Gnu Linux Administration

Here are some general administration tasks that I find useful to remember.

First see the section on RPM to learn how to install and update software.



Books

Most of the books you want are free from http://www.linuxdoc.org/ as HOWTO's. Don't assume that you can get something better in the bookstore. Many Linux books in the bookstore are simply bound copies of the publicly available documents.

"Running Linux" from O'Reilly press is the best overall book for anyone getting ready to install Linux for the first time and start playing with it.

As a quick reference, you may prefer a copy of O'Reilly's "Linux in a Nutshell", with concise summaries of all administrative commands. Read it through because many standard Unix commands have great new options. Many new commands become essential.

To understand your Unix system better, get the new edition of "Unix System Administration Handbook," by Nemeth, Snyder, Seebass, and Hein, from Prentice Hall. The new edition covers Linux, and explains where other systems differ. This book is superior to any book specifically for Linux.

For help, I prefer IRC (Internet Relay Chat) on a freenode.net server. See http://www.freenode.net/


A few administration commands


Network service configuration

Redhat configures their network services during boot with the script /etc/rc.d/init.d/network, which gets network parameters from /etc/sysconfig/network and calls scripts in /etc/sysconfig/network-scripts/. See ifcfg-eth0 and ifcfg-lo. Static routes can be specified in /etc/sysconfig/static-routes.

Check the active ip address of eth0 with ifconfig. After changing the address, reset with /sbin/ifdown eth0; /sbin/ifup eth0 or more drastically /sbin/service network restart.

Identify cluster hostnames most simply by specifying IP addresses in /etc/hosts. Use the same file for all nodes, including the mayor.

Make sure you do not have a protocol mismatch with mii-tool -v eth0. Duplex mode mismatches will hurt performance.

Here are examples of my network files on various types of systems.

All use the same /etc/sysconfig/network-scripts/ifcfg-lo
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback

If you use DNS, then specify your domain, preferred nameserver lookup order, and default domain completions in /etc/resolv.conf:
nameserver 111.111.138.22
nameserver 111.111.138.25
nameserver 111.111.88.36
search foo.com denver.foo.com etc.foo.com

If you are using NIS, then specify the NIS server for each domain in /etc/yp.conf on lines like
domain denver.foo.com server denadmin01
domain denver.foo.com server denadmin02

To export a local disk, add a line to /etc/exports, like
/export/d01     *(rw)

Restart nfs with
$ sudo service nfs restart
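The *(rw) line above grants read-write access to every host that can reach the NFS port. As an added example, not from these notes, the following script audits an exports file for that pattern, for no_root_squash, and for the "host (rw)" mistake (a space before the parenthesis turns the option list into a separate entry that applies to every host). The sample exports file it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a file in /etc/exports syntax for entries that hand
# out more than intended. Prints one line per finding; exit status 1 if any.
# Usage: audit_exports /etc/exports

audit_exports() {
    findings=$(awk '
    # skip comments and blank lines
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            client = spec
            opts = ""
            p = index(spec, "(")
            if (p > 0) {
                client = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1)
                sub(/\)$/, "", opts)
            }
            note = ""
            if (client == "") {
                # "host (rw)": the bare "(rw)" is its own entry for every host
                client = "*"
                note = " (bare option list after a space applies to every host)"
            }
            # exports default to ro, so only an explicit rw to "*" is flagged
            if (client == "*" && opts ~ /(^|,)rw(,|$)/)
                printf "%s %s: read-write export to every host%s\n", dir, spec, note
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%s %s: no_root_squash lets remote root act as local root\n", dir, spec
        }
    }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample standing in for /etc/exports (not from a real system).
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample
/export/d01     *(rw)
/export/d02     192.168.10.0/24(rw,sync)
/export/d03     backup.foo.com(rw,no_root_squash)
/export/d04     *(ro)
/export/d05     client1.foo.com (rw)
EOF

# Three of the five entries above are reported: d01, d03 and d05.
audit_exports "$SAMPLE_EXPORTS" || echo "fix the entries above before restarting nfs"
```

Run audit_exports /etc/exports before service nfs restart; afterwards, exportfs -v shows what the running server actually exports.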

Exceptionally slow network performance may be due to using half rather than full duplex. Check
$ sudo ethtool eth0


Installing a distribution

Try to get the most recent possible release of any particular distribution. The improvements you see with a new release will be much greater than any differences you find between distributions. Desktops continue to improve greatly.

Once I find the iso's on a mirror, I download with a script like
S="ftp://distro.someplace.org/pub/linux/distributions/fedora/linux/core/2/i386/iso/"
P="me@myaddress.com"
for f in \
 MD5SUM \
 FC2-i386-disc1.iso \
 FC2-i386-disc2.iso \
 FC2-i386-disc3.iso \
 FC2-i386-disc4.iso \
; do 
       wget $S$f
done 

(curl is an advanced alternative to wget.)
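The loop above fetches MD5SUM along with the images but never uses it. Here is an added example, not part of the original notes, that checks whatever images are present in a directory against that MD5SUM file with md5sum -c: images listed but not downloaded are skipped, and the check fails if none of the listed files is present or any present file mismatches. The file names and the tiny stand-in files are constructed for the demonstration. A matching sum proves the download was not corrupted or altered in transit; it says nothing about where MD5SUM itself came from, so take that file from the distribution's own site, or check its signature where one is provided.

```shell
#!/bin/sh
# Added example: verify downloaded images against the MD5SUM file shipped
# beside them. Usage: verify_downloads DIR MD5SUM_FILE  (exit 0 only if every
# image present in DIR matches and at least one image was checked)

verify_downloads() {
    dir="$1"
    sums="$2"
    # keep well-formed "md5  filename" / "md5 *filename" lines (a signature
    # wrapper, if any, is skipped), drop entries for files we did not fetch,
    # and let md5sum verify the rest from stdin; empty input makes it fail
    grep -E '^[0-9a-fA-F]{32} [ *]' "$sums" |
    while read -r sum name; do
        name=${name#\*}
        [ -f "$dir/$name" ] || continue
        printf '%s  %s\n' "$sum" "$name"
    done |
    ( cd "$dir" && md5sum -c - )
}

# Constructed demonstration: tiny stand-ins for the iso files, with an
# MD5SUM laid out the way a mirror's file is.
GOOD=$(mktemp -d)
printf 'constructed stand-in for disc 1\n' > "$GOOD/FC2-i386-disc1.iso"
printf 'constructed stand-in for disc 2\n' > "$GOOD/FC2-i386-disc2.iso"
( cd "$GOOD" && md5sum FC2-i386-disc1.iso FC2-i386-disc2.iso > MD5SUM )
# an entry (fake sum) for an image that was not downloaded: skipped, not failed
echo "00000000000000000000000000000000  FC2-i386-disc3.iso" >> "$GOOD/MD5SUM"

# A second copy in which one image was altered after the sums were taken.
BAD=$(mktemp -d)
cp "$GOOD"/* "$BAD"/
echo "one extra byte is enough" >> "$BAD/FC2-i386-disc2.iso"

verify_downloads "$GOOD" "$GOOD/MD5SUM" && echo "images verified"
verify_downloads "$BAD" "$BAD/MD5SUM" || echo "do not install from these images"
```

After the wget loop, run verify_downloads . MD5SUM from the download directory and do not burn or install from any image that fails.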

Performing a clean install has gotten so easy that it doesn't seem worth documenting. Use a default workstation install, then use rpm to add additional features from your disks or iso images. See the section on RPM elsewhere on this page.

On RedHat and Fedora, both yum and up2date are great ways to upgrade your system quickly. Locate on the web a /etc/yum.conf that points to Fedora mirrors. You can upgrade all installed Fedora packages with yum update -y. (I prepend sudo to avoid logging in as root.) If you have registered with the RedHat network, then you can upgrade everything with up2date --nox -u. These commands also install new packages if you know the name of the new package.

Most yum-based systems come preconfigured to check a few reliable repositories. Check /etc/yum.repos.d/ to see which are checked by your system.

For CentOS, I add access to RPMForge, following these directions: https://rpmrepo.org/RPMforge/Using

More repos are tracked here: http://wiki.centos.org/Repositories

Many good rpm's are here: http://dag.wieers.com/rpm/ but they are also available through RPMForge.

Create a list of available packages with yum list all | tee yum.txt

Some collections can be installed as a group: sudo yum -y groupinstall "X Software Development"

If you are reinstalling or upgrading, then keep a backup copy of the entire /etc directory on another machine. You may want to compare configuration files later, particularly for the network connection.

You are asked a small number of questions during installation. If you forget your answers, you can find most of them again in /etc/sysconfig.

On redhat systems, there are tools in /usr/bin/redhat-config-* or /usr/bin/system-config-* for configuring specific devices.

See what pci devices were detected with lspci.

Check the X configuration with xdpyinfo or look in /etc/X11/XF86Config*. Check your specified video card driver in /etc/sysconfig/hwconf and /proc/pci.

Change your mouse after installation by running /usr/sbin/mouseconfig. Check the configuration file /etc/sysconfig/mouse. /dev/mouse points to the device file for the mouse.

You can change your default desktop easily with switchdesk. This only adds a .Xclients-default to your home directory, to be used by .Xclients. Look in /etc/X11/xinit to see the system defaults.

Your sound may default to a low level. Try adjusting with aumix. Your menu should also contain volume controls.

Dual boots are really not worth the trouble, unless you are stuck with a laptop. I prefer to run one OS per machine and connect them with a hub.

I prefer three partitions: one big partition for root /, one smaller partition for /home, and a swap partition that is about 2.5 times the size of the resident memory. A separate partition for /home will allow a fresh installation without reconstructing the home directory. Installs do a good job of defaulting these partitions.

§    Boot floppies

If you need to make a boot floppy for a really old Microsoft box, put in the first CD, and try
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name: ..\images\bootdisk.img
Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :

Recent kernels are too large to fit on a boot floppy. If you have an older machine that will not boot from CD, then first install an older minimal linux so that you have a boot loader. Then copy the kernel vmlinuz and initrd.img onto your /boot partition from your newer install CD. Modify /etc/grub.conf or the equivalent lilo file to boot from it.

§    Time servers

Most distributions allow you to specify the name of a time server and be done with it.

Here are nitty gritty details if you must customize that behavior.

If you are on a network with time servers, add their hostnames, on one line separated by spaces, to /etc/ntp/step-tickers, like foohost barhost bazhost. Or modify the server and fudge lines in /etc/ntp.conf with a specific server name like:
server foohost
fudge foohost stratum 10

Start the service with chkconfig ntpd on. See that it is running with chkconfig --list.

On redhat, the /etc/ntp.conf file may direct you to use the gui application dateconfig, or your changes will be lost.

Restart the time server with /etc/rc.d/rc3.d/S26ntpd restart or whatever path is appropriate on your machine.

Synchronize once with another host by typing
$ ntpdate ntp.nasa.gov
or
$ ntpdate time.nist.gov

If you don't use time servers, you can reset your hardware clock with
$ hwclock --set --date="5/15/02 19:00:00"

Use the two digit year, even though we've already passed into the next millennium. (A four digit year will put you in a strange century.) To avoid upsetting running processes, your clock does not reset until the next reboot. Always use local time.


Devices

§    CD readers and writers

First of all, to eject your CDROM, type eject. If your CDROM is not visible, try mounting it with mount /mnt/cdrom

Make a CDROM image (ISO9660) from a file system with
mkisofs -r -J /my/dir/ > image.iso

(This is faster than specifying the file with -o).

With Gnome, I can right click on the iso and specify "Write to CD".

With a recent kernel, you can easily record from the command line with
cdrecord -v speed=2 dev=/dev/cdwriter -data image.iso

You'll need to use sudo or run as root.

If this doesn't work, you can identify your CD-R device, and burn the iso with
$ cdrecord -scanbus
  1,0,0   100) 'HITACHI ' 'DVD-ROM GD-5000 ' '0212' Removable CD-ROM
  1,1,0   101) 'SONY    ' 'CD-RW  CRX220E1 ' '6YS1' Removable CD-ROM
  ...
$ cdrecord -v speed=2 dev=1,1,0 -data image.iso

Tools for reading music cd's include cdparanoia, readcd, and gnome-cd -unique -device /dev/cdrom -play. Play a dvd with vlc or mplayer. Write or copy a music CD with xcdroast which is a GUI wrapper for cdrecord and other utilities.

Most of these will play an audio CD digitally, without an audio cable connected to your CDROM. For example, right click on the xmms menu for "Options" and "Preferences." Select the "Audio I/O Plugins" tab. Highlight "CD Audio Player" in the panel of "Input plugins" then hit the "Configure" button. Switch the radio button for "Play Mode" from "Analog" to "Digital audio extraction." Hit all the Ok buttons on your way out. Right click again on the xmms panel, select "Play File", point at /mnt/cdrom, and hit the forward play button.

§    USB mass storage device

Most systems now recognize and mount USB memory sticks automatically. If yours is not mounted, then look at /var/log/messages to see if the device was seen at all. If so, then you just need to solve the problem of mounting.

Look at the rules in /etc/udev/rules.d and see if any apply to your USB stick. Rules usually key off a product name and vendor string. You can see what your stick reports by running lsusb -v. From there, find the rule that udev should use to mount it. You may have a heretofore unrecognized stick.

If automounting will not work, then you can still mount by hand.

Plug it in to a USB port. Install sg3_utils. Scan raw SCSI devices and determine the real SCSI device.
root$ sg_scan -i
/dev/sg0: scsi0 channel=0 id=0 lun=0
    IBM-ESXS  ST318305LW    !#  B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0] 
/dev/sg1: scsi0 channel=0 id=1 lun=0
    IBM-ESXS  ST318305LW    !#  B244 [rmb=0 cmdq=1 pqual=0 pdev=0x0] 
/dev/sg2: scsi2 channel=0 id=0 lun=0 [em]
    M-Sys     Dell Memory Key   4.50 [rmb=1 cmdq=0 pqual=0 pdev=0x0] 
root$ sg_map
/dev/sg0  /dev/sda
/dev/sg1  /dev/sdb
/dev/sg2  /dev/sdc

From this, I see that the memory key is on /dev/sdc. /dev/sdc1 specifies the first, and usually only, partition.

To mount this, first create a mount point, then mount
sudo mkdir /mnt/flash
sudo mount -o defaults /dev/sdc1 /mnt/flash

Or you can add a line to /etc/fstab, so you can mount and write as any user. You'll need to see what options are supported, as these change over time.

To examine, change, and format partitions.
root$ fdisk /dev/sdc
root$ mkfs -t vfat /dev/sdc1

See more at http://vic.gedris.org/linux-UsbMassStorage/ , http://www.linux-usb.org/ , and http://www.cs.sfu.ca/~ggbaker/personal/cf-linux

§    Wrong USB speed

A device that refuses to mount might be using a faster USB 2 protocol than supported by the device. The log message should mention a new high speed USB device using ehci_hcd and address ...

There still seem to be intermittent problems mounting these, even when the device supports USB2. Try reloading the appropriate kernel module:
sync
sudo modprobe ehci_hcd

For some reason, this often triggers the correct remounting of all USB2 devices.

For extra emphasis, you can first remove the module: sudo rmmod ehci_hcd, which first causes all USB devices to be mounted at the lower speed. Then add the module back.

For NTFS, install the following packages: fuse, dkms, dkms-fuse, fuse-ntfs-3g. Mount and unmount with the following.
mkdir /mnt/ntfs
ntfs-3g /dev/sdc1 /mnt/ntfs        # read-write
ntfs-3g /dev/sdc1 /mnt/ntfs -o ro  # read only
umount /mnt/ntfs

§    USB Mass Storage is too slow

You should get around 1Mb/sec transfer rate with flash memory. First find out what device your flash is attached to with df /media/usbdisk. Then check the raw device transfer rate with sudo hdparm -t /dev/sda1. If the hardware is fast, and your file copies are much slower, then your problem is software.

Look at lsmod while the flash is attached, and be sure you are using usb_storage instead of the slower ub. See that the proper module is loaded with lsmod | egrep ehci_hcd. Look at sudo lsusb -v | less to see that you are using USB 2 instead of 1. You should also see ehci_hcd listed after the kernel.

If these are all right, then you may be better off disabling syncing during writes. See if the usb drive shows up with mount | grep sync. See if sync is specified in /etc/fstab for the usb drive. If so, disable it in /etc/fstab or by examining man fstab-sync. A copy may appear to occur instantaneously, but much of the file may be cached in memory. You still need to sync from the command line to finish the write, but this should occur at near the maximum rate for a single write. Finally, as usual, umount /media/usbdisk before disconnecting.

An external hard drive is much easier to handle. Mine came as ntfs. I formatted to a Linux filesystem like this.
root$ mkfs -t ext4 /dev/sdc1

If you want to delete or add partitions, you can use fdisk on the whole disk (not on a partition)
root$ fdisk /dev/sdc

§    EncFS

EncFS is an excellent way to encrypt files that you may carry around with you on a portable USB drive.

Most of what you need to know can be found at http://www.arg0.net/encfs

If you have permission problems, add yourself to the fuse group in /etc/group and
sudo chgrp fuse /usr/bin/fusermount
sudo chmod 4755 /usr/bin/fusermount

Make sure the fuse module is loaded with
lsmod | grep fuse
modprobe fuse

§    Digital cameras

For digital cameras, try http://www.gphoto.org/ .

§    CUPS Printer

Set up a cups printer by modifying the ServerName in /etc/cups/client.conf. See which printers are available with lpstat -t and print with lp -d PRINTER_NAME file

Set default printer options like this: lpoptions -o sides=two-sided-long-edge

See more on cups at http://localhost:631/ .


Security

Check your system for rootkits by installing rkhunter and chkrootkit.

For firewalls, the best single reference is the book "Linux Firewalls" by Robert L. Ziegler, from New Riders press.

I now use a hardware firewall, and don't rely on the built-in packet filtering of iptables. Do not connect to the internet until you have some firewall in place.

Distributions should all now have a simple interface that lets you manipulate the rules of the underlying iptables. Look for it on your menu bar. In the past, I exported only ssh and let iptables block all other connections on all other ports. Use ssh and scp instead of telnet and ftp for your own use.

See what packet filtering you have turned on with iptables --list either with sudo or as root.

See what services are running (at various runlevels) with chkconfig --list or more directly
/sbin/service --status-all | grep running

Disable services you don't need. Anyone able to connect to these ports can probe for weaknesses like buffer overflows in these services. Useless daemons also waste resources.

Stop services with
/sbin/service sendmail stop

And prevent a service from being started at your runlevel by removing the startup script, such as
rm /etc/rc.d/rc3.d/S80sendmail

You can manipulate the symbolic links in the runlevel directory by using chkconfig.

See what services are running (at various runlevels) with chkconfig --list.

Disable with chkconfig sendmail off.

See what ports you have open for TCP services with
netstat -pta | grep LISTEN

Match ports to services by looking at /etc/services and /etc/protocols.
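Rather than reading netstat -pta and /etc/services side by side, the following added example, not from the original notes, turns a saved netstat -pta listing into one line per listening TCP port with its service name, the owning program, and whether the socket is bound to loopback only or to every interface. Both input files below are constructed samples in the real formats.

```shell
#!/bin/sh
# Added example: inventory of listening TCP ports from netstat -pta output.
# Usage: listening_ports NETSTAT_OUTPUT_FILE SERVICES_FILE
# Output: "port/proto service pid/program loopback-only|all-interfaces"

listening_ports() {
    awk '
    # first file: services, e.g. "ssh 22/tcp"; build name[port/proto]
    FNR == NR {
        if ($0 ~ /^[[:space:]]*#/ || NF < 2) next
        name[$2] = $1
        next
    }
    # second file: netstat output; keep only listening sockets
    $6 == "LISTEN" {
        proto = $1
        sub(/6$/, "", proto)              # tcp6 -> tcp for the lookup
        n = split($4, a, ":")             # last field after ":" is the port
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        key = port "/" proto
        svc = (key in name) ? name[key] : "unknown"
        bind = (addr == "127.0.0.1" || addr == "::1") ? "loopback-only" : "all-interfaces"
        printf "%s %s %s %s\n", key, svc, $7, bind
    }' "$2" "$1"
}

# Constructed sample of "netstat -pta" output (not from a real machine).
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1044/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      701/portmap
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2203/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      1501/java
EOF

# Constructed excerpt in /etc/services format.
SERVICES_SAMPLE=$(mktemp)
cat > "$SERVICES_SAMPLE" <<'EOF'
# constructed excerpt
ssh     22/tcp
smtp    25/tcp      mail
sunrpc  111/tcp     portmapper
EOF

# Four listeners are reported; sendmail is loopback-only, 8080 is unknown.
listening_ports "$NETSTAT_SAMPLE" "$SERVICES_SAMPLE"
```

On a live machine run netstat -pta > /tmp/ports.txt as root (so program names are shown) and then listening_ports /tmp/ports.txt /etc/services. Anything marked all-interfaces that you do not recognize is a candidate for chkconfig ... off.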

Check your machine for vulnerabilities at sites that will scan your ports, like http://grc.com/ . Then look at your log files in /var/log/messages* to see the ignored packets. Use nslookup IP_ADDRESS and tracepath IP_ADDRESS to see where the packets came from.

Scan your own ports with nmap, which you can get from http://www.insecure.org/nmap/ . This will label the available ports for you. Use the flags nmap -sT -P0 (IP_ADDRESS) if you are able to scan your machine from an unprivileged domain.

§    SSH

SSH is usually installed and functional with a default install.

Provide automatic access for one machine at a time. Set up a custom configuration by copying cp /etc/ssh/ssh_config $HOME/.ssh/config and editing. My defaults use dsa, so I run ssh-keygen -t dsa and provide a passphrase. This creates an id_dsa and id_dsa.pub in $HOME/.ssh. Copy the public key in id_dsa.pub into $HOME/.ssh/authorized_keys on a remote machine. You can do this with ssh-copy-id -i $HOME/.ssh/id_dsa.pub remote_host. Now go to that remote machine and ssh back. It should ask for your passphrase instead of your password. If not, your configuration files are not compatible with your choice of keys and protocol. Try creating keys for rsa and rsa1 too. Add them all to authorized_keys.

When it works, then you can now start a user agent to manage your login. Try this
$ ssh-agent | grep -v echo | tee ~/.myssh
$ ssh-add
Enter passphrase for /home/me/.ssh/id_dsa:
Identity added: /home/me/.ssh/id_dsa (/home/me/.ssh/id_dsa)
$ ssh-add -l

The first command starts an agent and saves two environment variables SSH_AUTH_SOCK and SSH_AGENT_PID in a file ~/.myssh

Now any shell can source this file and ssh to authorized hosts without typing a password.

Naturally I put the above commands in a script. I run it once after rebooting a machine.

In my .bashrc file, I source this file
if [ -f "$HOME/.myssh" ] ; then 
  . $HOME/.myssh
fi
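When the remote machine asks for a password rather than the passphrase, the usual cause is permissions: sshd with its default StrictModes ignores an authorized_keys file, or a .ssh directory, that group or others can write, and ssh refuses to use a private key that anyone else can read. Here is an added example, not from the original notes, that checks a .ssh directory for both conditions; the directory it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check permissions in a .ssh directory.
# Usage: check_ssh_perms DIRECTORY   (exit status 1 if anything is wrong)

check_ssh_perms() {
    dir="$1"
    bad=0
    # the directory itself must not be open to group or others
    mode=$(stat -c '%a' "$dir")
    if [ "$(( mode % 100 ))" -ne 0 ]; then
        echo "$dir: mode $mode, should be 700"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        group_w=$(( (mode / 10 % 10) & 2 ))   # write bit of the group digit
        other_w=$(( (mode % 10) & 2 ))        # write bit of the others digit
        case "${f##*/}" in
            *.pub|authorized_keys|known_hosts|config)
                # readable by others is fine; writable by others is not
                if [ "$group_w" -ne 0 ] || [ "$other_w" -ne 0 ]; then
                    echo "$f: mode $mode, must not be group- or world-writable"
                    bad=1
                fi ;;
            id_*)
                # private keys are for the owner only
                if [ "$(( mode % 100 ))" -ne 0 ]; then
                    echo "$f: mode $mode, private key should be 600"
                    bad=1
                fi ;;
        esac
    done
    return $bad
}

# Constructed .ssh directory with two typical mistakes (no real keys here).
umask 022
DEMO_SSH=$(mktemp -d)
chmod 700 "$DEMO_SSH"
echo "constructed stand-in for a private key" > "$DEMO_SSH/id_dsa"   # 644: wrong
echo "constructed stand-in for a public key" > "$DEMO_SSH/id_dsa.pub" # 644: fine
echo "constructed stand-in for a public key" > "$DEMO_SSH/authorized_keys"
chmod 664 "$DEMO_SSH/authorized_keys"                                  # group-writable: wrong
echo "Host *" > "$DEMO_SSH/config"
chmod 600 "$DEMO_SSH/config"

# Two findings are printed: id_dsa and authorized_keys.
check_ssh_perms "$DEMO_SSH" || echo "fix with: chmod 600 id_dsa authorized_keys"
```

Run check_ssh_perms $HOME/.ssh on both machines; the ~/.myssh file that holds the agent socket and pid deserves mode 600 as well, since anyone who can read it can use the agent.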


Bill Harlan, 2002-2007

