Académique Documents
Professionnel Documents
Culture Documents
Administration
Systems Administration
Administering the system?
Keep the system up in a consistent
state
Monitor performance
Babysit users, make changes on their
behalf
Install, configure, upgrade, maintain
Backup, restore, disaster recovery
Sysadmins
System administration handled by
various people
Full time dedicated sysadmins on site
Remote services
Generic IT personnel
That user that seems to know what
theyre doing
Privilege Hierarchy
Want to divide system privilege by
account
First step is file level permissions
Default permissions limit end users in
what configuration files they can read
and which programs they can run
The Superuser
By default, one account has elevated
privileges to issue any command,
access any file, and perform every
function
Superuser, a.k.a. root
Technically, can change to anything
but dont
Superuser Privileges
What usually works best is short
periods of superuser privilege, only
when necessary
Obtain privileges, complete task,
relenquish privileges
Most common ways are su and sudo
Can also use the setuid/setgid method
(Ch. 4), but not recommended
su
Short for substitute or switch user
Syntax: su [options] [username]
If username is omitted, root is assumed
sudo
Allows you to issue a single command as
another user
Syntax:
sudo [options] [-u user] command
Again, if no user specified, root assumed
New shell opened with users privileges
Specified command executed
Shell exited
sudoers
Must configure a user to run commands
as another user when using sudo
Permissions stored in /etc/sudoers
Use utility visudo to edit this file (run as
root)
Permissions granted to users or groups,
to certain commands or all, and with or
without password being required
System Operation
Booting, cont
Boot loader selects and loads an OS
kernel
Kernel stored as an compiled image file
Kernel loads modules for hardware and
software functions
Interrupts, device management,
memory management, paging
Last thing kernel does is call init
init
First non-kernel code loaded
Process number 1
Acts as parent to all other processes
on system
Handles starting services and
programs
Based on runlevel, runs the
appropriate scripts
Runlevels
A set of defined system states that init can
bring the system into (varies on distro)
0: Halt/shutdown
1: Single user mode
2: Multiuser mode
3: Multiuser mode with networking
4: Not used
5: Multiuser mode with networking and GUI
6: Reboot
Runlevels, cont
On boot, init checks /etc/inittab to
see what runlevel to bring system to
To change runlevel after boot
telinit runlevel
shutdown/halt/reboot
Scripts
Scripts, cont
In each runlevel directory, there are
symbolic links to scripts in
/etc/rc.d/init.d
The name of the link is crucial
Starting with S means start in this runlevel
Starting with K means kill in this runlevel
After S/K, there is an order number
Start ascending
Kill descending
Notes
What weve described is the
traditional Linux init/boot process
Different distros do things differently
launchd in Mac OS X
Upstart in Ubuntu Linux
Initng in Debian, Gentoo, others
Runlevel 1
Console only no terminals
Very minimal environment
Some filesystems might not be
mounted
Maintenance of filesystems
Fixing configuration errors
Disaster recovery
Multiuser Mode
Runlevels 2-5
Runlevel 2 allows terminal logins
Runlevel 3 allows remote terminal logins
Runlevel 5 enable X11 graphical
environment
Runlevels 3 and 5 are the most common
levels for day-to-day operations
Scheduling
Linux systems uses the Cron system for
time-based job scheduling
Allows users to schedule jobs to run
Allows sysadmins to run jobs and batch
processes
Different distros implement the
structures differently
Most use /etc/crontab as primary set
of instructions
Sometimes other files are used, like
/var/spool/cron/*
crontab
Each line schedules a job
Syntax:
* * * * * command
First field is minutes (0-59)
Second field is hours (0-23)
Third is day of the month (1-31)
Fourth is month of year (1-12)
Fifth is day of week (0-6, starting with
Sun)
Filesystem Management
A Linux installation can be comprised
of many different filesystems
Each filesystem (except for swap) is
connected to the filesystem hierarchy
at a specific point in the tree
This is referred to as the mount point
A sysadmin uses mount, umount and
/etc/fstab to manage these mounts
mount
Syntax (most commonly):
mount t type device directory
Associates a device (partition, CD-ROM,
etc) formatted with a particular type of
filesystem with a specified directory in
the hierarchy
Requires root privileges to mount in
most cases
mount with no arguments displays list of
mounted filesystems
umount
Syntax:
umount directory | device
Removes that association
Cannot umount if device is still being
accessed (i.e. open files)
Again, most likely requires root
privileges
fstab
For filesystems that should be mounted
on boot every time, put them in
/etc/fstab
Basically a tab delimited file that
contains the command line parameters
youd give to mount
Device
Mount point (directory)
FS type
Options (Readonly, attributes, etc)
Filesystem Integrity
Filesystem problems? Corrupt files?
Forced into single user mode to fix
errors?
fsck
Syntax:
fsck [options] t type filesystem
Again, usually need root permissions
Also, filesystem should NOT be mounted
while running fsck can cause damage
Installing Software
The open source movement has
provided an enormous volume of
freely available programs
Two primary methods of installing
programs
By source
By package manager
Installing by Source
Download source code
Usually comes in a compressed tar
archive (.tar.gz or similar)
Extract source code
Configure the installation (usually
./configure)
Then compile (make)
Then copy into filesystem (make
install)
Package Managers
There are a wide variety of package
managers available for different Linux
distributions
In turn, there are several different types of
packages available for each of these
managers
Packages are an archived version of the
source code
Often tailored to a specific architecture or
distribution
RPM
Red Hat Package Manager
Package format and manager
created by Red Hat developers
Used widely by Red Hat, Red Hatbased distros, and many others
System maintains a local RPM
database to maintain consistency
and track installs
RPM, cont
Many different utilities for managing RPMs
rpm: command line package manager for
installing/removing/configuring packages
up2date: command line package
manager that fetches packages from
internet and resolves dependencies
yum, yast: similar to up2date
Many GUI frontends available to these
utilities
deb
Debian package format
Used in Debian Linux and its
derivatives such as Ubuntu and
Knoppix
Contains compressed binary data
and metadata
Again, usually specific to a distro and
an architecture
deb cont
dpkg: Debian package manager, for
installing/removing/configuring
packages
apt: Advanced Package Tool, for
installing and configuring packages
from online sources. Also does
dependency resolution
Again, graphical front ends available
for each of these
User Administration
User configuration stored in
/etc/passwd
File got its name because it originally
contained passwords as well
Security problem too many processes
need to read passwd
A shadow file used now instead (more in a
sec)
passwd
jsmith:x:1001:1001:Joe Smith,Rm27,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/bash
passwd, cont
Originally passwd contained a users
password information
How it works
User picks a password
A random number is generated (called the
salt)
The salt and the password is passed into a
hash function (a one-way cryptographic
algorithm)
The salt and result are stored in ASCII
passwd, cont
Problem user-level programs need to
read passwd
Get user name, location
Home directory, shell
passwd, cont
Original salt was 12-bit ... 4096 possibilities
Many early users used bad passwords
Dictionary words
shadow
Wasnt acceptable to have passwd
world readable if it contained hashes
So salted hashes moved to a new file
/etc/shadow
Format similar to passwd, one user
per line
Readable only by root
shadow, cont
jsmith:$1$CzzxUSse$bKJL9wAns39vlxQlBZ8wd/:13744:0:99999:7:::
shadow, cont
Fourth is days until password is eligible
to be changed
Fifth is days before change is required
Sixth is days before expiration to warn
Seventh is days before account expires
Eighth is days since epoch when
account expires
Ninth is unused/reserved
Adding Users
If you really wanted to, edit
/etc/passwd by hand
Some distributions have graphical or
simplified ways to add users
Most widely available however is
command line utility useradd
Deleting Users
Modifying Users
Syntax: usermod [options]
username
Options are pretty much identical to
those of useradd
Also, -l to change the users login
name
And G to list additional groups to
add user to
Group Management
Daemons as Users
For the most part, Linux daemons (services)
each run as a unique user account
Provides additional security by segregating
processes and files
Running daemons as root usually a bad idea
Accounts usually created automatically and
assigned passwords
Usually disabled from logging into system
Networking
Linux is a powerful networking
operating system
Much of it developed in tandem with
the Internet
Ability to work as a client, server, or
network device
Proxies, firewalls, routers, bridges, etc
Networking, cont
Overall networking usually governed
by /etc/rc.d/init.d/network
Invoked in runlevels 3 and 5 usually
Network device/interface
configurations in either
/etc/sysconfig/networking or in
/etc/sysconfig/network-scripts
Can either edit manually, or use
utilities to manage
ifconfig
Displays or alters network device configs
Syntax:
ifconfig interface [options]
With no options, shows interfaces config
If interface omitted as well, show all
configs
Options include flags, IP address, subnet
mask, etc
route
Display or change routing
In simple configurations, mostly used
to set default gateway
Syntax:
route [options] [add/delete] [target]
hostname
Used to set/display the computers
network name
Depending on what protocols your
network uses, may also need to look at
domainname
dnsdomainname
Interfaces
By default, wired ethernet interfaces
are found as ethX, with X starting at 0
These are aliases to the actual
physical adapter and driver
To enable an interface:
ifup interface
To disable an interface:
ifdown interface
Interfaces, cont
Other types of interfaces exist
ppp, slip, atm, etc
Networking
As with most things, GUI tools available
Similar to TCP/IP configuration in
Windows
More advanced operations (bridging,
NAT/IP Masquerading, advanced routing)
take a little more configuration
Default firewall software is iptables or
ipchains
Network Shares
Samba SMB/CIFS
CUPS
NFS
Kernel Modification
Vast majority of Linux kernel releases
incredibly stable
New features/improvements
Bug fixes
Modules vs. in kernel
We need to recompile
Kernel Compilation
Kernel Compilation
Now we have the kernel in place
But we need the info necessary to
launch init
We need an initial filesystem loaded so
that init has what is necessary to load
devices and other filesystems
(including /)
So we use a temporary, memory
contained filesystem a RAM disk