_cgi_directory> Options +ExecCGI </Directory>
AddHandler directive must be uncommented to identify files with the .cgi extension as CGI scripts. Refer to AddHandler for instructions on setting AddHandler.
DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
example/this_directory/, they get either the DirectoryIndex page, if it exists, or a server-generated directory list. The default for DirectoryIndex is index.html and the index.html.var type map. The server tries to find either of these files and returns the first one it finds. If it does not find one of these files and Options Indexes is set for that directory, the server generates and returns a listing, in HTML format, of the subdirectories and files within the directory, unless the directory listing feature is turned off.
DocumentRoot is the directory which contains most of the HTML files which are served in response to requests. The default DocumentRoot, for both the non-secure and secure Web servers, is the /var/www/html directory. For example, the server might receive a request for the following document:
http://example.com/foo.html/var/www/html/foo.htmlDocumentRoot so that it is not shared by the secure and the non-secure Web servers, refer to 「仮想ホスト」.
ErrorDocument directive associates an HTTP response code with a message or a URL to be sent back to the client. By default, the Web server outputs a simple and usually cryptic error message when an error occurs. The ErrorDocument directive forces the Web server to instead output a customized message or page.
".
ErrorLog specifies the file where server errors are logged. By default, this directive is set to /var/log/httpd/error_log.
ExtendedStatus directive controls whether Apache generates basic (off) or detailed server status information (on), when the server-status handler is called. The server-status handler is called using Location tags. More information on calling server-status is included in Location.
Group is set to apache.
HeaderName names the file which, if it exists in the directory, is prepended to the start of server generated directory listings. Like ReadmeName, the server tries to include it as an HTML document if possible or in plain text if not.
HostnameLookups can be set to on, off, or double. If HostnameLookups is set to on, the server automatically resolves the IP address for each connection. Resolving the IP address means that the server makes one or more connections to a DNS server, adding processing overhead. If HostnameLookups is set to double, the server performs a double-reverse DNS look up adding even more processing overhead.
HostnameLookups is set to off by default.
IfDefine tags surround configuration directives that are applied if the "test" stated in the IfDefine tag is true. The directives are ignored if the test is false.
IfDefine tags is a parameter name (for example, HAVE_PERL). If the parameter is defined, meaning that it is provided as an argument to the server's start-up command, then the test is true. In this case, when the Web server is started, the test is true and the directives contained in the IfDefine tags are applied.
<IfModule> and </IfModule> tags create a conditional container which are only activated if the specified module is loaded. Directives within the IfModule container are processed under one of two conditions. The directives are processed if the module contained within the starting <IfModule> tag is loaded. Or, if an exclamation point ! appears before the module name, the directives are processed only if the module specified in the <IfModule> tag is not loaded.
ServerRoot.
mod_ssl, mod_perl, and php, the following directive must be included in Section 1: Global Environment of httpd.conf:
Include conf.d/*.conf
IndexIgnore lists file extensions, partial file names, wildcard expressions, or full file names. The Web server does not include any files which match any of those parameters in server generated directory listings.
IndexOptions controls the appearance of server generated directing listings, by adding icons, file descriptions, and so on. If Options Indexes is set (refer to Options), the Web server generates a directory listing when the Web server receives an HTTP request for a directory without an index.
DirectoryIndex directive (usually, index.html). If an index.html file is not found, Apache HTTP Server creates an HTML directory listing of the requested directory. The appearance of this directory listing is controlled, in part, by the IndexOptions directive.
FancyIndexing. This means that a user can re-sort a directory listing by clicking on column headers. Another click on the same header switches from ascending to descending order. FancyIndexing also shows different icons for different files, based upon file extensions.
AddDescription option, when used in conjunction with FancyIndexing, presents a short description for the file in server generated directory listings.
IndexOptions has a number of other parameters which can be set to control the appearance of server generated directories. The IconHeight and IconWidth parameters require the server to include HTML HEIGHT and WIDTH tags for the icons in server generated webpages. The IconsAreLinks parameter combines the graphical icon with the HTML link anchor, which contains the URL link target.
KeepAlive sets whether the server allows more than one request per connection and can be used to prevent any one client from consuming too much of the server's resources.
Keepalive is set to off. If Keepalive is set to on and the server becomes very busy, the server can quickly spawn the maximum number of child processes. In this situation, the server slows down significantly. If Keepalive is enabled, it is a good idea to set the KeepAliveTimeout low (refer to KeepAliveTimeout for more information about the KeepAliveTimeout directive) and monitor the /var/log/httpd/error_log log file on the server. This log reports when the server is running out of child processes.
KeepAliveTimeout sets the number of seconds the server waits after a request has been served before it closes the connection. Once the server receives a request, the Timeout directive applies instead. The KeepAliveTimeout directive is set to 15 seconds by default.
LanguagePriority sets precedence for different languages in case the client Web browser has no language preference set.
Listen command identifies the ports on which the Web server accepts incoming requests. By default, the Apache HTTP Server is set to listen to port 80 for non-secure Web communications and (in the /etc/httpd/conf.d/ssl.conf file which defines any secure servers) to port 443 for secure Web communications.
httpd can be started as a regular user.
Listen directive can also be used to specify particular IP addresses over which the server accepts connections.
LoadModule is used to load Dynamic Shared Object (DSO) modules. More information on the Apache HTTP Server's DSO support, including instructions for using the LoadModule directive, can be found in 「モジュールを追加する」. Note, the load order of the modules is no longer important with Apache HTTP Server 2.0. Refer to 「Dynamic Shared Object (DSO) のサポート」 for more information about Apache HTTP Server 2.0 DSO support.
<Location> and </Location> tags create a container in which access control based on URL can be specified.
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from <.example.com>
</Location><.example.com> with the second-level domain name for the Web server.
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from <.example.com>
</Location><.example.com> with the second-level domain name for the Web server.
LogFormat directive configures the format of the various Web server log files. The actual LogFormat used depends on the settings given in the CustomLog directive (refer to CustomLog).
CustomLog directive is set to combined:
%h (remote host's IP address or hostname) HostnameLookups is set to on, the client hostname is recorded unless it is not available from DNS.
%l (rfc931) %u (authenticated user) %t (date) %r (request string) %s (status) %b (bytes) %\"%{Referer}i\" (referrer) %\"%{User-Agent}i\" (user-agent) LogLevel sets how verbose the error messages in the error logs are. LogLevel can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info, or debug. The default LogLevel is warn.
MaxKeepAliveRequests is set to 100 by default, which should be appropriate for most situations.
NameVirtualHost directive associates an IP address and port number, if necessary, for any name-based virtual hosts. Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.
NameVirtualHost configuration directive and add the correct IP address. Then add additional VirtualHost containers for each virtual host as is necessary for your configuration.
Options directive controls which server features are available in a particular directory. For example, under the restrictive parameters specified for the root directory, Options is only set to the FollowSymLinks directive. No features are enabled, except that the server is allowed to follow symbolic links in the root directory.
DocumentRoot directory, Options is set to include Indexes and FollowSymLinks. Indexes permits the server to generate a directory listing for a directory if no DirectoryIndex (for example, index.html) is specified. FollowSymLinks allows the server to follow symbolic links in that directory.
Options statements from the main server configuration section need to be replicated to each VirtualHost container individually. Refer to VirtualHost for more information.
Order directive controls the order in which allow and deny directives are evaluated. The server is configured to evaluate the Allow directives before the Deny directives for the DocumentRoot directory.
PidFile names the file where the server records its process ID (PID). By default the PID is listed in /var/run/httpd.pid.
<Proxy *> and </Proxy> tags create a container which encloses a group of configuration directives meant to apply only to the proxy server. Many directives which are allowed within a <Directory> container may also be used within <Proxy> container.
#) from the beginning of the <IfModule mod_proxy.c> line, the ProxyRequests, and each line in the <Proxy> stanza. Set the ProxyRequests directive to On, and set which domains are allowed access to the server in the Allow from directive of the <Proxy> stanza.
ReadmeName names the file which, if it exists in the directory, is appended to the end of server generated directory listings. The Web server first tries to include the file as an HTML document and then tries to include it as plain text. By default, ReadmeName is set to README.html.
Redirect can be used to map the file location to a new URL. The format is as follows:
Redirect /<old-path>/<file-name>http://<current-domain>/<current-path>/<file-name>
<old-path> with the old path information for <file-name> and <current-domain> and <current-path> with the current domain and path information for <file-name>.
<file-name> at the old location is automatically redirected to the new location.
mod_rewrite module included with the Apache HTTP Server. For more information about configuring the mod_rewrite module, refer to the Apache Software Foundation documentation online at http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html.
ScriptAlias directive defines where CGI scripts are located. Generally, it is not good practice to leave CGI scripts within the DocumentRoot, where they can potentially be viewed as text documents. For this reason, a special directory outside of the DocumentRoot directory containing server-side executables and scripts is designated by the ScriptAlias directive. This directory is known as a cgi-bin and is set to /var/www/cgi-bin/ by default.
cgi-bin/ directory. For instructions on doing so, refer to AddHandler and Directory.
ServerAdmin directive to the email address of the Web server administrator. This email address shows up in error messages on server-generated Web pages, so users can report a problem by sending email to the server administrator.
ServerAdmin is set to root@localhost.
ServerAdmin is to set it to webmaster@example.com. Once set, alias webmaster to the person responsible for the Web server in /etc/aliases and run /usr/bin/newaliases.
ServerName specifies a hostname and port number (matching the Listen directive) for the server. The ServerName does not need to match the machine's actual hostname. For example, the Web server may be www.example.com, but the server's hostname is actually foo.example.com. The value specified in ServerName must be a valid Domain Name Service (DNS) name that can be resolved by the system — do not make something up.
ServerName directive:
ServerName www.example.com:80
ServerName, be sure the IP address and server name pair are included in the /etc/hosts file.
ServerRoot directive specifies the top-level directory containing website content. By default, ServerRoot is set to "/etc/httpd" for both secure and non-secure servers.
ServerSignature directive adds a line containing the Apache HTTP Server server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to on by default.
ServerSignature can be set to EMail which adds a mailto:ServerAdmin HTML tag to the signature line of auto-generated responses. ServerSignature can also be set to Off to stop Apache from sending out its version number and module information. Please also check the ServerTokens settings.
ServerTokens directive determines if the Server response header field sent back to clients should include details of the Operating System type and information about compiled-in modules. By default, ServerTokens is set to Full which sends information about the Operating System type and compiled-in modules. Setting the ServerTokens to Prod sends the product name only and is recommended as many hackers check information in the Server header when scanning for vulnerabilities. You can also set the ServerTokens to Min (minimal) or to OS (operating system).
SuexecUserGroup directive, which originates from the mod_suexec module, allows the specification of user and group execution privileges for CGI programs. Non-CGI requests are still processed with the user and group specified in the User and Group directives.
SuexecUserGroup directive replaced the Apache HTTP Server 1.3 configuration of using the User and Group directives inside the configuration of VirtualHosts sections.
Timeout defines, in seconds, the amount of time that the server waits for receipts and transmissions during communications. Timeout is set to 300 seconds by default, which is appropriate for most situations.
TypesConfig names the file which sets the default list of MIME type mappings (file name extensions to content types). The default TypesConfig file is /etc/mime.types. Instead of editing /etc/mime.types, the recommended way to add MIME type mappings is to use the AddType directive.
AddType, refer to AddType.
on, this directive configures the Apache HTTP Server to reference itself using the value specified in the ServerName and Port directives. When UseCanonicalName is set to off, the server instead uses the value used by the requesting client when referring to itself.
UseCanonicalName is set to off by default.
User directive sets the username of the server process and determines what files the server is allowed to access. Any files inaccessible to this user are also inaccessible to clients connecting to the Apache HTTP Server.
User is set to apache.
UserDir is the subdirectory within each user's home directory where they should place personal HTML files which are served by the Web server. This directive is set to disable by default.
public_html in the default configuration. For example, the server might receive the following request:
http://example.com/~username/foo.html/home/username/public_html/foo.html/home/username/ is the user's home directory (note that the default path to users' home directories may vary).
public_html directories (0755 also works). Files that are served in a users' public_html directories must be set to at least 0644.
<VirtualHost> and </VirtualHost> tags create a container outlining the characteristics of a virtual host. The VirtualHost container accepts most configuration directives.
VirtualHost container is provided in httpd.conf, which illustrates the minimum set of configuration directives necessary for each virtual host. Refer to 「仮想ホスト」 for more information about virtual hosts.
/etc/httpd/conf.d/ssl.conf.
/etc/httpd/conf.d/ssl.conf file can be configured to enable secure Web communications using SSL and TLS.
SetEnvIf sets environment variables based on the headers of incoming connections. It is not solely an SSL directive, though it is present in the supplied /etc/httpd/conf.d/ssl.conf file. It's purpose in this context is to disable HTTP keepalive and to allow SSL to close the connection without a closing notification from the client browser. This setting is necessary for certain browsers that do not reliably shut down the SSL connection.
IfModule container is necessary to define the server-pool for the MPM in use.
prefork and worker MPMs.
MaxClients sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. The main purpose of this directive is to keep a runaway Apache HTTP Server from crashing the operating system. For busy servers this value should be set to a high value. The server's default is set to 150 regardless of the MPM in use. However, it is not recommended that the value for MaxClients exceeds 256 when using the prefork MPM.
MaxRequestsPerChild sets the total number of requests each child server process serves before the child dies. The main reason for setting MaxRequestsPerChild is to avoid long-lived process induced memory leaks. The default MaxRequestsPerChild for the prefork MPM is 4000 and for the worker MPM is 0.
prefork MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server processes based on the number of incoming requests. The server checks the number of servers waiting for a request and kills some if there are more than MaxSpareServers or creates some if the number of servers is less than MinSpareServers.
MinSpareServers value is 5; the default MaxSpareServers value is 20. These default settings should be appropriate for most situations. Be careful not to increase the MinSpareServers to a large number as doing so creates a heavy processing load on the server even when traffic is light.
worker MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server threads based on the number of incoming requests. The server checks the number of server threads waiting for a request and kills some if there are more than MaxSpareThreads or creates some if the number of servers is less than MinSpareThreads.
MinSpareThreads value is 25; the default MaxSpareThreads value is 75. These default settings should be appropriate for most situations. The value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild, else the Apache HTTP Server automatically corrects it.
StartServers directive sets how many server processes are created upon startup. Since the Web server dynamically kills and creates server processes based on traffic load, it is not necessary to change this parameter. The Web server is set to start 8 server processes at startup for the prefork MPM and 2 for the worker MPM.
http-manual package is installed, documentation about DSOs can be found online at http://localhost/manual/mod/.
LoadModule directive within /etc/httpd/conf/httpd.conf. If the module is provided by a separate package, the line must appear within the modules configuration file in the /etc/httpd/conf.d/ directory. Refer to LoadModule for more information.
http.conf, Apache HTTP Server must be reloaded or restarted, as referred to in 「Starting and Stopping httpd」.
httpd-devel package which contains the include files, the header files, as well as the APache eXtenSion (/usr/sbin/apxs) application, which uses the include files and the header files to compile DSOs.
/usr/sbin/apxs to compile the module sources outside the Apache source tree. For more information about using the /usr/sbin/apxs command, refer to the Apache documentation online at http://httpd.apache.org/docs/2.2/dso.html as well as the apxs man page.
/usr/lib/httpd/modules/ directory. For RHEL platforms using default-64-bit userspace (x86_64, ia64, ?) this path will be /usr/lib64/httpd/modules/. Then add a LoadModule line to the httpd.conf, using the following structure:
LoadModule <module-name> <path/to/module.so><module-name> is the name of the module and <path/to/module.so> is the path to the DSO.
httpd.conf as an example.
#NameVirtualHost *:80 # #<VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com # DocumentRoot /www/docs/dummy-host.example.com # ServerName dummy-host.example.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common #</VirtualHost>
NameVirtualHost line by removing the hash mark (#) and replace the asterisk (*) with the IP address assigned to the machine.
<VirtualHost> container.
<VirtualHost> line, change the asterisk (*) to the server's IP address. Change the ServerName to a valid DNS name assigned to the machine, and configure the other directives as necessary.
<VirtualHost> container is highly customizable and accepts almost every directive available within the main server configuration.
Listen directive in the global settings section of /etc/httpd/conf/httpd.conf file.
httpd」 for further instructions.
mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components are referred to in this section as the secure Web server or just as the secure server.
mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
httpdhttpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_sslmod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
opensslopenssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the navigation bar.
/etc/pki/tls/private/server.key/etc/pki/tls/certs/server.crthttpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/server.keymv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/server.crt
service httpd startcd command to change to the /etc/pki/tls/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:
rm private/server.keyrm certs/server.crt
crypto-utils package contains the genkey utility which you can use to generate keys as the name implies. To create your own private key, please ensure the crypto-utils package is installed. You can view more options by typing man genkey in your terminal. Assuming you wish to generate keys for www.example.com using the genkey utility, type in the following command in your terminal:
genkey www.example.commake based process is no longer shipped with RHEL 5. This will start the genkey graphical user interface. The figure below illustrates the first screen. To navigate, use the keyboard arrow and tab keys. This windows indicates where your key will be stored and prompts you to proceed or cancel the operation. To proceed to the next step, select Next and press the Return (Enter) key.
genkey www.example.com on a server that already has an existing key pair for the particular hostname, an error message will be displayed as illustrated below. You need to delete your existing key file as indicated to generate a new key pair.
/etc/pki/tls/certs/www.example.com.crt
/etc/httpd/conf.d/ssl.conf. Change the SSLCertificateFile and SSLCertificateKey lines to be.
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.keyNote that the 「www.example.com」 part should match the argument passed on the
genkey command.
mod_ssl.
vsftpd.
vsftpd — A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux. The remainder of this chapter focuses on vsftpd.
vsftpdvsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.
vsftpd has three primary aspects:
libcap library, tasks that usually require full root privileges can be executed more safely from a less privileged process.
chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the directory /var/ftp/ is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained below the new root directory.
vsftpd deals with requests:
vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks.
chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allows the attacker access to the shared files.
vsftpdvsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system. The following lists the files and directories related to vsftpd configuration:
/etc/rc.d/init.d/vsftpd — The initialization script (initscript) used by the /sbin/service command to start, stop, or reload vsftpd. Refer to 「Starting and Stopping vsftpd」 for more information about using this script.
/etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to the FTP server. For more information, refer to 「PAM(Pluggable Authentication Modules)」.
/etc/vsftpd/vsftpd.conf — The configuration file for vsftpd. Refer to 「vsftpd Configuration Options」 for a list of important options contained within this file.
/etc/vsftpd.ftpusers — A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others.
/etc/vsftpd.user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd.user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd.ftpusers.
/var/ftp/ — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.
vsftpdvsftpd RPM installs the /etc/rc.d/init.d/vsftpd script, which can be accessed using the /sbin/service command.
service vsftpd startservice vsftpd stoprestart option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.
service vsftpd restartcondrestart (conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
service vsftpd condrestartvsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to 17章サービスへのアクセスの制御 for more information regarding these tools.
vsftpdvsftpd is by running multiple copies of the daemon, each with its own configuration file.
vsftpd to answer requests on different IP addresses, multiple copies of the daemon must be running. The first copy must be run using the vsftpd initscripts, as outlined in 「Starting and Stopping vsftpd」. This copy uses the standard configuration file, /etc/vsftpd/vsftpd.conf.
/etc/vsftpd/ directory, such as /etc/vsftpd/vsftpd-site-2.conf. Each configuration file must be readable and writable only by root. Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique:
listen_address=N.N.N.NN.N.N.N with the unique IP address for the FTP site being served. If the site is using IPv6, use the listen_address6 directive instead.
vsftpd daemon must be launched from a root shell prompt using the following command:
vsftpd /etc/vsftpd/<configuration-file> [amp ]<configuration-file> with the unique name for the server's configuration file, such as /etc/vsftpd/vsftpd-site-2.conf.
anon_root
local_root
vsftpd_log_file
xferlog_file
vsftpd's configuration file, refer to 「vsftpd Configuration Options」.
/etc/rc.local file.
vsftpd Configuration Optionsvsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrator's needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format:
<directive>=<value>
<directive> with a valid directive and <value> with a valid value.
<directive>, equal symbol, and the <value> in a directive.
#) and are ignored by the daemon.
vsftpd.conf.
vsftpd, refer to 「サーバーセキュリティ」.
/etc/vsftpd/vsftpd.conf. All directives not explicitly found within vsftpd's configuration file are set to their default value.
vsftpd daemon.
listen — When enabled, vsftpd runs in stand-alone mode. Red Hat Enterprise Linux sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
NO.
listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to IPv6 sockets. This directive cannot be used in conjunction with the listen directive.
NO.
session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). Refer to 「PAM(Pluggable Authentication Modules)」 for more information. If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
YES.
anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames anonymous and ftp are accepted.
YES.
banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
/etc/vsftpd.banned_emails.
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
cmds_allowed — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
deny_email_enable — When enabled, any anonymous user utilizing email passwords specified in the /etc/vsftpd.banned_emails are denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.
NO.
ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
vsftpd displays its standard banner.
local_enable — When enabled, local users are allowed to log into the system.
YES.
pam_service_name — Specifies the PAM service name for vsftpd.
ftp. On Red Hat Enterprise Linux 5.8, this option is set to vsftpd in the configuration file.
tcp_wrappers — When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, the VSFTPD_LOAD_CONF option can be used to load different configuration files based on the IP address being requested by the client.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
YES.
userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
/etc/vsftpd.user_list and is created during installation.
anonymous_enable directive must be set to YES.
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
NO.
anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
NO.
anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
YES.
ftp_username — Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user.
ftp.
no_anon_password — When enabled, the anonymous user is not asked for a password.
NO.
secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
/etc/vsftpd.email_passwords. The file format is one password per line, with no trailing white spaces.
NO.
local_enable directive must be set to YES.
chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.
YES.
chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.
chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.
NO.
chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
/etc/vsftpd.chroot_list.
chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
NO.
chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
NO.
guest_username — Specifies the username the guest user is mapped to.
ftp.
local_root — Specifies the directory vsftpd changes to after a local user logs in.
local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
022.
passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of the /./ in the home directory field within /etc/passwd.
NO.
user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user's configuration file overrides those found in /etc/vsftpd/vsftpd.conf.
dirlist_enable — When enabled, users are allowed to view directory lists.
YES.
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
force_dot_files — When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. files.
NO.
hide_ids — When enabled, all directory listings show ftp as the user and group for each file.
NO.
message_file — Specifies the name of the message file when using the dirmessage_enable directive.
.message.
text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.
NO.
use_localtime — When enabled, directory listings reveal the local time for the computer instead of GMT.
NO.
download_enable — When enabled, file downloads are permitted.
YES.
chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
NO.
chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
root.
write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR.
YES.
vsftpd's logging behavior.
dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default).
NO.
log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all FTP commands and responses are logged. This directive is useful for debugging.
NO.
syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default) is sent to the system logger instead under the FTPD facility.
NO.
vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
/var/log/vsftpd.log.
xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
/var/log/xferlog.
xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and does not log connections to the server.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
wu-ftpd FTP server, the xferlog_std_format directive is set to YES under Red Hat Enterprise Linux. However, this setting means that connections to the server are not logged.
vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES.
wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash mark (#), or delete the line entirely.
vsftpd interacts with the network.
accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection.
60.
anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.
0, which does not limit the transfer rate.
connect_from_port_20 When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with less privileges, but may be incompatible with some FTP clients.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
60.
data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
300.
ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
20.
idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
300.
listen_address — Specifies the IP address on which vsftpd listens for network connections.
vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to 「Starting Multiple Copies of vsftpd」 for more information about multihomed FTP servers.
listen_address6 — Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES.
vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to 「Starting Multiple Copies of vsftpd」 for more information about multihomed FTP servers.
listen_port — Specifies the port on which vsftpd listens for network connections.
21.
local_max_rate — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.
0, which does not limit the transfer rate.
max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
0, which does not limit connections.
max_per_ip — Specifies the maximum of clients allowed to connected from the same source IP address.
0, which does not limit connections.
pasv_address — Specifies the IP address for the public facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.
pasv_enable — When enabled, passive mode connects are allowed.
YES.
pasv_max_port — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
0, which does not limit the highest passive port range. The value must not exceed 65535.
pasv_min_port — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
0, which does not limit the lowest passive port range. The value must not be lower 1024.
pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling.
NO.
port_enable — When enabled, active mode connects are allowed.
YES.
vsftpd, refer to the following resources.
/usr/share/doc/vsftpd-<version-number>/ directory — Replace <version-number> with the installed version of the vsftpd package. This directory contains a README with basic information about the software. The TUNING file contains basic performance tuning tips and the SECURITY/ directory contains information about the security model employed by vsftpd.
vsftpd related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.
man vsftpd — Describes available command line options for vsftpd.
man vsftpd.conf — Contains a detailed list of options available within the configuration file for vsftpd.
man 5 hosts_access — Describes the format and options available within the TCP wrappers configuration files: hosts.allow and hosts.deny.
vsftpd project page is a great place to locate the latest documentation and to contact the author of the software.
/usr/sbin/sendmail) is the default SMTP program under Red Hat Enterprise Linux. However, a simpler mail server application called Postfix (/usr/sbin/postfix) is also available.
/usr/lib/cyrus-imapd/pop3d and is provided by the cyrus-imapd package. When using a POP server, email messages are downloaded by email client applications. By default, most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred, however this setting usually can be changed.
ipop3s service or by using the /usr/sbin/stunnel program. Refer to 「通信のセキュリティ」 for more information.
/usr/lib/cyrus-imapd/imapd and is provided by the cyrus-imapd package. When using an IMAP mail server, email messages remain on the server where users can read or delete them. IMAP also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
imaps service, or by using the /usr/sbin/stunnel program. Refer to 「通信のセキュリティ」 for more information.
imap-login and pop3-login daemons which implement the IMAP and POP3 protocols are included in the dovecot package. The use of IMAP and POP is configured through dovecot; by default dovecot runs only IMAP. To configure dovecot to use POP:
/etc/dovecot.conf to have the line:
protocols = imap imaps pop3 pop3s
service dovecot restartchkconfig dovecot ondovecot only reports that it started the IMAP server, but also starts the POP3 server.
dovecot configuration file /etc/pki/dovecot/dovecot-openssl.conf as you prefer. However in a typical installation, this file does not require modification.
/etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem.
/usr/share/doc/dovecot-1.0/examples/mkcert.sh script which creates the dovecot self signed certificates. The certificates are copied in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories. To implement the changes, restart dovecot (/sbin/service dovecot restart).
dovecot can be found online at http://www.dovecot.org.
mail or Procmail.
mutt.
/usr/sbin/sendmail.
/etc/mail/sendmail.cf. Avoid editing the sendmail.cf file directly. To make configuration changes to Sendmail, edit the /etc/mail/sendmail.mc file, back up the original /etc/mail/sendmail.cf, and use the following alternatives to generate a new configuration file:
/etc/mail (make all -C /etc/mail) to create a new /etc/mail/sendmail.cf configuration file. All other generated files in /etc/mail (db files) will be regenerated if needed. The old makemap commands are still usable. The make command will automatically be used by service sendmail start | restart | reload if the make package is installed.
m4 macro processor to create a new /etc/mail/sendmail.cf.
/etc/mail/ directory including:
access — Specifies which systems can use Sendmail for outbound email.
domaintable — Specifies domain name mapping.
local-host-names — Specifies aliases for the host.
mailertable — Specifies instructions that override routing for particular domains.
virtusertable — Specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
/etc/mail/, such as access, domaintable, mailertable and virtusertable, must actually store their information in database files before Sendmail can use any configuration changes. To include any changes made to these configurations in their database files, run the following command:
makemap hash /etc/mail/<name> < /etc/mail/<name>
<name> is replaced with the name of the configuration file to convert.
example.com domain delivered to bob@other-example.com
, add the following line to the virtusertable file:
@example.com bob@other-example.com
virtusertable.db file must be updated using the following command as root:
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertablevirtusertable.db file containing the new configuration.
/etc/mail/sendmail.cf file.
sendmail.cf file, it is a good idea to create a backup copy.
/etc/mail/sendmail.mc file as the root user. When finished, use the m4 macro processor to generate a new sendmail.cf by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cfm4 macro processor is installed with Sendmail but is part of the m4 package.
/etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. The easiest way to do this is to type the following command:
service sendmail restartsendmail.cf file does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the /etc/mail/sendmail.mc file, and either change the address specified in the Addr= option of the DAEMON_OPTIONS directive from 127.0.0.1 to the IP address of an active network device or comment out the DAEMON_OPTIONS directive all together by placing dnl at the beginning of the line. When finished, regenerate /etc/mail/sendmail.cf by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf/etc/mail/sendmail.mc file must be reconfigured and a new /etc/mail/sendmail.cf must be generated.
/usr/share/sendmail-cf/README file before editing any files in the directories under the /usr/share/sendmail-cf directory, as they can affect the future configuration of /etc/mail/sendmail.cf files.
mail.example.com that handles all of their email and assigns a consistent return address to all outgoing mail.
user@example.com instead of user@host.example.com.
/etc/mail/sendmail.mc:
FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`bigcorp.com.')dnl MASQUERADE_DOMAIN(`bigcorp.com.')dnl MASQUERADE_AS(bigcorp.com)dnl
sendmail.cf using m4, this configuration makes all mail from inside the network appear as if it were sent from bigcorp.com.
x.edu) to accept messages from one party (y.com) and sent them to a different party (z.net). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the /etc/mail/relay-domains file and restart Sendmail.
/etc/mail/access file can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
badspammer.com ERROR:550 "Go away and do not spam us anymore" tux.badspammer.com OK 10.0 RELAY
badspammer.com is blocked with a 550 RFC-821 compliant error code, with a message sent back to the spammer. Email sent from the tux.badspammer.com sub-domain, is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.
/etc/mail/access.db is a database, use makemap to activate any changes. Do this using the following command as root:
makemap hash /etc/mail/access < /etc/mail/access/usr/share/sendmail-cf/README for more information and examples.
aliases and virtusertables, on different mail servers that work together to support a medium- to enterprise-level organization. In short, LDAP abstracts the mail routing level from Sendmail and its separate configuration files to a powerful LDAP cluster that can be leveraged by many different applications.
/etc/mail/sendmail.mc to include the following:
LDAPROUTE_DOMAIN('yourdomain.com')dnl
FEATURE('ldap_routing')dnl/usr/share/sendmail-cf/README for detailed LDAP routing configuration instructions and examples.
/etc/mail/sendmail.cf file by running m4 and restarting Sendmail. Refer to 「一般的な Sendmail 設定変更」 for instructions.
/usr/sbin/postfix. This daemon launches all related processes needed to handle mail delivery.
/etc/postfix/ directory. The following is a list of the more commonly used files:
access — Used for access control, this file specifies which hosts are allowed to connect to Postfix.
aliases — A configurable list required by the mail protocol.
main.cf — The global Postfix configuration file. The majority of configuration options are specified in this file.
master.cf — Specifies how Postfix interacts with various processes to accomplish mail delivery.
transport — Maps email addresses to relay hosts.
/etc/postfix/main.cf file does not allow Postfix to accept network connections from a host other than the local computer. For instructions on configuring Postfix as a server for other clients, refer to 「Postfix の基本的な設定」.
/etc/postfix/ directory, it may be necessary to restart the postfix service for the changes to take effect. The easiest way to do this is to type the following command:
service postfix restart/etc/postfix/main.cf file with a text editor, such as vi.
mydomain line by removing the hash mark (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
myorigin = $mydomain line.
myhostname line, and replace host.domain.tld with the hostname for the machine.
mydestination = $myhostname, localhost.$mydomain line.
mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
inet_interfaces = all line.
inet_interfaces = localhost line.
postfix service.
/etc/postfix/main.cf. Additional resources including information about LDAP and SpamAssassin integration are available online at http://www.postfix.org/.
.fetchmailrc file in the user's home directory.
.fetchmailrc file, Fetchmail checks for email on a remote server and downloads it. It then delivers it to port 25 on the local machine, using the local MTA to place the email in the correct user's spool file. If Procmail is available, it is launched to filter the email and place it in a mailbox so that it can be read by an MUA.
.fetchmailrc file is much easier. Place any desired configuration options in the .fetchmailrc file for those options to be used each time the fetchmail command is issued. It is possible to override these at the time Fetchmail is run by specifying that option on the command line.
.fetchmailrc file contains three classes of configuration options:
.fetchmailrc file, followed by one or more server options, each of which designate a different email server that Fetchmail should check. User options follow server options for each user account checking that email server. Like server options, multiple user options may be specified for use with a particular server as well as to check multiple email accounts on the same server.
.fetchmailrc file by the use of a special option verb, poll or skip, that precedes any of the server information. The poll action tells Fetchmail to use this server option when it is run, which checks for email using the specified user options. Any server options after a skip action, however, are not checked unless this server's hostname is specified when Fetchmail is invoked. The skip option is useful when testing configurations in .fetchmailrc because it only checks skipped servers when specifically invoked, and does not affect any currently working configurations.
.fetchmailrc file looks similar to the following example:
set postmaster "user1" set bouncemail poll pop.domain.com proto pop3 user 'user1' there with password 'secret' is user1 here poll mail.domain2.com user 'user5' there with password 'secret2' is user1 here user 'user7' there with password 'secret3' is user1 here
postmaster option) and all email errors are sent to the postmaster instead of the sender (bouncemail option). The set action tells Fetchmail that this line contains a global option. Then, two email servers are specified, one set to check using POP3, the other for trying various protocols to find one that works. Two users are checked using the second server option, but all email found for any user is sent to user1's mail spool. This allows multiple mailboxes to be checked on multiple servers, while appearing in a single MUA inbox. Each user's specific information begins with the user action.
.fetchmailrc file. Omitting the with password '<password>' section causes Fetchmail to ask for a password when it is launched.
fetchmail man page explains each option in detail, but the most common ones are listed here.
set action.
daemon <seconds> — Specifies daemon-mode, where Fetchmail stays in the background. Replace <seconds> with the number of seconds Fetchmail is to wait before polling the server.
postmaster — Specifies a local user to send mail to in case of delivery problems.
syslog — Specifies the log file for errors and status messages. By default, this is /var/log/maillog.
.fetchmailrc after a poll or skip action.
auth <auth-type> — Replace <auth-type> with the type of authentication to be used. By default, password authentication is used, but some protocols support other types of authentication, including kerberos_v5, kerberos_v4, and ssh. If the any authentication type is used, Fetchmail first tries methods that do not require a password, then methods that mask the password, and finally attempts to send the password unencrypted to authenticate to the server.
interval <number> — Polls the specified server every <number> port <port-number> — Replace <port-number> with the port number. This value overrides the default port number for the specified protocol.
proto <protocol> — Replace <protocol> with the protocol, such as pop3 or imap, to use when checking for messages on the server.
timeout <seconds> — Replace <seconds> with the number of seconds of server inactivity after which Fetchmail gives up on a connection attempt. If this value is not set, a default of 300 seconds is assumed.
user option (defined below).
fetchall — Orders Fetchmail to download all messages in the queue, including messages that have already been viewed. By default, Fetchmail only pulls down new messages.
fetchlimit <number> — Replace <number> with the number of messages to be retrieved before stopping.
flush — Deletes all previously viewed messages in the queue before retrieving new messages.
limit <max-number-bytes> — Replace <max-number-bytes> with the maximum size in bytes that messages are allowed to be when retrieved by Fetchmail. This option is useful with slow network links, when a large message takes too long to download.
password '<password>' — Replace <password> with the user's password.
preconnect "<command>" — Replace <command> with a command to be executed before retrieving messages for the user.
postconnect "<command>" — Replace <command> with a command to be executed after retrieving messages for the user.
ssl — Activates SSL encryption.
user "<username>" — Replace <username> with the username used by Fetchmail to retrieve messages. This option must precede all other user options.
fetchmail command mirror the .fetchmailrc configuration options. In this way, Fetchmail may be used with or without a configuration file. These options are not used on the command line by most users because it is easier to leave them in the .fetchmailrc file.
fetchmail command with other options for a particular purpose. It is possible to issue command options to temporarily override a .fetchmailrc setting that is causing an error, as any options specified at the command line override configuration file options.
fetchmail command can supply important information.
--configdump — Displays every possible option based on information from .fetchmailrc and Fetchmail defaults. No email is retrieved for any users when using this option.
-s — Executes Fetchmail in silent mode, preventing any messages, other than errors, from appearing after the fetchmail command.
-v — Executes Fetchmail in verbose mode, displaying every communication between Fetchmail and remote email servers.
-V — Displays detailed version information, lists its global options, and shows settings to be used with each user, including the email protocol and authentication method. No email is retrieved for any users when using this option.
.fetchmailrc file.
-a — Fetchmail downloads all messages from the remote email server, whether new or previously viewed. By default, Fetchmail only downloads new messages.
-k — Fetchmail leaves the messages on the remote email server after downloading them. This option overrides the default behavior of deleting messages after downloading them.
-l <max-number-bytes> — Fetchmail does not download any messages over a particular size and leaves them on the remote email server.
--quit — Quits the Fetchmail daemon process.
.fetchmailrc options can be found in the fetchmail man page.
/bin/mail command to send email containing log messages to the root user of the local system.
sendmail is the default MTA. The Mail Transport Agent Switcher allows for the selection of either sendmail, postfix, or exim as the default MTA for the system.
system-switch-mail RPM package must be installed to use the text-based version of the Mail Transport Agent Switcher program. If you want to use the graphical version, the system-switch-mail-gnome package must also be installed. system-switch-mail at a shell prompt (for example, in an XTerm or GNOME terminal).
system-switch-mail-nox.
mail. Both of the applications are considered LDAs and both move email from the MTA's spool file into the user's mailbox. However, Procmail provides a robust filtering system.
mail command, consult its man page.
/etc/procmailrc or of a .procmailrc file (also called an rc file) in the user's home directory invokes Procmail whenever an MTA receives a new message.
rc file. If a message matches a recipe, then the email is placed in a specified file, is deleted, or is otherwise processed.
/etc/procmailrc and rc files in the /etc/procmailrcs directory for default, system-wide, Procmail environmental variables and recipes. Procmail then searches for a .procmailrc file in the user's home directory. Many users also create additional rc files for Procmail that are referred to within the .procmailrc file in their home directory.
rc files exist in the /etc/ directory and no .procmailrc files exist in any user's home directory. Therefore, to use Procmail, each user must construct a .procmailrc file with specific environment variables and rules.
.procmailrc in the following format:
<env-variable>="<value>"
<env-variable> <value> DEFAULT — Sets the default mailbox where messages that do not match any recipes are placed.
DEFAULT value is the same as $ORGMAIL.
INCLUDERC — Specifies additional rc files containing more recipes for messages to be checked against. This breaks up the Procmail recipe lists into individual files that fulfill different roles, such as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user's .procmailrc file.
.procmailrc file may look like this:
MAILDIR=$HOME/Msgs INCLUDERC=$MAILDIR/lists.rc INCLUDERC=$MAILDIR/spam.rc
INCLUDERC line with a hash mark character (#).
LOCKSLEEP — Sets the amount of time, in seconds, between attempts by Procmail to use a particular lockfile. The default is eight seconds.
LOCKTIMEOUT — Sets the amount of time, in seconds, that must pass after a lockfile was last modified before Procmail assumes that the lockfile is old and can be deleted. The default is 1024 seconds.
LOGFILE — The file to which any Procmail information or error messages are written.
MAILDIR — Sets the current working directory for Procmail. If set, all other Procmail paths are relative to this directory.
ORGMAIL — Specifies the original mailbox, or another place to put the messages if they cannot be placed in the default or recipe-required location.
/var/spool/mail/$LOGNAME is used.
SUSPEND — Sets the amount of time, in seconds, that Procmail pauses if a necessary resource, such as swap space, is not available.
SWITCHRC — Allows a user to specify an external file containing additional Procmail recipes, much like the INCLUDERC option, except that recipe checking is actually stopped on the referring configuration file and only the recipes on the SWITCHRC-specified file are used.
VERBOSE — Causes Procmail to log more information. This option is useful for debugging.
LOGNAME, which is the login name; HOME, which is the location of the home directory; and SHELL, which is the default shell.
procmailrc man page.
:0<flags>: <lockfile-name>*<special-condition-character><condition-1>*<special-condition-character><condition-2>*<special-condition-character><condition-N><special-action-character><action-to-perform>
<flags> <lockfile-name> * character can further control the condition.
<action-to-perform> { }, that are performed on messages which match the recipe's conditions. Nesting blocks can be nested inside one another, providing greater control for identifying and performing actions on messages.
A — Specifies that this recipe is only used if the previous recipe without an A or a flag also matched this message.
a — Specifies that this recipe is only used if the previous recipe with an A or a flag also matched this message and was successfully completed.
B — Parses the body of the message and looks for matching conditions.
b — Uses the body in any resulting action, such as writing the message to a file or forwarding it. This is the default behavior.
c — Generates a carbon copy of the email. This is useful with delivering recipes, since the required action can be performed on the message and a copy of the message can continue being processed in the rc files.
D — Makes the egrep comparison case-sensitive. By default, the comparison process is not case-sensitive.
E — While similar to the A flag, the conditions in the recipe are only compared to the message if the immediately preceding the recipe without an E flag did not match. This is comparable to an else action.
e — The recipe is compared to the message only if the action specified in the immediately preceding recipe fails.
f — Uses the pipe as a filter.
H — Parses the header of the message and looks for matching conditions. This occurs by default.
h — Uses the header in a resulting action. This is the default behavior.
w — Tells Procmail to wait for the specified filter or program to finish, and reports whether or not it was successful before considering the message filtered.
W — Is identical to w except that "Program failure" messages are suppressed.
procmailrc man page.
:) after any flags on a recipe's first line. This creates a local lockfile based on the destination file name plus whatever has been set in the LOCKEXT global environment variable.
* character at the beginning of a recipe's condition line:
! — In the condition line, this character inverts the condition, causing a match to occur only if the condition does not match the message.
< — Checks if the message is under a specified number of bytes.
> — Checks if the message is over a specified number of bytes.
! — In the action line, this character tells Procmail to forward the message to the specified email addresses.
$ — Refers to a variable set earlier in the rc file. This is often used to set a common mailbox that is referred to by various recipes.
| — Starts a specified program to process the message.
{ and } — Constructs a nesting block, used to contain additional recipes to apply to matching messages.
grep man page.
:0: new-mail.spool
LOCKEXT environment variable. No condition is specified, so every message matches this recipe and is placed in the single spool file called new-mail.spool, located within the directory specified by the MAILDIR environment variable. An MUA can then view messages in this file.
rc files to direct messages to a default location.
:0 * ^From: spammer@domain.com /dev/null
spammer@domain.com are sent to the /dev/null device, deleting them.
/dev/null for permanent deletion. If a recipe inadvertently catches unintended messages, and those messages disappear, it becomes difficult to troubleshoot the rule.
/dev/null.
:0: * ^(From|CC|To).*tux-lug tuxlug
tux-lug@domain.com mailing list are placed in the tuxlug mailbox automatically for the MUA. Note that the condition in this example matches the message if it has the mailing list's email address on the From, CC, or To lines.
~/.procmailrc file:
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc
/etc/mail/spamassassin/spamassassin-default.rc contains a simple Procmail rule that activates SpamAssassin for all incoming email. If an email is determined to be spam, it is tagged in the header as such and the title is prepended with the following pattern:
*****SPAM*****
:0 Hw * ^X-Spam-Status: Yes spam
spam.
spamd) and client application (spamc). Configuring SpamAssassin this way, however, requires root access to the host.
spamd daemon, type the following command as root:
service spamassassin startsystem-config-services), to turn on the spamassassin service. Refer to 17章サービスへのアクセスの制御 for more information about initscript utilities.
~/.procmailrc file. For a system-wide configuration, place it in /etc/procmailrc:
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
mutt.
mutt offer SSL-encrypted email sessions.
/etc/pki/tls/certs/ directory and type the following commands as root:
rm -f cyrus-imapd.pem make cyrus-imapd.pem/etc/pki/tls/certs/ directory, and type the following commands as root:
rm -f ipop3d.pem make ipop3d.pemimapd.pem and ipop3d.pem files before issuing each make command.
/sbin/service xinetd restart command to restart the xinetd daemon which controls imapd and ipop3d.
stunnel command can be used as an SSL encryption wrapper around the standard, non-secure daemons, imapd or pop3d.
stunnel program uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and protect the connections. It is best to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
/etc/pki/tls/certs/ directory, and type the following command:
make stunnel.pemstunnel command to start the imapd mail daemon using the following command:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapdpop3d using the stunnel command, type the following command:
/usr/sbin/stunnel -d 995 -l /usr/sbin/pop3d pop3dstunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-<version-number> / directory, where <version-number> is the version number for stunnel.
sendmail and sendmail-cf packages.
/usr/share/sendmail-cf/README — Contains information on m4, file locations for Sendmail, supported mailers, how to access enhanced features, and more.
sendmail and aliases man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail /etc/mail/aliases file.
/usr/share/doc/postfix-<version-number> — Contains a large amount of information about ways to configure Postfix. Replace <version-number> with the version number of Postfix.
/usr/share/doc/fetchmail-<version-number> — Contains a full list of Fetchmail features in the FEATURES file and an introductory FAQ document. Replace <version-number> with the version number of Fetchmail.
/usr/share/doc/procmail-<version-number> — Contains a README file that provides an overview of Procmail, a FEATURES file that explores every program feature, and an FAQ file with answers to many common configuration questions. Replace <version-number> with the version number of Procmail.
procmail — Provides an overview of how Procmail works and the steps involved with filtering email.
procmailrc — Explains the rc file format used to construct recipes.
procmailex — Gives a number of useful, real-world examples of Procmail recipes.
procmailsc — Explains the weighted scoring technique used by Procmail to match a particular recipe to a message.
/usr/share/doc/spamassassin-<version-number>/ — Contains a large amount of information pertaining to SpamAssassin. Replace <version-number> with the version number of the spamassassin package.
.procmailrc files and use Procmail scoring to decide if a particular action should be taken.
/etc/openldap/schema/ directory. For more information, refer to 「The /etc/openldap/schema/ Directory」.
[<id>] dn: <distinguished name> <attrtype>: <attrvalue> <attrtype>: <attrvalue> <attrtype>: <attrvalue>
<attrtype>: <attrvalue> pairs as needed. A blank line indicates the end of an entry.
<attrtype> and <attrvalue> pairs must be defined in a corresponding schema file to use this information.
< and a > is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <id>. The <id> is a number determined by the application used to edit the entry.
openldap — Contains the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients — Contains command line tools for viewing and modifying directories on an LDAP server.
openldap-servers — Contains the servers and other utilities necessary to configure and run an LDAP server.
openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd).
slapd daemon is the standalone LDAP server while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The slurpd daemon is only used when dealing with multiple LDAP servers.
openldap-servers package installs the following utilities into the /usr/sbin/ directory:
slapadd — Adds entries from an LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file, ldif-input/usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldapslapcat — Pulls entries from an LDAP directory in the default format, Sleepycat Software's Berkeley DB system, and saves them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called ldif-outputslapindex — Re-indexes the slapd directory based on the current content. This tool should be run whenever indexing options within /etc/openldap/slapd.conf are changed.
slappasswd — Generates an encrypted user password value for use with ldapmodify or the rootpw value in the slapd configuration file, /etc/openldap/slapd.conf. Execute the /usr/sbin/slappasswd command to create the password.
slapd by issuing the /sbin/service ldap stop command before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk.
openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
ldapadd — Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify -a.
ldapdelete — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
ldapmodify — Modifies entries in an LDAP directory, accepting input via a file or standard input.
ldappasswd — Sets the password for an LDAP user.
ldapsearch — Searches for entries in an LDAP directory using a shell prompt.
ldapcompare — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
ldapwhoami — Opens a connection to an LDAP server, binds, and performs a whoami operation.
ldapmodrdn — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
nss_ldap, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
nss_ldap package provides the following modules (where <version> refers to the version of libnss_ldap in use):
/lib/libnss_ldap-<version>.so
/lib/security/pam_ldap.so
nss_ldap package provides the following modules for Itanium or AMD64 architectures:
/lib64/libnss_ldap-<version>.so
/lib64/security/pam_ldap.so
libnss_ldap-<version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the Nameservice Switch (NSS) interface of glibc. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
php-ldap package adds LDAP support to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows PHP4 scripts to access information stored in an LDAP directory.
mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.
mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module, which is not included with Red Hat Enterprise Linux. Refer to the Apache Software Foundation website online at http://www.apache.org/ for details on the status of this module.
/etc/openldap/ directory. The following is a brief list highlighting the most important directories and files:
/etc/openldap/ldap.conf — This is the configuration file for all client applications which use the OpenLDAP libraries such as ldapsearch, ldapadd, Sendmail, Evolution, and Gnome Meeting.
/etc/openldap/slapd.conf — This is the configuration file for the slapd daemon. Refer to 「Editing /etc/openldap/slapd.conf」 for more information.
/etc/openldap/schema/ directory — This subdirectory contains the schema used by the slapd daemon. Refer to 「The /etc/openldap/schema/ Directory」 for more information.
nss_ldap package is installed, it creates a file named /etc/ldap.conf. This file is used by the PAM and NSS modules supplied by the nss_ldap package. Refer to 「システムが OpenLDAP を使用して認証を実行するように設定する」 for more information.
/etc/openldap/schema/ Directory/etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. The /etc/openldap/schema/redhat/ directory holds customized schemas distributed by Red Hat for Red Hat Enterprise Linux.
/etc/openldap/slapd.conf using include lines, as shown in this example:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema
local.schema file in the /etc/openldap/schema/ directory. Reference this new schema within slapd.conf by adding the following line below the default include schema lines:
include /etc/openldap/schema/local.schema
local.schema file. Many organizations use existing attribute types from the schema files installed by default and add new object classes to the local.schema file.
openldap, openldap-servers, and openldap-clients RPMs.
/etc/openldap/slapd.conf file to specify the LDAP domain and server. Refer to 「Editing /etc/openldap/slapd.conf」 for more information.
slapd with the command:
service ldap startchkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to 17章サービスへのアクセスの制御.
ldapadd.
ldapsearch to determine if slapd is accessing the information correctly.
/etc/openldap/slapd.confslapd LDAP server, modify its configuration file, /etc/openldap/slapd.conf, to specify the correct domain and server.
suffix line names the domain for which the LDAP server provides information and should be changed from:
suffix "dc=your-domain,dc=com"
suffix "dc=example,dc=com"
rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as in the following example:
rootdn "cn=root,dc=example,dc=com"
rootpw line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
slappasswd/etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#).
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2urootpw directive specified in /etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.
/etc/openldap/slapd.conf and refer to the man page for slapd.conf.
rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark (#).
/usr/sbin/slapadd command line tool locally to populate the LDAP directory, use of the rootpw directive is not necessary.
/usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldapopenldap-servers package.
openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP client machines.
/etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. Refer to 「Editing /etc/openldap/slapd.conf」 for instructions about editing slapd.conf.
/etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
system-config-authentication) and select Enable LDAP Support under the User Information tab.
/etc/nsswitch.conf must be edited to use LDAP.
system-config-authentication) and select Enable LDAP Support under the User Information tab.
/etc/nsswitch.conf by hand, add ldap to the appropriate lines.
passwd: files ldap shadow: files ldap group: files ldap
system-config-authentication) and select Enable LDAP Support under the Authentication tab. For more about configuring PAM, refer to 「PAM(Pluggable Authentication Modules)」 and the PAM man pages.
/usr/share/openldap/migration/ directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
$DEFAULT_MAIL_DOMAIN = "example";$DEFAULT_BASE = "dc=example,dc=com";
README and the migration-tools.txt files in the /usr/share/openldap/migration/ directory provide more details on how to migrate the information.
| 既存のネームサービス | LDAP は動作しているか | 使用するスクリプト |
|---|---|---|
/etc flat files
| yes |
migrate_all_online.sh
|
/etc flat files
| no |
migrate_all_offline.sh
|
| NetInfo | yes |
migrate_all_netinfo_online.sh
|
| NetInfo | no |
migrate_all_netinfo_offline.sh
|
| NIS (YP) | yes |
migrate_all_nis_online.sh
|
| NIS (YP) | no |
migrate_all_nis_offline.sh
|
/usr/sbin/slapcat -l ldif-output. This outputs an LDIF file called ldif-output/usr/sbin/slapadd -l ldif-output.
/usr/share/docs/openldap-<versionnumber>/ directory — Contains a general README document and miscellaneous information.
man ldapadd — Describes how to add entries to an LDAP directory.
man ldapdelete — Describes how to delete entries within an LDAP directory.
man ldapmodify — Describes how to modify entries within an LDAP directory.
man ldapsearch — Describes how to search for entries within an LDAP directory.
man ldappasswd — Describes how to set or change the password of an LDAP user.
man ldapcompare — ldapcompare ツールの使用法を説明しています。
man ldapwhoami — ldapwhoami ツールの使用法を説明しています。
man ldapmodrdn — エントリの RDN を修正する方法を説明しています。
man slapd — Describes command line options for the LDAP server.
man slurpd — Describes command line options for the LDAP replication server.
man slapadd — Describes command line options used to add entries to a slapd database.
man slapcat — Describes command line options used to generate an LDIF file from a slapd database.
man slapindex — Describes command line options used to regenerate an index based upon the contents of a slapd database.
man slappasswd — Describes command line options used to generate user passwords for LDAP directories.
man ldap.conf — Describes the format and options available within the configuration file for LDAP clients.
man slapd.conf — Describes the format and options available within the configuration file referenced by both the LDAP server applications (slapd and slurpd) and the LDAP administrative tools (slapadd, slapcat, and slapindex).
system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).
ypbind package must be installed for this option to work. If NIS support is enabled, the portmap and ypbind services are started and are also enabled to start at boot time.
openldap-clients package must be installed for this option to work.
hesiod package must be installed for this option to work.
man hesiod を使用して、 man ページを参照してください。 LHS と RHS の詳細については、 hesiod.conf の man ページ (man hesiod.conf) も参照できます。
krb5-server package must be installed, and Kerberos must be configured properly.
winbind should use. For more information about domain controllers, please refer to 「Domain Controller」.
winbindd daemon uses the value chosen here to to specify the login shell for that user.
kadmind.
krb5-libs and krb5-workstation packages must be installed for this option to work. For more information about Kerberos, refer to 「Kerberos」.
openldap-clients package must be installed for this option to work.
pam_pkcs11 and coolkey packages must be installed for this option to work. For more information about smart cards, refer to 「サポートされているスマートカード」 under 「Single Sign-on (SSO)」.
nscd) and configure it to start at boot time.
nscd package must be installed for this option to work. For more information about nscd, refer to its man page using the command man nscd.
/etc/shadow file instead of /etc/passwd. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system.
shadow-utils package must be installed for this option to work. For more information about shadow passwords, refer to 「シャドウパスワード」.
authconfig man page or by typing authconfig --help at a shell prompt.
| オプション | 説明 |
|---|---|
--enableshadow
| シャドウパスワードを有効にする |
--disableshadow
| シャドウパスワードを解除する |
--enablemd5
| MD5 パスワードを有効にする |
--disablemd5
| MD5 パスワードを解除する |
--enablenis
| NIS を有効にする |
--disablenis
| NIS を解除する |
--nisdomain=
| NIS ドメインを指定する |
--nisserver=
| NIS サーバーを指定する |
--enableldap
| ユーザー情報の LDAP を有効にする |
--disableldap
| ユーザー情報の LDAP を解除する |
--enableldaptls
| LDAP で TLS の使用を有効にする |
--disableldaptls
| LDAP で TLS の使用を解除する |
--enableldapauth
| 認証の LDAP を有効にする |
--disableldapauth
| 認証の LDAP を解除する |
--ldapserver=
| LDAP サーバーを指定する |
--ldapbasedn=
| LDAP 基本 DN を指定する |
--enablekrb5
| Kerberos を有効にする |
--disablekrb5
| Kerberos を解除する |
--krb5kdc=
| Kerberos の KDC を指定する |
--krb5adminserver=
| Kerberos の管理サーバーを指定する |
--krb5realm=
| Kerberos の realm を指定する |
--enablekrb5kdcdns
| Kerberos KDC の検索に DNS の使用を有効にする |
--disablekrb5kdcdns
| Kerberos KDC の検索に DNS の使用を無効にする |
--enablekrb5realmdns
| Kerberos realm の検索に DNS の使用を有効にする |
--disablekrb5realmdns
| Kerberos realm の検索に DNS の使用を無効にする |
--enablesmbauth
| SMB を有効にする |
--disablesmbauth
| SMB を解除する |
--smbworkgroup=
| SMB のワークグループを指定する |
--smbservers=
| SMB のサーバーを指定する |
--enablewinbind
| デフォルトでユーザー情報に対する winbind を有効にする |
--disablewinbind
| デフォルトでユーザー情報に対する winbind を無効にする |
--enablewinbindauth
| デフォルトで認証に対する winbindauth を有効にする |
--disablewinbindauth
| デフォルトで認証に対する winbindauth を無効にする |
--smbsecurity=
| Samba 及び winbind に使用するセキュリティモード |
--smbrealm=
|
Default realm for Samba and winbind when security=ads
|
--smbidmapuid=
| winbind がドメインまたは ADS ユーザーに割り当てる UID の範囲 |
--smbidmapgid=
| winbind がドメインまたは ADS ユーザーに割り当てる GID の範囲 |
--winbindseparator=
|
Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled
|
--winbindtemplatehomedir=
| winbind ユーザーがホームとするディレクトリ |
--winbindtemplateprimarygroup=
| winbind ユーザーが最初のグループとするグループ |
--winbindtemplateshell=
| winbind ユーザーがデフォルトのログインシェルとするシェル |
--enablewinbindusedefaultdomain
| ユーザー名にドメインのないユーザーはドメインユーザーであると winbind に仮定させる |
--disablewinbindusedefaultdomain
| ユーザー名にドメインのないユーザーはドメインユーザーではないと winbind に仮定させる |
--winbindjoin=
| winbind ドメインまたは ADS realm をこの administrator として今すぐに参加させる |
--enablewins
| ホスト名の解決に WINS を有効にする |
--disablewins
| ホスト名の解決に WINS を無効にする |
--enablehesiod
| Hesiod を有効にする |
--disablehesiod
| Hesiod を解除する |
--hesiodlhs=
| Hesiod LHS を指定する |
--hesiodrhs=
| Hesiod RHS を指定する |
--enablecache
|
Enable nscd
|
--disablecache
|
Disable nscd
|
--nostart
|
Do not start or stop the portmap, ypbind, or nscd services even if they are configured
|
--kickstart
| ユーザーインターフェースを表示しない |
--probe
| ネットワークデフォルトを調査して表示する |
.conf file. The default file is /etc/sssd/sssd.conf, although alternative files can be passed to SSSD by using the -c option with the sssd command:
# sssd -c /etc/sssd/customfile.conf
[domain/LDAP]. The configuration file uses simple key = value lines to set the configuration. Comment lines are set by either a hash sign (#) or a semicolon (;)
[section] # Comment line key1 = val1 key10 = val1,val2
service command or the /etc/init.d/sssd script can start SSSD. For example:
# service sssd start
chkconfig command:
[root@server ~]# chkconfig sssd on
sssd.conf file. on sections. The [sssd] section also lists the services that are active and should be started when sssd starts within the services directive.
sssd_nss module. This is configured in the [nss] section of the configuration.
sssd_pam PAM module. This is configured in the [pam] section of the configuration.
monitor, a special service that monitors and starts or restarts all other SSSD services. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
lookup family order option in the sssd.conf configuration file.
sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam[nss] section, change any of the NSS parameters. These are listed in 表28.1「SSSD [nss] Configuration Parameters」.
[nss] filter_groups = root filter_users = root reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
service sssd restart
| Parameter | Value Format | Description |
|---|---|---|
| enum_cache_timeout | integer | Specifies how long, in seconds, sssd_nss should cache requests for information about all users (enumerations). |
| entry_cache_nowait_percentage | integer |
Specifies how long sssd_nss should return cached entries before refreshing the cache. Setting this to zero (0) disables the entry cache refresh.
This configures the entry cache to update entries in the background automatically if they are requested if the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds — 75% of the interval.
The allowed values for this option are 0 to 99, which sets the percentage based on the
entry_cache_timeout value. The default value is 50%.
|
| entry_negative_timeout | integer | Specifies how long, in seconds, sssd_nss should cache negative cache hits. A negative cache hit is a query for an invalid database entries, including non-existent entries. |
| filter_users, filter_groups | string |
Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as root.
|
| filter_users_in_groups | Boolean |
Sets whether users listed in the filter_users list appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, this value defaults to TRUE, which filters the group member lists.
|
sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
/etc/pam.d/system-auth-ac file, which is symlinked to /etc/pam.d/system-auth. Any changes made to /etc/pam.d/system-auth are overwritten the next time that authconfig is run.
/etc/pam.d/system-auth symlink.
[root@server ~]# rm /etc/pam.d/system-auth rm: remove symbolic link `/etc/pam.d/system-auth'? y
/etc/pam.d/system-auth-local file. One easy way to do this is simply to copy the /etc/pam.d/system-auth-ac file.
[root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local
/etc/pam.d/system-auth-local file and /etc/pam.d/system-auth.
[root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
/etc/pam.d/system-auth-local file, and add all of the SSSD modules to the PAM configuration:
#%PAM-1.0 ... auth sufficient pam_sss.so use_first_pass auth required pam_deny.so ... account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so ... password sufficient pam_sss.so use_authtok password required pam_deny.so ... session sufficient pam_sss.so session required pam_unix.so
include statements, as necessary.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam[pam] section, change any of the PAM parameters. These are listed in 表28.2「SSSD [pam] Configuration Parameters」.
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
service sssd restart
| Parameter | Value Format | Description |
|---|---|---|
| offline_credentials_expiration | integer |
Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited.
|
| offline_failed_login_attempts | integer |
Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited.
|
| offline_failed_login_delay | integer |
Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5).
|
jsmith in the ldap.example.com domain and jsmith in the ldap.otherexample.com domain. SSSD allows requests using fully-qualified domain names, so requesting information for jsmith@ldap.example.com returns the the proper user account. Specifying only the username returns the user for whichever domain comes first in the lookup order.
filter_users option, which excludes the specified users from being returned in a search.
| Identification Provider | Authentication Provider |
|---|---|
| LDAP | LDAP |
| LDAP | Kerberos |
| proxy | LDAP |
| proxy | Kerberos |
| proxy | proxy |
domains = LOCAL,Name[domain/Name] id_provider =typeauth_provider =typeprovider_specific = valueglobal = value
| Parameter | Value Format | Description |
|---|---|---|
| id_provider | string |
Specifies the data provider identity backend to use for this domain. The supported identity backends are:
|
| auth_provider | string |
Sets the authentication provider used for the domain. The default value for this option is the value of id_provider. The supported authentication providers are ldap, ipa, krb5 (Kerberos), proxy, and none.
|
| min_id,max_id | integer |
Optional. Specifies the UID and GID range for the domain. If a domain contains entries that are outside that range, they are ignored. The default value for min_id is 1; the default value for max_id is 0, which is unlimited.
重要
The default min_id value is the same for all types of identity provider. If LDAP directories are using UID numbers that start at one, it could cause conflicts with users in the local /etc/passwd file. To avoid these conflicts, set min_id to 1000 or higher as possible.
|
| enumerate | Boolean |
Optional. Specifies whether to list the users and groups of a domain. Enumeration means that the entire set of available users and groups on the remote source is cached on the local machine. When enumeration is disabled, users and groups are only cached as they are requested.
警告
When enumeration is enabled, reinitializing a client results in a complete refresh of the entire set of available users and groups from the remote source. Similarly, when SSSD is connected to a new server, the entire set of available users and groups from the remote source is pulled and cached on the local machine. In a domain with a large number of clients connected to a remote source, this refresh process can harm the network performance because of frequent queries from the clients. If the set of available users and groups is large enough, it degrades client performance as well.
false, which disables enumeration.
|
| cache_credentials | Boolean |
Optional. Specifies whether to store user credentials in the local SSSD domain database cache. The default value for this parameter is false. Set this value to true for domains other than the LOCAL domain to enable offline authentication.
|
| entry_cache_timeout | integer | Optional. Specifies how long, in seconds, SSSD should cache positive cache hits. A positive cache hit is a successful query. |
| use_fully_qualified_names | Boolean |
Optional. Specifies whether requests to this domain require fully-qualified domain names. If set to true, all requests to this domain must use fully-qualified domain names. It also means that the output from the request displays the fully-qualified name. Restricting requests to fully-qualified user names allows SSSD to differentiate between domains with users with conflicting usernames.
If
use_fully_qualified_names is set to false, it is possible to use the fully-qualified name in the requests, but only the simplified version is displayed in the output.
SSSD can only parse names based on the domain name, not the realm name. The same name can be used for both domains and realms, however.
|
sssd-ldap(5).
| Parameter | Description |
|---|---|
| ldap_uri | Gives a comma-separated list of the URIs of the LDAP servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection. This can be detected from the DNS SRV records if it is not given. |
| ldap_search_base | Gives the base DN to use for performing LDAP user operations. |
| ldap_tls_reqcert |
Specifies how to check for SSL server certificates in a TLS session. There are four options:
|
| ldap_tls_cacert |
Gives the full path and file name to the file that contains the CA certificates for all of the CAs that SSSD recognizes. SSSD will accept any certificate issued by these CAs.
This uses the OpenLDAP system defaults if it is not given explicitly.
|
| ldap_referrals |
Sets whether SSSD will use LDAP referrals, meaning forwarding queries from one LDAP database to another. SSSD supports database-level and subtree referrals. For referrals within the same LDAP server, SSSD will adjust the DN of the entry being queried. For referrals that go to different LDAP servers, SSSD does an exact match on the DN. Setting this value to true enables referrals; by default, referrals are enabled.
|
| ldap_schema |
Sets what version of schema to use when searching for user entries. This can be either rfc2307 or rfc2307bis. The default is rfc2307.
In RFC 2307, group objects use a multi-valued attribute,
memberuid, which lists the names of the users that belong to that group. In RFC 2307bis, group objects use the member attribute, which contains the full distinguished name (DN) of a user or group entry. RFC 2307bis allows nested groups usning the member attribute. Because these different schema use different definitions for group membership, using the wrong LDAP schema with SSSD can affect both viewing and managing network resources, even if the appropriate permissions are in place.
For example, with RFC 2307bis, all groups are returned when using nested groups or primary/secondary groups.
$ id uid=500(myserver) gid=500(myserver) groups=500(myserver),510(myothergroup)
If SSSD is using RFC 2307 schema, only the primary group is returned.
This setting only affects how SSSD determines the group members. It does not change the actual user data.
|
| ldap_search_timeout |
Sets the time, in seconds, that LDAP searches are allowed to run before they are canceled and cached results are returned. This defaults to five when the enumerate value is false and defaults to 30 when enumerate is true.
When an LDAP search times out, SSSD automatically switches to offline mode.
|
| ldap_network_timeout | Sets the time, in seconds, SSSD attempts to poll an LDAP server after a connection attempt fails. The default is six seconds. |
| ldap_opt_timeout | Sets the time, in seconds, to wait before aborting synchronous LDAP operations if no response is received from the server. This option also controls the timeout when communicating with the KDC in case of a SASL bind. The default is five seconds. |
sssd.conf file. For example:
domains = LOCAL,LDAP1,AD,PROXYNIS
ldap_uri option:
# An LDAP domain [domain/LDAP] enumerate = false cache_credentials = TRUE id_provider = ldap auth_provider = ldap ldap_uri = ldaps://ldap.example.com:636 ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls option to use Start TLS and then ldap_tls_cacert to identify the CA certificate which issued the SSL server certificates.
# An LDAP domain [domain/LDAP] enumerate = false cache_credentials = TRUE id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = True ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
cacertdir_rehash function to create the appropriate symlinks.
sssd-ldap(5).
# Example LDAP domain where the LDAP server is an Active Directory 2003 server. [domain/AD] description = LDAP domain with AD server enumerate = false ; id_provider = ldap auth_provider = ldap ldap_uri = ldap://your.ad.server.com ldap_schema = rfc2307bis ldap_search_base = dc=example,dc=com ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = secret ldap_user_object_class = person ldap_user_name = msSFU30Name ldap_user_uid_number = msSFU30UidNumber ldap_user_gid_number = msSFU30GidNumber ldap_user_home_directory = msSFU30HomeDirectory ldap_user_shell = msSFU30LoginShell ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_group_name = msSFU30Name ldap_group_gid_number = msSFU30GidNumber
sssd-ldap(5).
# Example LDAP domain where the LDAP server is an Active Directory 2003 R2 or an Active Directory 2008 server. [domain/AD] description = LDAP domain with AD server ; debug_level = 9 enumerate = false id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://your.ad.server.com ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacert = /etc/openldap/cacerts/test.cer ldap_search_base = dc=example,dc=com ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = secret ldap_pwd_policy = none ldap_user_object_class = user ldap_group_object_class = group
ldap_uri option instead of the server name may cause the TLS/SSL connection to fail. TLS/SSL certificates contain the server name, not the IP address. However, the subject alternative name field in the certificate can be used to include the IP address of the server, which allows a successful secure connection using an IP address.
-signkey) is the key of the issuer of whatever CA originally issued the certificate. If this is done by an external CA, it requires a separate PEM file; if the certificate is self-signed, then this is the certificate itself. For example:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
/etc/pki/tls/openssl.cnf configuration file to include the server's IP address under the [ v3_ca ] section:
subjectAltName = IP:10.0.0.10
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
-extensions option sets which extensions to use with the certificate. For this, it should be v3_ca to load the appropriate section.
old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.
krb5_kpasswd option to specify where the password changing service is running or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC to change the password.
# A domain with identities provided by LDAP and authentication by Kerberos [domain/KRBDOMAIN] enumerate = false id_provider = ldap chpass_provider = krb5 ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com ldap-tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt auth_provider = krb5 krb5_server = 192.168.1.1, kerberos.example.com krb5_realm = EXAMPLE.COM krb5_kpasswd = kerveros.admin.example.com krb5_auth_timeout = 15
| Parameter | Description |
|---|---|
| chpass_provider | Specifies which service to use for password change operations. This is assumed to be the same as the authentication provider. To use Kerberos, set this to krb5. |
| krb5_server |
Gives a comma-separated list of IP addresses or hostnames of Kerberos servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection.
When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify UDP as the connection protocol, and then falls back to TCP.
|
| krb5_realm | Identies the Kerberos realm served by the KDC. |
| krb5_lifetime | Requests a Kerberos ticket with the specified lifetime in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renewable_lifetime | Requests a renewable Kerberos ticket with a total lifetime that is specified in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renew_interval | Sets the time, in seconds, for SSSD to check if tickets should be renewed. Tickets are renewed automatically once they exceed half their lifetime. If this option is missing or set to zero, then automatic ticket renewal is disabled. |
| krb5_store_password_if_offline |
Sets whether to store user passwords if the Kerberos authentication provider is offline, and then to use that cache to request tickets when the provider is back online. The default is false, which does not store passwords.
|
| krb5_kpasswd | Lists alternate Kerberos kadmin servers to use if the change password service is not running on the KDC. |
| krb5_ccname_template |
Gives the directory to use to store the user's credential cache. This can be templatized, and the following tokens are supported:
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX |
| krb5_ccachedir |
Specifies the directory to store credential caches. This can be templatized, using the same tokens as krb5_ccname_template, except for %d and %P. If %u, %U, %p, or %h are used, then SSSD creates a private directory for each user; otherwise, it creates a public directory.
|
| krb5_auth_timeout | Gives the time, in seconds, before an online authentication or change password request is aborted. If possible, the authentication request is continued offline. The default is 15 seconds. |
| Parameter | Description |
|---|---|
| proxy_pam_target |
Specifies the target to which PAM must proxy as an authentication provider.. The PAM target is a file containing PAM stack information in the default PAM directory, /etc/pam.d/.
This is used to proxy an authentication provider.
重要
Ensure that the proxy PAM stack does not recursively include pam_sss.so.
|
| proxy_lib_name |
Specifies which existing NSS library to proxy identity requests through.
This is used to proxy an identity provider.
|
proxy_lib_name parameter. This library can be anything as long as it is compatible with the given authentication service. For a Kerberos authentication provider, it must be a Kerberos-compatible library, like NIS.
[domain/PROXY_KRB5] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM id_provider = proxy proxy_lib_name = nis enumerate = true cache_credentials = true
proxy_pam_target parameter. This library must be a PAM module that is compatible with the given identity provider. For example, this uses a PAM fingerprint module with LDAP:
[domain/LDAP_PROXY] id_provider = ldap ldap_uri = ldap://example.com ldap_search_base = dc=example,dc=com auth_provider = proxy proxy_pam_target = sssdpamproxy enumerate = true cache_credentials = true
sssdpamproxy, so create a /etc/pam.d/sssdpamproxy file and load the PAM/LDAP modules:
auth required pam_frprint.so account required pam_frprint.so password required pam_frprint.so session required pam_frprint.so
proxy_pam_target for the authentication PAM module and proxy_lib_name for the service, like NIS or LDAP.
[domain/PROXY_PROXY] auth_provider = proxy id_provider = proxy proxy_lib_name = ldap proxy_pam_target = sssdproxyldap enumerate = true cache_credentials = true
/etc/pam.d/sssdproxyldap file which requires the pam_ldap.so module:
auth required pam_ldap.so account required pam_ldap.so password required pam_ldap.so session required pam_ldap.so
/etc/nslcd.conf file, the configuration file for the LDAP name service daemon, to contain the information for the LDAP directory:
uid nslcd gid ldap uri ldaps://ldap.example.com:636 base dc=example,dc=com ssl on tls_cacertdir /etc/openldap/cacerts
simple_allow_users and simple_allow_groups, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
[domain/example.com] access_provider = simple simple_allow_users = jsmith,bjensen simple_allow_groups = itgroup
simple as an access provider.
ldap_access_filter) specifies which users are granted access to the specified host. The user filter must be used or all users are denied access.
[domain/example.com] access_provider = ldap ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
authorizedService attribute.
/etc/sssd/sssd.conf file. The servers are listed in order of preference. This list can contain any number of servers.
ldap_uri = ldap://ldap0.example.com, ldap://ldap1.example.com, ldap://ldap2.example.com
ldap://ldap0.example.com, is the primary server. If this server fails, SSSD first attempts to connect to ldap1.example.com and then ldap2.example.com.
_service._protocol._domain TTL priority weight port hostname
/var/lib/sss/db/ directory.
exampleldap, the cache file is named cache_exampleldap.ldb.
resolv.conf file. This file is typically only read once, and so any changes made to this file are not automatically applied. This can cause NFS locking to fail on the machine where the NSCD service is running, unless that service is manually restarted.
/etc/nscd.conf file and rely on the SSSD cache for the passwd, group, and netgroup entries.
/etc/nscd.conf file:
enable-cache hosts yes enable-cache passwd no enable-cache group no enable-cache netgroup no
/var/log/sssd/ directory. SSSD produces a log file for each domain, as well as an sssd_pam.log and an sssd_nss.log file.
/var/log/secure file logs authentication failures and the reason for the failure.
debug_level parameter for each section in the sssd.conf file for which to product extra logs. For example:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
debug_level = 9# sssd -d4 [sssd] [ldb] (3): server_sort:Unable to register control with rootdse! [sssd] [confdb_get_domains] (0): No domains configured, fatal error! [sssd] [get_monitor_config] (0): No domains configured.
/etc/sssd/sssd.conf file and create at least one domain.
[sssd] [get_monitor_config] (0): No services configured!
/etc/sssd/sssd.conf file and configure at least one service provider.
services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
# service sssd status
[nss] section of the /etc/sssd/sssd.conf file. Especially check the filter_users and filter_groups attributes.
/etc/nsswitch.conf file.
use_fully_qualified_domains attribute to TRUE in the /etc/sssd/sssd.conf file. This differentiates between different users in different domains with the same name.
[root@clientF11 tmp]# passwd user1000 Changing password for user user1000. New password: Retype new password: New Password: Reenter new Password: passwd: all authentication tokens updated successfully.
use_authtok option is correctly configured in your /etc/pam.d/system-auth file.
目次
sysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directoryhalt, poweroff, and reboot.
/etc/inittab specifies that your system is set to shutdown and reboot in response to a Ctrl+Alt+Del key combination used at the console. To completely disable this ability, comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
-a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
-a flag tells shutdown to look for the /etc/shutdown.allow file.
shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using Ctrl+Alt+Del . The format of the shutdown.allow file is a list of usernames, one per line, like the following:
stephen jack sophie
shutdown.allow file, the users stephen, jack, and sophie are allowed to shutdown the system from the console using Ctrl+Alt+Del . When that key combination is used, the shutdown -a command in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.
shutdown.allow, refer to the shutdown man page.
rm -f /etc/security/console.apps/*poweroff, halt, and reboot, which are accessible from the console by default.
rm -f /etc/security/console.apps/poweroffrm -f /etc/security/console.apps/haltrm -f /etc/security/console.apps/reboot
pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
:0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
/etc/security/console.perms.d/50-default.perms の中で定義されています。ファイルやデバイスの権限を編集するには、指定のファイルやデバイスのための好みの設定を含めた新しいデフォルトファイルを /etc/security/console.perms.d/ に作成することが推奨されています。新しいデフォルトファイルの名前は、 50-default.perms をオーバーライドするために、 50 よりも大きな数字で始まる必要があります (例えば、 51-default.perms) 。
/etc/security/console.perms.d/ に 51-default.perms という新しいファイルを作成します。
touch /etc/security/console.perms.d/51-default.permsperms ファイル、 50-default.perms を開いてください。はじめのセクションは、以下と似たような行で device classes を定義します。
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*<cdrom> refers to the CD-ROM drive. To add a new device, do not define it in the default 50-default.perms file; instead, define it in 51-default.perms. For example, to define a scanner, add the following line to 51-default.perms:
<scanner>=/dev/scanner /dev/usb/scanner*
/dev/scanner is really your scanner and not some other device, such as your hard drive.
/etc/security/console.perms.d/50-default.perms の2番目のセクションが、以下と似たような行でこれを定義します。
<console> 0660 <floppy> 0660 root.floppy <console> 0600 <sound> 0640 root <console> 0600 <cdrom> 0600 root.disk
51-default.perms にある下記のような行を追加してください。
<console> 0600 <scanner> 0600 root
/dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root, and still has the permissions 0600 (now readable and writable by root only).
50-default.perms ファイルを、 決して 編集しないでください。デバイスの権限が既に定義されている 50-default.perms を編集するには、 51-default.perms のデバイスに必要な権限定義を追加してください。これは 50-default.perms で設定されている、いかなる権限もオーバーライドします。
/sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, perform the following steps:
foo program, to the /usr/bin/consolehelper application:
cd /usr/binln -s consolehelper foo
/etc/security/console.apps/foo:
touch /etc/security/console.apps/foofoo service in /etc/pam.d/. An easy way to do this is to copy the PAM configuration file of the halt service, and then modify the copy if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo/usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.
pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.
pam package. To enable this feature, add the following lines to your PAM configuration file in etc/pam.d/:
auth include config-util account include config-util session include config-util
/etc/pam.d/system-config-* configuration files. Note that these lines must be added below any other auth sufficient session optional lines in your PAM configuration file.
pam_timestamp is successfully authenticated from the Applications (the main menu on the panel), the
icon is displayed in the notification area of the panel if you are running the GNOME or KDE desktop environment. After the authentication expires (the default is five minutes), the icon disappears.
floppy Groupfloppy group. Add the user(s) to the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:
gpasswd -a fred floppyfred is able to access the system's diskette drive from the console.
sysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directory/etc/sysconfig/ directory contains a variety of system configuration files for Red Hat Enterprise Linux.
/etc/sysconfig/ directory, their function, and their contents. The information in this chapter is not intended to be complete, as many of these files have a variety of options that are only used in very specific or rare circumstances.
/etc/sysconfig/ Directory/etc/sysconfig/ directory. Files not listed here, as well as extra file options, are found in the /usr/share/doc/initscripts-<version-number>/sysconfig.txt file (replace <version-number> with the version of the initscripts package). Alternatively, looking through the initscripts in the /etc/rc.d/ directory can prove helpful.
/etc/sysconfig/ directory, then the corresponding program may not be installed.
/etc/sysconfig/amd/etc/sysconfig/amd file contains various parameters used by amd; these parameters allow for the automatic mounting and unmounting of file systems.
/etc/sysconfig/apmd/etc/sysconfig/apmd file is used by apmd to configure what power settings to start/stop/change on suspend or resume. This file configures how apmd functions at boot time, depending on whether the hardware supports Advanced Power Management (APM) or whether the user has configured the system to use it. The apm daemon is a monitoring program that works with power management code within the Linux kernel. It is capable of alerting users to low battery power on laptops and other power-related settings.
/etc/sysconfig/arpwatch/etc/sysconfig/arpwatch file is used to pass arguments to the arpwatch daemon at boot time. The arpwatch daemon maintains a table of Ethernet MAC addresses and their IP address pairings. By default, this file sets the owner of the arpwatch process to the user pcap and sends any messages to the root mail queue. For more information regarding available parameters for this file, refer to the arpwatch man page.
/etc/sysconfig/authconfig/etc/sysconfig/authconfig file sets the authorization to be used on the host. It contains one or more of the following lines:
USEMD5=<value>, where <value>yes — MD5 is used for authentication.
no — MD5 is not used for authentication.
USEKERBEROS=<value>, where <value>yes — Kerberos is used for authentication.
no — Kerberos is not used for authentication.
USELDAPAUTH=<value>, where <value>yes — LDAP is used for authentication.
no — LDAP is not used for authentication.
/etc/sysconfig/autofs/etc/sysconfig/autofs file defines custom options for the automatic mounting of devices. This file controls the operation of the automount daemons, which automatically mount file systems when you use them and unmount them after a period of inactivity. File systems can include network file systems, CD-ROMs, diskettes, and other media.
/etc/sysconfig/autofs file may contain the following:
LOCALOPTIONS="<value>", where <value> is a string for defining machine-specific automount rules. The default value is an empty string ("").
DAEMONOPTIONS="<value>", where <value> is the timeout length in seconds before unmounting the device. The default value is 60 seconds ("--timeout=60").
UNDERSCORETODOT=<value>, where <value> is a binary value that controls whether to convert underscores in file names into dots. For example, auto_home to auto.home and auto_mnt to auto.mnt. The default value is 1 (true).
DISABLE_DIRECT=<value>, where <value> is a binary value that controls whether to disable direct mount support, as the Linux implementation does not conform to the Sun Microsystems' automounter behavior. The default value is 1 (true), and allows for compatibility with the Sun automounter options specification syntax.
/etc/sysconfig/clock/etc/sysconfig/clock file controls the interpretation of values read from the system hardware clock.
UTC=<value>, where <value>true or yes — The hardware clock is set to Universal Time.
false or no — The hardware clock is set to local time.
ARC=<value>, where <value>false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
SRM=<value>, where <value>false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
ZONE=<filename> — The time zone file under /usr/share/zoneinfo that /etc/localtime is a copy of. The file contains information such as:
ZONE="America/New York"
ZONE パラメータは Time and Date Properties Tool (system-config-date) によって読みこまれますので、手動で編集してもシステムタイムゾーンは変更できません。
CLOCKMODE=<value>, where <value>GMT — The clock is set to Universal Time (Greenwich Mean Time).
ARC — The ARC console's 42-year time offset is in effect (for Alpha-based systems only).
/etc/sysconfig/desktop/etc/sysconfig/desktop file specifies the desktop for new users and the display manager to run when entering runlevel 5.
DESKTOP="<value>", where "<value>" is one of the following:
GNOME — Selects the GNOME desktop environment.
KDE — Selects the KDE desktop environment.
DISPLAYMANAGER="<value>", where "<value>" is one of the following:
GNOME — Selects the GNOME Display Manager.
KDE — Selects the KDE Display Manager.
XDM — Selects the X Display Manager.
/etc/sysconfig/dhcpd/etc/sysconfig/dhcpd file is used to pass arguments to the dhcpd daemon at boot time. The dhcpd daemon implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP and BOOTP assign hostnames to machines on the network. For more information about what parameters are available in this file, refer to the dhcpd man page.
/etc/sysconfig/exim/etc/sysconfig/exim file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for exim to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
DAEMON=<value>, where <value>yes — exim should be configured to listen to port 25 for incoming mail. yes implies the use of the Exim's -bd options.
no — exim should not be configured to listen to port 25 for incoming mail.
QUEUE=1h which is given to exim as -q$QUEUE. The -q option is not given to exim if /etc/sysconfig/exim exists and QUEUE is empty or undefined.
/etc/sysconfig/firstboot/sbin/init program calls the etc/rc.d/init.d/firstboot script, which in turn launches the Setup Agent. This application allows the user to install the latest updates as well as additional applications and documentation.
/etc/sysconfig/firstboot file tells the Setup Agent application not to run on subsequent reboots. To run it the next time the system boots, remove /etc/sysconfig/firstboot and execute chkconfig --level 5 firstboot on.
/etc/sysconfig/gpm/etc/sysconfig/gpm file is used to pass arguments to the gpm daemon at boot time. The gpm daemon is the mouse server which allows mouse acceleration and middle-click pasting. For more information about what parameters are available for this file, refer to the gpm man page. By default, the DEVICE directive is set to /dev/input/mice.
/etc/sysconfig/hwconf/etc/sysconfig/hwconf file lists all the hardware that kudzu detected on the system, as well as the drivers used, vendor ID, and device ID information. The kudzu program detects and configures new and/or changed hardware on a system. The /etc/sysconfig/hwconf file is not meant to be manually edited. If edited, devices could suddenly show up as being added or removed.
/etc/sysconfig/i18n/etc/sysconfig/i18n file sets the default language, any supported languages, and the default system font. For example:
LANG="en_US.UTF-8" SUPPORTED="en_US.UTF-8:en_US:en" SYSFONT="latarcyrheb-sun16"
/etc/sysconfig/init/etc/sysconfig/init file controls how the system appears and functions during the boot process.
BOOTUP=<value>, where <value>color — The standard color boot display, where the success or failure of devices and services starting up is shown in different colors.
verbose — An old style display which provides more information than purely a message of success or failure.
RES_COL=<value>, where <value>MOVE_TO_COL=<value>, where <value>RES_COL line via the echo -en command.
SETCOLOR_SUCCESS=<value>, where <value>echo -en command. The default color is set to green.
SETCOLOR_FAILURE=<value>, where <value>echo -en command. The default color is set to red.
SETCOLOR_WARNING=<value>, where <value>echo -en command. The default color is set to yellow.
SETCOLOR_NORMAL=<value>, where <value>echo -en.
LOGLEVEL=<value>, where <value>syslogd daemon overrides this setting once started.
PROMPT=<value>, where <value>yes — Enables the key check for interactive mode.
no — Disables the key check for interactive mode.
/etc/sysconfig/ip6tables-config/etc/sysconfig/ip6tables-config file stores information used by the kernel to set up IPv6 packet filtering at boot time or whenever the ip6tables service is started.
ip6tables rules. Rules also can be created manually using the /sbin/ip6tables command. Once created, add the rules to the /etc/sysconfig/ip6tables file by typing the following command:
service ip6tables saveip6tables, refer to 「IPTables」.
/etc/sysconfig/iptables-config/etc/sysconfig/iptables-config file stores information used by the kernel to set up packet filtering services at boot time or whenever the service is started.
iptables rules. The easiest way to add rules is to use the Security Level Configuration Tool (system-config-securitylevel) application to create a firewall. These applications automatically edit this file at the end of the process.
/sbin/iptables command. Once created, add the rule(s) to the /etc/sysconfig/iptables file by typing the following command:
service iptables saveiptables, refer to 「IPTables」.
/etc/sysconfig/irda/etc/sysconfig/irda file controls how infrared devices on the system are configured at startup.
IRDA=<value>, where <value>yes — irattach runs and periodically checks to see if anything is trying to connect to the infrared port, such as another notebook computer trying to make a network connection. For infrared devices to work on the system, this line must be set to yes.
no — irattach does not run, preventing infrared device communication.
DEVICE=<value>, where <value>/dev/ttyS2.
DONGLE=<value>, where <value>actisys+.
DISCOVERY=<value>, where <value>yes — Starts irattach in discovery mode, meaning it actively checks for other infrared devices. This must be turned on for the machine to actively look for an infrared connection (meaning the peer that does not initiate the connection).
no — Does not start irattach in discovery mode.
/etc/sysconfig/keyboard/etc/sysconfig/keyboard file controls the behavior of the keyboard. The following values may be used:
KEYBOARDTYPE="sun|pc" where sun means a Sun keyboard is attached on /dev/kbd, or pc means a PS/2 keyboard connected to a PS/2 port.
KEYTABLE="<file>", where <file>KEYTABLE="us". The files that can be used as keytables start in /lib/kbd/keymaps/i386 and branch into different keyboard layouts from there, all labeled <file>.kmap.gz/lib/kbd/keymaps/i386 that matches the KEYTABLE setting is used.
/etc/sysconfig/kudzu/etc/sysconfig/kuzdu file triggers a safe probe of the system hardware by kudzu at boot time. A safe probe is one that disables serial port probing.
SAFE=<value>, where <value>yes — kuzdu does a safe probe.
no — kuzdu does a normal probe.
/etc/sysconfig/named/etc/sysconfig/named file is used to pass arguments to the named daemon at boot time. The named daemon is a Domain Name System (DNS) server which implements the Berkeley Internet Name Domain (BIND) version 9 distribution. This server maintains a table of which hostnames are associated with IP addresses on the network.
ROOTDIR="</some/where>", where </some/where>named runs. This chroot environment must first be configured. Type info chroot for more information.
OPTIONS="<value>", where <value>named except -t. In place of -t, use the ROOTDIR line above.
named man page. For detailed information on how to configure a BIND DNS server, refer to 18章Berkeley Internet Name Domain (BIND). By default, the file contains no parameters.
/etc/sysconfig/network/etc/sysconfig/network file is used to specify information about the desired network configuration. The following values may be used:
NETWORKING=<value>, where <value>yes — Networking should be configured.
no — Networking should not be configured.
HOSTNAME=<value>, where <value>hostname.expample.com, but can be whatever hostname is necessary.
GATEWAY=<value>, where <value>GATEWAYDEV=<value>, where <value>eth0. Configure this option if you have multiple interfaces on the same subnet, and require one of those interfaces to be the preferred route to the default gateway.
NISDOMAIN=<value>, where <value>NOZEROCONF=<value>, where setting <value>true disables the zeroconf route.
/etc/sysconfig/nfs/etc/sysconfig/nfs file to control which ports the required RPC services run on.
/etc/sysconfig/nfs may not exist by default on all systems. If it does not exist, create it and add the following variables (alternatively, if the file exists, un-comment and change the default entries as required):
MOUNTD_PORT=xx with an unused port number.
STATD_PORT=xx with an unused port number.
LOCKD_TCPPORT=xx with an unused port number.
LOCKD_UDPPORT=xx with an unused port number.
/var/log/messages. Normally, NFS will fail to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs restart the NFS service by running the service nfs restart command. Run the rpcinfo -p command to confirm the changes.
MOUNTD_PORT="x"
STATD_PORT="x"
LOCKD_TCPPORT="x"
LOCKD_UDPPORT="x"
/etc/sysconfig/ntpd/etc/sysconfig/ntpd file is used to pass arguments to the ntpd daemon at boot time. The ntpd daemon sets and maintains the system clock to synchronize with an Internet standard time server. It implements version 4 of the Network Time Protocol (NTP). For more information about what parameters are available for this file, use a Web browser to view the following file: /usr/share/doc/ntp-<version>/ntpd.htm (where <version> is the version number of ntpd). By default, this file sets the owner of the ntpd process to the user ntp.
/etc/sysconfig/radvd/etc/sysconfig/radvd file is used to pass arguments to the radvd daemon at boot time. The radvd daemon listens for router requests and sends router advertisements for the IP version 6 protocol. This service allows hosts on a network to dynamically change their default routers based on these router advertisements. For more information about available parameters for this file, refer to the radvd man page. By default, this file sets the owner of the radvd process to the user radvd.
/etc/sysconfig/samba/etc/sysconfig/samba file is used to pass arguments to the smbd and the nmbd daemons at boot time. The smbd daemon offers file sharing connectivity for Windows clients on the network. The nmbd daemon offers NetBIOS over IP naming services. For more information about what parameters are available for this file, refer to the smbd man page. By default, this file sets smbd and nmbd to run in daemon mode.
/etc/sysconfig/selinux/etc/sysconfig/selinux file contains the basic configuration options for SELinux. This file is a symbolic link to /etc/selinux/config.
/etc/sysconfig/sendmail/etc/sysconfig/sendmail file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for the Sendmail application to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
DAEMON=<value>, where <value>yes — Sendmail should be configured to listen to port 25 for incoming mail. yes implies the use of Sendmail's -bd options.
no — Sendmail should not be configured to listen to port 25 for incoming mail.
QUEUE=1h which is given to Sendmail as -q$QUEUE. The -q option is not given to Sendmail if /etc/sysconfig/sendmail exists and QUEUE is empty or undefined.
/etc/sysconfig/spamassassin/etc/sysconfig/spamassassin file is used to pass arguments to the spamd daemon (a daemonized version of Spamassassin) at boot time. Spamassassin is an email spam filter application. For a list of available options, refer to the spamd man page. By default, it configures spamd to run in daemon mode, create user preferences, and auto-create whitelists (allowed bulk senders).
/etc/sysconfig/squid/etc/sysconfig/squid file is used to pass arguments to the squid daemon at boot time. The squid daemon is a proxy caching server for Web client applications. For more information on configuring a squid proxy server, use a Web browser to open the /usr/share/doc/squid-<version>/ directory (replace <version> with the squid version number installed on the system). By default, this file sets squid to start in daemon mode and sets the amount of time before it shuts itself down.
/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-securitylevel file contains all options chosen by the user the last time the Security Level Configuration Tool (system-config-securitylevel) was run. Users should not modify this file by hand. For more information about the Security Level Configuration Tool, refer to 「基本的なファイアウォールの設定」.
/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-selinux file contains all options chosen by the user the last time the SELinux Administration Tool (system-config-selinux) was run. Users should not modify this file by hand. For more information about the SELinux Administration Tool and SELinux in general, refer to 「SELinux への入門」.
/etc/sysconfig/system-config-users/etc/sysconfig/system-config-users file is the configuration file for the graphical application, User Manager. This file is used to filter out system users such as root, daemon, or lp. This file is edited by the > pull-down menu in the User Manager application and should never be edited by hand. For more information on using this application, refer to 「ユーザーとグループの管理」.
/etc/sysconfig/system-logviewer/etc/sysconfig/system-logviewer file is the configuration file for the graphical, interactive log viewing application, Log Viewer. This file is edited by the > pull-down menu in the Log Viewer application and should not be edited by hand. For more information on using this application, refer to 38章ログファイル.
/etc/sysconfig/tux/etc/sysconfig/tux file is the configuration file for the Red Hat Content Accelerator (formerly known as TUX), the kernel-based Web server. For more information on configuring the Red Hat Content Accelerator, use a Web browser to open the /usr/share/doc/tux-<version>/tux/index.html file (replace <version> with the version number of TUX installed on the system). The parameters available for this file are listed in /usr/share/doc/tux-<version>/tux/parameters.html.
/etc/sysconfig/vncservers/etc/sysconfig/vncservers file configures the way the Virtual Network Computing (VNC) server starts up.
VNCSERVERS=<value>, where <value>"1:fred", to indicate that a VNC server should be started for user fred on display :1. User fred must have set a VNC password using the vncpasswd command before attempting to connect to the remote VNC server.
/etc/sysconfig/xinetd/etc/sysconfig/xinetd file is used to pass arguments to the xinetd daemon at boot time. The xinetd daemon starts programs that provide Internet services when a request to the port for that service is received. For more information about available parameters for this file, refer to the xinetd man page. For more information on the xinetd service, refer to 「xinetd」.
/etc/sysconfig/ Directory/etc/sysconfig/.
apm-scripts//etc/sysconfig/apm-scripts/apmcontinue which is called at the end of the script. It is also possible to control the script by editing /etc/sysconfig/apmd.
cbq/networking/system-config-network), and its contents should not be edited manually. For more information about configuring network interfaces using the Network Administration Tool, refer to 16章ネットワーク設定.
network-scripts/ifcfg-eth0 for the eth0 Ethernet interface.
ifup and ifdown.
ifup-isdn and ifdown-isdn.
network-scripts directory, refer to 15章ネットワークインターフェース.
rhn//etc/sysconfig/ directory. The following source contains more comprehensive information.
/usr/share/doc/initscripts-<version-number>/sysconfig.txt — This file contains a more authoritative listing of the files found in the /etc/sysconfig/ directory and the configuration options available for them. The <version-number> in the path to this file corresponds to the version of the initscripts package installed.
system-config-date, system-config-time, or dateconfig at a shell prompt (for example, in an XTerm or a GNOME terminal).
system-config-keyboard at a shell prompt.
Xorg binary) listens for connections from X client applications via a network or local loopback interface. The server communicates with the hardware, such as the video card, monitor, keyboard, and mouse. X client applications exist in the user-space, creating a graphical user interface (GUI) for the user and passing user requests to the X server.
/usr/ instead of /usr/X11R6. The /etc/X11/ directory contains configuration files for X client and server applications. This includes configuration files for the X server itself, the xfs font server, the X display managers, and many other base components.
/etc/fonts/fonts.conf. For more on configuring and adding fonts, refer to 「フォント」.
system-config-display), particularly for devices that are not detected manually.
/etc/X11/xorg.conf. For information about the structure of this file, refer to 「X サーバー設定ファイル」.
kwinmetacitymetacity パッケージをインストールする必要があります。
mwmmwm) は、基本的なスタンドアローンのウィンドウマネージャです。単独で機能するように設計されているため、 GNOME や KDE と一緒に使用するべきではありません。このウィンドウマネージャを実行するには、 openmotif パッケージをインストールする必要があります。
twmxinit -e <path-to-window-manager> at the prompt.
<path-to-window-manager>which window-manager-name, where window-manager-name~]#which twm/usr/bin/twm ~]#xinit -e /usr/bin/twm
twm ウィンドウマネージャへの絶対パスを返し、 2 番目のコマンドは twm を起動します。
startx と入力してランレベル 5 で再度ログインし直すことができます。
/usr/bin/Xorg) です。関連する設定ファイルは /etc/X11/ ディレクトリに格納されています (/usr/bin/Xorg を指すシンボリックリンク — X — のため)。 X サーバーの設定ファイルは /etc/X11/xorg.conf にあります。
/usr/lib/xorg/modules/ は起動時に動的にロード可能な X サーバーのモジュールが格納されています。デフォルトでは、 X サーバーによってロードされるのは /usr/lib/xorg/modules/ にあるいくつかのモジュールのみです。
/etc/X11/xorg.conf. For more information about loading modules, refer to 「Module」.
xorg.conf/etc/X11/xorg.conf file, it is useful to understand the various sections and optional parameters available, especially when troubleshooting.
/etc/X11/xorg.conf file is comprised of many different sections which address specific aspects of the system hardware.
Section "<section-name>" line (where <section-name> is the title for the section) and ends with an EndSection line. Each section contains lines that include option names and one or more option values. These are sometimes enclosed in double quotes (").
#) are not read by the X server and are used for human-readable comments.
/etc/X11/xorg.conf file accept a boolean switch which turns the feature on or off. Acceptable boolean values are:
1, on, true, or yes — Turns the option on.
0, off, false, or no — Turns the option off.
/etc/X11/xorg.conf file. More detailed information about the X server configuration file can be found in the xorg.conf man page.
ServerFlagsServerFlags section contains miscellaneous global X server settings. Any settings in this section may be overridden by options placed in the ServerLayout section (refer to 「ServerLayout」 for details).
ServerFlags section is on its own line and begins with the term Option followed by an option enclosed in double quotation marks (").
ServerFlags section:
Section "ServerFlags" Option "DontZap" "true" EndSection
"DontZap" "<boolean>" — When the value of <boolean> is set to true, this setting prevents the use of the Ctrl+Alt+Backspace key combination to immediately terminate the X server.
"DontZoom" "<boolean>" — When the value of <boolean> is set to true, this setting prevents cycling through configured video resolutions using the Ctrl+Alt+Keypad-Plus and Ctrl+Alt+Keypad-Minus key combinations.
ServerLayoutServerLayout section binds together the input and output devices controlled by the X server. At a minimum, this section must specify one output device and one input device. By default, a monitor (output device) and keyboard (input device) are specified.
ServerLayout section:
Section "ServerLayout" Identifier "Default Layout" Screen 0 "Screen0" 0 0 InputDevice "Mouse0" "CorePointer" InputDevice "Keyboard0" "CoreKeyboard" EndSection
ServerLayout section:
Identifier — Specifies a unique name for this ServerLayout section.
Screen — Specifies the name of a Screen section to be used with the X server. More than one Screen option may be present.
Screen entry:
Screen 0 "Screen0" 0 0
Screen entry (0) indicates that the first monitor connector or head on the video card uses the configuration specified in the Screen section with the identifier "Screen0".
Screen entry with a different number and a different Screen section identifier is necessary .
"Screen0" give the absolute X and Y coordinates for the upper-left corner of the screen (0 0 by default).
InputDevice — Specifies the name of an InputDevice section to be used with the X server.
InputDevice entries: one for the default mouse and one for the default keyboard. The options CorePointer and CoreKeyboard indicate that these are the primary mouse and keyboard.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Any options listed here override those listed in the ServerFlags section.
<option-name> with a valid option listed for this section in the xorg.conf man page.
/etc/X11/xorg.conf ファイルに複数の ServerLayout セクションを置くことができます。デフォルトでは、ただし、サーバーは一番最初に拾うセクションしか読み込みません。
ServerLayout セクションがある場合、 X セッション起動時にコマンドライン引数として指定することができます。
FilesFiles section sets paths for services vital to the X server, such as the font path. This is an optional section, these paths are normally detected automatically. This section may be used to override any automatically detected defaults.
Files section:
Section "Files" RgbPath "/usr/share/X11/rgb.txt" FontPath "unix/:7100" EndSection
Files section:
RgbPath — Specifies the location of the RGB color database. This database defines all valid color names in X and ties them to specific RGB values.
FontPath — Specifies where the X server must connect to obtain fonts from the xfs font server.
FontPath is unix/:7100. This tells the X server to obtain font information using UNIX-domain sockets for inter-process communication (IPC) on port 7100.
ModulePath — An optional parameter which specifies alternate directories which store X server modules.
Module/usr/lib/xorg/modules/ ディレクトリからロードします。
extmod
dbe
glx
freetype
type1
record
dri
ModulePath parameter in the Files section. Refer to 「Files」 for more information on this section.
Module セクションを /etc/X11/xorg.conf に追加すると、 X サーバーにデフォルトのモジュールではなくこのセクションに記載されているモジュールをロードするよう指示することになります。
Module section:
Section "Module" Load "fbdevhw" EndSectioninstructs the X server to load the
fbdevhw instead of the default modules.
Module セクションを /etc/X11/xorg.conf に追加すると、ロードしたいデフォルトモジュールの他、追加モジュールも指定する必要があります。
InputDeviceInputDevice section configures one input device for the X server. Systems typically have at least one InputDevice section for the keyboard. It is perfectly normal to have no entry for a mouse, as most mouse settings are automatically detected.
InputDevice section for a keyboard:
Section "InputDevice"
Identifier "Keyboard0"
Driver "kbd"
Option "XkbModel" "pc105"
Option "XkbLayout" "us"
EndSectionInputDevice section:
Identifier — Specifies a unique name for this InputDevice section. This is a required entry.
Driver — Specifies the name of the device driver X must load for the device.
Option — Specifies necessary options pertaining to the device.
xorg.conf にマウスを追加する場合、次のようなオプションが一般的に含まれます。
Protocol — Specifies the protocol used by the mouse, such as IMPS/2.
Device — Specifies the location of the physical device.
Emulate3Buttons — Specifies whether to allow a two-button mouse to act like a three-button mouse when both mouse buttons are pressed simultaneously.
xorg.conf man page for a list of valid options for this section.
MonitorMonitor section configures one type of monitor used by the system. This is an optional entry as well, as most monitors are now automatically detected.
Monitor section for a monitor:
Section "Monitor" Identifier "Monitor0" VendorName "Monitor Vendor" ModelName "DDC Probed Monitor - ViewSonic G773-2" DisplaySize 320 240 HorizSync 30.0 - 70.0 VertRefresh 50.0 - 180.0 EndSection
Monitor section of /etc/X11/xorg.conf. Inappropriate values can damage or destroy a monitor. Consult the monitor's documentation for a listing of safe operating parameters.
Monitor section:
Identifier — Specifies a unique name for this Monitor section. This is a required entry.
VendorName — An optional parameter which specifies the vendor of the monitor.
ModelName — An optional parameter which specifies the monitor's model name.
DisplaySize — An optional parameter which specifies, in millimeters, the physical size of the monitor's picture area.
HorizSync — Specifies the range of horizontal sync frequencies compatible with the monitor in kHz. These values help the X server determine the validity of built-in or specified Modeline entries for the monitor.
VertRefresh — Specifies the range of vertical refresh frequencies supported by the monitor, in kHz. These values help the X server determine the validity of built in or specified Modeline entries for the monitor.
Modeline — An optional parameter which specifies additional video modes for the monitor at particular resolutions, with certain horizontal sync and vertical refresh resolutions. Refer to the xorg.conf man page for a more detailed explanation of Modeline entries.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Replace <option-name> with a valid option listed for this section in the xorg.conf man page.
DeviceDevice section configures one video card on the system. While one Device section is the minimum, additional instances may occur for each video card installed on the machine.
Device section for a video card:
Section "Device" Identifier "Videocard0" Driver "mga" VendorName "Videocard vendor" BoardName "Matrox Millennium G200" VideoRam 8192 Option "dpms" EndSection
Device section:
Identifier — Specifies a unique name for this Device section. This is a required entry.
Driver — Specifies which driver the X server must load to utilize the video card. A list of drivers can be found in /usr/share/hwdata/videodrivers, which is installed with the hwdata package.
VendorName — An optional parameter which specifies the vendor of the video card.
BoardName — An optional parameter which specifies the name of the video card.
VideoRam — An optional parameter which specifies the amount of RAM available on the video card in kilobytes. This setting is only necessary for video cards the X server cannot probe to detect the amount of video RAM.
BusID — An entry which specifies the bus location of the video card. On systems with only one video card a BusID entry is optional and may not even be present in the default /etc/X11/xorg.conf file. On systems with more than one video card, however, a BusID entry must be present.
Screen — An optional entry which specifies which monitor connector or head on the video card the Device section configures. This option is only useful for video cards with multiple heads.
Device sections must exist and each of these sections must have a different Screen value.
Screen entry must be an integer. The first head on the video card has a value of 0. The value for each additional head increments this value by one.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Replace <option-name> with a valid option listed for this section in the xorg.conf man page.
"dpms" (for Display Power Management Signaling, a VESA standard), which activates the Service Star energy compliance setting for the monitor.
ScreenScreen section binds one video card (or video card head) to one monitor by referencing the Device section and the Monitor section for each. While one Screen section is the minimum, additional instances may occur for each video card and monitor combination present on the machine.
Screen section:
Section "Screen" Identifier "Screen0" Device "Videocard0" Monitor "Monitor0" DefaultDepth 16 SubSection "Display" Depth 24 Modes "1280x1024" "1280x960" "1152x864" "1024x768" "800x600" "640x480" EndSubSection SubSection "Display" Depth 16 Modes "1152x864" "1024x768" "800x600" "640x480" EndSubSection EndSection
Screen section:
Identifier — Specifies a unique name for this Screen section. This is a required entry.
Device — Specifies the unique name of a Device section. This is a required entry.
Monitor — Specifies the unique name of a Monitor section. This is only required if a specific Monitor section is defined in the xorg.conf file. Normally, monitors are automatically detected.
DefaultDepth — Specifies the default color depth in bits. In the previous example, 16 (which provides thousands of colors) is the default. Only one DefaultDepth is permitted, although this can be overridden with the Xorg command line option -depth <n>,where <n>SubSection "Display" — Specifies the screen modes available at a particular color depth. The Screen section can have multiple Display subsections, which are entirely optional since screen modes are automatically detected.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Replace <option-name> with a valid option listed for this section in the xorg.conf man page.
DRIDRI section specifies parameters for the Direct Rendering Infrastructure (DRI). DRI is an interface which allows 3D software applications to take advantage of 3D hardware acceleration capabilities built into most modern video hardware. In addition, DRI can improve 2D performance via hardware acceleration, if supported by the video card driver.
xorg.conf ファイルに追加するとデフォルト値を上書きします。
DRI section:
Section "DRI" Group 0 Mode 0666 EndSection
xfs.
/etc/fonts/fonts.conf configuration file, which should not be edited by hand.
~/.gtkrc.mine:
style "user-font" {
fontset = "<font-specification>"
}
widget_class "*" style "user-font"<font-specification> with a font specification in the style used by traditional X applications, such as -adobe-helvetica-medium-r-normal--*-120-*-*-*-*-*-*. A full list of core fonts can be obtained by running xlsfonts or created interactively using the xfontsel command.
/usr/share/fonts/ directory. It is a good idea to create a new subdirectory, such as local/ or similar, to help distinguish between user-installed and default fonts.
.fonts/ directory in the user's home directory.
fc-cache command to update the font information cache, as in the following example:
fc-cache <path-to-font-directory><path-to-font-directory> with the directory containing the new fonts (either /usr/share/fonts/local/ or /home/<user>/.fonts/).
fonts:/// into the Nautilus address bar, and dragging the new font files there.
.gz extension, it is compressed and cannot be used until uncompressed. To do this, use the gunzip command or double-click the file and drag the font to a directory in Nautilus.
xfs) to provide fonts to X client applications.
FontPath directive within the Files section of the /etc/X11/xorg.conf configuration file. Refer to 「Files」 for more information about the FontPath entry.
xfs server on a specified port to acquire font information. For this reason, the xfs service must be running for X to start. For more about configuring services for a particular runlevel, refer to 17章サービスへのアクセスの制御.
xfs Configuration/etc/rc.d/init.d/xfs script starts the xfs server. Several options can be configured within its configuration file, /etc/X11/fs/config.
alternate-servers — Specifies a list of alternate font servers to be used if this font server is not available. A comma must separate each font server in a list.
catalogue — Specifies an ordered list of font paths to use. A comma must separate each font path in a list.
:unscaled immediately after the font path to make the unscaled fonts in that path load first. Then specify the entire path again, so that other scaled fonts are also loaded.
client-limit — Specifies the maximum number of clients the font server services. The default is 10.
clone-self — Allows the font server to clone a new version of itself when the client-limit is hit. By default, this option is on.
default-point-size — Specifies the default point size for any font that does not specify this value. The value for this option is set in decipoints. The default of 120 corresponds to a 12 point font.
default-resolutions — Specifies a list of resolutions supported by the X server. Each resolution in the list must be separated by a comma.
deferglyphs — Specifies whether to defer loading glyphs (the graphic used to visually represent a font). To disable this feature use none, to enable this feature for all fonts use all, or to turn this feature on only for 16-bit fonts use 16.
error-file — Specifies the path and file name of a location where xfs errors are logged.
no-listen — Prevents xfs from listening to particular protocols. By default, this option is set to tcp to prevent xfs from listening on TCP ports for security reasons.
xfs is used to serve fonts over the network, remove this line.
port — Specifies the TCP port that xfs listens on if no-listen does not exist or is commented out.
use-syslog — Specifies whether to use the system error log.
xfsxfs), follow these steps:
/usr/share/fonts/local/ using the following command as root:
mkdir /usr/share/fonts/local//usr/share/fonts/local/ directory is necessary, it must be added to the xfs path using the following command as root:
chkfontpath --add /usr/share/fonts/local//usr/share/fonts/local/ directory
ttmkfdir -d /usr/share/fonts/local/ -o /usr/share/fonts/local/fonts.scalexfs font server configuration file by issuing the following command as root:
service xfs reloadstartx. The startx command is a front-end to the xinit command, which launches the X server (Xorg) and connects X client applications to it. Because the user is already logged into the system at runlevel 3, startx does not launch a display manager or authenticate users. Refer to 「ランレベル 5」 for more information about display managers.
startx command is executed, it searches for the .xinitrc file in the user's home directory to define the desktop environment and possibly other X client applications to run. If no .xinitrc file is present, it uses the system default /etc/X11/xinit/xinitrc file instead.
xinitrc script then searches for user-defined files and default system files, including .Xresources, .Xmodmap, and .Xkbmap in the user's home directory, and Xresources, Xmodmap, and Xkbmap in the /etc/X11/ directory. The Xmodmap and Xkbmap files, if they exist, are used by the xmodmap utility to configure the keyboard. The Xresources file is read to assign specific preference values to applications.
xinitrc script executes all scripts located in the /etc/X11/xinit/xinitrc.d/ directory. One important script in this directory is xinput.sh, which configures settings such as the default language.
xinitrc script attempts to execute .Xclients in the user's home directory and turns to /etc/X11/xinit/Xclients if it cannot be found. The purpose of the Xclients file is to start the desktop environment or, possibly, just a basic window manager. The .Xclients script in the user's home directory starts the user-specified desktop environment in the .Xclients-default file. If .Xclients does not exist in the user's home directory, the standard /etc/X11/xinit/Xclients script attempts to start another desktop environment, trying GNOME first and then KDE followed by twm.
GNOME — The default display manager for Red Hat Enterprise Linux, GNOME allows the user to configure language settings, shutdown, restart or log in to the system.
KDE — KDE's display manager which allows the user to shutdown, restart or log in to the system.
xdm — A very basic display manager which only lets the user log in to the system.
prefdm script determines the preferred display manager by referencing the /etc/sysconfig/desktop file. A list of options for this file is available in this file:
/usr/share/doc/initscripts-<version-number>/sysconfig.txt<version-number> is the version number of the initscripts package.
/etc/X11/xdm/Xsetup_0 file to set up the login screen. Once the user logs into the system, the /etc/X11/xdm/GiveConsole script runs to assign ownership of the console to the user. Then, the /etc/X11/xdm/Xsession script runs to accomplish many of the tasks normally performed by the xinitrc script when starting X from runlevel 3, including setting system and user resources, as well as running the scripts in the /etc/X11/xinit/xinitrc.d/ directory.
GNOME or KDE display managers by selecting it from the menu item (accessed by selecting System (on the panel) > > > ). If the desktop environment is not specified in the display manager, the /etc/X11/xdm/Xsession script checks the .xsession and .Xclients files in the user's home directory to decide which desktop environment to load. As a last resort, the /etc/X11/xinit/Xclients file is used to select a desktop environment or window manager to use in the same way as runlevel 3.
:0) and logs out, the /etc/X11/xdm/TakeConsole script runs and reassigns ownership of the console to the root user. The original display manager, which continues running after the user logged in, takes control by spawning a new display manager. This restarts the X server, displays a new login window, and starts the entire process over again.
/usr/share/doc/gdm-<version-number>/README (where <version-number> is the version number for the gdm package installed) and the xdm man page.
/usr/share/X11/doc/ — contains detailed documentation on the X Window System architecture, as well as how to get additional information about the Xorg project as a new user.
man xorg.conf — Contains information about the xorg.conf configuration files, including the meaning and syntax for the different sections within the files.
man Xorg — Describes the Xorg display server.
system-config-display at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, a small version of X is started to run the program.
system-config-users RPM package installed. To start the User Manager from the desktop, go to System (on the panel) > > . You can also type the command system-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).
/bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory.
/etc/skel/ directory into the new home directory.
system-config-users). For more information on User Manager, refer to 「ユーザーとグループの管理」.
useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
gpasswd — Industry-standard method of administering the /etc/group file
pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords
useradd are detailed in 表35.1「useradd Command Line Options」.
useradd Command Line Options| オプション | 説明 |
|---|---|
-c '<comment>'
|
<comment> can be replaced with any string. This option is generally used to specify the full name of a user.
|
-d <home-dir>
|
Home directory to be used instead of default /home/
|
-e <date>
| YYYY-MM-DD の形式でアカウントを無効にする日付を指定します。 |
-f <days>
|
Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not be disabled after the password expires.
|
-g <group-name>
| Group name or group number for the user's default group. The group must exist prior to being specified here. |
-G <group-list>
| ユーザーがメンバーとなる追加グループ (デフォルト以外) のグループ名とグループ番号をコンマで区切って入れます。グループはここに指定される以前から存在していなければなりません。 |
-m
| 存在しない場合に、ホームディレクトリを作成します。 |
-M
| ホームディレクトリを作成しません。 |
-n
| ユーザー用のユーザープライベートグループを作成しません。 |
-r
| UID が 500 未満のシステムアカウントを作成してホームディレクトリを作成しません。 |
-p <password>
|
The password encrypted with crypt
|
-s
|
User's login shell, which defaults to /bin/bash
|
-u <uid>
| ユーザーのユーザー ID です。固有の番号で 499 より大きい数でなければなりません。 |
groupadd:
groupadd <group-name>groupadd are detailed in 表35.2「groupadd Command Line Options」.
groupadd Command Line Options| オプション | 説明 |
|---|---|
-g <gid>
| グループのグループ ID です。固有の番号で 499 より大きい数でなければなりません。 |
-r
| GID が 500 未満のシステムグループを作成します。 |
-f
|
When used with -g <gid> and <gid> already exists, groupadd will choose another unique <gid> for the group.
|
chage command with an option from 表35.3「chage Command Line Options」, followed by the username.
chage command. For more information, see 「シャドウパスワード」.
chage Command Line Options| オプション | 説明 |
|---|---|
-m <days>
| ユーザーがパスワードを変更できる最小日数を指定します。値が 0 ならパスワードはいつでも変更が可能になります。 |
-M <days>
|
パスワードが有効である最大日数を指定します。このオプションで指定された日数と -d オプションで指定された日数の和が過去になる場合、ユーザーはこのアカウントを使用する前にパスワードを変更する必要があります。
|
-d <days>
| 1970 年 1 月 1 日から起算して指定した日数がパスワードの変更が行われた日付とします。 |
-I <days>
| パスワードが失効してからアカウントがロックされるまでのアクティブな日数を指定します。値が 0 ならパスワードが失効してもアカウントはロックされません。 |
-E <date>
| アカウントがロックされる日付を YYYY-MM-DD の形式で指定します。日付を指定する代わりに、 1970 年 1 月 1 日からの起算日数で指定することも可能です。 |
-W <days>
| ユーザーにパスワード失効の日付を警告するまでの日数を指定します。 |
-l
| Lists current account aging settings. |
chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed interactively.
python command. It displays the following:
Python 2.4.3 (#1, Jul 21 2006, 08:46:09) [GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>>
<password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
import cryptprint crypt.crypt("<password>","<salt>")
'12CsGd8FRcMSM'.
<encrypted-password> with the encrypted output of the Python interpreter):
usermod -p "<encrypted-password>" <username>usermod -p "" usernamechage -d 0 usernameuseradd juan is issued on a system that has shadow passwords enabled:
juan is created in /etc/passwd. The line has the following characteristics:
juan.
x for the password field indicating that the system is using shadow passwords.
juan is set to /home/juan/.
/bin/bash.
juan is created in /etc/shadow. The line has the following characteristics:
juan.
!!) appear in the password field of the /etc/shadow file, which locks the account.
-p flag, it is placed in the /etc/shadow file on the new line for the user.
juan is created in /etc/group. A group with the same name as a user is called a user private group. For more information on user private groups, refer to 「新規ユーザーを追加する」.
/etc/group has the following characteristics:
juan.
x appears in the password field indicating that the system is using shadow group passwords.
juan in /etc/passwd.
juan is created in /etc/gshadow. The line has the following characteristics:
juan.
!) appears in the password field of the /etc/gshadow file, which locks the group.
juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.
/etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory.
juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
/etc/passwd file by an Everything installation. The groupid (GID) in this table is the primary group for the user. See 「標準的なグループ」 for a listing of standard groups.
| ユーザー | UID | GID | ホームディレクトリ | シェル |
|---|---|---|---|---|
| root | 0 | 0 |
/root
|
/bin/bash
|
| bin | 1 | 1 |
/bin
|
/sbin/nologin
|
| daemon | 2 | 2 |
/sbin
|
/sbin/nologin
|
| adm | 3 | 4 |
/var/adm
|
/sbin/nologin
|
| lp | 4 | 7 |
/var/spool/lpd
|
/sbin/nologin
|
| sync | 5 | 0 |
/sbin
|
/bin/sync
|
| shutdown | 6 | 0 |
/sbin
|
/sbin/shutdown
|
| halt | 7 | 0 |
/sbin
|
/sbin/halt
|
| 8 | 12 |
/var/spool/mail
|
/sbin/nologin
| |
| news | 9 | 13 |
/etc/news
| |
| uucp | 10 | 14 |
/var/spool/uucp
|
/sbin/nologin
|
| operator | 11 | 0 |
/root
|
/sbin/nologin
|
| games | 12 | 100 |
/usr/games
|
/sbin/nologin
|
| gopher | 13 | 30 |
/var/gopher
|
/sbin/nologin
|
| ftp | 14 | 50 |
/var/ftp
|
/sbin/nologin
|
| nobody | 99 | 99 |
/
|
/sbin/nologin
|
| rpm | 37 | 37 |
/var/lib/rpm
|
/sbin/nologin
|
| vcsa | 69 | 69 |
/dev
|
/sbin/nologin
|
| dbus | 81 | 81 |
/
|
/sbin/nologin
|
| ntp | 38 | 38 |
/etc/ntp
|
/sbin/nologin
|
| canna | 39 | 39 |
/var/lib/canna
|
/sbin/nologin
|
| nscd | 28 | 28 |
/
|
/sbin/nologin
|
| rpc | 32 | 32 |
/
|
/sbin/nologin
|
| postfix | 89 | 89 |
/var/spool/postfix
|
/sbin/nologin
|
| mailman | 41 | 41 |
/var/mailman
|
/sbin/nologin
|
| named | 25 | 25 |
/var/named
|
/bin/false
|
| amanda | 33 | 6 |
var/lib/amanda/
|
/bin/bash
|
| postgres | 26 | 26 |
/var/lib/pgsql
|
/bin/bash
|
| exim | 93 | 93 |
/var/spool/exim
|
/sbin/nologin
|
| sshd | 74 | 74 |
/var/empty/sshd
|
/sbin/nologin
|
| rpcuser | 29 | 29 |
/var/lib/nfs
|
/sbin/nologin
|
| nsfnobody | 65534 | 65534 |
/var/lib/nfs
|
/sbin/nologin
|
| pvm | 24 | 24 |
/usr/share/pvm3
|
/bin/bash
|
| apache | 48 | 48 |
/var/www
|
/sbin/nologin
|
| xfs | 43 | 43 |
/etc/X11/fs
|
/sbin/nologin
|
| gdm | 42 | 42 |
/var/gdm
|
/sbin/nologin
|
| htt | 100 | 101 |
/usr/lib/im
|
/sbin/nologin
|
| mysql | 27 | 27 |
/var/lib/mysql
|
/bin/bash
|
| webalizer | 67 | 67 |
/var/www/usage
|
/sbin/nologin
|
| mailnull | 47 | 47 |
/var/spool/mqueue
|
/sbin/nologin
|
| smmsp | 51 | 51 |
/var/spool/mqueue
|
/sbin/nologin
|
| squid | 23 | 23 |
/var/spool/squid
|
/sbin/nologin
|
| ldap | 55 | 55 |
/var/lib/ldap
|
/bin/false
|
| netdump | 34 | 34 |
/var/crash
|
/bin/bash
|
| pcap | 77 | 77 |
/var/arpwatch
|
/sbin/nologin
|
| radiusd | 95 | 95 |
/
|
/bin/false
|
| radvd | 75 | 75 |
/
|
/sbin/nologin
|
| quagga | 92 | 92 |
/var/run/quagga
|
/sbin/login
|
| wnn | 49 | 49 |
/var/lib/wnn
|
/sbin/nologin
|
| dovecot | 97 | 97 |
/usr/libexec/dovecot
|
/sbin/nologin
|
/etc/group file.
| グループ | GID | メンバー |
|---|---|---|
| root | 0 | root |
| bin | 1 | root, bin, daemon |
| daemon | 2 | root, bin, daemon |
| sys | 3 | root, bin, adm |
| adm | 4 | root, adm, daemon |
| tty | 5 | |
| disk | 6 | root |
| lp | 7 | daemon, lp |
| mem | 8 | |
| kmem | 9 | |
| wheel | 10 | root |
| 12 | mail, postfix, exim | |
| news | 13 | news |
| uucp | 14 | uucp |
| man | 15 | |
| games | 20 | |
| gopher | 30 | |
| dip | 40 | |
| ftp | 50 | |
| lock | 54 | |
| nobody | 99 | |
| users | 100 | |
| rpm | 37 | |
| utmp | 22 | |
| floppy | 19 | |
| vcsa | 69 | |
| dbus | 81 | |
| ntp | 38 | |
| canna | 39 | |
| nscd | 28 | |
| rpc | 32 | |
| postdrop | 90 | |
| postfix | 89 | |
| mailman | 41 | |
| exim | 93 | |
| named | 25 | |
| postgres | 26 | |
| sshd | 74 | |
| rpcuser | 29 | |
| nfsnobody | 65534 | |
| pvm | 24 | |
| apache | 48 | |
| xfs | 43 | |
| gdm | 42 | |
| htt | 101 | |
| mysql | 27 | |
| webalizer | 67 | |
| mailnull | 47 | |
| smmsp | 51 | |
| squid | 23 | |
| ldap | 55 | |
| netdump | 34 | |
| pcap | 77 | |
| quaggavt | 102 | |
| quagga | 92 | |
| radvd | 75 | |
| slocate | 21 | |
| wnn | 49 | |
| dovecot | 97 | |
| radiusd | 95 |
/etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.
/usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an emacs group, as in the following command:
groupadd emacsemacs group, type:
chown -R root.emacs /usr/share/emacs/site-lispgpasswd command:
gpasswd -a <username> emacschmod 775 /usr/share/emacs/site-lispemacs). Use the following command:
chmod 2775 /usr/share/emacs/site-lispemacs group can create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files.
shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
/etc/passwd file to /etc/shadow, which is readable only by the root user.
/etc/login.defs file to enforce security policies.
shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work.
chage
gpasswd
/usr/sbin/usermod -e or -f options
/usr/sbin/useradd -e or -f options
man chage — A command to modify password aging policies and account expiration.
man gpasswd — A command to administer the /etc/group file.
man groupadd — A command to add groups.
man grpck — A command to verify the /etc/group file.
man groupdel — A command to remove groups.
man groupmod — A command to modify group membership.
man pwck — A command to verify the /etc/passwd and /etc/shadow files.
man pwconv — A tool to convert standard passwords to shadow passwords.
man pwunconv — A tool to convert shadow passwords to standard passwords.
man useradd — A command to add users.
man userdel — A command to remove users.
man usermod — A command to modify users.
man 5 group — The file containing group information for the system.
man 5 passwd — The file containing user information for the system.
man 5 shadow — The file containing passwords and account expiration information for the system.
system-config-printer at a shell prompt.
) beside a Workgroup to expand it. From the expanded list, select a printer.
computer name/printer share. In 図36.5「SMB プリンタの追加」, the computer name is dellbox, while the printer share is r2.
guest、 Samba サーバーなら nobody が一般的なユーザー名になります。
lpq を入力します。一覧の最後の方は次のような表示なります。
lpq 出力の例Rank Owner/ID Class Job Files Size Time active user@localhost+902 A 902 sample.txt 2050 01:20:46
lpq and then use the command lprm job number. For example, lprm 902 would cancel the print job in 例36.1「lpq 出力の例」. You must have proper permissions to cancel a print job. You can not cancel print jobs that were started by other users unless you are logged in as root on the machine to which the printer is attached.
lpr sample.txt はテキストファイル sample.txt を印刷します。印刷フィルタがファイルの種類を判別し、プリンタに対応する形式に変換します。
map lpr — The manual page for the lpr command that allows you to print files from the command line.
man lprm — 印刷キューから印刷ジョブを削除するコマンドラインユーティリティのマニュアルページです。
man mpage — 1 枚の紙面に複数ページを印刷するコマンドラインユーティリティのマニュアルページです。
man cupsd — CUPS プリンタデーモンのマニュアルページです。
man cupsd.conf — CUPS プリンタデーモン設定ファイルのマニュアルページです。
man classes.conf — CUPS 用クラス設定ファイルのマニュアルページです。
locate command is updated daily. A system administrator can use automated tasks to perform periodic backups, monitor the system, run custom scripts, and more.
cron, at, and batch.
vixie-cron RPM package must be installed and the crond service must be running. To determine if the package is installed, use the rpm -q vixie-cron command. To determine if the service is running, use the command /sbin/service crond status.
/etc/crontab, contains the following lines:
SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root HOME=/ # run-parts 01 * * * * root run-parts /etc/cron.hourly 02 4 * * * root run-parts /etc/cron.daily 22 4 * * 0 root run-parts /etc/cron.weekly 42 4 1 * * root run-parts /etc/cron.monthly
SHELL variable tells the system which shell environment to use (in this example the bash shell), while the PATH variable defines the path used to execute commands. The output of the cron tasks are emailed to the username defined with the MAILTO variable. If the MAILTO variable is defined as an empty string (MAILTO=""), email is not sent. The HOME variable can be used to set the home directory to use when executing commands or scripts.
/etc/crontab file represents a task and has the following format:
minute hour day month dayofweek command
minute — any integer from 0 to 59
hour — any integer from 0 to 23
day — any integer from 1 to 31 (must be a valid day if a month is specified)
month — any integer from 1 to 12 (or the short name of the month such as jan or feb)
dayofweek — any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the week such as sun or mon)
command — the command to execute (the command can either be a command such as ls /proc >> /tmp/proc or the command to execute a custom script)
1-4 means the integers 1, 2, 3, and 4.
3, 4, 6, 8 indicates those four specific integers.
/<integer>. For example, 0-59/2 can be used to define every other minute in the minute field. Step values can also be used with an asterisk. For instance, the value */3 can be used in the month field to run the task every third month.
/etc/crontab file, the run-parts script executes the scripts in the /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ directories on an hourly, daily, weekly, or monthly basis respectively. The files in these directories should be shell scripts.
/etc/cron.d/ directory. All files in this directory use the same syntax as /etc/crontab. Refer to 例37.1「crontab の例」 for examples.
# record the memory usage of the system every monday # at 3:30AM in the file /tmp/meminfo 30 3 * * mon cat /proc/meminfo >> /tmp/meminfo # run custom script the first day of every month at 4:10AM 10 4 1 * * /root/scripts/backup.sh
crontab utility. All user-defined crontabs are stored in the /var/spool/cron/ directory and are executed using the usernames of the users that created them. To create a crontab as a user, login as that user and type the command crontab -e to edit the user's crontab using the editor specified by the VISUAL or EDITOR environment variable. The file uses the same format as /etc/crontab. When the changes to the crontab are saved, the crontab is stored according to username and written to the file /var/spool/cron/username.
/etc/crontab file, the /etc/cron.d/ directory, and the /var/spool/cron/ directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed.
/etc/cron.allow and /etc/cron.deny files are used to restrict access to cron. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The cron daemon (crond) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to add or delete a cron task.
cron.allow exists, only users listed in it are allowed to use cron, and the cron.deny file is ignored.
cron.allow does not exist, users listed in cron.deny are not allowed to use cron.
/sbin/service crond start. To stop the service, use the command /sbin/service crond stop. It is recommended that you start the service at boot time. Refer to 17章サービスへのアクセスの制御 for details on starting the cron service automatically at boot time.
at command is used to schedule a one-time task at a specific time and the batch command is used to schedule a one-time task to be executed when the systems load average drops below 0.8.
at or batch, the at RPM package must be installed, and the atd service must be running. To determine if the package is installed, use the rpm -q at command. To determine if the service is running, use the command /sbin/service atd status.
at time, where timetime は次のいずれかを指定できます。
/usr/share/doc/at-<version>/timespec text file.
at command with the time argument, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl+D . Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl+D . Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl+D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first).
atq to view pending jobs. Refer to 「保留ジョブの表示」 for more information.
at command can be restricted. For more information, refer to 「at と batch へのアクセスの制御」 for details.
batch command.
batch command, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl+D . Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl+D . Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl+D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first). As soon as the load average is below 0.8, the set of commands or script is executed.
atq to view pending jobs. Refer to 「保留ジョブの表示」 for more information.
batch command can be restricted. For more information, refer to 「at と batch へのアクセスの制御」 for details.
at and batch jobs, use the atq command. The atq command displays a list of pending jobs, with each job on a line. Each line follows the job number, date, hour, job class, and username format. Users can only view their own jobs. If the root user executes the atq command, all jobs for all users are displayed.
at and batch include:
at and batch Command Line Options| オプション | 説明 |
|---|---|
-f
| コマンドやシェルスクリプトはプロンプトで指定するのではなく、ファイルから読み込む |
-m
| ジョブが完了したら、ユーザーに電子メールを送信する |
-v
| ジョブが実行される時刻を表示する |
/etc/at.allow and /etc/at.deny files can be used to restrict access to the at and batch commands. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The at daemon (atd) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to execute the at or batch commands.
at and batch commands, regardless of the access control files.
at.allow exists, only users listed in it are allowed to use at or batch, and the at.deny file is ignored.
at.allow does not exist, users listed in at.deny are not allowed to use at or batch.
at service, use the command /sbin/service atd start. To stop the service, use the command /sbin/service atd stop. It is recommended that you start the service at boot time. Refer to 17章サービスへのアクセスの制御 for details on starting the cron service automatically at boot time.
cron man page — overview of cron.
crontab man pages in sections 1 and 5 — The man page in section 1 contains an overview of the crontab file. The man page in section 5 contains the format for the file and some example entries.
/usr/share/doc/at-<version>/timespec contains more detailed information about the times that can be specified for cron jobs.
at man page — description of at and batch and their command line options.
syslogd. A list of log messages maintained by syslogd can be found in the /etc/syslog.conf configuration file.
/var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory. By default, it is configured to rotate every week and keep four weeks worth of previous log files.
Vi or Emacs. Some log files are readable by all users on the system; however, root privileges are required to read most log files.
gnome-system-log at a shell prompt.
stap.
stapprobes man page for details. All these events are named using a unified syntax that looks like dot-separated parameterized identifiers:
| Event | Description |
|---|---|
begin
| The startup of the systemtap session. |
end
| The end of the systemtap session. |
kernel.function("sys_open")
| The entry to the function named sys_open in the kernel. |
syscall.close.return
| The return from the close system call.. |
module("ext3").statement(0xdeadbeef)
| The addressed instruction in the ext3 filesystem driver. |
timer.ms(200)
| A timer that fires every 200 milliseconds. |
net/socket.c in the kernel. The kernel.function probe point lets you express that easily, since systemtap examines the kernel's debugging information to relate object code to source code. It works like a debugger: if you can name or place it, you can probe it. Use kernel.function("*@net/socket.c") for the function entries, and kernel.function("*@net/socket.c").return for the exits. Note the use of wildcards in the function name part, and the subsequent @FILENAME part. You can also put wildcards into the file name, and even add a colon (:) and a line number, if you want to restrict the search that precisely. Since systemtap will put a separate probe in every place that matches a probe point, a few wildcards can expand to hundreds or thousands of probes, so be careful what you ask for.
probe keyword introduces a probe point, or a comma-separated list of them. The following { and } braces enclose the handler for all listed probe points.
stap -v FILE. Terminate it any time with ^C. (The -v option tells systemtap to print more verbose messages during its processing. Try the -h option to see more options.)
ps ax command displays a list of current system processes, including processes owned by other users. To display the owner alongside each process, use the ps aux command. This list is a static list; in other words, it is a snapshot of what was running when you invoked the command. If you want a constantly updated list of running processes, use top as described below.
ps output can be long. To prevent it from scrolling off the screen, you can pipe it through less:
ps aux | lessps command in combination with the grep command to see if a process is running. For example, to determine if Emacs is running, use the following command:
ps ax | grep emacstop command displays currently running processes and important information about them including their memory and CPU usage. The list is both real-time and interactive. An example of output from the top command is provided as follows:
top - 15:02:46 up 35 min, 4 users, load average: 0.17, 0.65, 1.00
Tasks: 110 total, 1 running, 107 sleeping, 0 stopped, 2 zombie
Cpu(s): 41.1% us, 2.0% sy, 0.0% ni, 56.6% id, 0.0% wa, 0.3% hi, 0.0% si
Mem: 775024k total, 772028k used, 2996k free, 68468k buffers
Swap: 1048568k total, 176k used, 1048392k free, 441172k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4624 root 15 0 40192 18m 7228 S 28.4 2.4 1:23.21 X
4926 mhideo 15 0 55564 33m 9784 S 13.5 4.4 0:25.96 gnome-terminal
6475 mhideo 16 0 3612 968 760 R 0.7 0.1 0:00.11 top
4920 mhideo 15 0 20872 10m 7808 S 0.3 1.4 0:01.61 wnck-applet
1 root 16 0 1732 548 472 S 0.0 0.1 0:00.23 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.03 events/0
4 root 6 -10 0 0 0 S 0.0 0.0 0:00.02 khelper
5 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
29 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
47 root 16 0 0 0 0 S 0.0 0.0 0:01.74 pdflush
50 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
30 root 15 0 0 0 0 S 0.0 0.0 0:00.05 khubd
49 root 16 0 0 0 0 S 0.0 0.0 0:01.44 kswapd0top, press the q key.
top commands」 contains useful interactive commands that you can use with top. For more information, refer to the top(1) manual page.
top commands| コマンド | 説明 |
|---|---|
| Space | すぐに表示を更新します |
| h | ヘルプ画面を表示します |
| k | プロセスを kill します。プロセスIDとそれに送るシグナルの入力が求められます。 |
| n | 表示されるプロセスの数を変更します。数値を入力するよう求められます。 |
| u | ユーザーの順に並べます。 |
| M | メモリ使用量の順に並べます。 |
| P | CPU使用率の順に並べます。 |
top, you can use the GNOME System Monitor. To start it from the desktop, select > > or type gnome-system-monitor at a shell prompt (such as an XTerm). Select the Process Listing tab.
free command displays the total amount of physical memory and swap space for the system as well as the amount of memory that is used, free, shared, in kernel buffers, and cached.
total used free shared buffers cached Mem: 645712 549720 95992 0 176248 224452 -/+ buffers/cache: 149020 496692 Swap: 1310712 0 1310712
free -m shows the same information in megabytes, which are easier to read.
total used free shared buffers cached Mem: 630 536 93 0 172 219 -/+ buffers/cache: 145 485 Swap: 1279 0 1279
free, you can use the GNOME System Monitor. To start it from the desktop, go to > > or type gnome-system-monitor at a shell prompt (such as an XTerm). Click on the Resources tab.
df command reports the system's disk space usage. If you type the command df at a shell prompt, the output looks similar to the following:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
11675568 6272120 4810348 57% / /dev/sda1
100691 9281 86211 10% /boot
none 322856 0 322856 0% /dev/shmdf -h. The -h argument stands for human-readable format. The output looks similar to the following:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
12G 6.0G 4.6G 57% / /dev/sda1
99M 9.1M 85M 10% /boot
none 316M 0 316M 0% /dev/shm/dev/shm. This entry represents the system's virtual memory file system.
du command displays the estimated amount of space being used by files in a directory. If you type du at a shell prompt, the disk usage for each of the subdirectories is displayed in a list. The grand total for the current directory and subdirectories are also shown as the last line in the list. If you do not want to see the totals for all the subdirectories, use the command du -hs to see only the grand total for the directory in human-readable format. Use the du --help command to see more options.
gnome-system-monitor at a shell prompt (such as an XTerm). Select the File Systems tab to view the system's partitions. The figure below illustrates the File Systems tab.
hwbrowser at a shell prompt. As shown in 図40.4「Hardware Browser」, it displays your CD-ROM devices, diskette drives, hard drives and their partitions, network devices, pointing devices, system devices, and video cards. Click on the category name in the left menu, and the information is displayed.
hal-device-manager. Depending on your installation preferences, the graphical menu above may start this application or the Hardware Browser when clicked. The figure below illustrates the Device Manager window.
lspci command to list all PCI devices. Use the command lspci -v for more verbose information or lspci -vv for very verbose output.
lspci can be used to determine the manufacturer, model, and memory size of a system's video card:
00:00.0 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06) 00:00.1 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06) 00:01.0 VGA compatible controller: S3 Inc. Savage 4 (rev 04) 00:02.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 08) 00:0f.0 ISA bridge: ServerWorks OSB4 South Bridge (rev 50) 00:0f.1 IDE interface: ServerWorks OSB4 IDE Controller 00:0f.2 USB Controller: ServerWorks OSB4/CSB5 OHCI USB Controller (rev 04) 01:03.0 SCSI storage controller: Adaptec AIC-7892P U160/m (rev 02) 01:05.0 RAID bus controller: IBM ServeRAID Controller
lspci is also useful to determine the network card in your system if you do not know the manufacturer or model number.
ps --help — Displays a list of options that can be used with ps.
top manual page — Type man top to learn more about top and its many options.
free manual page — type man free to learn more about free and its many options.
df manual page — Type man df to learn more about the df command and its many options.
du manual page — Type man du to learn more about the du command and its many options.
lspci manual page — Type man lspci to learn more about the lspci command and its many options.
oprofile RPM package must be installed to use this tool.
--separate=libraryオプションを使用しないと、 共有ライブラリ のコードに対するサンプルは特定アプリケーションに帰属されません。
opreport does not associate samples for inline functions' properly — opreport uses a simple address range mechanism to determine which function an address is in. Inline function samples are not attributed to the inline function but rather to the function the inline function was inserted into.
opcontrol --reset to clear out the samples from previous runs.
oprofile package.
| コマンド | 説明 |
|---|---|
ophelp
|
Displays available events for the system's processor along with a brief description of each.
|
opimport
|
foreignバイナリ形式のサンプルデータベースファイルをシステムの native形式に変換します。 異なるアーキテクチャからサンプルデーターベース を分析する場合のみ、このオプション使用して下さい。
|
opannotate
|
Creates annotated source for an executable if the application was compiled with debugging symbols. Refer to 「Using opannotate」 for details.
|
opcontrol
|
Configures what data is collected. Refer to 「OProfileの設定」 for details.
|
opreport
|
Retrieves profile data. Refer to 「Using
opreport」 for details.
|
oprofiled
|
周期的にディスクへサンプルデーターを書き込むため、デーモンとして 実行されます。
|
opcontrol utility to configure OProfile. As the opcontrol commands are executed, the setup options are saved to the /root/.oprofile/daemonrc file.
opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinuxdebuginfo package must be installed (which contains the uncompressed kernel) in order to monitor the kernel.
opcontrol --setup --no-vmlinuxoprofile kernel module, if it is not already loaded, and creates the /dev/oprofile/ directory, if it does not already exist. Refer to 「Understanding /dev/oprofile/」 for details about this directory.
oprofile module can be loaded from it.
| プロセッサ |
cpu_type
| カウンタ数 |
|---|---|---|
| Pentium Pro | i386/ppro | 2 |
| Pentium II | i386/pii | 2 |
| Pentium III | i386/piii | 2 |
| Pentium 4 (Hyper-threading 非対応) | i386/p4 | 8 |
| Pentium 4 (hyper-threading 対応) | i386/p4-ht | 4 |
| Athlon | i386/athlon | 4 |
| AMD64 | x86-64/hammer | 4 |
| Itanium | ia64/itanium | 4 |
| Itanium 2 | ia64/itanium2 | 4 |
| TIMER_INT | timer | 1 |
| IBM eServer iSeriesおよびpSeries | timer | 1 |
| ppc64/power4 | 8 | |
| ppc64/power5 | 6 | |
| ppc64/970 | 8 | |
| IBM eServer S/390およびS/390x | timer | 1 |
| IBM eServer zSeries | timer | 1 |
timer is used as the processor type if the processor does not have supported performance monitoring hardware.
timer is used, events cannot be set for any processor because the hardware does not have support for hardware performance counters. Instead, the timer interrupt is used for profiling.
timer is not used as the processor type, the events monitored can be changed, and counter 0 for the processor is set to a time-based event by default. If more than one counter exists on the processor, the counters other than counter 0 are not set to an event by default. The default events monitored are shown in 表41.3「デフォルトイベント」.
| プロセッサ | カウンタのデフォルトイベント | 説明 |
|---|---|---|
| Pentium Pro、Pentium II、Pentium III、Athlon、AMD64 | CPU_CLK_UNHALTED | The processor's clock is not halted |
| Pentium 4 (HT対応、HT非対応) | GLOBAL_POWER_EVENTS | プロセッサが停止しなかった時間 |
| Itanium 2 | CPU_CYCLES | CPU サイクル |
| TIMER_INT | (無し) | 各タイマ割り込みのサンプル |
| ppc64/power4 | CYCLES | プロセッササイクル |
| ppc64/power5 | CYCLES | プロセッササイクル |
| ppc64/970 | CYCLES | プロセッササイクル |
ls -d /dev/oprofile/[0-9]*ophelpopcontrol:
opcontrol --event=<event-name>:<sample-rate><event-name> with the exact name of the event from ophelp, and replace <sample-rate> with the number of events between samples.
cpu_type is not timer, each event can have a sampling rate set for it. The sampling rate is the number of events between each sample snapshot.
opcontrol --event=<event-name>:<sample-rate><sample-rate> with the number of events to wait before sampling again. The smaller the count, the more frequent the samples. For events that do not happen frequently, a lower count may be needed to capture the event instances.
ophelp command. The values for each unit mask are listed in hexadecimal format. To specify more than one unit mask, the hexadecimal values must be combined using a bitwise or operation.
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:0opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:1opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:0opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:1opcontrol --separate=<choice><choice> can be one of the following:
none — do not separate the profiles (default)
library — generate per-application profiles for libraries
kernel — generate per-application profiles for the kernel and kernel modules
all — generate per-application profiles for libraries and per-application profiles for the kernel and kernel modules
--separate=libraryを使用すると、 ライブラリ名と実行可能ファイル名がサンプルファイル名に含まれます。
oprofile is restarted.
opcontrol --startUsing log file /var/lib/oprofile/oprofiled.log Daemon started. Profiler running.
/root/.oprofile/daemonrc are used.
oprofiled, is started; it periodically writes the sample data to the /var/lib/oprofile/samples/ directory. The log file for the daemon is located at /var/lib/oprofile/oprofiled.log.
opcontrol --shutdown<name> with a unique descriptive name for the current session.
opcontrol --save=<name>/var/lib/oprofile/samples/name/ is created and the current sample files are copied to it.
oprofiled, collects the samples and writes them to the /var/lib/oprofile/samples/ directory. Before reading the data, make sure all data has been written to this directory by executing the following command as root:
opcontrol --dump/bin/bash becomes:
\{root\}/bin/bash/\{dep\}/\{root\}/bin/bash/CPU_CLK_UNHALTED.100000opreport
opannotate
oparchive can be used to address this problem.
opreportopreport tool provides an overview of all the executables being profiled.
Profiling through timer interrupt TIMER:0| samples| %| ------------------ 25926 97.5212 no-vmlinux 359 1.3504 pi 65 0.2445 Xorg 62 0.2332 libvte.so.4.4.0 56 0.2106 libc-2.3.4.so 34 0.1279 libglib-2.0.so.0.400.7 19 0.0715 libXft.so.2.1.2 17 0.0639 bash 8 0.0301 ld-2.3.4.so 8 0.0301 libgdk-x11-2.0.so.0.400.13 6 0.0226 libgobject-2.0.so.0.400.7 5 0.0188 oprofiled 4 0.0150 libpthread-2.3.4.so 4 0.0150 libgtk-x11-2.0.so.0.400.13 3 0.0113 libXrender.so.1.2.2 3 0.0113 du 1 0.0038 libcrypto.so.0.9.7a 1 0.0038 libpam.so.0.77 1 0.0038 libtermcap.so.2.0.8 1 0.0038 libX11.so.6.2 1 0.0038 libgthread-2.0.so.0.400.7 1 0.0038 libwnck-1.so.4.9.0
opreport man page for a list of available command line options, such as the -r option used to sort the output from the executable with the smallest number of samples to the one with the largest number of samples.
opreport on a Single Executableopreport:
opreport <mode> <executable><executable> must be the full path to the executable to be analyzed. <mode> must be one of the following:
-lopreport -l /lib/tls/libc-<version>.so:
samples % symbol name 12 21.4286 __gconv_transform_utf8_internal 5 8.9286 _int_malloc 4 7.1429 malloc 3 5.3571 __i686.get_pc_thunk.bx 3 5.3571 _dl_mcount_wrapper_check 3 5.3571 mbrtowc 3 5.3571 memcpy 2 3.5714 _int_realloc 2 3.5714 _nl_intern_locale_data 2 3.5714 free 2 3.5714 strcmp 1 1.7857 __ctype_get_mb_cur_max 1 1.7857 __unregister_atfork 1 1.7857 __write_nocancel 1 1.7857 _dl_addr 1 1.7857 _int_free 1 1.7857 _itoa_word 1 1.7857 calc_eclosure_iter 1 1.7857 fopen@@GLIBC_2.1 1 1.7857 getpid 1 1.7857 memmove 1 1.7857 msort_with_tmp 1 1.7857 strcpy 1 1.7857 strlen 1 1.7857 vfprintf 1 1.7857 write
-r in conjunction with the -lオプションを使用してください。
-i <symbol-name>opreport -l -i __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
samples % symbol name 12 100.000 __gconv_transform_utf8_internal
-d-l. For example, the following output is from the command opreport -l -d __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
vma samples % symbol name 00a98640 12 100.000 __gconv_transform_utf8_internal 00a98640 1 8.3333 00a9868c 2 16.6667 00a9869a 1 8.3333 00a986c1 1 8.3333 00a98720 1 8.3333 00a98749 1 8.3333 00a98753 1 8.3333 00a98789 1 8.3333 00a98864 1 8.3333 00a98869 1 8.3333 00a98b08 1 8.3333
-l オプションと変わりません。 各仮想メモリアドレスのサンプル数と、シンボルのサンプル数に対するサンプル数を百分率で 表示しています。
-x<symbol-name>session:<name>/var/lib/oprofile/samples/ directory.
~]$ opreport /ext3
CPU: AMD64 processors, speed 797.948 MHz (estimated)
Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000
Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000
DATA_CACHE_ACC...|DATA_CACHE_MIS...|
samples| %| samples| %|
------------------------------------
148721 100.000 1493 100.000 ext3~]# ln -s /lib/modules/`uname -r`/kernel/fs/ext3/ext3.ko /ext3
Then the detailed information can be obtained with:
~]# opreport image:/ext3 -l|more
warning: could not check that the binary file /ext3 has not been modified since the profile was taken. Results may be inaccurate.
CPU: AMD64 processors, speed 797.948 MHz (estimated)
Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000
Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000
samples % samples % symbol name
16728 11.2479 7 0.4689 ext3_group_sparse
16454 11.0637 4 0.2679 ext3_count_free_blocks
14583 9.8056 51 3.4159 ext3_fill_super
8281 5.5681 129 8.6403 ext3_ioctl
7810 5.2514 62 4.1527 ext3_write_info
7286 4.8991 67 4.4876 ext3_ordered_writepage
6509 4.3767 130 8.7073 ext3_new_inode
6378 4.2886 156 10.4488 ext3_new_block
5932 3.9887 87 5.8272 ext3_xattr_block_list
...opannotateopannotate tool tries to match the samples for particular instructions to the corresponding lines in the source code. The resulting files generated should have the samples for the lines at the left. It also puts in a comment at the beginning of each function listing the total samples for the function.
-g option. By default, Red Hat Enterprise Linux packages are not compiled with this option.
opannotate is as follows:
opannotate --search-dirs <src-dir> --source <executable>opannotate man page for a list of additional command line options.
/dev/oprofile//dev/oprofile/ directory contains the file system for OProfile. Use the cat command to display the values of the virtual files in this file system. For example, the following command displays the type of processor OProfile detected:
cat /dev/oprofile/cpu_type/dev/oprofile/ for each counter. For example, if there are 2 counters, the directories /dev/oprofile/0/ and dev/oprofile/1/ exist.
count — The interval between samples.
enabled — If 0, the counter is off and no samples are collected for it; if 1, the counter is on and samples are being collected for it.
event — The event to monitor.
kernel — If 0, samples are not collected for this counter event when the processor is in kernel-space; if 1, samples are collected even if the processor is in kernel-space.
unit_mask — Defines which unit masks are enabled for the counter.
user — If 0, samples are not collected for the counter event when the processor is in user-space; if 1, samples are collected even if the processor is in user-space.
cat command. For example:
cat /dev/oprofile/0/countopreport can be used to determine how much processor time an application or service uses. If the system is used for multiple services but is under performing, the services consuming the most processor time can be moved to dedicated systems.
CPU_CLK_UNHALTED event can be monitored to determine the processor load over a given period of time. This data can then be used to determine if additional processors or a faster processor might improve system performance.
oprof_start command as root at a shell prompt. To use the graphical interface, you will need to have the oprofile-gui package installed.
/root/.oprofile/daemonrc, and the application exits. Exiting the application does not stop OProfile from sampling.
oprof_start interface
vmlinux file for the kernel to monitor in the Kernel image file text field. To configure OProfile not to monitor the kernel, select No kernel image.
oprofiled daemon log includes more information.
opcontrol --separate=kernel command. If Per-application shared libs samples files is selected, OProfile generates per-application profiles for libraries. This is equivalent to the opcontrol --separate=library command.
opcontrol --dump command.
/usr/share/doc/oprofile-<version>/oprofile.html — OProfile Manual
oprofile man page — Discusses opcontrol, opreport, opannotate, and ophelp
yum command. The Package Management Tool automatically queries the Red Hat Enterprise Linux servers and determines which packages need to be updated on your machine, including the kernel. This chapter is only useful for those individuals that require manual updating of kernel packages, without using the yum command.
yum is highly recommended by Red Hat for installing upgraded kernels.
yum, refer to 14章Product Subscriptions and Entitlements.
kernel — Contains the kernel for multi-processor systems. For x86 system, only the first 4GB of RAM is used. As such, x86 systems with over 4GB of RAM should use the kernel-PAE.
kernel-devel — Contains the kernel headers and makefiles sufficient to build modules against the kernel package.
kernel-PAE (only for i686 systems) — This package offers the following key configuration option (in addition to the options already enabled for the kernel package):
kernel-hugemem package) is able to reliably address all 64GB of memory. Additionally, the Red Hat Enterprise Linux 5 PAE variant does not allow 4GB of addressable memory per-process like the Red Hat Enterprise Linux 4 kernel-hugemem variant does. However, the x86_64 kernel does not suffer from any of these limitations, and is the suggested Red Hat Enterprise Linux 5 architecture to use with large-memory systems.
kernel-PAE-devel — Contains the kernel headers and makefiles required to build modules against the kernel-PAE package.
kernel-doc — Contains documentation files from the kernel source. Various portions of the Linux kernel and the device drivers shipped with it are documented in these files. Installation of this package provides a reference to the options that can be passed to Linux kernel modules at load time.
/usr/share/doc/kernel-doc-<version>/ directory.
kernel-headers — Includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs.
kernel-xen — Includes a version of the Linux kernel which is needed to run Virtualization.
kernel-xen-devel — Contains the kernel headers and makefiles required to build modules against the kernel-xen package
kernel-source package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network. This *.src.rpm package must then be rebuilt locally using the rpmbuild command. For more information on obtaining and installing the kernel source package, refer to the latest updated Release Notes (including all updates) at http://www.redhat.com/docs/manuals/enterprise/
/sbin/mkbootdisk `uname -r` at a shell prompt.
mkbootdisk man page for more options. You can create bootable media via CD-Rs, CD-RWs, and USB flash drives, provided that your system BIOS also supports it.
rpm -qa | grep kernel at a shell prompt:
kernel-2.6.9-5.EL kernel-devel-2.6.9-5.EL kernel-utils-2.6.9-5.EL kernel-doc-2.6.9-5.EL kernel-smp-2.6.9-5.EL kernel-smp-devel-2.6.9-5.EL kernel-hugemem-devel-2.6.9-5.EL
kernel package. Refer to 「カーネルパッケージの概要」 for descriptions of the different packages.
<variant>-<version>.<arch>.rpm, where <variant> is one of either PAE, xen, and so forth. The <arch> is one of the following:
x86_64 for the AMD64 and Intel EM64T architectures
ia64 for the Intel® Itanium™ architecture
ppc64 for the IBM® eServer™ pSeries™ architecture
s390 for the IBM® S/390® architecture
s390x for the IBM® eServer™ System z® architecture
i686 for Intel® Pentium® II, Intel® Pentium® III, Intel® Pentium® 4, AMD Athlon®, and AMD Duron® systems
-i argument with the rpm command to keep the old kernel. Do not use the -U option, since it overwrites the currently installed kernel, which creates boot loader problems. For example:
rpm -ivh kernel-<kernel version>.<arch>.rpm
/etc/fstab, an initial RAM disk is needed. The initial RAM disk allows a modular kernel to have access to modules that it might need to boot from before the kernel has access to the device where the modules normally reside.
mkinitrd command. However, this step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat; in such cases, you do not need to create the initial RAM disk manually. To verify that an initial RAM disk already exists, use the command ls -l /boot to make sure the initrd-<version>.img file was created (the version should match the version of the kernel just installed).
vmlinux file are combined into one file, which is created with the addRamDisk command. This step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc.; thus, it does not need to be executed manually. To verify that it was created, use the command ls -l /boot to make sure the /boot/vmlinitrd-<kernel-version> file already exists (the <kernel-version> kernel RPM package configures the boot loader to boot the newly installed kernel (except for IBM eServer iSeries systems). However, it does not configure the boot loader to boot the new kernel by default.
/boot/grub/grub.conf contains a title section with the same version as the kernel package just installed
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
# initrd /initrd-version.img
#boot=/dev/hda
default=1 timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
initrd /initrd-2.6.9-1.906_EL.img/boot/ partition was created, the paths to the kernel and initrd image are relative to /boot/.
default variable to the title section number for the title section that contains the new kernel. The count starts with 0. For example, if the new kernel is the first title section, set default to 0.
/boot/efi/EFI/redhat/elilo.conf as the configuration file. Confirm that this file contains an image section with the same version as the kernel package just installed:
prompt timeout=50 default=old image=vmlinuz-2.6.9-5.EL
label=linux
initrd=initrd-2.6.9-5.EL.img read-only
append="root=LABEL=/" image=vmlinuz-2.6.9-1.906_EL
label=old
initrd=initrd-2.6.9-1.906.img read-only
append="root=LABEL=/"default variable to the value of the label for the image section that contains the new kernel.
/etc/zipl.conf as the configuration file. Confirm that the file contains a section with the same version as the kernel package just installed:
[defaultboot] default=old target=/boot/
[linux]
image=/boot/vmlinuz-2.6.9-5.EL
ramdisk=/boot/initrd-2.6.9-5.EL.img
parameters="root=LABEL=/"
[old]
image=/boot/vmlinuz-2.6.9-1.906_EL
ramdisk=/boot/initrd-2.6.9-1.906_EL.img
parameters="root=LABEL=/"default variable to the name of the section that contains the new kernel. The first line of each section contains the name in brackets.
/sbin/zipl as root to enable the changes.
/boot/vmlinitrd-<kernel-version> file is installed when you upgrade the kernel. However, you must use the dd command to configure the system to boot the new kernel:
cat /proc/iSeries/mf/side to determine the default side (either A, B, or C).
<kernel-version> is the version of the new kernel and <side> is the side from the previous command:
dd if=/boot/vmlinitrd-<kernel-version> of=/proc/iSeries/mf/<side>/vmlinux bs=8k
/etc/aboot.conf as the configuration file. Confirm that the file contains an image section with the same version as the kernel package just installed:
boot=/dev/sda1 init-message=Welcome to Red Hat Enterprise Linux! Hit <TAB> for boot options
partition=2 timeout=30 install=/usr/lib/yaboot/yaboot delay=10 nonvram
image=/vmlinux--2.6.9-5.EL
label=old
read-only
initrd=/initrd--2.6.9-5.EL.img
append="root=LABEL=/"
image=/vmlinux-2.6.9-5.EL
label=linux
read-only
initrd=/initrd-2.6.9-5.EL.img
append="root=LABEL=/"default and set it to the label of the image stanza that contains the new kernel.
kernel-smp-unsupported-<kernel-version> and kernel-hugemem-unsupported-<kernel-version> . Replace <kernel-version> with the version of the kernel installed on the system. These packages are not installed by the Red Hat Enterprise Linux installation program, and the modules provided are not supported by Red Hat, Inc.
module-init-tools package is installed. Use these commands to determine if a module has been loaded successfully or when trying different modules for a piece of new hardware.
/sbin/lsmod displays a list of currently loaded modules. For example:
Module Size Used by tun 11585 1 autofs4 21573 1 hidp 16193 2 rfcomm 37849 0 l2cap 23873 10 hidp,rfcomm bluetooth 50085 5 hidp,rfcomm,l2cap sunrpc 153725 1 dm_mirror 29073 0 dm_mod 57433 1 dm_mirror video 17221 0 sbs 16257 0 i2c_ec 5569 1 sbs container 4801 0 button 7249 0 battery 10565 0 asus_acpi 16857 0 ac 5701 0 ipv6 246113 12 lp 13065 0 parport_pc 27493 1 parport 37001 2 lp,parport_pc uhci_hcd 23885 0 floppy 57317 1 sg 34653 0 snd_ens1371 26721 1 gameport 16073 1 snd_ens1371 snd_rawmidi 24897 1 snd_ens1371 snd_ac97_codec 91360 1 snd_ens1371 snd_ac97_bus 2753 1 snd_ac97_codec snd_seq_dummy 4293 0 snd_seq_oss 32705 0 serio_raw 7493 0 snd_seq_midi_event 8001 1 snd_seq_oss snd_seq 51633 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event snd_seq_device 8781 4 snd_rawmidi,snd_seq_dummy,snd_seq_oss,snd_seq snd_pcm_oss 42849 0 snd_mixer_oss 16833 1 snd_pcm_oss snd_pcm 76485 3 snd_ens1371,snd_ac97_codec,snd_pcm_oss snd_timer 23237 2 snd_seq,snd_pcm snd 52933 12 snd_ens1371,snd_rawmidi,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer soundcore 10145 1 snd i2c_piix4 8909 0 ide_cd 38625 3 snd_page_alloc 10569 1 snd_pcm i2c_core 21697 2 i2c_ec,i2c_piix4 pcnet32 34117 0 cdrom 34913 1 ide_cd mii 5825 1 pcnet32 pcspkr 3521 0 ext3 129737 2 jbd 58473 1 ext3 mptspi 17353 3 scsi_transport_spi 25025 1 mptspi mptscsih 23361 1 mptspi sd_mod 20929 16 scsi_mod 134121 5 sg,mptspi,scsi_transport_spi,mptscsih,sd_mod mptbase 52193 2 mptspi,mptscsih
/sbin/lsmod output is less verbose and easier to read than the output from viewing /proc/modules.
/sbin/modprobe command followed by the kernel module name. By default, modprobe attempts to load the module from the /lib/modules/<kernel-version>/kernel/drivers/ subdirectories. There is a subdirectory for each type of module, such as the net/ subdirectory for network interface drivers. Some kernel modules have module dependencies, meaning that other modules must be loaded first for it to load. The /sbin/modprobe command checks for these dependencies and loads the module dependencies before loading the specified module.
modprobe e100e100 module.
/sbin/modprobe executes them, use the -v option. For example:
modprobe -v e100insmod /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko Using /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko Symbol version prefix 'smp_'
/sbin/insmod command also exists to load kernel modules; however, it does not resolve dependencies. Thus, it is recommended that the /sbin/modprobe command be used.
/sbin/rmmod command followed by the module name. The rmmod utility only unloads modules that are not in use and that are not a dependency of other modules in use.
rmmod e100e100 kernel module.
modinfo. Use the command /sbin/modinfo to display information about a kernel module. The general syntax is:
modinfo [options] <module>-d, which displays a brief description of the module, and -p, which lists the parameters the module supports. For a complete list of options, refer to the modinfo man page (man modinfo).
/etc/modprobe.conf file. However, it is sometimes necessary to explicitly force the loading of a module at boot time.
/etc/rc.modules file at boot time, which contains various commands to load modules. The rc.modules should be used, and not rc.local because rc.modules is executed earlier in the boot process.
foo module at boot time (as root):
echo modprobe foo >> /etc/rc.moduleschmod +x /etc/rc.modules
e100 driver with the e100_speed_duplex=4 option.
modinfo command is also useful for listing various information about a kernel module, such as version, dependencies, parameter options, and aliases.
| ハードウェア | モジュール | パラメータ |
|---|---|---|
| 3ware Storage Controller and 9000 series |
3w-xxxx.ko, 3w-9xxx.ko
| |
| Adaptec Advanced Raid Products, Dell PERC2, 2/Si, 3/Si, 3/Di, HP NetRAID-4M, IBM ServeRAID, and ICP SCSI driver |
aacraid.ko
|
nondasd — Control scanning of hba for nondasd devices. 0=off, 1=on
dacmode — Control whether dma addressing is using 64 bit DAC. 0=off, 1=on
commit — Control whether a COMMIT_CONFIG is issued to the adapter for foreign arrays. This is typically needed in systems that do not have a BIOS. 0=off, 1=on
startup_timeout — The duration of time in seconds to wait for adapter to have it's kernel up and running. This is typically adjusted for large systems that do not have a BIOS
aif_timeout — The duration of time in seconds to wait for applications to pick up AIFs before deregistering them. This is typically adjusted for heavily burdened systems.
numacb — Request a limit to the number of adapter control blocks (FIB) allocated. Valid values are 512 and down. Default is to use suggestion from Firmware.
acbsize — Request a specific adapter control block (FIB) size. Valid values are 512, 2048, 4096 and 8192. Default is to use suggestion from Firmware.
|
| Adaptec 28xx、R9xx、39xx AHA-284x、AHA-29xx、AHA-394x、AHA-398x、AHA-274x、 AHA-274xT、AHA-2842、AHA-2910B、AHA-2920C、AHA-2930/U/U2、AHA-2940/W/U/UW/AU/、 U2W/U2/U2B/、U2BOEM、AHA-2944D/WD/UD/UWD、AHA-2950U2/W/B、AHA-3940/U/W/UW/、 AUW/U2W/U2B、AHA-3950U2D、AHA-3985/U/W/UW、AIC-777x、AIC-785x、AIC-786x、 AIC-787x、AIC-788x、AIC-789x、AIC-3860 |
aic7xxx.ko
|
verbose — Enable verbose/diagnostic logging
allow_memio — Allow device registers to be memory mapped
debug — Bitmask of debug values to enable
no_probe — Toggle EISA/VLB controller probing
probe_eisa_vl — Toggle EISA/VLB controller probing
no_reset — Supress initial bus resets
extended — Enable extended geometry on all controllers
periodic_otag — Send an ordered tagged transaction periodically to prevent tag starvation. This may be required by some older disk drives or RAID arrays.
tag_info:<tag_str> — Set per-target tag depth
global_tag_depth:<int> — Global tag depth for every target on every bus
seltime:<int> — Selection Timeout (0/256ms,1/128ms,2/64ms,3/32ms)
|
| IBM ServeRAID |
ips.ko
| |
| LSI Logic MegaRAID Mailbox Driver |
megaraid_mbox.ko
|
unconf_disks — Set to expose unconfigured disks to kernel (default=0)
busy_wait — Max wait for mailbox in microseconds if busy (default=10)
max_sectors — Maximum number of sectors per IO command (default=128)
cmd_per_lun — Maximum number of commands per logical unit (default=64)
fast_load — Faster loading of the driver, skips physical devices! (default=0)
debug_level — Debug level for driver (default=0)
|
| Emulex LightPulse Fibre Channel SCSI driver |
lpfc.ko
|
lpfc_poll — FCP ring polling mode control: 0 - none, 1 - poll with interrupts enabled 3 - poll and disable FCP ring interrupts
lpfc_log_verbose — Verbose logging bit-mask
lpfc_lun_queue_depth — Max number of FCP commands we can queue to a specific LUN
lpfc_hba_queue_depth — Max number of FCP commands we can queue to a lpfc HBA
lpfc_scan_down — Start scanning for devices from highest ALPA to lowest
lpfc_nodev_tmo — Seconds driver will hold I/O waiting for a device to come back
lpfc_topology — Select Fibre Channel topology
lpfc_link_speed — Select link speed
lpfc_fcp_class — Select Fibre Channel class of service for FCP sequences
lpfc_use_adisc — Use ADISC on rediscovery to authenticate FCP devices
lpfc_ack0 — Enable ACK0 support
lpfc_cr_delay — A count of milliseconds after which an interrupt response is generated
lpfc_cr_count — A count of I/O completions after which an interrupt response is generated
lpfc_multi_ring_support — Determines number of primary SLI rings to spread IOCB entries across
lpfc_fdmi_on — Enable FDMI support
lpfc_discovery_threads — Maximum number of ELS commands during discovery
lpfc_max_luns — Maximum allowed LUN
lpfc_poll_tmo — Milliseconds driver will wait between polling FCP ring
|
| HP Smart Array | cciss.ko | |
| LSI Logic MPT Fusion | mptbase.ko mptctl.ko mptfc.ko mptlan.ko mptsas.ko mptscsih.ko mptspi.ko |
mpt_msi_enable — MSI Support Enable
mptfc_dev_loss_tmo — Initial time the driver programs the transport to wait for an rport to return following a device loss event.
mpt_pt_clear — Clear persistency table
mpt_saf_te — Force enabling SEP Processor
|
| QLogic Fibre Channel Driver | qla2xxx.ko |
ql2xlogintimeout — Login timeout value in seconds.
qlport_down_retry — Maximum number of command retries to a port that returns a PORT-DOWN status
ql2xplogiabsentdevice — Option to enable PLOGI to devices that are not present after a Fabric scan.
ql2xloginretrycount — Specify an alternate value for the NVRAM login retry count.
ql2xallocfwdump — Option to enable allocation of memory for a firmware dump during HBA initialization. Default is 1 - allocate memory.
extended_error_logging — Option to enable extended error logging.
ql2xfdmienable — Enables FDMI registrations.
|
| NCR, Symbios and LSI 8xx and 1010 | sym53c8xx |
cmd_per_lun — The maximum number of tags to use by default
tag_ctrl — More detailed control over tags per LUN
burst — Maximum burst. 0 to disable, 255 to read from registers
led — Set to 1 to enable LED support
diff — 0 for no differential mode, 1 for BIOS, 2 for always, 3 for not GPIO3
irqm — 0 for open drain, 1 to leave alone, 2 for totem pole
buschk — 0 to not check, 1 for detach on error, 2 for warn on error
hostid — The SCSI ID to use for the host adapters
verb — 0 for minimal verbosity, 1 for normal, 2 for excessive
debug — Set bits to enable debugging
settle — Settle delay in seconds. Default 3
nvram — Option currently not used
excl — List ioport addresses here to prevent controllers from being attached
safe — Set other settings to a "safe mode"
|
ethtool or mii-tool. Only after these tools fail to work should module parameters be adjusted. Module parameters can be viewed using the modinfo command.
ethtool, mii-tool, and modinfo.
| ハードウェア | モジュール | パラメータ |
|---|---|---|
| 3Com EtherLink PCI III/XL Vortex (3c590, 3c592, 3c595, 3c597) Boomerang (3c900, 3c905, 3c595) |
3c59x.ko
|
debug — 3c59x debug level (0-6)
options — 3c59x: Bits 0-3: media type, bit 4: bus mastering, bit 9: full duplex
global_options — 3c59x: same as options, but applies to all NICs if options is unset
full_duplex — 3c59x full duplex setting(s) (1)
global_full_duplex — 3c59x: same as full_duplex, but applies to all NICs if full_duplex is unset
hw_checksums — 3c59x Hardware checksum checking by adapter(s) (0-1)
flow_ctrl — 3c59x 802.3x flow control usage (PAUSE only) (0-1)
enable_wol — 3c59x: Turn on Wake-on-LAN for adapter(s) (0-1)
global_enable_wol — 3c59x: same as enable_wol, but applies to all NICs if enable_wol is unset
rx_copybreak — 3c59x copy breakpoint for copy-only-tiny-frames
max_interrupt_work — 3c59x maximum events handled per interrupt
compaq_ioaddr — 3c59x PCI I/O base address (Compaq BIOS problem workaround)
compaq_irq — 3c59x PCI IRQ number (Compaq BIOS problem workaround)
compaq_device_id — 3c59x PCI device ID (Compaq BIOS problem workaround)
watchdog — 3c59x transmit timeout in milliseconds
global_use_mmio — 3c59x: same as use_mmio, but applies to all NICs if options is unset
use_mmio — 3c59x: use memory-mapped PCI I/O resource (0-1)
|
| RTL8139, SMC EZ Card Fast Ethernet, RealTek cards using RTL8129, or RTL8139 Fast Ethernet chipsets |
8139too.ko
| |
| Broadcom 4400 10/100 PCI ethernet driver |
b44.ko
|
b44_debug — B44 bitmapped debugging message enable value
|
| Broadcom NetXtreme II BCM5706/5708 Driver |
bnx2.ko
|
disable_msi — Disable Message Signaled Interrupt (MSI)
|
| Intel Ether Express/100 ドライバー |
e100.ko
|
debug — Debug level (0=none,...,16=all)
eeprom_bad_csum_allow — Allow bad eeprom checksums
|
| Intel EtherExpress/1000 Gigabit |
e1000.ko
|
TxDescriptors — Number of transmit descriptors
RxDescriptors — Number of receive descriptors
Speed — Speed setting
Duplex — Duplex setting
AutoNeg — Advertised auto-negotiation setting
FlowControl — Flow Control setting
XsumRX — Disable or enable Receive Checksum offload
TxIntDelay — Transmit Interrupt Delay
TxAbsIntDelay — Transmit Absolute Interrupt Delay
RxIntDelay — Receive Interrupt Delay
RxAbsIntDelay — Receive Absolute Interrupt Delay
InterruptThrottleRate — Interrupt Throttling Rate
SmartPowerDownEnable — Enable PHY smart power down
KumeranLockLoss — Enable Kumeran lock loss workaround
|
| Myricom 10G driver (10GbE) |
myri10ge.ko
|
myri10ge_fw_name — Firmware image name
myri10ge_ecrc_enable — Enable Extended CRC on PCI-E
myri10ge_max_intr_slots — Interrupt queue slots
myri10ge_small_bytes — Threshold of small packets
myri10ge_msi — Enable Message Signalled Interrupts
myri10ge_intr_coal_delay — Interrupt coalescing delay
myri10ge_flow_control — Pause parameter
myri10ge_deassert_wait — Wait when deasserting legacy interrupts
myri10ge_force_firmware — Force firmware to assume aligned completions
myri10ge_skb_cross_4k — Can a small skb cross a 4KB boundary?
myri10ge_initial_mtu — Initial MTU
myri10ge_napi_weight — Set NAPI weight
myri10ge_watchdog_timeout — Set watchdog timeout
myri10ge_max_irq_loops — Set stuck legacy IRQ detection threshold
|
| NatSemi DP83815 Fastイーサネット |
natsemi.ko
|
mtu — DP8381x MTU (all boards)
debug — DP8381x default debug level
rx_copybreak — DP8381x copy breakpoint for copy-only-tiny-frames
options — DP8381x: Bits 0-3: media type, bit 17: full duplex
full_duplex — DP8381x full duplex setting(s) (1)
|
| AMD PCnet32 and AMD PCnetPCI |
pcnet32.ko
| |
| PCnet32 and PCnetPCI |
pcnet32.ko
|
debug — pcnet32 debug level
max_interrupt_work — pcnet32 maximum events handled per interrupt
rx_copybreak — pcnet32 copy breakpoint for copy-only-tiny-frames
tx_start_pt — pcnet32 transmit start point (0-3)
pcnet32vlb — pcnet32 Vesa local bus (VLB) support (0/1)
options — pcnet32 initial option setting(s) (0-15)
full_duplex — pcnet32 full duplex setting(s) (1)
homepna — pcnet32 mode for 79C978 cards (1 for HomePNA, 0 for Ethernet, default Ethernet
|
| RealTek RTL-8169 Gigabit Ethernet driver |
r8169.ko
|
media — force phy operation. Deprecated by ethtool (8).
rx_copybreak — Copy breakpoint for copy-only-tiny-frames
use_dac — Enable PCI DAC. Unsafe on 32 bit PCI slot.
debug — Debug verbosity level (0=none, ..., 16=all)
|
| Neterion Xframe 10GbE Server Adapter |
s2io.ko
| |
| SIS 900/701G PCI Fastイーサネット |
sis900.ko
|
multicast_filter_limit — SiS 900/7016 maximum number of filtered multicast addresses
max_interrupt_work — SiS 900/7016 maximum events handled per interrupt
sis900_debug — SiS 900/7016 bitmapped debugging message level
|
| Adaptec Starfire Ethernet driver |
starfire.ko
|
max_interrupt_work — Maximum events handled per interrupt
mtu — MTU (all boards)
debug — Debug level (0-6)
rx_copybreak — Copy breakpoint for copy-only-tiny-frames
intr_latency — Maximum interrupt latency, in microseconds
small_frames — Maximum size of receive frames that bypass interrupt latency (0,64,128,256,512)
options — Deprecated: Bits 0-3: media type, bit 17: full duplex
full_duplex — Deprecated: Forced full-duplex setting (0/1)
enable_hw_cksum — Enable/disable hardware cksum support (0/1)
|
| Broadcom Tigon3 |
tg3.ko
|
tg3_debug — Tigon3 bitmapped debugging message enable value
|
| ThunderLAN PCI |
tlan.ko
|
aui — ThunderLAN use AUI port(s) (0-1)
duplex — ThunderLAN duplex setting(s) (0-default, 1-half, 2-full)
speed — ThunderLAN port speen setting(s) (0,10,100)
debug — ThunderLAN debug mask
bbuf — ThunderLAN use big buffer (0-1)
|
| Digital 21x4x Tulip PCI Ethernet cards SMC EtherPower 10 PCI(8432T/8432BT) SMC EtherPower 10/100 PCI(9332DST) DEC EtherWorks 100/10 PCI(DE500-XA) DEC EtherWorks 10 PCI(DE450) DEC QSILVER's, Znyx 312 etherarray Allied Telesis LA100PCI-T Danpex EN-9400, Cogent EM110 |
tulip.ko
|
io io_port
|
| VIA VT86c100A Rhine-II PCIか、3043 Rhine-I D-Link DFE-930-TX PCI 10/100 のいずれかを搭載するVIA Rhine PCI Fast イーサネットカード |
via-rhine.ko
|
max_interrupt_work — VIA Rhine maximum events handled per interrupt
debug — VIA Rhine debug level (0-7)
rx_copybreak — VIA Rhine copy breakpoint for copy-only-tiny-frames
avoid_D3 — Avoid power state D3 (work-around for broken BIOSes)
|
alias and, possibly, options lines for each card in /etc/modprobe.conf.
bonding kernel module and a special network interface, called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
/etc/modprobe.conf:
alias bond<N> bonding<N> with the interface number, such as 0. For each configured channel bonding interface, there must be a corresponding entry in /etc/modprobe.conf.
miimon or arp_interval and the arp_ip_target parameters. Refer to 「bonding Module Directives」 for a list of available options and how to quickly determine the best ones for your bonded interface.
BONDING_OPTS="<bonding parameters>" directive in your bonding interface configuration file (ifcfg-bond0 for example). Parameters to bonded interfaces can be configured without unloading (and reloading) the bonding module by manipulating files in the sysfs file system.
sysfs is a virtual file system that represents kernel objects as directories, files and symbolic links. sysfs can be used to query for information about kernel objects, and can also manipulate those objects through the use of normal file system commands. The sysfs virtual file system has a line in /etc/fstab, and is mounted under /sys. All bonded interfaces can be configured dynamically by interacting with and manipulating files under the /sys/class/net/ directory.
ifcfg-bond0 and inserted SLAVE=yes and MASTER=bond0 directives in the bonded interfaces following the instructions in 「チャンネルボンディングインターフェース」, you can proceed to testing and determining the best parameters for your bonded interface.
ifconfig bond<N> up as root:
ifconfig bond0 upifcfg-bond0 bonding interface file, you will be able to see bond0 listed in the output of running ifconfig (without any options):
~]# ifconfig
bond0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 52:54:00:26:9E:F1
inet addr:192.168.122.251 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe26:9ef1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:207 errors:0 dropped:0 overruns:0 frame:0
TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:70374 (68.7 KiB) TX bytes:25298 (24.7 KiB)
[output truncated]~]# cat /sys/class/net/bonding_masters
bond0/sys/class/net/bond<N>/bonding/ directory. First, the bond you are configuring must be taken down:
ifconfig bond0 downecho 1000 > /sys/class/net/bond0/bonding/miimonbalance-alb mode, you could run either:
echo 6 > /sys/class/net/bond0/bonding/modeecho balance-alb > /sys/class/net/bond0/bonding/modeifconfig bond<N> up . If you decide to change the options, take the interface down, modify its parameters using sysfs, bring it back up, and re-test.
BONDING_OPTS= directive of the /etc/sysconfig/network-scripts/ifcfg-bond<N> file for the bonded interface you are configuring. Whenever that bond is brought up (for example, by the system during the boot sequence if the ONBOOT=yes directive is set), the bonding options specified in the BONDING_OPTS will take effect for that bond. For more information on configuring bonded interfaces (and BONDING_OPTS), refer to 「チャンネルボンディングインターフェース」.
bonding module. For more in-depth information on configuring channel bonding and the exhaustive list of bonding module parameters, install the kernel-doc package and then locating and opening the included bonding.txt file:
yum -y install kernel-docnano -w $(rpm -ql kernel-doc | grep bonding.txt)
arp_interval=<time_in_milliseconds> arp_interval and arp_ip_target parameters are specified, or, alternatively, the miimon parameter is specified. Failure to do so can cause degradation of network performance in the event that a link fails.
mode=0 or mode=1 (the two load-balancing modes), the network switch must be configured to distribute packets evenly across the NICs. For more information on how to accomplish this, refer to /usr/share/doc/kernel-doc-<kernel_version>/Documentation/networking/bonding.txt
0 by default, which disables it.
arp_ip_target=<ip_address> [,<ip_address_2>,...<ip_address_16> ] arp_interval parameter is enabled. Up to 16 IP addresses can be specified in a comma separated list.
arp_validate=<value> none. Other valid values are active, backup, and all.
debug=<number> 0 — Debug messages are disabled. This is the default.
1 — Debug messages are enabled.
downdelay=<time_in_milliseconds> miimon parameter. The value is set to 0 by default, which disables it.
<value> slow or 0 — Default setting. This specifies that partners should transmit LACPDUs every 30 seconds.
fast or 1 — Specifies that partners should transmit LACPDUs every 1 second.
miimon=<time_in_milliseconds> ethtool <interface_name> | grep "Link detected:"<interface_name> with the name of the device interface, such as eth0, not the bond interface. If MII is supported, the command returns:
Link detected: yes
0 (the default), turns this feature off. When configuring this setting, a good starting point for this parameter is 100.
arp_interval and arp_ip_target parameters are specified, or, alternatively, the miimon parameter is specified. Failure to do so can cause degradation of network performance in the event that a link fails.
mode=<value> <value> is one of:
balance-rr or 0 — Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available.
active-backup or 1 — Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails.
balance-xor or 2 — Sets an XOR (exclusive-or) policy for fault tolerance and load balancing. Using this method, the interface matches up the incoming request's MAC address with the MAC address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface.
broadcast or 3 — Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces.
802.3ad or 4 — Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a switch that is 802.3ad compliant.
balance-tlb or 5 — Sets a Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave.
balance-alb or 6 — Sets an Active Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPV4 traffic. Receive load balancing is achieved through ARP negotiation.
num_unsol_na=<number> 0 - 255; the default value is 1. This option affects only the active-backup mode.
primary=<interface_name> eth0, of the primary device. The primary device is the first of the bonding interfaces to be used and is not abandoned unless it fails. This setting is particularly useful when one NIC in the bonding interface is faster and, therefore, able to handle a bigger load.
active-backup mode. Refer to /usr/share/doc/kernel-doc-<kernel-version>/Documentation/networking/bonding.txt for more information.
primary_reselect=<value> always or 0 (default) — The primary slave becomes the active slave whenever it comes back up.
better or 1 — The primary slave becomes the active slave when it comes back up, if the speed and duplex of the primary slave is better than the speed and duplex of the current active slave.
failure or 2 — The primary slave becomes the active slave only if the current active slave fails and the primary slave is up.
primary_reselect setting is ignored in two cases:
primary_reselect policy via sysfs will cause an immediate selection of the best active slave according to the new policy. This may or may not result in a change of the active slave, depending upon the circumstances
updelay=<time_in_milliseconds> miimon parameter. The value is set to 0 by default, which disables it.
use_carrier=<number> miimon should use MII/ETHTOOL ioctls or netif_carrier_ok() to determine the link state. The netif_carrier_ok() function relies on the device driver to maintains its state with netif_carrier_on/off ; most device drivers support this function.
netif_carrier_on/off .
1 — Default setting. Enables the use of netif_carrier_ok().
0 — Enables the use of MII/ETHTOOL ioctls.
netif_carrier_on/off .
xmit_hash_policy=<value> balance-xor and 802.3ad modes. Possible values are:
0 or layer2 — Default setting. This option uses the XOR of hardware MAC addresses to generate the hash. The formula used is:
(<source_MAC_address>XOR<destination_MAC>) MODULO<slave_count>
1 or layer3+4 — Uses upper layer protocol information (when available) to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single connection will not span multiple slaves.
((<source_port>XOR<dest_port>) XOR ((<source_IP>XOR<dest_IP>) AND0xffff) MODULO<slave_count>
layer2 transmit hash policy.
2 or layer2+3 — Uses a combination of layer2 and layer3 protocol information to generate the hash.
(((<source_IP>XOR<dest_IP>) AND0xffff) XOR (<source_MAC>XOR<destination_MAC>)) MODULO<slave_count>
lsmod man page — description and explanation of its output.
insmod man page — description and list of command line options.
modprobe man page — description and list of command line options.
rmmod man page — description and list of command line options.
modinfo man page — description and list of command line options.
/usr/share/doc/kernel-doc-<version>/Documentation/kbuild/modules.txt — how to compile and use kernel modules. Note you must have the kernel-doc package installed to read this file.
kdump is an advanced crash dumping mechanism. When enabled, the system is booted from the context of another kernel. This second kernel reserves a small amount of memory, and its only purpose is to capture the core dump image in case the system crashes. Since being able to analyze the core dump helps significantly to determine the exact cause of the system failure, it is strongly recommended to have this feature enabled.
kdump service in Red Hat Enterprise Linux, and provides a brief overview of how to analyze the resulting core dump using the crash debugging utility.
kdump Servicekdump service, you must have the kexec-tools package installed. Refer to パートII「パッケージ管理」 for more information on how to install new packages in Red Hat Enterprise Linux.
kdump service: at the first boot, using the Kernel Dump Configuration graphical utility, and doing so manually on the command line. It also describes how to test the configuration to verify that everything works as expected.
kdump service.
kdump configuration screen
kdump crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB.
kdump daemon at boot time, select the Enable kdump? check box. This will enable the service for runlevels 2, 3, 4, and 5, and start it for the current session. Similarly, unselecting the check box will disable it for all runlevels and stop the service immediately.
kdump kernel, click the up and down arrow buttons next to the Kdump Memory field to increase or decrease the value. Notice that the Usable System Memory field changes accordingly showing you the remaining memory that will be available to the system.
system-config-kdump at a shell prompt (for example, xterm or GNOME Terminal). Unless you are already authenticated, you will be prompted to enter the superuser password.
kdump as well as to enable or disable starting the service at boot time. When you are done, click to save the changes. The system reboot will be requested.
kdump crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB.
kdump daemon at boot time, select the Enable kdump check box. This will enable the service for runlevels 2, 3, 4, and 5, and start it for the current session. Similarly, unselecting the check box will disable it for all runlevels and stop the service immediately.
kdump kernel, click the up and down arrow buttons next to the New kdump Memory field to increase or decrease the value. Notice that the Usable Memory field changes accordingly showing you the remaining memory that will be available to the system.
/dev/sdb1). When you are done, click to confirm your choice.
hostname:directory form (for example, penguin.example.com:/export). Clicking the button will confirm your changes. Finally, edit the value of the Path field to customize the destination directory (for instance, cores).
username@hostname form (for example, john@penguin.example.com). Clicking the button will confirm your changes. Finally, edit the value of the Path field to customize the destination directory (for instance, /export/cores).
vmcore dump file, kdump allows you to specify an external application (that is, a core collector) to compress the data, and optionally leave out all irrelevant information. Currently, the only fully supported core collector is makedumpfile.
-c parameter is listed after the makedumpfile command in the Core Collector field (for example, makedumpfile -c).
-d value parameter after the makedumpfile command in the Core Collector field. The value is a sum of values of pages you want to omit as described in 表44.1「Supported filtering levels」. For example, to remove both zero and free pages, use makedumpfile -d 17.
makedumpfile for a complete list of available options.
kdump fails to create a core dump, select the appropriate option from the Default Action pulldown list. Available options are (the default action), (to reboot the system), (to present a user with an interactive shell prompt), and (to halt the system).
kdump on the Command Line~]$ su -
Password:kdump kernel, open the /boot/grub/grub.conf file in a text editor and add the crashkernel=<size>M@16M parameter to the list of kernel options as shown in 例44.1「A sample /boot/grub/grub.conf file」.
/boot/grub/grub.conf file# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda3
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-274.3.1.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-274.3.1.el5 ro root=/dev/sda3 crashkernel=128M@16M
initrd /initrd-2.6.18-274.3.1.el5.imgkdump crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB, as lower values proved to be unreliable. For more information on minimum memory requirements for Red Hat Enterprise Linux, refer to the Required minimums section of the Red Hat Enterprise Linux comparison chart.
vmcore file in the /var/crash/ directory of the local file system. To change this, open the /etc/kdump.conf configuration file in a text editor and edit the options as described below.
#path /var/crash line, and replace the value with a desired directory path. Optionally, if you wish to write the file to a different partition, follow the same procedure with the #ext3 /dev/sda3 line as well, and change both the file system type and the device (a device name, a file system label, and UUID are all supported) accordingly. For example:
ext3 /dev/sda4 path /usr/local/cores
#raw /dev/sda5 line, and replace the value with a desired device name. For example:
raw /dev/sdb1
#net my.server.com:/export/tmp line, and replace the value with a valid hostname and directory path. For example:
net penguin.example.com:/export/cores
#net user@my.server.com line, and replace the value with a valid username and hostname. For example:
net john@penguin.example.com
vmcore dump file, kdump allows you to specify an external application (that is, a core collector) to compress the data, and optionally leave out all irrelevant information. Currently, the only fully supported core collector is makedumpfile.
/etc/kdump.conf configuration file in a text editor, remove the hash sign (「#」) from the beginning of the #core_collector makedumpfile -c --message-level 1 line, and edit the command line options as described below.
-c parameter. For example:
core_collector makedumpfile -c
-d value parameter, where value is a sum of values of pages you want to omit as described in 表44.1「Supported filtering levels」. For example, to remove both zero and free pages, use the following:
core_collector makedumpfile -d 17 -c
makedumpfile for a complete list of available options.
| Option | Description |
|---|---|
1
| Zero pages |
2
| Cache pages |
4
| Cache private |
8
| User pages |
16
| Free pages |
kdump fails to create a core dump, the root file system is mounted and /sbin/init is run. To change this behavior, open the /etc/kdump.conf configuration file in a text editor, remove the hash sign (「#」) from the beginning of the #default shell line, and replace the value with a desired action as described in 表44.2「Supported actions」. For example:
default halt
| Option | Action |
|---|---|
reboot
| Reboot the system, losing the core in the process. |
halt
| After failing to capture a core, halt the system. |
shell
| Run the msh session from within the initramfs, allowing a user to record the core manually. |
kdump daemon at boot time, type the following at a shell prompt:
~]# chkconfig kdump on2, 3, 4, and 5. Similarly, typing chkconfig kdump off will disable it for all runlevels. To start the service in the current session, use the following command:
~]# service kdump start
No kdump initial ramdisk found. [WARNING]
Rebuilding /boot/initrd-2.6.18-194.8.1.el5kdump.img
Starting kdump: [ OK ]kdump enabled, and make sure that the service is running:
~]# service kdump status
Kdump is operational~]#echo 1 > /proc/sys/kernel/sysrq~]#echo c > /proc/sysrq-trigger
YYYY-MM-DD-HH:MM/vmcore/var/crash/ by default).
vmcore dump file, you must have the crash and kernel-debuginfo packages installed. To do so, type the following at a shell prompt:
~]# yum install --enablerepo=rhel-debuginfo crash kernel-debuginfonetdump, diskdump, xendump, or kdump. When started, it presents you with an interactive prompt very similar to the GNU Debugger (GDB).
crash /var/crash/timestamp/vmcore /usr/lib/debug/lib/modules/kernel/vmlinuxkernel version should be the same as the one that was captured by kdump. To find out which kernel you are currently running, use the uname -r command.
crash utility~]#crash /var/crash/2010-08-04-17\:55/vmcore \/usr/lib/debug/lib/modules/2.6.18-194.8.1.el5/vmlinuxcrash 4.1.2-4.el5_5.1 Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Red Hat, Inc. Copyright (C) 2004, 2005, 2006 IBM Corporation Copyright (C) 1999-2006 Hewlett-Packard Co Copyright (C) 2005, 2006 Fujitsu Limited Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. Copyright (C) 2005 NEC Corporation Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. This program is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Enter "help copying" to see the conditions. This program has absolutely no warranty. Enter "help warranty" for details. GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"... KERNEL: /usr/lib/debug/lib/modules/2.6.18-194.8.1.el5/vmlinux DUMPFILE: /var/crash/2010-08-04-17:55/vmcore CPUS: 1 DATE: Wed Aug 4 17:50:41 2010 UPTIME: 00:56:53 LOAD AVERAGE: 0.47, 0.47, 0.55 TASKS: 128 NODENAME: localhost.localdomain RELEASE: 2.6.18-194.el5 VERSION: #1 SMP Tue Mar 16 21:52:43 EDT 2010 MACHINE: i686 (2702 Mhz) MEMORY: 1 GB PANIC: "SysRq : Trigger a crashdump" PID: 6042 COMMAND: "bash" TASK: f09c7000 [THREAD_INFO: e1ba9000] CPU: 0 STATE: TASK_RUNNING (SYSRQ) crash>
exit.
log command at the interactive prompt.
crash> log
Linux version 2.6.18-194.el5 (mockbuild@x86-007.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Tue Mar 16 21:52:43 EDT 2010
BIOS-provided physical RAM map:
BIOS-e820: 0000000000010000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 000000003fff0000 (usable)
BIOS-e820: 000000003fff0000 - 0000000040000000 (ACPI data)
BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
127MB HIGHMEM available.
896MB LOWMEM available.
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 262128
DMA zone: 4096 pages, LIFO batch:0
Normal zone: 225280 pages, LIFO batch:31
HighMem zone: 32752 pages, LIFO batch:7
DMI 2.5 present.
Using APIC driver default
... several lines omitted ...
SysRq : Trigger a crashdumphelp log for more information on the command usage.
bt command at the interactive prompt. You can use bt pid to display the backtrace of the selected process.
crash> bt
PID: 6042 TASK: f09c7000 CPU: 0 COMMAND: "bash"
#0 [e1ba9d10] schedule at c061c738
#1 [e1ba9d28] netlink_getsockopt at c05d50bb
#2 [e1ba9d34] netlink_queue_skip at c05d40d5
#3 [e1ba9d40] netlink_sock_destruct at c05d506d
#4 [e1ba9d84] sock_recvmsg at c05b6cc8
#5 [e1ba9dd4] enqueue_task at c041eed5
#6 [e1ba9dec] try_to_wake_up at c041f798
#7 [e1ba9e10] vsnprintf at c04efef2
#8 [e1ba9ec0] machine_kexec at c0419bf0
#9 [e1ba9f04] sys_kexec_load at c04448a1
#10 [e1ba9f4c] tty_audit_exit at c0549f06
#11 [e1ba9f50] tty_audit_add_data at c0549d5d
#12 [e1ba9f84] do_readv_writev at c0476055
#13 [e1ba9fb8] system_call at c0404f10
EAX: ffffffda EBX: 00000001 ECX: b7f7f000 EDX: 00000002
DS: 007b ESI: 00000002 ES: 007b EDI: b7f7f000
SS: 007b ESP: bf83f478 EBP: bf83f498
CS: 0073 EIP: 009ac402 ERR: 00000004 EFLAGS: 00000246help bt for more information on the command usage.
ps command at the interactive prompt. You can use ps pid to display the status of the selected process.
crash> ps
PID PPID CPU TASK ST %MEM VSZ RSS COMM
0 0 0 c068a3c0 RU 0.0 0 0 [swapper]
1 0 0 f7c81aa0 IN 0.1 2152 616 init
... several lines omitted ...
6017 1 0 e39f6550 IN 1.2 40200 13000 gnome-terminal
6019 6017 0 e39f6000 IN 0.1 2568 708 gnome-pty-helpe
6020 6017 0 f0421550 IN 0.1 4620 1480 bash
6021 1 0 f7f69aa0 ?? 1.2 40200 13000 gnome-terminal
6039 6020 0 e7e84aa0 IN 0.1 5004 1300 su
> 6042 6039 0 f09c7000 RU 0.1 4620 1464 bashhelp ps for more information on the command usage.
vm command at the interactive prompt. You can use vm pid to display information on the selected process.
crash> vm
PID: 6042 TASK: f09c7000 CPU: 0 COMMAND: "bash"
MM PGD RSS TOTAL_VM
e275ee40 e2b08000 1464k 4620k
VMA START END FLAGS FILE
e315d764 1fe000 201000 75 /lib/libtermcap.so.2.0.8
e315de9c 201000 202000 100073 /lib/libtermcap.so.2.0.8
c9b040d4 318000 46a000 75 /lib/libc-2.5.so
e315da04 46a000 46c000 100071 /lib/libc-2.5.so
e315d7b8 46c000 46d000 100073 /lib/libc-2.5.so
e315de48 46d000 470000 100073
e315dba8 9ac000 9ad000 8040075
c9b04a04 a2f000 a4a000 875 /lib/ld-2.5.so
c9b04374 a4a000 a4b000 100871 /lib/ld-2.5.so
e315d6bc a4b000 a4c000 100873 /lib/ld-2.5.so
e315d908 fa1000 fa4000 75 /lib/libdl-2.5.so
e315db00 fa4000 fa5000 100071 /lib/libdl-2.5.so
e315df44 fa5000 fa6000 100073 /lib/libdl-2.5.so
e315d320 ff0000 ffa000 75 /lib/libnss_files-2.5.so
e315d668 ffa000 ffb000 100071 /lib/libnss_files-2.5.so
e315def0 ffb000 ffc000 100073 /lib/libnss_files-2.5.so
e315d374 8048000 80f5000 1875 /bin/bash
c9b045c0 80f5000 80fa000 101873 /bin/bash
... several lines omitted ...help vm for more information on the command usage.
files command at the interactive prompt. You can use files pid to display files opened by the selected process.
crash> files
PID: 6042 TASK: f09c7000 CPU: 0 COMMAND: "bash"
ROOT: / CWD: /root
FD FILE DENTRY INODE TYPE PATH
0 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1
1 e424d8c0 d637add8 f7809b78 REG /proc/sysrq-trigger
2 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1
10 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1
255 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1help files for more information on the command usage.
man kdump.conf/etc/kdump.conf configuration file containing the full documentation of available options.
man kexeckexec containing the full documentation on its usage.
man crash/usr/share/doc/kexec-tools-version/kexec-kdump-howto.txtkdump and kexec installation and usage.
kexec and kdump configuration.
目次
nmapと入力し、その後スキャン するマシンのホスト名又は IP アドレスを入力することで実行できます。
nmap foo.example.comStarting nmap V. 3.50 ( www.insecure.org/nmap/ ) Interesting ports on localhost.localdomain (127.0.0.1): (The 1591 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 25/tcp open smtp 111/tcp open sunrpc 443/tcp open https 515/tcp open printer 950/tcp open oftep-rpc 6000/tcp open X11 Nmap run completed -- 1 IP address (1 host up) scanned in 71.825 seconds
| 不正アクセス | 詳細 | 注記 | |||
|---|---|---|---|---|---|
| 空白またはデフォルトのパスワード | 管理用パスワードを空白のままにしたり、製品ベンダー設定のデフォルトパスワードをそのまま使用したりすることは、ルーターやファイアウォールなどのハードウェアで最もよく見られますが、 Linux 上で動作するサービスにはデフォルトの管理者用パスワードが入っているものがあるかもしれません (Red Hat Enterprise Linux 5 では、パスワードをつけたまま出荷していません)。 |
| |||
| デフォルトの共有鍵 | 安全なサービスは時として、開発や査定テストの目的でデフォルトのセキュリティ鍵をパッケージにしていることがあります。これらの鍵を変更せずにインターネット上の実稼働環境で配置した場合、同じデフォルトの鍵を持つユーザーは 全て その共有鍵のリソースや、そこにあるすべての機密情報にアクセス権を有することになります。 |
| |||
| IP Spoofing (なりすまし) | A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or Trojan horse to gain control over your network resources. |
| |||
| 盗聴 | 2つのノード間接続を盗聴することによりネットワーク上でそのアクティブなノード間が交わすデータを収集することです。 |
| |||
| サービスの脆弱性 | 攻撃者はインターネット上で実行するサービスの弱点や盲点を発見します。この脆弱性を利用して、攻撃者はそのシステム全体そして格納されているデータをすべて感染させ、ネットワーク上の他のシステムをも感染させる可能性があります。 |
| |||
| アプリケーションの脆弱性 | Attackers find faults in desktop and workstation applications (such as e-mail clients) and execute arbitrary code, implant Trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network. |
| |||
| サービス停止攻撃 (DoS=Denial of Service) | Attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users. |
|
/tmp/updates, and save all the downloaded packages to it.
/mnt/cdrom, use the following command to import it into the keyring (a database of trusted keys on the system):
rpm --import /mnt/cdrom/RPM-GPG-KEY-redhat-releaserpm -qa gpg-pubkey*gpg-pubkey-37017186-45761324
rpm -qi command followed by the output from the previous command, as in this example:
rpm -qi gpg-pubkey-37017186-45761324rpm -K /tmp/updates/*.rpmgpg OK. If it doesn't, make sure you are using the correct Red Hat public key, as well as verifying the source of the content. Packages that do not pass GPG verifications should not be installed, as they may have been altered by a third party.
rpm -Uvh /tmp/updates/*.rpmrpm -ivh /tmp/updates/<kernel-package><kernel-package> in the previous example with the name of the kernel RPM.
rpm -e <old-kernel-package><old-kernel-package> in the previous example with the name of the older kernel RPM.
glibc, which are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using the updated library must be halted and relaunched.
lsof command as in the following example:
lsof /usr/lib/libwrap.so*tcp_wrappers package is updated.
sshd, vsftpd, and xinetd.
/sbin/service command as in the following example:
service <service-name> restart<service-name> with the name of the service, such as sshd.
xinetd Servicesxinetd super service only run when a there is an active connection. Examples of services controlled by xinetd include Telnet, IMAP, and POP3.
xinetd each time a new request is received, connections that occur after an upgrade are handled by the updated software. However, if there are active connections at the time the xinetd controlled service is upgraded, they are serviced by the older version of the software.
xinetd controlled service, upgrade the package for the service then halt all processes currently running. To determine if the process is running, use the ps command and then use the kill or killall command to halt current instances of the service.
imap packages are released, upgrade the packages, then type the following command as root into a shell prompt:
ps -aux | grep imapkill <PID>kill -9 <PID><PID> with the process identification number (found in the second column of the ps command) for an IMAP session.
killall imapdcat コマンドを使って情報を収集することができます。
grub-md5-crypt/boot/grub/grub.conf を編集します。ファイルを開き、ドキュメントのメインセクションにある timeout 行の下に次の行を追加します。
password --md5 <password-hash>/boot/grub/grub.conf ファイルの別の部分を編集する必要があります。
title 行を探して、そのすぐ下に lock という行を追加します。
title DOS lock
password 行が /boot/grub/grub.conf ファイルのメインセクションに表示されていなければなりません。これがないと、攻撃者は GRUB エディタインターフェースにアクセスして lock 行を削除できることになります。
lock 行とその後にパスワード行を付けて追加します。
title DOS lock password --md5 <password-hash>/etc/passwd file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, they can copy the /etc/passwd file to their own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
/etc/shadow ファイルに格納して、この種の攻撃を排除します。これは、 root ユーザーによってのみ読み取り可能です。
otrattw,tghwg.
7 を t の代わりに置き換えて、 @ を a の代わりに置き換えます:
o7r@77w,7ghwg.
H など。
o7r@77w,7gHwg.
passwd, which is Pluggable Authentication Manager (PAM) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the pam_cracklib.so PAM module. Since PAM is customizable, it is possible to add more password integrity checkers, such as pam_passwdqc (available from http://www.openwall.com/passwdqc/) or to write a new module. For a list of available PAM modules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html. For more information about PAM, refer to 「PAM(Pluggable Authentication Modules)」.
chage コマンドとグラフィカルな User Manager (system-config-users) アプリケーションの2つがあります。
-M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:
chage -M 90 <username><username> with the name of the user. To disable password expiration, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years).
chage コマンドを 使用して、複数のパスワードエージングとアカウント詳細を修正することもできます。以下のコマンドを使用してインタラクティブモードに入ります:
chage <username>~]# chage davido
Changing the aging information for davido
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
~]#system-config-users 入力することもできます。
sudo or su. A setuid program is one that operates with the user ID (UID) of the program's owner rather than the user operating the program. Such programs are denoted by an s in the owner section of a long format listing, as in the following example:
-rwsr-xr-x 1 root root 47324 May 1 08:09 /bin/su
s は、大文字でも、小文字でも通用します。大文字で出た場合、背後にある権限ビットは設定されていないという意味です。
pam_console.so, some activities normally reserved only for the root user, such as rebooting and mounting removable media are allowed for the first user that logs in at the physical console (refer to 「PAM(Pluggable Authentication Modules)」 for more information about the pam_console.so module.) However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users on their network should receive.
/sbin/nologin in the /etc/passwd file.
| 効果 | 対象外 |
|---|---|
|
Prevents access to the root shell and logs any such attempts. The following programs are prevented from accessing the root account:
|
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account:
|
/etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to their machine as root via Telnet, which transmits the password in plain text over the network.
/etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent the root user from logging in, remove the contents of this file by typing the following command at a shell prompt as root:
echo > /etc/securettysecuretty support in the KDM, GDM, and XDM login managers, add the following line:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/pam.d/gdm
/etc/pam.d/gdm-autologin
/etc/pam.d/gdm-fingerprint
/etc/pam.d/gdm-password
/etc/pam.d/gdm-smartcard
/etc/pam.d/kdm
/etc/pam.d/kdm-np
/etc/pam.d/xdm
/etc/securetty ファイルは、認証までコンソールが開かないため、 OpenSSH ツールセットを使う遠隔からの root ユーザーログインは 防ぎません 。
| 効果 | 対象外 |
|---|---|
|
コンソール又は、ネットワーク経由での root アカウントへのアクセスを防止します。以下のプログラムは root アカウントへのアクセスを防止されています:
|
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
|
/etc/ssh/sshd_config, and change the line that reads:
#PermitRootLogin yes
PermitRootLogin no
| 効果 | 対象外 |
|---|---|
|
ツールの OpenSSH セットを経由して root アクセスを防止します。以下のプログラムは root アカウントヘのアクセスを防止されています::
|
Programs that are not part of the OpenSSH suite of tools.
|
/lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. To limit root access to a system service, edit the file for the target service in the /etc/pam.d/ directory and make sure the pam_listfile.so module is required for authentication.
vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line is not necessary if the directive is on a single line):
auth required /lib/security/pam_listfile.so item=user \ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
/etc/vsftpd.ftpusers ファイルを参照して、記載されているユーザーすべてに対してサービスへのアクセスを拒否するように指示します。管理者はこのファイルの名前は変更しても構いません。そして各サービスの一覧を別々に保持したり、複数のサービスへのアクセスを拒否するために1つの中央一覧を使うこともできます。
/etc/pam.d/pop や /etc/pam.d/imap 、あるいは SSH クライアント用の /etc/pam.d/ssh などの PAM 設定サービスに、似たような行を加えることができます。
| 効果 | 対象外 |
|---|---|
|
Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
|
PAM 認識ではないプログラムとサービス
|
su や sudo などの setuid プログラムからのアクセスのみを許可すると良いでしょう。
su コマンドsu コマンドを入力すると、ユーザーは root パスワードを求められ、認証された後で root シェルプロンプトが与えられます。
su コマンドからログインすると、ユーザーは root ユーザー であり 、システムに対して絶対的な管理アクセス権を持ちます。 [16] さらに、ユーザーが root になると、パスワードを求められることなく su コマンドを使ってシステム上の他のユーザーになることが可能になります。
usermod -G wheel <username><username> with the username you want to add to the wheel group.
system-config-users 入力することもできます。
su (/etc/pam.d/su) の PAM 設定ファイルをテキストエディタで開き、以下の行から # コメントを削除します。
auth required /lib/security/$ISA/pam_wheel.so use_uid
wheel のメンバーだけにそのプログラムの使用を許可します。
wheel グループのメンバーです。
sudo コマンドsudo コマンドでは、ユーザーに管理アクセスを与えるもう1つの方法を提供しています。信頼できるユーザーが管理コマンドに sudo を先に付けて実行すると、このユーザーは 自身の パスワードを要求されます。その後、認証され、そのコマンドが許可されれば、管理コマンドは root ユーザーで行なわれたかのように実行されます。
sudo コマンドの基本形式は次のようになります:
sudo <command><command> would be replaced by a command normally reserved for the root user, such as mount.
sudo コマンドのユーザーは、マシンから離れる前にログアウトするよう十分に気をつける必要があります。このセッティングは設定ファイルの /etc/sudoers から変更できます。
sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in 「root アクセスを禁止する」.
sudo command also provides a comprehensive audit trail. Each successful authentication is logged to the file /var/log/messages and the command issued along with the issuer's user name is logged to the file /var/log/secure.
sudo コマンドのもうひとつの利点は、管理者が必要に応じて特定コマンドに別々のユーザーアクセスを許可することができることです。
sudo 設定ファイルの /etc/sudoers を編集する管理者は、 visudo コマンドを使用してください。
visudo を入力してからユーザーの権利指定セクションで以下のような行を追加します。
juan ALL=(ALL) ALL
juan がどのホストからも sudo を使用してどのコマンドも実行できるように決めています。
sudo を設定する際に、以下のように特定コマンドを設定できます。
%users localhost=/sbin/shutdown -h now
/sbin/shutdown -h now コマンドを発行できるように決めています。
sudoers の man ページにはこのファイル用オプションの詳細一覧が記述されています。
cupsd — Red Hat Enterprise Linux 用のデフォルトの印刷サーバー
lpd — 代替の印刷サーバー
xinetd — gssftp や telnet など、従属サーバー群への接続を制御するスーパーサーバーです。
sendmail — デフォルトでは、 Sendmail Mail Transport Agent (メールトランスポートエージェント) (MTA) が有効になっていますが、 localhost からの接続のみリスニングします。
sshd — Telnet のセキュアな代替となる OpenSSH サーバー
cupsd を実行したままにしておかないようにします。 portmap についても同じです。 NFSv3 ボリュームをマウントしなかったり NIS (ypbind サービス) を使用しない場合には、 portmap は無効にしてください。
system-config-services), ntsysv, and chkconfig. For information on using these tools, refer to 17章サービスへのアクセスの制御.
netdump のようなリモートメモリダンプサービスもネットワーク上で暗号化していないメモリの内容を渡します。メモリダンプにはパスワード、ときにはデータベースのエントリや他の機密情報なども含まれていることがあります。
finger 及び rwhod のような他のサービスは、システムのユーザーに関する情報を明かしてしまいます。
rlogin、 rsh、telnet、vsftpd があります。
rlogin, rsh, and telnet) should be avoided in favor of SSH. Refer to 「セキュリティ強化された通信ツール」 for more information about sshd.
finger
authd (これは以前の Red Hat Enterprise Linux リリースではidentd と呼ばれていました。)
netdump
netdump-server
nfs
rwhod
sendmail
smb (Samba)
yppasswdd
ypserv
ypxfrd
system-config-securitylevel). This tool creates broad iptables rules for a general-purpose firewall using a control panel interface.
iptables is probably a better option. Refer to 「Firewalls」 for more information. Refer to 「IPTables」 for a comprehensive guide to the iptables command.
telnet や rsh などのように旧式で暗号化されないサービスに代わります。 OpenSSH には sshd と呼ばれるネットワークサービスと3つのコマンドラインクライアントアプリケーションが含まれます。
ssh — 安全なリモートコンソールアクセスクライアント
scp — 安全なリモートコピーコマンド
sftp — インタラクティブなファイル転送セッションを可能にする安全な pseudo-ftp クライアント
sshd service is inherently secure, the service must be kept up-to-date to prevent security threats. Refer to 「セキュリティの更新」 for more information.
xinetd と関連付けて使用すると増強されます。
xinetd to create redundancy within service access controls. Refer to 「Firewalls」 for more information about implementing firewalls with iptables commands.
xinetd.
hosts_options の man ページを参照してください。
banner オプションを使用します。
vsftpd のバナーを実行しています。まず、バナーファイルを作成します。ファイルはシステムのどこに格納されても構いませんが、デーモンと同じ名前でなければなりません。この例では、ファイル名を /etc/banners/vsftpd とし、以下の行を含みます:
220-Hello, %c 220-All activity on ftp.example.com is logged. 220-Inappropriate use will result in your access privileges being removed.
%c トークンは、ユーザー名とホスト名、あるいはユーザー名と IP アドレスなどのさまざまなクライアント情報を供給してその接続をさらに威嚇的にします。
/etc/hosts.allow ファイルに追加します:
vsftpd : ALL : banners /etc/banners/
spawn ディレクティブを使用して、そのホストまたはネットワークからのその後の攻撃を管理者に警告することができます。
/etc/hosts.deny ファイルに以下の行を入力すると、そのネットワークからの接続試行は拒否されその試みは特別なファイルにログされます。
ALL : 206.182.68.0 : spawn /bin/ 'date' %c %d >> /var/log/intruder_alert
%d トークンは攻撃者がアクセスを試みたサービスの名前を提供します。
spawn 指令を /etc/hosts.allow ファイルに配置します。
spawn ディレクティブがシェルコマンドを実行するため、特定のクライアントがサーバーへの接続を試みた場合、特別なスクリプトを作成して管理者に知らせるか、連続のコマンドを実行するようにします。
severity オプションを介してそのサービスのログレベル上げることができます。
info フラグの代わりに emerg フラグをログファイルに配置し、接続を拒否します。
/etc/hosts.deny に配置します:
in.telnetd : ALL : severity emerg
authpriv ロギング機構を使用しますが、 info のデフォルト値から、ログメッセージを直接コンソールに置く emerg に優先度を上げます。
xinetd での trap サービス設定や如何なる xinetd サービスにでも利用可能なリソースレベルの制御の為の使用に焦点を置きます。サービスにリソース制限を設定することは Denial of Service (サービス停止攻撃) (DoS) の防御に役に立ちます。使用可能オプションの詳細一覧は xinetd と xinetd.conf の man ページをご参照下さい。
xinetd の重要機能の1つとしてグローバル no_access リストへのホスト追加機能があげられます。このリストに掲載されているホストは特定の期間、又は xinetd が再起動するまで xinetd が管理するサービスへの接続を拒否されます。これは SENSOR 属性を使用することにより達成されます。サーバーのポートスキャンを試みるホストをブロックする簡単な方法です。
SENSOR 設定の第一歩として利用予定のないサービスを選択します。この例では Telnet が使用されています。
/etc/xinetd.d/telnet ファイルを編集し、 flags の行を次の通り変更します:
flags = SENSOR
deny_time = 30
deny_time 属性に使用可能な値として、 xinetd が再起動されるまで接続を拒否する FOREVER や接続を許可しログする NEVER があります。
disable = no
SENSOR を使用することにより極悪なホストを検出し、接続を拒否することができますが、難点が 2 つほどあります:
SENSOR はステルススキャンには対応できません。
SENSOR が実行されていることを知る攻撃者は、 IP アドレスを偽造し、アクセス禁止ポートに接続することで、特定のホストに対してサービス停止攻撃を仕掛けることができます。
xinetd のもう1つの重要な機能は、その管理下のサービスが使用するリソース量を制御する能力です。
cps = <number_of_connections> <wait_period> — Limits the rate of incoming connections. This directive takes two arguments:
<number_of_connections> — The number of connections per second to handle. If the rate of incoming connections is higher than this, the service is temporarily disabled. The default value is fifty (50).
<wait_period> — The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds.
instances = <number_of_connections> — Specifies the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.
per_source = <number_of_connections> — Specifies the number of connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.
rlimit_as = <number[K|M]> — Specifies the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.
rlimit_cpu = <number_of_seconds> — Specifies the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.
xinetd によるシステム過大負荷を防止します。
portmap サービスは NIS や NFS など RPC サービス向けのダイナミックなポート指定デーモンです。脆弱な認証メカニズムのうえ、管理下のサービスに広範囲なポートを指定する機能を持ち合わせているため、保護するのは困難です。
portmap を保護することは、 NFSv4 では必要ない為、単に NFSv2 と NFSv3 の実装に影響するだけです。 NFSv2 と NFSv3 サーバーを実装する予定であれば、 portmap が必要となり、以下のセクションが適用されます.
portmap サービスには内蔵の認証形式がないため、 TCP ラッパーを使用し、このサービスへアクセス可能なネットワークやホストを制限することが重要になります。
portmap サービスへのアクセスを更に規制するには、 iptables ルールをサーバーに追加し、特定ネットワークへのアクセスを規制するとよいでしょう。
sgi_fam サービスに必要) から portmap (ポート 111 でリッスン)への TCP 接続を許可する IPTables コマンドの 2 例を下記に説明しています。
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROPiptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 111 -j DROPypserv,--> which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
/usr/sbin/rpc.yppasswdd — yppasswdd サービスとも呼ばれます。このデーモンはユーザーの NIS パスワード変更を許可します。
/usr/sbin/rpc.ypxfrd — ypxfrd サービスとも呼ばれるデーモンで、 NIS マップをネットワーク上で転送します。
/usr/sbin/yppush — このアプリケーションは NIS データベースの変更を複数の NIS サーバーに伝搬します。
/usr/sbin/ypserv — これが NIS サーバーのデーモンです。
portmap service as outlined in 「ポートマップの保護」, then address the following issues, such as network planning.
/etc/passwd マップを確認することができます:
ypcat -d <NIS_domain> -h <DNS_hostname> passwd/etc/shadow ファイルを入手することができます:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow/etc/shadow ファイルには NIS マップには保存されません。
o7hfawtgmhwg.domain.com のように無作為な DNS ホスト名を設定して下さい。同様に、 異なる 無作為な NIS ドメイン名を設定して下さい。これで、攻撃者による NIS サーバーへのアクセスは一層困難になります。
/var/yp/securenets ファイルを編集する/var/yp/securenets ファイルが空か、存在しない場合 (デフォルトインストールの後に相当)、 NIS はすべてのネットワークをリッスンします。最初にすることの1つは、ネットマスクとネットワークのペアをファイルに格納して、 ypserv が正当なネットワークからの要求のみに応答するようにします。
/var/yp/securenets ファイルからのエントリー例は下記の通りです:
255.255.255.0 192.168.0.0
/var/yp/securenets を作成してから始めて下さい。
rpc.yppasswdd (ユーザーにログインパスワードの変更を許可するデーモン) 以外の特定のポートに割り当てできます。他の NIS サーバーデーモンである rpc.ypxfrd と ypserv にポートを割り当てると、ファイアウォールルールの作成が可能となり、更に NIS サーバーデーモンを侵入者から守ります。
/etc/sysconfig/network に追加して下さい:
YPSERV_ARGS="-p 834" YPXFRD_ARGS="-p 835"
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 834 -j DROPiptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 835 -j DROPiptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 834 -j DROPiptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 835 -j DROP
/etc/shadow マップからのパスワードハッシュがネットワーク上に配信されることが、 NIS を認証に使用する場合に配慮すべき問題の1つだと言えます。侵入者が NIS ドメインにアクセスを得てネットワーク通信をかぎ回ると、ユーザー名とパスワードハッシュを密かに収集することができます。十分な時間があるとパスワードクラッキングプログラムは、貧弱なパスワードを想像できて攻撃者はネットワークの大切なアカウントにアクセス出来てしまいます。
portmap service as outlined in 「ポートマップの保護」. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on portmap is still included, since Red Hat Enterprise Linux supports NFSv2 and NFSv3, both of which utilize portmap.
/etc/exports ファイル経由でエキスポートする先のファイルシステムやホストは NFS サーバーが決定します。このファイルを編集する時、無関係な空白を追加しないように気をつけて下さい。
/etc/exports ファイルにある次の行は、ホスト bob.example.com に対して読み込み/書き込み権限付で、ディレクトリ /tmp/nfs/を共有します。
/tmp/nfs/ bob.example.com(rw)
/etc/exports ファイルにある以下の行は、ホスト bob.example.com に対して読み取り専用の権限で同じディレクトリを共有します。又、 world に対してはホスト名の後の空白1つによって、読み取り/書き込み権限でディレクトリを共有します。
/tmp/nfs/ bob.example.com (rw)
showmount コマンドを使用し、設定済みの NFS の共有をチェックして、それが正しく共有していることを確認すると良いでしょう:
showmount -e <hostname>no_root_squash オプションは使用しないnfsnobody へのルートユーザーを変更します。そこで全てのルート作成によるファイルのオーナーは nfsnobody に変わり、 setuid ビットセットを持つプログラムのアップロードを阻止します。
no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.
FollowSymLinks / にはシンボリックリンクを与えないようにします。
Indexes ディレクティブUserDir ディレクティブUserDir ディレクティブはデフォルトで無効となっています。サーバーのユーザーディレクトリ閲覧を有効にするには次のディレクティブを使用して下さい:
UserDir enabled UserDir disabled root
/root/ 以外の全てのユーザーディレクトリのユーザーディレクトリ閲覧を有効にします。無効アカウントのリストにユーザーを追加する場合は、空白で区切ったユーザーのリストを UserDir disabled 行に追加して下さい。
IncludesNoExec ディレクティブは削除しないgssftpd — ネットワーク上に認証情報を配信しない、 Kerberos 認知の xinetd ベースの FTP デーモンです。
tux) — FTP 機能を持ち合わせた、カーネルスペースウェブサーバーです。
vsftpd — スタンドアローン、セキュリティー指向の FTP サービス実装です。
vsftpd FTP サービス設定のセキュリティーガイドラインは次の通りです。
vsftpd のグリーティングバナーを変更するには、次のディレクティブを /etc/vsftpd/vsftpd.conf ファイルに追加して下さい:
ftpd_banner=<insert_greeting_here><insert_greeting_here> in the above directive with the text of the greeting message.
/etc/banners/ という新しいディレクトリに格納します。この例では、 FTP 接続のバナーファイルは /etc/banners/ftp.msg になります。ファイルは下記例のように表示されます:
######### # Hello, all activity on ftp.example.com is logged. #########
220 as specified in 「TCP ラッパーと接続バナー」.
vsftpd のグリーティングファイルを参照するには、次のディレクティブを /etc/vsftpd/vsftpd.conf ファイルに追加して下さい:
banner_file=/etc/banners/ftp.msg
/etc/vsftpd/vsftpd.conf, or else every attempt to connect to vsftpd will result in the connection being closed immediately and a 500 OOPS: cannot open banner <path_to_banner_file> error message.
banner_file directive in /etc/vsftpd/vfsftpd.conf takes precedence over any ftpd_banner directives in the configuration file: if banner_file is specified, then ftpd_banner is ignored.
/var/ftp/ ディレクトリの存在が匿名アカウントを有効にします。
vsftpd パッケージをインストールします。このパッケージが匿名ユーザーに対してディレクトリツリーを設定し、匿名ユーザー用にディレクトリを読み取り専用とします。
/var/ftp/pub/ への書き込み専用ディレクトリの作成が推奨されます。
mkdir /var/ftp/pub/uploadchmod 730 /var/ftp/pub/uploaddrwx-wx--- 2 root ftp 4096 Feb 13 20:05 upload
vsftpd で、次の行を /etc/vsftpd/vsftpd.conf ファイルに追加して下さい:
anon_upload_enable=YES
vsftpd のユーザーアカウントを無効にするには、次のディレクティブを /etc/vsftpd/vsftpd.conf に追加して下さい:
local_enable=NO
sudo privileges, the easiest way is to use a PAM list file as described in 「root アクセスを禁止する」. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.
vsftpd の特定のユーザーアカウントを無効にするには /etc/vsftpd.ftpusers にユーザー名を追加して下さい。
/etc/mail/sendmail.cf by editing the /etc/mail/sendmail.mc and using the m4 command.
/etc/mail/sendmail.mc 内の次のディレクティブで制限を設定することにより、このようなアタックの効力が制限されます。
confCONNECTION_RATE_THROTTLE — 1秒毎のサーバーへの接続可能数です。デフォルトでは Sendmail による接続数制限はありません。接続制限が設定され、接続数が制限に達した場合、新しい接続は遅延されます。
confMAX_DAEMON_CHILDREN — サーバーが生成可能な子プロセスの最大数です。デフォルトでは Sendmail による子プロセス生成数の制限はありません。子プロセスの制限が設定され、生成が最大数に達した場合、新しい接続は遅延されます。
confMIN_FREE_BLOCKS — サーバーのメール受信に必要な最小フリーブロック数です。デフォルトでは 100 ブロックになっています。
confMAX_HEADERS_LENGTH — メッセージヘッダーの最大許容サイズ (バイト単位) です。
confMAX_MESSAGE_SIZE — 1メッセージの最大許容サイズ (バイト単位) です。
/var/spool/mail/ を NFS 共有ボリュームに格納しないでください。
SECRPC_GSS カーネルモジュールが UID ベースの認証を使用しないからです。しかし、 NFS 共有のボリューム上にはメールスプールディレクトリを 置かない ことが良い政策となります。
/etc/passwd ファイルの全ユーザーシェルは /sbin/nologin に設定して下さい (ルートユーザーは例外)。
netstat -an や lsof -i などのコマンドを入力し、ネットワークスタックをクエリする方法があります。プログラムがネットワークからマシーンに接続せず、何がシステム上で実行されているかを確認する方法のため、信頼性は低いと言えます。そのため、アプリケーションの置換を試みる攻撃者のいいターゲットとなってしまいます。クラッカーは不当なネットワークポートをオープンした場合、 netstat と lsof を自分の編集バージョンと入れ換えて、その侵入経路を隠そうとします。
nmap などのポートスキャナーを使用する方法があります。
nmap -sT -O localhostStarting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-09-24 13:49 EDT Interesting ports on localhost.localdomain (127.0.0.1): (The 1653 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 111/tcp open rpcbind 113/tcp open auth 631/tcp open ipp 834/tcp open unknown 2601/tcp open zebra 32774/tcp open sometimes-rpc11 Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) Uptime 12.857 days (since Sat Sep 11 17:16:20 2004) Nmap run completed -- 1 IP address (1 host up) scanned in 5.190 seconds
sunrpc が存在するため、システムが portmap を実行している状態を表示します。しかし、未知のサービスがポート 834 に存在しています。このポートが既知サービスの公式リストと関連しているかどうか調べるには次を入力して下さい:
cat /etc/services | grep 834netstat 又は lsof を使用し、ポート情報を確認して下さい。 netstat でポート 834 を確認するには、次のコマンドを使用します:
netstat -anp | grep 834tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
netstat のオープンポートの存在は安心を与えるものです。また、 [p] オプションによって、ポートをオープンしたサービスのプロセス ID (PID) が判明します。このケースでは、オープンポートは portmap サービスと併せて使用される RPC サービスである ypbind (NIS) に属しています。
lsof コマンドはサービスとオープンポートをリンクする機能があるため、同様の情報を netstat に表示します:
lsof -i | grep 834ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)
lsof、 netstat、 nmap、 services の man ページを参照して下さい。
nss-tools パッケージがロードされていることを確認してください。
certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" \-i ./ca_cert_in_base64_format.crt
/etc/pam_pkcs11/pam_pkcs11.conf ファイルを開き、以下のラインを指定してください:
enable_ocsp = false;
enable_ocsp = true;
/etc/pam_pkcs11/cn_map と呼ばれるファイルを作成してください。
cn_map ファイルに以下のエントリを追加してください:
MY.CAC_CN.123454 -> myloginid
MY.CAC_CN.123454 が Common Name だったら、 myloginid は自分の UNIX ログイン ID になります。
pklogin_finder debugpklogin_finder ツールを起動すると、証明書の有効性についての情報を出力しようとし、もしそれに成功したら、カードにある証明書からログイン ID をマップしようとします。
about:config を入力してください。
negotiate を入力してください。
.example.com 等の、認証させたいドメイン名を入力してください。
kinit を入力してください。利用可能なチケットのリストを表示するには、 klist を入力してください。以下は、これらのコマンドからの出力例を示しています:
~]$kinitPassword for user@EXAMPLE.COM: ~]$klistTicket cache: FILE:/tmp/krb5cc_10920 Default principal: user@EXAMPLE.COM Valid starting Expires Service principal 10/26/06 23:47:54 10/27/06 09:47:54 krbtgt/USER.COM@USER.COM renew until 10/26/06 23:47:54 Kerberos 4 ticket cache: /tmp/tkt10920 klist: You have no tickets cached
export NSPR_LOG_MODULES=negotiateauth:5export NSPR_LOG_FILE=/tmp/moz.log
/tmp/moz.log にロギングされ、問題の解決の手掛かりが見つかるかもしれません。例えば:
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken() -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure No credentials cache found
kinit を起動する必要があることを示しています。
kinit を起動することに成功したのに認証できない場合は、ログファイルに以下のような既述が見えるかもしれません:
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken() -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database
/etc/krb5.conf ファイルの [domain_realm] セクションにあることを確認してください。例えば:
.example.com = EXAMPLE.COM example.com = EXAMPLE.COM
/etc/pam.d/ ディレクトリには、 PAM 認識アプリケーションのための、 PAM 設定ファイルがあります。 PAM の初期のバージョンでは、 /etc/pam.conf ファイルが使用されていました。しかし、このファイルはあまり使用されなくなってきており、現在は /etc/pam.d/ ディレクトリが存在しない場合に限って使用されます。
<module interface><control flag><module name><module arguments>
auth — このモジュールインターフェースはその使用を認証します。例えば、パスワードの有効性を要求して、それを確証します。このインターフェースのモジュールは、グループメンバーシップや、 Kerberos チケットなどの証明書も設定できます。
account — このモジュールインターフェースは、アクセスが許可されることを確認します。例えば、ユーザーのアカウントが期限切れでないか、あるいはユーザーがその日の特定時期にログインを認められているか、をチェックします。
password — このモジュールインターフェースは、ユーザーパスワードの変更に使用されます。
session — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available.
pam_unix.so は 4 つのモジュールインターフェースをすべて提供できます。
auth required pam_unix.so
pam_unix.so module's auth interface.
reboot コマンドは、以下の PAM 設定ファイルで示してあるように、通常、数種のスタックされたモジュールを使用します:
~]# cat /etc/pam.d/reboot
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.soauth sufficient pam_rootok.so — この行は pam_rootok.so モジュールを使用して、その UID が 0 であることを確認して、現在のユーザーが root かどうかをチェックします。このテストが成功すると、他のモジュールに依存せずに、このコマンドが実行されます。テストが失敗すると次のモジュールに依託されます。
auth required pam_console.so — この行はユーザーを認証するのに pam_console.so モジュールを使用します。このユーザーがすでにコンソールでログインしている場合は、 pam_console.so は、 /etc/security/console.apps/ ディレクトリ内にサービス名 (reboot) と同じ名前を持ったファイルがあるかどうかをチェックします。そのようなファイルが存在すれば、認証は確定され、制御は次のモジュールに渡されます。
#auth include system-auth — この行はコメント化されており、プロセスされません。
account required pam_permit.so — この行は pam_permit.so モジュールを使用して、 root ユーザー、又はコンソールにログインしてシステムをリブートする人に許可を与えます。
required — 認証が続行するにはモジュールの結果は成功でなければいけません。テストがこの時点で失敗の結果を出すと、インターフェースを参照している全てのモジュールが完了するまで、ユーザーは結果報告を受け取りません。
requisite — 認可が続行するにはモジュールの結果は成功でなければいけません。但し、この時点でテストが失敗した場合、ユーザーは直ちに最初に失敗した required、 あるいは requisite モジュールテストに関するメッセージを受け取ります。
sufficient — チェックが失敗した場合、モジュールの結果は無視されます。ただし、 sufficient フラグのモジュールのチェックが成功し、 且つ 、それ以前の required フラグのモジュールがすべて成功した場合、これ以外の結果は必要とされず、ユーザーはそのサービスに対して認証されます。
optional — モジュールの結果は無視されます。認証の成功に optional フラグのモジュールが必要となるのは、そのインターフェースを参照する他のモジュールがない時だけです。
required モジュールがコールされる順序は重要ではありません。 sufficient と requisite の制御フラグでのみその順序が重要になります。
pam.d man page, and the PAM documentation, located in the /usr/share/doc/pam-<version-number>/ directory, where <version-number> is the version number for PAM on your system, describe this newer syntax in detail.
/lib64/security/ ディレクトリ下に 64ビット PAM モジュールを保存する multilib の出現により、アプリケーションがモジュールの正しいバージョンを検索する適切な libpam のバージョンにリンクされるため、そのディレクトリ名は省略されています。
pam_userdb.so モジュールは、 Berkeley DB ファイルに保存された情報を使ってユーザーを認証します。 Berkeley DB は、多くのアプリケーションに組み込まれているオープンソースのデータベースシステムです。このモジュールが db 引数を使用することによって Berkeley DB は要求されたサービスに使用するデータベースを判断できます。
pam_userdb.so line in a PAM configuration. The <path-to-file> is the full path to the Berkeley DB database file:
auth required pam_userdb.so db=<path-to-file>/var/log/secure ファイルに報告します。
#%PAM-1.0 auth required pam_securetty.so auth required pam_unix.so nullok auth required pam_nologin.so account required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so shadow nullok use_authtok session required pam_unix.so
#」マークが付加されています。
auth required pam_securetty.so — このモジュールは もし ユーザーが root としてログインを試行し、 tty ファイルが存在する場合、 /etc/securetty ファイル内にユーザーがログインした tty が一覧表示されていることを確認します。
Login incorrect のメッセージが出て失敗します。
auth required pam_unix.so nullok — このモジュールはユーザーにパスワードを要求して、 /etc/passwd に保存されている情報を使用してそのパスワードをチェックします。パスワードが存在する場合、 /etc/shadow をチェックします。
pam_unix.so module automatically detects whether the user's password is in the passwd file or the shadow file. Refer to 「シャドウパスワード」 for more information.
auth required pam_nologin.so — これが最終認証ステップです。 /etc/nologin ファイルが存在するかどうかを確認します。ファイルが存在し、ユーザーが root でない場合、認証は失敗します。
auth モジュールが失敗しても、3つの auth モジュールすべてがチェックされます。これはユーザーに、認証のどの段階で拒否されたかを悟られないようにするためです。そのような情報がアタッカーに使用可能になると、彼らにシステムをクラックする方法をたやすく類推する事を許します。
account required pam_unix.so — このモジュールで、必要なアカウントの確証が実行されます。たとえば、シャドウパスワードが有効な場合、 pam_unix.so モジュールのアカウントインターフェイスは、アカウントの期限が切れていないか、ユーザーがパスワード猶予期間内にパスワードを変更していないかをチェックします。
password required pam_cracklib.so retry=3 — パスワードの期限が切れている場合、 pam_cracklib.so モジュールのパスワードコンポーネントは新しいパスワードの要求をします。それから、新規に作成されたパスワードに対してテストを実行することにより、それがパスワードに対する辞書ベースのクラックプログラムによって簡単に判明するものでないことを確認します。
retry=3 はテストが最初に失敗した場合、ユーザーは牽強なパスワードを作成するのに2回のチャンスを与えられるように指定します。
password required pam_unix.so shadow nullok use_authtok — This line specifies that if the program changes the user's password, it should use the password interface of the pam_unix.so module to do so.
shadow instructs the module to create shadow passwords when updating a user's password.
nullok は、モジュールにユーザーがパスワードをブランク から 変更するのを許可するように指示します。さもなければ、ブランクのパスワードは固定アカウントとして取り扱われます。
use_authtok は、 PAM モジュールのスタック順の重要性を示す良い例を提供します。この引数は、モジュールに対し、ユーザーの新しいパスワードを求めないように伝えます。その代わりに、それ以前のパスワードモジュールで記録されたいかなるパスワードも受け入れます。この方法では、全ての新しいパスワードが、受け入れられる前にセキュアなパスワードとして pam_cracklib.so テストをパスしなければいけません。
session required pam_unix.so — 最後の行は、 pam_unix.so モジュールのセッションインターフェイスに対し、セッションを管理することを指示しています。このモジュールは、各セッションの始めと終りで、 /var/log/secure にユーザー名とサービスタイプのログを残します。このモジュールは他の機能の為に、他のセッションモジュールにスタックする事で補充できます。
/usr/share/doc/pam-<version-number>/ directory, where <version-number> is the version number for PAM on your system.
pam_timestamp.so モジュールを使用してユーザーに特権を 5 分間まで延長することができます。 pam_timestamp.so が有効になっている間にユーザーがターミナルから離れると、マシンを誰でもコンソールに物理的にアクセスして操作が行なえるような状態にするため、この機能の仕組みを理解しておくことが重要です。
pam_timestamp.so モジュールはデフォルトで /var/run/sudo/ ディレクトリ配下にタイムスタンプファイルを作成します。タイムスタンプファイルがすでに存在している場合は、グラフィック管理プログラムはパスワードを要求せず、代わりに、 pam_timestamp.so モジュールはタイムスタンプファイルを更新して、ユーザーに絶対的な管理アクセス権をさらに 5 分間確保します。
/var/run/sudo/<user> file. For the desktop, the relevant file is unknown:root. If it is present and its timestamp is less than five minutes old, the credentials are valid.
ssh を使用して遠隔からシステムにログインしている場合、 /sbin/pam_timestamp_check -k root コマンドを使用してタイムスタンプを破棄します。
/sbin/pam_timestamp_check -k root は特権アプリケーションを起動したのと同じターミナルから実行する必要があります。
/sbin/pam_timestamp_check -k コマンドを使用するためには、最初に pam_timestamp.so を呼び出したユーザーとしてログインする必要があります。 root でログインしてこのコマンドを発行しないでください。
pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/nullpam_timestamp_check を使用してタイムスタンプファイルを破棄する方法についての詳細は、 pam_timestamp_check の man ページを参照してください。
pam_timestamp.so モジュールはいくつか異なるディレクティブを受け取ります。以下に最もよく使われるオプションを2つあげます:
timestamp_timeout — タイムスタンプファイルが有効になっている期間を秒数で指定します。デフォルト値は 300 秒 (5分間) です。
timestampdir — タイムスタンプファイルが保存されるディレクトリを指定します。デフォルト値は /var/run/sudo です。
pam_timestamp.so module.
pam_console.so と呼ばれる、 PAM モジュールによって制御されるものです。
pam_console.so モジュールが login またはグラフィカルログインプログラム gdm と kdm と xdm によって呼び出されます。このユーザーが物理的なコンソール —コンソールユーザー と呼ばれる — でログインする最初のユーザーの場合、モジュールは通常ルートに所有される様々なデバイスの所有権をこのユーザーに許可します。このユーザーの最後のローカルセッションが終了するまで、コンソールユーザーはこれらデバイスの所有権を持ちます。このユーザーがログアウトすると、デバイスの所有権は root ユーザーに戻ります。
pam_console.so で制御されるデバイスのリストを変更することができます:
/etc/security/console.perms
/etc/security/console.perms.d/50-default.perms
50-default.perms ファイルを変更する代わりに、新しいファイルを作成 (例えば、xx-name.perms51-default.perms)。これが 50-default.perms ファイル内のデフォルトを書き変えます。
<console> and <xconsole> directives in the /etc/security/console.perms to the following values:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0 <xconsole>=:0\.[0-9] :0
<xconsole> directive entirely and change the <console> directive to the following value:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]*
/etc/security/console.apps/ ディレクトリ内で使用するように設定された特定のプログラムにアクセスを許可されます。
/sbin と /usr/sbin 内の特定のアプリケーションを実行できるようにする設定ファイルが含まれています。
/sbin/halt
/sbin/reboot
/sbin/poweroff
pam_console.so モジュールをコールします。
pam — PAM 設定ファイルの構造とその目的を含む、 PAM の適切な入門情報です。
/etc/pam.d/ ディレクトリ内の /etc/pam.conf と個別の設定ファイルの両方について説明しています。デフォルトでは、 Red Hat Enterprise Linux は /etc/pam.conf が存在している場合でも、それを無視して /etc/pam.d/ ディレクトリ内の個別設定ファイルを使用します。
pam_console — pam_console.so モジュールの目的について説明しています。また、 PAM 設定ファイルで使用するエントリの適切な構文についても触れています。
console.apps — 設定ファイルの /etc/security/console.apps 内で使用できる形式とオプションについて説明しています。この設定ファイルは、 PAM で割り当てられたコンソールユーザーがどのアプリケーションにアクセス可能かを定義します。
console.perms — PAM で割り当てられたコンソールユーザーの権限用の /etc/security/console.perms 設定ファイル内で使用できる形式とオプションを説明しています。
pam_timestamp — pam_timestamp.so モジュールについて説明しています。
/usr/share/doc/pam-<version-number> — Contains a System Administrators' Guide, a Module Writers' Manual, and the Application Developers' Manual, as well as a copy of the PAM standard, DCE-RFC 86.0, where <version-number> is the version number of PAM.
/usr/share/doc/pam-<version-number>/txts/README.pam_timestamp — Contains information about the pam_timestamp.so PAM module, where <version-number> is the version number of PAM.
iptables-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services. One such wrapped network service is the xinetd super server. This service is called a super server because it controls connections to a subset of network services and further refines access control.
xinetd in controlling access to network services and reviews how these tools can be used to enhance both logging and utilization management. Refer to 「IPTables」 for information about using firewalls with iptables.
tcp_wrappers) デフォルトでインストールされ、ネットワークサービスに対しホストベースのアクセス制御を提供します。パッケージ内で最も重要なコンポーネントは /usr/lib/libwrap.a ライブラリです。一般的な表現では、 TCP でラップしたサービスは、 libwrap.a ライブラリに対してコンパイルされたものを指します。
/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.
libwrap.a library. Some such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd.
libwrap.a に対してリンクされているかどうか判定するには、 root ユーザーとして以下のコマンドを入力します:
ldd <binary-name> | grep libwrap<binary-name> with the name of the network service binary.
libwrap.a に対して リンクされていません 。
/usr/sbin/sshd は libwrap.a にリンクしていることを示しています:
~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00655000)
~]#/etc/hosts.allow
/etc/hosts.deny
/etc/hosts.allow を参照する。 — TCP ラップしたサービスは順番に /etc/hosts.allow ファイルを構文解析して、そのサービスに指定されている最初の規則を適用します。適合する規則があれば、接続を許可します。そうでなければ、次のステップへと移動します。
/etc/hosts.deny を参照する。 — TCP ラップしたサービスは順番に /etc/hosts.deny ファイルを構文解析します。適合する規則があれば、接続は拒否されます。そうでなければ、そのサービスへのアクセスは認可されます。
hosts.allow 内のアクセスの規則が最初に適用される為、これらの規則は hosts.deny 内に指定してある規則より優先されます。そのため、 hosts.allow でサービスへのアクセスが許可された場合、 hosts.deny の同じサービスに対するアクセス拒否の規則は無視されます。
hosts.allow または hosts.deny への変更は、ネットワークサービスを再開始しなくても直ちに反映されます。
/var/log/messages か /var/log/secure にログされます。また、行が逆スラッシュを使用せずに複数行にまたがる場合も同様です。次の例では、このどちらかの状況による規則違反についてのログメッセージの関連部分を表示します:
warning: /etc/hosts.allow, line 20: missing newline or line too long
/etc/hosts.allow と /etc/hosts.deny のフォーマットは全く同じです。各規則はその独自の行になければなりません。 (#) マークで始まる行、又は空白行はすべて無視されます。
<daemon list>:<client list>[:<option>:<option>: ...]
<daemon list> — A comma-separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts operators (refer to 「演算子」) to allow greater flexibility.
<client list> — A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule. The client list also accepts operators listed in 「演算子」 to allow greater flexibility.
<option> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior.
vsftpd : .example.com
example.com ドメインのホストすべてからの FTP デーモン (vsftpd) への接続を監視するよう TCP ラッパーに指示します。この規則が hosts.allow にある場合は、その接続は許可されます。この規則が hosts.deny にある場合は、その接続は拒否されます。
sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \ : deny
sshd) is attempted from a host in the example.com domain, execute the echo command to append the attempt to a special log file, and deny the connection. Because the optional deny directive is used, this line denies access even if it appears in the hosts.allow file. Refer to 「オプションフィールド」 for a more detailed look at available options.
ALL — すべてを照合します。これはデーモンリストとクライアントリストの両方に使用できます。
LOCAL — ローカルホストなど、ピリオド (.) のないホストをすべて照合します。
KNOWN — ホスト名、ホストアドレス、あるいはユーザーが既に判っているホストを照合します。
UNKNOWN — ホスト名、ホストアドレス、あるいはユーザーが不明なホストをすべて照合します。
PARANOID — ホスト名とホストアドレスが一致しないホストをすべて照合します。
KNOWN 、 UNKNOWN 、 PARANOID のそれぞれのワイルドカードは、正しい操作のために DNS サーバーを機能させることに依存しているので注意して使用してください。名前解決中で問題となると正式なユーザーがサービスへのアクセスを取得するのを阻止する可能性があります。
example.com ドメイン内のすべてのホストに適用されます:
ALL : .example.com
192.168.x.x ネットワーク内のすべてのホストに適用されます。
ALL : 192.168.
192.168.0.0 から 192.168.1.255 までのアドレス幅を持つすべてのホストに適用されます。
ALL : 192.168.0.0/255.255.254.0
3ffe:505:2:1:: から 3ffe:505:2:1:ffff:ffff:ffff:ffff までのアドレス幅内のすべてのホストに適用します:
ALL : [3ffe:505:2:1::]/64
example.com ドメイン内の全てのホストに適用されます:
ALL : *.example.com
/etc/telnet.hosts ファイルへの TCP ラッパーを対称にしています:
in.telnetd : /etc/telnet.hosts
hosts_access の man 5 ページを参照してください。
Portmap's implementation of TCP Wrappers does not support host look-ups, which means portmap can not use hostnames to identify hosts. Consequently, access control rules for portmap in hosts.allow or hosts.deny must use IP addresses, or the keyword ALL, for specifying hosts.
portmap アクセスコントロール規則への変更は、 portmap サービスを再起動させないとすぐには反映されない場合があります。
portmap に依存して運用されているので、これらの制限に気をつけて下さい。
EXCEPT を受け付けます。これはデーモンリストと規則内のクライアントリストで使用できます。
EXCEPT 演算子の使用により、同じ規則内でより幅広い照合への特別な拡張が可能になります。
hosts.allow ファイルからの例では、 cracker.example.com 以外の全ての example.com ホストからの、全てのサービスへの接続が許可されます:
ALL: .example.com EXCEPT cracker.example.com
hosts.allow ファイルからの例では、 192.168.0.x のネットワークからのクライアントは FTP 以外は、すべてのサービスを使用できます:
ALL EXCEPT vsftpd: 192.168.0.
EXCEPT 演算子の使用を避けた方が管理が楽なことが多く、これにより、他の管理者が、 EXCEPT 演算子をソートせずに、どのホストがサービスに対するアクセスを許可/拒否されるべきかを判断するのに該当ファイルをすばやく調べることができます。
severity ディレクティブを使用してログ設備と規則の優先度を簡単に変更することができます。
example.com ドメインのいずれのホストからの SSH デーモンへの接続も、 emerg の優先度を持つデフォルトの authpriv syslog 設備 (設備値が指定されていない為) にログされます。
sshd : .example.com : severity emerg
severity オプションを使用して設備を指定することもできます。次の例では、 alert の優先度を持つ local0> 設備への example.com ドメインのホストによる SSH サービス接続の試行をログします:
sshd : .example.com : severity local0.alert
local0 設備へ syslog デーモン (syslogd) がログするように設定されるまで機能しません。カスタムログ設備の設定に関する詳細については syslog.conf の man ページをお読み下さい。
allow 又は deny ディレクティブを最終オプションとして追加することで、1つの規則内で明確に許可、あるいは拒否ができるようになります。
client-1.example.com からの SSH 接続を許可しますが、 client-2.example.com からの接続を拒否します:
sshd : client-1.example.com : allow sshd : client-2.example.com : deny
hosts.allow 、又は hosts.deny に統合できるようにします。一部の管理者にとってはこの方法がアクセス規則を簡単に構成させてくれるでしょう。
spawn — シェルコマンドを子プロセスとして始動できます。このディレクティブは /usr/sbin/safe_finger の使用などのタスクを実行し、要求しているクライアントの情報を得たり、 echo コマンドを使用して特殊なログファイルを作成したりします。
example.com ドメインから Telnet サービスへアクセスを試行するクライアントは、密かに特殊なファイルにログされます:
in.telnetd : .example.com \ : spawn /bin/echo `/bin/date` from %h>>/var/log/telnet.log \ : allow
twist — Replaces the requested service with the specified command. This directive is often used to set up traps for intruders (also called "honey pots"). It can also be used to send messages to connecting clients. The twist directive must occur at the end of the rule line.
example.com ドメインから FTP サービスへアクセスを試行しているクライアントが echo コマンドによりメッセージを送ります:
vsftpd : .example.com \ : twist /bin/echo "421 This domain has been black-listed. Access denied!"
hosts_options の man ページを参照してください。
spawn や twist ディレクティブと一緒に使用して、関連したクライアント、サーバー、関係するプロセスの情報を提供します。
%a — Returns the client's IP address.
%A — Returns the server's IP address.
%c — ユーザー名とホスト名、又はユーザー名と IP アドレスなどのような各種のクライアントの情報を提供します。
%d — デーモンのプロセス名を提供
%h — Returns the client's hostname (or IP address, if the hostname is unavailable).
%H — Returns the server's hostname (or IP address, if the hostname is unavailable).
%n — Returns the client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
%N — Returns the server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
%p — Returns the daemon's process ID.
%s — デーモンのプロセスとサーバーのホスト又は IP アドレスなど、さまざまなタイプのサーバー情報を提供
%u — Returns the client's username. If unavailable, unknown is printed.
spawn コマンドと一緒に拡張を使用してカスタマイズログファイルの中のクライアントホストを識別しています。
sshd) への接続が example.com ドメインのホストから試行されると、 echo コマンドを実行して、クライアントのホスト名 ( %h 拡張を使用) を含む試行を特殊ファイルへログします:
sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \ : deny
example.com ドメインから FTP サービスへアクセスを試行しているクライアントは、彼らがサーバーに立ち入り禁止となったことを通知されています:
vsftpd : .example.com \ : twist /bin/echo "421 %h has been banned from this server!"
hosts_access の man ページのセクション 5 (man 5 hosts_access) または hosts_options の man ページを参照してください。
xinetd デーモンは、 FTP 、 IMAP 、 Telnet を含む人気のあるネットワークサービスのサブセットへのアクセスを制御する TCP ラップした スーパーサービス です。これは、アクセス制御、強化ロギング、結合、方向転換、リソース活用制御などの為にサービス特有の設定オプションを提供します。
xinetd によって制御されるネットワークサービスの接続をクライアントが試行する場合、スーパーサービスは要求を受け取り、すべての TCP ラッパーアクセス制御規則をチェックします。
xinetd は、そのサービスの独自のアクセス規則に従ってアクセスが許可されたかを検証します。それはさらにリソースを割り当てられないか、それが定められた規則に対して契約違反でないかをチェックします。
xinetd は、要求されたサービスのインスタンスを開始し、その接続の制御を通過させます。接続が確立されると、 xinetd はこれ以上、クライアントホストとサーバー間の通信には干渉しません。
xinetd の設定ファイルは以下のようになります:
/etc/xinetd.conf — グローバルな xinetd 設定ファイル。
/etc/xinetd.d/ — 全てのサービス特有のファイルを含んだディレクトリ。
/etc/xinetd.conf file contains general configuration settings which affect every service under xinetd's control. It is read when the xinetd service is first started, so for configuration changes to take effect, you need to restart the xinetd service. The following is a sample /etc/xinetd.conf file:
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.dxinetd の次のような側面を制御します。
instances — xinetd が1度に対処できる最大の要求数を設定します。
log_type — xinetd を設定して authpriv ログ設備を使用します。これはログエントリを /var/log/secure ファイルに書き込みます。 FILE /var/log/xinetdlog のようなディレクティブを追加すると、 /var/log/ ディレクトリの中に xinetdlog と言うカスタムログファイルを作成します。
log_on_success — Configures xinetd to log successful connection attempts. By default, the remote host's IP address and the process ID of the server processing the request are recorded.
log_on_failure — xinetd を設定して、接続失敗があるかどうか又は、接続が許可されていないかどうかをログします。
cps — xinetd を設定してどのサービスにも毎秒 25 接続以上は許可しないようにします。この限度に到達した場合は、サービスは 30 秒だけ休憩します。
includedir /etc/xinetd.d/ — Includes options declared in the service-specific configuration files located in the /etc/xinetd.d/ directory. Refer to 「/etc/xinetd.d/ ディレクトリ」 for more information.
log_on_success and log_on_failure settings in /etc/xinetd.conf are further modified in the service-specific configuration files. More information may therefore appear in a given service's log file than the /etc/xinetd.conf file may indicate. Refer to 「ロギングオプション」 for further information.
/etc/xinetd.d/ ディレクトリ内には、 xinetd で管理されている各サービスの設定ファイルと、そのサービスに関連したファイルの名前が含まれています。 xinetd.conf の場合と同様に、このファイルは xinetd サービスが開始する時にだけ読み込まれます。変更を反映させるためには、管理者は xinetd サービスを再起動する必要があります。
/etc/xinetd.d/ ディレクトリ内のファイルのフォーマットは /etc/xinetd.conf と同じ記法を使用します。各サービスの設定が別々のファイルに格納される主な理由は、カスタマイズを簡単にすることと、他のサービスに影響を与える可能性を少なくするためです。
/etc/xinetd.d/krb5-telnet ファイルを見てみます。
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = yes
}telnet サービスのさまざまな側面を制御します:
service — サービス名を定義します。通常、 /etc/services ファイルに記載されるサービスのどれかになります。
flags — 接続の為の必要な数の属性をセットします。 REUSE は xinetd に対して Telnet 接続のソケットを再使用するように指示します。
REUSE フラッグは推奨されていません。全てのサービスは現在暗黙的に REUSE フラッグを使用します。
socket_type — ネットワークソケットのタイプを stream に設定します。
wait — サービスがシングルスレッド (yes) か又はマルチスレッド (no) かを定義します。
user — プロセスが実行に使用するユーザー ID を定義します。
server — 始動する予定のバイナリ実行ファイルを定義します。
log_on_failure — 既に xinetd.conf に定義している物に追加して、 log_on_failure 用のロギングパラメータを定義します。
disable — サービスが無効になっているか (yes) 、有効になっているか (no) を定義します。
xinetd.conf の man ページを参照してください。
xinetd で保護されているサービス用には利用できる多くの種類のディレクティブがあります。このセクションはより一般的に使用されているオプションの一部を強調して説明します。
/etc/xinetd.conf と /etc/xinetd.d/ ディレクトリ内のサービス特有の設定ファイルの両方で利用できます。
ATTEMPT — 失敗の試行があった事実をログします (log_on_failure) 。
DURATION — リモートシステムによって使用されたサービスの時間の長さをログします (log_on_success) 。
EXIT — サービスの終了ステータス、又は終結シグナルをログします (log_on_success) 。
HOST — Logs the remote host's IP address (log_on_failure and log_on_success).
PID — 要求を受けているサーバーのプロセス ID をログします (log_on_success)。
USERID — 全てのマルチスレッドシステムの為に RFC 1413 で定義された方法を使用しているリモートユーザーをログします (log_on_failure と log_on_success)。
xinetd.conf の man ページを参照して下さい。
xinetd services can choose to use the TCP Wrappers hosts access rules, provide access control via the xinetd configuration files, or a mixture of both. Refer to 「TCP ラッパーの設定ファイル」 for more information about TCP Wrappers hosts access control files.
xinetd を使用してのサービスへのアクセス制御について説明します。
xinetd の管理者が xinetd サービスを再起動した場合にのみ、アクセス制御への変更が反映されます。
xinetd を通してのアクセス制御は、 xinetd によって制御されるサービスにしか影響しません。
xinetd hosts access control differs from the method used by TCP Wrappers. While TCP Wrappers places all of the access configuration within two files, /etc/hosts.allow and /etc/hosts.deny, xinetd's access control is found in each service's configuration file in the /etc/xinetd.d/ directory.
xinetd によってサポートされています:
only_from — 特定のホストのみにサービスの使用を許可します。
no_access — リストにあるホストのサービス利用を拒否する。
access_times — 特定のサービスが利用できる時間幅を指定する。この時間幅は24時間形式で HH:MM-HH:MM の表示をする必要があります。
only_from と no_access オプションは IP アドレス又はホスト名の一覧を使用する、あるいはネットワーク全体を指定することができます。 TCP ラッパーの様に、強化ロギング設定で xinetd アクセス制御を結合することにより、それぞれの接続試行の記録を詳細に取りながら、禁止されているホストからの要求をブロックしてセキュリティを強化できます。
/etc/xinetd.d/telnet ファイルは、特定のネットワークグループからの Telnet アクセスをブロックして、許可されたユーザーにさえも、ログイン可能な時間帯を制限する為に使用できます:
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
no_access = 172.16.45.0/24
log_on_success += PID HOST EXIT
access_times = 09:45-16:15
}10.0.1.2 などの 10.0.1.0/24 ネットワークのクライアントシステムが、 Telnet サービスにアクセスを試みると、以下のようなメッセージを受け取ります:
Connection closed by foreign host.
/var/log/messages の中に記録されます。
Sep 7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107 Sep 7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107 Sep 7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)
xinetd アクセス制御と併用する場合、2つのアクセス制御メカニズム間の関係を理解することが重要です。
xinetd による処理順序を以下に示します。
xinetd デーモンは libwrap.a ライブラリコールを経由して、 TCP ラッパーホストアクセス規則にアクセスします。もし拒否の規則がクライアントホストに適合するならば、その接続は切断されます。許可の規則がクライアントホストと適合する場合、接続が xinetd に渡されます。
xinetd デーモンは、 xinetd サービスと要求されたサービスの両方の為に、自身のアクセス制御規則をチェックします。もし、拒否の規則がクライアントホストに適合する場合、接続は切断されます。その他の場合は、 xinetd は要求されたインスタンスを開始して接続の制御を渡します。
xinetd アクセス制御と併用する場合、注意が必要です。設定ミスは良からぬ結果を招くことになります。
xinetd 用のサービス設定は、サービスをある IP アドレスにバインドし、そのサービス用の要求を別の IP アドレス、ホスト名、あるいはポートへリダイレクトします。
bind オプションと共に制御されており、サービスをシステム上の IP アドレスと連結します。設定されると、 bind オプションは、正式な IP アドレスの為の要求のみをそのサービスへアクセスする許可をします。この方法で異なるサービスは異なるネットワークインターフェイスに需要ベースでバインドできます。
redirect オプションは、 IP アドレス又はホスト名とそれに続くポート番号を受け付けます。サービスを設定して、このサービス用の要求を全て指定したホストか、又はポート番号にリダイレクトできるようにします。この機能は同じシステム上のポートから別のポートへポイントする、あるいは要求を同じマシン上の別の IP アドレスへリダイレクトする、あるいは要求を全く別のシステムとポート番号へ移動する、あるいはこれらのオプションの組合せをする場合に使用できます。この様にして、システム上の特定のサービスに接続しているユーザーは、問題なく他のシステムへ回送されるようにできます。
xinetd デーモンは、リクエストを送信したクライアントマシンと実際にサービスを提供するホストが接続されている間だけ有効なプロセスを生成し、2つのシステム間でデータを転送することによって、このリダイレクトを実現します。
bind と redirect オプションの利点は、それらが一緒に使用される時にはっきりと判別できます。サービスをシステム上の特定の IP アドレスにバインドして、その後そのサービス用の要求を1番目のマシンだけが見ることができる2番目のマシンにリダイレクトすることにより、内部のシステムが全く別のネットワークの為にサービスを提供することに使用できます。別の方法として複数ホームのマシン上の特定のサービスが、既知の IP アドレスへの露呈されることを制限したり、またそのサービスの要求をその目的用に特定の設定をしたマシンへリダイレクトするのに使用できます。
service telnet
{
socket_type = stream
wait = no
server = /usr/kerberos/sbin/telnetd
log_on_success += DURATION USERID
log_on_failure += USERID
bind = 123.123.123.123
redirect = 10.0.1.13 23
}bind と redirect オプションは、マシン上の Telnet サービスがインターネットに向けた外部 IP アドレス (123.123.123.123) にバインドされていることを確定します。さらには、 123.123.123.123 に送信された Telnet サービスへの要求は2番目のネットワークアダプターを通じて、内部 IP アドレスの (10.0.1.13) にリダイレクトされ、これはファイアウォールと内部のシステムしかアクセスできないようになっています。ファイアウォールはその後、その2つのシステム間で通信をしますので、接続しているシステムは実際には別のマシンに接続されている状態でも 123.123.123.123 に接続されているように見えます。
xinetd で制御されている特定のサービスが bind と redirect オプションで設定されている場合、そのゲートウェイマシンは、外部システムとサービスを提供するように設定されている特定の内部マシン間でプロキシとして動作することができます。また、その他プロテクションとして各種の xinetd アクセス制御やロギングオプションがあります。
xinetd デーモンは、 Denial of Service (DoS) 攻撃からに対する基本的レベルの保護を追加することができます。以下のリストでは、そのような終りのない攻撃を制限できるディレクティブを表示します:
per_source — ソース IP アドレス毎のサービス用のインスタンスの最大数を定義します。これは整数のみを引数として受け付け、 xinetd.conf 内と xinetd.d/ ディレクトリのサービス特有の設定ファイル内で使用できます。
cps — 毎秒の接続最大数を定義します。このディレクティブは中間にスペースを入れた2つの整数引数を使います。1番目は1秒間に接続が許可される最大数です。2番目はサービスを再開始する時に xinetd が待機する必要のある時間の秒数です。整数のみを引数として受け付け、 xinetd.conf 内と xinetd.d/ ディレクトリのサービス特有の設定ファイル内の両方で使用できます。
max_load — サービスの CPU 使用方法とロード平均しきい値を定義します。これは引数に小数点を受け付けます。
uptime、 who、および procinfo コマンドを参照してください。
xinetd 用のリソース管理オプションがあります。また、 xinetd.conf の man ページを参照して下さい。
xinetd に関するその他の詳細はシステムドキュメントを参照するか、またはインターネットをご覧ください。
xinetd 、およびアクセス制御の追加の設定オプションを探し始めるには良い場所です。
/usr/share/doc/tcp_wrappers-<version>/ — This directory contains a README file that discusses how TCP Wrappers work and the various hostname and host address spoofing risks that exist.
/usr/share/doc/xinetd-<version>/ — This directory contains a README file that discusses aspects of access control and a sample.conf file with various ideas for modifying service-specific configuration files in the /etc/xinetd.d/ directory.
xinetd 関連の man ページ — TCP ラッパーと xinetd に関係する各種のアプリケーションや設定ファイルの man ページがいくつかあります。以下により重要と思われる man ページをリストしています:
man xinetd — xinetd の man ページ。
man 5 hosts_access — TCP ラッパーのホスト制御アクセスファイルの為の man ページ。
man hosts_options — TCP ラッパーのオプションフィールドの man ページ。
man xinetd.conf — xinetd の設定オプションをリストした man ページ。
xinetd のホームページで、設定ファイルのサンプル、全機能の一覧、役に立つ FAQ などが含まれています。
xinetd 設定ファイルを修正するさまざまな方法を詳細に説明した講習です。
/etc/passwd や /etc/shadow といった、 標準的な UNIX パスワードデータベースから、 Kerberos パスワードデータベースへとユーザーのパスワードを移行するのは、単調な作業となりえます。この移行作業を自動的に実行するメカニズムがないからです。以下のアドレスでオンライン 「Kerberos FAQ」 の中の質問番号 2.23 を参照して ください:
kinit を使用せずに、keytab ファイルから必要な鍵を取り出します。デフォルトの keytab ファイルは /etc/krb5.keytab です。 KDC 管理サーバ、/usr/kerberos/sbin/kadmind のみが、 その他のファイルを使用するサービスです。(それは /var/kerberos/krb5kdc/kadm5.keytabを使用します)。
kinitコマンドにより、ログインしている プリンシパルは最初の TGT (Ticket Granting Ticket)を取得してキャッシュに保存することができます。詳細については、kinit の man ページを 参照してください。
root[/instance]@REALM. For a typical user, the root is the same as their login ID. The instance is optional. If the principal has an instance, it is separated from the root with a forward slash ("/"). An empty string ("") is considered a valid instance (which differs from the default NULL instance), but using it can be confusing. All principals in a realm have their own key, which for users is derived from a password or is randomly set for services.
kinit プログラムで送信することもできます。
kinit program on the client then decrypts the TGT using the user's key, which it computes from the user's password. The user's key is used only on the client machine and is not transmitted over the network.
ntpd. Refer to /usr/share/doc/ntp-<version-number>/index.html for details on setting up Network Time Protocol servers (where <version-number> is the version number of the ntp package installed on your system).
/usr/share/doc/krb5-server-<version-number> for more information (where <version-number> is the version number of the krb5-server package installed on your system).
pam_krb5モジュール( pam_krb5パッケージで提供されます)がインストールされているならば、認証用に Kerberos を利用できます。pam_krb5 パッケージには、login や gdm などのサービスで、ユーザーを認証したり、ユーザーのパスワードを使って初期証明書を取得したりすることを可能にする、サンプルの設定ファイルが含まれています。ネットワークサービスに対するアクセスが、常に kerberos 化したサービス又は IMAP などの GSS-API を使用したサービスを使用して行われるならば、そのネットワークは十分に安全だと考えることができます。
ntp package for this purpose. Refer to /usr/share/doc/ntp-<version-number>/index.html (where <version-number> is the version number of the ntp package installed on your system) for details about how to set up Network Time Protocol servers, and http://www.ntp.org for more information about NTP.
krb5-libs、 krb5-server、krb5-workstationを インストールします。このマシンは特に安全が確保されることが必要です。 — できれば KDC 以外のサービスは実行しないでください。
/etc/krb5.conf と /var/keberos/krb5kdc/kdc.conf 設定ファイルを編集して realm 名とドメイン - realm のマッピングを反映します。 単純な realm なら、EXAMPLE.COM と example.com インスタンスの部分に、 正しいドメイン名 (適切な形式で大文字、小文字が 正しいか確認してください) を入れ、 KDC を kerberos.example.com から Kerberos のサーバー名に変更することで、構築できます。慣例では、全ての realm 名は大文字で、DNS ホスト名とドメイン名は小文字になっています。これら設定ファイルの形式の詳細については、該当する man ページを参照してください。
krb5_utilユーティリティを使ってデータベースを作成します:
/usr/kerberos/sbin/kdb5_util create -screate コマンドは、 Kerberos realm の鍵を格納するためのデータベースを作成します。-s スイッチは、マスターサーバー鍵を格納する stashファイルを作成を強制します。鍵を読むための stash ファイルが無い場合は、Kerberos サーバー( krb5kdc) は起動する度に、ユーザーにマスターサーバーパスワード(鍵を 再生成するのに使用) の入力を 促します。
/var/kerberos/krb5kdc/kadm5.acl ファイルを編集します。このファイルは kadmind で使用され、どのプリンシパルが Kerberos データベースに管理アクセスを持つかを決定し、また、それぞれのプリンシパルのアクセスレベルを決定します。ほとんどの企業組織では以下の様な一行で編集することができます:
*/admin@EXAMPLE.COM *
kadmind がサーバー上で起動すると、realm 内のクライアントやサーバーから kadminを実行する事で、どのユーザーもそのサービスにアクセスできます。しかし、kadm5.acl ファイルに記載されているユーザだけが、自身のパスワード変更を除き、どのような変更もデーターベースに 対して行えます。
kadmin ユーティはネットワーク上の kadmind サーバーと 通信しており、Kerberos を使って認証を処理します。このため、ネットワークを介してサーバーに接続する前に、それを管理する最初のプリンシパルが存在しなければなりません。 kadmin.local コマンドを使用して最初のプリンシパルを作成します。これは特に KDC と同じホストで使用するようになっており、認証に Kerberos を使用しません。
kadmin.localコマンドを入力します:
/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"service krb5kdc startservice kadmin startservice krb524 start
kadmin で addprinc コマンドを使用して ユーザーのためのプリンシパルを追加します。kadminとkadmin.local は KDC の コマンドラインインターフェイスです。 この中では、kadminプログラムを起動した後に addprinc などの多くのコマンドが利用できます。詳細は kadminの man ページを参照 してください。
kinit を 実行してチケットを生成し、証明書キャッシュファイルに格納します。それから、klistを使用してキャッシュ内の証明書一覧を表示します。 kdestroyを用いて、キャッシュとキャッシュ内の証明書を破棄します。
kinit attempts to authenticate using the same system login username (not the Kerberos server). If that username does not correspond to a principal in the Kerberos database, kinit issues an error message. If that happens, supply kinit with the name of the correct principal as an argument on the command line (kinit <principal>).
krb5.conf configuration file. While ssh and slogin are the preferred method of remotely logging in to client systems, Kerberized versions of rsh and rlogin are still available, though deploying them requires that a few more configuration changes be made.
krb5-libsと krb5-workstation パッケージをインストールしてください。それぞれのクライアントには、1つの有効な /etc/krb5.conf ファイルを供給してください (通常これは、KDC で使用されるのと同じ krb5.confファイルです)。
ssh or Kerberized rsh or rlogin, it must have its own host principal in the Kerberos database. The sshd, kshd, and klogind server programs all need access to the keys for the host service's principal. Additionally, in order to use the kerberized rsh and rlogin services, that workstation must have the xinetd package installed.
kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the -randkey option for the kadmin's addprinc command to create the principal and assign it a random key:
addprinc -randkey host/blah.example.comkadminを実行し、 kadminの中の ktaddコマンドを使って、ワークステーション用の鍵を引き出せます。
ktadd -k /etc/krb5.keytab host/blah.example.comssh — OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.
rshとrlogin — rshとrloginのKerberos 化したバージョンを 使うには、klogin、eklogin、kshell が有効でなければなりません。
krb5-telnetを有効にする必要があります。
ftpの root でプリンシパル用の鍵を作成し、引き出す必要があります。FTP サーバの完全修飾形のホスト名への事例を設定して、それから gssftp を有効にします。
cyrus-sasl-gssapiパッケージもインストールしているなら、 cyrus-imap パッケージは Kerberos 5を使用します。 cyrus-sasl-gssapi パッケージには、GSS-API 認証を サポートする Cyrus SASL プラグインが含まれています。Cyrus IMAP は cyrus のユーザーが /etc/krb5.keytab 内に適切なキーを見付けることが出来る限り、Kerberos で正しく機能して、プリンシパルの root は imap (kadminで作成)に セットされます。
cyrus-imap can be found in the dovecot package, which is also included in Red Hat Enterprise Linux. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos.
gserverは、 cvsの root で プリンシパルを使用しますが、 その他の面では CVS pserverと同じです。
foo.example.org → EXAMPLE.ORG
foo.example.com → EXAMPLE.COM
foo.hq.example.com → HQ.EXAMPLE.COM
krb5.conf. For example:
[domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
kadmind (it is also your realm's admin server), and one or more KDCs (slave KDCs) keep read-only copies of the database and run kpropd.
krb5.conf and kdc.conf files are copied to the slave KDC.
kadmin.local from a root shell on the master KDC and use its add_principal command to create a new entry for the master KDC's host service, and then use its ktadd command to simultaneously set a random key for the service and store the random key in the master's default keytab file. This key will be used by the kprop command to authenticate to the slave servers. You will only need to do this once, regardless of how many slave servers you install.
~]#kadmin.local -r EXAMPLE.COMAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin:add_principal -randkey host/masterkdc.example.comPrincipal "host/host/masterkdc.example.com@EXAMPLE.COM" created. kadmin:ktadd host/masterkdc.example.comEntry for principal host/masterkdc.example.com with kvno 3, encryption type Triple DES cbc mode with \ HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 \ added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added \ to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 \ added to keytab WRFILE:/etc/krb5.keytab. kadmin:quit
kadmin from a root shell on the slave KDC and use its add_principal command to create a new entry for the slave KDC's host service, and then use kadmin's ktadd command to simultaneously set a random key for the service and store the random key in the slave's default keytab file. This key is used by the kpropd service when authenticating clients.
~]#kadmin -p jimbo/admin@EXAMPLE.COM -r EXAMPLE.COMAuthenticating as principal jimbo/admin@EXAMPLE.COM with password. Password for jimbo/admin@EXAMPLE.COM: kadmin:add_principal -randkey host/slavekdc.example.comPrincipal "host/slavekdc.example.com@EXAMPLE.COM" created. kadmin:ktadd host/slavekdc.example.com@EXAMPLE.COMEntry for principal host/slavekdc.example.com with kvno 3, encryption type Triple DES cbc mode with \ HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added \ to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added \ to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added \ to keytab WRFILE:/etc/krb5.keytab. kadmin:quit
kprop service with a new realm database. To restrict access, the kprop service on the slave KDC will only accept updates from clients whose principal names are listed in /var/kerberos/krb5kdc/kpropd.acl. Add the master KDC's host service's name to that file.
~]# echo host/masterkdc.example.com@EXAMPLE.COM > /var/kerberos/krb5kdc/kpropd.acl/var/kerberos/krb5kdc/.k5.REALM, either copy it to the slave KDC using any available secure method, or create a dummy database and identical stash file on the slave KDC by running kdb5_util create -s (the dummy database will be overwritten by the first successful database propagation) and supplying the same password.
kprop service. Then, double-check that the kadmin service is disabled.
kprop command will read (/var/kerberos/krb5kdc/slave_datatrans), and then use the kprop command to transmit its contents to the slave KDC.
~]#/usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans~]#kprop slavekdc.example.com
kinit, verify that a client system whose krb5.conf lists only the slave KDC in its list of KDCs for your realm is now correctly able to obtain initial credentials from the slave KDC.
kprop command to transmit the database to each slave KDC in turn, and configure the cron service to run the script periodically.
A.EXAMPLE.COM to access a service in the B.EXAMPLE.COM realm, both realms must share a key for a principal named krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM, and both keys must have the same key version number associated with them.
~]#kadmin -r A.EXAMPLE.COMkadmin:add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COMEnter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created. kadmin:quit~]#kadmin -r B.EXAMPLE.COMkadmin:add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COMEnter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created. kadmin:quit
get_principal command to verify that both entries have matching key version numbers (kvno values) and encryption types.
add_principal command's -randkey option to assign a random key instead of a password, dump the new entry from the database of the first realm, and import it into the second. This will not work unless the master keys for the realm databases are identical, as the keys contained in a database dump are themselves encrypted using the master key.
A.EXAMPLE.COM realm are now able to authenticate to services in the B.EXAMPLE.COM realm. Put another way, the B.EXAMPLE.COM realm now trusts the A.EXAMPLE.COM realm, or phrased even more simply, B.EXAMPLE.COM now trusts A.EXAMPLE.COM.
B.EXAMPLE.COM realm may trust clients from the A.EXAMPLE.COM to authenticate to services in the B.EXAMPLE.COM realm, but the fact that it does has no effect on whether or not clients in the B.EXAMPLE.COM realm are trusted to authenticate to services in the A.EXAMPLE.COM realm. To establish trust in the other direction, both realms would need to share keys for the krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM service (take note of the reversed in order of the two realms compared to the example above).
A.EXAMPLE.COM can authenticate to services in B.EXAMPLE.COM, and clients from B.EXAMPLE.COM can authenticate to services in C.EXAMPLE.COM, then clients in A.EXAMPLE.COM can also authenticate to services in C.EXAMPLE.COM, even if C.EXAMPLE.COM doesn't directly trust A.EXAMPLE.COM. This means that, on a network with multiple realms which all need to trust each other, making good choices about which trust relationships to set up can greatly reduce the amount of effort required.
service/server.example.com@EXAMPLE.COM
EXAMPLE.COM is the name of the realm.
domain_realm section of /etc/krb5.conf to map either a hostname (server.example.com) or a DNS domain name (.example.com) to the name of a realm (EXAMPLE.COM).
A.EXAMPLE.COM, B.EXAMPLE.COM, and EXAMPLE.COM. When a client in the A.EXAMPLE.COM realm attempts to authenticate to a service in B.EXAMPLE.COM, it will, by default, first attempt to get credentials for the EXAMPLE.COM realm, and then to use those credentials to obtain credentials for use in the B.EXAMPLE.COM realm.
A.EXAMPLE.COM, authenticating to a service in B.EXAMPLE.COM:
A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
A.EXAMPLE.COM and EXAMPLE.COM share a key for krbtgt/EXAMPLE.COM@A.EXAMPLE.COM
EXAMPLE.COM and B.EXAMPLE.COM share a key for krbtgt/B.EXAMPLE.COM@EXAMPLE.COM
SITE1.SALES.EXAMPLE.COM, authenticating to a service in EVERYWHERE.EXAMPLE.COM:
SITE1.SALES.EXAMPLE.COM → SALES.EXAMPLE.COM → EXAMPLE.COM → EVERYWHERE.EXAMPLE.COM
SITE1.SALES.EXAMPLE.COM and SALES.EXAMPLE.COM share a key for krbtgt/SALES.EXAMPLE.COM@SITE1.SALES.EXAMPLE.COM
SALES.EXAMPLE.COM and EXAMPLE.COM share a key for krbtgt/EXAMPLE.COM@SALES.EXAMPLE.COM
EXAMPLE.COM and EVERYWHERE.EXAMPLE.COM share a key for krbtgt/EVERYWHERE.EXAMPLE.COM@EXAMPLE.COM
DEVEL.EXAMPLE.COM and PROD.EXAMPLE.ORG):
DEVEL.EXAMPLE.COM → EXAMPLE.COM → COM → ORG → EXAMPLE.ORG → PROD.EXAMPLE.ORG
DEVEL.EXAMPLE.COM and EXAMPLE.COM share a key for krbtgt/EXAMPLE.COM@DEVEL.EXAMPLE.COM
EXAMPLE.COM and COM share a key for krbtgt/COM@EXAMPLE.COM
COM and ORG share a key for krbtgt/ORG@COM
ORG and EXAMPLE.ORG share a key for krbtgt/EXAMPLE.ORG@ORG
EXAMPLE.ORG and PROD.EXAMPLE.ORG share a key for krbtgt/PROD.EXAMPLE.ORG@EXAMPLE.ORG
capaths section of /etc/krb5.conf, so that clients which have credentials for one realm will be able to look up which realm is next in the chain which will eventually lead to the being able to authenticate to servers.
capaths section is relatively straightforward: each entry in the section is named after a realm in which a client might exist. Inside of that subsection, the set of intermediate realms from which the client must obtain credentials is listed as values of the key which corresponds to the realm in which a service might reside. If there are no intermediate realms, the value "." is used.
[capaths]
A.EXAMPLE.COM = {
B.EXAMPLE.COM = .
C.EXAMPLE.COM = B.EXAMPLE.COM
D.EXAMPLE.COM = B.EXAMPLE.COM
D.EXAMPLE.COM = C.EXAMPLE.COM
}A.EXAMPLE.COM realm can obtain cross-realm credentials for B.EXAMPLE.COM directly from the A.EXAMPLE.COM KDC.
C.EXAMPLE.COM realm, they will first need to obtain necessary credentials from the B.EXAMPLE.COM realm (this requires that krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM exist), and then use those credentials to obtain credentials for use in the C.EXAMPLE.COM realm (using krbtgt/C.EXAMPLE.COM@B.EXAMPLE.COM).
D.EXAMPLE.COM realm, they will first need to obtain necessary credentials from the B.EXAMPLE.COM realm, and then credentials from the C.EXAMPLE.COM realm, before finally obtaining credentials for use with the D.EXAMPLE.COM realm.
A.EXAMPLE.COM realm can obtain cross-realm credentials from B.EXAMPLE.COM realm directly. Without the "." indicating this, the client would instead attempt to use a hierarchical path, in this case:
A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
/usr/share/doc/krb5-server-<version-number>/ directory (where <version-number> is the version number of the krb5-server package installed on your system).
/usr/share/doc/krb5-workstation-<version-number>/ directory (where <version-number> is the version number of the krb5-workstation package installed on your system).
man kerberos — Kerberos システムの基本です。 証明書の働きや Kerberos チケットの発行/破棄に関する推奨が説明されています。 man ページの下部には、関連する man ページの参照番号が記載されています。
man kinit — このコマンドを使用した TGT (ticket-granting ticket) の取得とキャッシュ保存の仕方を説明しています。
man kdestroy — このコマンドを使用した kerberos 証明書の破棄の仕方を説明しています。
man klist — このコマンドを使用して、キャッシュ保存されている Kerberos 証明書の一覧表示方法を説明しています。
man kadmin — このコマンドを使用した Kerberos V5 データベースの管理方法を説明しています。
man kdb5_util — Kerberos V5 データベース上で、このコマンドを使用しての低レベル管理機能の作成/実行方法を説明しています。
man krb5kdc — Kerberos V5 KDC 用の利用できるコマンドラインオプションを説明します。
man kadmind — Kerberos V5 管理サーバー用の利用できるコマンドラインオプションを説明しています。
man krb5.conf — Kerberos V5 ライブラリ用の設定ファイル内で使用するフォーマットとオプションを説明しています。
man kdc.conf — Kerberos V5 AS とKDC 用の設定 ファイル内で利用できるフォーマットとオプションを説明しています。
racoon キーデーモンは、 IKE キー配付と交換を処理します。このデーモンに関する詳細は racoon man ページを参照してください。
ipsec-tools RPM パッケージをインストールする必要があります。 RPM パッケージには基本のライブラリ、デーモン、及び IPsec 接続の設定に役立つ設定ファイルが入っています。そして以下を含みます:
/sbin/setkey — カーネル内 IPsec のキー管理とセキュリティ属性を処理します。この実行可能ファイルは racoon キー管理デーモンにより制御されます。詳細は setkey(8) manページを参照してください。
/usr/sbin/racoon — the IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems.
/etc/racoon/racoon.conf — 接続内で使用される認証方法や暗号化アルゴリズムなど、 IPsec 接続の各種事項を設定するのに使用される racoon デーモン設定ファイルです。使用できるディレクティブの総合一覧は、 racoon.conf(5) man ページを参照してください。
system-config-network を入力して、 ネットワーク管理ツール を開始します。
ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click to continue.
racoon デーモンが暗号化キーを担当します。自動暗号化を使用したい場合、 ipsec-tools パッケージをインストールしなければなりません。
ifconfig <device><device> is the Ethernet device that you want to use for the VPN connection.
eth0 Link encap:Ethernet HWaddr 00:0C:6E:E8:98:1D
inet addr:172.16.44.192 Bcast:172.16.45.255 Mask:255.255.254.0inet addr: ラベルの後に続く、番号です。
service network restart
/etc/sysconfig/network-scripts/ifcfg-<nickname>
/etc/sysconfig/network-scripts/keys-<nickname>
/etc/racoon/<remote-ip>.conf
/etc/racoon/psk.txt
/etc/racoon/racoon.conf も作成されます。
/etc/racoon/racoon.conf is modified to include <remote-ip>.confipsec1 のような独自の名前。これは IPsec 接続を識別する為と、それを他のデバイスや接続と区別する為に使用されます。
racoon で自動的に生成されるキー
Key_Value01 を持つ事前共有キーを使い接続し、ユーザーは racoon で各ホスト間の認証キーを自動生成、共有することに同意しています。両方のホストユーザーはその接続名を ipsec1 にしました。
ipsec1 ですので、その結果のファイル名は /etc/sysconfig/network-scripts/ifcfg-ipsec1 になります。
DST=X.X.X.X
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSKX.X.X.X にワークステーション B の IP アドレスを入れますが、ワークステーション B では X.X.X.X にワークステーション A の IP アドレスを入れます。起動時に接続は開始されないよう設定され (ONBOOT=no)、 認証には事前共有キーの方法を使用します (IKE_METHOD=PSK)。
/etc/sysconfig/network-scripts/keys-ipsec1 と呼ばれる、事前共有キーファイルの内容を示します。両方のワークステーションがお互いを認証するのに使います。このファイルの内容は両方のワークステーションで同じでなければならず、また、 root ユーザーのみがこのファイルの読み取り/書き込みをできる状態であるべきものです。
IKE_PSK=Key_Value01
keys-ipsec1 ファイルを変更するには、ファイルを作成してから次のコマンドを実行します:
chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1keys-ipsec1 ファイルを編集します。 正常な接続には、両方のキーが同じでなければなりません。
X.X.X.X.confX.X.X.X には、リモート IPsec ホストの IP アドレスを入れます)。このファイルは、 IPsec トンネルが起動されると自動的に生成されるため、直接編集しないように注意してください。
remote X.X.X.X
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}X.X.X.XX.X.X.X IP アドレスで識別されたリモートノードに対してのみ適用されることを定義します。
/etc/racoon/racoon.conf files should be identical on all IPsec nodes except for the include "/etc/racoon/X.X.X.X.conf" statement. This statement (and the file it references) is generated when the IPsec tunnel is activated. For Workstation A, the X.X.X.X in the include statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical racoon.conf file when the IPsec connection is activated.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf";racoon.conf ファイルには、 IPsec 設定用の定義されたパス、事前共有キー、及び証書が含まれています。 sainfo anonymous のフィールドは IPsec ノード間の第2段階 SA を 説明しています。 — IPsec 接続の性格 (使用されるサポート付暗号化アルゴリズムを含む) と交換キーの方法。次のリストは第2段階のフィールドを定義しています:
modp1024) を使用します。グループ 2 は、 1024 ビットモジュラーべき乗を使い、 これはプライベートキーが侵略されても、 以前の IPsec 送信に対する攻撃者からの解読を防止します。
ifup <nickname>tcpdump utility to view the network packets being transferred between the hosts and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example:
~]# tcpdump -n -i eth0 host <targetSystem>
IP 172.16.45.107 > 172.16.44.192: AH(spi=0x0954ccb6,seq=0xbb): ESP(spi=0x0c9f2164,seq=0xbb)
ipsec1 のような独自の名前。これは IPsec 接続を識別する為と、それを他のデバイスや接続と区別する為に使用されます。
racoon で自動的に生成されるキー
system-config-network を入力して、 ネットワーク管理ツール を開始します。
ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click to continue.
racoon デーモンが暗号化キーを担当します。自動暗号化を使用したい場合、 ipsec-tools パッケージをインストールしなければなりません。
192.168.1.0 を入力し ipsec0 の設定には 192.168.2.0 を入力しています。
/etc/sysctl.conf and set net.ipv4.ip_forward to 1.
sysctl -p /etc/sysctl.confr3dh4tl1nux で事前共有キーを使用し、 A と B の管理者は各 IPsec ルータ間の認証キーが racoon により自動生成され共有されることに同意しています。 LAN A の管理者は IPsec 接続の名前を ipsec0 にし、 LAN B の管理者は IPsec 接続の名前を ipsec1 にしています。
ifcfg ファイルを示します。この例の接続を識別する固有名は ipsec0 ですので、そのファイルは /etc/sysconfig/network- scripts/ifcfg-ipsec0 という名前になります。
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.2.254
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X/etc/sysconfig/network-scripts/keys-ipsecX (X は、 0 を LAN A 用に、 1 を LAN B 用に入れる) と呼ばれる事前共有キーファイルの内容を示します。このファイルの内容は同一でなければならず、また、このファイルを読み取り/書き込みできるのは root ユーザーだけにする必要があります。
IKE_PSK=r3dh4tl1nux
keys-ipsecX ファイルを変更するには、ファイルを作成した後に次のコマンドを実行します:
chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1keys-ipsecX ファイルを編集します。 両方のキーが同一でなければ正しい接続はできません。
/etc/racoon/racoon.conf 設定ファイルを示します。ファイルの下部の include 行は自動的に生成されますが、 IPsec トンネルが実行中の場合のみ、現れることに注意して下さい。
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf"X.X.X.X.confX.X.X.X は、リモート IPsec ルータの IP アドレスになります)。このファイルは、 IPsec トンネルが起動されると自動的に生成されるため、直接、変更しないよう注意してください。
remote X.X.X.X
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}/etc/sysctl.conf and set net.ipv4.ip_forward to 1.
sysctl -p /etc/sysctl.confifup ipsec0ifup を実行して呼び出された初期化スクリプトを通じてルートが自動的に作成されます。ネットワークのルート一覧を表示するには、次のコマンドを実行します。
ip route listtcpdump utility on the externally-routable device (eth0 in this example) to view the network packets being transferred between the hosts (or networks), and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, use the following command:
tcpdump -n -i eth0 host lana.example.com12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \ lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \ (ipip-proto-4)
ifup <nickname><nickname> is the nickname configured earlier, such as ipsec0.
ifdown <nickname>| 方法 | 詳細 | 長所 | 短所 | ||||||
|---|---|---|---|---|---|---|---|---|---|
| NAT | NAT (Network Address Translation) は、プライベート IP サブネットワークを 1 つのパブリック IP アドレスまたは小規模なパブリック IP アドレスの集合の後に配置して、幾つかのソースにではなく1つのソースに全ての要求を出すようなマスカレード (偽装) をします。 Linux カーネルには Netfilter カーネルサブシステムを使用するビルトインの NAT 機能があります。 |
|
| ||||||
| パケットフィルタ | パケットフィルタリングファイアウォールは、 LAN を通過する各データパケットを読み取ります。ヘッダ情報でパケットを読み込んでから処理して、ファイアウォール管理者により実践されているプログラム可能なルールに基づいてパケットをフィルタします。 Linux カーネルには Netfilter カーネルサブシステムを使ったビルトインのパケットフィルタリング機能をがあります。 |
|
| ||||||
| プロキシ | プロキシファイアウォールは、 LAN クライアントからプロキシマシンへの特定のプロトコルまたはタイプの要求すべてをフィルタします。次に、その要求をローカルクライアントに代わってインターネットに送ります。プロキシマシンは、悪意あるリモートユーザーとネットワーククライアントマシン間のバッファとして動作します。 |
|
|
IPTables ツールで制御します。
iptables 管理ツールで実装します。構文は前身である ipchains に似ているコマンドラインツールです。
ipchains は、送信元パスのフィルタリング、送信先パスのフィルタリング、送信元と送信先両方の接続ポートのフィルタリングのため複雑なルールセットを必要とします。
iptables は Netfilter サブシステムを使用してネットワーク接続、検閲、処理を強化します。 iptables は高度なログ機能、 pre- と post- のルーティング動作、ネットワークアドレス変換、ポートフォワーディング機能などをすべて1つのコマンドラインインターフェースで実現します。
iptables. For more detailed information, refer to 「IPTables」.
system-config-securitylevel
iptables rules.
/etc/sysconfig/iptables ファイルに格納されます。 無効 を選択して をクリックすると、これらの設定とファイアウォールのルールは失われます。
httpd パッケージがインストールされている必要があります。
vsftpd パッケージがインストールされている必要があります。
openssh-server パッケージがインストールされている必要があります。
telnet-server パッケージがインストールされている必要があります。
fetchmail. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
iptables. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the Other ports section:
194:tcp,631:tcp
iptables コマンドに対して変換されて /etc/sysconfig/iptables ファイルに書き込まれます。また、 iptables サービスが起動されるため、選択オプションを保存すると直ちにファイアウォールが起動されます。 ファイアウォールを無効にする を選んだ場合、 /etc/sysconfig/iptables ファイルが削除されて直ちに iptables サービスが停止します。
/etc/sysconfig/system-config-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
iptables service is not configured to start automatically at boot time. Refer to 「IPTables サービスをアクティブにする」 for more information.
iptables サービスが実行中の場合にのみファイアウォールのルールはアクティブになります。手作業でこのサービスを起動するには、次のコマンドを使用します。
service iptables restartiptables が必ず起動するようにするには、次のコマンドを使用します。
chkconfig --level 345 iptables onipchains サービスは Red Hat Enterprise Linux に含まれていません。ただし、 ipchains がインストールされている場合は (例えば、アップグレードを行いシステムに前回 ipchains がインストールされていた場合)、 ipchains サービスと iptables サービスを同時にアクティブにしないでください。 ipchains サービスが無効になっていてブート時に起動するよう設定されていないことを確認するには、次の 2 つのコマンドを使用します。
service ipchains stopchkconfig --level 345 ipchains off
iptablesを使うには、まず iptables サービスを起動します。次のコマンドを使用して iptables サービスを起動します。
service iptables startiptables サービスしか使用しない予定の場合は、 ip6tables サービスをオフにすることができます。 ip6tables サービスを解除する場合、 IPv6 ネットワークも解除するのを忘れないようにしてください。ファイアウォールと一致しないネットワークデバイスは、絶対にアクティブな状態にしないでください。
iptables を強制起動させるには、次のコマンドを使用します。
chkconfig --level 345 iptables oniptables はシステムがランレベル 3、 4、 5、のいずれかでブートすると必ず強制的に起動されます。
iptables コマンドの例では基本的なコマンドの構造を示しています。
iptables -A <chain> -j <target>-A option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.
-j <target> option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.
iptables の man ページを参照してください。
iptables チェーンはデフォルトのポリシーと、デフォルトポリシーと連携して動作する 0 またはそれ以上のルールとで構成され、ファイアウォールの全体的なルールセットを定義します。
iptables -P INPUT DROPiptables -P OUTPUT DROP
iptables -P FORWARD DROPiptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPTiptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPTiptables ルールセットを作成する場合、順序が重要になります。
-I オプションを使用します。例えば、
iptables -I INPUT 1 -i lo -p all -j ACCEPTiptables がリモート SSH クライアントからの接続を受けるよう設定します。例えば、次のようなルールによりリモート SSH アクセスを許可します。
iptables -A INPUT -p tcp --dport 22 -j ACCEPTiptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables フィルタールールを持つ Network Address Translation (NAT) を使用することができます。
FORWARD と NAT のルールiptables はネットワークリソースの異常な使用を防ぐために実装できるルーティング及びフォワーディングのポリシーを提供しています。
FORWARD チェーンを使用することで管理者は LAN 内でパケットがルーティングされる場所を制御することができます。例えば、 LAN 全体にフォワーディングを許可するには (ファイアウォール/ゲートウェイが内部 IP アドレスを eth1 に持っていると仮定) 、次のルールを使用します。
iptables -A FORWARD -i eth1 -j ACCEPTiptables -A FORWARD -o eth1 -j ACCEPT
eth1 デバイス経由で全パケットを渡します。
sysctl -w net.ipv4.ip_forward=1/etc/sysctl.conf ファイルを編集します。
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
sysctl.conf ファイルヘの変更を有効にします。
sysctl -p /etc/sysctl.confiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0).
-j MASQUERADE ターゲットは、あるノードのプライベート IP アドレスをファイアーウォール/ゲートウェイの 外部 IP アドレスでマスクするように指定されます。
-j DNAT ターゲットを使用して、内部サービスへの接続を要求している着信パケットがフォワードできる目的地の IP アドレスとポートを指定することができます。
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPTiptablesルールを設定することができます。 DMZ はインターネットなどの公共キャリア上でサービスを提供することを目的とした特殊なローカルサブネットワークです。
PREROUTING テーブルを使用させてパケットを適切な目的地に転送するようにさせます。
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROPiptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROPDROP ターゲットと REJECT ターゲットとの間には相異点があります。
REJECT ターゲットは、アクセスを拒否してそのサービスに接続を試行するユーザーに connection refused のエラーを返します。 DROP ターゲットは名前の通り、何の警告もせずにパケットをドロップします。
REJECT ターゲットの使用が推奨されます。
iptables 内のモジュールは 接続トラッキング と呼ばれるメソッドを使用して着信接続に関する情報を保存します。次のような接続状態を基にしてアクセスの許可や拒否をすることができます。
NEW — HTTP 要求などの新規の接続を要求しているパケット
ESTABLISHED — 既存接続の一部であるパケット
RELATED — 新規の接続を要求しているが、既存接続の一部であるパケット。例えば、 FTP は接続の確立にポート 21 を使用するが、データは別のポート上で転送される (一般的にはポート 20)。
INVALID — connection tracking 表内でのいずれの接続の一部でもないパケット。
iptables の接続トラッキングのステートフル機能を使用できます。次の例では、接続トラッキングを使用して確立済みの接続に関連したパケットのみをフォワードするルールを示しています。
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPTip6tables コマンドを使用する IPv6 ファイアウォールのルールに対応しています。 Red Hat Enterprise Linux 5 では、 IPv4 と IPv6 いずれもデフォルトで有効になっています。
ip6tables コマンド構文は、 128 ビットアドレスをサポートする点以外あらゆる面で iptables と同じです。例えば、 IPv6 対応のネットワークサーバー上の SSH 接続は以下のようなコマンドで有効にできます。
ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPTiptables command, including definitions for many command options.
iptables の man ページには、各種オプションの簡単な概要も記載されています。
iptables プロジェクトの公式ホームページです。
iptables などのオープンソースパケットフィルタリング技術を使用したネットワークとサーバーのファイアウォール構築に関する総合的な参考文献になります。ファイアウォールログの解析、ファイアウォールルールの開発、各種グラフィカルツールを使用したファイアウォールのカスタマイズなどについてのトピックが含まれています。
ipchains、及び Netfilter と iptables の両方を使ったファイアウォールの構築に関する豊富な情報が満載されています。リモートアクセスの問題や侵入検知システムなどのセキュリティ事項についても触れられています。
ipchains に依存しており、フィルタリングプロセスの各ステップでパケットに適用される規則の一覧を使用していました。バージョン 2.4 の到来により、 iptables (netfilter とも呼ばれる) が導入されました。これは ipchains と似ていますが、ネットワークパケットのフィルタリングに利用できる範囲や制御が大幅に拡張しています。
ipchains と iptables の違いを明確にして、 iptables コマンドで使用できるさまざまなオプションを説明します。また、システムを再起動する際にフィルタリング規則を保持する方法を説明しています。
iptables rules and setting up a firewall based on these rules.
iptables です。しかし、 ipchains が既に起動している場合、 iptables を使う事ができません。 ipchains がシステム起動時に存在すると、カーネルはエラーを表示し iptables の起動に失敗します。
ipchains の機能に影響を与えるものではありません。
filter — ネットワークパケットを処理するデフォルトのテーブル。
nat — 新規接続を作成するパケットの変更、及び Network Address Translation (NAT) に使用。
mangle — パケット変更の特定タイプに使用。
netfilter によってパケットに実行されるアクションに相当します。
フィルタ テーブル用の組込み型チェーンは以下のようになります:
nat テーブル用の組込み型チェーンは以下のようになります:
mangle テーブルの組込み型チェーンは以下の様になります:
/etc/sysconfig/iptables か、又は /etc/sysconfig/ip6tables ファイルに保存されます。
iptables サービスは、 Linux システムの起動時に DNS-関連のサービスの前に始まります。このことは、ファイヤーウォール規則が数値の IP アドレス (例:192.168.0.1) のみを参照すると言う意味になります。ドメイン名 (例: host.example.com) はこのような規則ではエラーを発生します。
ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.
ACCEPT、 DROP、 REJECT、 QUEUE のいずれかのデフォルトポリシーを持っています。このチェーン内の規則のどれもパケットに適応しない場合、パケットはデフォルトポリシーに従って扱われます。
iptables コマンドはこれらのテーブルを設定するだけでなく、必要であれば、新しいテーブルのセットアップもします。
ipchains と iptables は両方とも、指定規則や規則セットへの適合を基にしてパケットをフィルターする為に Linux カーネル内で動作する規則のチェーンを使用します。しかし、 iptables を使用するとより拡張性のある方法でパケットをフィルタリングできるので、管理者は複雑な作業をせずに、きめ細かい制御を行うことができます。
iptables と ipchains の重要な相違について以下の点に注意して下さい:
iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. ipchains を使用してシステムに入ってきた FORWARD パケットは、 INPUT、 FORWARD、 OUTPUT の各チェーンを通らないと送信先に進めません。ところが、 iptables では、送信先がローカルシステムの場合は INPUT チェーンへ、ローカルシステムがパケットを生成した場合は OUTPUT チェーンのみにパケットが送信されます。この理由で、パケットを実際に調べる規則の中で特定のパケットを取り込む様に設計された規則を用意するのは重要なことになります。
ipchains では、チェーン内の規則に一致したパケットは DENY ターゲットに送られます。このターゲットは iptables の中では DROP に変更されなければいけません。
ipchains では、規則オプションの順序は重要ではありません。
iptables コマンドでは、もっと厳密な構文を使用します。 iptables コマンドの中のプロトコル (ICMP、TCP、UDP) は、送信元、又は送信先のポートの前で指定する必要があります。
-i オプション) では FORWARD 又は OUTPUT チェーン内でのみ使用できます。同様に発信インターフェイス (-o オプション) は FORWARD 又は OUTPUT チェーン内でのみ使用できます。
iptables コマンドを使用して作成されます。以下のようなパケットの要点が基準としてよく使用されます:
iptables 規則で使用されるオプションは、規則を有効にする為に、規則全体の目的と条件を元にして論理的にグループ化する必要があります。これ以降のセクションでは iptables コマンドによく使われるオプションを説明していきます。
iptables コマンドの構成は、次のようになります:
iptables [-t<table-name>]<command><chain-name>\<parameter-1><option-1>\<parameter-n><option-n>
<table-name> — Specifies which table the rule applies to. If omitted, the filter table is used.
<command> — Specifies the action to perform, such as appending or deleting a rule.
<chain-name> — Specifies the chain to edit, create, or delete.
<parameter>-<option> pairs — Parameters and associated options that specify how to process a packet that matches the rule.
iptables コマンドの長さと複雑性は、その目的に応じて大幅に変更可能です。
iptables -D <chain-name> <line-number>
iptables コマンドを構成する時には、幾つかのパラメータとオプションは、有効な規則を作る為に更なるパラメータとオプションが必要となることを忘れないで下さい。そうすることにより、別のパラメータを必要とするパラメータにより、キャスケード効果を創造できます。追加のオプションを必要とする全てのパラメータとオプションが全て満足された状態になるまで、規則は有効ではありません。
iptables -h と入力すると、 iptables コマンドの構成の総合一覧が表示されます。
iptables が特定の動作を行なうよう指示します。1つの iptables コマンドにつき使用できるコマンドオプションは1つだけです。ヘルプコマンドを除くすべてのコマンドは大文字で作成します。
iptables のコマンドには、次のようなものがあります:
-A — 指定されたチェーンの最後に規則を追加します。以下に説明のある -I オプションとは異り、これは正数の引数は使用しません。規則は常に指定のチェーンの最後に追加します。
-C — 指定したチェーンに追加する前に特定の規則をチェックします。このコマンドは、パラメータとオプションを追加するときにプロンプトが表示されるので、複雑な iptables 規則を作成する場合に便利です。
-D <integer> | <rule> — Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain), or by rule specification. The rule specification must exactly match an existing rule.
-E — ユーザー定義のチェーンを改名します。ユーザー定義のチェーンはデフォルトで既存チェーン以外の全てのチェーンのことです (ユーザー定義のチェーンの作成には、以下の -N オプションを参照)。これは化粧的な変更であり、テーブルの構成には影響しません。
Match not found エラーを表示します。デフォルトチェーンは改名できません。
-F — 選択したチェーンを洗浄して、そのチェーンからすべての規則を削除します。チェーンを指定しない場合は、すべてのチェーンのすべての規則が削除されます。
-h — コマンドの構成の一覧とコマンドパラメータ、オプションの簡単な説明などが表示されます。
-I [<integer>] — Inserts the rule in the specified chain at a point specified by a user-defined integer argument. If no argument is specified, the rule is inserted at the top of the chain.
-A か -I オプションを使用して規則を追加する場合に記憶しておくことが重要です。
-I を使って規則を追加する場合に重要になります。チェーンに規則を追加する時に既存の番号を指定すると、 iptables は 既存規則の 前に (又は、上に) 新しい規則を追加します。
-L — コマンドの後で指定するチェーン内にあるすべての規則を一覧表示します。チェーンとテーブルを指定しない場合は、デフォルトの filter テーブル内にあるすべてのチェーンのすべての規則が一覧表示されます。それ以外の場合は、次の構文を使用して、規則を一覧するチェーンとテーブルを指定します。
iptables -L <chain-name> -t <table-name>-L command option, which provide rule numbers and allow more verbose rule descriptions, are described in 「リストオプション」.
-N — 指定した名前で新しいチェーンを作成します。チェーン名は独自なものでなければ、エラーメッセージが表示されます。
-P — 指定したチェーンについてデフォルトのポリシーを設定します。これによって、パケットがチェーン内にあるどの規則をも満たさない場合には、 ACCEPT や DROP など指定されたターゲットに送られます。
-R — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.
-X — 指定したチェーンを削除します。組み込まれているチェーンは削除できません。
-Z — テーブル用のすべてのチェーンのバイトとパケットカウンタを 0 にします。
iptables コマンドは、パケットフィルタリング規則を構築するためのパラメータを必要とします。
-c — 特定の規則のカウンタをリセットします。このパラメータでは、リセットするカウンタを指定するための PKTS オプションと、 BYTES オプションを受け付けます。
-d — 規則を満たすパケットの送信先ホスト名、 IP アドレス、ネットワークのどれかを設定します。ネットワークと一致する場合、以下のような IP アドレス/ネットマスク形式がサポートされます。
N.N.N.N/M.M.M.MN.N.N.N は IP アドレスの範囲であり、 M.M.M.M はネットマスクです。
N.N.N.N/MN.N.N.N は IP アドレスの範囲であり、 M はネットマスクです。
-f — 断片化されたパケットのみに規則を適用します。
! オプションを使用すると、断片化されていないパケットのみが適合するように指定できます。
-i — eth0 や ppp0 などの着信ネットワークインターフェースを設定します。 iptables では、このオプションパラメータを使用できるのは、 filter テーブルの場合は INPUT チェーンと FORWARD チェーンと共に、また nat テーブルと mangle テーブルの場合は PREROUTING チェーンと共に使用する時だけです。
! — ディレクティブをリバースします、つまり指定されたインターフェースをこの規則から除外します。
+ — 指定された文字列に一致するすべてのインターフェースを一致の対象とするワイルドカード文字です。たとえば、 -i eth+ というパラメータを指定すると、すべてのイーサネットインターフェースにこの規則が適用されますが、 ppp0 などの他のインターフェースは除外します。
-i — パラメータを使用する場合にインターフェースを指定しないと、すべてのインターフェースが対象となります。
-j — パケットが特定の規則に一致する場合に指定ターゲットにジャンプします。
ACCEPT、 DROP、 QUEUE、 RETURN があります。
iptables RPM パッケージにデフォルトでロードされているモジュールを経由して利用可能な拡張オプションもあります。そのようなモジュールには、 LOG、 MARK、 REJECT などがあります。これらのオプションと他のターゲットに関する詳細は、 iptables の man ページを参照してください。
-o — 1つの規則の為に発信ネットワークを設定します。このオプションは、 filter テーブルの OUTPUT チェーンと FORWARD チェーン、 nat テーブルと mangle テーブルの POSTROUTING チェーンのみで有効です。このパラメータは、着信ネットワークインターフェースパラメータ (-i)と同じオプションを受け付けます。
-p <protocol> — Sets the IP protocol affected by the rule. This can be either icmp, tcp, udp, or all, or it can be a numeric value, representing one of these or a different protocol. You can also use any protocols listed in the /etc/protocols file.
all" protocol means the rule applies to every supported protocol. If no protocol is listed with this rule, it defaults to "all".
-s — 送信先パラメータ(-d)と同じ構文を使用して、特定のパケットの送信元を設定します。
iptables command. For example, -p <protocol-name> enables options for the specified protocol. Note that you can also use the protocol ID, instead of the protocol name. Refer to the following examples, each of which have the same effect:
iptables -A INPUT -p icmp --icmp-type any -j ACCEPTiptables -A INPUT -p 5813 --icmp-type any -j ACCEPT
/etc/services ファイル内に提供されています。読み易い表示には、ポート番号ではなくサービス名を使用して下さい。
/etc/services ファイルを安全にします。このファイルが編集可能であると、停止しているはずのマシン上のポートを有効にするためにクラッカーがその編集を使用することができます。このマシンを安全にするには、 root として以下のコマンドを入力します:
chown root.root /etc/serviceschmod 0644 /etc/serviceschattr +i /etc/services
-p tcp) では、以下の照合オプションを使用できます:
--dport — パケットの目的地ポートをセットします。
-p tcp --dport 3000:3200 の ように2つの番号をコロン (:) で区切ります。最大の許容有効範囲は、 0:65535 です。
--dport オプションの後で感嘆符 (!) を使用して、そのネットワークサービスあるいはポートを 使用しない すべてのパケットを照合します。
/etc/services ファイルを表示します。
--destination-port 照合オプションは --dport と同じです。
--sport — --dport と同じオプションを使用して、パケットの送信元ポートを設定します。 --source-port の照合オプションは --sport と同義です。
--syn — 一般に SYNパケット と呼ばれる、通信を開始するよう設計されたすべての TCP パケットに適用されます。データペイロードを運搬するパケットはいずれも干渉されません。
--syn オプションの後に、感嘆符 (!) を使用すると、全ての非 SYN パケットが照合されます。
--tcp-flags <tested flag list> <set flag list> — Allows TCP packets that have specific bits (flags) set, to match a rule.
--tcp-flags 照合オプションは二つのパラメータを受けつけます。最初のパラメータはマスクであり、パケット内で検証されるフラグのコンマで隔離されたリストです。二番目のパラメータは照合する規則用にセットすべきフラグのコンマで隔離されたリストです。
ACK
FIN
PSH
RST
SYN
URG
ALL
NONE
iptables 規則は、 SYN フラグがセットされており、 ACK フラグと FIN フラグがセットされていない TCP パケットのみを照合します。
--tcp-flags ACK,FIN,SYN SYN
!) を --tcp-flags の後で使用すると、照合オプションの効果が逆転されます。
--tcp-option— 特定のパケットで設定できる TCP 特有のオプションを照合しようとします。感嘆符 (!) を使用すると、意味を反対にすることができます。
-p udp)では、以下の照合オプションを使用できます。
--dport — サービス名、ポート番号、ポート番号の範囲のどれかを使用して、 UDP パケットの送信先ポートを指定します。 --destination-port の照合オプションは --dport と同義となります。
--sport — サービス名、ポート番号、ポート番号の範囲などのいずれかを使用して UDP パケットの送信元ポートを指定します。 --source-port の照合オプションは --sport と同義です。
--dport と --sport のオプションに、ポート番号の範囲を指定するには、 -p tcp --dport 3000:3200 のように2つの番号をコロン (:) で区切ります。最大の許容有効範囲は、 0:65535 です。
-p icmp)、次の照合オプションが使用できます。
--icmp-type — 規則と一致する ICMP タイプの番号か名前を設定します。有効な ICMP 名の一覧は、 iptables -p icmp -h というコマンドを入力すると表示されます。
iptables コマンドでロードできるモジュールを通じて使用できます。
-m <module-name>, where <module-name> is the name of the module.
limit module — 特定の規則に照合されるパケットの数量を規制します。
LOG ターゲットと一緒に使用すると、 limit モジュールは大量の照合パケットが反覆メッセージでシステムログを満杯にしたり、システムリソースを満杯にしてしまうのを防止することができます。
LOG target.
limit モジュールは以下のようなオプションを有効にします:
--limit — Sets the maximum number of matches for a particular time period, specified as a <value>/<period>--limit 5/hour allows five rule matches per hour.
3/hour が使用されます。
--limit-burst — 一度に照合できるパケットの数を制限します。
--limit オプションと一緒に使用されるべきものです。
stateモジュール — 接続状態について照合を有効にします。
state モジュールは以下のようなオプションを有効にします:
--state — 以下の接続状態についてパケットを照合します:
ESTABLISHED — 照合パケットは確立された接続内にある他のパケットに関係関連付けられます。クライアントとサーバー間の接続を維持したい場合、この状態を受理する必要があります。
INVALID— 既知の接続に結び付けられないパケットが規則を満たします。
NEW — 照合パケットは新しい接続を作成しているか、又は以前に出現したことのないニ方向接続の一部です。新しい接続をサービスに許可したい場合、この状態を受理する必要があります。
RELATED — 照合パケットは既存の接続になんらかの関連を持つ新しい接続を開始しています。この一例は FTP であり、これは制御トラフィック (ポート21) 用に1つの接続を使用して、データ転送 (ポート20) 用に別の接続を使います。
-m state --state INVALID,NEW のようにカンマで区切ります。
macモジュール — ハードウェア MAC アドレスの照合を有効にします。
mac モジュールは以下のようなモジュールを有効にします:
--mac-source — パケットの送信元であるネットワークインターフェースカードの MAC アドレスを照合します。ある規則から MAC アドレスを除外するには、 --mac-source 照合オプションの後に感嘆符 (!) を付けます。
iptables の man ページを参照してください。
<user-defined-chain>ACCEPT — パケットがその送信先または別のチェーンに移動する ことを許可します。
DROP — パケットを送信したシステムには何も通知せずに パケットをドロップします。パケットを送信したシステムは不具合の報告も受けません。
QUEUE — ユーザースペースのアプリケーションで処理されるように パケットをキューに登録します。
RETURN — 現在のチェーン内の規則に対するパケットのチェックを停止します。 RETURNターゲットを持つパケットが別のチェーンから呼び出されたチェーンの規則を満たす場合、そのパケットは最初のチェーンに戻され、そこで規則チェックが再開されます。組み込み型のチェーンで RETURN規則を使用していてパケットが前のチェーンに戻れない場合は、現在のチェーンのデフォルトターゲットが使用されます。
LOG — 規則を満たすすべてのパケットを記録します。パケットを記録するのはカーネルなので、/etc/syslog.confファイルがこれらの記録の書き込み場所を決定します。デフォルトではこの場所は/var/log/messages ファイルです。
LOGターゲットの後に 追加オプションを使用できます。
--log-level — イベントを記録する優先レベルを設定します。優先レベルの一覧は、syslog.conf の manページを参照して ください。
--log-ip-options — IP パケットのヘッダ内で設定された オプションを記録します。
--log-prefix — ログを記録するときに、行の先頭に 29 文字までの文字列を設置します。これは、パケットの記録と共に使用する syslog フィルタを作成する場合にも便利です。
log-prefix の値に対して 後に空白を付加する必要があります。
--log-tcp-options — TCPパケットのヘッダーで設定してあるオプションをログします。
--log-tcp-sequence — パケットの TCPシーケンス番号を記録します。
REJECT — パケットを送信したシステムにエラーパケットを送り返して、パケットをドロップします。
REJECT target accepts --reject-with <type> (where <type> is the rejection type) allowing more detailed information to be returned with the error packet. The message port-unreachable is the default error type given if no other option is used. Refer to the iptables man page for a full list of <type>nat テーブルを使用した IPマスカレード、又は mangle テーブルを使用したパケット変更で役に立つものなど、その他のターゲット拡張の幾つかは、iptables の manページを参照してください。
iptables -L [<chain-name>], provides a very basic overview of the default filter table's current chains. Additional options provide more information:
-v — 各チェーンが処理したパケット数とバイト数、各規則を満たしたパケット数とバイト数、特定の規則に適用されるインターフェースなど、冗長な出力を表示します。
-x — 数値の正確な値を出力します。負荷が大きいシステムでは、特定のチェーンか、あるいは規則が処理したパケット数とバイト数の終わりに Kilobytes(キロ)、Megabytes(メガ)、Gigabytes(ギガ)を付けて表現を省略する場合があります。このオプションを指定すると、全数値が出力されます。
-n — IPアドレスとポート番号を、デフォルトのホスト名とネットワークサービスの形式ではなく数値形式で出力します。
--line-numbers — 各チェーンの規則の横にチェーン内の順序番号を出力します。このオプションは、特定の規則を削除する場合や規則を挿入する場所を探す場合に便利です。
-t <table-name> — Specifies a table name. If omitted, defaults to the filter table.
-x オプションを 含むことによるバイト表示の相違に注意して下さい。
~]#iptables -L OUTPUT -v -n -xChain OUTPUT (policy ACCEPT 64005 packets, 6445791 bytes) pkts bytes target prot opt in out source destination 1593 133812 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ~]#iptables -L OUTPUT -v -nChain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes) pkts bytes target prot opt in out source destination 1819 153K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ~]#
iptables コマンドで作成した規則は、メモリに格納されます。設定した iptables の規則を保存する前にシステムを再起動すると、すべての規則は失われます。netfilter 規則が システムの再起動後に維持されるようにするには、それを保存する必要があります。その netfilter 規則を保存するには、root で次のコマンドを入力します:
service iptables saveiptables の initscript を実行し、 /sbin/iptables-save プログラムを実行して、現在の iptables の設定を /etc/sysconfig/iptables に書き込みます。既存の /etc/sysconfig/iptables ファイルは、/etc/sysconfig/iptables.save として保存されます。
iptables init script は /sbin/iptables-restore コマンドを使うことで、/etc/sysconfig/iptables に保存されている規則を再び適用します。
iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This provides a quick way to distribute sets of iptables rules to multiple machines.
iptables-save > <filename><filename> is a user-defined name for your ruleset.
/etc/sysconfig/iptablesファイルを分配する場合は、/sbin/service iptables restart と入力して、新しい規則を有効にします。
iptables 機能を構成するテーブルとチェーンの操作に使用されるiptablescommand(/sbin/iptables) に対する iptables サービス自身を有効/無効にするのに使用されるiptables service (/sbin/iptables service) の相違に注意して下さい。
iptables を制御するための基本的な方法が 2つあります。
system-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to 「基本的なファイアウォールの設定」 for more information.
/sbin/service iptables <option> — Used to manipulate various functions of iptables using its initscript. The following options are available:
start — ファイアウォールが設定されていると(/etc/sysconfig/iptablesが存在すると言う意味)、 実行中のすべての iptables を完全に停止してから/sbin/iptables-restore コマンドを使用して起動 します。このオプションは、ipchains カーネルモジュールがロードされていない場合にのみ機能します。モジュールがロードされているかどうか チェックするには、以下のコマンドを root で入力します:
lsmod | grep ipchains/sbin/rmmod コマンドを使用して、モジュールを 削除します。
stop — ファイアウォールが実行中の場合、メモリ内のファイアウォールの規則がフラッシュされ、すべての iptable の モジュールとヘルパーがアンロードされます。
/etc/sysconfig/iptables-config 設定ファイル内の IPTABLES_SAVE_ON_STOP ディレクティブがそのデフォルト値から yes に変更されると、現在の規則は /etc/sysconfig/iptables に保存され、既存の規則はすべて /etc/sysconfig/iptables.save ファイルに移動されます。
iptables-config file.
restart — ファイアウォールを実行中の場合、メモリ内のファイアウォールの規則はフラッシュ され、 それが /etc/sysconfig/iptables に設定されていれば、 ファイアウォールが再起動されます。このオプションは ipchains カーネルモジュールがロードされない場合にのみ機能します。
/etc/sysconfig/iptables-config設定ファイル内の IPTABLES_SAVE_ON_RESTART ディレクティブがそのデフォルト値から yes に変更されると、現在の規則は /etc/sysconfig/iptables に保存されて、既存の規則はすべて /etc/sysconfig/iptables.save ファイルに移動されます。
iptables-config file.
status — ファイヤーウォールと実行中の全規則 リストの状態を表示します。
/etc/sysconfig/iptables-config file and change the value of IPTABLES_STATUS_NUMERIC to no. Refer to 「IPTables 制御スクリプトの設定ファイル」 for more information about the iptables-config file.
panic — ファイアウォールの規則をすべてフラッシュします。設定されているすべてのテーブルのポリシーは DROP にセットされます。
save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to 「IPTables 規則の保存」 for more information.
ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to 「IPTables と IPv6」.
iptables initscripts の動作は、 /etc/sysconfig/iptables-config 設定ファイルで制御されます。以下にこのファイル内に格納されているディレクティブの一覧を示します:
IPTABLES_MODULES — ファイアウォールが起動するときにロードする、追加の iptables モジュールの スペースで区切られた一覧を指定します。これには接続トラッキングと NAT ヘルパーを 含むませることができます。
IPTABLES_MODULES_UNLOAD — 再起動と停止でモジュールをアンロードします。このディレクティブは以下の値を受け付けます:
yes — デフォルトの値です。このオプションはファイアウォールの 再起動か停止の正しい状態を達成するのにセットします。
no — このオプションは netfilter モジュールのアンロードに 問題がある場合のみにセットするものです。
IPTABLES_SAVE_ON_STOP — ファイアウォールが停止されるときに、現在のファイアウォールの規則を /etc/sysconfig/iptables に保存します。このディレクティブは以下の値を受け付けます:
yes — ファイアウォールが停止されるときに、既存の規則を /etc/sysconfig/iptables に保存して、 前のバージョンを/etc/sysconfig/iptables.save に移動します。
no — デフォルトの値です。ファイアウォールが停止 されるときに既存の規則を保存しません。
IPTABLES_SAVE_ON_RESTART — ファイアウォールが再起動されるときに、現在のファイアウォール規則を保存します。 このディレクティブは次の値を受け付けます:
yes — ファイアウォールが再起動されるときに、既存の規則を /etc/sysconfig/iptables に保存して、 前のバージョンを /etc/sysconfig/iptables.save に移動します。
no — デフォルトの値です。ファイアウォールが再起動 されるときに既存の規則を保存しません。
IPTABLES_SAVE_COUNTER — すべてのチェーン及び規則にある パケットとバイトの全カウンタを保存、復元します。このディレクティブは以下の値を受け付けます:
yes — カウンタ値を保存します。
no — デフォルトの値です。カウンタの値を保存しません。
IPTABLES_STATUS_NUMERIC — ドメインやホスト名の代わりに、数値形式で IP アドレスを出力します。 このディレクティブは以下の値を受け付けます:
yes — デフォルト値です。ステータス出力内で IP アドレスのみを 返します。
no — ステータス出力内でドメインかホスト名を返します。
iptables-ipv6 パッケージがインストールされている場合、 Red Hat Enterprise Linux に収納されている netfilter は次世代の IPv6 インターネットプロトコルをフィルター できます。IPv6 netfilter を操作するためのコマンドは ip6tables です。
nat テーブル以外、iptables に使用されるディレクティブと同じです。 これは、マスカレードやポート転送などの IPv6 ネットワークアドレス変換タスクを実行するのは まだ可能ではないと言うことになります。
ip6tables 用の規則は /etc/sysconfig/ip6tables ファイルに格納されます。ip6tables initscripts で 保存された以前の規則は /etc/sysconfig/ip6tables.save ファイルに格納されます。
ip6tablesの initscript 用設定オプションは /etc/sysconfig/ip6tables-config に格納されていますが、 各ディレクティブ名はその iptables の相当名とは少々異なります。
iptables-config ディレクティブIPTABLES_MODULES:に対して、ip6tables-config ファイルでの相当物は IP6TABLES_MODULES です。
iptables を用いたパケットフィルタリングに関する追加情報は以下の情報を参照して下さい。
iptables に関する多彩な情報が収納されています。このサイトの HOWTO ドキュメントでは、基本的なネットワークの概念、カーネルのパケットフィルタリング、NAT の設定などのテーマが掲載されています。
iptables コマンドを構成する方法が含まれています。
avc: denied message detailed in /var/log/messages if permission is denied. The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server's matrix.
/selinux/ 擬似ファイル(pseudo-file) システムには、カーネル サブシステムで一般に良く使用されるコマンドが含まれています。このタイプのファイルシステムは /proc/ 擬似ファイルシステムに似ています。
/selinux/ ディレクトリのサンプル内容を 示しています:
-rw-rw-rw- 1 root root 0 Sep 22 13:14 access dr-xr-xr-x 1 root root 0 Sep 22 13:14 booleans --w------- 1 root root 0 Sep 22 13:14 commit_pending_bools -rw-rw-rw- 1 root root 0 Sep 22 13:14 context -rw-rw-rw- 1 root root 0 Sep 22 13:14 create --w------- 1 root root 0 Sep 22 13:14 disable -rw-r--r-- 1 root root 0 Sep 22 13:14 enforce -rw------- 1 root root 0 Sep 22 13:14 load -r--r--r-- 1 root root 0 Sep 22 13:14 mls -r--r--r-- 1 root root 0 Sep 22 13:14 policyvers -rw-rw-rw- 1 root root 0 Sep 22 13:14 relabel -rw-rw-rw- 1 root root 0 Sep 22 13:14 user
enforce ファイルで cat コマンドを 実行すると、強制モードの 1 かあるいは、容認モードの 0 を 表示します。
/etc/ ディレクトリ内に 置かれている関連ファイルシステムを説明しています。
/etc/sysconfig/selinux 設定ファイルsystem-config-selinux), or manually editing the configuration file (/etc/sysconfig/selinux).
/etc/sysconfig/selinux ファイルは SELinux を有効/無効にする為の、 そしてシステムでどのポリシーを強制するか、及びどのように強制するかを設定する 主要設定ファイルです。
/etc/sysconfig/selinux には、実際の設定ファイル、 /etc/selinux/config へのシンボリックリンクが含まれています。
SELINUX=enforcing|permissive|disabled — システム上の SELinux の最上レベルの状態を定義します。
enforcing — SELinux セキュリティポリシーは強制されます。
permissive — SELinux システムは警告を表示しますが、 ポリシーは強制しません。
avc: denied のメッセージを発生させます。強制モードでは、SELinux は最初の移動で 停止して、それ移行の否定メッセージの発生を止めることになります。
disabled — SELinux は完全に無効になります。SELinux hooks は カーネルから離脱して、擬似ファイルシステムは登録が消えます。
/.autorelabel を作成して、マシンを再起動することです。これにより、プロセスがシステム上で実行される前に ラベル変えがブートプロセスの非常に早期に起こることになります。この手順を使用すると、プロセスは 誤って間違えたコンテキストのファイルを作成することもなく、間違ったコンテキストで開始することも なくなることになります。
fixfiles relabel コマンドを使用して、 ファイルシステムをラベル変えすることができます。しかしこれが完了した後にでも、 システム上で間違えたコンテキストでプロセスが実行されている可能性がある為、この方法は 推奨できません。これらのプロセスは、間違えたコンテキストのままのファイルを作成する 可能性があります。
SELINUXTYPE=targeted|strict — SELinux が強制するポリシーを指定します。
targeted — ターゲットのネットワークデーモンのみが 保護されます。
dhcpd, httpd (apache.te)、 named、 nscd、 ntpd、 portmap、 snmpd、 squid、 syslogd で 保護されています。システムのその他の機能は unconfined_t ドメインで 実行されます。このドメインはセキュリティコンテキストを持ったサブジェクトとオブジェクトが 標準の Linux セキュリティを使用して運用できるようにします。
/etc/selinux/targeted/src/policy/domains/program に収納されています。これらの ファイルは Red Hat Enterprise Linux の新しいバージョンがリリースされると変更される可能性があります。
system-config-selinux).
1 disables SELinux protection for the daemon. For example, you can set dhcpd_disable_trans to 1 to prevent init, which executes apps labeled dhcpd_exec_t, from transitioning to the dhcpd_t domain.
getsebool -a コマンドを使用すると、全ての SELinux ブーリアン値を 一覧表示します。以下に SELinux ブーリアン値を設定する為の setsebool コマンドを使用した例を表示します。-P オプションを使用すると、変更が 固定されます。このオプションが無いと、ブーリアン値は再起動時に 1 に リセットされます。
setsebool -P dhcpd_disable_trans=0strict — 全てのデーモン用の完全 SELinux 保護。 セキュリティコンテキストは全てのサブジェクトとオブジェクト用に定義され、 そして各アクションはポリシー強制サーバーによってプロセスされます。
SETLOCALDEFS=0|1 — Controls how local definitions (users and booleans) are set. Set this value to 1 to have these definitions controlled by load_policy from files in /etc/selinux/<policyname>. or set it to 0 to have them controlled by semanage.
/etc/selinux/ ディレクトリ/etc/selinux/ ディレクトリは、全てのポリシーファイルの本来の配置場所である と共に、又主要設定ファイルの場所でもあります。
/etc/selinux/ ディレクトリの内容のサンプルをしめします:
-rw-r--r-- 1 root root 448 Sep 22 17:34 config drwxr-xr-x 5 root root 4096 Sep 22 17:27 strict drwxr-xr-x 5 root root 4096 Sep 22 17:28 targeted
strict/ と targeted/ は、同じ名前のポリシーファイルが含まれている特定のディレクトリです。 (strict と targeted)
/usr/sbin/setenforce — SELinux が稼動するリアルタイムでモードを 変更します。
setenforce 1 — SELinux は強制モードで実行されます。
setenforce 0 — SELinux は容認モードで実行されます。
/etc/sysconfig/selinux 内で適切な setenforce パラメータを指定するか、 あるいは、/etc/grub.conf 内でか、起動時にカーネルに パラメータ selinux=0 を渡します。
/usr/sbin/sestatus -v — SELinux を実行しているシステムの詳細状態を 表示します。以下の例では、sestatus -v 出力の一部を示しています:
SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 21 Policy from config file: targeted Process contexts: Current context: user_u:system_r:unconfined_t:s0 Init context: system_u:system_r:init_t:s0 /sbin/mingetty system_u:system_r:getty_t:s0
/usr/bin/newrole — 新しいシェルを新しいコンテキスト、又は役割で 実行します。ポリシーが新しい役割への移行を許可する必要があります。
policycoreutils-newrole パッケージがインストールしてある場合にのみ、利用できます。
/sbin/restorecon — 適切なファイル、又はセキュリティコンテキストで 拡張属性を作ることにより、1つ、又は複数のファイルのセキュリティコンテキストを設定します。
/sbin/fixfiles — ファイルシステムにあるセキュリティコンテキストの データベースをチェック、又は修正します。
setools か policycoreutils パッケージの内容を参照して下さい。パッケージの内容を表示するには、次のコマンドを使用します:
rpm -ql <package-name>
/usr/share/doc/setools-<version-number>/ All documentation for utilities contained in the setools package. This includes all helper scripts, sample configuration files, and documentation.
<x> series of Linux kernels. This module stored PSIDs in a normal file, and SELinux was able to support more file systems. This solution was not optimal for performance, and was inconsistent across platforms. Finally, the SELinux code was integrated upstream to the 2.6.x kernel, which has full support for LSM and has extended attributes (xattrs) in the ext3 file system. SELinux was moved to using xattrs to store security context information. The xattr namespace provides useful separation for multiple security modules existing on the same system.
"security." namespace is used for security modules, and the security.selinux name is used to persistently store SELinux security labels on files. The contents of this attribute will vary depending on the file or directory you inspect and the policy the machine is enforcing.
getxattr(2) always returns the kernel's canonicalized version of the label.
ls -Z command to view the category label of a file:
~]# ls -Z gravityControl.txt
-rw-r--r-- user user user_u:object_r:tmp_t:Moonbase_Plans gravityControl.txtgefattr(1) command to view the internal category value (c10):
~]# getfattr -n security.selinux gravityControl.txt
# file: gravityControl.txt
security.selinux="user_u:object_r:tmp_t:s0:c10\000"semanage user -l command to list SELinux users:
~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root user s0 s0-s0:c0.c1023 system_r sysadm_r user_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0-s0:c0.c1023 system_r sysadm_r user_ruser_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.
semanage login -a command to assign Linux users to SELinux user identities:
~]#semanage login -a james~]#semanage login -a daniel~]#semanage login -a olga
~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
james user_u s0
daniel user_u s0
root root s0-s0:c0.c1023
olga user_u s0setrans.conf file. The system administrator edits this file to manage and maintain the required categories.
chcat -L command to list the current categories:
~]# chcat -L
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh/etc/selinux/<selinuxtype>/setrans.conf file. For the example introduced above, add the Marketing, Finance, Payroll, and Personnel categories as follows (this example uses the targeted policy, and irrelevant sections of the file have been omitted):
~]# vi /etc/selinux/targeted/setrans.conf
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnelchcat -L command to check the newly-added categories:
~]# chcat -L
s0:c0 Marketing
s0:c1 Finance
s0:c2 Payroll
s0:c3 Personnel
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHighsetrans.conf file, you need to restart the MCS translation service before those changes take effect. Use the following command to restart the service:
~]# service mcstrans restartchcat command to assign MCS categories to SELinux logins:
~]#chcat -l -- +Marketing james~]#chcat -l -- +Finance,+Payroll daniel~]#chcat -l -- +Personnel olga
chcat command with additional command-line arguments to list the categories that are assigned to users:
~]# chcat -L -l daniel james olga
daniel: Finance,Payroll
james: Marketing
olga: Personnel# Create a user account for the company director (Karl) ~]#useradd karl~]#passwd karlChanging password for user karl. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. # Assign the user account to an SELinux login ~]#semanage login -a karl# Assign all the MCS categories to the new login ~]#chcat -l -- +Marketing,+Finance,+Payroll,+Personnel karl
chcat command to verify the addition of the new user:
~]# chcat -L -l daniel james olga karl
daniel: Finance,Payroll
james: Marketing
olga: Personnel
karl: Marketing,Finance,Payroll,Personnel[daniel@dhcp-133 ~]$ echo "Financial Records 2006" > financeRecords.txtls -Z command to check the initial security context of the file:
[daniel@dhcp-133 ~]$ ls -Z financeRecords.txt
-rw-r--r-- daniel daniel user_u:object_r:user_home_t financeRecords.txtuser_home_t) and has no categories assigned to it. We can add the required category using the chcat command. Now when you check the security context of the file, you can see the category has been applied.
[daniel@dhcp-133 ~]$chcat -- +Finance financeRecords.txt[daniel@dhcp-133 ~]$ls -Z financeRecords.txt-rw-r--r-- daniel daniel root:object_r:user_home_t:Finance financeRecords.txt
[daniel@dhcp-133 ~]$chcat -- +Payroll financeRecords.txt[daniel@dhcp-133 ~]$ls -Z financeRecords.txt-rw-r--r-- daniel daniel root:object_r:user_home_t:Finance,Payroll financeRecords.txt
[olga@dhcp-133 ~]$ cat financeRecords.txt
cat: financeRecords.txt: Permission Deniedsemanage and chcat for more information on the available options for these commands.
Sensitivity: — A hierarchical attribute such as "Secret" or "Top Secret".
Categories: — A set of non-hierarchical attributes such as "US Only" or "UFO".
user_home_t.
unconfined_t domain have an executable file with a type such as sbin_t. From an SELinux perspective, this means they are all equivalent in terms of what they can and cannot do on the system.
/usr/bin/postgres has the type postgresql_exec_t. All of the targeted daemons have their own *_exec_t type for their executable applications. In fact, the entire set of PostgreSQL executables such as createlang, pg_dump, and pg_restore have the same type, postgresql_exec_t, and they transition to the same domain, postgresql_t, upon execution.
$AUDIT_LOG file. In Red Hat Enterprise Linux, this is set to /var/log/messages. The policy is compiled into binary format for loading into the kernel security server, and each time the security server makes a decision, it is cached in the AVC to optimize performance.
init, as explained in 「The Role of Policy in the Boot Process」. Ultimately, every system operation is determined by the policy and the type-labeling of the files.
m4 macros to capture common sets of low-level rules. A number of m4 macros are defined in the existing policy, which facilitate the writing of new policy. These rules are preprocessed into many additional rules as part of building the policy.conf file, which is compiled into the binary policy.
newrole, or by requiring a new process execution in the new domain. This movement between domains is referred to as a transition.
selinux-policy-<policyname> package and supplies the binary policy file.
selinux-policy-devel package is installed.
/etc/selinux/targeted/ — this is the root directory for the targeted policy, and contains the binary tree.
/etc/selinux/targeted/policy/ — this is the location of the binary policy file policy.<xx>. In this guide, the variable SELINUX_POLICY is used for this directory.
/etc/selinux/targeted/contexts/ — this is the location of the security context information and configuration files, which are used during runtime by various applications.
/etc/selinux/targeted/contexts/files/ — contains the default contexts for the entire file system. This is referenced by restorecon when performing relabeling operations.
/etc/selinux/targeted/contexts/users/ — in the targeted policy, only the root file is in this directory. These files are used for determining context when a user logs in. For example, for the root user, the context is user_u:system_r:unconfined_t.
/etc/selinux/targeted/modules/active/booleans* — this is where the runtime Booleans are configured.
getsebool, setsebool and semanage tools to manipulate runtime Booleans.
selinux-policy-devel package includes all of the interface files used to build policy. It is recommended that people who build policy use these files to build the policy modules.
/usr/share/selinux/devel/include and has make files installed in /usr/share/selinux/devel/Makefile.
libselinux provides a number of functions that return the paths to the different configuration files and directories. This negates the need for applications to hard-code the paths, especially since the active policy location is dependent on the SELINUXTYPE setting in /etc/selinux/config.
/etc/selinux/strict.
man 3 selinux_binary_policy_pathlibselinux-devel RPM installed.
libselinux and related functions is outside the scope of this document.
init performs some essential operations early in the boot process to maintain synchronization between labeling and policy enforcement.
/sbin/init mounts /proc/, and then searches for the selinuxfs file system type. If it is present, that means SELinux is enabled in the kernel.
init does not find SELinux in the kernel, or if it is disabled via the selinux=0 boot parameter, or if /etc/selinux/config specifies that SELINUX=disabled, the boot process proceeds with a non-SELinux system.
init sets the enforcing status if it is different from the setting in /etc/selinux/config. This happens when a parameter is passed during the boot process, such as enforcing=0 or enforcing=1. The kernel does not enforce any policy until the initial policy is loaded.
/selinux/ is mounted.
init checks /selinux/policyvers for the supported policy version. The version number in /selinux/policyvers is the latest policy version your kernel supports. init inspects /etc/selinux/config to determine which policy is active, such as the targeted policy, and loads the associated file at $SELINUX_POLICY/policy.<version>.
init attempts to load the policy file if it is a previous version. This provides backward compatibility with older policy versions.
/etc/selinux/targeted/booleans are different from those compiled in the policy, init modifies the policy in memory based on the local settings prior to loading the policy into the kernel.
init then re-executes itself so that it can transition to a different domain, if the policy defines it. For the targeted policy, there is no transition defined and init remains in the unconfined_t domain.
init continues with its normal boot process.
init re-executes itself is to accommodate stricter SELinux policy controls. The objective of re-execution is to transition to a new domain with its own granular rules. The only way that a process can enter a domain is during execution, which means that such processes are the only entry points into the domains.
init, such as init_t, a method is required to change from the initial SID, such as kernel, to the correct runtime domain for init. Because this transition may need to occur, init is coded to re-execute itself after loading the policy.
init transition occurs if the domain_auto_trans(kernel_t, init_exec_t, <target_domain_t>) rule is present in the policy. This rule states that an automatic transition occurs on anything executing in the kernel_t domain that executes a file of type init_exec_t. When this execution occurs, the new process is assigned the domain <target_domain_t>init_t.
filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.
filesystem class can mount, unmount, get attributes, set quotas, relabel, and so forth. The file class has common file permissions such as read, write, get and set attributes, lock, relabel, link, rename, append, etc.
tcp_socket for TCP sockets, netif for network interfaces, and node for network nodes.
netif class, for example, can send and receive on TCP, UDP and raw sockets (tcp_recv, tcp_send, udp_send, udp_recv, rawip_recv, and rawip_send.)
unconfined_t domain except for the specific targeted daemons. Objects that are in the unconfined_t domain have no restrictions and fall back to using standard Linux security, that is, DAC. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.
http and ntp daemons are both protected in the default targeted policy, and run in the httpd_t and ntpd_t domains, respectively. The ssh daemon, however, is not protected in this policy, and consequently runs in the unconfined_t domain.
user_u:system_r:httpd_t 25129 ? 00:00:00 httpd user_u:system_r:ntpd_t 25176 ? 00:00:00 ntpd system_u:system_r:unconfined_t 25245 ? 00:00:00 sshd
dhcpd; httpd; mysqld; named; nscd; ntpd; portmap; postgres; snmpd; squid; syslogd; and winbind.
unconfined_t type exists in every role, which significantly reduces the usefulness of roles in the targeted policy. More extensive use of roles requires a change to the strict policy paradigm, where every process runs in an individually considered domain.
system_r and object_r. The initial role is system_r, and everything else inherits that role. The remaining roles are defined for compatibility purposes between the targeted policy and the strict policy.[20]
object_r, is an implied role and is not found in policy source. Because roles are created and populated by types using one or more declarations in the policy, there is no single file that declares all roles. (Remember that the policy itself is generated from a number of separate files.)
system_rsystem_r (28 types)
dhcpd_t
httpd_helper_t
httpd_php_t
httpd_suexec_t
httpd_sys_script_t
httpd_t
httpd_unconfined_script_t
initrc_t
ldconfig_t
mailman_cgi_t
mailman_mail_t
mailman_queue_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
pegasus_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
system_mail_t
unconfined_t
winbind_helper_t
winbind_t
ypbind_tuser_runconfined_t domain.
object_robject_r, and the role is only used as a placeholder in the label.
sysadm_rstaff_r. If this is true, use the newrole -r sysadm_r command to change to the SELinux system administrator role to perform system administration tasks. In the targeted policy, the following retain sysadm_r for compatibility:
sysadm_r (6 types)
httpd_helper_t
httpd_sys_script_t
initrc_t
ldconfig_t
ndc_t
unconfined_tuser_u identity was chosen because libselinux falls back to user_u as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for compatibility with the strict policy.[21]
root. You may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init.
system_r already had existing authorization for the daemon domains, simplifying the process. This was done because no mechanism currently exists to alias roles.
unconfined_t along with the rest of the system except the targeted daemons.
avc: denied message.
mv and cp may have unexpected results.
cp follows the default behavior of creating a new file based on the domain of the creating process and the type of the target directory. Unless there is a specific rule to set the label, the file inherits the type from the target directory.
-Z user:role:type option to specify the required label for the new file.
-p (or --preserve=mode,ownership,timestamps) option preserves the specified attributes and, if possible, additional attributes such as links.
touch bar foo ls -Z bar foo -rw-rw-r-- auser auser user_u:object_r:user_home_t bar -rw-rw-r-- auser auser user_u:object_r:user_home_t foo
cp command without any additional command-line arguments, a copy of the file is created in the new location using the default type of the creating process and the target directory. In this case, because there is no specific rule that applies to cp and /tmp, the new file has the type of the parent directory:
cp bar /tmp ls -Z /tmp/bar -rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/bar
tmp_t is the default type for temporary files.
-Z option to specify the label for the new file:
cp -Z user_u:object_r:user_home_t foo /tmp ls -Z /tmp/foo -rw-rw-r-- auser auser user_u:object_r:user_home_t /tmp/foo
mv retains the original type associated with the file. Care should be taken using this command as it can cause problems. For example, if you move files with the type user_home_t into ~/public_html, then the httpd daemon is not able to serve those files until you relabel them. Refer to 「Relabeling a File or Directory」 for more information about file labeling.
| Command | Behavior |
|---|---|
mv
|
The file retains its original label. This may cause problems, confusion, or minor insecurity. For example, the tmpwatch program running in the sbin_t domain might not be allowed to delete an aged file in the /tmp directory because of the file's type.
|
cp
|
Makes a copy of the file using the default behavior based on the domain of the creating process (cp) and the type of the target directory.
|
cp -p
| Makes a copy of the file, preserving the specified attributes and security contexts, if possible. The default attributes are mode, ownership, and timestamps. Additional attributes are links and all. |
cp -Z
|
Makes a copy of the file with the specified labels. The -Z option is synonymous with --context.
|
-Z option is equivalent to --context, and can be used with the ps, id, ls, and cp commands. The behavior of the cp command with respect to SELinux is explained in 表48.1「Behavior of mv and cp Commands」.
ps command. Most of the processes are running in the unconfined_t domain, with a few exceptions.
[user@localhost ~]$ ps auxZ LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND system_u:system_r:init_t root 1 0.0 0.1 2032 620 ? Ss 15:09 0:00 init [5] system_u:system_r:kernel_t root 2 0.0 0.0 0 0 ? S 15:09 0:00 [migration/0] system_u:system_r:kernel_t root 3 0.0 0.0 0 0 ? SN 15:09 0:00 [ksoftirqd/0] user_u:system_r:unconfined_t user 3122 0.0 0.6 6908 3232 ? S 16:47 0:01 /usr/libexec/gconfd-2 5 user_u:system_r:unconfined_t user 3125 0.0 0.1 2540 588 ? S 16:47 0:00 /usr/bin/gnome-keyring-daemon user_u:system_r:unconfined_t user 3127 0.0 1.4 33612 6988 ? Sl 16:47 0:00 /usr/libexec/gnome-settings-daemon user_u:system_r:unconfined_t user 3144 0.1 1.4 16528 7360 ? Ss 16:47 0:01 metacity --sm-client-id=default1 user_u:system_r:unconfined_t user 3148 0.2 2.9 79544 14808 ? Ss 16:47 0:03 gnome-panel --sm-client-id default2
-Z option with the id command to determine a user's security context. Note that with this command you cannot combine -Z with other options.
[root@localhost ~]# id -Z user_u:system_r:unconfined_t
-Z option with the id command to inspect the security context of a different user. That is, you can only display the security context of the currently logged-in user:
[user@localhost ~]$ id uid=501(user) gid=501(user) groups=501(user) context=user_u:system_r:unconfined_t [user@localhost ~]$ id root uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) [user@localhost ~]$ id -Z root id: cannot display context when selinux not enabled or when displaying the id of a different user
-Z option with the ls command to group common long-format information. You can display mode, user, group, security context, and filename information.
cd /etc ls -Z h* -d drwxr-xr-x root root system_u:object_r:etc_t hal -rw-r--r-- root root system_u:object_r:etc_t host.conf -rw-r--r-- root root user_u:object_r:etc_t hosts -rw-r--r-- root root system_u:object_r:etc_t hosts.allow -rw-r--r-- root root system_u:object_r:etc_t hosts.canna -rw-r--r-- root root system_u:object_r:etc_t hosts.deny drwxr-xr-x root root system_u:object_r:hotplug_etc_t hotplug drwxr-xr-x root root system_u:object_r:etc_t hotplug.d drwxr-xr-x root root system_u:object_r:httpd_sys_content_t htdig drwxr-xr-x root root system_u:object_r:httpd_config_t httpd
~/public_html directories, or when writing scripts that work in directories outside of /home.
/usr/sbin/mysqld has the wrong security label, and you address this by using a relabeling operation such as restorecon, you must restart mysqld after the relabeling operation. Setting the executable file to have the correct type (mysqld_exec_t) ensures that it transitions to the proper domain when started.
chcon command to change a file to the correct type. You need to know the correct type that you want to apply to use this command. The directories and files in the following example are labeled with the default type defined for file system objects created in /home:
cd ~ ls -Zd public_html/ drwxrwxr-x auser auser user_u:object_r:user_home_t public_html/ ls -Z web_files/ -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
public_html directory, they retain the original type:
mv web_files/* public_html/ ls -Z public_html/ -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
httpd has permissions to read, presuming the Apache HTTP Server is configured for UserDir and the Boolean value httpd_enable_homedirs is enabled.
chcon -R -t httpd_user_content_t public_html/ ls -Z public_html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 1.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 2.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 3.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 4.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 5.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t index.html ls -Z public_html/ -d drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/
chcon system_u:object_r:shlib_t foo.so. Otherwise, you will receive an error about applying a partial context to an unlabeled file.
restorecon command to restore files to the default values according to the policy. There are two other methods for performing this operation that work on the entire file system: fixfiles or a policy relabeling operation. Each of these methods requires superuser privileges. Cautions against both of these methods appear in 「Relabeling a File System」.
ls -Z /tmp/
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file1
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file2
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file3
mv /tmp/{1,2,3} archives/
mv public_html/* archives/
ls -Z archives/
-rw-rw-r-- auser auser user_u:object_r:tmp_t file1
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file1.html
-rw-rw-r-- auser auser user_u:object_r:tmp_t file2
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file2.html
-rw-rw-r-- auser auser user_u:object_r:tmp_t file3
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file3.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file4.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file5.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t index.html
archives/ directory already has the default type because it was created in the user's home directory:
ls -Zd archives/ drwxrwxr-x auser auser user_u:object_r:user_home_t archives/
restorecon command to relabel the files uses the default file contexts set by the policy, so these files are labeled with the default label for their current directory.
/sbin/restorecon -R archives/ ls -Z archives/ -rw-rw-r-- auser auser system_u:object_r:user_home_t file1 -rw-rw-r-- auser auser system_u:object_r:user_home_t file1.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file2 -rw-rw-r-- auser auser system_u:object_r:user_home_t file2.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file3 -rw-rw-r-- auser auser system_u:object_r:user_home_t file3.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file4.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file5.html -rw-rw-r-- auser auser system_u:object_r:user_home_t index.html
tar or star utilities to create archives that retain SELinux security contexts. The following example uses star to demonstrate how to create such an archive. You need to use the appropriate -xattr and -H=exustar options to ensure that the extra attributes are captured and that the header for the *.star file is of a type that fully supports xattrs. Refer to the man page for more information about these and other options.
ls -Z public_html/ web_files/ public_html/: -rw-rw-r-- auser auser ...httpd_user_content_t 1.html -rw-rw-r-- auser auser ...httpd_user_content_t 2.html -rw-rw-r-- auser auser ...httpd_user_content_t 3.html -rw-rw-r-- auser auser ...httpd_user_content_t 4.html -rw-rw-r-- auser auser ...httpd_user_content_t 5.html -rw-rw-r-- auser auser ...httpd_user_content_t index.html web_files/: -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
star -xattr -H=exustar -c -f all_web.star public_html/ web_files/ star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k).
ls command with the -Z option to validate the security context:
ls -Z all_web.star -rw-rw-r-- auser auser user_u:object_r:user_home_t \ all_web.star
/tmp. If there is no specific policy to make a derivative temporary type, the default behavior is to acquire the tmp_t type.
cp all_web.star /tmp/ cd /tmp/ ls -Z all_web.star -rw-rw-r-- auser auser user_u:object_r:tmp_t all_web.star
star and it restores the extended attributes:
star -xattr -x -f all_web.star star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k). ls -Z /tmp/public_html/ /tmp/web_files/ /tmp/public_html/: -rw-rw-r-- auser auser ...httpd_sys_content_t 1.html -rw-rw-r-- auser auser ...httpd_sys_content_t 2.html -rw-rw-r-- auser auser ...httpd_sys_content_t 3.html -rw-rw-r-- auser auser ...httpd_sys_content_t 4.html -rw-rw-r-- auser auser ...httpd_sys_content_t 5.html -rw-rw-r-- auser auser ...httpd_sys_content_t index.html /tmp/web_files/: -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t \ index.html
star, the archive expands on that same path. For example, an archive made with this command restores the files to /var/log/httpd/:
star -xattr -H=exustar -c -f httpd_logs.star /var/log/httpd/
star issues a warning if the files in the path are newer than the ones in the archive.
sestatus command provides a configurable view into the status of SELinux. The simplest form of this command shows the following information:
~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted-v option includes information about the security contexts of a series of files that are specified in /etc/sestatus.conf:
~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: user_u:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:s0-s0:c0.c1023
File contexts:
Controlling term: user_u:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t-b displays the current state of booleans. You can use this in combination with grep or other tools to determine the status of particular booleans:
~]# sestatus -b | grep httpd | grep on$
httpd_builtin_scripting on
httpd_disable_trans on
httpd_enable_cgi on
httpd_enable_homedirs on
httpd_unified oninit process to perform the relabeling, ensuring that applications have the correct labels when they are started and that they are started in the right order. If you relabel a file system without rebooting, some processes may continue running with an incorrect context. Manually ensuring that all the daemons are restarted and running in the correct context can be difficult.
touch /.autorelabelreboot
init.rc checks for the existence of /.autorelabel. If this file exists, SELinux performs a complete file system relabel (using the /sbin/fixfiles -f -F relabel command), and then deletes /.autorelabel.
fixfiles command, or to relabel based on the RPM database:
fixfiles command:
fixfiles relabelfixfiles -R <packagename> restorefixfiles to restore contexts from packages is safer and quicker.
fixfiles on the entire file system without rebooting may make the system unstable.
fixfiles relabel prompts for approval to empty /tmp/ because it is not possible to reliably relabel /tmp/. Since fixfiles is run as root, temporary files that applications are relying upon are erased. This could make the system unstable or behave unexpectedly.
nfs_t type, which is not a type that httpd_t is allowed to execute.
nfs_t, try mounting the home directories with a different context:
mount -t nfs -o context=user_u:object_r:user_home_dir_t \fileserver.example.com:/shared/homes/ /home
httpd can execute scripts. If you do this for user home directories, it gives the Apache HTTP Server increased access to those directories. Remember that a mountpoint label applies to the entire mounted file system.
root_t, tmp_t, and usr_t that grant read access for a directory. These types are suitable for directories that do not contain any confidential information, and that you want to be widely readable. They could also be used for a parent directory of more secured directories with different contexts.
avc: denied message, there are some common problems that arise with directory traversal. For example, many programs run a command equivalent to ls -l / that is not necessary to their operation but generates a denial message in the logs. For this you need to create a dontaudit rule in your local.te file.
path=/ component. This path is not related to the label for the root file system, /. It is actually relative to the root of the file system on the device node. For example, if your /var/ directory is located on an LVM (Logical Volume Management [22]) device, /dev/dm-0, the device node is identified in the message as dev=dm-0. When you see path=/ in this example, that is the top level of the LVM device dm-0, not necessarily the same as the root file system designation /.
setenforce command to change between permissive and enforcing modes at runtime. Use setenforce 0 to enter permissive mode; use setenforce 1 to enter enforcing mode.
sestatus command displays the current mode and the mode from the configuration file referenced during boot:
~]# sestatus | grep -i mode
Current mode: permissive
Mode from config file: permissive~]#setenforce 1~]#sestatus | grep -i modeCurrent mode: enforcing Mode from config file: permissive
named daemon and SELinux, you can turn off enforcing for just that daemon.
getsebool command to get the current status of the boolean:
~]# getsebool named_disable_trans
named_disable_trans --> off~]#setsebool named_disable_trans 1~]#getsebool named_disable_transnamed_disable_trans --> on
-P option to make the change persistent across reboots.
~]# getsebool -a | grep disable.*on
httpd_disable_trans=1
mysqld_disable_trans=1
ntpd_disable_trans=1setsebool command:
setsebool -P httpd_disable_trans=1 mysqld_disable_trans=1 ntpd_disable_trans=1togglesebool <boolean_name> to change the value of a specific boolean:
~]#getsebool httpd_disable_transhttpd_disable_trans --> off ~]#togglesebool httpd_disable_transhttpd_disable_trans: active
setenforce(1), getenforce(1), and selinuxenabled(1) commands.
/etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the system boots.
~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0Disabled, Enforcing or Permissive, and then click .
Enabled to Disabled or vice versa, you need to restart the machine for the change to take effect.
/etc/sysconfig/selinux.
/etc/sysconfig/selinux:
SELINUXTYPE=<policyname><policyname> is the policy name directory under /etc/selinux/. This assumes that you have the custom policy installed. After changing the SELINUXTYPE parameter, run the following commands:
touch /.autorelabelreboot
/etc/selinux.
mount -o context= command to set a single context for an entire file system. This might be a file system that is already mounted and that supports xattrs, or a network file system that obtains a genfs label such as cifs_t or nfs_t.
httpd_sys_content_t:
mount -t nfs -o context=system_u:object_r:httpd_sys_content_t \server1.example.com:/shared/scripts /var/www/cgi
httpd and SELinux problems, reduce the complexity of your situation. For example, if you have the file system mounted at /mnt and then symbolically linked to /var/www/html/foo, you have two security contexts to be concerned with. Because one security context is of the object class file and the other of type lnk_file, they are treated differently by the policy and unexpected behavior may occur.
runcon command to run a command in a specific context. This is useful for scripting or for testing policy, but care should be taken to ensure that it is implemented correctly.
~/bin/contexttest is a user-defined script.)
runcon -t httpd_t ~/bin/contexttest -ARG1 -ARG2runcon user_u:system_r:httpd_t ~/bin/contexttestgetenforcesetenforce [ Enforcing | Permissive | 1 | 0 ]1 or Enforcing tells SELinux to enter enforcing mode. The option 0 or Permissive tells SELinux to enter passive mode. Access violations are still logged, but not prevented.
selinuxenabled0 if SELinux is enabled, and 1 if SELinux is disabled.
~]#selinuxenabled~]#echo $?0
getsebool [-a] [boolean_name]-a) or a specific boolean (<boolean_name>).
setsebool [-P] <boolean_name> value | bool1=val1 bool2=val2 ...-P option makes the changes persistent across reboots.
togglesebool boolean ...newrole command to run a new shell with the specified type and/or role. Changing roles is typically only meaningful in the strict policy; the targeted policy is generally restricted to a single role. Changing types may be useful for testing, validation, and development purposes.
newrole -r <role_r> -t <type_t> [-- [ARGS]...]ARGS are passed directly to the shell specified in the user's entry in the /etc/passwd file.
newrole command is part of the policycoreutils-newrole package, which is required if you install the strict or MLS policy. It is not installed by default in Red Hat Enterprise Linux.
audit=1 parameter to your kernel boot line, either in the /etc/grub.conf file or on the GRUB menu at boot time.
httpd is denied access to ~/public_html because the directory is not labeled as Web content. Notice that the time and serial number stamps in the audit(...) field are identical in each case. This makes it easier to track a specific event in the audit logs:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
avc: denied { getattr } for pid=2239 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=user_u:system_r:httpd_t \
tcontext=system_u:object_r:user_home_t tclass=dirJan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \ syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \ a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \ suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \ item=0 name=/home/auser/public_html inode=921135 dev=00:00
/var/log/messages, such as /var/log/audit/audit.log.
selinux-policy-targeted-sources packages and then to create a local.te file in the /etc/selinux/targeted/src/policy/domains/misc directory. You could use the audit2allow utility to translate the AVC messages into allow rules, and then rebuild and reload the policy.
selinux-policy-XYZ.src.rpm. A further package, selinux-policy-devel, has also been added, which provides further customization functionality.
semodule.
semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. You can also use semodule to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.
semodule -l command:
~]# semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0/usr/share/selinux/targeted/ directory contains a number of policy package (*.pp) files. These files are included in the selinux-policy rpm and are used to build the policy file.
ypbind init script, which executes the setsebool command, which in turn tries to use the terminal. This is generating the following denial:
type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 \
scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fdaudit2allow utility now has the ability to build policy modules. Use the following command to build a policy module based on specific contents of the audit.log file:
ausearch -m AVC --comm setsebool | audit2allow -M mysemanage
audit2allow utility has built a type enforcement file (mysemanage.te). It then executed the checkmodule command to compile a module file (mysemanage.mod). Lastly, it uses the semodule_package command to create a policy package (mysemanage.pp). The semodule_package command combines different policy files (usually just the module and potentially a file context file) into a policy package.
cat command to inspect the contents of the TE file:
~]# cat mysemanag.te
module mysemanage 1.0;
require {
class fd use;
type init_t;
type semanage_t;
role system_r;
};
allow semanage_t init_t:fd use;module command, which identifies the module name and version. The module name must be unique. If you create an semanage module using the name of a pre-existing module, the system would try to replace the existing module package with the newly-created version. The last part of the module line is the version. semodule can update module packages and checks the update version against the currently installed version.
require block. This informs the policy loader which types, classes and roles are required in the system policy before this module can be installed. If any of these fields are undefined, the semodule command will fail.
dontaudit, because semodule does not need to access the file descriptor.
semodule command to load the policy package:
~]# semodule -i mysemanage.ppmysemanage.pp) to other machines and install it using semodule.
audit2allow command outputs the commands it executed to create the policy package so that you can edit the TE file. This means you can add new rules as required or change the allow rule to dontaudit. You could then recompile and repackage the policy package to be installed again.
目次
| 改訂履歴 | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 改訂 10-0 | Thu Jul 21 2011 | |||||||||||
| ||||||||||||
| 改訂 9-0 | Thu Jan 13 2011 | |||||||||||
| ||||||||||||
| 改訂 8-0 | Thu July 30 2010 | |||||||||||
| ||||||||||||
| 改訂 7-0 | Wed Sep 30 2009 | , , | ||||||||||
| ||||||||||||
| 改訂 7-0 | Mon Sep 14 2009 | |||||||||||
| ||||||||||||
| 改訂 6-0 | Wed Sep 02 2009 | |||||||||||
| ||||||||||||
| 改訂 5-0 | Wed Jan 28 2009 | |||||||||||
| ||||||||||||