Upload
omayio
View
15
Download
2
Tags:
Embed Size (px)
DESCRIPTION
This document gives the basics to linux system administration
Citation preview
INTRO TO LINUX SYSTEMS ADMINISTRATION
SYSTEMS ADMINISTRATION Administering the system? Keep the system up in a consistent state Monitor performance Babysit users, make changes on their behalf Install, configure, upgrade, maintain Backup, restore, disaster recovery
SYSADMINS System administration handled by various
people Full time dedicated sysadmins on site Remote services Generic ‘IT’ personnel That user that seems to know what they’re doing
Can be a skill set central to a career path, or a means to an end
PRIVILEGE HIERARCHY Want to divide system privilege by account First step is file level permissions
Default permissions limit end users in what configuration files they can read and which programs they can run
Next level is within system programs Limit certain functions to only users with
‘elevated’ privileges
THE SUPERUSER By default, one account has elevated
privileges to issue any command, access any file, and perform every function
Superuser, a.k.a. root Technically, can change to anything – but don’t
User and group number 0
THE SUPERUSER, CONT Must limit use of root
Inexperienced users can cause serious harm Use of root for non-privileged tasks unnecessary
and can be open to attack Security and privacy violations – root can look at
anyone’s files Limit what root can do remotely Ensure a strong password
SUPERUSER PRIVILEGES What usually works best is short periods of
superuser privilege, only when necessary Obtain privileges, complete task, relenquish
privileges Most common ways are su and sudo Can also use the setuid/setgid method (Ch.
4), but not recommended
SU Short for substitute or switch user Syntax: su [options] [username]
If username is omitted, root is assumed After issuing command, prompted for that
user’s password A new shell opened with the privileges of that
user Once done issuing commands, must type exit
SUDO Allows you to issue a single command as
another user Syntax: sudo [options] [-u user] command
Again, if no user specified, root assumed New shell opened with user’s privileges Specified command executed Shell exited
SUDOERS Must configure a user to run commands as
another user when using sudo Permissions stored in /etc/sudoers Use utility visudo to edit this file (run as
root) Permissions granted to users or groups, to
certain commands or all, and with or without password being required
OTHER PERMISSIONS MODELS Some Linux distributions such as Ubuntu
obscure away the root account altogether By default the end user doesn’t know the
root password Can’t login as root Can’t su
Must rely on sudo (and the graphical gksudo) to obtain privilege, along with ‘Unlock’ functions in GUI
SYSTEM OPERATION Booting the system Runlevels Modes Shutting down the system
BOOTING THE SYSTEM Power on, POST, hardware initialization Boot device selected by BIOS/user interaction Master boot record of boot device read Initializes the bootloader
lilo (LInux LOader) grub (GRand Unified Bootloader)
BOOTING, CONT Boot loader selects and loads an OS kernel Kernel stored as an compiled image file Kernel loads modules for hardware and
software functions Interrupts, device management, memory
management, paging Last thing kernel does is call init
INIT First non-kernel code loaded Process number 1 Acts as parent to all other processes on
system Handles starting services and programs Based on runlevel, runs the appropriate
scripts
RUNLEVELS A set of defined system states that init can
bring the system into (varies on distro) 0: Halt/shutdown 1: Single user mode 2: Multiuser mode 3: Multiuser mode with networking 4: Not used 5: Multiuser mode with networking and GUI 6: Reboot
RUNLEVELS, CONT On boot, init checks /etc/inittab to see what
runlevel to bring system to To change runlevel after boot
telinit runlevel shutdown/halt/reboot
Any time the runlevel changes, init consults a set of scripts to determine what to stop/start
SCRIPTS Init works with run command (rc) scripts Found in /etc/rc.d All scripts housed in /etc/rc.d/init.d Each script takes a parameter for changing
operation (start/stop/halt/reboot) Each runlevel has it’s own directory
/etc/rc.d/rcN.d
SCRIPTS, CONT In each runlevel directory, there are symbolic
links to scripts in /etc/rc.d/init.d The name of the link is crucial
Starting with S means start in this runlevel Starting with K means kill in this runlevel After S/K, there is an order number
Start ascending Kill descending
NOTES What we’ve described is the traditional Linux
init/boot process Different distros do things differently
launchd in Mac OS X Upstart in Ubuntu Linux Initng in Debian, Gentoo, others
The classic init is called System V init
SINGLE USER MODE Runlevel 1 Console only – no terminals Very minimal environment Some filesystems might not be mounted Maintenance of filesystems Fixing configuration errors Disaster recovery
MULTIUSER MODE Runlevels 2-5 Runlevel 2 allows terminal logins Runlevel 3 allows remote terminal logins Runlevel 5 enable X11 graphical environment Runlevels 3 and 5 are the most common
levels for day-to-day operations
SHUTTING DOWN THE SYSTEM Syntax:shutdown [options] time [message] Time: XX:XX or +X or NOW -k: don’t really shutdown, just send message -r: reboot -h: halt -c: cancel a shutdown
halt: calls shutdown –h reboot: calls shutdown -r
SCHEDULING Linux systems uses the Cron system for time-
based job scheduling Allows users to schedule jobs to run Allows sysadmins to run jobs and batch
processes Different distros implement the structures
differently Most use /etc/crontab as primary set of
instructions Sometimes other files are used, like /var/spool/cron/*
CRONTAB Each line schedules a job Syntax:
* * * * * command First field is minutes (0-59) Second field is hours (0-23) Third is day of the month (1-31) Fourth is month of year (1-12) Fifth is day of week (0-6, starting with Sun)
FILESYSTEM MANAGEMENT A Linux installation can be comprised of
many different filesystems Each filesystem (except for swap) is
connected to the filesystem hierarchy at a specific point in the tree
This is referred to as the mount point A sysadmin uses mount, umount and /etc/fstab to manage these mounts
MOUNT Syntax (most commonly):mount –t type device directory
Associates a device (partition, CD-ROM, etc) formatted with a particular type of filesystem with a specified directory in the hierarchy
Requires root privileges to mount in most cases
mount with no arguments displays list of mounted filesystems
UMOUNT Syntax:umount directory | device
Removes that association Cannot umount if device is still being
accessed (i.e. open files) Again, most likely requires root privileges
FSTAB For filesystems that should be mounted on
boot every time, put them in /etc/fstab Basically a tab delimited file that contains
the command line parameters you’d give to mount Device Mount point (directory) FS type Options (Readonly, attributes, etc)
CREATING NEW FILESYSTEMS First use fdisk device to create a partition
Similar in function to old fdisk from DOS Use ? to display commands, p to display partition
info Once partition created, must be formatted
mkfs –t type filesystem Once formatted, you can mount it
FILESYSTEM INTEGRITY Filesystem problems? Corrupt files? Forced
into single user mode to fix errors? fsck Syntax:fsck [options] –t type filesystem
Again, usually need root permissions Also, filesystem should NOT be mounted
while running fsck – can cause damage
MONITORING DISK USAGE du – disk usage on files and directories df – reports filesystem utilization lsof – list open file handles quota – configure and display user quotas
quotactl quotacheck quotaon edquota
INSTALLING SOFTWARE The open source movement has provided an
enormous volume of freely available programs
Two primary methods of installing programs By source By package manager
INSTALLING BY SOURCE Download source code Usually comes in a compressed tar archive
(.tar.gz or similar) Extract source code Configure the installation (usually ./configure)
Then compile (make) Then copy into filesystem (make install)
PACKAGE MANAGERS There are a wide variety of package
managers available for different Linux distributions
In turn, there are several different types of packages available for each of these managers
Packages are an archived version of the source code
Often tailored to a specific architecture or distribution
RPM Red Hat Package Manager Package format and manager created by Red
Hat developers Used widely by Red Hat, Red Hat-based
distros, and many others System maintains a local RPM database to
maintain consistency and track installs
RPM, CONT Many different utilities for managing RPMs rpm: command line package manager for
installing/removing/configuring packages up2date: command line package manager
that fetches packages from internet and resolves dependencies
yum, yast: similar to up2date Many GUI frontends available to these
utilities
DEB Debian package format Used in Debian Linux and it’s derivatives
such as Ubuntu and Knoppix Contains compressed binary data and
metadata Again, usually specific to a distro and an
architecture
DEB CONT dpkg: Debian package manager, for
installing/removing/configuring packages apt: Advanced Package Tool, for installing
and configuring packages from online sources. Also does dependency resolution
Again, graphical front ends available for each of these
USER ADMINISTRATION User configuration stored in /etc/passwd File got it’s name because it originally
contained passwords as well Security problem – too many processes need to
read passwd A shadow file used now instead (more in a sec)
Each line contains info for one user
PASSWDjsmith:x:1001:1001:Joe
Smith,Rm27,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/bash
First field is username Second was password – now a dummy char Third is userid (uid) Fourth is groupid (gid) Fifth is GECOS field
Full name, contact info Gen. Elec. Comprehensive OS
Sixth is user’s home directory Seventh is user’s default shell
PASSWD, CONT Originally passwd contained a user’s
password information How it works
User picks a password A random number is generated (called the salt) The salt and the password is passed into a hash
function (a one-way cryptographic algorithm) The salt and result are stored in ASCII
PASSWD, CONT Problem – user-level programs need to read passwd Get user name, location Home directory, shell
So passwd was world readable So anyone on system could see a user’s
salted hash It’s encrypted – what’s the big deal???
PASSWD, CONT Original salt was 12-bit ... 4096 possibilities Many early users used bad passwords
Dictionary words Even with 1970’s computing, it wouldn’t take
very long to try all combinations of salts and passwords through the hash function
Just wait for a match Brute force crack
SHADOW Wasn’t acceptable to have passwd world
readable if it contained hashes So salted hashes moved to a new file /etc/shadow Format similar to passwd, one user per line Readable only by root
SHADOW, CONTjsmith:$1$CzzxUSse$bKJL9wAns39vlxQlBZ8wd/:13744:0:99999:7:::
First field is username Second is the salted hash or account status
NP or ! or null for blank password LK or * for locked/disabled account !! for account with expired password
Third is days since last password change Measured from epoch (midnight UTC 1/1/1970)
SHADOW, CONT Fourth is days until password is eligible to be
changed Fifth is days before change is required Sixth is days before expiration to warn Seventh is days before account expires Eighth is days since epoch when account
expires Ninth is unused/reserved
ADDING USERS If you really wanted to, edit /etc/passwd by
hand Some distributions have graphical or
simplified ways to add users Most widely available however is command
line utility useradd
ADDING USERS, CONT Syntax: useradd [options] [-g group] [-d home] \
[-s shell] username -g to define user’s initial group -d to define user’s home directory -s to define user’s default shell Other options for expiration, using defaults,
etc
DELETING USERS Again, could just hack /etc/passwd More elegant: Syntax: userdel [-r] username -r to delete home directory and it’s contents
MODIFYING USERS Syntax: usermod [options] username Options are pretty much identical to those of
useradd Also, -l to change the user’s login name And –G to list additional groups to add user
to
GROUP MANAGEMENT Group info housed in /etc/group Similar to user management groupadd groupdel groupmod
DAEMONS AS USERS For the most part, Linux daemons (services)
each run as a unique user account Provides additional security by segregating
processes and files Running daemons as root usually a bad idea Accounts usually created automatically and
assigned passwords Usually disabled from logging into system
NETWORKING Linux is a powerful networking operating
system Much of it developed in tandem with the
Internet Ability to work as a client, server, or network
device Proxies, firewalls, routers, bridges, etc
NETWORKING, CONT Overall networking usually governed by /etc/rc.d/init.d/network
Invoked in runlevels 3 and 5 usually Network device/interface configurations in
either /etc/sysconfig/networking or in /etc/sysconfig/network-scripts
Can either edit manually, or use utilities to manage
IFCONFIG Displays or alters network device configs Syntax:
ifconfig interface [options] With no options, shows interface’s config If interface omitted as well, show all configs Options include flags, IP address, subnet
mask, etc
ROUTE Display or change routing In simple configurations, mostly used to set
default gateway Syntax:
route [options] [add/delete] [target]
With no arguments, show route table
HOSTNAME Used to set/display the computer’s network
name Depending on what protocols your network
uses, may also need to look at domainname dnsdomainname
Especially important for Internet-accessible systems
Can be defined in /etc/sysconfig/network
INTERFACES By default, wired ethernet interfaces are
found as ethX, with X starting at 0 These are aliases to the actual physical
adapter and driver To enable an interface:
ifup interface To disable an interface:
ifdown interface
INTERFACES, CONT Other types of interfaces exist
ppp, slip, atm, etc Management of them work similarly Wireless interfaces a bit different
Use iwconfig to manage these and display info Has the additional options for frequency,
encryption, channel, passphrases, etc
NETWORKING As with most things, GUI tools available Similar to TCP/IP configuration in Windows More advanced operations (bridging, NAT/IP
Masquerading, advanced routing) take a little more configuration
Default firewall software is iptables or ipchains
NETWORK SHARES Samba SMB/CIFS CUPS NFS
KERNEL MODIFICATION Vast majority of Linux kernel releases
incredibly stable New features/improvements Bug fixes Modules vs. in kernel We need to recompile
KERNEL MODS, CONT If we just want to upgrade to a newer kernel
release, there are a couple of options Can download and install new kernel
packages (RPM, deb, etc) Pre-compiled, and most package managers
do all the work Or the manual way …
Necessary to do any real customization
KERNEL COMPILATION First, need to get kernel source code www.kernel.org Current mainline branch is 2.6 For legacy systems/apps, 2.4 is still available Usually a tar.gz or tar.bz2 Copy to either a temp location, or maybe /usr/src/kernel/
KERNEL COMPILATION, CONT Once you have the compressed archive,
uncompress and extract contents Should make a directory named after the
kernel release i.e. linux-2.6.31.6/
Now go into that directory Should see lots of directories for different
aspects of the system, and a Makefile
KERNEL COMPILATION, CONT Now we need to configure kernel
Select options Choose which items should be modules vs. in
kernel itself To import in the previous system config
make oldconfig The config is stored in the .config file
KERNEL COMPILATION, CONT Want to configure from scratch? Or further
customize? A few different methods
make menuconfig (ncurses) make xconfig (X11 Qt) make gconfig (X11 Gtk)
All basically do the same thing – make selections
KERNEL COMPILATION, CONT Once you’ve done the config and saved it,
time to compile make Will take a while Lots of info will scroll by Don’t worry about warnings, it’s cool Errors would be bad though
KERNEL COMPILATION, CONT Once kernel itself is compiled, must compile
the kernel modules make modules Once that’s done, we need to install the
modules into the correct location in the filesystem
make modules_install
KERNEL COMPILATION, CONT Now we need to install the kernel into the
right spot make install This moves three things to /boot
The system map (symbol lookup in memory) The config The kernel image (vmlinuz)
vm = virtual memory support (from UNIX days) z = compressed
KERNEL COMPILATION Now we have the kernel in place But we need the info necessary to launch init We need an initial filesystem loaded so that
init has what is necessary to load devices and other filesystems (including /)
So we use a temporary, memory contained filesystem – a RAM disk
KERNEL COMPILATION, CONT So we need to create an initrd – a RAM Disk
for init to work with before the real filesystems is mounted
So go to /boot mkinitrd –o initrd.img-<kern-ver> Makes an image of the necessary filesystem
components for that version of the kernel
KERNEL COMPILATION, CONT Now all the pieces are in place One last step – tell the bootloader about it Edit /boot/grub/menu.lst Basically just copy the block from the current
running kernel, change the version info, and you’re done
In most cases, you can usually instead just issue update-grub, but should still check
KERNEL COMPILATION, CONT Example grub block
title Red Hat Enterprise Linux ES (2.6.9-5.ELsmp)root (hd0,0) kernel /boot/vmlinuz root=/dev/hdb1 ro initrd /boot/initrd.img-2.6.25savedefaultboot
KERNEL COMPILATION, CONT Now you can reboot and try it out Check the grub menu for the new kernel you
installed and select it System should boot fine and everything
should work Panic? Reboot, select old kernel, boot into it Retrace your steps, debug kernel, etc