
www.novell.com
Novell Training Services


AUTHORIZED COURSEWARE
Novell Training Services (en)
15 April 2009
SUSE Linux Enterprise Server 11
Administration
Manual
3103
Part # 100-005205-001-REV A
Version 1
Novell, Inc. Copyright 2009-CNI USE ONLY-1 HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents
or use of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
Novell, Inc., reserves the right to revise this publication and to make changes to
its content, at any time, without obligation to notify any person or entity of such
revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any
software, and specifically disclaims any express or implied warranties of
merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any
time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be
subject to U.S. export controls and the trade laws of other countries. You agree to
comply with all export control regulations and to obtain any required licenses or
classification to export, re-export or import deliverables. You agree not to export
or re-export to entities on the current U.S. export exclusion lists or to any
embargoed or terrorist countries as specified in the U.S. export laws. You agree
to not use deliverables for prohibited nuclear, missile, or chemical biological
weaponry end uses. See the Novell International Trade Services Web page
(http://www.novell.com/info/exports/) for more information on exporting Novell
software. Novell assumes no responsibility for your failure to obtain any
necessary export approvals.
Copyright 2008 Novell, Inc. All rights reserved. No part of this publication
may be reproduced, photocopied, stored on a retrieval system, or transmitted
without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in
the product that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page
(http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent
applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for
this and other Novell products, see the Novell Documentation Web
page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list
(http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Copying all or part of this manual, or distributing such copies, is strictly prohibited.
To report suspected copying, please call 1-800-PIRATES.
Contents
Introduction 11
SECTION 1 Enable Fundamental Network Services 17
Objective 1 Configure NFS (Network File System) 18
NFS Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
NFS Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
NFS Client Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Automounter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
NFS System Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Exercise 1-1 Set Up and Manage Network File System (NFS). . . . . . . . . . . . . . . . . . . . . . . . . . 35
Objective 2 Configure Time on SUSE Linux Enterprise Server 11 36
Time Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Synchronize Time with hwclock or netdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
The Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Synchronize Time with NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Exercise 1-2 Configure ntpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Objective 3 Enable the Extended Internet Daemon (xinetd) 53
What xinetd Is. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configure xinetd with YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Manage xinetd Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Exercise 1-3 Configure the Internet Daemon (xinetd). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Objective 4 Enable an FTP Server 63
The Role of an FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
How FTP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Advantages of PureFTPd Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Installation of PureFTPd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configuration of PureFTPd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Management of PureFTPd Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Exercise 1-4 Configure Anonymous PureFTPd Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Summary 72
SECTION 2 Manage Printing 73
Objective 1 Configure CUPS 74
When to Configure a Printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Required Printing Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
How to Add Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Exercise 2-1 Configure Printers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Objective 2 Manage Print Jobs and Queues 91
Generate a Print Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Display Information on Print Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Cancel Print Jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Manage Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configure Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Start and Stop CUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Exercise 2-2 Manage Printers from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Objective 3 Understand how CUPS Works 99
Steps of the Printing Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Print Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Objective 4 Configure and Manage Print Server Access 106
Syntax of /etc/cups/cupsd.conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Exercise 2-3 Manage Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Objective 5 Use the Web Interface to Manage a CUPS Server 113
Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Documentation/Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Exercise 2-4 Use the Web Interface to Manage a CUPS Server . . . . . . . . . . . . . . . . . . . . . . . . 119
Summary 120
SECTION 3 Configure and Use OpenLDAP 121
Objective 1 Describe How LDAP Works 122
How Directory Services Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
What is LDAP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
How the LDAP Directory Tree Is Structured . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Objective 2 Install and Configure OpenLDAP on SLES 11 136
Install and Configure the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Install and Configure the LDAP Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Objective 3 Add, Modify, and Delete Entries to the LDAP Directory Tree 155
Managing LDAP Users and Groups from the Shell Prompt . . . . . . . . . . . . . . . . . 155
Managing LDAP Users and Groups in YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Exercise 3-1 Configure OpenLDAP on SLE 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Summary 170
SECTION 4 Configure and Use Samba 173
Objective 1 Describe the Role and Function of Samba 174
SMB Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
NetBIOS Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
How SMB Communications Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
How Samba Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Objective 2 Configure a Simple File Server with Samba 178
Installing Samba on the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Using the Samba Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Configuring Samba in YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Exercise 4-1 Create a Basic Samba Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Objective 3 Configure Samba Authentication 192
Configuring the Samba User Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configuring Samba to Require User Authentication . . . . . . . . . . . . . . . . . . . . . . 198
Exercise 4-2 Configure Samba to Use LDAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . 201
Objective 4 Use Samba's Client Tools 202
Using nmblookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Using smbclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Mounting Samba Shares in the Linux File System. . . . . . . . . . . . . . . . . . . . . . . . 204
Exercise 4-3 Work with Samba Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Objective 5 Use Samba as a Domain Controller 207
How Domains Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring Samba as a Domain Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Creating Machine Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Mapping Local Linux Groups to Windows Groups . . . . . . . . . . . . . . . . . . . . . . . 216
Exercise 4-4 Configuring Samba as a Domain Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Objective 6 Integrate Samba into a Windows Domain 219
Summary 221
SECTION 5 Configure a Web Server 223
Objective 1 Set up a Basic Web Server with Apache 224
How a Web Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Installing Apache Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Using the Apache Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
The Default Apache Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Objective 2 Configure Virtual Hosts 233
Understand Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Configure a Virtual Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Exercise 5-1 Configure a Virtual Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Objective 3 Limit Access to the Web Server 237
Limiting Access By Network Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Requiring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Exercise 5-2 Configure User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Objective 4 Configure Apache with OpenSSL 241
How SSL Encryption Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Creating a Test Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Configuring Apache to Use SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Exercise 5-3 Configure SSL for a Virtual Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Objective 5 Install PHP 248
How PHP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Installing PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Testing the PHP Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Exercise 5-4 Install PHP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Summary 252
SECTION 6 Configure and Use IPv6 255
Objective 1 Understand IPv6 Theory 256
IPv6 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
IPv6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Objective 2 Configure IPv6 on SLE 11 261
IPv6 Autoconfiguration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Setting an IPv6 Address Using YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Managing IPv6 Addresses Using the Command Line Tools . . . . . . . . . . . . . . . . 265
Connecting to Other IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Exercise 6-1 Configure IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Summary 272
SECTION 7 Perform a Health Check and Performance Tuning 273
Objective 1 Find Performance Bottlenecks 274
Analyze Processes and Processor Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Analyze Memory Utilization and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Analyze Storage Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Analyze Network Utilization and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Objective 2 Reduce System and Memory Load 286
Analyze CPU-Intensive Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Run Only Required Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Keep Your Software Up to Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Optimize Swap Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Change Hardware Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Exercise 7-1 Reduce Resource Utilization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Objective 3 Optimize the Storage System 291
Configure IDE Drives with hdparm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Tune Kernel Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Tune File System Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Objective 4 Tune the Network Performance 296
Change Kernel Network Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Change Your Network Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Summary 299
SECTION 8 Create Shell Scripts 301
Objective 1 Bash Basics 302
Bash Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Bash Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Objective 2 Use Basic Script Elements 307
Elements of a Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
A Simple Backup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Exercise 8-1 Create a Simple Shell Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Objective 3 Understand Variables and Command Substitution 312
Exercise 8-2 Use Variables and Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Objective 4 Use Control Structures 316
Create Branches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Exercise 8-3 Use an if Control Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Create Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Exercise 8-4 Use a while Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Objective 5 Use Arithmetic Operators 325
Exercise 8-5 Use Arithmetic Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Objective 6 Read User Input 328
Exercise 8-6 Read User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Objective 7 Use Arrays 331
Exercise 8-7 Use Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Objective 8 Finalize the Course Project 334
Exercise 8-8 Use rsync to Keep Versions of Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Objective 9 Use Advanced Scripting Techniques 337
Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Exercise 8-9 Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Objective 10 Learn about Useful Commands in Shell Scripts 341
Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Use the grep and egrep Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Use the sed Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Use the test Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Summary 349
SECTION 9 Deploy SUSE Linux Enterprise 11 353
Objective 1 Introduction to AutoYaST 354
Autoinstallation Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Installation Options and Deployment Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . 355
Objective 2 Installation Server: Setup and Use 358
Set Up an Installation Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Use the Installation Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Exercise 9-1 Set Up an Installation Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Objective 3 Set Up PXE Boot for Installations 371
Install and Configure tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configure pxelinux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Install and Configure the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Exercise 9-2 Set Up PXE Boot for Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Objective 4 Create a Configuration File for AutoYaST 381
Exercise 9-3 Create an AutoYaST Control File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Objective 5 Perform an Automated Installation 385
Provide the Control File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Boot and Install the System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Exercise 9-4 Perform an Automated Installation of SUSE Linux Enterprise Server 11 . . . . . . 389
Exercise 9-5 Activate PXE Booting and Install SUSE Linux Enterprise Server (Conditional,
depending on hardware support) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Summary 391
SECTION 10 Manage Virtualization with Xen 393
Objective 1 Understand How Virtualization with Xen Works 394
Understand Virtualization Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Understand the Xen Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Objective 2 Install Xen 398
Install a Xen Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Install a Xen Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Exercise 10-1 Install a Xen Server and an Unprivileged Domain . . . . . . . . . . . . . . . . . . . . . . . . 408
Objective 3 Manage Xen Domains with Virt-Manager 409
Exercise 10-2 Change Memory Allocation of a Guest Domain. . . . . . . . . . . . . . . . . . . . . . . . . . 414
Objective 4 Manage Xen Domains from the Command Line 415
Understand Managed and Unmanaged Domains . . . . . . . . . . . . . . . . . . . . . . . . . 415
Understand a Domain Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Use the xm Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Use the virsh Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Automate Domain Startup and Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Exercise 10-3 Automate Domain Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Objective 5 Understand Xen Networking 422
Understand Bridging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Understand the Xen Networking Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Exercise 10-4 Check the Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Summary 427
SECTION 11 Prepare for the Novell CLP 11 Practicum 429
Objective 1 Install a Xen Environment 430
Objective 2 Configure a Web Server 431
Objective 3 Configure a Samba File Server 432
Objective 4 Automate System Tasks 433
Introduction
In the SUSE Linux Enterprise Server 11 Server Administration (3103) course, you
learn the SUSE Linux Enterprise Server 11 administration skills necessary to
complete your basic SUSE Linux Enterprise Server 11 skill set.
These skills, along with those taught in the SUSE Linux Enterprise 11 Fundamentals
(3101) and SUSE Linux Enterprise 11 Administration (3102) courses, prepare you to
take the Novell Certified Linux Professional 11 (Novell CLP11) certification
practicum test.
Your student kit includes the following:
SUSE Linux Enterprise Server 11 Administration manual
SUSE Linux Enterprise Server 11 Administration workbook
SUSE Linux Enterprise Server 11 Administration course DVD
SUSE Linux Enterprise Server 11 product DVD
SUSE Linux Enterprise Desktop 11 product DVD
The SUSE Linux Enterprise Server 11 Administration course DVD contains a pre-
installed VMware image of SUSE Linux Enterprise Server 11 that you can use with
the SUSE Linux Enterprise Server 11 Administration Workbook to practice the skills
you need to take the Novell CLP 11 practicum.
NOTE: Instructions for setting up a self-study environment are in the Setup directory on the Course
DVD.
Course Objectives
This course teaches you how to perform the following SUSE Linux Enterprise Server
11 administrative tasks:
Configure Fundamental Network Services
Manage Printing
Configure and Use OpenLDAP
Configure and Use Samba
Configure a Web Server
Configure and Use IPv6
Perform a Health Check and Performance Tuning
Create Shell Scripts
Deploy SUSE Linux Enterprise 11
Manage Virtualization with XEN
These are tasks common to an experienced SUSE Linux administrator in an
enterprise environment.
The final day of class is reserved for a LiveFire exercise that provides a set of
scenarios to test your SUSE Linux Enterprise Server 11 administration skills and
prepare you to take the Novell CLP 11 Practicum.
Audience
This course is designed for those who already have experience with Linux, including
general system configuration and command line work, and seek advanced
administration skills on SUSE Linux Enterprise Server 11. It is also designed for
those who have completed the previous two courses in the Novell CLP11 curriculum
and those preparing to take the Novell CLP11 Practicum exam.
Certification and Prerequisites
This course helps you prepare for the Novell Certified Linux Professional 11 (Novell
CLP11) Practical Test, called a practicum. The Novell CLP 11 is an entry-level
certification for people interested in becoming SUSE Linux Enterprise
administrators.
As with all Novell certifications, course work is recommended. To achieve the
certification, you are required to pass the Novell CLP 11 Practicum (050-721).
The Novell CLP 11 Practicum is a hands-on, scenario-based exam where you apply
the knowledge you have learned to solve real-life problems, demonstrating that you
know what to do and how to do it.
The practicum tests you on objectives in this course (SUSE Linux Enterprise Server
11 Administration - Course 3103) and the skills outlined in the following Novell CLP
11 courses:
SUSE Linux Enterprise 11 Fundamentals - Course 3101
SUSE Linux Enterprise 11 Administration - Course 3102
The following illustrates the training/testing path for Novell CLP 11:
Figure Intro-1 Certification Path
This course is designed for those who have intermediate-level knowledge of Linux.
They should be able to do the following:
Understand what Linux is and know about the Open Source concept
Perform a basic installation of SUSE Linux Enterprise Server 11 / SUSE Linux
Enterprise Desktop 11
Perform partitioning and file system setup and maintenance
Perform system configuration including network setup and user management
Manage software packages
Work on the command line including file management and text editing
This knowledge can be gained through the SUSE Linux Enterprise 11 Fundamentals
(Course 3101) and SUSE Linux Enterprise 11 Administration (Course 3102).
NOTE: For more information about Novell certification programs and taking the Novell CLP 11
Practicum, see (http://www.novell.com/training/certinfo/).
SUSE Linux Enterprise Server 11 Support and Maintenance
The copy of SUSE Linux Enterprise Server 11 you receive in your student kit is a
fully functioning copy of the SUSE Linux Enterprise Server 11 product.
However, to receive official support and maintenance updates, you need to do one of
the following:
Register for a free registration/serial code that provides you with 60 days of
support and maintenance.
Purchase a copy of SUSE Linux Enterprise Server 11 from Novell (or an
authorized dealer).
You can obtain your free 60 day support and maintenance code at
(http://www.novell.com/products/server/eval.html).
NOTE: You will need to have a Novell login account to access the 60 day evaluation.
Novell Customer Center
Novell Customer Center is an intuitive, Web-based interface that helps you to manage
your business and technical interactions with Novell. Novell Customer Center
consolidates access to information, tools, and services such as the following:
Automated registration for new SUSE Linux Enterprise products
Patches and updates for all shipping Linux products from Novell
Order history for all Novell products, subscriptions, and services
Entitlement visibility for new SUSE Linux Enterprise products
Linux subscription renewal status
Subscription renewals via partners or Novell
For example, a company might have an administrator who needs to download SUSE
Linux Enterprise software updates, a purchaser who wants to review the order
history, and an IT manager who has to reconcile licensing. With Novell Customer
Center, the company can meet all these needs in one location and can give users
access rights appropriate to their roles.
You can access the Novell Customer Center at (http://www.novell.com/customercenter).
SUSE Linux Enterprise Server 11 Online Resources
Novell provides a variety of online resources to help you configure and implement
SUSE Linux Enterprise Server 11:
(http://www.novell.com/products/server/)
This is the Novell home page for SUSE Linux Enterprise Server 11.
(http://www.novell.com/documentation/sles11/)
This is the Novell Documentation Web site for SUSE Linux Enterprise Server 11.
(http://support.novell.com/linux/)
This is the home page for all Novell Linux support and it includes links to
support options such as Knowledgebase, downloads, and FAQs.
(http://www.novell.com/coolsolutions/)
This Web site provides the latest implementation guidelines and suggestions
from Novell on a variety of products, including SUSE Linux Enterprise.
Agenda
The following is the agenda for this five-day course:
Table Intro-1 Agenda

Day     Section                                                   Duration
Day 1   Introduction                                              00:30
        Section 1: Configure Fundamental Network Services         04:30
        Section 2: Manage Printing                                01:00
Day 2   Section 2: Manage Printing                                02:00
        Section 3: Configure and Use OpenLDAP                     03:00
        Section 4: Configure and Use Samba                        01:30
Day 3   Section 4: Configure and Use Samba (cont'd)               01:30
        Section 5: Configure a Web Server                         03:30
        Section 6: Configure and Use IPv6                         01:30
Day 4   Section 7: Perform a Health Check and Performance Tuning  01:30
        Section 8: Create Shell Scripts                           05:00
Day 5   Section 9: Deploy SUSE Linux Enterprise                   03:00
        Section 10: Manage Virtualization with XEN                02:00
        Section 11: Prepare for the Novell CLP Practicum          01:30

Scenario
The exercises in this course center around the fictional Digital Airlines Company that
has offices at various airports around the globe.
The Digital Airlines management has made the decision to migrate several back-end
services to Linux servers running SUSE Linux Enterprise Server 11.
You have already installed SUSE Linux Enterprise Server 11 before and are familiar
with administering SUSE Linux Enterprise Server 11 from YaST and from the
command line.
The migration plan includes the following:
Providing basic networking services as well as file and print services
Introducing IPv6
Automating tasks using shell scripts
Installing of desktops and servers using AutoYaST
Virtualizing with Xen
Your task is to set up a test server in the lab to enhance your skills in these areas.
Exercise Conventions
When working through an exercise, you will see conventions that indicate
information you need to enter that is specific to your server.
The following describes the most common conventions:
italicized text: This refers to your unique situation, such as the hostname of
your server.
For example, supposing the hostname of your server is da50 and you see the
following
hostname.digitalairlines.com
You would enter
da50.digitalairlines.com
172.17.8.xx: This is the IP address that is assigned to your SUSE Linux
Enterprise Server 11.
For example, supposing your IP address is 172.17.8.50 and you see the following
172.17.8.xx
You would enter
172.17.8.50
Select: The word select is used in exercise steps with reference to menus where
you can choose between different entries, such as drop-down menus.
Enter and Type: The words enter and type have distinct meanings.
The word enter means to type text in a field or at a command line and press the
Enter key when necessary. The word type means to type text without pressing the
Enter key.
If you are directed to type a value, make sure you do not press the Enter key or
you might activate a process that you are not ready to start.
SECTION 1 Enable Fundamental Network Services
In this section, you learn the basics of enabling some of the more commonly used
network services available in SUSE Linux Enterprise Server 11.
Objectives
1. Configure NFS (Network File System) on page 18
2. Configure Time on SUSE Linux Enterprise Server 11 on page 36
3. Enable the Extended Internet Daemon (xinetd) on page 53
4. Enable an FTP Server on page 63
Objective 1 Configure NFS (Network File System)
Network File System (NFS) lets you configure an NFS file server that gives users
transparent access to data and programs files on the server.
To administer NFS successfully, you need to know the following:
NFS Background on page 18
NFS Server Configuration on page 21
NFS Client Configuration on page 27
Automounter Configuration on page 32
NFS System Monitoring on page 34
NFS Background
In Linux and Unix environments, NFS is a very reliable way to provide users with
file access over the network. As a background to NFS, you need to understand the
following:
Network File System Basics on page 18
How NFS Works on page 19
NFSv4 Features on page 20
NFS Configuration Overview on page 21
Network File System Basics
NFS is designed for sharing files and directories over a network, and it requires
configuration of an NFS server (where the files and directories are located) and NFS
clients (computers that access the files and directories remotely).
File systems are exported by an NFS server, and they appear and behave on a NFS
client as if they were located on a local machine.
For example, each user's home directory can be exported by an NFS server and
imported to a client, so the same home directories are accessible from every
workstation on the network.
Directories like /home/, /opt/, and /usr/ are good candidates for export via NFS.
However, others, including /bin/, /boot/, /dev/, /etc/, /lib/, /root/, /sbin/, /tmp/, and
/var/, should be available on the local disk only.
Using NFS for home directories makes sense only with a central user management
(for instance OpenLDAP).
The following is an example of mounting the directory /home/ (exported by the NFS
Server sun) on the computer earth:
Figure 1-1 NFS
A computer can be both an NFS server and an NFS client. It can supply file systems
over the network (export) and mount file systems from other hosts (import).
The NFS daemon is part of the kernel and only needs to be configured and then
activated. The start script is /etc/init.d/nfsserver. The kernel NFS daemon
includes file locking, which means that only one user at a time has write access to
files.
How NFS Works
NFS is an RPC (Remote Procedure Call) service. An essential component for RPC
services is rpcbind (previously called portmapper) that manages these services and
needs to be started first. The rpcbind utility is activated by default on SUSE Linux
Enterprise Server 11.
When an RPC service starts up, it binds to a port in the system (as any other network
service), but it also communicates this port and the service it offers (such as NFS) to
rpcbind.
Because every RPC program must be registered by rpcbind when it is started, RPC
programs must be restarted each time you restart rpcbind.
The following lists the services required on an NFS server:
Table 1-1 Services Required by an NFS Server

Service          Program (daemon)                                Start Script
rpcbind utility  /sbin/rpcbind                                   /etc/init.d/rpcbind
NFS server v3    /usr/sbin/rpc.nfsd                              /etc/init.d/nfsserver
                 /usr/sbin/rpc.mountd
                 /usr/sbin/rpc.statd
NFS server v4    Same as version 3 plus:                         /etc/init.d/nfsserver
                 NFSv4 ID <-> name mapping daemon,
                 /usr/sbin/rpc.idmapd
                 If encryption is used, /usr/sbin/rpc.svcgssd
                 (requires Kerberos)

In SUSE Linux Enterprise Server 11, the NFS lock manager is started automatically
by the kernel. The /sbin/rpc.lockd program starts the NFS lock manager on
kernels that do not start it automatically.
The manual pages for the respective programs contain additional information on their
functionality.
You can use the /etc/init.d/nfsserver command to start the NFS server.
The nfsserver script passes the list of exported directories to the kernel, and then
starts or stops the daemon rpc.mountd and, using rpc.nfsd, the nfsd kernel threads.
The mount daemon (/usr/sbin/rpc.mountd) accepts each mount request and
compares it with the entries in the configuration file /etc/exports. If access is
allowed, the data is delivered to the client.
Because rpc.nfsd can start several kernel threads, the start script interprets the
variable USE_KERNEL_NFSD_NUMBER in the file /etc/sysconfig/nfs. This
variable determines the number of threads to start. By default, four server threads are
started.
NFSv4 support is activated by setting the variable NFS4_SUPPORT to yes in
/etc/sysconfig/nfs.
NFSv4 Features
NFS version 4 comes with several improvements compared to version 3. These
include:
The mount and lock protocols are now part of the NFS protocol, simplifying
firewall rules for NFS. NFS uses TCP port 2049; UDP is no longer supported.
Using Kerberos, it is possible to allow access on a per-user basis, not only based
on IP addresses or DNS names as in version 3.
Encryption is part of the specification. While Secure-RPC allowed encryption
with version 3, it was hardly ever used.
Additional improvements concern the use of user@computername instead of
numeric IDs to identify users, ACLs, and changes in the way files are locked.
NFS Configuration Overview
The /etc/exports file on the NFS server contains all settings regarding which
directories are exported, how, and to which clients. Client-side configuration is
written to the /etc/fstab file. Both files will be covered in detail later.
Some configuration parameters for the NFS server (for instance, if version 4 and
encryption should be used) are specified in the /etc/sysconfig/nfs file.
Both the NFS server and the clients can be configured with YaST modules. You can
also modify the configuration files directly.
For the NFS server to start automatically when the computer is booted, the
corresponding symbolic links in the runlevel directories must be created. If you
configure the NFS server with YaST, this is done automatically; otherwise, you need
to create them with insserv nfsserver.
NFS Server Configuration
There are several ways you can configure an NFS server:
Configure an NFS Server with YaST on page 21
Configure an NFS Server Manually on page 24
Export a Directory Temporarily on page 26
Configure an NFS Server with YaST
To use YaST to configure the NFS server, start YaST and then select Network
Services > NFS Server. You can also start the NFS Server module directly by
entering yast2 nfs_server in a terminal window as root.
The following appears:
Figure 1-2 NFS Server Configuration
Select Start in the upper part of the dialog.
The middle part is active only if the firewall is activated. In this case, you can open
the ports necessary for NFS by selecting Open Port in Firewall.
If you want to use NFS version 4, select Enable NFSv4 in the lower part of the
dialog. In this case, you have to enter an NFSv4 domain name, such as your DNS
domain name. If you do not have special requirements, you can use the suggested
localdomain domain.
Checking Enable GSS Security is useful only within an existing Kerberos
infrastructure.
Continue by selecting Next. A Directories to Export dialog appears:
Figure 1-3 NFS Directories to Export
Add a directory to export by clicking Add Directory, typing in or browsing to a
directory, then clicking OK.
The following dialog appears:
Figure 1-4 NFS Export Options
Host Wild Card lets you configure the hosts that should have access to the directory.
You can define a single host, netgroups, wildcards, and IP networks. Under Options,
add options like rw or root_squash for that directory.
For details on the possible host settings, see Configure an NFS Server Manually on
page 24.
To add more hosts allowed to access a directory, select the directory and click Add
Host; to edit or delete an existing host entry for a directory, select the directory and
the host entry and click Edit or Delete.
When you finish, save the configuration by clicking Finish.
Configure an NFS Server Manually
You can configure the server from the command line by doing the following:
Check for service (daemon) availability: Make sure the nfs-kernel-server rpm
package is installed on your NFS server.
Configure the services to start at bootup: For services to be started by the
/etc/init.d/rpcbind and /etc/init.d/nfsserver scripts when the
system is booted, enter the following commands:
insserv rpcbind (activated by default)
insserv nfsserver
Define exported directories in /etc/exports: For each directory to export, one
line is needed to define which computers can access that directory with what
permissions. All subdirectories of this directory are automatically exported as
well.
The following is the general syntax of the /etc/exports file:
directory [host[(option1,option2,option3,...)]] ...
Do not put any spaces between the hostname, the parentheses enclosing the
options, and the option strings themselves.
A host can be one of the following:
A standalone computer with its name in short form (it must be possible to
resolve this with name resolution), with its Fully Qualified Domain Name
(FQDN) or its IP address.
A network, specified by an address with a netmask, or by the domain name
with a prefixed placeholder (such as *.digitalairlines.com).
Authorized computers are usually specified with their full names (including
domain name), but you can use wildcards like * or ?.
If you do not specify a host or use *, any computer can import the file system
with the given permissions.
Set permissions for exported directories in /etc/exports: You need to set
permission options for the file system to export in parentheses after the computer
name. The most commonly used options include the following:
Table 1-2 NFS Export Options

Option                Meaning

bind=/path/directory  This is an NFS Version 4 option. On the server, this
                      directory is mounted with the exported directory as mount
                      point using the bind mount option. On the client, the
                      content of the directory specified after bind= appears in
                      the exported directory within the pseudo-root directory
                      tree.

crossmnt              This is an NFS Version 4 option. If you use the
                      bind=/path/directory option, the option crossmnt needs to
                      be added to the line that contains the fsid=0 option.
                      Without it, NFSv4 does not cross file systems.

fsid=0                This is an NFS Version 4 option. In version 4, the client is
                      presented with one seamless directory tree. The option
                      fsid=0 (or fsid=root, which is equivalent) indicates
                      that this exported directory is the pseudo-root of that
                      directory tree.

no_root_squash        Does not assign user ID 65534 to user ID 0, keeping the
                      root permissions valid.

no_subtree_check      (Default since version 1.1.0 of nfs-utils) No subtree_check
                      is performed.
                      If you specify neither subtree_check nor
                      no_subtree_check, a message informs you when
                      starting the NFS server that no_subtree_check is used.

ro                    File system is exported with read-only permission (default).

root_squash           (Default) This ensures that the root user of the client
                      machine does not have root permissions on this file
                      system. This is achieved by assigning user ID 65534 to
                      users with user ID 0 (root). This user ID should be set to
                      nobody (which is the default).

rw                    File system is exported with read-write permission. The
                      local file permissions are not overridden.

subtree_check         If a subdirectory of a file system is exported, but the whole
                      file system is not, then whenever an NFS request arrives,
                      the server must check not only that the accessed file is in
                      the appropriate file system but also that it is in the exported
                      tree. This check is called subtree check.

sync                  Reply to requests only after the changes have been
                      committed to stable storage (this is the default, but if
                      neither sync nor async is specified, a warning appears
                      when starting the NFS server).
The following is an example of an edited /etc/exports file for NFS version 3 that
includes permissions:
#
# /etc/exports
#
/home da10(rw,sync,no_subtree_check) \
da20(rw,sync,no_subtree_check)
/srv/ftp *(ro,sync,no_subtree_check)
Whenever you want to specify different permissions for a subdirectory (such as
/home/geeko/pictures/) of an already exported directory (such as /home/geeko/),
the additional directory needs its own separate entry in /etc/exports.
The following is an example of an edited /etc/exports file for NFS version
4 that includes permissions:
#
# /etc/exports
#
/export *(fsid=0,crossmnt,rw,sync,no_subtree_check)
/export/data *(ro,sync,no_subtree_check,bind=/data)
The /export and /data directories are separate on the server, whereas on the
client, the content of both directories appears within one directory structure. If,
for example, the client mounts the pseudo-root directory on /imports, the
content of /data from the server appears in /imports/data on the client.
Reload the configuration: The /etc/exports is read by mountd and nfsd. If
you change anything in this file, you need to reload the configuration for your
changes to take effect. You can do this by entering rcnfsserver reload
(rcnfsserver restart works as well).
Export a Directory Temporarily
You can export a directory temporarily (without editing the file /etc/exports) by
using the exportfs command:
For example, to read-only export the /software directory to all hosts in the
network 192.168.0.0/24, you would enter the following command:
exportfs -o ro,root_squash,sync 192.168.0.0/24:/software
To restore the original state, all you need to do is enter the command exportfs -r.
The /etc/exports file is reloaded and any directories not listed in the
/etc/exports file are no longer exported.
After adding directories to export in the /etc/exports file, exportfs -a
exports the additional directories.
The directories that are currently exported are listed in the /var/lib/nfs/etab
file. The content of this file is updated when you use the command exportfs.
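As an added example (not part of the Novell manual), the following POSIX shell function audits an /etc/exports file written in the syntax described above and reports the entries that hand out more access than intended: a directory with no host, options separated from the host by a space (the mistake warned about above, which hands those options to every client), rw for wildcard hosts, and no_root_squash. The sample exports file is constructed here, and the function names audit_exports and write_sample_exports are assumptions, not tools from SUSE Linux Enterprise Server 11.

```shell
#!/bin/sh
# Added example, not from the Novell manual: audit /etc/exports for
# entries that grant more than intended. Understands '#' comments and
# backslash line continuation as used in the manual's examples.
# Exit status is 1 when at least one entry was flagged, 0 otherwise.

# audit_exports FILE  ->  prints "<directory> <host> <reason>" per finding
audit_exports() {
    awk '
    function flag(dir, host, why) { print dir " " host " " why; found = 1 }

    function check(line,    n, f, i, dir, spec, host, opts, p, wild) {
        sub(/#.*/, "", line)                      # strip comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)         # trim whitespace
        if (line == "") return
        n = split(line, f, /[ \t]+/)
        dir = f[1]
        if (n == 1) {
            flag(dir, "*", "no host given: any client may import it")
            return
        }
        for (i = 2; i <= n; i++) {
            spec = f[i]
            p = index(spec, "(")
            if (p) {
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1); sub(/\)$/, "", opts)
            } else { host = spec; opts = "" }
            if (host == "") {
                # "da30 (rw)": da30 gets defaults, the options go to host "*"
                host = "*"
                flag(dir, host, "options not attached to a host, they apply to every client")
            }
            wild = (host == "*" || host ~ /[*?]/)
            if (wild && opts ~ /(^|,)rw(,|$)/)
                flag(dir, host, "rw for wildcard host")
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                flag(dir, host, "no_root_squash: client root keeps uid 0 here")
            if (opts !~ /(^|,)(sync|async)(,|$)/)
                flag(dir, host, "neither sync nor async given, nfsserver will warn")
        }
    }

    # join lines that end in a backslash before checking them
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
    { check(buf $0); buf = "" }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample modelled on the manual's two examples, plus three
# risky lines (space before the options, no_root_squash, no host at all).
write_sample_exports() {
    cat > "$1" <<'EOF'
#
# /etc/exports (constructed sample)
#
/home da10(rw,sync,no_subtree_check) \
      da20(rw,sync,no_subtree_check)
/srv/ftp *(ro,sync,no_subtree_check)
/export *(fsid=0,crossmnt,rw,sync,no_subtree_check)
/data   da30 (rw,no_root_squash)
/backup
EOF
}

# Stand-alone run: audit the file named on the command line, or the sample
if [ -n "${1:-}" ]; then
    audit_exports "$1"
else
    sample=$(mktemp) && write_sample_exports "$sample"
    audit_exports "$sample" || true
    rm -f "$sample"
fi
```

The NFSv4 pseudo-root line (/export with fsid=0) is flagged too: it is a read-write export to every host, exactly as the manual's example writes it, so decide deliberately whether that is what you want.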
NFS Client Configuration
There are two ways you can configure NFS clients:
Configure NFS Client Access with YaST on page 27
Configure NFS Client Access from the Command Line on page 29
Configure NFS Client Access with YaST
NFS directories exported on a server can be mounted into the file system tree of a
client. The easiest way to do this is to use the YaST NFS Client module.
To use YaST to configure the NFS client, start the YaST Control Center and then
select Network Services > NFS Client. You can also start the NFS Client module
directly by entering yast2 nfs in a terminal window as root.
The NFS Client Configuration dialog appears:
Figure 1-5 NFS Client Configuration, NFS Shares
Add a directory to the list by clicking Add. The following appears:
Figure 1-6 NFS Client Configuration, Add Directory
From this dialog, you can configure how the directory exported on the server is
mounted in your file system tree. Configure the directory by doing the following:
1. Enter the NFS server's hostname, or find and select the NFS server from a list of
NFS servers on your network by selecting Choose.
2. In the Remote Directory field, type the directory exported on the NFS server
you want to mount, or find and select the available directory by selecting Select.
For directories exported using NFSv4, you have to specify the directory relative to
the NFSv4 pseudo-root directory, not the actual path on the server as with NFSv3.
Provided the server exported the pseudo-root directory with the option crossmnt,
subdirectories exported on the server are accessible within the exported tree; they do
not need to be mounted separately.
3. In the Mount Point (local) field, type the mount point in your local file tree to
mount the exported directory, or browse to and select the mount point by
selecting Browse.
4. Select NFSv4 Share if applicable.
5. In the Options field, type any options you would normally use with the mount
command.
For a list of general mount options, in a terminal window enter man 8 mount;
for a list of nfs-specific mount options, enter man 5 nfs.
6. When you finish configuring the directory, select OK.
You are returned to the NFS client configuration dialog.
The NFS Client Configuration dialog also offers an NFS Settings tab:
Figure 1-7 NFS Client Configuration, NFS Settings
Here you can set the NFSv4 Domain Name and open the ports needed for NFS in the
firewall.
Save the NFS client settings by clicking OK. The settings are saved and the exported
directories are mounted in your local file system tree.
Configure NFS Client Access from the Command Line
To configure and mount NFS directories, you need to know how to do the following:
Import Directories Manually from an NFS Server on page 29
Mount NFS Directories Automatically on page 31
Import Directories Manually from an NFS Server
You can import a directory manually from an NFS server by using the mount
command. The only prerequisite is a running rpcbind (portmapper), which you can
start by entering (as root) rcrpcbind start.
The mount command automatically tries to recognize the file system (such as ext2,
ext3, or ReiserFS). However, you can also use the mount option -t to indicate the
file system type. For NFS version 3 and earlier, the file system type is nfs; for NFS
version 4, it is nfs4.
In the following example, the file system type nfs is specified:
mount -t nfs -o options host:/directory /mountpoint
Instead of a device file, the name of the NFS server together with the directory to
import is used within the command.
The following are the most important mount options (-o) used with NFS:
soft (opposite: hard): If the attempt to access the NFS server extends beyond the
default number of tries (or the value set with the retrans= option), the mount
attempt will be aborted.
If the hard option (or neither soft nor hard) is specified, the client attempts to
mount the exported directory until it receives feedback from the server that the
attempt was successful.
If a system tries to mount an NFS file system at boot time, the hard option can
cause the boot process to hang because the process will stop at this point when it
attempts to mount the NFS directory.
For directories that are not essential for the system to function, you can use the
soft option. For directories that must be mounted (such as home directories), you
can use the hard option.
bg (default: fg): If you use the bg option, and the first attempt is unsuccessful,
all further mount attempts are run in the background.
This prevents the boot process from hanging when NFS exports are
automatically mounted, with attempts to mount the directories continuing in the
background.
rsize=n: Lets you set the number of bytes (n, positive integral multiple of 1024,
maximum 1,048,576) that NFS reads from the NFS server at one time.
If this value is not set, the client and server negotiate the highest possible value
that they both support.
The negotiated value is shown in /proc/mounts.
wsize=n: Lets you set the number of bytes (n, positive integral multiple of 1024,
maximum 1,048,576) that can be written to the NFS server.
If this value is not set, the client and server negotiate the highest possible value
that they both support.
The negotiated value is shown in /proc/mounts.
retry=n: Lets you set the number of minutes (n) an attempt can take to mount a
directory through NFS. The default value for foreground mounts is two minutes;
for background mounts it is 10000 minutes (approximately one week).
nosuid: Lets you disable any interpretation of the SUID and SGID bits on the
corresponding file system.
For security reasons, always use this option for any file system that might be
susceptible to tampering.
If you do not use this option, there is a possibility that a user can obtain root
access to the local file system by putting a SUID root executable on the imported
file system.
nodev: Lets you disable any interpretation of device files in the imported file
system. We recommend that you use this option for security reasons.
Without setting this option, someone could create a device such as /dev/sda on
the NFS export, then use it to obtain write permissions for the hard disk as soon
as the file can be accessed from the client side.
exec (opposite: noexec): Lets you permit or disallow the execution of binaries
on the mounted file system.
You can use the umount command to unmount a file system. However, you can do
this only if the file system is currently not being accessed.
NOTE: For additional information on nfs, mount options, and the /etc/fstab file, in a terminal
window enter man 5 nfs, man 8 mount, or man 5 fstab.
Mount NFS Directories Automatically
To mount directories automatically when booting (such as the home directories from
a file server), you need to make corresponding entries in the /etc/fstab file.
When the system is booted, the /etc/init.d/nfs start script loads the /etc/
fstab file, which indicates which file systems are mounted, where, and with which
options.
The following is an example of an entry for an NFS mount point in the /etc/
fstab file:
da1:/training/home /home nfs soft,noexec 0 0
In this entry, the first value indicates the hostname of the NFS server (da1) and the
directory it exports (/training/home/).
The second value indicates the mount point, which is the directory in the local file
system where the exported directory should be attached (/home/).
The third value indicates the file system type (nfs). The comma-separated values
following the file system type provide NFS-specific and general mounting options.
At the end of the line, there are two numbers (0 0). The first indicates whether to
back up the file system with the help of dump (1) or not (0). The second number
configures whether the file system check is disabled (0), done on this file system with
no parallel checks (1), or parallelized when multiple disks are available on the
computer (2).
In the example, the system does neither, as both options are set to 0.
After modifying an entry of a currently mounted file system in the /etc/fstab
file, you can have the system read the changes by entering mount -o remount /
mountpoint. To mount all file systems that are not currently mounted and do not
contain the option noauto, enter mount -a. (noauto is used with devices that are
not automatically mounted, like floppy disks.)
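As an added example (it is not part of the Novell manual), the following POSIX shell function audits the NFS entries of an fstab-style file for the nosuid and nodev options recommended above and prints a hardened replacement line for every nfs or nfs4 entry that lacks them. The entries in the demo function are constructed for illustration; on a real system run nfs_fstab_audit /etc/fstab and review the WARNING lines before applying them with mount -o remount.

```shell
#!/bin/sh
# Added example, not from the SLES 11 manual: audit NFS entries in an
# fstab-style file for the security-relevant mount options (nosuid, nodev).
# Usage on a real system:  nfs_fstab_audit /etc/fstab

# nfs_fstab_audit FILE
# Prints one line per nfs/nfs4 entry: "OK ..." when nosuid and nodev are
# both present, otherwise "WARNING ..." followed by a hardened fstab line
# that keeps the original options and appends the missing ones.
nfs_fstab_audit() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # comments, blank or short lines
        $3 == "nfs" || $3 == "nfs4" {
            n = split($4, opts, ",")
            have_nosuid = 0; have_nodev = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") have_nosuid = 1
                if (opts[i] == "nodev")  have_nodev = 1
            }
            missing = ""
            if (!have_nosuid) missing = missing "nosuid,"
            if (!have_nodev)  missing = missing "nodev,"
            if (missing == "") {
                printf "%-7s %s on %s (%s)\n", "OK", $1, $2, $4
            } else {
                sub(/,$/, "", missing)
                hardened = $4 "," missing      # e.g. soft,noexec -> soft,noexec,nosuid,nodev
                printf "%-7s %s on %s missing %s -> %s %s %s %s %s %s\n", "WARNING", $1, $2, missing, $1, $2, $3, hardened, $5, $6
            }
        }
    ' "$1"
}

# nfs_fstab_audit_demo: runs the audit over a constructed sample file
# (not a real /etc/fstab) so the output format can be seen offline.
nfs_fstab_audit_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not a real /etc/fstab
/dev/sda1            /             ext3  defaults          1 1
da1:/training/home   /home         nfs   soft,noexec       0 0
da1:/export/docs     /import/docs  nfs4  rw,nosuid,nodev   0 0
EOF
    nfs_fstab_audit "$tmp"
    rm -f "$tmp"
}

nfs_fstab_audit_demo
```

The audit deliberately does not demand noexec: the manual treats exec/noexec as a policy choice per export, whereas nosuid and nodev close the two root-escalation paths described above and belong on every imported file system.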
Automounter Configuration
When you use the method described in NFS Client Configuration on page 27 to
mount home directories, all home directories on the server are visible on the client
machines. This can make it quite hard for a user to find his own home directory. With
the automounter, only the directory needed by a user is mounted.
Another advantage of the automounter is that the server sees fewer active mounts,
because clients mount only the directories they actually need.
Unlike with a static configuration in the /etc/fstab file, with the automounter,
directories are mounted automatically when needed and unmounted automatically
when not in use for some time.
The kernel-based automounter is contained in the autofs package which is part of the
default installation.
In the past, the automounter was also used to mount and unmount CD-ROMs;
however, this functionality is now integrated into the KDE or Gnome desktop
environments. The automounter remains very useful to mount and unmount
directories that are exported by file servers.
The automounter configuration consists of the general /etc/auto.master file
and files that are referenced within /etc/auto.master, such as /etc/
auto.home.
To mount the home directories exported from another server, you need the following
entry in the /etc/auto.master file:
/home /etc/auto.home
The first column lists the mount point and the second column lists the file that
contains the configuration details for this mount point.
The /etc/auto.home file could look like the following (for NFSv4 fstype would
be nfs4):
geeko -fstype=nfs,rw da1.digitalairlines.com:/home/geeko
As soon as some process accesses the local /home/geeko directory (the entry in
the first column, geeko, is appended to the directory given in the first column in the
/etc/auto.master file, /home), the local /home/geeko directory is created
and the /home/geeko directory from the server (last column) is mounted. After
some time or when the automounter is stopped, the remote directory is unmounted
and the mount point (/home/geeko in the example above) is deleted.
With several users, you would need an entry for each user. This is cumbersome, but
might be your only choice if home directories reside on several servers.
As long as all users have their home directories on one server, the automounter allows
you to simplify the configuration with the use of wildcards, as shown in the
following:
* -fstype=nfs,rw da1.digitalairlines.com:/home/&
The * in the first column denotes any directory below /home. The & in the last
column is replaced by whatever directory is accessed.
When the automounter configuration is complete, you start the automounter with
rcautofs start. To stop the automounter, use rcautofs stop. The
chkconfig autofs on command ensures the automounter is started
automatically when the system boots.
The following commands highlight how the automounter works:
da10:~ # rcautofs start
Starting automount
da10:~ # ls /home/
da10:~ # mount
...
(no automounts)
da10:~ # ls /home/geeko
.bash_history Documents .gnome2 ...
da10:~ # mount
...
da1.digitalairlines.com:/home/geeko on /home/geeko type nfs
(rw,nosuid,nodev,sloppy,addr=10.0.0.254,nfsvers=3,proto=tcp,mountproto=udp)
When using NFS to import home directories, it is advisable to also use a network-based
user database, like NIS or LDAP. This ensures that a user has the same UID no
matter where he logs in within the network.
Instead of local map files, it is also possible to use NIS (Network Information
System) or LDAP to distribute the automounter information.
NFS System Monitoring
Some tools are available to help you monitor the NFS system.
Enter rpcinfo -p to display information about rpcbind (portmapper). The option -p
displays all the programs registered with the portmapper, similar to the following:
da10:~ # rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 42763 mountd
100005 1 tcp 49450 mountd
100005 2 udp 42763 mountd
100005 2 tcp 49450 mountd
100005 3 udp 42763 mountd
100005 3 tcp 49450 mountd
100024 1 udp 41731 status
100024 1 tcp 53770 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 46880 nlockmgr
100021 3 udp 46880 nlockmgr
100021 4 udp 46880 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 53206 nlockmgr
100021 3 tcp 53206 nlockmgr
100021 4 tcp 53206 nlockmgr
The NFS server daemon registers itself to the portmapper with the name nfs. The
NFS mount daemon uses the name mountd.
You can use the showmount command to display information about the exported
directories of an NFS server.
showmount -e da1 displays the directories exported on the machine da1. The
option -a shows which computers have mounted which directories.
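The rpcinfo listing is also the quickest way to see what an NFS server exposes to the network. As an added example (not part of the Novell manual), the shell function below condenses rpcinfo -p output into one line per service, protocol and port and marks which ports are fixed. Only portmapper (111) and nfs (2049) have fixed ports by default; mountd, status and nlockmgr are assigned dynamic ports at start-up, so a firewall rule written for today's numbers silently breaks after a reboot unless those services are pinned (on SLES this is done through the variables in /etc/sysconfig/nfs, for example MOUNTD_PORT; check the variable names present on your system). The demo feeds in a constructed copy of the listing above; on a real host use rpcinfo -p | rpc_exposed_ports.

```shell
#!/bin/sh
# Added example, not from the SLES 11 manual: turn `rpcinfo -p` output into
# a list of the (service, protocol, port) triples the host exposes and mark
# which of them sit on fixed ports. Everything marked "dynamic" changes on
# the next restart unless the service is pinned to a port.
# Usage on a real system:  rpcinfo -p | rpc_exposed_ports

# rpc_exposed_ports: reads rpcinfo -p output on stdin, prints
# "<service> <proto> <port> fixed|dynamic", one line per unique triple
rpc_exposed_ports() {
    awk '
        $1 == "program" { next }               # header line
        NF == 5 {
            key = $5 "/" $3 "/" $4             # one line per service/proto/port
            if (seen[key]++) next
            fixed = ($4 == 111 || $4 == 2049) ? "fixed" : "dynamic"
            printf "%-10s %-4s %5s %s\n", $5, $3, $4, fixed
        }
    '
}

# rpc_exposed_ports_demo: feeds a constructed sample (a copy of the
# rpcinfo -p listing shown in the text) into rpc_exposed_ports.
rpc_exposed_ports_demo() {
    rpc_exposed_ports <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  42763  mountd
    100005    1   tcp  49450  mountd
    100005    2   udp  42763  mountd
    100005    2   tcp  49450  mountd
    100005    3   udp  42763  mountd
    100005    3   tcp  49450  mountd
    100024    1   udp  41731  status
    100024    1   tcp  53770  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  46880  nlockmgr
    100021    3   udp  46880  nlockmgr
    100021    4   udp  46880  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  53206  nlockmgr
    100021    3   tcp  53206  nlockmgr
    100021    4   tcp  53206  nlockmgr
EOF
}

rpc_exposed_ports_demo
```

For the sample listing the function reports ten exposed triples, six of them on dynamic ports. Running it against a server before and after a reboot shows immediately whether a port-based firewall rule set is still valid.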
Exercise 1-1 Set Up and Manage Network File System (NFS)
In the first part of this exercise, you create a directory named /export/
documentation, copy documents from /usr/share/doc/manual/ into it,
and export it to others using NFS.
In the second part, you create a directory named /import/docs and use it as
mount point to import the /export/documentation directory from your own
server using NFS. Create an /etc/fstab entry to mount the directory
automatically at boot time.
You will find this exercise in the workbook.
(End of Exercise)
Objective 2 Configure Time on SUSE Linux Enterprise Server 11
Many network services, like directory services, as well as forensic investigations that
need to correlate log entries on different machines, rely on uniform time settings
across all computers within the network.
In order to implement uniform time settings on all computers in a network, all
computers must be able to access at least one time server so clocks will synchronize.
There are two ways of synchronizing the time on a SUSE Linux Enterprise Server:
netdate and NTP (Network Time Protocol). To configure and synchronize the time,
you need to understand the following:
Time Overview on page 36
Synchronize Time with hwclock or netdate on page 38
The Network Time Protocol (NTP) on page 40
Synchronize Time with NTP on page 43
Time Overview
In order to configure and synchronize time on a SUSE Linux Enterprise Server 11,
you need to understand the following fundamental concepts:
Hardware Clock and System Clock on page 36
GMT (UTC) and Local Time on page 37
Time Configuration Files on page 37
Hardware Clock and System Clock
There are two main clocks in a Linux system:
Hardware clock: Clock that runs independently of any control program running
in the CPU. It even runs when you turn off the server.
This clock is part of the ISA (Industry Standard Architecture) standard and is
commonly called the hardware clock. It is also called the time clock, the RTC
(Real Time Clock), the BIOS clock, or the CMOS (Complementary Metal-oxide
Semiconductor) clock.
The term hardware clock is used on Linux systems to indicate the time set by the
hwclock utility.
System time: Time kept by a clock inside the Linux kernel. It is driven by a
timer interrupt (another ISA standard).
System time is meaningful while Linux is running on the server. System time is
the number of seconds since 00:00:00 January 1, 1970 UTC (or the number of
seconds since 1969).
On a Linux server, it is the system time that is important. The hardware clock's basic
purpose is to keep time when Linux is not running.
The system time is synchronized to the hardware clock when Linux boots. After that,
Linux uses only the system time.
Once the system time is set on the Linux server, it is important that you do not use
commands such as date or netdate to adjust the system time without considering
the impact on applications and network connections.
For a Linux server connected to the Internet (or equipped with a precision oscillator
or radio clock), the best way to regulate the system clock is with ntpd.
For a standalone or intermittently connected machine, you can use adjtimex
instead to at least correct systematic drift (man adjtimex lists the options).
You can set the hardware clock (with a command such as hwclock) while the
system is running. The next time you start Linux, it will synchronize with the
adjusted time from the hardware clock.
The Linux kernel also maintains a concept of a local time zone for the system.
Some programs and parts of the Linux kernel (such as file systems) use the kernel
time zone value. An example is the vfat file system. If the kernel timezone value is
wrong, the vfat file system reports and sets the wrong time stamps on files.
However, programs that care about the time zone (perhaps because they want to
display a local time for you) almost always use a more traditional method of
determining the time zone such as using the /etc/localtime file and the files in
the /usr/share/zoneinfo/ directory.
GMT (UTC) and Local Time
On startup, Linux reads the time from the computers local hardware (CMOS) clock
and takes control of the time. The hardware clock can be set using one of the
following:
UTC (Coordinated Universal Time): In everyday use this is also referred to as GMT
(Greenwich Mean Time). For this setting, the variable HWCLOCK in the /etc/
sysconfig/clock file has the value -u.
Local time: If the hardware clock is set to the local time, the variable HWCLOCK
in the /etc/sysconfig/clock file has the value --localtime.
Choosing GMT as the hardware time makes it easier to coordinate a large number of
computers in different places (especially if the computers are located in different time
zones.)
Time Configuration Files
The current time (system time) is calculated with the help of the variable
TIMEZONE in the /etc/sysconfig/clock file, which also handles the
required changes between daylight saving time and standard time.
The following is an example of the settings in /etc/sysconfig/clock:
HWCLOCK="--localtime"
SYSTOHC="yes"
TIMEZONE="Europe/Berlin"
DEFAULT_TIMEZONE="US/Eastern"
By means of the variable TIMEZONE, the time configured on the local host (=
system time) is set in the /etc/localtime file, a copy of the respective timezone
file from /usr/share/zoneinfo/. The /usr/share/zoneinfo/ directory
is a database of all time zones. SYSTOHC=yes makes sure the current system
time is written to the hardware clock when the system shuts down.
NOTE: In SLES 9, there used to be a symbolic link /usr/lib/zoneinfo/localtime pointing to /etc/
localtime. This link does not exist anymore in SLES 10 and SLES 11, even though it might still be
mentioned in /etc/sysconfig/clock.
Synchronize Time with hwclock or netdate
To synchronize time between network servers with hwclock or netdate, you need to
know the following:
Use hwclock on page 38
Use netdate on page 39
Use hwclock
hwclock is a tool to access the hardware clock. You can display the current time, set
the hardware clock to a specified time, set the hardware clock to the system time, and
set the system time from the hardware clock.
You can also run hwclock periodically to insert or remove time from the hardware
clock to compensate for systematic drift (where the clock consistently gains or loses
time at a certain rate if left to run).
hwclock uses several methods to get and set hardware clock values. The normal way
is to initialize an I/O process to the device special file /dev/rtc (RTC: Real Time
Clock), which is maintained by the rtc device driver.
However, this method is not always available. The rtc driver is a relatively recent
addition to Linux and is not available on older systems.
On older systems, the method of accessing the hardware clock depends on the system
hardware.
NOTE: For additional details on how the system accesses the hardware clock and other hwclock
options, enter in a terminal window man hwclock.
Some of the more commonly used options with hwclock include the following:
Table 1-3 Options of the hwclock Command
Option                 Description
-a or --adjust         Adds or subtracts time from the hardware clock to account for
                       systematic drift (enter man hwclock for details).
-r or --show           Displays the current time of the hardware clock. The time is
                       always shown in local time, even if you keep your hardware
                       clock set to UTC.
-s or --hctosys        Sets the system time to the current hardware clock time. It also
                       sets the kernel's timezone value to the local time zone as
                       indicated by the TZ variable.
--set --date=newdate   Sets the hardware clock to the date given by the --date option.
                       The date must be quoted when it contains a space, for example:
                       hwclock --set --date="9/22/09 16:45:05"
-v or --version        Displays the version of hwclock.
-w or --systohc        Sets the hardware clock to the current system time.
You can also view the hardware clock time by entering cat /proc/driver/rtc.
Use netdate
To set up the system time once only, you can use the command netdate as follows:
netdate timeserver1 timeserver2 ...
where timeserver represents a time server on the network or the Internet that offers
the time service (RFC 868) on UDP port 37.
After querying the time servers, the netdate client compares their times with its own
time.
Time differences are then sorted into groups to determine which is the largest group
of servers with an identical time (within certain limits). The first computer in the
group is then used to update the time on the local server.
To synchronize the time to a specific external time source, you enter netdate
time_source, as in the following:
netdate ptbtime1.ptb.de
In this case, the client queries the time server at the Physikalisch-Technische
Bundesanstalt (PTB) in Braunschweig, Germany.
You then need to set the hardware clock to the system clock time by entering
hwclock --systohc or hwclock -w.
NOTE: A simple way to implement time synchronization with netdate and hwclock is to use a
script that is run regularly by cron.
The Network Time Protocol (NTP)
The disadvantage of using netdate is that it causes jumps of the system time into the
past or the future compared to the current system time. NTP provides a means to
avoid such jumps by slightly speeding or slowing system time, thus (within limits)
keeping the time continuum of the system time while adjusting it.
As the networking environment continues to expand to include mixed operating
system environments, time synchronization is becoming more dependent on NTP.
To configure NTP on SUSE Linux Enterprise Server 11, you need to understand the
following:
The Network Time Protocol on page 40
Stratum on page 40
NTP Daemon (ntpd) on page 41
NTP Terms on page 42
How the NTP Daemon Works on page 42
NOTE: For more information on NTP, visit www.ntp.org.
The Network Time Protocol
NTP is an industry standard protocol that uses UDP on port 123 to communicate
between time servers and time clients.
An NTP server uses the NTP protocol to provide time information to other servers or
to workstations on the network.
An NTP client is a computer that understands the Network Time Protocol and gets
time information from an NTP server. A time client can also, in turn, act as a time
server for other servers and client workstations on the network.
Any computers on your network with Internet access can get time from NTP servers
on the Internet. NTP synchronizes clocks to the UTC standard, the international time
standard.
NTP not only corrects the time, but it also keeps track of consistent time variations
and automatically adjusts for system time drift on the client. This reduces the network
traffic and it keeps the client clocks more stable, even when the network is down.
Stratum
NTP introduces the concept of a stratum. Stratum x is used as a designation of the
location of the servers in the NTP tree hierarchy.
Stratum 1 is the first (highest) level in the hierarchy. It denotes servers that adjust
their time by means of some external reference time source (such as GPS [Global
Positioning System], an atomic clock, or radio).
Servers that synchronize their time to stratum 1 servers are denoted as stratum 2, and
those that use stratum 2 servers to synchronize their time are denoted as stratum 3,
and so on. Stratum 15 is the lowest usable level; stratum 16 is reserved for a clock
that is not synchronized at all and is never used as a reference.
Differences between stratum 2 and stratum 1 servers are normally very small and, for
the majority of users, unnoticeable.
The following figure depicts the stratum hierarchy.
Figure 1-8 Stratum Hierarchy
Generally only one server in a network communicates with an external time provider.
This reduces network traffic across geographical locations and minimizes traffic
across routers and WANs.
NTP Daemon (ntpd)
The NTP distribution in the ntp package includes ntpd, the NTP daemon. This
daemon is used by both the time server and the time client to give and to obtain time,
respectively.
The ntpd process is designed to adjust time continuously, making the time
adjustments very small.
ntpd can also limit the drift of the system clock based on historical data, even when
an external time server is unavailable.
(Figure 1-8 shows an External Time Source feeding a Stratum 1 server, which in turn
serves Stratum 2, Stratum 3 and Stratum 4 servers.)
The ntpd process requires little resource overhead. This allows NTP to be easily
deployed on servers hosting other services, even if the servers are heavily loaded.
ntpd uses the following approaches to avoid sudden time changes:
Regularly corrects the local computer clock on the basis of collected correction
data.
Continuously corrects the local time with the help of time servers in the network.
Enables the management of local reference clocks, such as radio-controlled
clocks.
NTP Terms
To configure and adjust NTP, you need to understand the following terms:
Drift: During operation, ntpd measures and corrects the frequency error of the local
clock and writes the current value to a file under /var/lib/ntp/drift/.
If you stop and restart ntpd, the daemon initializes the frequency from this file.
This helps prevent a potentially long interval to relearn the frequency error.
Jitter: The estimated variability of the offset measurements for a peer (the
root-mean-square deviation of the recent offsets between the client and that server).
A large jitter value means the peer's measurements are noisy and it is a poor reference.
How the NTP Daemon Works
After starting the NTP Daemon, it automatically synchronizes the system time with a
time server on an ongoing basis. The correction takes place in small increments by
expanding or compressing the system time (not abruptly, as when netdate and
hwclock are used).
Transactions between the client and the server occur about once per minute,
increasing gradually to once per 17 minutes under normal conditions. Poorly
synchronized clients will tend to poll more often than well synchronized clients.
The client uses the information it gets from the server or servers to calibrate its clock.
This consists of the client determining how far its clock is off and adjusting its time to
match that of the server.
To allow clocks to quickly achieve high accuracy yet avoid overshooting the time
with large time adjustments, NTP uses a system where large adjustments occur
quickly and small adjustments occur over time.
For small time differences (less than 128 milliseconds), NTP uses a gradual
adjustment. This is called slewing. For larger time differences, the adjustment is
immediate. This is called stepping.
If the difference between system time and the reference server at the start of the NTP
daemon is larger than about 17 minutes, the NTP daemon is aborted. You can change
this behavior by starting ntpd with the option -g (the default on SLES11). This option
makes sure the system time is adjusted in one jump after the start of the daemon.
If the accuracy of a clock becomes too insufficient (off by more than about 17
minutes) while NTP is running, NTP aborts the NTP daemon, with the assumption
that something has gone wrong with either the client or the server. (This behaviour is
independent of the option -g used to start the NTP daemon.)
The NTP daemon does not start if the difference .
Because NTP averages the results of several time exchanges in order to reduce the
effects of variable latency, it might take several minutes for NTP to even reach
consensus on what the average latency is.
It often takes several adjustments (and several minutes) for NTP to reach
synchronization.
In the long run, NTP tries to decrease the amount of polling it does by making the
clock on each system become more accurate.
Because of the algorithm that the NTP daemon uses, it is best to synchronize with
multiple servers to help protect the client from an incorrect or downed server. In
many environments, it is unlikely that an NTP server failure will be noticed quickly.
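Whether a client is actually synchronized, which peer it follows, and whether an offset will be slewed or stepped can all be read from the output of ntpq -p. As an added example (not part of the Novell manual), the following shell function parses that output and reports, for each peer, its tally code, stratum, offset and jitter, together with how ntpd treats an offset of that size according to the thresholds above (slew below 128 ms, step above it, panic threshold at 1000 s, stratum 16 meaning unsynchronized). The sample in the demo function is constructed; on a real system run ntpq -p | ntp_peer_check.

```shell
#!/bin/sh
# Added example, not from the SLES 11 manual: read `ntpq -p` output and
# report, per peer, the tally code, stratum, offset (ms) and jitter (ms),
# plus how ntpd treats an offset of that size:
#   < 128 ms            slew (gradual)
#   >= 128 ms           step (immediate)
#   >= 1000 s           panic threshold: ntpd exits unless started with -g
#   stratum 16          peer is unsynchronized, never used as a reference
# Usage on a real system:  ntpq -p | ntp_peer_check

ntp_peer_check() {
    awk '
        NR <= 2 { next }                        # column header and separator
        NF < 10 { next }
        {
            line = $0
            tally = substr(line, 1, 1)          # "*" sys.peer, "+" candidate, "x" falseticker, " " discarded
            if (tally == " ") tally = "-"
            $0 = substr(line, 2)                # drop the tally column so fields line up
            remote = $1; stratum = $3; reach = $7; offset = $9; jitter = $10
            off = (offset < 0) ? -offset : offset
            if (stratum == 16)          state = "unsynchronized"
            else if (off >= 1000000)    state = "panic: exceeds 1000 s, ntpd exits unless started with -g"
            else if (off >= 128)        state = "step"
            else                        state = "slew"
            # reach is an octal shift register of the last 8 polls; 377 means all answered
            if (state == "slew" && reach != 377) state = "slew (reach " reach ", not all of the last 8 polls answered)"
            printf "%s %-16s st=%-2s offset=%sms jitter=%sms -> %s\n", tally, remote, stratum, offset, jitter, state
        }
    '
}

# ntp_peer_check_demo: feeds a constructed ntpq -p listing (not captured
# from a real host) into ntp_peer_check.
ntp_peer_check_demo() {
    ntp_peer_check <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ptbtime1.ptb.de .PTB.            1 u   45   64  377   25.123   -0.512   0.321
+ptbtime2.ptb.de .PTB.            1 u   12   64  377   26.004    0.840   0.455
 da1.digitalairl 10.0.0.1         3 u   60   64  177    0.412  210.335   5.102
 10.0.0.99       .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

ntp_peer_check_demo
```

In the sample, the two PTB stratum 1 peers are within slew range and one of them is the selected system peer (*); the local stratum 3 server is 210 ms off and would be stepped, and the last entry has never synchronized (stratum 16, reach 0), which is what a freshly configured or unreachable peer looks like.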
Synchronize Time with NTP
To synchronize network time with NTP, you need to know how to do the following:
Configure the NTP Server on page 43
Start and Stop the NTP Server on page 49
Monitor the NTP Server on page 50
Configure the NTP Server
As soon as you start ntpd on a host, it serves as an NTP server and can be queried via
NTP. You configure the NTP server either by using the YaST NTP Configuration
module, or by editing the NTP configuration files /etc/ntp.conf and /etc/sysconfig/ntp
and starting the NTP server from the command line.
Configure the NTP Server Using YaST on page 43
Configure the NTP Server Using the Command Line on page 47
Configure the NTP Server Using YaST
YaST provides an NTP Configuration module to configure the NTP daemon on your
SUSE Linux Enterprise Server 11. The server can, as client, synchronize with an
existing NTP server and act, in turn, as an NTP server to other clients.
To configure the NTP with YaST, start YaST and select Network Services > NTP
Configuration. From a terminal you can start the module directly as root by entering
yast2 ntp-client.
The Advanced NTP Configuration dialog appears.
Advanced NTP Configuration, General Settings
On the General Settings tab, you configure the NTP daemon to start each time you
boot your system by selecting Now and On Boot.
Once you select Now and On Boot, you can click the Add button. The New
Synchronization dialog appears:
Figure 1-9 NTP Configuration, New Synchronization
Here you select whether you want to synchronize to a time Server, a Peer (a
specialized relationship to another machine that can act as server or as client; see
/usr/share/doc/packages/ntp-doc/confopt.html), a Radio Clock,
or an Incoming Broadcast. Select Outgoing Broadcast if you want your server to
send broadcasts to its clients.
The dialogs that appear after selecting Next differ slightly, depending on the option
you choose. To configure the server, the following dialog appears:
Figure 1-10 NTP Configuration, NTP Server Settings
You can enter the Fully Qualified Domain Name or the IP address manually, or select
Select ... > Public NTP Server and choose from a list of public NTP servers. The
dialog allows you to select a time server close to your geographical location:
Figure 1-11 NTP Configuration, Select Public NTP Server
The information in parentheses tells you which clients the NTP server serves
according to its policy. You should choose a server that is near you and allows you to
use it.
Select your time server and click OK. The server will appear in the General Settings
overview.
The Security Settings tab offers additional configuration options:
Figure 1-12 Advanced NTP Configuration, Security Settings
You can choose to run ntpd in a change root (chroot) environment and open the NTP
port in the firewall if the firewall is active.
After clicking OK, the configuration is written to /etc/ntp.conf and
/etc/sysconfig/ntp, and the service is started.
Configure the NTP Server Using the Command Line
Instead of using YaST, you can edit the NTP configuration files directly. The
/etc/ntp.conf configuration file is used by the NTP daemon; variables defined in the
/etc/sysconfig/ntp file are used by the /etc/init.d/ntp start script.
When editing the /etc/ntp.conf file, you need to make sure that the following entries
exist for the local clock, which is used if the time server is not available:
server 127.127.1.0 # local clock (LCL)
fudge 127.127.1.0 stratum 10 # LCL is unsynchronized
The following server entries in /etc/ntp.conf concern the time servers that are used to
get the current time:
## Outside source of synchronized time
server timeserver1.example.com
server timeserver1.digitalairlines.com
There are two possible methods of synchronization between the time server and the
client:
Polling: With polling, the client asks the server for the current time.
Polling starts at one-minute intervals. If the time interval is determined to be
trustworthy, the interval is reset to once every 1024 seconds.
You can set the minimum and maximum limits of the polling in /etc/ntp.conf, as
in the following:
server timeserver1.example.com minpoll 4 maxpoll 12
The minpoll and maxpoll values are interpreted as powers of 2 (in seconds). The
default settings are 6 (2^6 = 64 seconds) and 10 (2^10 = 1024 seconds),
respectively. Values between 4 and 17 are permitted.
Broadcasting: By means of broadcasting, the server sends the current time to all
clients, and the clients receive the signal through the broadcastclient
option in their /etc/ntp.conf.
In large networks, traffic caused by polling can be significant. In this case, you
might want to configure the time server to distribute time information by sending
broadcast packets.
To do this, you need to enter the following in /etc/ntp.conf on the server (where
the IP address is the broadcast address used in the network):
broadcast 10.0.0.255
On the client:
disable auth
broadcastclient
For reasons of security, broadcast-based synchronization should be used together
with an authentication key so that the client accepts information only from
trustworthy time servers. See the documentation in authopt.html and
miscopt.html in the /usr/share/doc/packages/ntp-doc/ directory
(package ntp-doc).
You also need to include the name for the drift file and log file in /etc/ntp.conf, as in
the following:
driftfile /var/lib/ntp/drift/ntp.drift
logfile /var/log/ntp
The drift file contains information that describes how the hardware clock drifts.
When the daemon ntpd is started for the first time, this file does not exist. It takes
about 15 minutes for the daemon to gather enough information to create the file.
The /etc/sysconfig/ntp file contains variables that are used to configure the
way the daemon is started, as shown in the following:
## Path: Network/NTP
## Description: Network Time Protocol (NTP) server settings
## Type: string
## Default: "-g -u ntp:ntp"
#
# Additional arguments when starting ntpd. The most
# important ones would be
# -u user[:group] to make ntpd run as a user (group) other than root.
#
NTPD_OPTIONS="-g -u ntp:ntp"
## Type: yesno
## Default: yes
## ServiceRestart: ntp
#
# Shall the time server ntpd run in the chroot jail /var/lib/ntp?
#
# Each time you start ntpd with the init script, /etc/ntp.conf will be
# copied to /var/lib/ntp/etc/.
#
# The pid file will be in /var/lib/ntp/var/run/ntpd.pid.
#
NTPD_RUN_CHROOTED="yes"
If you want, for instance, to limit NTP communication to a certain interface, you
change the NTPD_OPTIONS variable:
NTPD_OPTIONS="-g -u ntp:ntp -I eth0"
Start and Stop the NTP Server
You can start the NTP daemon by entering rcntp start (or
/etc/init.d/ntp start). You can check the status of ntpd by entering rcntp status. To
stop the NTP daemon, use rcntp stop.
In SLES 10 and earlier, the start script called the ntpdate program to initially set
the system time before starting ntpd. In SLES 11, this is no longer the case, because
the NTP daemon is now able to deal with time differences greater than 1000 seconds,
provided it is started with the option -g. The use of ntpdate is deprecated in the
current version of NTP.
If the time difference between the NTP server and its time source is greater than 1000
seconds, the time is adjusted with one jump, as shown in the following excerpt from
the /var/log/ntp log file (note the change of the system time in the last line):
da10:~ # tail -f /var/log/ntp
...
22 Jan 16:44:12 ntpd[11507]: synchronized to LOCAL(0), stratum 10
22 Jan 16:44:12 ntpd[11507]: kernel time sync status change 0001
22 Jan 16:45:16 ntpd[11507]: synchronized to 192.168.1.15, stratum 3
23 Jan 14:54:11 ntpd[11507]: time reset +78898.715082 s
NOTE: If you want to set the time of a SLES 11 machine once with no NTP daemon running, use
the sntp program as replacement for ntpdate. Enter in a terminal window man sntp to learn
about its syntax.
To start NTP automatically when the system is booted, you need to create the
symbolic links in the respective runlevel directories by entering insserv ntp.
If any changes are made to the ntp.conf file, you need to restart ntpd using the
command rcntp restart.
After the /etc/ntp.conf file has been read by ntpd, the client sends a request to
the server (its time provider), and the server sends back a time stamped response,
along with information such as its accuracy and stratum. Other computers can now, in
turn, use it as their time server.
NOTE: For time requests of other kinds (such as time servers for netdate) to be processed, the
services must be made available by means of inetd or xinetd. For this reason, the prepared entries
for daytime and time must be enabled for UDP and TCP in the configuration file of inetd or xinetd.
Monitor the NTP Server
Different tools allow you to get information on the status of the NTP server. You need
to know how to do the following:
Trace the Time Source with ntptrace on page 50
Query the NTP Daemon Status on page 51
Trace the Time Source with ntptrace
The NTP distribution includes the ntptrace program. ntptrace is an informational
tool that traces the source of time that a time consumer is receiving. It can be a useful
debugging tool.
The following is an example of ntptrace output:
da10:~ # ntptrace
localhost: stratum 3, offset 0.000723, synch distance 1.18225
tick.east.ca: stratum 2, offset 1.601143, synch distance 0.06713
tock.usask.ca: stratum 1, offset 1.712003, synch distance 0.00723, refid TRUE
The ntptrace output lists, for each host in the chain, its name, its stratum, its time
offset from the local host, the synchronization distance, and the ID of the reference
clock attached to a server, if one exists.
The synchronization distance is a measure of clock accuracy, assuming that it has a
correct time source.
Query the NTP Daemon Status
To verify that the time server is working properly, you can enter ntpq -p. The
command queries the status of the ntpd daemon and returns information similar to the
following:
da10:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   15   64    1    0.000    0.000   0.008
*ptb1.ptb.de     .PTB.            1 u   14   64    1   27.165    2.348   0.001
 ntp2.ptb.de     .PTB.            1 u   13   64    1   26.159    0.726   0.001
Displayed information includes the following:
remote: Hostname or IP address of the time server.
refid: Type of reference source (0.0.0.0 = unknown).
st: Stratum value for the server.
when: Number of seconds since the last poll.
poll: Number of seconds between two polls.
reach: Indicates if the time server was reached in the last poll attempts. Reach
begins with the value 0 when you start ntpd.
For every successful attempt, a 1 is shifted into the 8-bit register from the right;
the register is displayed in octal, so the maximum value of 377 means that the
server was reachable in the last eight requests.
delay: Time between the ntpd request and the arrival of the answer (in
milliseconds).
offset: Difference between the reference time and the system time (in
milliseconds).
jitter: Size of the discrepancies between individual time comparisons (in
milliseconds).
An asterisk (*) in front of a server name means that this server is the current
reference server with which system time is compared. If this server cannot be
reached, then the server that is marked with a plus sign (+) is used.
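The following shell script is an added example, not code from the course manual: it parses the columns of ntpq -p output (the sample output embedded in the script is constructed) and decodes the reach register and the tally mark into a per-peer status that a monitoring check can act on.

```shell
#!/bin/sh
# Added example, not part of the course manual: read "ntpq -p" output and
# turn the reach register and the tally mark into a readable peer status.
# SAMPLE_NTPQ is constructed to match the columns shown in the manual.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   15   64    1    0.000    0.000   0.008
*ptb1.ptb.de     .PTB.            1 u   14   64  377   27.165    2.348   0.001
+ntp2.ptb.de     .PTB.            1 u   13   64  177   26.159    0.726   0.001
 timeserver1.example.com .INIT.   16 u    -   64    0    0.000    0.000   0.000'

# awk helper shared by the functions below: the reach value is an octal 8-bit
# shift register, one bit per poll (most recent poll in the lowest bit);
# count the 1 bits to get the number of successful polls.
AWK_REACH='function reach_ok(oct,   v, i, n, b) {
    v = 0
    for (i = 1; i <= length(oct); i++) v = v * 8 + substr(oct, i, 1)
    n = 0
    for (b = 0; b < 8; b++) { n += v % 2; v = int(v / 2) }
    return n
}
'

# reach_count OCTAL -> number of successful polls among the last eight
reach_count() {
    echo "$1" | awk "$AWK_REACH"'{ print reach_ok($1) }'
}

# ntp_peer_summary NTPQ_OUTPUT -> one line per peer: remote, role, polls OK.
# Column 1 of each data line is the tally code: "*" selected reference,
# "+" usable backup, anything else (blank, "-", "x", ...) not used.
ntp_peer_summary() {
    printf '%s\n' "$1" | awk "$AWK_REACH"'NR > 2 && NF > 0 {
        tally = substr($0, 1, 1)
        split(substr($0, 2), f, " ")
        role = (tally == "*") ? "selected" : (tally == "+") ? "backup" : "unused"
        printf "%s %s %d/8\n", f[1], role, reach_ok(f[7])
    }'
}

# ntp_selected_peer NTPQ_OUTPUT -> remote name marked with "*", or nothing
ntp_selected_peer() {
    printf '%s\n' "$1" | awk 'NR > 2 && substr($0, 1, 1) == "*" {
        split(substr($0, 2), f, " "); print f[1]; exit
    }'
}

# ntp_unreachable_peers NTPQ_OUTPUT -> peers that answered none of the last eight polls
ntp_unreachable_peers() {
    printf '%s\n' "$1" | awk "$AWK_REACH"'NR > 2 && NF > 0 {
        split(substr($0, 2), f, " ")
        if (reach_ok(f[7]) == 0) print f[1]
    }'
}

# Stand-alone run: on a live system replace the sample with "$(ntpq -p)".
ntp_peer_summary "$SAMPLE_NTPQ"
sel=$(ntp_selected_peer "$SAMPLE_NTPQ")
if [ -n "$sel" ]; then
    echo "reference peer: $sel"
else
    echo "WARNING: no peer selected"
fi
```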
Exercise 1-2 Configure ntpd
In this exercise, you configure your server to get time information from another
server.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Enable the Extended Internet Daemon (xinetd)
In this objective, you learn how to enable the extended internet daemon (xinetd) by
reviewing the following:
What xinetd Is on page 53
Configure xinetd with YaST on page 53
Manage xinetd Manually on page 55
What xinetd Is
Services can run either standalone, meaning they listen on a port themselves, or via
the super daemon xinetd. In this case, the super daemon acts as a mediator of
connection requests for a series of services. It accepts the connection requests, starts
the required service, and passes the request to the newly started server process.
If the connection between the client and the server is terminated, the server process
started by xinetd is removed from memory.
Starting services through xinetd has both advantages and disadvantages. The most
significant advantage is saving resources (especially memory), since a server process
is started only when it is needed. A disadvantage, however, is that a delay occurs
while the required service is loaded, started, and connected.
As a rule, you want to use xinetd only for services that are occasionally (not
permanently) needed on the server. Some of the services run traditionally by xinetd
include Telnet and FTP.
NOTE: For detailed information about xinetd, enter man 8 xinetd.
Configure xinetd with YaST
To configure the services mediated by xinetd, you can use the YaST Network
Services (xinetd) module. Start the YaST Control Center and then select Network
Services > Network Services (xinetd). Or open a terminal window, su - to root,
and then enter yast2 inetd.
NOTE: The YaST module to configure xinetd is called inetd. The reason for this is that in the past,
the default super daemon on SUSE Linux was inetd, not xinetd.
Enable the xinetd super daemon by selecting Enable. This activates the Currently
Available Services list. You can add, edit, or delete services in the list:
Figure 1-13 Network Service Configuration (xinetd)
NOTE: Managing the services available through xinetd (except for enabling services such as
Telnet or FTP) requires a skill set beyond the objectives of this course. This is especially true of
configuring services with Edit.
Notice that some services are off (---), while others are not installed (NI).
To configure a service, select the service and then select Toggle Status (On or Off).
If a service is not installed, it will be installed. The word On appears in the Status
column. An X appears in the Changed (Ch) column to indicate that the service has
been edited and will be changed in the system configuration.
You can change the status of all installed services to On or Off by selecting Status for
All Services > Activate All Services or Status for All Services > Deactivate All
Services.
When you finish configuring the services, save the configuration setting and start the
xinetd daemon by selecting Finish.
Manage xinetd Manually
To manage xinetd manually, you need to know how to do the following:
Start, Stop, and Restart xinetd on page 55
Configure xinetd on page 55
Configure Access Control on page 59
Configure Log Files on page 61
Start, Stop, and Restart xinetd
The default installation of SUSE Linux Enterprise Server 11 includes the xinetd
package. To have the daemon automatically activated at boot, enter insserv
xinetd.
xinetd is controlled by the /etc/init.d/xinetd script. /usr/sbin/
rcxinetd is a link to this script. You can start and stop the daemon by entering
rcxinetd start or rcxinetd stop. You can find out whether the daemon is
activated or not by entering rcxinetd status.
Additionally, xinetd can be influenced by signals sent with kill or killall. The
following table lists some of the signals that can be used with xinetd:
Table 1-4 Signals Used with xinetd
Signal   Number  Description
SIGHUP   1       xinetd re-reads the configuration file and stops listening on ports of
                 services that are no longer available and/or binds to ports now available
                 according to the new configuration.
SIGQUIT  3       Causes xinetd termination.
SIGUSR1  10      Causes an internal state dump (the default dump file is
                 /var/run/xinetd.dump).
SIGTERM  15      Terminates all running servers before terminating xinetd.
SIGIO    29      Causes an internal consistency check to verify that the data structures
                 used by the program have not been corrupted.
Configure xinetd
The configuration of xinetd is distributed across several files. /etc/xinetd.conf lists
general options, while files in /etc/xinetd.d/ contain the configuration of specific
services provided via xinetd. These files are included into the xinetd configuration by
an include statement at the end of /etc/xinetd.conf.
To configure xinetd, you need to know the following:
The File /etc/xinetd.conf on page 56
The Directory /etc/xinetd.d/ on page 57
Internal Services on page 58
chkconfig on page 59
The File /etc/xinetd.conf
In SUSE Linux Enterprise 11, the /etc/xinetd.conf file contains only general
options, no service configurations. The following is the syntax of /etc/xinetd.conf for
the default configuration parameters of xinetd:
defaults
{
key operator parameter parameter. . .
}
Operators include =, -=, and +=. Most attributes (keys) support only the operator =,
but you can include additional values to some attributes by entering += or remove
them by entering -=.
The defaults entry in the configuration file is optional and allows you to set defaults
such as the following:
defaults
{
log_type = FILE /var/log/xinetd.log
log_on_success = HOST EXIT DURATION
log_on_failure = HOST ATTEMPT
# only_from = localhost
instances = 30
cps = 50 10
}
includedir /etc/xinetd.d
The configurations for log_type and instances will be overwritten if something
else has been defined in the individual service entries. For all other attributes, the
default configurations are combined with the values set in the services.
The log_type statement can define whether (as in the example) the output is written
directly to a log file (/var/log/xinetd.log) or forwarded to the daemon syslog (such as
log_type = SYSLOG authpriv).
NOTE: If there are high security demands, you might want to consider leaving logging up to the
syslog daemon in order to prevent potential unwanted access to the xinetd log file.
The keys log_on_success and log_on_failure configure what should be
recorded in the log file, depending on whether the connection to a network service
succeeds or fails.
The key instances can be used to limit the maximum possible number of
daemons for each service, which protects the machine from either intentional or
accidental overload due to too many simultaneous connections (denial-of-service
attempts).
cps stands for connections per second. The first value (50) is the maximum number
of connections per second that can be handled. The second value (10) is the wait
period (in seconds) before accepting new connections after the maximum has been
exceeded (helpful in preventing denial-of-service attacks).
The directive includedir /etc/xinetd.d prompts xinetd to search all files in
the directory /etc/xinetd.d/ for the configuration of services. The same
attributes and the same syntax is used as in /etc/xinetd.conf.
The Directory /etc/xinetd.d/
In the /etc/xinetd.d/ directory, there is a separate configuration file for every service.
The main advantage of splitting the configuration in several files is improved
transparency.
The syntax for configuring network services in these files is similar to the one used
for the options in /etc/xinetd.conf above:
service service_name
{
key operator parameter parameter. . .
key operator parameter parameter. . .
}
The following is an example of the configuration of finger:
# default: off
# description: The finger server answers finger requests.
# Finger is a protocol that allows remote users to see
# information such as login name and login time for
# currently logged in users.
service finger
{
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/sbin/in.fingerd
server_args = -w
disable = yes
}
The significance of the keywords in the example is as follows:
Table 1-5 xinetd Configuration Parameters
Keyword      Description
disable      Disables the service if set to yes.
protocol     Specifies the protocol (usually tcp or udp) used by the corresponding
             network service. The protocol must be listed in the /etc/protocols file.
server       Specifies the absolute pathname of the daemon to start.
server_args  Specifies which parameters to pass to the daemon when it starts.
socket_type  Specifies the type of socket (stream, dgram, raw, or seqpacket).
user         Indicates which user ID the daemon will start under. The user name
             must be listed in the /etc/passwd file.
wait         Specifies whether xinetd must wait for the daemon to release the port
             before it can process further connection requests for the same port
             (yes: single-threaded) or not (no: multithreaded).
NOTE: For a description of all possible parameters, in a terminal window enter man
xinetd.conf.
Internal Services
Certain services (such as echo, time, daytime, chargen, and discard) are provided by
xinetd itself without calling another program. These are called internal services and
are labeled in the configuration as follows:
type = INTERNAL
Without this line, xinetd assumes that external services are involved. With services
such as echo, which are both TCP- and UDP-based services, you not only specify the
respective socket_type, but you also need to identify the service in the id field in
such a way that it is properly distinguished from other services.
The following two examples show this for echo.
Echo over TCP:
# /etc/xinetd.d/echo
# default: off
# description: An echo server. This is the tcp version.
service echo
{
type = INTERNAL
id = echo-stream
socket_type = stream
protocol = tcp
user = root
wait = no
disable = yes
FLAGS = IPv6 IPv4
}
Echo over UDP:
# /etc/xinetd.d/echo-udp
# default: off
# description: An echo server. This is the udp version.
service echo
{
type = INTERNAL UNLISTED
id = echo-dgram
socket_type = dgram
protocol = udp
user = root
wait = yes
disable = yes
port = 7
FLAGS = IPv6 IPv4
}
chkconfig
The chkconfig program can be used to list services covered by xinetd:
da10:~ # chkconfig -l
...
xinetd based services:
chargen: off
chargen-udp: off
daytime: on
daytime-udp: on
echo: off
...
It can also be used to turn services on and off:
da10:~ # chkconfig daytime
daytime xinetd
da10:~ # chkconfig daytime off
da10:~ #
da10:~ # chkconfig daytime
daytime off
Configure Access Control
The xinetd daemon recognizes four parameters used to control access:
only_from: Lets you define which hosts can use which service. You can specify
IP addresses (such as 192.168.1.1, 192.168.1.0, or 192.168.), network addresses
(IP address with network mask), network names, or hostnames. For IPv6
addresses, you have to specify the complete address or a network address with
netmask.
You can define this parameter in the defaults or service section.
no_access: Lets you define which hosts are excluded from access. The
specification follows the same rules as outlined in only_from.
You can define this parameter in the defaults or service section.
access_time: Lets you define when the service is available (in 24-hour format).
You can define this parameter in the defaults or service section.
disabled: Lets you completely shut off a server. This also applies to logging
access attempts.
The following is an example for the attribute disabled:
disabled = finger
With this setting, the service finger is switched off completely. If a computer tries
to access the service, the attempt is not even logged.
This parameter disabled can be used only in the defaults section. (Within a
service section, the corresponding parameter to use is disable. Note the
missing d at the end!)
The following is an example for the Telnet service:
# default: off
# description: Telnet is the old login server which is
# INSECURE and should therefore not be used. Use secure
# shell (openssh). If you need telnetd not to
# "keep-alives" e.g. if it runs over an ISDN uplink,
# add "-n". See 'man telnetd' for more details.
service telnet
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/in.telnetd
server_args = -n
only_from = 192.168.0.3 192.168.0.7
only_from += 192.168.0.10 192.168.0.12
only_from += 192.168.1.0/24
no_access = 192.168.1.10
flags = IDONLY
access_times = 07:00-21:00
# disable = yes
}
These settings result in the following:
Access is permitted for machines with the following IP addresses:
192.168.0.3
192.168.0.7
192.168.0.10
192.168.0.12
192.168.1.0-255
Access is denied to the host with the IP address 192.168.1.10.
The service is available from 7:00 a.m. to 9:00 p.m.
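As an added example (not from the manual and not xinetd's own code), the following shell script re-implements how only_from, no_access and access_times from the Telnet example above combine, so the intended policy can be checked against sample client addresses before the service is switched on; the matching rules are a hypothetical simplification of xinetd's, and the sample clients are constructed.

```shell
#!/bin/sh
# Added example, not part of the course manual or of xinetd: a small
# re-implementation of how only_from, no_access and access_times combine
# for the Telnet example. It models the rules the manual describes (exact
# address, dotted prefix such as 192.168., address/prefix-length, and "the
# more specific entry wins" when both lists match). xinetd's real matcher
# supports further forms, so treat this as a hypothetical policy checker.

ONLY_FROM="192.168.0.3 192.168.0.7 192.168.0.10 192.168.0.12 192.168.1.0/24"
NO_ACCESS="192.168.1.10"
ACCESS_TIMES="07:00-21:00"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_pattern IP PATTERN -> exit 0 when IP is covered by PATTERN
match_pattern() {
    case $2 in
        */*)                        # network/prefix length, e.g. 192.168.1.0/24
            net=${2%/*}; plen=${2#*/}
            mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
            [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
            ;;
        *.)                         # dotted prefix, e.g. 192.168.
            case $1 in "$2"*) true ;; *) false ;; esac
            ;;
        *)                          # single address
            [ "$1" = "$2" ]
            ;;
    esac
}

# pattern_bits PATTERN -> how many leading address bits the pattern fixes
pattern_bits() {
    case $1 in
        */*) echo "${1#*/}" ;;
        *.)  echo $(( $(printf '%s' "$1" | tr -cd '.' | wc -c) * 8 )) ;;
        *)   echo 32 ;;
    esac
}

# best_match IP "PATTERN ..." -> bits of the most specific matching pattern, -1 if none
best_match() {
    best=-1
    for p in $2; do
        if match_pattern "$1" "$p"; then
            b=$(pattern_bits "$p")
            if [ "$b" -gt "$best" ]; then best=$b; fi
        fi
    done
    echo "$best"
}

# to_minutes HH:MM -> minutes since midnight (leading zeros stripped so the
# shell does not read 08 or 09 as invalid octal numbers)
to_minutes() {
    h=${1%:*}; m=${1#*:}
    h=${h#0}; m=${m#0}
    echo $(( h * 60 + m ))
}

# within_access_times HH:MM HH:MM-HH:MM -> exit 0 when the time is inside the window
within_access_times() {
    now=$(to_minutes "$1")
    start=$(to_minutes "${2%-*}")
    end=$(to_minutes "${2#*-}")
    [ "$now" -ge "$start" ] && [ "$now" -le "$end" ]
}

# telnet_access CLIENT_IP HH:MM -> prints "allow" or "deny" (exit status 0 / 1)
telnet_access() {
    allow_bits=$(best_match "$1" "$ONLY_FROM")
    deny_bits=$(best_match "$1" "$NO_ACCESS")
    if [ "$allow_bits" -lt 0 ] || [ "$deny_bits" -ge "$allow_bits" ]; then
        echo deny; return 1
    fi
    if ! within_access_times "$2" "$ACCESS_TIMES"; then
        echo deny; return 1
    fi
    echo allow
}

# Stand-alone run over a few constructed client addresses.
for client in 192.168.0.3 192.168.1.55 192.168.1.10 10.0.0.5; do
    printf '%-14s at 12:00: %s\n' "$client" "$(telnet_access "$client" 12:00)"
done
printf '%-14s at 22:15: %s\n' 192.168.0.3 "$(telnet_access 192.168.0.3 22:15)"
```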
If you place high demands on access monitoring, you can tighten the security level
even more by using the INTERCEPT and IDONLY parameters in the flags entry.
If the USERID parameter was set in the log_on_success and
log_on_failure entries, IDONLY then makes sure that a connection to the
network service is permitted only when the user identification service (such as
identd) of the host requesting the network service issues the user ID.
If the INTERCEPT parameter has been entered as well, xinetd also attempts to make
sure that an authorized host is on the other end of already existing connections, that
is, that the connection has not been intercepted.
However, connection monitoring does not function with multithreaded or internal
xinetd services. In addition, it puts a heavy burden on the network connection and the
performance of the network service.
Configure Log Files
Almost every hacker has to make several attempts and needs some time before
achieving success. To protect your server, you not only need hacker-resistant
software, but you also need log files that the system administrator can use to detect
unauthorized login attempts.
Because of this, it does not make sense to only deter unauthorized access attempts. To
maintain optimal system security, you also need to record failed and unauthorized
connection attempts.
To shut off a service but still retain its logging functions, configure only_from
without using any additional parameters (such as the following):
only_from =
Logging through xinetd is controlled by the log_type statement along with the
log_on_success and log_on_failure attributes.
These let you record from which host and for how long an access attempt was made,
and which user was using the service (if the remote host supports this feature).
In addition, you can also log the circumstances of how and why the network service
was used. However, even the best log does not mean much if you do not check it on a
regular basis for failed connection attempts.
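As an added example that is not part of the course manual, the following shell script summarises the FAIL entries that log_on_failure writes to the xinetd log file, so rejected attempts can be reviewed per host and service on a regular basis; the log lines are a constructed sample modelled on xinetd's file log format.

```shell
#!/bin/sh
# Added example, not part of the course manual: summarise the FAIL entries
# that log_on_failure writes to /var/log/xinetd.log. The lines below are
# constructed to resemble xinetd's file log format
# ("date@time: VERB: service reason from=host").

SAMPLE_XINETD_LOG='09/4/15@10:21:03: FAIL: telnet address from=192.168.1.10
09/4/15@10:21:05: FAIL: telnet address from=192.168.1.10
09/4/15@10:21:07: START: telnet pid=4711 from=192.168.0.3
09/4/15@10:21:09: FAIL: telnet address from=192.168.1.10
09/4/15@22:40:01: FAIL: telnet time from=192.168.0.7
09/4/15@22:45:07: EXIT: telnet status=0 pid=4711 duration=5040(sec)
09/4/15@23:30:11: FAIL: ftp address from=10.0.0.9'

# xinetd_fail_count LOG -> number of rejected connection attempts
xinetd_fail_count() {
    printf '%s\n' "$1" | awk '$2 == "FAIL:" { n++ } END { print n + 0 }'
}

# xinetd_fail_summary LOG -> "count service reason host", most frequent first
xinetd_fail_summary() {
    printf '%s\n' "$1" | awk '$2 == "FAIL:" {
        host = $5; sub(/^from=/, "", host)
        c[$3 " " $4 " " host]++
    } END { for (k in c) print c[k], k }' | sort -rn
}

# xinetd_flag_hosts LOG THRESHOLD -> hosts rejected at least THRESHOLD times
xinetd_flag_hosts() {
    printf '%s\n' "$1" | awk -v min="$2" '$2 == "FAIL:" {
        host = $5; sub(/^from=/, "", host); c[host]++
    } END { for (h in c) if (c[h] >= min) print h }' | sort
}

# Stand-alone run over the constructed sample; on a live system feed it
# "$(cat /var/log/xinetd.log)" instead.
echo "rejected attempts: $(xinetd_fail_count "$SAMPLE_XINETD_LOG")"
xinetd_fail_summary "$SAMPLE_XINETD_LOG"
echo "hosts with 3 or more rejections:"
xinetd_flag_hosts "$SAMPLE_XINETD_LOG" 3
```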
Novell, Inc. Copyright 2009-CNI USE ONLY-1 HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.
SUSE Linux Enterprise Server 11 Administration / Manual
Copying all or part of this manual, or distributing such copies, is strictly prohibited.
To report suspected copying, please call 1-800-PIRATES.
Version 1 62
Exercise 1-3 Configure the Internet Daemon (xinetd)
In the first part of this exercise, use the YaST module Network Services (xinetd) to
set up a Telnet server on your computer.
In the second part, install vsftpd if it is not yet installed, and edit its
configuration in /etc/xinetd.d/ to activate the service.
You will find this exercise in the workbook.
(End of Exercise)
Objective 4 Enable an FTP Server
To enable an FTP server on SLES 11 you need to understand the following:
The Role of an FTP Server on page 63
How FTP Works on page 63
Advantages of PureFTPd Server on page 64
Installation of PureFTPd on page 65
Configuration of PureFTPd on page 66
Management of PureFTPd Logs on page 70
The Role of an FTP Server
As the name indicates, the File Transfer Protocol (FTP) transfers files from one
computer to another. Today, FTP is used mainly for file transfer on the Internet,
while internal networks usually rely on NFS or SMB (Server Message Block) for file
transfers. Note that plain FTP sends user names, passwords, and file contents over
the network unencrypted.
The following basic features are supported by FTP and available to the user:
Sending, receiving, deleting, and renaming files
Creating, deleting, and changing directories
Transferring data in binary or ASCII mode
An FTP server allows access after authentication against a password database. As a
rule, these are the /etc/passwd and /etc/shadow files. Other authentication
systems, such as NIS or LDAP, are possible.
The PureFTPd FTP server also supports authentication against its own password
database, which is independent from the /etc/passwd and /etc/shadow files.
In addition, guest access can be set up as anonymous FTP (aFTP). Generally, users
logging in to aFTP use anonymous or ftp as their username and use their e-mail
address as the password.
The address is normally not checked for correctness, although some servers check the
syntax and require an entry in the format user@hostname.domain. An anonymous
user is normally given access to a restricted directory tree (a chroot environment).
How FTP Works
The FTP protocol uses the TCP transport protocol. FTP uses two TCP connections
between the client and the server, one for commands and the other for data.
The first of these connections sends FTP commands from the client to the server. To
begin an FTP session, the client addresses the FTP command channel on port 21 of
the server. The client then sends its commands to the FTP server.
For the actual file transfer, and for the replies to certain commands such as ls, FTP
uses the second TCP connection, the data channel, which is opened only when data is
ready to be transferred (for example, after a GET or PUT command).
There are two different types of data transfer:
Active data transfer: The FTP client offers the FTP server an unprivileged TCP
port for the data channel connection. The server then opens the data channel
from its port 20 to the port offered by the client.
Figure 1-14 Active FTP
Passive data transfer: The FTP client informs the FTP server that it wants to
use a passive data transfer using the PASV command.
The FTP server then offers the FTP client an unprivileged TCP port for a data
channel connection, and the client opens the data channel to the port offered
by the server.
Figure 1-15 Passive FTP
Passive FTP transfer avoids the need to allow incoming connections on the client.
This makes it easier for firewall administrators on the client side to establish a
secure configuration. On the server side, however, the firewall must then accept
incoming connections on the range of unprivileged ports the server hands out. With
PureFTPd, that range can be limited with the PassivePortRange option (-p on the
command line), so that only a known port range has to be opened on the server.
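The two data-channel setups described above, as an added example that is not part of the original manual: a Python module that decodes the server's PASV reply and the client's PORT command, builds the PORT command for active mode, and applies the check a careful client or server makes on the advertised endpoint, namely that the data connection should go to the peer of the control connection. A PASV reply naming another host would send the client to a third party, and a PORT command naming another host would turn the server into a relay (the classic FTP bounce). The addresses and port numbers are constructed for the example.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _endpoint(groups):
    """Shared decoding of the six-number h1,h2,h3,h4,p1,p2 form used by PASV and PORT."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def parse_pasv_reply(reply):
    """Decode the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    return _endpoint(m.groups())


def parse_port_command(command):
    """Decode the client's 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("malformed PORT command")
    return _endpoint(m.groups())


def build_port_command(host, port):
    """Build the PORT command a client sends in active mode; it must offer an
    unprivileged port, which the server then connects to from its port 20."""
    if not 1023 < port < 65536:
        raise ValueError("active-mode data port must be unprivileged (1024-65535)")
    o = ipaddress.IPv4Address(host).packed
    return "PORT %d,%d,%d,%d,%d,%d" % (o[0], o[1], o[2], o[3], port // 256, port % 256)


def choose_data_endpoint(peer_host, advertised_host, port, trust_advertised=False):
    """Decide which host:port the data connection really goes to.

    Both sides apply the same rule: the data endpoint should be the peer of the
    control connection. Unless trust_advertised is set (needed only for some NAT
    setups), an advertised host that differs from the peer is replaced by the peer.
    Returns (host, port, warnings)."""
    warnings = []
    host = advertised_host
    if advertised_host != peer_host:
        warnings.append("advertised %s but control connection peer is %s"
                        % (advertised_host, peer_host))
        if not trust_advertised:
            host = peer_host
    if port < 1024:
        warnings.append("advertised data port %d is privileged" % port)
    return host, port, warnings


def passive_endpoint(server_host, reply, trust_advertised=False):
    """Client side: where to connect after a PASV reply from server_host."""
    host, port = parse_pasv_reply(reply)
    return choose_data_endpoint(server_host, host, port, trust_advertised)


def active_endpoint(client_host, command):
    """Server side: where to connect (from port 20) after a PORT command from client_host."""
    host, port = parse_port_command(command)
    return choose_data_endpoint(client_host, host, port)


if __name__ == "__main__":
    print(passive_endpoint("172.17.8.80", "227 Entering Passive Mode (172,17,8,80,195,149)"))
    print(passive_endpoint("172.17.8.80", "227 Entering Passive Mode (192,0,2,7,4,1)"))
    print(active_endpoint("10.0.0.5", "PORT 192,0,2,7,0,80"))
```

The substitution of the advertised address by the control-connection peer is what most current FTP clients do by default; keep the trust_advertised escape hatch for the rare server behind NAT that announces its private address, and log the warning whenever it is used.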
Advantages of PureFTPd Server
A number of FTP servers for Linux are available, such as the standard FTP server,
in.ftpd; the FTP server from Washington University, wu.ftpd; proftpd; or the
PureFTPd FTP server, pure-ftpd.
PureFTPd has several features that make it stand out from other FTP servers:
Consistent use of chroot environments
Uncomplicated configuration of virtual FTP servers
Virtual users independent of the system users listed in the file /etc/passwd
Configuration via command line parameters or with a configuration file
Installation of PureFTPd
You can install the PureFTPd server with the YaST Software Management module by
selecting the pure-ftpd package.
After installation, you configure the FTP server manually by editing the /etc/
pure-ftpd/pure-ftpd.conf configuration file.
You can run PureFTPd server using one of the following methods:
From the command line: Enter pure-ftpd options (such as pure-ftpd
-B -e). If you start pure-ftpd this way, no configuration file is used.
NOTE: For details on the possible pure-ftpd options, enter man pure-ftpd.
From a start script: Enter /etc/init.d/pure-ftpd start (or
rcpure-ftpd start). To stop the PureFTPd service, enter rcpure-ftpd
stop.
The /etc/pure-ftpd/pure-ftpd.conf configuration file is parsed by
the Perl script /usr/sbin/pure-config-args to translate the parameters
in the configuration file to command line options.
These options are then passed to the /usr/sbin/pure-ftpd daemon.
If you want pure-ftpd to be initialized upon startup, you need to set symbolic
links by entering the following:
insserv /etc/init.d/pure-ftpd
From xinetd: If you want to start PureFTPd via xinetd, you need to edit the /
etc/xinetd.d/pure-ftpd file and add the required options as in the
following example:
# default: off
# description: The ftpd server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
# This ftpd is the pure-ftpd.
# ** NOTE ** when using pure-ftpd from xinetd the arguments to
# control it's behaviour should be added here in this file in
# the "server_args" line since the configuration file
# /etc/pure-ftpd.conf is only for standalone pure-ftpd.
# The command "/usr/sbin/pure-config-args /etc/pure-ftpd.conf"
# will print the arguments needed for behaviour like standalone
# pure-ftpd.
service ftp
{
socket_type = stream
server = /usr/sbin/pure-ftpd
server_args = -A -i
protocol = tcp
user = root
wait = no
disable = yes
}
Because the pure-ftpd.conf configuration file is neither parsed nor evaluated
when PureFTPd is started via xinetd, all the required options must be given in the
/etc/xinetd.d/pure-ftpd file as server arguments in the server_args line.
The file as shipped has disable = yes; to activate the service, change this to
disable = no and reload xinetd (rcxinetd reload). Do not run PureFTPd both from
xinetd and from its start script, since both would try to bind port 21.
NOTE: For details on all command line options for PureFTPd, enter
pure-ftpd --help.
Configuration of PureFTPd
To perform basic configuration tasks for the PureFTPd server, you need to know the
following:
Configure Anonymous FTP on page 66
Configure FTP with Virtual Hosts for Anonymous FTP on page 67
Configure FTP for Authorized Users on page 68
Configure FTP with Virtual Users Not Included in /etc/passwd on page 69
Configure Anonymous FTP
To configure anonymous FTP for PureFTPd, you need an ftp user in the /etc/passwd
file whose home directory (/srv/ftp/ by default) serves as the anonymous area. On
SLES 11 this user exists by default.
However (unlike other FTP servers), you do not need to create any subdirectories
(such as bin) in the home directory, because PureFTPd does not execute external
programs inside the chroot environment.
The following is an example of a simple pure-ftpd.conf file:
# Cage in every user in his home directory
ChrootEveryone yes
# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly yes
# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload yes
# Fork in background
Daemonize yes
In this configuration file, it is possible to log in only as an anonymous user, regardless
of what username is given. It is not possible to change to a directory other than /
srv/ftp/ or below, and no files can be uploaded to the serveronly downloads
are possible. The server detaches from the terminal it is started in (Daemonize
yes).
The equivalent command on the command line would be pure-ftpd -A -e -i -B.
If you want anonymous users to be able to upload files to the server, the configuration
file would look like the following:
# Cage in every user in his home directory
ChrootEveryone yes
# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly yes
# Allow anonymous users to upload new files
AnonymousCantUpload no
# Disallow downloading of files owned by ftp, ie.
# files that were uploaded but not validated by a local admin.
AntiWarez yes
# Never overwrite files. When a file whose name already exists is
# uploaded, it gets automatically renamed to file.1, file.2, file.3, ...
AutoRename yes
You have to give the ftp user write access to the /srv/ftp directory by making it
the owner (chown ftp /srv/ftp), and you also have to make sure the permissions
are set properly (chmod 755 /srv/ftp). Do not make the directory world-writable;
ownership by ftp is sufficient.
The AntiWarez option is recommended because otherwise the server could be misused
as a drop site for undesirable (or even illegal) data: anything uploaded would be
immediately downloadable by everyone.
Files uploaded to the server belong to the user ftp, and because of this option
files owned by ftp cannot be downloaded from the server. The administrator must
change the owner of a file (for instance to root) using the chown command before
it can be downloaded.
The last line ensures that a file that might already exist is not overwritten. Instead, a
new file is created with a number on the end (such as file.1).
The equivalent command on the command line would be pure-ftpd -A -e -s -r.
Configure FTP with Virtual Hosts for Anonymous FTP
Virtual FTP hosts allow a number of FTP sites to be hosted on one machine (such as
ftp.slc.digitalairlines.com and ftp.muc.digitalairlines.com). Each of these FTP sites
requires its own IP address, because the FTP protocol gives the client no way to tell
the server which host name it wants (there is no equivalent of the HTTP Host header);
the server can only distinguish sites by the IP address on which the connection
arrives.
For this reason, you need to assign multiple IP addresses to your network card. In
addition, you need to configure DNS so that each host name resolves to the matching
IP address.
You configure virtual hosts through the /etc/pure-ftpd/vhosts/ directory,
not by changing the /etc/pure-ftpd/pure-ftpd.conf file.
The configuration is a very simple two-step process:
1. From the command line, use the ip command to create virtual network devices,
as in the following example:
ip address add 172.17.8.80/16 brd + dev eth0
ip address add 172.17.8.81/16 brd + dev eth0
2. Create a symbolic link in /etc/pure-ftpd/vhosts/ with this IP address,
which is linked to the directory containing the files available at this IP address.
The following is an example:
cd /etc/pure-ftpd/vhosts/
ln -s /ftp/directory/of/ftp.slc.digitalairlines.com \
172.17.8.80
ln -s /ftp/directory/of/ftp.muc.digitalairlines.com \
172.17.8.81
To prevent these anonymous areas from being filled with undesired files, start
PureFTPd with the option -i. This makes it impossible for anonymous users to
upload files.
Virtual FTP servers handle only anonymous FTP users and not authorized users.
Configure FTP for Authorized Users
Configuring an FTP server for authorized users is important for those who are hosting
Web sites. Individual customers maintain their own pages in directories which they
alone have access to.
The following is an example configuration in which no anonymous FTP access is
allowed and where all users are limited to their home directory:
# Cage in every user in his home directory
ChrootEveryone yes
# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous yes
The equivalent command on the command line would be pure-ftpd -A -E.
To run the server in the background, add the -B option on the command line, or
Daemonize yes to the configuration file.
If you want to modify the above configuration so that certain users are not confined in
a chroot environment (for example, members of a group ftpadmin with the GID 500),
you could enter the following:
# Cage in every user in his home directory
ChrootEveryone no
# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
TrustedGID 500
# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous yes
The equivalent command on the command line would be pure-ftpd -a 500 -E.
To run the server in the background, add the -B option on the command line, or
Daemonize yes to the configuration file.
Configure FTP with Virtual Users Not Included in /etc/passwd
PureFTPd provides a way of administering FTP users in a file of its own, similar in
structure to the /etc/passwd file.
The advantages are that PureFTPd users are separated from system users and can
access the system by FTP only. A normal login is not possible, because they have no
matching entries in the /etc/passwd file.
To administer PureFTPd users in a separate user database, you first need to create a
system user under whose UID (and GID) the virtual FTP users access the file system:
useradd -m ftpusers
This account is needed only by PureFTPd, so give it no usable login: lock its
password (passwd -l ftpusers) and set its shell to /bin/false
(usermod -s /bin/false ftpusers).
Once this is done, you can then create the FTP users with pure-pw (in the file /
etc/pure-ftpd/pureftpd.passwd) by entering the following (using user
joe as an example):
pure-pw useradd joe -u ftpusers -d /home/ftpusers/joe
You are requested to enter a password (twice) for the user.
With the help of command line options, you can specify user options such as quotas
for the number of files (-n 100), size limits in MB (-N 10), or the times when
users can log in (-z 0900-1800).
PureFTPd does not use the /etc/pure-ftpd/pureftpd.passwd ASCII file
directly, but the /etc/pure-ftpd/pureftpd.pdb binary file. This file must
be regenerated every time changes are made by entering pure-pw mkdb.
To use the special user database, you need to start PureFTPd with the option -l
puredb:/path/pureftpd.pdb. Combining this with the -j option ensures
that the home directory is created as soon as the user logs in.
The following is an example:
pure-ftpd -j -l puredb:/etc/pure-ftpd/pureftpd.pdb
The corresponding entries in the configuration files would look like this:
# Automatically create home directories if they are missing
CreateHomeDir yes
# PureDB user database (see README.Virtual-Users)
PureDB /etc/pure-ftpd/pureftpd.pdb
You can modify FTP users by entering pure-pw usermod and delete users by
entering pure-pw userdel.
NOTE: For additional details on using the pure-pw syntax, enter man 8 pure-pw or pure-pw
--help.
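The following Python script is an added example written for this manual; it is not the pure-config-args script itself. It translates the configuration keywords used in this objective into the pure-ftpd command line, in the way Installation of PureFTPd describes pure-config-args doing for the start script, using the fragments from Configure Anonymous FTP, Configure FTP for Authorized Users and the virtual-user entries above as inputs, and it adds two checks on the result: anonymous uploads without AntiWarez, and a setup in which nobody is chrooted. The option letters come from pure-ftpd --help; the keyword list is limited to what this section uses, and the PassivePortRange entry is an assumption of the example.

```python
import shlex

# pure-ftpd.conf keywords used in this section and the command line option each
# one stands for (letters as listed by pure-ftpd --help). Keywords not in these
# two tables are reported as unknown rather than guessed.
BOOLEAN_FLAGS = {
    "chrooteveryone": "-A",       # chroot() every user into its home directory
    "anonymousonly": "-e",        # only anonymous logins
    "noanonymous": "-E",          # only authenticated logins
    "anonymouscantupload": "-i",  # anonymous users cannot upload
    "antiwarez": "-s",            # files owned by ftp cannot be downloaded
    "autorename": "-r",           # never overwrite; rename to file.1, file.2, ...
    "daemonize": "-B",            # fork into the background
    "createhomedir": "-j",        # create a missing home directory at login
}
VALUE_FLAGS = {
    "trustedgid": "-a",           # members of this GID are not chrooted
    "puredb": "-l",               # virtual user database; becomes -l puredb:<path>
    "altlog": "-O",               # extra log file, e.g. -O clf:/var/log/pureftpd.log
    "passiveportrange": "-p",     # "first last" in the file becomes first:last (assumption)
}


def config_to_args(text):
    """Translate pure-ftpd.conf text into a list of command line arguments, in
    file order. Returns (args, unknown_keywords)."""
    args, unknown = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in BOOLEAN_FLAGS:
            if value.lower() == "yes":
                args.append(BOOLEAN_FLAGS[key])
            elif value.lower() != "no":
                raise ValueError("%s expects yes or no, got %r" % (parts[0], value))
        elif key in VALUE_FLAGS:
            if key == "puredb":
                value = "puredb:" + value
            elif key == "passiveportrange":
                value = ":".join(value.split())
            args.extend([VALUE_FLAGS[key], value])
        else:
            unknown.append(key)
    return args, unknown


def command_line(text):
    """The pure-ftpd command equivalent to the configuration file text."""
    args, _ = config_to_args(text)
    return " ".join(["pure-ftpd"] + [shlex.quote(a) for a in args])


def lint(args):
    """Checks a reviewer would make on the resulting argument list."""
    findings = []
    anonymous_allowed = "-E" not in args
    uploads_allowed = "-i" not in args
    if anonymous_allowed and uploads_allowed and "-s" not in args:
        findings.append("anonymous uploads allowed without AntiWarez (-s): uploads are "
                        "downloadable immediately, so the server can serve as a drop site")
    if "-A" not in args and "-a" not in args:
        findings.append("nobody is chrooted: ChrootEveryone is off and no TrustedGID is set")
    return findings


# The configuration fragments shown in this objective.
ANONYMOUS_DOWNLOAD_ONLY = "ChrootEveryone yes\nAnonymousOnly yes\nAnonymousCantUpload yes\nDaemonize yes\n"
ANONYMOUS_UPLOAD = "ChrootEveryone yes\nAnonymousOnly yes\nAnonymousCantUpload no\nAntiWarez yes\nAutoRename yes\n"
AUTHENTICATED_ONLY = "ChrootEveryone yes\nNoAnonymous yes\n"
TRUSTED_ADMINS = "ChrootEveryone no\nTrustedGID 500\nNoAnonymous yes\n"
VIRTUAL_USERS = "CreateHomeDir yes\nPureDB /etc/pure-ftpd/pureftpd.pdb\n"

if __name__ == "__main__":
    for name, cfg in [("download only", ANONYMOUS_DOWNLOAD_ONLY), ("uploads", ANONYMOUS_UPLOAD),
                      ("authenticated", AUTHENTICATED_ONLY), ("trusted GID", TRUSTED_ADMINS),
                      ("virtual users", VIRTUAL_USERS)]:
        print("%-14s %s" % (name + ":", command_line(cfg)))
        for finding in lint(config_to_args(cfg)[0]):
            print("    warning:", finding)
```

Running the script prints pure-ftpd -A -e -i -B for the first fragment, matching the equivalent command given in the text, and the same argument list is what belongs in server_args when PureFTPd is started from xinetd. The virtual-user fragment is only a partial file, so lint reports both findings for it; in a real pure-ftpd.conf it is combined with the ChrootEveryone and NoAnonymous entries shown earlier.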
Management of PureFTPd Logs
PureFTPd sends its messages to the syslog daemon, so these messages appear in the
usual log files.
It is also possible for PureFTPd to write its own log files in various formats. The
option for this is -O format:logfile, where format can be clf (Common
Log Format, a format similar to that used by the Apache Web server), stats
(special output format, designed for log file analysis software), or w3c (special
output format parsed by most commercial log analyzers).
Suitable entries already exist in the /etc/pure-ftpd/pure-ftpd.conf
configuration file. You need to remove the comment symbol (#) to activate the entry.
The following is an example entry:
AltLog clf:/var/log/pureftpd.log
Exercise 1-4 Configure Anonymous PureFTPd Access
In this exercise, you configure anonymous FTP access with the permission to upload
files.
You will find this exercise in the workbook.
(End of Exercise)
Summary
Objective: Configure NFS (Network File System)
Network File System (NFS) lets you configure an NFS file server that gives users
transparent file access over the network. Directories to export are specified in
/etc/exports. NFS is an RPC-based service and thus needs the portmapper (rpcbind)
to function properly. /etc/init.d/nfsserver is the script to start the NFS server.
Directories from other servers can be imported using the mount command or during
boot according to entries in the /etc/fstab file.
Objective: Configure Time on SUSE Linux Enterprise Server 11
In order to implement a uniform time on all computers in a network, all computers
must have access to at least one time server. The ntp package contains the ntpd
time server to get the time from another time server as well as provide time to
other machines on the network via NTP.
Objective: Enable the Extended Internet Daemon (xinetd)
The Extended Internet Daemon (xinetd) is used to start various network services
like FTP or POP3 when a connection is made to the respective port. The xinetd
configuration is contained in the /etc/xinetd.conf file and in individual files
for the various services in the /etc/xinetd.d/ directory. Configuration can be
done with the YaST Network Services module, an editor and, to a certain extent,
the chkconfig command.
Objective: Enable an FTP Server
FTP is a widely used file transfer protocol. It uses two TCP connections, one for
control commands and one for the data transfer. There are various FTP servers
available. PureFTPd has the advantage of a flexible configuration and the
reputation of being secure. It can be configured via a configuration file or
command line options.
SECTION 2 Manage Printing
SUSE Linux Enterprise Server 11 uses CUPS (Common UNIX Printing System) to
provide print services. CUPS is based on the Internet Printing Protocol (IPP). This
protocol is supported by most printer manufacturers and operating systems. IPP is a
standardized printer protocol that enables authentication and access control.
This section covers the configuration of locally connected and remote printers, the
management of print queues using CUPS command line tools, the configuration of
CUPS as print server to make locally connected printers available to others in the
network, and access control.
Objectives
1. Configure CUPS on page 74
2. Manage Print Jobs and Queues on page 91
3. Understand how CUPS Works on page 99
4. Configure and Manage Print Server Access on page 106
5. Use the Web Interface to Manage a CUPS Server on page 113
Objective 1 Configure CUPS
YaST provides printer installation and configuration functionality. To configure a
printer, you need to know the following:
When to Configure a Printer on page 74
Required Printing Software on page 75
How to Add Printers on page 76
When to Configure a Printer
You can configure your printer at the following times:
During installation: If you are at the Hardware Configuration dialog during
installation (see the following figure) and your automatic detection is not correct,
select the Printer link or use the Change drop-down list:
Figure 2-1 Installation: Hardware Configuration
Note that during installation, only locally connected printers are detected
automatically and listed under Printer.
However, if you select Printer, the complete YaST printer configuration options are
at your disposal to configure local and remote printers or to configure CUPS:
Figure 2-2 Installation: Printer Configuration
After installation: You can change your printer configuration settings from the
YaST Control Center by selecting Hardware > Printer.
You can also start the YaST printer configuration module directly from a terminal
window with the yast2 printer command.
Required Printing Software
The following packages are needed to set up a print server:
Table 2-1 CUPS Software Components
Package           Content
cups              Provides the cupsd printer daemon.
cups-client       Provides the command line printing tools.
cups-drivers      Provides the PPD files for print queues.
cups-libs         Should always be installed, because a number of programs
                  (such as Samba) are linked against the CUPS libraries.
foomatic-filters  Filter scripts used by the printer spoolers to convert the
                  incoming PostScript data into the printer's native format.
These packages are installed automatically if YaST is used for printer configuration.
YaST also creates the symbolic links in runlevel directories to ensure that the CUPS
daemon is started automatically when booting.
Other packages required by the printing system, such as ghostscript-library, are
automatically selected during a standard installation.
How to Add Printers
There are two ways to add printers:
Add a Printer with YaST on page 76
Add a Printer from the Command Line on page 89
Add a Printer with YaST
The Printer Configuration dialog used to configure your printer is the same during
and after installation. You can access the dialog either by selecting YaST >
Hardware > Printer or by entering yast2 printer in a terminal window as root.
The following dialog appears:
Figure 2-3 Printer Configuration
In the left part of the dialog, you can select different aspects of the printer
configuration. The right part of the dialog shows the configuration options available
for your selection.
The left part offers the following selections:
Printer Configurations on page 77
Access Network Printer on page 80
Print via Print Server Machine on page 82
Special on page 83
Print via Network on page 84
Share Printers on page 87
Policies on page 88
Autoconfig Settings on page 88
Printer Configurations
The Printer Configurations dialog gives you an overview of the configured
printers and allows you to add, edit, or delete print queues.
To add a printer that does not show up in the Printer Configurations dialog, select
Add. A screen similar to the following (depending on the make of the attached
printer) appears:
Figure 2-4 Add New Printer Configuration
NOTE: If you want to change the suggested name of the new print queue, you have to do it at this
point in the Set Name box.
When you click More Connections, the local connections are scanned again and any
newly detected printers are added to the page. Click OK to add them to the list of
configured printers:
Figure 2-5 Printer Configurations
In the example above, the existing printer was detected again. This might be useful if
you want to have queues for the same printer with different settings. Select the new
entry and click Edit to change the settings for this queue. Should you have no use for
the new entry, select it and click Delete.
Clicking Connection Wizard in the Add New Printer Configuration dialog opens
the following dialog:
Figure 2-6 Printer Connection Wizard
Selecting an item on the left opens a new pane on the right where you can enter the
specific parameters for your choice.
Selecting an item under Directly Connected Device on the left and then clicking OK
leads to the Add New Printer Configuration dialog.
The other entries lead to slightly different dialogs:
Access Network Printer
Print Via Print Server Machine
Special
Access Network Printer
Depending on what type of network printer you select on the left, the pane on the
right lists the parameters needed to access that type of printer. The following shows
the pane for the TCP port Connection Settings:
Figure 2-7 Printer: Connection Wizard
Type the IP address of the printer and its manufacturer. To test the connection, you
can click the Test Connection button. Click OK to continue.
You are returned to the Add New Printer Configuration dialog, but when
configuring a network printer, you have to manually select a driver from the list of
available drivers, as shown in the following:
Figure 2-8 Add New Printer Configuration
Select the driver for your printer and click OK. You are returned to the initial Printer
Configurations dialog with your new printer listed:
Figure 2-9 Printer Configurations
Print via Print Server Machine
To access a printer that is connected to a print server, in the Connection Wizard
dialog select the type of print server your printer is connected to.
The pane on the right allows you to enter the configuration values needed to access
the printer. The following shows the pane to access a CUPS server, with some values
already entered manually:
Figure 2-10 Printer: Connection Wizard
Clicking OK returns you to the Add New Printer Configuration dialog where you
can select a driver and change the queue name. Clicking OK once more returns you
to the Printer Configurations dialog with the new printer listed as a local printer.
Special
CUPS supports the IPP, LPD, SMB, IPX, and socket protocols. After selecting the
entry Specify Arbitrary Device URI, you can enter the device URI (Uniform
Resource Identifier) to access printers using these protocols. See Add a Printer from
the Command Line on page 89.
IPP (Internet Printing Protocol): IPP is a relatively new protocol (since 1999)
that is based on the HTTP protocol. Compared to other protocols, it can transmit
much more job-related data.
CUPS uses IPP for the internal data transmission. This is the preferred protocol
for a forwarding queue between CUPS servers.
The port number for IPP is 631.
Device URI example: ipp://cupsserver/printers/printqueue.
LPD (Line Printer Daemon): The LPD protocol is described in RFC 1179
(Requests For Comments can be found at (http://www.ietf.org/rfc.html)).
Because some job-related data, such as the printer queue, is sent before the actual
print data, a printer queue must be specified when configuring the LPD protocol
for data transmission.
The implementations of most printer manufacturers are flexible enough to accept
any name as the printer queue. The printer manual might indicate which name to
use (such as LPT, LPT1, or LP1).
An LPD queue can also be configured on a different Linux or UNIX host in a
network that uses the CUPS system.
The port number for an LPD service is 515.
Device URI example: lpd://host-printer/LPT1
SMB (Standard Message Block): CUPS supports printing on printers connected
to Windows shares. The protocol used for this purpose is SMB.
SMB uses port numbers 137, 138, and 139.
Device URI examples:
smb://user:password@workgroup/server/printer
smb://user:password@host/printer
smb://server/printer
IPX. This is used to print via a Novell NetWare Server.
socket. This is used to connect to a printer equipped with a network port, such as
HP's JetDirect technology.
The socket port numbers that are commonly used include 9100 and 35.
Device URI example: socket://host-printer:9100/
Print via Network
The Print via Network page in the main Printer Configurations window allows you
to configure how to connect to other CUPS servers in the network.
Figure 2-11 Print via Network
CUPS servers can communicate the printers they make available using a mechanism
called browsing. The CUPS server that has printers connected sends out broadcast
packets at regular intervals publishing the available printers. A local CUPS server
makes these printers available to the local users.
Figure 2-12 CUPS Broadcasts
If this function is enabled, the server broadcasts the printer information every 30
seconds. This printer information typically uses only 80 bytes per printer; therefore,
you can add a large number of servers and printers.
The Use CUPS to Print Via Network section has the following options:
Do not Receive Printer Information from Remote CUPS Servers: When this
option is selected, printers that are published by other CUPS servers using the
browsing mechanism are not made available locally.
Any printers you want to use have to be set up as described in Printer
Configurations on page 77.
Receive Printer Information from Remote CUPS Servers: When this option
is selected, the local CUPS server uses the browsing information broadcast
within the network to make printers available locally. Using the drop-down menu
under Accept Information from the Following Servers, you can limit the
servers that browsing information is accepted from.
This option is probably the most convenient, as any printers that other CUPS
servers advertise using the broadcast mechanism are available automatically.
Do All Your Printing Directly via One Remote CUPS Server: When this
option is selected, no local CUPS server is running. All print jobs are sent to the
single print server you specify in the Hostname/IP Address field.
The server name is written to the /etc/cups/client.conf file.
This choice is useful only when all printing is done via exactly one remote CUPS
server.
Clicking the Connection Wizard button opens the same dialog as described in
Printer Configurations on page 77.
Share Printers
The Share Printers page in the main Printer Configurations window allows you to
configure how the CUPS server can be accessed from the network and whether or not
it advertises its available printers to the clients using browsing.
Figure 2-13 CUPS: Share Printers
There are two main options:
Deny Remote Access: When this option is selected, the CUPS server binds to
localhost (127.0.0.1) only and is not accessible from any attached network.
Allow Remote Access: Here you can decide if you only want to allow remote
access, or if you additionally want to turn on browsing:
For computers within the local network: Selecting this option (and no
other) allows access on all local interfaces (eth0, eth1, etc.), but does not turn
on browsing.
Publish printers by default in the local network: This includes the
previous choice, but turns on browsing on all local interfaces as well.
Via network interfaces specified below: Instead of allowing access with or
without browsing on all local interfaces as above, you can make this choice
separately for each interface by clicking Add.
Select the interface and check Publish printers by default via the interface below if
you want to turn on browsing on this interface. Then click OK.
For Experts: Here you can define more specific limitations based on IP
addresses or networks for access and browsing.
The settings are written to the /etc/cups/cupsd.conf file.
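The following shell script is an added example and is not part of this manual or of CUPS. It audits a cupsd.conf fragment for the three settings the Share Printers page controls: listening on every address, browsing broadcasts, and unrestricted "Allow all" access to a location. The two configuration fragments it embeds are constructed for the example (the directives Listen, Port, Browsing, Allow and the <Location> blocks are standard cupsd.conf syntax); the function names audit_cupsd_conf and cupsd_conf_finding_count are the example's own.

```shell
# Added example, not part of the SLES 11 manual or of CUPS itself: audit a
# cupsd.conf fragment for settings that expose the scheduler to the network.
# The two configurations below are constructed for this example.

# Constructed sample: listens on every address, advertises printers, and lets
# any host reach both the printer pages and the /admin pages.
WEAK_CUPSD_CONF='Listen *:631
Browsing On
BrowseAddress @LOCAL
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>'

# Constructed sample: reachable from localhost and the local subnet only, no
# browsing broadcasts, and administration restricted to localhost.
HARDENED_CUPSD_CONF='Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>'

# audit_cupsd_conf: reads cupsd.conf text on stdin, prints one finding per
# line and exits with the number of findings (0 means nothing to report).
audit_cupsd_conf() {
    awk '
        # Remember the current <Location> so "Allow all" can be reported with
        # the path it opens up.
        /^[ \t]*<Location[ \t]/ { loc = $2; sub(/>.*/, "", loc); next }
        /^[ \t]*<\/Location>/   { loc = ""; next }
        /^[ \t]*Listen[ \t]+(\*|0\.0\.0\.0):/ || /^[ \t]*Port[ \t]/ {
            print "listens on all addresses: " $0; n++; next }
        /^[ \t]*Browsing[ \t]+[Oo][Nn]/ {
            print "browsing on: printers are advertised by broadcast"; n++; next }
        /^[ \t]*Allow[ \t]+(from[ \t]+)?all[ \t]*$/ {
            print "unrestricted access to " loc ": " $0; n++; next }
        END { exit n }
    '
}

# cupsd_conf_finding_count: number of findings for a config passed as a string.
cupsd_conf_finding_count() {
    printf '%s\n' "$1" | audit_cupsd_conf | wc -l | tr -d ' '
}

# Usage: report on both constructed configurations.
for name in WEAK_CUPSD_CONF HARDENED_CUPSD_CONF; do
    eval "conf=\$$name"
    echo "== $name: $(cupsd_conf_finding_count "$conf") finding(s)"
    printf '%s\n' "$conf" | audit_cupsd_conf || true
done
```

Run it against the real file with `audit_cupsd_conf < /etc/cups/cupsd.conf` after YaST has written the settings; a nonzero exit status means the server is reachable or advertised more widely than the Deny Remote Access choice would allow.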
Policies
The Policies page, accessible from the main Printer Configurations dialog, allows
you to set the error and the operation policy.
Figure 2-14 CUPS: Policies
Autoconfig Settings
The settings you make on this page determine how CUPS deals with printers when
they are connected to a USB port.
Figure 2-15 CUPS: Autoconfig Settings
Add a Printer from the Command Line
Besides using YaST, you can also configure CUPS with command line tools. After
collecting the information you need (such as the PPD [Postscript Printer Description]
file and the name of the device), use the lpadmin command to add a printer:
lpadmin -p queue -v device-URI -P PPD-file -E
The -p option specifies the print queue name of the printer, the -v option sets the
device URI attribute of the printer queue (see Special on page 83), and the -P
option is used to specify the PPD file.
Do not use -E as the first option. For all CUPS commands, -E as the first argument
implies the use of an encrypted connection, and -E at the end enables the printer to
accept print jobs.
For example, to enable a parallel printer, enter a command similar to the following
(on one line):
lpadmin -p ps -v parallel:/dev/lp0 -P
/usr/share/cups/model/Postscript.ppd.gz -E
To enable a network printer, enter a command similar to the following (on one line):
lpadmin -p ps -v socket://10.0.0.200:9100/ -P
/usr/share/cups/model/Postscript-level1.ppd.gz -E
Exercise 2-1 Configure Printers
In this exercise, you add a local printer and print to a remote queue.
You will find this exercise in the workbook.
(End of Exercise)
Objective 2 Manage Print Jobs and Queues
CUPS comes with several command line tools to start, stop, and modify print queues.
The command line tools for the CUPS printing system and their man pages are
included in the cups-client package.
The manual pages are also accessible using the CUPS Web interface. To access this
interface from SLES 11, open a browser and point it to the local page at
http://localhost:631/help/.
The CUPS tools allow you to use commands according to two different styles or
conventions:
Berkeley (these commands are identical to those used with the LPRng printing
system)
System V
Compared with Berkeley style, System V provides a somewhat more extensive range
of features for printer administration.
To manage printer queues, you need to know how to do the following:
Generate a Print Job on page 91
Display Information on Print Jobs on page 92
Cancel Print Jobs on page 93
Manage Queues on page 94
Configure Queues on page 94
Start and Stop CUPS on page 97
Print queues can also be managed via a Web interface, which is covered later in this
section.
Generate a Print Job
Use the following commands to generate a print job:
Berkeley: lpr -P queue file
System V: lp -d queue file
Example:
lpr -P color chart.ps
or:
lp -d color chart.ps
With these commands, the chart.ps file is submitted to the color queue.
If no queue is specified, the job is printed to the default queue.
The -o parameter needs to be used whenever any additional print options are
specified:
lpr -P lp -o duplex=none order.ps
or:
lp -d lp -o duplex=none order.ps
This submits the order.ps file to the lp queue and also disables duplex printing for the
corresponding device (duplex=none). To view possible options, enter lpoptions
-l -d queue (see Configure Queues on page 94).
You have to give the command in a slightly different form to print through a remote
queue:
Berkeley: lpr -P queue@server file
System V: lp -d queue -h server file
Example:
lpr -P lp -H da10.digitalairlines.com /etc/motd
or:
lp -d lp -h da10.digitalairlines.com /etc/motd
This submits the /etc/motd file to the lp queue located on the da10.digitalairlines.com
print server.
NOTE: For more information on these command line tools, enter man lpr and man lp.
Display Information on Print Jobs
Use the following commands to display print job information:
Berkeley: lpq -P queue
System V: lpstat -o queue -p printer
To display active print jobs of the default queue, use the lpq command as shown in
the following:
geeko@da10:~ # lpq
draft is ready and printing
Rank Owner Job File(s) Total Size
active root 14 fstab 1024 bytes
To list the same information in a slightly different format, use lpq -l.
To display the print jobs of another queue, specify it with -P queue as shown in the
following:
geeko@da10:~ # lpq -P printer
printer is ready
no entries
To display the active print jobs of all available queues, enter lpq -a as shown in the
following:
geeko@da10:~ # lpq -a
no entries
To refresh the output at a fixed interval, enter
lpq -P queue +seconds
The following shows the output of lpstat -o queue -p queue. The lpstat
-a command shows information on the accepting state:
da10:~ # lpstat -o draft -p draft
draft-6 root 1024 Wed Feb 4 16:06:53 2009
printer draft now printing draft-0. enabled since Wed Feb 4 16:06:53 2009
Connected to host, sending print job...
geeko@da10:~ # lpstat -a
draft accepting requests since Tue Feb 3 14:11:08 2009
ps accepting requests since Wed Feb 4 16:19:43 2009
NOTE: For more information on these commands, enter man lpq and man lpstat.
Cancel Print Jobs
Use the following commands to cancel a print job:
Berkeley: lprm -P queue jobnumber
System V: cancel [-h server] queue-jobnumber
NOTE: For more information on these commands, enter man lprm and man cancel.
Manage Queues
In addition to controlling single jobs in a queue, you can also control the queue itself.
Disable printing on a queue while jobs can still be sent to it by entering
cupsdisable destination.
Queues that are disabled still accept jobs for printing but won't actually print any
files until they are enabled again.
Disabling a print queue is useful if a printer malfunctions and you need time to
fix the problem.
Start printing again on a queue that is disabled by entering cupsenable
destination.
If there are any queued print jobs, they are printed after the printer is enabled.
Stop accepting print jobs on a queue by entering /usr/sbin/reject
destination.
With the /usr/sbin/reject command, the printer finishes the print jobs in the queue
but rejects any new print jobs.
This command is useful for times when you need to perform maintenance on a
printer and the printer will not be available for a significant period of time.
NOTE: lpstat -a shows information on the accepting state of the queues.
Accept print jobs again on a queue that rejected them by entering
/usr/sbin/accept destination.
By using this command, you can reset the print queue to begin accepting new
print jobs. If the queue is also disabled, actual printing starts only after enabling
the queue again.
NOTE: The commands cupsdisable, cupsenable, and reject are all links pointing to
/usr/sbin/enable.
Configure Queues
Printer-specific options that affect the physical aspects of the output are stored in the
PPD (PostScript Printer Description) file for each queue in the /etc/cups/ppd/
directory.
PPD is the computer language that describes the properties (such as resolution) and
options (such as duplex unit) of PostScript printers. These descriptions are necessary
to use the various printer options in CUPS.
During the installation of SUSE Linux Enterprise Server 11, a lot of PPD files are
pre-installed. In this way, even printers that do not have built-in PostScript support
can be used.
If a PostScript printer is configured, the best approach is to get a suitable PPD file and
store it in the /usr/share/cups/model/ directory. You can then select the PPD
file during the installation. If the model does not show up, select Add Driver in the
Add New Printer Configuration dialog (Figure 2-8) and follow the simple steps to
add the PPD file to the database.
Users can see the current settings of a local queue by entering
lpoptions -p queue -l
NOTE: The sequence of options is important. If you specify -l first, the settings of the default
queue are listed, no matter what you specify after -p.
The output of this command has the following structure:
option/string: value value value ...
The following is an example:
da10:~ # lpoptions -l
HalftoningAlgorithm/Halftoning Algorithm: Accurate *Standard WTS
REt/REt Setting: Dark Light *Medium Off
TonerDensity/Toner Density: 1 2 *3 4 5
Duplex/Double-Sided Printing: *DuplexNoTumble DuplexTumble None
Manualfeed/Manual Feed of Paper: Off On
InputSlot/Media Source: *Default Tray1 Tray2 Tray3 Tray4 Envelope Manual Auto
Copies/Number of Copies: *1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ...
PageSize/Page Size: *A4 Letter 11x17 A3 A5 B5 Env10 EnvC5 EnvDL EnvISOB5 EnvMonarch Executive Legal
PageRegion/PageRegion: A4 Letter 11x17 A3 A5 B5 Env10 EnvC5 EnvDL EnvISOB5 EnvMonarch Executive Legal
Resolution/Resolution: 75x75dpi *150x150dpi 300x300dpi 600x600dpi
Economode/Toner Saving: *Off On
LowToner/Behaviour when Toner Low: *Continue Stop
The * symbol in front of a value indicates the currently active setting. The
significance of some of these options is as follows:
REt/REt Setting: (Resolution Enhancement) Includes three modes to improve
the quality of dark, light, and medium print jobs.
Generally, the difference in print quality is small.
TonerDensity/Toner Density: Specifies the quantity of toner (1=little, 5=much).
Duplex/Double-Sided Printing: Disables or enables double-sided printing,
assuming that your printer supports duplex printing.
InputSlot/Media Source: If your printer has different paper trays, lets you select
the tray for your print job.
Copies/Number of Copies: Specifies the number of copies printed.
PageSize/Page Size: Specifies the physical size of the paper in the selected paper
tray.
PageRegion/PageRegion: Normally equals the page size.
This option is read by the PostScript interpreter.
Resolution/Resolution: Specifies the resolution used for the print queue.
Economode/Toner Saving: Used to enable economode to save toner, but the
quality of prints degrades.
LowToner/Behaviour when Toner Low: Specifies whether the printer
continues or stops printing when the toner gets low.
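The following shell script is an added example, not part of this manual or of CUPS. It parses the option/string: value value ... lines that lpoptions -l prints, picks out the starred (active) value of each option, and compares a queue's active values against a site baseline, which is how you would detect a queue whose defaults have drifted from what was configured. The listing it embeds is constructed from a subset of the lpoptions -l example above; the function names active_lpoptions, active_lpoption and queue_setting_drift are the example's own.

```shell
# Added example, not from the SLES 11 manual or CUPS: extract the active value
# of each option from lpoptions -l output and check it against a baseline.
# The listing below is constructed from the lpoptions -l example in the manual.

LPOPTIONS_SAMPLE='HalftoningAlgorithm/Halftoning Algorithm: Accurate *Standard WTS
REt/REt Setting: Dark Light *Medium Off
TonerDensity/Toner Density: 1 2 *3 4 5
Duplex/Double-Sided Printing: *DuplexNoTumble DuplexTumble None
Manualfeed/Manual Feed of Paper: Off On
Resolution/Resolution: 75x75dpi *150x150dpi 300x300dpi 600x600dpi
Economode/Toner Saving: *Off On'

# active_lpoptions: stdin = lpoptions -l output; stdout = "Keyword=value" for
# every option whose line carries a starred (active) value. Options with no
# star, such as Manualfeed above, print nothing.
active_lpoptions() {
    awk -F': ' '
        NF >= 2 {
            # "Keyword/Description" -> Keyword; values are space separated.
            split($1, kw, "/")
            n = split($2, vals, " ")
            for (i = 1; i <= n; i++)
                if (substr(vals[i], 1, 1) == "*")
                    print kw[1] "=" substr(vals[i], 2)
        }
    '
}

# active_lpoption LISTING KEYWORD: the active value of one option, or nothing.
active_lpoption() {
    printf '%s\n' "$1" | active_lpoptions | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# queue_setting_drift LISTING KEYWORD EXPECTED: succeed when the active value
# matches the baseline, otherwise print the mismatch and fail.
queue_setting_drift() {
    actual=$(active_lpoption "$1" "$2")
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    echo "$2: expected $3, active is ${actual:-<none>}"
    return 1
}

# Usage: list all active settings, then check two of them against a baseline.
printf '%s\n' "$LPOPTIONS_SAMPLE" | active_lpoptions
queue_setting_drift "$LPOPTIONS_SAMPLE" Duplex DuplexNoTumble
queue_setting_drift "$LPOPTIONS_SAMPLE" Economode On || true
```

On a live system, replace the embedded listing with `lpoptions -p queue -l` output (keeping -p before -l, as the note above explains) and run the drift check for each queue from cron.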
To change any of the options for a local queue, enter a command with the following
syntax:
lpoptions -p queue -o option=value
The following command changes the page size of the lp queue to Letter:
lpoptions -p lp -o PageSize=Letter
However, the range of users affected by the new settings varies, depending on which
user has actually changed the settings:
If a normal user (such as geeko) enters a command as above, the changes apply
only to that user and are stored in the ~/.cups/lpoptions file (in the user's
home directory).
If root enters the command, changes apply to all users on the corresponding host.
They are then used as default and stored in the /etc/cups/lpoptions file.
The PPD file of the queue, however, is not modified by this.
There is a way for root to change the defaults in the PPD file of any local queue. Such
changes would apply network wide to all users submitting print jobs to the
corresponding queue.
To achieve this, enter (as root)
lpadmin -p queue -o option=value
For example, to set the default page size for the lp queue, enter
lpadmin -p lp -o PageSize=Letter
CUPS provides collections of printers called printer classes. Jobs sent to a class are
forwarded to the first available printer in the class. You can also use the lpadmin
command to
Define classes of printers or queues.
Edit such classes (by adding a queue to a class or deleting a queue from a class).
Delete classes.
For example, to add a queue to a class, enter
lpadmin -p queue -c class
If the class does not exist yet, it will be automatically created.
To remove a queue from a class, enter
lpadmin -p queue -r class
If the class will be empty (with no other queues left in it) as a result of such a
command, it will be automatically deleted.
To see which queues belong to which class on a given host, look at the
/etc/cups/classes.conf file.
NOTE: For more information on all the available options of lpadmin, enter man lpadmin.
You can also get information on the commands covered above in a browser by entering the
location http://localhost:631/help/ (notice it's a location found locally on your SLES
11 machine) and then selecting Man Pages.
Start and Stop CUPS
As the root user, you can start or stop cupsd manually with the following commands:
/etc/init.d/cups start or rccups start
/etc/init.d/cups stop or rccups stop
If you make changes manually to the /etc/cups/cupsd.conf file, you need to
restart the daemon by entering /etc/init.d/cups restart or rccups
restart.
Exercise 2-2 Manage Printers from the Command Line
In this exercise, you practice managing printer queues from the command line.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Understand how CUPS Works
To understand how CUPS works, you need to understand the following:
Steps of the Printing Process on page 99
Print Queues on page 100
Log Files on page 102
Configuration File on page 105
Steps of the Printing Process
The printing process involves the following steps:
1. A print job is submitted by a user or program.
2. The file destined for the printer is stored in a print queue, which creates two files
per print job in the /var/spool/cups/ directory.
One of the files contains the actual data to print. The other one contains
information about the print job; for example, it might contain the identity of the
user who created the print job and the printer to use.
3. The cupsd printer daemon acts as the print spooler. It is responsible for watching
all print queues and for starting the filters required to convert data into the
printer-specific format.
4. The conversion of print data is done in the following way:
a. The data type is determined using the entries in /etc/cups/mime.types.
b. Subsequently, data is converted into PostScript using the program specified
in /etc/cups/mime.convs.
c. After that, the pstops program (/usr/lib/cups/filter/pstops)
is used to determine the number of pages, which is written to
/var/log/cups/page_log.
d. CUPS uses other filtering capabilities of pstops as needed, depending on the
options set for the print job.
For instance, the psselect option of pstops makes it possible to limit the
printout to a certain selection of pages, while the ps-n-up option of
pstops allows several pages to be printed on one sheet.
e. If the selected printer is not a PostScript printer, cupsd will start the
appropriate filter to convert data into the printer-specific format.
One of these filter programs is /usr/lib/cups/filter/cupsomatic
which, in turn, relies on ghostscript for conversion.
Filters are responsible for processing all printer-specific options, including
resolution, paper size, and others.
f. For the actual transfer of the data stream to the printer device, CUPS uses
another type of filter, or back end, depending on how the printer is connected
to the host.
These back ends are found in the /usr/lib/cups/backend/
directory:
da10:~ # ls /usr/lib/cups/backend/
canon hpfax lpd serial socket
epson http parallel smb usb
hp ipp scsi snmp
5. Once the print job has been transferred to the printer, the print spooler deletes the
job from the queue and starts processing the next job. When the job is deleted,
the print data file in /var/spool/cups/ is removed.
The file that has information about the print job is not deleted. The filename for the
first print job is labeled c00001. The number in each of the following print jobs is
increased by one.
The following is a schematic representation of the filtering process:
Figure 2-16 CUPS Filtering Process
Print Queues
With CUPS, printer devices are addressed using print queues. Rather than being sent
directly to the printer, print jobs are sent to a print queue associated with the device.
On a print server, each print queue is registered with its name in the
/etc/cups/printers.conf file.
Among other things, this file defines which queues the printer is addressed through,
how it is connected, and which interface it is connected to.
Several print queues can be defined for one printer, as in the following example:
# Printer configuration file for CUPS v1.3.9
# Written by cupsd on 2009-02-05 14:06
<DefaultPrinter hp_draft>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
StateTime 1233839191
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer hp_normal>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
StateTime 1233839040
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
...
For instance, in the case of color printers, it can be useful to have two queues, one for
black-and-white printing of text documents and one for color printing.
The following explains some entries in /etc/cups/printers.conf:
<DefaultPrinter queuename>: The entry for the default printer.
<DefaultPrinter hp_draft> and <Printer hp_normal>: The two queues defined
for the HP LaserJet 6mp printer; in this example hp_draft is the default queue.
State Idle: Currently, this print queue does not have any print jobs.
Accepting Yes: The queue is accepting print jobs.
JobSheets none none: Starting and ending banner will not be printed.
Each existing queue has its own configuration file, which is stored on the print server
in the /etc/cups/ppd/ directory.
These files contain settings to configure the paper size, the resolution, and other
settings.
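The following shell script is an added example and is not part of this manual or of CUPS. It walks a printers.conf file of the form shown above and reports, for every queue, the device URI scheme (one of the protocols from the Special section), whether the queue is shared on the network, and whether the URI carries embedded credentials. cupsd writes printers.conf in plain text, so a user:password embedded in an smb:// device URI, as in the Special section's examples, is readable by anyone who can read that file; this check finds such queues. The file content is constructed, modelled on the listing above plus two constructed network queues; the function names uri_scheme, uri_has_credentials and audit_printers_conf are the example's own.

```shell
# Added example, not part of the SLES 11 manual or of CUPS: report each queue
# in a printers.conf with its device URI scheme, sharing state, and whether
# the URI embeds credentials. The file text below is constructed.

PRINTERS_CONF_SAMPLE='# Printer configuration file for CUPS v1.3.9
<DefaultPrinter hp_draft>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
Accepting Yes
Shared Yes
</Printer>
<Printer hp_normal>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
Accepting Yes
Shared No
</Printer>
<Printer win_share>
Info constructed: printer on a Windows share
DeviceURI smb://printuser:S3cret@WORKGROUP/fileserver/hp4
State Idle
Accepting Yes
Shared Yes
</Printer>
<Printer jetdirect>
Info constructed: printer with a network port
DeviceURI socket://10.0.0.200:9100/
State Idle
Accepting Yes
Shared No
</Printer>'

# uri_scheme URI: the scheme of a device URI (parallel, smb, socket, ...).
uri_scheme() { printf '%s\n' "$1" | sed 's/:.*//'; }

# uri_has_credentials URI: succeed when user[:password]@ appears after the
# scheme, i.e. the login is stored in clear text in printers.conf.
uri_has_credentials() {
    case "$1" in
        *://*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_printers_conf: stdin = printers.conf; stdout = one line per queue:
#   queue scheme shared flags
# where flags is "-" or a comma-separated list of findings.
audit_printers_conf() {
    awk '
        /^<(Default)?Printer / { q = $2; sub(/>$/, "", q); uri = ""; shared = "No"; next }
        /^DeviceURI / { uri = $2; next }
        /^Shared /    { shared = $2; next }
        /^<\/Printer>/ {
            scheme = uri; sub(/:.*/, "", scheme)
            flags = ""
            if (shared == "Yes") flags = flags "shared-on-network,"
            # Credentials sit between "://" and the first "/" of the path.
            if (uri ~ /^[a-z]+:\/\/[^\/]*@/) flags = flags "credentials-in-uri,"
            sub(/,$/, "", flags)
            if (flags == "") flags = "-"
            print q, scheme, shared, flags
        }
    '
}

# Usage: audit the constructed file.
printf '%s\n' "$PRINTERS_CONF_SAMPLE" | audit_printers_conf
```

On a print server run `audit_printers_conf < /etc/cups/printers.conf` as root; queues flagged credentials-in-uri are the ones whose Windows account password would be exposed by a readable copy of the file.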
By contrast, on the client side the names of queues are registered in the
/etc/printcap file:
da10:~ # cat /etc/printcap
# This file was automatically generated by cupsd(8) from
# the /etc/cups/printers.conf file. All changes to this
# file will be lost.
hp_normal|HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3:rm=da10.digitalairlines.com:rp=hp_normal:
hp_draft|HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3:rm=da10.digitalairlines.com:rp=hp_draft:
This file is generated and updated automatically by cupsd and is relevant for a
number of applications (such as OpenOffice.org) that use the entries in it to list the
available printers in their printer selection dialogs.
NOTE: You should not change the /etc/printcap file manually.
Log Files
The log files of CUPS are stored in the /var/log/cups/ directory.
CUPS has three log files:
The access_log File on page 102
The error_log File on page 104
The page_log File on page 104
For troubleshooting CUPS issues, you need to understand the following:
The access_log File on page 102
The error_log File on page 104
The page_log File on page 104
Set the Log Level to Record Errors on page 105
The access_log File
The access_log file lists each HTTP resource that is accessed by a Web browser or
CUPS/IPP client.
Lines in the log file look like the following:

localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Printers successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Classes successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 75 CUPS-Get-Default successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST /printers/hp_normal HTTP/1.1" 200 982 Print-Job successful-ok

The entries in the lines (from left to right) are explained below:
The host field contains the name of the host (in the example: localhost).
The group field always contains "-" in CUPS.
The user field contains the authenticated username of the requesting user.
If a username and password are not supplied for the request, this field contains "-"
(as in the example).
The date-time field shows the date and time of the request in local time (in this
example: [05/Feb/2009:14:18:22 +0100]).
The format is [DD/MON/YYYY:HH:MM:SS +ZZZZ], where ZZZZ is the time
zone offset in hours and minutes from coordinated universal time (UTC).
The method field is the HTTP method used (such as GET, PUT, and POST).
The resource field is the filename of the requested resource. Possible resources
are
/
/admin/
/printers/
/jobs/
The version field is the HTTP version used by the client.
For CUPS clients, this is always HTTP/1.1.
The status field contains the HTTP result status of the request.
Usually it is 200, but other HTTP status codes are possible. For example, 401
indicates unauthorized access.
The bytes field contains the number of bytes in the request.
For POST requests, the bytes field contains the number of bytes that were
received from the client.
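As an added example (not code from the manual), the following Python script parses access_log lines in the format shown above and flags the entries an administrator would want to review: rejected requests (401/403) and /admin access that did not come from the local machine. The log lines, host addresses and the LOCAL_HOSTS set are constructed for this example.

```python
"""Parse CUPS access_log lines and flag the entries worth a second look.

Added example, not code from the manual. The log lines in SAMPLE_LOG are
constructed to match the format explained above (CUPS appends the IPP
operation and its status after the byte count); hosts and times are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# host group user [date-time] "method resource version" status bytes [ipp-op ipp-status]
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<datetime>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
    r'(?: (?P<ipp_op>\S+) (?P<ipp_status>\S+))?$'
)

# Hosts that count as "the local machine" for the /admin check (assumption).
LOCAL_HOSTS = {'localhost', '127.0.0.1', '::1'}


@dataclass
class AccessEntry:
    host: str
    user: str
    datetime: str
    method: str
    resource: str
    status: int
    nbytes: int
    ipp_op: Optional[str]      # None for plain HTTP requests (e.g. a Web browser)
    ipp_status: Optional[str]


def parse_line(line: str) -> Optional[AccessEntry]:
    """Return the parsed entry, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AccessEntry(
        host=m['host'], user=m['user'], datetime=m['datetime'],
        method=m['method'], resource=m['resource'],
        status=int(m['status']), nbytes=int(m['bytes']),
        ipp_op=m['ipp_op'], ipp_status=m['ipp_status'],
    )


def findings(entries: List[AccessEntry]) -> List[Tuple[str, str]]:
    """(host, reason) pairs an administrator should review: requests the
    server rejected (401 unauthorized, 403 forbidden) and any /admin access
    that did not originate on the local machine."""
    out = []
    for e in entries:
        if e.status in (401, 403):
            out.append((e.host, f'{e.status} on {e.resource} (user {e.user})'))
        if e.resource.startswith('/admin') and e.host not in LOCAL_HOSTS:
            out.append((e.host, f'remote access to {e.resource} (user {e.user})'))
    return out


# Constructed sample: two local IPP requests, then a remote client that is first
# rejected and then succeeds after authenticating as "geeko", then a bad line.
SAMPLE_LOG = """\
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Printers successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST /printers/hp_normal HTTP/1.1" 200 982 Print-Job successful-ok
10.0.0.77 - - [05/Feb/2009:14:20:01 +0100] "POST /admin/ HTTP/1.1" 401 0
10.0.0.77 - geeko [05/Feb/2009:14:20:05 +0100] "POST /admin/ HTTP/1.1" 200 1021 CUPS-Add-Modify-Printer successful-ok
this line is deliberately malformed and must be skipped
"""


def analyze(text: str) -> Tuple[List[AccessEntry], List[Tuple[str, str]]]:
    """Parse every well-formed line of an access_log and compute the findings."""
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return entries, findings(entries)


if __name__ == '__main__':
    parsed, flagged = analyze(SAMPLE_LOG)
    print(f'{len(parsed)} entries parsed')
    for host, reason in flagged:
        print(f'{host}: {reason}')
```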
The error_log File
The error_log file lists messages (such as errors and warnings) from the scheduler:

I [05/Feb/2009:14:18:22 +0100] [Job 14] Adding start banner page "none".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Adding end banner page "none".
I [05/Feb/2009:14:18:22 +0100] [Job 14] File of type text/plain queued by "root".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Queued on "hp_normal" by "root".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/texttops (PID 28773)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/pstops (PID 28774)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/foomatic-rip-hplip (PID 28775)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started backend /usr/lib/cups/backend/parallel (PID 28776)
I [05/Feb/2009:14:18:24 +0100] [Job 14] Completed successfully.

The entries in the lines (from left to right) are explained below:
The level field contains the type of message:
E: An error occurred.
W: The server was unable to perform an action.
I: Informational message.
D: Debugging message.
The date-time field contains the date and time of the entry (for example, when a
page started printing).
The format of this field is identical to the date-time field in the access_log file.
The message field contains a free-form text message.
The page_log File
The page_log file lists each page that is sent to a printer:

hp_normal root 14 [05/Feb/2009:14:18:23 +0100] 1 1 - localhost

The entries in the lines (from left to right) are explained below:
The printer field contains the name of the printer that printed the page (in this
example: hp_normal).
If you send a job to a printer class, this field contains the name of the printer that
was assigned the job.
The user field contains the name of the user that submitted this file for printing.
The job-id field contains the job number of the page being printed (in this
example: 14).
The date-time field contains the date and time the page started printing.
The format of this field is identical to the date-time field in the access_log file.
The page-number field contains the page number (in this example: 1).
The num-pages field contains the number of copies (in this example: 1).
For printers that cannot produce copies on their own, the num-pages field will
always be 1.
The job-billing field contains a copy of the job-billing attribute provided with
the IPP create-job or print-job requests, or "-" if none was provided.
The hostname field contains the name of the host that originated the print job (in
this example: localhost).
Set the Log Level to Record Errors
Messages from cupsd are written to the /var/log/cups/error_log file. With the default
log level info, only requests and status changes are logged to the file.
If you want errors recorded, you need to change the LogLevel option in the cupsd
configuration file /etc/cups/cupsd.conf:
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info
For debugging and troubleshooting, set the log level to debug or debug2. After
changing the configuration, restart CUPS by entering rccups restart.
Configuration File
The CUPS configuration file is /etc/cups/cupsd.conf. It has a format similar
to that of the Apache web server configuration file.
Various options are used to configure the server itself, as well as to configure
filtering, networking, browsing, and access.
Networking, browsing, and access are covered in the next objective.
Objective 4 Configure and Manage Print Server Access
In Objective 1, Configure CUPS on page 74, you learned how to configure CUPS
to be able to print from a local machine and how to control access to the print server
using the options provided in YaST. YaST or command line tools took care of the
underlying configuration.
In this objective, you will gain an understanding of the /etc/cups/cupsd.conf
configuration file. You will learn how to control in more detail who may use your
printer via the network. To be able to do this, you need to understand the following:
Syntax of /etc/cups/cupsd.conf on page 106
Access Restrictions on page 107
Syntax of /etc/cups/cupsd.conf
The syntax of the /etc/cups/cupsd.conf file used to configure CUPS is similar to the
Apache configuration file syntax.
The general syntax is a directive followed by a value, such as
Listen *:631
The above makes CUPS listen on all interfaces on port 631.
The following directives control the way browse packets are sent by the server:
# Show shared printers on the local network.
Browsing On
BrowseAddress @LOCAL
Browsing On turns on browsing. It needs to be accompanied by a
BrowseAddress directive specifying where browse packets should be sent. With
the value @LOCAL, browse information is sent to all local (non-point-to-point)
interfaces. Other possible values are broadcast addresses (10.0.0.255:631), IP
addresses or host names (host.example.com), or single interfaces (@IF(name)).
The directives BrowseAllow, BrowseDeny, and BrowseOrder control how
CUPS deals with incoming browse packets. With the following configuration, browse
packets are ignored:
BrowseOrder allow,deny
BrowseAllow none
BrowseDeny all
With the following configuration, CUPS processes browse packets that arrive on the
local interfaces:
BrowseAllow @LOCAL
BrowseOrder allow,deny
NOTE: All directives that can be used within the /etc/cups/cupsd.conf file are described in the
CUPS reference documentation, which you can view locally on your SLES 11 machine by pointing a
browser at http://localhost:631/help/ref-cupsd-conf.html.
The effect of some directives can be limited by putting them within sections, such as
# Restrict access to the server...
<Location />
Order allow,deny
Allow @LOCAL
Allow 127.0.0.2
</Location>
This is mainly used to limit access to certain resources, as explained in Access
Restrictions on page 107.
Access Restrictions
You can restrict the access to various CUPS resources, based on criteria such as IP
address, user name, or group membership. You can also restrict which activities
different users may or may not perform. You can do the following:
Restrict Access Using the Location Directive on page 107
Restrict Access Using the Policy Directive on page 109
Restrict Access Using the lpadmin Command on page 111
Restrict Access Using the Location Directive
The location directive within the /etc/cups/cupsd.conf file can be used to specify
access control and authentication options for the specified HTTP resource or path.
The settings are relevant for the access to the Web interface using a Web browser
(such as http://localhost:631/printers) as well as IPP access by users printing
documents.
Common locations on the server include the following:
/ (root): The access restrictions for this resource apply for all subsequent
resources if no other restrictions are specified there.
/printers: All printers or queues.
/classes: Available printer classes (for example, all color printers).
/jobs: Print jobs on the CUPS server.
/admin: Access to the server configuration.
Here is an example:
<Location />
Order allow,deny
Allow 127.0.0.2
Allow @LOCAL
</Location>
<Location /admin>
Order Allow,Deny
Allow 127.0.0.1
Allow 127.0.0.2
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
</Location>
The following explains the configuration directives:
Order: Defines the order of the rules and the default directive.
Allow,Deny: Default is to deny access. Allow requests from systems in an Allow
directive, unless they are also listed in a Deny directive.
Deny,Allow: Default is to allow access. Deny requests from systems in a Deny
directive, unless they are also listed in an Allow directive.
Deny From ...: Access to the resource is prohibited for the item named. You can
specify a host or domain name (host.example.com, *.example.com), an IP
address (1.2.3.4 or a:b:c:d::e), a network (10.*, 10.0.0.0/24, or an IPv6 network), an
interface name (@IF(name)), or local interfaces (@LOCAL). (The word From
can also be omitted.)
Allow From ...: Access is permitted for the item named, specified as above.
AuthType: Basic uses the Linux password and group files. BasicDigest
uses the /etc/cups/passwd.md5 file for authentication; lppasswd is the utility to
add, change, and delete users and passwords in this file:

da10:~ # lppasswd -a root -g sys
Enter password:
Enter password again:

This command creates the user root in the group sys. Any user name will do, as
long as it is a member of the group sys. The user name does not have to exist as a
Linux user name.
NOTE: The password has to be at least six characters long and must contain at least one letter
and one number.
Require: user specifies that the authenticated user must be one of the listed
users, or a member of the listed groups. @SYSTEM refers to the groups specified
with the SystemGroup directive, usually the groups sys and root.
The resource /printers concerns all queues. You can specify access restrictions on a
per-queue basis in additional entries that might look like this one:
<Location /printers>
Order Allow,Deny
Allow From 10.0.0.0/24
Allow From 10.0.1.2
</Location>
<Location /printers/color>
Order Allow,Deny
Allow From 10.0.0.10
</Location>
In the above example, all clients belonging to network 10.0.0.0/24 and host 10.0.1.2
can print on all queues in the network, with the exception of the color queue, which
can be accessed only by the client 10.0.0.10.
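To check how such Location rules resolve for a given client before deploying them, here is an added example (not from the manual or from CUPS) that models the Order/Allow/Deny semantics described above for the address forms the manual lists (IP address, CIDR network, 10.* wildcard, @LOCAL), including the per-queue /printers and /printers/color rules and the deny,allow default that allows everyone when no Deny line is present. LOCAL_NETS, the rule table and the client addresses are assumptions; host and domain names are not resolved.

```python
"""Evaluate CUPS-style <Location> rules for a client address.

Added example, not code from the manual or from CUPS. It models the Order /
Allow / Deny semantics explained above; the networks that count as @LOCAL,
the rule table and the client addresses are made up for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

# Networks treated as local interfaces for @LOCAL (an assumption).
LOCAL_NETS = [ipaddress.ip_network('127.0.0.0/8'), ipaddress.ip_network('10.0.0.0/24')]


def matches(pattern: str, client: str) -> bool:
    """Does one Allow/Deny item match the client address?"""
    ip = ipaddress.ip_address(client)
    if pattern.lower() == 'all':
        return True
    if pattern.lower() == 'none':
        return False
    if pattern == '@LOCAL':
        return any(ip in net for net in LOCAL_NETS)
    if pattern.endswith('.*'):                      # 10.* style wildcard
        return client.startswith(pattern[:-2] + '.')
    try:                                            # 1.2.3.4 or 10.0.0.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False                                # host/domain names: not resolved here


def location_allows(order: str, allow: List[str], deny: List[str], client: str) -> bool:
    """Apply one Location block.
    allow,deny: default deny; allowed only if in Allow and not also in Deny.
    deny,allow: default allow; denied only if in Deny and not also in Allow."""
    allowed = any(matches(p, client) for p in allow)
    denied = any(matches(p, client) for p in deny)
    if order.lower() == 'allow,deny':
        return allowed and not denied
    if order.lower() == 'deny,allow':
        return not denied or allowed
    raise ValueError(f'unknown Order value: {order}')


# Constructed rule table: path -> (Order, Allow list, Deny list), mirroring the
# manual's "/" block and its per-queue /printers and /printers/color example.
LOCATIONS: Dict[str, Tuple[str, List[str], List[str]]] = {
    '/':               ('allow,deny', ['@LOCAL'], []),
    '/printers':       ('allow,deny', ['10.0.0.0/24', '10.0.1.2'], []),
    '/printers/color': ('allow,deny', ['10.0.0.10'], []),
}


def effective_location(resource: str) -> str:
    """The most specific Location whose path is a prefix of the resource;
    "/" applies when nothing more specific is configured."""
    best = '/'
    for path in LOCATIONS:
        is_prefix = resource == path or resource.startswith(path.rstrip('/') + '/')
        if is_prefix and len(path) > len(best):
            best = path
    return best


def resource_allows(resource: str, client: str) -> bool:
    order, allow, deny = LOCATIONS[effective_location(resource)]
    return location_allows(order, allow, deny, client)


if __name__ == '__main__':
    for res, cli in [('/printers/color', '10.0.0.10'), ('/printers/color', '10.0.0.11'),
                     ('/printers/hp_normal', '10.0.1.2'), ('/jobs/', '192.0.2.9')]:
        print(f'{cli:>12} -> {res:<20} {"allow" if resource_allows(res, cli) else "deny"}')
```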
Restrict Access Using the Policy Directive
While the location directive can be used to restrict or allow access to resources based
on the directory structure on the CUPS server, the policy directive within the /etc/
cups/cupsd.conf file specifies IPP operation access control limits.
Policy directives are evaluated after the location-based access control rules and,
therefore, cannot be used to allow access that is limited by a location directive. In
other words, if a location directive forbids access to a printer, it cannot be granted by
a policy directive.
Each policy contains one or more limit sections. The basic syntax looks like the
following:
<Policy name>
<Limit operation ... operation>
...
</Limit>
<Limit operation ... operation>
...
</Limit>
<Limit All>
...
</Limit>
</Policy>
Within the /etc/cups/cupsd.conf file, a default policy is defined. It consists of several
Limit sections:
DefaultPolicy default
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
The first Limit section lists job-related operations that may be executed by the
owner of a job or by a member of the system group, without authentication.
Operations are listed one after the other, separated by spaces. The Require directive
specifies the user requirements, and the Order deny,allow line at the end allows
requests to come from any system allowed by the Location sections.
A list of operations can be found by pointing your browser at the following location
(found locally on your SLES 11 machine):
http://localhost:631/help/ref-cupsd-conf.html?TOPIC=References&QUERY=#LimitIPP
The following Limit section lists printer-related operations that require
authentication:
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
The line AuthType Default turns on authentication. Only members of the
SYSTEM group can perform these operations.
Within the default policy there is another Limit section that concerns queue-related
operations:
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
Its access restrictions are the same as those for the printer-related operations. They
could have been listed within one Limit section as well, but grouping them makes the
configuration easier to understand.
The last section allows all operations that have not been covered so far:
<Limit All>
Order deny,allow
</Limit>
</Policy>
You can create your own policy by creating Policy sections as above, using a name of
your choice.
You can set your own policy as default using the line
DefaultPolicy MyPolicy
Using the lpadmin command, you can also use your policy for specific queues, such
as the following:
lpadmin -p color -o printer-op-policy=MyPolicy
Restrict Access Using the lpadmin Command
On the command line, you can use the lpadmin command to restrict access to queues
to specific users:
To permit printing for individual users, enter
lpadmin -p queue -u allow:user1,user2
or for a group, enter
lpadmin -p queue -u allow:@group
To prohibit printing for users or groups, enter
lpadmin -p queue -u deny:user,@group
NOTE: The commands above do not add to the existing user entries, but replace them.
To permit printing for all, enter
lpadmin -p queue -u allow:all
or
lpadmin -p queue -u deny:none
These access restrictions are written to the /etc/cups/printers.conf file, as
in the following:
<Printer printer>
...
AllowUser user1
AllowUser user2
AllowUser @users
</Printer>
Exercise 2-3 Manage Access
In this exercise, you learn how to administer access to your CUPS server.
You will find this exercise in the workbook.
(End of Exercise)
Objective 5 Use the Web Interface to Manage a CUPS Server
You can access the Web interface of the CUPS server by using the local URL
http://IP_Address:631
The main menu is shown in the following figure:
Figure 2-17 CUPS Web interface: Welcome
The top navigation bar is available on all pages.
To manage printers and jobs or to modify the current settings, you have to
authenticate. Depending on what you want to do, you have to authenticate as the
owner of the job you want to modify or as administrator of the CUPS server (by
default, this is the root user).
NOTE: Enabling administrative access via the Web interface is described in Restrict Access Using
the Location Directive on page 107.
The navigation bar at the top includes the following tabs:
Administration on page 114
Classes on page 115
Documentation/Help on page 115
Jobs on page 116
Printers on page 117
Use the Web Interface to Manage a CUPS Server on page 119
Administration
In the Administration module (http://localhost:631/admin) you can perform all
administration tasks:
Figure 2-18 CUPS Web interface: Administration
Printers: Here you can add and find new printers. The Manage Printers button
opens the same page as the Printers tab at the top of the page.
Classes: Here you can add a printer class. The Manage Classes button opens the
same page as the Classes tab at the top of the page.
Jobs: The Manage Jobs button opens the same page as the Jobs tab at the top of
the page.
Server: The Basic Server Settings section allows you to make specific changes
by selecting or unselecting the respective configuration options.
The Edit Configuration File button opens a dialog that allows you to edit the
/etc/cups/cupsd.conf file directly.
The buttons referring to different logs open the respective logs in a browser window.
Classes
In the Classes module (http://localhost:631/classes) you can manage existing printer
classes.
Figure 2-19 CUPS Web interface: Classes
To add a class, select the Administration tab and click the Add Class button.
Documentation/Help
The Web interface allows you to quickly access documentation and help for different
aspects of CUPS, as shown in the following:
Figure 2-20 CUPS Web interface: Help
Jobs
In the Jobs module (http://localhost:631/jobs) you can switch between the view of
the completed jobs or the view of the active jobs.
Figure 2-21 CUPS Web interface: Jobs
To switch between the two views, select Show Completed Jobs or Show Active
Jobs. Click All Jobs to view active and completed jobs.
If any jobs are in the queue, you can also
Hold the job.
Cancel the job.
The management dialog is the same as the dialog you get when you select Manage
Jobs in the Administration interface.
Printers
In the Printers module (http://localhost:631/printers), you can do the following:
Print a test page
Stop/start the printer
Reject/accept print jobs
Modify the printer configuration
Set printer options (paper size, resolution, and banner)
Delete the printer configuration
Set a printer as default printer
Set users that are allowed to print
The dialog is shown in the following:
Figure 2-22 CUPS Web interface: Printers
Clicking a printer entry shows information on the print jobs for that printer.
The configuration dialog is the same as the dialog you get when you select Manage
Printers in the Administration module.
Exercise 2-4 Use the Web Interface to Manage a CUPS Server
In this exercise, you add a second printer via the Web front end of CUPS.
You will find this exercise in the workbook.
(End of Exercise)
Summary

Objective: Configure CUPS
CUPS, the Common UNIX Printing System, is the default printing system used in
SUSE Linux Enterprise Server 11.
CUPS can be used to print on local or remote printers. The protocol used is IPP,
but other protocols are also supported.
Printers are addressed by using print queues.
The YaST module to configure CUPS can be found at YaST Control Center >
Hardware > Printer.

Objective: Manage Print Jobs and Queues
CUPS tools allow you to use commands according to
Berkeley (LPRng) style, such as lpr, lpq, and lprm.
System V style, such as lp, lpstat, and cancel.
To list the current settings of a local queue, enter
lpoptions -p queue -l

Objective: Understand How CUPS Works
The main configuration file for CUPS is /etc/cups/cupsd.conf.
Information on the print queues is kept in /etc/cups/printers.conf.
A configuration file for each queue is located in the /etc/cups/ppd/ directory.
These files store settings affecting the printout through the given queue.
The /etc/printcap file, which is created and updated automatically, contains an
entry for each of the defined queues.
CUPS can distribute information about the available printers to all network clients.

Objective: Configure and Manage Print Server Access
A CUPS server can distribute information about the available queues within the
network (browsing).
Access to resources and IPP options on the CUPS server can be restricted based on
IP addresses, users, groups, or passwords.

Objective: Use the Web Interface to Manage a CUPS Server
You can enter the CUPS Web front end at http://localhost:631/ or
http://IP_Address:631
The Web interface allows the administration of all aspects of CUPS, including
printer management, viewing of log files, or editing of the /etc/cups/cupsd.conf
file.
SECTION 3 Configure and Use OpenLDAP
In this section, you learn how to configure the OpenLDAP service on a SLES 11
server and configure it to store user accounts.
Objectives
1. Describe How LDAP Works on page 122
2. Install and Configure OpenLDAP on SLES 11 on page 136
3. Add, Modify, and Delete Entries to the LDAP Directory Tree on page 155
Objective 1 Describe How LDAP Works
Before learning how to set up OpenLDAP on your server, you first need to
understand what LDAP is and how it works. In this objective, the following topics are
addressed:
How Directory Services Work on page 122
What is LDAP? on page 127
How the LDAP Directory Tree Is Structured on page 127
How Directory Services Work
Most people are familiar with directory services, such as a telephone directory.
Telephone companies provide a directory of their subscribers' names, addresses, and
phone numbers that allows telephone service users to easily contact each other.
All the contact information is in one place, the phone book, which organizes the
information in alphabetical order.
Similarly, a network directory service provides the location of network resources.
This allows network service users and administrators to easily connect to and use or
manage these network resources.
To understand the need for LDAP (Lightweight Directory Access Protocol), you first
need to understand that by default your Linux system stores its user and group
information locally in the file system.
For example, your user accounts are stored as plain text in the /etc/passwd file. A
section of it is shown below:
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
geeko:x:1000:100:Geeko Novell:/home/geeko:/bin/bash
tux:x:1001:100:Tux Novell:/home/tux:/bin/bash
Each line represents one user record. Each record is composed of several fields
separated by colons (:).
Your users' passwords are not stored in the passwd file. Instead, they are stored in
encrypted format in the /etc/shadow file. The corresponding section of the
shadow file for the passwd file from the example above is shown below (password
hashes are shortened):
wwwrun:*:14306::::::
geeko:$2a$05$Eso3tbJJXTVAjUdRk0L9DODn/pgleI...xyz:14309:0:99999:7:::
tux:$2a$05$mNcSSMBMxF3eZayvZxtyH.RZZjC1WkO/...def:14309:0:99999:7:::
Likewise, your groups are saved in the /etc/group file, as shown below:
trusted:x:42:
tty:x:5:
utmp:x:22:
uucp:x:14:
uuidd:!:104:
video:x:33:geeko,tux
wheel:x:10:
www:x:8:
xok:x:41:
users:x:100:
As with the passwd file, each line in the group file represents one group record. The
record is composed of several fields separated by colons (:).
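The following Python script, added here and not part of the manual, parses the passwd, shadow and group formats just described and cross-references them: for each account it resolves the primary group from the numeric GID, collects supplementary group memberships, and classifies the shadow password field (set, locked, empty or missing). The three file excerpts are constructed from the manual's listings, with the shortened hashes used as placeholders.

```python
"""Cross-reference the passwd, shadow and group files described above.

Added example, not from the manual. The file excerpts below are constructed
(the shadow hashes are the manual's shortened placeholders, not real hashes).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PASSWD = """\
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
geeko:x:1000:100:Geeko Novell:/home/geeko:/bin/bash
tux:x:1001:100:Tux Novell:/home/tux:/bin/bash
"""
SHADOW = """\
wwwrun:*:14306::::::
geeko:$2a$05$Eso3tbJJXTVAjUdRk0L9DODn/pgleI...xyz:14309:0:99999:7:::
tux:$2a$05$mNcSSMBMxF3eZayvZxtyH.RZZjC1WkO/...def:14309:0:99999:7:::
"""
GROUP = """\
www:x:8:
video:x:33:geeko,tux
users:x:100:
"""

NOLOGIN_SHELLS = {'/bin/false', '/sbin/nologin', '/usr/sbin/nologin'}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    shell: str
    primary_group: str = ''
    groups: List[str] = field(default_factory=list)   # supplementary groups
    password_state: str = 'unknown'                    # set / locked / empty / missing


def parse_passwd(text: str) -> Dict[str, Account]:
    """name:password:UID:GID:GECOS:home:shell, one record per line."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(':', 6)
        accounts[name] = Account(name, int(uid), int(gid), shell)
    return accounts


def password_state(hash_field: str) -> str:
    """Classify the second shadow field: '*' and a leading '!' mean the account
    is locked, an empty field means no password is required at all."""
    if hash_field == '*' or hash_field.startswith('!'):
        return 'locked'
    if hash_field == '':
        return 'empty'
    return 'set'


def parse_shadow(text: str) -> Dict[str, str]:
    """name:hash:lastchange:min:max:warn:inactive:expire:reserved"""
    states = {}
    for line in text.splitlines():
        if line.strip():
            name, hash_field = line.split(':', 2)[:2]
            states[name] = password_state(hash_field)
    return states


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """name:password:GID:member,member,..."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(':', 3)
            groups[name] = (int(gid), [m for m in members.split(',') if m])
    return groups


def audit(passwd_text: str, shadow_text: str, group_text: str) -> Dict[str, Account]:
    """Join the three files into one Account record per user."""
    accounts = parse_passwd(passwd_text)
    states = parse_shadow(shadow_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    for acct in accounts.values():
        acct.primary_group = gid_to_name.get(acct.gid, str(acct.gid))
        acct.groups = sorted(g for g, (_gid, members) in groups.items() if acct.name in members)
        acct.password_state = states.get(acct.name, 'missing')
    return accounts


def risky_accounts(accounts: Dict[str, Account]) -> List[str]:
    """Accounts with a usable login shell but no password requirement."""
    return sorted(a.name for a in accounts.values()
                  if a.password_state in ('empty', 'missing') and a.shell not in NOLOGIN_SHELLS)


if __name__ == '__main__':
    for a in audit(PASSWD, SHADOW, GROUP).values():
        print(f'{a.name:<8} uid={a.uid:<5} group={a.primary_group:<6} '
              f'extra={",".join(a.groups) or "-":<8} password={a.password_state}')
```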
Storing your user and group information in the local file system has many
advantages. It's easy to manage and can be secured using file system access controls.
However, storing your user and group information locally also has several
drawbacks. Consider the following:
The passwd, shadow, and group files store information in a flat format. User and
group accounts can't be organized into a hierarchy that reflects your
organization's geographic locations or functional arrangement.
The files are stored in the local file system. If you have multiple servers and
workstations in your network and want to use the same users, groups, and
passwords, then you must synchronize these files to all of the other systems.
For years, this has been done by configuring the Network Information Service
(NIS) on your systems. You set up a NIS server that serves as a central repository
for all configuration information.
Other systems are set up as NIS clients that receive user, group, and
configuration information from the NIS server.
This solution functions well. However, it works only with Linux/UNIX systems.
If you have a heterogeneous network with multiple operating systems and a
variety of network services, you can't use NIS to distribute configuration
information.
A better solution would be to configure a centralized repository of user, group, and
configuration information on your network that allows the following:
A single point of administration: You need to be able to configure your user
and group information in one location and have it automatically applied to all
systems in your network.
A hierarchical structure: Instead of storing users and groups in an unordered
flat file, you need to be able to organize your information into a hierarchy
grouped and nested according to geographic location, organization, department,
team, and/or function.
Support for multiple operating systems: The central repository of user and
group information should be compatible with multiple operating systems.
Support for many types of information: The central repository should be
extensible such that it can store information other than just users and groups.
For example, network services running on servers in your network, such as DNS
and DHCP, should be able to store their configuration information in the central
repository instead of in a file in the local file system.
This allows you to quickly replace a service if its host server goes down. All you
have to do is reinstall the service on a different server and point it to the existing
configuration information in the central repository.
Support for replication: To prevent the creation of a single point of failure, the
central repository should be able to replicate its information to other servers in
the network. That way, if the server goes down, other servers can handle
information requests.
This is shown in the figure below:
Figure 3-1 Using a Central Repository of User and Group Information
In short, you need to ensure your crucial network information is organized and easily
accessible. This can be done using a Directory service that stores information in a
well structured, quickly searchable form.
All the network resource information is in one place: the Directory tree, which
organizes the physical network into a logical network representation.
A Directory is a compilation of services that provide discovery, security, storage, and
relationship management. A Directory does the following:
Enables access to resources on the entire network and not just specific servers
Provides secure access to network resources
Provides a scalable, indexed, and cacheable database (for performance)
Manages relationships between Directory entities, such as users and the
resources they access
With the global direction of the modern economy and current business practices, it is
logical and necessary that Directories, at least in their basic structural form, adhere to
certain standards.
X.500 is an International Organization for Standardization (ISO) and International
Telecommunication Union (ITU) standard that globally defines how Directory
services ought to be structured at the basic level.
To effectively understand and manage a Directory in your network, you need to
understand the components of the X.500 Directory. The following figure illustrates
the components of the X.500 Directory:
Figure 3-2 The X.500 Directory Model
The X.500 Directory standard includes seven essential components:
Directory Information Database (DIB) on page 125
Directory Information Tree (DIT) on page 126
Directory User Agent (DUA) on page 126
Directory System Agent (DSA) on page 126
Directory Access Protocol (DAP) on page 126
Directory System Protocol (DSP) on page 127
Directory Information Shadowing Protocol (DISP) on page 127
Directory Information Database (DIB)
A Directory is made up of objects that represent physical resources in the real world,
such as users. Collectively, these objects are known as the Directory Information
Database (DIB).
Each object, or entry, in the DIB has a distinguished name that uniquely identifies it.
Each entry consists of one or more attributes and each attribute has a value.
[Figure 3-2 diagram labels: Directory User Agent (DUA); Directory Access Protocol (DAP) between the DUA and a Directory System Agent (DSA); Directory System Protocol (DSP) between DSAs; Directory Information Shadowing Protocol (DISP) replicating the Directory Information Base (DIB) between DSAs; Directory Information Tree (DIT).]
Directory Information Tree (DIT)
The Directory Information Tree (DIT) is a tree structure that logically represents and
describes the collection of objects and the relationship of information in the DIB.
The objects are contained in a hierarchical arrangement in this tree structure. For
example, a person (object/entry) works for a company (object/entry) that is located
within a country (object/entry).
To keep the Directory organized, a set of rules is enforced to ensure that the DIB
remains stable and intact as modifications are made to it over time.
These rules are known as the Directory schema. They prevent entries from having
wrong attribute types and prevent objects from being a member of the wrong object
class.
Directory User Agent (DUA)
The X.500 specification uses a client/server approach in communicating information.
The client interacts with a server to perform specific Directory operations.
The Directory User Agent (DUA), acting as the client, is an application process that
represents each user accessing the Directory. Users are people or programs that can
read, modify, or search the Directory.
The DUA requests information from the Directory and then relays that information to
the user or program.
Directory System Agent (DSA)
The Directory System Agent (DSA) is the server side of the client/server relationship.
The DSA takes a request from a DUA, services the request, and sends replies to the
DUA. If it doesn't have the requested information, it will pass the request on to
another DSA.
The DSA consists of many different pieces, including components that communicate
with other DSAs on behalf of a DUA and components that are responsible for
replication of data between DSAs.
Directory Access Protocol (DAP)
The Directory Access Protocol (DAP) is the protocol that a DUA uses when it
communicates with a DSA to make a request of the DSA. The APIs used to access
eDirectory as well as the Lightweight Directory Access Protocol (LDAP) are
examples of a DAP.
Directory System Protocol (DSP)
If a DSA cannot fulfill the request of a DUA, the DSA passes the request to another
DSA. The Directory System Protocol (DSP) provides the communication between
the two DSAs.
Directory Information Shadowing Protocol (DISP)
The DIB should be replicated to other DSAs. This improves the performance of
requests made to the Directory and provides fault tolerance with a secondary (or
backup) copy of the DIB.
In eDirectory, the process of distributing the DIB is called replication; in the X.500
specification, it is called shadowing. The Directory Information Shadowing Protocol
(DISP) performs the actual exchange of replicated information between DSAs.
In summary, directories are designed to
Store small amounts of data that doesn't change frequently.
Provide fast searching capabilities.
Provide fast read operations.
Provide cross-platform application support.
Replicate information between Directory servers.
Control access to Directory information.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to
access and maintain information in a Directory. An LDAP Directory can be used to
store many types of information including user, group, and service configuration
settings.
LDAP is a standardized open protocol, which ensures that many different client
applications can access the information stored in the Directory.
While there are a variety of LDAP-compliant directories that you could implement on
a Linux server (including Novell eDirectory), we're going to focus on OpenLDAP in
this section.
How the LDAP Directory Tree Is Structured
An LDAP Directory uses a hierarchical tree structure. All entries (called objects) in
the Directory have a defined position within its hierarchy.
The complete path from the root of the tree to a particular entry, including the entry's
name, is called its distinguished name or DN. The DN uniquely identifies an object in
the Directory tree.
To designate an entry relative to some point in the tree (not from the root of the tree),
the object's relative distinguished name or RDN is used. Objects can be categorized
into one of two possible types:
Container objects: Container objects can contain other objects. They are like
branches within the Directory tree. Container object classes include the
following:
root: The root element of the Directory tree. In LDAP, there is no actual
object that represents the tree root.
NOTE: The tree root is also called the root entry.
dc (dcObject): Represents an element of your domain. It can represent any
part of a domain name. For example, dc=digitalairlines,dc=com.
c (country): Represents a country. For example, c=US.
o (organization): Represents an organization. For example, o=DA.
ou (organizationalUnit): Represents a division, department, team, or other
functional group within an organization.
Leaf objects: Leaf objects are like leaves at the end of tree branches. They have
no subordinate objects. Leaf objects usually represent a physical network
resource. Examples include the following:
inetOrgPerson: Represents a single user.
groupOfNames: Represents a group.
Unlike a real tree, a Directory tree is inverted. The top of the Directory tree is the tree
root. The bottom of the tree are the leaf objects. The tree root can contain one of the
following objects:
c (country)
dc (domain component)
o (organization)
There are two commonly used tree strategies for defining the top of the Directory
tree.
The first uses domain component objects to define the top of the tree hierarchy.
Beneath the domain components are organizational units that define logical
groupings of Directory objects. Consider the following example:
Figure 3-3 Using Domain Components to Define the Top of the Tree
Notice in the figure above that dc=digitalairlines,dc=com together defines the top
layer of the tree hierarchy, not dc=com by itself.
Alternatively, you could also define the top of the tree hierarchy using country
(optional), organization, and organizational unit objects. If desired, you can create a
country object at the top of the tree and then create one or more organization objects
within the country object. You can also omit the country object and simply create an
organization object at the top of the tree.
An example of this tree design is shown in the figure below:
Figure 3-4 Using an Organization Object to Define the Top Layer of the Tree
Either strategy is acceptable. Generally speaking, administrators who have prior
experience with Microsoft Active Directory tend to favor using domain components
at the top of an OpenLDAP Directory tree.
NOTE: The use of domain components is the default structure used by OpenLDAP.
Those coming from a Novell eDirectory background tend to favor using organization
objects at the top of the tree.
When working with an LDAP Directory, you need to be familiar with the following
concepts:
Objects on page 130
Context on page 134
Naming on page 134
Objects
First, you need to be familiar with the schema. The schema defines the types of
objects that can be created in your tree (such as organizationalUnit, inetOrgPerson,
and groupOfNames) and what information is required or optional at the time the
object is created.
An object (also referred to as an entry) is a unit of information about a resource,
comparable to a record in a conventional database. Different types or categories of
objects exist. An object can represent a resource (such as a user or group), service
configuration information (such as DNS records), or an organizational element (such
as a team or department).
Several sample objects are shown in the figure below:
Figure 3-5 Sample LDAP Objects
Directory objects are defined by properties and values. A property (also referred to as
an attribute) is a category of information associated with an object. Each Directory
object consists of properties that can be used to store information about the resource.
A collection of properties defines or makes up the class of an object. For example, a
groupOfNames object differs from an inetOrgPerson object in the properties it
contains and, therefore, in how the object can be used. Object classes and properties
are defined and controlled by the schema.
A value, on the other hand, is the data contained by a specific property. For example,
an inetOrgPerson object has a property called givenName, which in turn has a value,
such as Geeko.
The properties and values of the Geeko inetOrgPerson object are shown in the
following figure:
Figure 3-6 inetOrgPerson Properties and Values
The attributes and values of a groupOfNames object named Research are shown in
the following figure:
Figure 3-7 groupOfNames Object Properties and Values
Finally, the properties and values that comprise the people organizationalUnit object
are shown in the following figure:
Figure 3-8 organizationalUnit Object Properties and Values
Notice in the above figures that not all of the object properties are populated with
values. Some properties are mandatory, such as objectClass or uid, but others are
optional. The schema defines which properties are required and which are optional.
When creating an object, you must supply values for all mandatory properties;
otherwise, you won't be allowed to create the object.
The schema also defines the rules of containment, which specify which containers
can contain which object types.
A schema, therefore, must contain definitions of all object classes and attributes used
in the desired application scenario. There are several common schemas (described in
RFC 2252 and 2256). The LDAP RFCs also define a few commonly used schemas
(RFC 4519). Additionally, there are schemas available for many other applications
(such as Samba, NIS, DNS, and DHCP).
It is, however, possible to create a custom schema or to use multiple schemas
complementing each other if this is required by the environment the LDAP server
operates in.
Context
Context can be defined as an object's position in the LDAP Directory tree. It is a list
of container objects leading from the object to the root of the tree. Locating an object
through the context is similar to locating a file using the directory path.
An LDAP tree cannot have multiple leaf objects with the same name in the same
container. However, a tree can have multiple leaf objects with the same name in
different containers because their context is different.
For example, in the following figure, the difference between the two BJohnson user
objects is their context. The user object on the left is in the SLC organizational unit;
the user object on the right is in the DA organization.
Figure 3-9 Understanding Context
The context for the BJohnson object on the left is ou=SLC,o=DA. The context for the
BJohnson object on the right is o=DA.
Naming
LDAP uses naming conventions to allow you to precisely identify and locate objects
in your tree. You must provide enough information to locate the object in the tree, and
you specify this information in the object name.
For example, in the preceding figure, two user objects named BJohnson exist in
separate containers in the tree. If you log in as BJohnson, which user object should be
used?
An object name identifies an object in the tree. So, in the figure above, the exact
names are different because their object names contain information that identifies
their location in the tree.
The name of each object you create in the tree consists of the following:
Name attribute type
Name value
The attribute type of the object name determines if the object will be accessed as a
container or leaf object in the tree. The value of the object is the name you enter for
the object when you create it.
[Figure 3-9 diagram labels: organization DA; organizational unit SLC; a BJohnson user object in each container; "Login BJohnson?"]
The following name attribute types are assigned to the most common objects:
c: Country (for example, c=IR for Ireland)
o: Organization name (for example, o=DA)
ou: Organizational unit name (for example, ou=SLC)
cn: Common name of leaf objects (for example, cn=BJohnson)
An object's distinguished name (DN) is a combination of its common name and its
context. This identifies the object all the way to the top, or root, of the tree. An object
is exactly identified with a distinguished name. Two objects in the same tree cannot
have the same distinguished name.
The objects in the name are separated by commas. The names of all objects, from the
tree object to the object being named, are included in the distinguished name.
In the figure below, the distinguished name for the user object BJohnson in the
organizational unit SLC in the organization DA is cn=BJohnson,ou=SLC,o=DA. The
distinguished name for the user object BJohnson in the organization DA is
cn=BJohnson,o=DA.
Figure 3-10 Distinguished Names
A relative distinguished name (RDN), on the other hand, lists the path of objects
leading from the object being named to the container representing the current context,
or current location, in the tree.
For example, if your current context is o=DA, you could refer to each BJohnson user
object as listed below:
cn=BJohnson
cn=BJohnson,ou=SLC
When you use a relative distinguished name, LDAP must build a distinguished name
from it. This is accomplished by appending the relative distinguished name to the
current context:
RDN + Current Context = DN
[Figure 3-10 diagram labels: organization DA; organizational unit SLC; a BJohnson user object in each container; "Login BJohnson?"]
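The following Python code is an added example, not part of the manual. It applies the rule RDN + current context = DN, compares names the way a server does for cn, ou, o, and c (case-insensitively), and models the rule that one container cannot hold two entries with the same name. The tree it builds (o=DA, ou=SLC, and a BJohnson user in each container) is constructed to match Figures 3-9 and 3-10; the class and function names are the example's own.

```python
# Added example (not from the manual): compose and compare LDAP distinguished
# names according to the rule RDN + current context = DN, and enforce the
# "no two entries with the same name in one container" rule a DSA applies.
# The tree is constructed to mirror Figures 3-9 and 3-10 (o=DA, ou=SLC, two
# BJohnson users). Only the RFC 4514 backslash escape is handled here.


def split_dn(dn):
    """Split a DN into its RDNs, treating backslash-escaped commas as data."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_dn(dn):
    """Canonical form for comparison: types and values lower-cased, spaces trimmed.

    cn, ou, o, c and dc all use case-insensitive matching, so 'CN=BJohnson, O=DA'
    and 'cn=bjohnson,o=da' name the same entry.
    """
    parts = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError("RDN without attribute type: %r" % rdn)
        atype, value = rdn.split("=", 1)
        parts.append("%s=%s" % (atype.strip().lower(), value.strip().lower()))
    return ",".join(parts)


def build_dn(rdn, context):
    """RDN + current context = DN; an empty context means the RDN is already a DN."""
    return rdn if not context else "%s,%s" % (rdn, context)


def parent_dn(dn):
    """The context of an entry: everything after its first RDN."""
    return ",".join(split_dn(dn)[1:])


def same_entry(dn_a, dn_b):
    return normalize_dn(dn_a) == normalize_dn(dn_b)


class DirectoryTree:
    """A minimal model of the naming rules a DSA enforces when an entry is added."""

    def __init__(self, suffix):
        self.entries = {normalize_dn(suffix)}

    def add(self, dn):
        norm = normalize_dn(dn)
        if norm in self.entries:
            raise ValueError("an entry named %s already exists in that container" % dn)
        if normalize_dn(parent_dn(norm)) not in self.entries:
            raise ValueError("parent container %s does not exist" % parent_dn(dn))
        self.entries.add(norm)
        return norm

    def resolve(self, rdn, context):
        """Look an RDN up relative to a context; None if no such entry exists."""
        norm = normalize_dn(build_dn(rdn, context))
        return norm if norm in self.entries else None


def add_is_rejected(tree, dn):
    """True when the model refuses the add (duplicate name or missing parent)."""
    try:
        tree.add(dn)
        return False
    except ValueError:
        return True


def build_sample_tree():
    """Constructed tree: o=DA containing ou=SLC and one BJohnson in each container."""
    tree = DirectoryTree("o=DA")
    tree.add("ou=SLC,o=DA")
    tree.add("cn=BJohnson,o=DA")
    tree.add(build_dn("cn=BJohnson,ou=SLC", "o=DA"))
    return tree
```

With the sample tree, resolving cn=BJohnson in the context ou=SLC,o=DA and in the context o=DA yields two different entries, which is the answer to the "Login BJohnson?" question in the figure: the context decides which user is meant. Adding CN=bjohnson, O=DA is rejected because the server compares names case-insensitively and the entry already exists.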
Objective 2 Install and Configure OpenLDAP on SLES 11
With this conceptual information about LDAP in mind, you are now ready to install
and configure an LDAP server on SLES 11. The following topics are addressed in
this objective:
Install and Configure the LDAP Server on page 136
Install and Configure the LDAP Client on page 145
Install and Configure the LDAP Server
The first task you need to complete is to install the LDAP service on your SLES 11
server. To do this, complete the following:
1. In YaST, select Network Services > LDAP Server.
2. If the openldap package has not been installed on your server, you will be
prompted to install it.
If you are prompted to install the package, select Install.
When complete the following is displayed:
Figure 3-11 Configuring General LDAP Server Settings
3. In the General Settings screen, configure the following:
a. Under Start LDAP Server, select Yes to start the service.
b. If you want the LDAP server to register itself with an SLP Service Agent,
select Register at an SLP Daemon.
c. If your server's host firewall is enabled, select Open Port in Firewall.
4. Select Next.
The following screen is displayed:
Figure 3-12 Configuring LDAP Server TLS Settings
You use the TLS Settings screen to enable encryption for your LDAP
transmissions. Transport Layer Security (TLS) is a cryptographic protocol
derived from Secure Sockets Layer (SSL). It is used to encrypt data
transmissions between network hosts at the Transport layer of the OSI model.
5. Under Basic settings, enable encryption using TLS by configuring the following:
a. Verify that Enable TLS is selected.
If this option is selected, you also need to specify the certificate the server
should use for encryption.
b. Verify that Enable LDAP Over SSL (ldaps) Interface is selected.
This enables the LDAP server to accept ldaps connections on port 636.
NOTE: Clear-text LDAP communications use port 389. Secure LDAP communications
occur on port 636.
c. Verify that Use Common Server Certificate is selected.
This certificate was created when SLES 11 was initially installed. If you
want the LDAP server to use a different certificate, specify the appropriate
file names in the CA Certificate File, Certificate File, and Certificate Key
File fields.
NOTE: If the Use Common Server Certificate option is greyed out, click the Launch
CAManagement Module Button and create a CA and a common server certificate.
6. Select Next.
The Basic Database Settings screen is displayed:
Figure 3-13 Configuring LDAP Database Settings
7. Configure your database settings by doing the following:
a. In the Database Type field, select the database you want to use. You can
select from the following:
bdb: Configures the Berkeley Data Base as the LDAP server's backend.
hdb (default): Configures the Hierarchical Berkeley Data Base as the
LDAP server's backend. The hdb database is a variant of the bdb
database that uses a hierarchical database layout.
b. For the Base DN, use the default root entry or define a new one.
By default, the Base DN field is populated with your domain name defined
by domain component objects. This will be your root entry of your LDAP
Directory tree.
For example, in the figure above, the root element is
dc=digitalairlines,dc=com.
c. In the Administrator DN field, enter the cn of your LDAP super user.
By default, cn=Administrator is entered.
d. Next to the Administrator DN field, verify that Append Base DN is selected.
This will place your super user at the root of the tree.
In the example above, selecting this box would yield an administrator DN of
cn=Administrator,dc=digitalairlines,dc=com.
e. In the LDAP Administrator Password and Validate Password fields, type a
password for your LDAP super user.
f. (Conditional) If you want to use this database as the default database for
OpenLDAP client tools, such as ldapsearch, select Use this Database as the
Default for OpenLDAP Clients.
Marking this option causes the SLES 11 server's host name and the base DN
entered in this screen to be written to the OpenLDAP client configuration
file (/etc/openldap/ldap.conf).
8. Select Next.
9. On the Configuration Summary screen, select Finish.
10. In YaST, select LDAP Server again.
11. Expand Global Settings; then select Allow/Disallow Features.
The following is displayed:
Figure 3-14 Configuring Allow/Disallow Features
12. Under Select Allow Flags, configure the features the LDAP server should allow
(as appropriate for your server and network):
LDAPv2 Bind Requests: Enables connection requests (bind requests) from
clients using the previous version of the LDAP protocol (LDAPv2).
NOTE: In LDAP, authentication information is supplied in an operation called a bind.
Anonymous Bind When Credentials Not Empty: Normally the LDAP
server denies any authentication attempts with empty credentials (DN and/or
password). Enabling this option, however, makes it possible to connect with
a password and no DN to establish an anonymous connection.
NOTE: A client that sends an LDAP request without performing a bind operation is
treated as an anonymous client.
Unauthenticated Bind When DN Not Empty: Allows connecting without
authentication (anonymously) using a DN but no password.
Unauthenticated Update Options to Process: Allows non-authenticated
(anonymous) update operations. Access is still restricted according to ACLs and
other rules.
13. Under Select Disallow Flags, configure the features the LDAP server should not
allow (as appropriate for your server and network):
Disable Acceptance of Anonymous Bind Requests: Disables acceptance of
anonymous bind requests.
Disable Simple Bind Authentication: Disables simple bind authentication.
Simple binds use clear-text passwords.
Disable Forcing Session to Anonymous Status upon StartTLS Operation
Receipt: Disables forcing an authenticated connection back to the
anonymous state when receiving a StartTLS operation.
Disallow the StartTLS Operation if Authenticated: Disallows the
StartTLS operation on connections that have already been authenticated.
14. Expand Databases > your root entry > Password Policy Configuration.
The following is displayed:
Figure 3-15 Enabling Password Policies
15. Enable password policy settings for your LDAP server by selecting from the
following settings:
Enable Password Policies: Allows you to specify a password policy for the
LDAP server.
Hash Clear Text Passwords: Causes clear text passwords to be hashed
before they are written to the database whenever they are added or modified.
Disclose "Account Locked" Status: Provides a meaningful error message
to bind requests for locked accounts.
NOTE: We recommend that you do not enable this option. A distinct "account locked"
error lets an attacker tell a locked account from a wrong password, which confirms
that the account exists and reveals that a lockout policy is in effect.
Default Policy Object DN: By default, YaST creates an object named
Default Policy in your root entry. Change this name as desired.
16. Specify your password policy settings by doing the following:
a. Select Edit Policy.
b. When prompted, type your LDAP administrator's password and select OK.
The Password Change Policies tab in the Password Policy Configuration
screen is displayed:
Figure 3-16 Configuring Password Change Policies
c. On the Password Change Policies tab, configure the following:
Maximum Number of Passwords Stored in History: Determines the
maximum number of passwords stored in the password history. Saved
passwords may not be reused by the user.
User Must Change Password after Reset: Determines whether users
need to change their password after a reset by the administrator.
User Can Change Password: Determines whether users can change
their own passwords.
Old Password Required for Password Change: Requires the old
password for password changes.
Password Quality Checking: Determines whether, and to what extent,
passwords should be subject to quality checking. You can set a minimum
password length that must be met before a password is valid in the
Minimum Password Length field.
If you select Accept Uncheckable Passwords, users may set passwords that
the server cannot inspect (for example, passwords sent already hashed by
the client), and no quality checks are performed on them. If you select
Only Accept Checked Passwords, only passwords that pass the quality tests
are accepted as valid.
d. Select the Password Aging Policies tab.
The following is displayed:
Figure 3-17 Configuring Password Aging Policies
e. Configure the following password aging policies:
Minimum Password Age: Determines the minimum password age (the
time that needs to pass between two valid password changes).
Maximum Password Age: Determines the maximum password age.
Time before Password Expiration to Issue Warning: Determines the
time between a password expiration warning and the actual password
expiration.
Allowed Uses of an Expired Password: Sets the number of grace binds
that are still accepted with an expired password before the password
stops working entirely.
f. Select the Lockout Policies tab.
The following is displayed:
Figure 3-18 Configuring Lockout Policies
g. Configure the following lockout policies on the Lockout Policies tab:
Enable Password Locking: Locks an account after repeated failed binds.
Bind Failures to Lock the Password: Determines the number of bind
failures that trigger a lock.
Password Lock Duration: Determines how long the lock remains in effect
before binds are accepted again.
Bind Failures Cache Duration: Determines how long a bind failure is
remembered and counted toward the lock threshold; failures older than
this are purged and no longer count.
h. Select OK.
17. On the Password Policy Setting screen, select OK.
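The lockout and history fields above map onto the OpenLDAP ppolicy overlay's attributes (pwdMaxFailure, pwdLockoutDuration, pwdFailureCountInterval, and pwdInHistory). The following is an added example, not code from this manual or from OpenLDAP: a small Python simulation of how those settings interact over a series of bind attempts, so you can see what a given combination of values does before you set it. The class and function names are this example's own, the timestamps are constructed, and the stand-in hash is not OpenLDAP's storage format.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import hashlib


def toy_hash(password: str) -> str:
    # Stand-in for the server-side password hash (an assumption of this example,
    # not OpenLDAP's {SSHA} format); enough to compare passwords without storing them.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordPolicy:
    max_failure: int = 5               # "Bind Failures to Lock the Password" (pwdMaxFailure)
    lockout_duration: int = 900        # "Password Lock Duration", seconds (pwdLockoutDuration); 0 = until admin reset
    failure_count_interval: int = 600  # "Bind Failures Cache Duration", seconds (pwdFailureCountInterval)
    in_history: int = 5                # "Maximum Number of Passwords Stored in History" (pwdInHistory)


@dataclass
class Account:
    password: str                                           # current password hash
    failure_times: List[int] = field(default_factory=list)  # pwdFailureTime values (epoch seconds)
    locked_at: Optional[int] = None                         # pwdAccountLockedTime
    history: List[str] = field(default_factory=list)        # pwdHistory (hashes of previous passwords)


def bind(account: Account, policy: PasswordPolicy, password: str, now: int) -> str:
    """Simple bind at time `now`; returns 'ok', 'invalid' or 'locked'."""
    if account.locked_at is not None:
        still_locked = (policy.lockout_duration == 0
                        or now < account.locked_at + policy.lockout_duration)
        if still_locked:
            return "locked"           # even the right password is refused while locked
        account.locked_at = None      # lock expired: start with a clean slate
        account.failure_times = []
    # failures older than the cache duration are purged before they are counted
    if policy.failure_count_interval > 0:
        account.failure_times = [t for t in account.failure_times
                                 if now - t < policy.failure_count_interval]
    if toy_hash(password) == account.password:
        account.failure_times = []    # a successful bind resets the failure count
        return "ok"
    account.failure_times.append(now)
    if len(account.failure_times) >= policy.max_failure:
        account.locked_at = now
        return "locked"
    return "invalid"


def change_password(account: Account, policy: PasswordPolicy, new_password: str) -> bool:
    """Reject the current password and the last `in_history` previous ones; otherwise rotate."""
    new_hash = toy_hash(new_password)
    recent = account.history[-policy.in_history:] if policy.in_history > 0 else []
    if new_hash == account.password or new_hash in recent:
        return False
    if policy.in_history > 0:
        account.history = (account.history + [account.password])[-policy.in_history:]
    account.password = new_hash
    account.locked_at = None          # a password reset also clears the lock
    account.failure_times = []
    return True


def demo() -> dict:
    """Walk one account through the policy with constructed timestamps (seconds)."""
    policy = PasswordPolicy(max_failure=3, lockout_duration=60, failure_count_interval=120)
    acct = Account(password=toy_hash("correct horse"))
    return {
        "two_failures": [bind(acct, policy, "wrong", t) for t in (0, 10)],              # invalid, invalid
        "old_failures_purged": bind(acct, policy, "wrong", 200),                        # invalid: first two aged out
        "third_in_window_locks": [bind(acct, policy, "wrong", t) for t in (210, 220)],  # invalid, locked
        "correct_while_locked": bind(acct, policy, "correct horse", 230),               # locked
        "after_lock_expires": bind(acct, policy, "correct horse", 300),                 # ok
        "reuse_rejected": change_password(acct, policy, "correct horse"),               # False
        "change_accepted": change_password(acct, policy, "new passphrase"),             # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The purge in bind() is the point of the Bind Failures Cache Duration field: two failures that are older than the interval do not count toward the threshold, so a slow guessing attack that stays below max_failure per interval never locks the account, which is why that interval should not be shorter than the lock duration. A lockout duration of 0 is modelled as "locked until an administrator resets the password".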
At this point, the LDAP daemon (ldap) is started on your server. The executable file
that provides this service is /usr/lib/openldap/slapd. The daemon is
managed using the /etc/init.d/ldap init script (or its rcldap link).
You can use the following options with this init script:
/etc/init.d/ldap start: Starts the LDAP daemon.
/etc/init.d/ldap stop: Stops the LDAP daemon.
/etc/init.d/ldap status: Displays the status of the LDAP daemon.
After the installation and configuration is complete, the LDAP daemon is started. It is
configured to run automatically in runlevels 3 and 5.
Install and Configure the LDAP Client
At this point, the LDAP Directory service has been installed on the SLES 11 server.
However, it contains only a few entries. If you were to use the YaST LDAP Browser
module to access your LDAP tree, you would see it contains only the root entry, as
shown below:
Figure 3-19 Minimal LDAP Directory Tree
In addition, your SLES server system is still configured to authenticate users only
against its local files (/etc/passwd and /etc/shadow) through PAM and NSS.
To fix this, you need to configure the LDAP client on the server and on all other
systems that will use the LDAP service for authentication. To do this, complete the
following:
1. In YaST, select Network Services > LDAP Client.
The following is displayed:
Figure 3-20 Configuring the System as an LDAP Client
2. To use the OpenLDAP server for user authentication on the system, select Use
LDAP.
When you do, your /etc/nsswitch.conf configuration file will be updated
accordingly.
Prior to enabling the LDAP Client, your server was probably configured to use
the /etc/passwd, /etc/shadow, and /etc/group files to store user
accounts. In this configuration, your server's /etc/nsswitch.conf file
probably appeared similar to the following:
#
# For more information, please read the nsswitch.conf.5
# manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
After enabling the LDAP client, your system is reconfigured to consult both the
local files and the LDAP directory service. Your /etc/nsswitch.conf file is
updated in a manner similar to the following. Note that passwd stays in compat
mode: the added passwd_compat: ldap line tells the compat source to take its "+"
entries from LDAP, while group, services, netgroup, and aliases list ldap
directly as a second source after files:
#
# For more information, please read the nsswitch.conf.5
# manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat
group: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
3. In the Address of LDAP Servers field, type the IP address of your LDAP server.
If your LDAP service is configured to advertise itself via SLP, you can select
Find to locate it.
4. In the LDAP Base DN field, type the root entry of your LDAP directory.
To retrieve the base DN automatically, you can select Fetch DN. YaST will
check for an LDAP database on the server specified above.
5. If TLS or SSL protected communication with the server is required, select LDAP
TLS/SSL.
6. If the LDAP server still uses LDAPv2, explicitly enable the use of this protocol
version by selecting LDAP Version 2.
7. Select Start Automounter to mount remote directories on your client, such as a
remotely managed /home directory.
8. Select Create Home Directory on Login to have a user's home automatically
created on the first user login.
9. Select Advanced Configuration.
The Client Settings tab is displayed:
Figure 3-21 Configuring Advanced LDAP Client Settings
10. On the Client Settings tab, adjust the following settings according to your needs:
a. If the search base for users, passwords, and groups differs from the global
search base specified in the LDAP base DN, type the appropriate name
contexts in following fields.
User Map
Password Map
Group Map
These values are set in the nss_base_passwd, nss_base_shadow, and
nss_base_group options in the /etc/ldap.conf file.
b. From the Password Change Protocol drop-down list, specify the password
change protocol.
You can select from the following options:
clear: Changes passwords using an LDAPModify request, replacing the
userPassword value with the new clear-text password.
clear_remove_old: Changes passwords using an LDAPModify request,
first removing the userPassword value containing the old clear-text
password, and then adding the userPassword value with the new clear-
text password. This protocol is necessary for use with Novell NDS and
IBM RACF.
crypt: Changes passwords using an LDAPModify request, first
generating a one-way hash of the new password using crypt and then
replacing userPassword value with the new hashed password.
md5: Changes passwords using an LDAPModify request, first
generating a one-way hash of the new password using MD5 and then
replacing userPassword value with the new hashed password.
nds: This is an alias for clear_remove_old.
racf: This is an alias for clear_remove_old.
ad: Changes passwords using an LDAPModify request, using the Active
Directory Services Interface (ADSI) password change protocol.
exop (default): Changes passwords using the RFC 3062 password
modify extended operation (only the new password is sent).
exop_send_old: Changes passwords using the RFC 3062 password
modify extended operation (both the old and new passwords are sent).
This setting is configured in the pam_password attribute of the /etc/ldap.conf
file. exop is the default and the preferred choice: the server hashes the password
with its own scheme and can apply the password policy checks described earlier.
With crypt or md5 the password arrives already hashed, so the server cannot check
its quality (these are the "uncheckable passwords" mentioned above), and with clear
the userPassword value is written exactly as sent unless the server hashes clear
text passwords itself.
c. From the Group Member Attribute drop-down list, select the LDAP attribute
that holds the members of a group.
The default value is member.
11. Select the Administration Settings tab.
The following is displayed:
Figure 3-22 Configuring Advanced Administration Settings in the LDAP Client
12. Configure the following settings on the Administration Settings tab:
a. In the Configuration Base DN field, type the base context for storing your
user management data.
b. In the Administrator DN field, type your administrator user's DN.
This DN must be identical to the rootdn value specified in /etc/openldap/
slapd.conf to enable this user to manipulate data stored on the LDAP server.
You can enter the full DN (such as cn=Administrator,dc=digitalairlines,
dc=com) or type cn=Administrator and select Append Base DN to have the
base DN added automatically.
c. Select Create Default Configuration Objects to create the basic
configuration objects required to enable user management via LDAP.
d. If your LDAP server should act as a file server for home directories across
your network, select Home Directories on This Machine.
e. Use the Password Policy section to select, add, delete, or modify the
password policies to use.
13. Configure the YaST Group and User Administration modules.
You use the YaST LDAP Client module to adapt the YaST User and Group
Administration modules to support LDAP accounts by doing the following:
a. Select Configure User Management Settings.
b. When prompted, enter your Administrator user's password.
c. When prompted that the ldapconfig organizational unit doesn't exist, select
Yes to create it now.
d. Select New.
e. To create a new user configuration module, select suseUserConfiguration.
f. In the Name of New Module field, type Users; then select OK.
A table is displayed listing all attributes allowed in this module with their
assigned values:
Figure 3-23 Configuring the Users Module
Notice that the template is connected to its module using the
susedefaulttemplate attribute value, which is set to the DN of the template.
g. If you want to change an attribute, select the desired attribute; then select
Edit.
h. If you want to configure the user template, select Configure Template.
Figure 3-24 Configuring the Users Template
i. To change a template attribute, select the desired attribute; then select Edit.
j. To modify the default values for new objects, use the Add, Edit, or Delete
buttons.
k. When done, select OK.
l. On the Module Configuration screen, select New.
m. To create a new group configuration module, select
suseGroupConfiguration.
n. In the Name of New Module field, type Groups; then select OK.
The following is displayed:
Figure 3-25 Configuring the Groups Module
Notice that the template is connected to its module using the
susedefaulttemplate attribute value, which is set to the DN of the template.
o. If you want to change an attribute, select the desired attribute; then select
Edit.
p. If you want to configure the groups template, select Configure Template.
The following is displayed:
Figure 3-26 Configuring the Groups Template
q. To change a template attribute, select the desired attribute; then select Edit.
r. To modify the default values for new objects, use the Add, Edit, or Delete
buttons.
s. When done, select OK.
t. In the Module Configuration screen, select OK.
14. On the Advanced Configuration screen, select OK.
15. On the LDAP Client Configuration screen, select OK.
16. If prompted, install the pam_ldap and nss_ldap packages by selecting Install.
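To check what the LDAP Client module actually did to /etc/nsswitch.conf on each system you configure, the following is an added example (not from this manual and not part of YaST): a small Python parser for nsswitch.conf that reports the effective sources for passwd, shadow, and group, expanding the compat/passwd_compat pairing shown in step 2 above. The sample file is the post-configuration file from step 2 reduced to the relevant lines; the function names and the wording of the findings are this example's own.

```python
from typing import Dict, List

# Constructed sample: the nsswitch.conf from step 2 after the LDAP Client module
# rewrote it, reduced to the databases that matter for user lookups.
NSSWITCH_AFTER = """\
# passwd: files nis
passwd: compat
group: files ldap
hosts: files dns
services: files ldap
netgroup: files ldap
automount: files nis
aliases: files ldap
passwd_compat: ldap
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its list of sources, ignoring comments, blank lines
    and action specifications such as [NOTFOUND=return]."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def effective_sources(dbs: Dict[str, List[str]], db: str) -> List[str]:
    """Expand `compat`: it reads the local file and takes its "+" entries from the
    service named in <db>_compat. A database that is not listed at all is reported
    as "default", meaning the libc default applies."""
    sources = dbs.get(db)
    if sources is None:
        return ["default"]
    out: List[str] = []
    for s in sources:
        if s == "compat":
            out.append("files")
            out.extend(f"{c} (via {db}_compat, '+' entries)" for c in dbs.get(f"{db}_compat", []))
        else:
            out.append(s)
    return out


def uses_ldap(dbs: Dict[str, List[str]], db: str) -> bool:
    return any(src.startswith("ldap") for src in effective_sources(dbs, db))


def ldap_databases(dbs: Dict[str, List[str]]) -> List[str]:
    """Every database line that names ldap as a source, for a quick diff against expectations."""
    return sorted(db for db, srcs in dbs.items() if "ldap" in srcs)


def audit(text: str) -> List[str]:
    """Findings a practitioner wants after enabling the LDAP client."""
    dbs = parse_nsswitch(text)
    report = [f"{db}: {', '.join(effective_sources(dbs, db))}" for db in ("passwd", "shadow", "group")]
    if uses_ldap(dbs, "passwd") and not uses_ldap(dbs, "shadow"):
        report.append("note: shadow does not consult LDAP, so pam_unix cannot see LDAP "
                      "password hashes; LDAP users must authenticate through pam_ldap")
    stale = sorted(db for db, srcs in dbs.items() if "nis" in srcs)
    if stale:
        report.append("note: nis still listed for " + ", ".join(stale))
    return report


if __name__ == "__main__":
    for line in audit(NSSWITCH_AFTER):
        print(line)
```

Run it against the real file with `audit(open("/etc/nsswitch.conf").read())`. The two notes it raises on the sample are worth a look on a production client: the shadow database is left to the libc default, and automount still names nis although the LDAP client replaced nis everywhere else.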
You can repeat this process to configure the LDAP Client on all SLES or SLED
systems that will use the LDAP server for authentication. The configuration of YaST
Group and User Administration modules has to be done only once, not on every
LDAP client.
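The password change protocols in step 10 differ in where the password is hashed and in what form the userPassword value is stored: clear writes the password as sent, crypt and md5 hash it on the client, and exop lets the server hash it with its own scheme. The following is an added example (not from this manual, OpenLDAP, or pam_ldap) that produces and verifies userPassword values in OpenLDAP's {SSHA} scheme (base64 of SHA-1(password + salt) followed by the salt) and in the unsalted {MD5} scheme (base64 of the MD5 digest), models what the server stores with and without the Hash Clear Text Passwords option, and flags values that should not appear in a directory dump. The helper names and the sample passwords are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """userPassword value in OpenLDAP's {SSHA} scheme: base64(SHA-1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """userPassword value in the unsalted {MD5} scheme: base64(MD5(pw))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.
    Handles {SSHA}, {MD5} and scheme-less (clear-text) values with constant-time compares."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        raw = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    return hmac.compare_digest(pw, stored.encode("utf-8"))  # no scheme prefix: stored in clear


def scheme(stored: str) -> str:
    """The {SCHEME} prefix of a userPassword value, or 'clear' if it has none."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return "clear"


def server_store(incoming: str, hash_cleartext: bool) -> str:
    """What slapd ends up writing for a userPassword modify: with the ppolicy
    'Hash Clear Text Passwords' option a clear value is hashed on the way in
    (the scheme here is an assumption; slapd uses its password-hash setting),
    while a value that already carries a scheme prefix is stored as received."""
    if scheme(incoming) == "clear" and hash_cleartext:
        return ssha_hash(incoming)
    return incoming


def weak_values(values: List[str]) -> List[str]:
    """Flag userPassword values a reviewer should not find in a directory dump:
    clear text, and unsalted digests where two users with the same password share a hash."""
    flagged = []
    for v in values:
        s = scheme(v)
        if s == "clear":
            flagged.append(f"{v!r}: stored in clear text")
        elif s in ("{MD5}", "{SHA}"):
            flagged.append(f"{v}: unsalted {s} digest")
    return flagged


if __name__ == "__main__":
    # constructed sample values: one per storage form
    sample = [ssha_hash("Ch4meleon!"), md5_hash("Ch4meleon!"), "Ch4meleon!"]
    for v in sample:
        print(scheme(v), verify("Ch4meleon!", v))
    print(weak_values(sample))
```

Two things are visible in the test below that the step 10 text only implies: the same password produces identical {MD5} values for every user (so one cracked hash exposes every account that shares it), while {SSHA} values differ per salt; and a value stored with the clear protocol is recoverable by anyone who can read the userPassword attribute, which is why the server-side hashing option matters when clients are not using exop.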
Objective 3 Add, Modify, and Delete Entries to the LDAP Directory Tree
In the previous objectives in this section, you learned how to install and configure the
OpenLDAP server and client on your SLE systems. However, at this point there are
no user accounts in the LDAP directory tree.
In this objective, you learn how to manage users and groups in the LDAP directory
tree. The following topics are addressed:
Managing LDAP Users and Groups from the Shell Prompt on page 155
Managing LDAP Users and Groups in YaST on page 159
Managing LDAP Users and Groups from the Shell Prompt
Just as you can add, delete, and modify local user and group accounts using command
line tools, you can also manage users and groups in the LDAP directory from the
shell prompt.
For accounts stored locally, you use the following commands to manage users and
groups from the shell prompt:
useradd: Create new user accounts.
userdel: Delete existing user accounts.
usermod: Modify an existing user account.
passwd: Modify a user's password.
groupadd: Create new groups.
groupdel: Delete existing groups.
groupmod: Modify an existing group.
If you have installed and configured OpenLDAP on your servers and workstations,
you can still use these utilities to manipulate accounts stored in /etc/passwd, /
etc/shadow, and /etc/group. To use these commands to manage users in the
LDAP directory instead, add the options --service ldap -D binddn (for example,
-D cn=Administrator,dc=digitalairlines,dc=com). You are prompted for the
password of the Administrator.
NOTE: Remember that after installing the LDAP Client, your system is configured (by default) to
use both the local files and the LDAP directory for authentication.
In addition to the above tools to manage LDAP users and groups from the shell
prompt, you can use a special set of utilities. First, you can use the ldapsearch
utility to search for entries within the LDAP directory. The syntax for using
ldapsearch is as follows:
ldapsearch -x -b search_base "(objectClass=*)"
The -b option specifies the context in the tree where the search should be performed.
The -x option selects simple authentication instead of SASL; without -D and -W the
command performs an anonymous bind, which only works if anonymous binds are not
disallowed on the server. Add -ZZ to require StartTLS so that credentials and
results are not sent in clear text. The (objectClass=*) filter matches every
object below the search base.
This command option can be used after the creation of a new directory tree to verify
that all entries have been recorded correctly and the server responds as desired. For
example:
ldapsearch -x -b dc=digitalairlines,dc=com
"(objectClass=*)"
When you enter this command, the tree is queried at the specified context and the
results are displayed, as shown below:
Figure 3-27 Viewing the Output of the ldapsearch Command
Notice that the output is formatted using the LDAP Data Interchange Format (LDIF),
which is a plain-text way of describing LDAP directory entries. LDIF is a standard
that defines an ASCII text file format used to import or export data to and from an
LDAP-compliant directory service.
LDIF files are commonly used to initially build a directory database or to add large
numbers of entries to a directory at the same time. LDIF files can also be used to
make changes to existing directory entries. LDIF files consist of one or more entries
separated by a blank line. Each LDIF entry consists of an optional entry ID, a
required distinguished name, one or more object classes, and multiple attribute
definitions.
The basic syntax of an LDIF file is as follows:
dn: distinguished name
changetype: type of change
objectClass: object class
attribute type: attribute value
Only the DN and at least one object class definition are required. Attributes required
by object classes you define for the entry must also be defined. Other attributes and
object classes are optional. You can specify object classes and attributes in any order.
The following describes the LDIF fields shown in the previous example:
Table 3-1 LDIF Fields
Parameter Value
dn Distinguished name for the entry.
changetype Valid changetype values include add, modify, moddn, and delete.
objectClass Object class to use with this entry. Each object class defines the types of
attributes allowed or required for the entry.
attribute type Attribute to define for the entry.
attribute value Value to be assigned to the attribute type.
For example, you could use the following LDIF file to define a user named geeko:
# geeko LDIF
dn: cn=geeko,ou=People,dc=digitalairlines,dc=com
changetype: add
objectClass: inetOrgPerson
cn: geeko
givenName: Geeko
sn: Chameleon
mail: geeko@digitalairlines.com
uid: geeko
telephoneNumber: 801-861-7000
Understanding LDIF files is important because you can use them in conjunction with
the ldapadd command to add new users to the LDAP directory from the shell
prompt. This command uses the following syntax:
ldapadd -x -D administrator_DN -W -f ldif_file
The -x option selects a simple bind instead of SASL authentication. The -D option
specifies the DN used to bind to the directory. The -W option prompts you for that
user's password. The -f option specifies the name of the LDIF file to import.
For example, to import an LDIF file named geeko.ldif into the LDAP directory, you
would use the following command (in one line):
ldapadd -x -D cn=Administrator,dc=digitalairlines,dc=com
-W -f geeko.ldif
When done, the entry defined in the geeko.ldif file is imported (as shown on the
previous page). The output from the command is shown below:
da1:~ # ldapadd -x -D cn=Administrator,dc=digitalairlines,dc=com \
-W -f geeko.ldif
Enter LDAP Password:
adding new entry "cn=geeko,ou=People,dc=digitalairlines,dc=com"
da1:~ #
The LDIF file used with ldapadd can contain one or many directory entries defined
within it. This allows you to, if appropriate, populate your entire LDAP directory
with one single ldapadd command.
Just as you use usermod to modify an existing local user account, you use the
ldapmodify command to modify an existing entry in the LDAP directory. As with
the ldapadd command, you run the command from the shell prompt and pass to it the
name of an LDIF file to process.
With the ldapadd command, you use the changetype: add command in the LDIF file
to specify that the entry be added to the directory. With the ldapmodify command,
however, you use the changetype: modify command in the LDIF file to indicate that
an existing entry should be modified using the attributes and values listed in the file.
For example, if you needed to change the geeko user's phone number to 801-555-7001,
you could create a file (here named newuser2.ldif) similar to the following:
# geeko modify
dn: cn=geeko,ou=People,dc=digitalairlines,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: 801-555-7001
NOTE: Make sure you have no trailing white spaces at the end of the lines, as these
become part of the value and can cause errors.
Then you import the LDIF modify file into the LDAP directory using the following
command (in one line):
ldapmodify -x -D
cn=Administrator,dc=digitalairlines,dc=com -W -f
newuser2.ldif
When you do, the following is displayed:
da1:~ # ldapmodify -x -D cn=Administrator,dc=digitalairlines,dc=com \
-W -f newuser2.ldif
Enter LDAP Password:
modifying entry "cn=geeko,ou=People,dc=digitalairlines,dc=com"
da1:~ #
Finally, you can delete entries from the LDAP directories using the ldapdelete
command. The syntax for this utility is similar to that used by the other LDAP shell
commands. For example, to delete the geeko user we just created, you would enter
the following (in one line):
ldapdelete -x -D
cn=Administrator,dc=digitalairlines,dc=com -W
cn=geeko,ou=People,dc=digitalairlines,dc=com
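The LDIF files in this objective are written by hand. The following is an added example (not from this manual and not OpenLDAP's tooling) that generates add, modify, and delete records programmatically so that they follow the LDIF rules ldapadd and ldapmodify expect: a value that starts with a space, colon, or "<", ends with a space, or contains non-ASCII or control characters is written base64-encoded after "::"; long logical lines are folded at 76 columns with a single leading space on each continuation line; and a lint catches the trailing white space the note above warns about. It also parses such records back, as ldapsearch prints them. The delete record is for ldapmodify (ldapdelete itself takes the DN on the command line, as shown above). The function names and the postalAddress value used in the test are this example's own.

```python
import base64
from typing import Dict, List, Tuple

LDIF_WIDTH = 76  # RFC 2849 recommends folding lines at 76 characters


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test: such values must be written as 'attr:: base64'."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in value)  # control bytes, CR/LF, non-ASCII


def fold(line: str, width: int = LDIF_WIDTH) -> str:
    """Split a long logical line; every continuation line starts with one space."""
    pieces = [line[:width]]
    pos = width
    while pos < len(line):
        pieces.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return "\n".join(pieces)


def attr_line(attr: str, value: str) -> str:
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return fold(f"{attr}:: {encoded}")
    return fold(f"{attr}: {value}")


def ldif_add(dn: str, attrs: List[Tuple[str, str]]) -> str:
    lines = [attr_line("dn", dn), "changetype: add"]
    lines += [attr_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def ldif_modify(dn: str, ops: List[Tuple[str, str, List[str]]]) -> str:
    """ops are (operation, attribute, values) with operation add/replace/delete;
    each operation is terminated by a line containing only '-'."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        lines += [attr_line(attr, v) for v in values]
        lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_delete(dn: str) -> str:
    return attr_line("dn", dn) + "\nchangetype: delete\n"


def unfold(text: str) -> List[str]:
    """Join continuation lines back onto the logical line they belong to."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1] != "":
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Read add records or ldapsearch output back into {attribute: [values]}.
    Records are separated by blank lines; '::' values are base64-decoded."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    return records


def trailing_whitespace_lines(text: str) -> List[int]:
    """1-based numbers of lines whose trailing blanks would silently become part of the value."""
    return [n for n, line in enumerate(text.splitlines(), 1) if line != line.rstrip(" \t")]


if __name__ == "__main__":
    dn = "cn=geeko,ou=People,dc=digitalairlines,dc=com"
    print(ldif_add(dn, [("objectClass", "inetOrgPerson"), ("cn", "geeko"), ("sn", "Chameleon"),
                        ("postalAddress", "Geeko-Straße 1")]))   # constructed non-ASCII value
    print(ldif_modify(dn, [("replace", "telephoneNumber", ["801-555-7001"])]))
```

Write the result to a file and feed it to ldapadd -f or ldapmodify -f exactly as in the commands above. The parser is what you want when auditing an `ldapsearch -x -b ...` dump: userPassword values come back base64-encoded on a `userPassword::` line, and the decoded value is what the previous examples in this objective inspect.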
Managing LDAP Users and Groups in YaST
As with local user accounts, you can manage LDAP users and groups using YaST
modules as well as command line utilities. To do this, complete the following:
1. Start YaST, then select Security and Users > User and Group Management.
2. On the Users tab, select Set Filter > LDAP Users.
3. When prompted, enter your LDAP Administrator user's password.
The following screen is displayed:
Figure 3-28 Managing Users in YaST
4. To add a new user, do the following:
a. Select Add.
The User Data tab in the New LDAP User screen is displayed:
Figure 3-29 Creating a New LDAP User
b. Enter the following information about the user:
First Name
Last Name
Username
Password
c. Select the Details tab.
The following is displayed:
Figure 3-30 Configuring New User Details
Notice that the fields on the Details tabs are already populated for the new
user. You defined these defaults when you set up your user and group
templates earlier.
d. Select OK.
The new user is added to your list of LDAP users, as shown below:
Figure 3-31 Viewing a New LDAP User
5. To edit an existing LDAP user, select the user to be modified, then select Edit.
6. Make the appropriate changes to the User Data and Details tabs, then select OK.
7. To delete an LDAP user, select the user to be removed, then select Delete.
8. When you're done, select OK.
Managing LDAP groups is done in a similar manner. Do the following:
1. Start YaST, then select Security and Users > User and Group Management.
2. Select the Groups tab, then select Set Filter > LDAP Groups.
3. When prompted, enter your LDAP Administrator user's password.
A list of your LDAP groups is displayed, as shown below:
Figure 3-32 Managing LDAP Groups
4. To add a new group, select Add.
The following is displayed:
Figure 3-33 Creating a New LDAP Group
5. Enter the following information for the group:
Group Name
Group ID (should be automatically populated based on the template you
created earlier)
Password (optional)
6. In the right column, select the users you want to be members of the group.
7. Select OK.
Figure 3-34 Viewing New LDAP Groups
8. As with LDAP users, you can use the Edit and Delete options on this screen to
modify or remove an LDAP group.
9. When complete, select OK.
You can use the YaST LDAP Browser module to view the contents of your LDAP
tree graphically. To do this, complete the following:
1. Start YaST, then select Network Services > LDAP Browser.
2. (Conditional) If this is the first time you access your LDAP tree, you must
configure an LDAP connection for the LDAP Browser.
a. On the LDAP Connections screen, select Add.
b. Enter a name for the connection, then select OK.
c. Specify the following information for the connection:
LDAP Server: The IP address or DNS name of your LDAP server.
Administrator DN: The DN of your LDAP server's Administrator user.
LDAP Server Password: Your Administrator user's password.
LDAP TLS: If your LDAP server uses TLS, select this option so that the
administrator password is not sent over the network in clear text.
An example is shown in the following:
Figure 3-35 Configuring an LDAP Connection
d. Select OK.
Your LDAP tree is displayed.
3. Double-click your root entry in the left pane.
You should see your first-level container objects, as shown below:
Figure 3-36 Viewing the LDAP Tree
You can use the left pane to navigate through the tree. Whenever you select an
object in the left pane, its attributes and values are displayed in the right pane.
For example, if you were to select uid=tux,ou=People,dc=digitalairlines,
dc=com, you would see the various attributes that comprise the tux user object
and its associated values in the right pane, as shown below:
Figure 3-37 Viewing an Object and Its Attributes
4. If you need to edit an attribute value, do the following:
a. Double-click the attribute in the right pane.
A window similar to the following is displayed:
Figure 3-38 Editing an Attribute Value in the LDAP Browser
b. Make the desired change, then select OK.
5. When you're done, select Close.
Exercise 3-1 Configure OpenLDAP on SLE 11
In this exercise, you install and configure an LDAP server on DA1. You then
configure the LDAP client on your DA1 server and on your workstation.
You will find this exercise in the workbook.
(End of Exercise)
Summary
Objective: Describe How LDAP Works
LDAP stands for Lightweight Directory Access Protocol. It's a set of protocols designed to access and maintain information in a Directory. An LDAP Directory can be used to store many types of information including user, group, and service configuration settings. LDAP is a standardized open protocol, which ensures that many different client applications can access the information stored in the Directory.
A Directory is a compilation of services that provide discovery, security, storage, and relationship management. A Directory does the following:
Enables access to resources on the entire network and not just specific servers
Provides secure access to network resources
Provides a scalable, indexed, and cacheable database (for performance)
Manages relationships between Directory entities, such as users and the resources they access
An LDAP Directory uses a hierarchical tree structure. All entries (called objects) in the Directory have a defined position within its hierarchy. The complete path from the root of the tree to a particular entry, including the entry's name, is called its distinguished name or DN. The DN uniquely identifies an object in the Directory tree.
Objects can be categorized into one of two possible types:
Container Objects
Leaf Objects
When working with an LDAP Directory, you need to be familiar with the following concepts:
Objects
Context
Naming
Objective: Install and Configure OpenLDAP on SLES 11
SLES and SLED 11 can be configured to use an LDAP Directory service to store user accounts and service configuration information. To do this, you need to complete the following tasks:
1. Configure the LDAP server.
2. Configure the LDAP client.
Objective: Add, Modify, and Delete Entries to the LDAP Directory Tree
If you have installed and configured OpenLDAP on your servers and workstations, you can still use your standard command line user management utilities to manipulate accounts stored in /etc/passwd, /etc/shadow, and /etc/group. To use these commands to manage users in the LDAP directory, you have to add the options --service ldap -D binddn, where binddn is the DN of an account with write access to the entries (you are prompted for its password).
In addition, you can use a special set of user management utilities:
ldapsearch
ldapadd
ldapmodify
YaST User Management Module
SECTION 4 Configure and Use Samba
In this section, you will learn how to configure SLES 11 as a file and print server for Linux, OS X, and Windows workstations using Samba.
Objectives
1. Describe the Role and Function of Samba on page 174
2. Configure a Simple File Server with Samba on page 178
3. Configure Samba Authentication on page 192
4. Use Samba's Client Tools on page 202
5. Use Samba as a Domain Controller on page 207
6. Integrate Samba into a Windows Domain on page 219
Objective 1 Describe the Role and Function of Samba
Using Samba, a Linux system can be configured as a file and print server for Linux, Mac OS X, Windows, and OS/2 workstations. Essentially, Samba allows your Linux system to emulate a Windows server. Users can access shared directories and printers on the Linux server just as they would on a Windows server. You can configure Samba as a domain controller. You can even join an Active Directory domain.
The key to making all of this work is the fact that Samba uses the Server Message Block (SMB) protocol. To fully implement Samba, you need to have a solid understanding of SMB. In this objective, you learn the following:
SMB Overview on page 174
NetBIOS Overview on page 174
How SMB Communications Work on page 176
SMB Overview
The earliest version of the SMB protocol was developed by IBM in the 1980s. The protocol was later integrated natively into the Windows desktop and server operating systems, and Linux/UNIX implementations followed. Using the Samba package, a Linux server can serve native Windows clients.
The SMB protocol implements sharing. Shared resources, such as directories and printers, are referenced using the Universal Naming Convention (UNC). UNC uses the following syntax to identify a share:
\\server_name\share_name
For example, if you had a SLES 11 server named DA1 with Samba configured, you could create a directory named /home/shared as a place for network users to store their files. Using Samba, you could share this directory with the share name shared. To reference the share, you would use a UNC of \\DA1\shared.
You can also use a URL to reference an SMB share, as shown below:
smb://server_name/share_name
SMB operates at the Application and Presentation layers of the OSI model. The role of SMB is to provide clients with access to the file system and printers on a server. SMB uses the internal security of the server file system to determine what the client can and cannot do.
NetBIOS Overview
Because it's an upper-layer protocol, SMB can't operate alone. It must be implemented in conjunction with a middle-layer protocol. The implementation this section covers is SMB in conjunction with the Network Basic Input/Output System (NetBIOS) protocol on top of IP (NetBIOS over TCP/IP, which uses UDP ports 137 and 138 and TCP port 139). Since Windows 2000, SMB can also be carried directly over TCP port 445 without NetBIOS; Samba's smbd listens on both ports by default.
NetBIOS was originally developed in the mid-1980s and is used as the basic networking protocol for the Windows operating system. NetBIOS operates at the Session layer of the OSI model. As such, it has no routing capabilities. To make
NetBIOS routable, you have to use it in conjunction with a Network-layer protocol, such as IPX or IP.
This relationship is shown in the figure below:
Figure 4-1 The Relationship between SMB, NetBIOS, TCP, and IP
As you know, IP uses a numerical IP address to uniquely identify each network host. NetBIOS, on the other hand, uses a 16-byte name, of which 15 characters are the alphanumeric name itself, to uniquely identify network hosts.
The very last byte of a NetBIOS name (called the NetBIOS suffix) is not used for the name value. Instead, it identifies the type of host or service that registered the name, so a single machine registers several names that differ only in the suffix. A workstation registers its name with a suffix of 00 (hex). A file server registers 20. The domain name is registered with a suffix of 1C by every domain controller (PDC or BDC) and with 1B by the PDC alone; this is how clients locate the domain controllers.
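The encoding of these 16-byte names, and the query a host sends to resolve one, are what you see in a packet capture of nmbd or of a Windows client. The following is an added example, not from the course: it implements the RFC 1001 "first-level" name encoding (each nibble becomes a letter A..P, giving the 32-character names visible on the wire) and builds and parses an RFC 1002 NAME QUERY REQUEST offline, sending nothing. The host name DA1 and the transaction ID are constructed for the demonstration.

```python
"""NetBIOS name encoding and Name Service query packets (RFC 1001/1002).

Added example, not part of the course; builds and parses packets offline.
"""
import struct

SUFFIX = {0x00: "workstation", 0x1B: "domain master browser (PDC)",
          0x1C: "domain controllers", 0x20: "file server"}


def netbios_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: at most 15 characters, space padded, plus the suffix byte."""
    if len(name) > 15 or not name.isascii():
        raise ValueError("NetBIOS names are at most 15 ASCII characters")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])


def encode_name(name: str, suffix: int) -> str:
    """First-level encoding: every nibble of the 16 bytes becomes a letter A..P (32 chars)."""
    out = []
    for b in netbios_name(name, suffix):
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def decode_name(encoded: str):
    """Inverse of encode_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, suffix: int, trn_id: int = 0x1234, broadcast: bool = True) -> bytes:
    """NAME QUERY REQUEST as sent to UDP/137.

    broadcast=True is what a host without a WINS server sends to the segment;
    broadcast=False is the unicast form sent to a WINS server.
    """
    flags = 0x0110 if broadcast else 0x0100      # opcode 0 (query), RD=1, B=1 only for broadcast
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)   # QDCOUNT=1
    qname = b"\x20" + encode_name(name, suffix).encode("ascii") + b"\x00"  # one 32-byte label
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)  # QTYPE=NB, QCLASS=IN


def parse_name_query(packet: bytes):
    """Return (transaction id, name, suffix, is_broadcast) from a query packet."""
    trn_id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or packet[12] != 0x20:
        raise ValueError("unexpected name query layout")
    name, suffix = decode_name(packet[13:45].decode("ascii"))
    return trn_id, name, suffix, bool(flags & 0x0010)


if __name__ == "__main__":
    enc = encode_name("DA1", 0x20)
    print(enc, "->", decode_name(enc), SUFFIX[0x20])
    pkt = build_name_query("DA1", 0x20)
    print(len(pkt), "bytes:", parse_name_query(pkt))
```

Note what is absent from the packet: there is no authentication of either the query or the answer. Any host that sees the broadcast can reply with its own address, which is why the course's advice to run a WINS server matters on segments you don't fully trust.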
Any given system can have both a NetBIOS name and a hostname. These two names
are completely separate. Because NetBIOS works on top of IP, you need to be able to
resolve NetBIOS names into IP addresses, just as you need to resolve hostnames and
DNS names into IP addresses.
In NetBIOS, name resolution is done using a Windows Internet Naming Service
(WINS) server. A WINS server works much like a DNS server. When a NetBIOS
computer is booted on the network, it does the following:
If a WINS server is detected on the network, the NetBIOS computer registers
itself with the server on startup.
If its NetBIOS name is not already in use, the WINS server puts the system's
name and IP address in its database. All other NetBIOS hosts can send queries to
the WINS server to resolve the NetBIOS name into an IP address.
If a WINS server is not detected, the NetBIOS computer will simply broadcast its
NetBIOS name on the network when it boots.
If another system is already using that NetBIOS name, an error is generated indicating that a name conflict exists.
Hosts still need to be able to resolve NetBIOS names into IP addresses. To do this without a WINS server, a NetBIOS host that needs to contact another host sends out a broadcast. The host with the requested NetBIOS name responds with its IP address. Neither registration nor broadcast resolution is authenticated: any host on the same segment can answer a query for a name it does not own and receive the connection, and the credentials, meant for the real server. On segments you don't fully trust, prefer a WINS server or DNS over broadcast resolution (the name resolve order parameter in smb.conf controls this on the Samba side).
How SMB Communications Work
When you attempt to open an SMB connection, the NetBIOS protocol is used to
establish a connection at the Session layer between the sending and receiving
systems. Once a NetBIOS session has been established, clients and servers
communicate with each other at the upper layers of the OSI model with the SMB
protocol, using Server Message Blocks (SMBs).
SMBs contain commands that establish communications and manipulate shared
directories, files, and printers. SMBs work on a command/response model. Consider
the following SMB session.
A user on a workstation needs to create a file on a server, add content to the file, and
save it. The SMB commands and responses required to do this include the following:
1. The client sends an SMBNegProt command to the server. This tells the server
which dialect of SMB it's using.
NOTE: There are many different SMB protocol versions and dialects.
2. The server sends an SMBNegProt response back to the client, agreeing on the
dialect to be used.
3. The client sends an SMBSesssetup command to the server. This SMB carries the username and the proof of the password: the plaintext password only if encrypted passwords are disabled, otherwise a response computed from the challenge the server issued in step 2.
4. If the credentials are valid, the server responds with an SMBSesssetup response reporting that the user is authenticated.
5. The client sends an SMBtcon command. This tells the server which share it
wants to use.
6. The server responds with an SMBtcon response, telling the client that it has been
granted permission to use the share.
7. The client sends an SMBmknew command. This SMB tells the server to create a
new file.
8. The server sends an SMBmknew response after the file has been created.
9. The client sends an SMBopen command that tells the server to open the file that
was just created.
10. The client sends an SMBread command. The server responds with the requested
file.
At this point, the user can work on the open file from the client workstation.
11. When the editing is complete, the file is saved and closed. The client sends an
SMBwriteclose command.
12. The server system writes the file to disk and closes it.
In addition to the SMBs discussed in the example above, many other commands can
be used when working with shared resources on the server, including the following:
SMBcopy: Copies files
SMBmove: Moves files
SMBsplopen: Opens a print spool for printing
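Step 1 of the session above, the SMBNegProt command, is a list of dialect strings the client is willing to speak; the server answers with the index of the one it picks. The following is an added example, not from the course, that builds that SMB1 SMB_COM_NEGOTIATE request byte for byte (NetBIOS session header, 32-byte SMB header, dialect list), parses it back, and performs the server's choice. It constructs bytes offline and sends nothing; the dialect list is the set older Windows clients offered, and the header flag values are those such clients commonly send.

```python
"""SMB1 SMB_COM_NEGOTIATE request: build, parse, and pick a dialect.

Added example, not part of the course; works on bytes only, no network I/O.
"""
import struct

SMB_COM_NEGOTIATE = 0x72
DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
            "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]


def smb_header(command, flags2=0xC801, tid=0, pid=0xFEFF, uid=0, mid=0):
    """32-byte SMB1 header; flags2 0xC801 = unicode, NT status, extended security, long names."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       b"\xffSMB", command, 0, 0x18, flags2, 0,
                       b"\x00" * 8, 0, tid, pid, uid, mid)


def negotiate_request(dialects=DIALECTS, mid=1):
    """NetBIOS session message + SMB header + WordCount 0 + ByteCount + dialect entries."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)  # 0x02 = dialect buffer
    body = smb_header(SMB_COM_NEGOTIATE, mid=mid) + struct.pack("<BH", 0, len(data)) + data
    return struct.pack("!I", len(body)) + body   # type 0x00 session message, 24-bit length


def parse_negotiate_request(packet):
    """Return the dialect strings offered by the client, in the order sent."""
    (length,) = struct.unpack("!I", packet[:4])
    body = packet[4:4 + length]
    if body[:4] != b"\xffSMB" or body[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate request")
    wordcount = body[32]
    offset = 33 + 2 * wordcount
    (bytecount,) = struct.unpack_from("<H", body, offset)
    data = body[offset + 2: offset + 2 + bytecount]
    dialects = []
    while data:
        if data[0] != 0x02:
            raise ValueError("dialect entry missing 0x02 buffer-format byte")
        end = data.index(b"\x00", 1)
        dialects.append(data[1:end].decode("ascii"))
        data = data[end + 1:]
    return dialects


def choose_dialect(offered, supported=("NT LM 0.12", "LANMAN2.1", "LANMAN1.0")):
    """Server side of step 2: index of the best supported dialect, or 0xFFFF for none.

    'supported' is ordered best first; the server answers with the index into the
    client's list, which is why the client's ordering is visible to the server.
    """
    for want in supported:
        if want in offered:
            return offered.index(want)
    return 0xFFFF


if __name__ == "__main__":
    pkt = negotiate_request()
    print(len(pkt), "bytes;", pkt[:4].hex(), "session header")
    offered = parse_negotiate_request(pkt)
    print("client offers:", offered)
    print("server picks index", choose_dialect(offered), "=", offered[choose_dialect(offered)])
```

Because the dialect list travels before any authentication, anyone who can alter it in transit can remove "NT LM 0.12" and force both ends down to an older dialect with weaker password handling; this is the downgrade risk that makes encrypted passwords and, later, SMB signing worth enforcing on the server.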
How Samba Works
The Samba service on a SLES 11 system allows Samba clients to connect to shared
directories and printers on your server. You can use Samba for the following
purposes:
Provide file and print services for Samba clients (such as Windows, OSX, and
Linux workstations).
Act as a domain controller for Windows clients.
Integrate into an existing Windows domain for authentication purposes
The server side of Samba consists of two daemons:
nmbd: Handles all NetBIOS-related tasks. It also can provide a WINS server.
smbd: Provides file and print services for clients in the network.
In addition, to integrate the Samba server into a Windows environment, Samba also
provides the following services and utilities:
winbind: Integrates a Linux system into a Windows authentication system, such
as Active Directory. Essentially, it allows Windows domain users to function as
local Linux users.
nmblookup: Used for NetBIOS name resolution and testing.
smbclient: Provides access to SMB file and print services.
SLES 11 includes Samba version 3.2.7. Novell is an important contributor to the Samba project. You can find more information about the Novell/SUSE Samba packages and the Novell/SUSE Samba team at (http://www.opensuse.org/samba).
Objective 2 Configure a Simple File Server with Samba
To set up a simple file server with Samba, you need to be familiar with the following
tasks:
Installing Samba on the Server on page 178
Using the Samba Configuration File on page 179
Configuring Samba in YaST on page 185
Installing Samba on the Server
To configure a file server, the Samba packages need to be installed:
samba: Main Samba package. It contains the Samba server software.
samba-client: Contains the Samba client tools.
samba-doc (optional): Provides additional documentation about Samba.
NOTE: The samba and samba-client packages are installed by default during the installation of
SLES 11.
You can verify that the packages are installed with the rpm -q samba and rpm -q samba-client commands. If they are installed, rpm displays the installed version; otherwise an error message informs you that the package is not installed.
If the packages have not been installed, you can install them using the rpm
command. You can also start YaST on your server and use the Software Management
module to install the File Server pattern, as shown below:
Figure 4-2 Installing the File Server Pattern
After the packages have been installed, you can start the Samba daemons with the
following commands:
rcnmb start
rcsmb start
To start the Samba services automatically when the system is booting, enter the
following commands:
insserv nmb
insserv smb
Using the Samba Configuration File
The Samba service is configured in the /etc/samba/smb.conf file. The options in this file are grouped into several sections. Each section starts with a keyword in square brackets.
In this part of the course, you learn how to set up a simple file server with Samba.
You need to be familiar with the following tasks:
Configuring General Server Options on page 180
Sharing Users Home Directories on page 181
Configuring Shares on page 182
Sharing Printers on page 183
Configuring General Server Options
The first task you need to be familiar with is configuring general server options in the smb.conf file. The general server configuration section starts with the keyword [global]. The following is an example of a basic global section:
[global]
workgroup = DigitalAirlines
netbios name = DA1
security = share
server string = DA1 File Server
The entries of the global section in this example are described below:
workgroup = DigitalAirlines
Defines the name of the workgroup or domain the Samba server will participate in.
netbios name = DA1
Used to manually set the NetBIOS name of the Samba server. If you don't include this parameter, the NetBIOS name will default to the server's hostname.
security = share
Determines how a client has to authenticate itself when accessing a share. This option can have the following values:
share: Authentication is handled on a per-share basis. The client supplies a password when it connects to a share rather than when it first connects to the server. Samba has no true per-share passwords: it checks the supplied password against a set of candidate Unix accounts (the share's username list, the share name, the client's own name) and opens the share as whichever one matches. Usernames are not checked, so there is no per-user accountability. The mode exists only for very old clients and was removed in Samba 4.0; the example above uses it for simplicity, but for anything beyond a lab use user.
user: Authentication is handled on a per-user basis. An SMB client must first authenticate with a valid username and password to the Samba server before it is allowed to access shared resources on the server. This is the default value if the security option isn't explicitly included in smb.conf.
server: Specifies that the client must provide a username and password when it connects to the server. Samba contacts another SMB server in the network to validate the password. This is usually used in a workgroup configuration; it is deprecated because Samba cannot verify the identity of the password server it forwards credentials to.
domain: All authentication processes are handled by a remote primary domain controller or a backup domain controller. This value is usually used in a domain configuration.
ads: Specifies that Samba acts as domain member of an ADS realm to validate the username and password.
server string: Provides a description of the Samba server that will be displayed in My Network Places for Windows clients. This text string can contain any
value you want. If you don't include this parameter, smbd will default to a description of Samba samba_version_number.
In addition to the above, you can also include the following global server options, if required for your particular implementation:
encrypt passwords: Configures smbd to use encrypted (challenge-response) passwords instead of plaintext. It defaults to yes and should stay that way: every version of Windows since Windows 98 requires encrypted passwords, and setting it to no makes clients send passwords across the network in clear text.
passdb backend: Identifies where Samba user accounts, including their password hashes, are stored (for example smbpasswd, tdbsam, or ldapsam).
wins server: Specifies the IP address of your network's WINS server.
wins support: If your network doesn't already have a WINS server, set this parameter to yes. nmbd then acts as the WINS server. Do not enable this on more than one server in the network.
username map: Specifies a file that is used to map SMB client usernames to local server usernames. By default, this is /etc/samba/smbusers.
NOTE: There are many other parameters that you can optionally include in the [global] section of the smb.conf file. See the smb.conf man page to learn more.
Sharing Users' Home Directories
Next, you need to know how to share users' home directories. By default, the smb.conf file is preconfigured to share user home directories in the [homes] section. An example is shown below:
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
This section of the smb.conf file automatically shares the home directories of the users on your server. The valid users line restricts each home share to its owner (%S expands to the share name, which for [homes] is the username; %D%w%S is the same user in DOMAIN\user form), and browseable = No keeps the generic homes share out of the browse list while each user's own share stays visible to that user. A user can access his or her share using the following UNC:
\\server_name\username
For example, if your Linux username were rtracy and you accessed your Samba
server from a Windows workstation, you would see a share named rtracy, as shown
below:
Figure 4-3 Viewing Shared Home Directories
Configuring Shares
In addition to sharing home directories, you can also share other directories in the
servers file system. You do this by adding a share definition to the smb.conf file for
each directory on your file server that will be shared. The following example defines
a simple share:
[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes
The entries in this example are described below:
[data]: Defines the identifier for the share. The share in this example can be
accessed with the following UNC:
\\da1\data
comment = Data: Defines a comment that displays additional information about
the share. The comment is displayed when you browse the network with
Windows Explorer.
path = /srv/data: Sets the path in the local file system that the share points to. Verify that the local user accounts who need access to the files in this share have been granted the appropriate file system permissions.
read only = Yes: Specifies that the client accessing the share is not allowed to modify, delete, or create any files. This is the default value used if this parameter is not included in the share definition.
guest ok = Yes: Specifies that a password is not required to access the share. Anonymous connections run as the Unix account named by the guest account parameter (nobody by default), so that account's permissions on the path are the only thing limiting a guest. Combined with read only = Yes this grants anonymous read access; combined with a writable share it grants write access to anyone on the network.
There are many more configuration options available for defining shares in smb.conf. Depending upon your needs, you could also include the following:
browseable: Specifies whether or not the share can be browsed in My Network Places on Windows systems. If you don't include this parameter, a default value of yes is assumed.
writeable: If set to yes, users may create or edit files in the shared directory, as long as the file system permissions assigned to the directory allow it. writable and write ok are synonyms, and read only = no means the same thing.
public: A synonym for guest ok. The default value for this option is no.
valid users: Restricts access to the share to a specified list of users. Separate usernames with a comma (,); a Unix group is written as @groupname.
NOTE: There are many other parameters that you can optionally include when defining a share in the smb.conf file. See the smb.conf man page to learn more.
Sharing Printers
You can also use Samba to share the printers configured on your SLES 11 server. This is a significant benefit for users who use Windows workstations, which by default can't print to CUPS printers directly.
Using Samba, however, Windows users can send print jobs to your SLES 11 server and have them print on your CUPS printers. Samba accepts print jobs from SMB clients and spools them to a local spool directory. When the entire print job has been received, Samba runs a local print command and passes the spooled file to it. The local printing system then processes the print job and sends it to the printer.
By default, the smb.conf file is preconfigured to share all configured printers in the [printers] section. If this section exists within the smb.conf file, users can connect to any printer in the Samba host's printcap file. On startup, Samba creates a printer share for every printer defined in the printcap file. The [printers] section contains settings that are applied by default to all Samba printers on the server.
A sample [printers] section is shown below:
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
The options in this section are explained below:
comment = All Printers: Causes the comment specified to be shown next to the share in Network Neighborhood (or with the net view command).
path = /var/tmp: Defines the directory that will be used to spool print jobs. It must be writable by every user who prints; /var/tmp is world-writable with the sticky bit set, so users can't remove each other's spool files.
printable = Yes: When set to Yes, this option allows client systems to create spool files for printing in the directory defined above. This value must exist within [printers], otherwise the Samba daemon won't start.
create mask = 0600: Sets the permission bits applied to the spool files Samba creates. 0600 keeps one user's spooled job unreadable by other local users.
browseable = No: Makes the [printers] share itself invisible in the list of available shares in Network Neighborhood. Individual shared printers, however, are still visible. This option should always be set to No if printable = yes.
In addition to the above options, you can also use the following options, as appropriate:
guest ok = Yes: Allows anonymous guest printing to the printer. No password is required. The guest account maps to the nobody user account and print jobs are sent as this user. Otherwise, the user must first authenticate to the Samba service to send a print job.
public = Yes: Performs the same function as guest ok = Yes.
read only = Yes: Allows users to spool print jobs to the directory defined, but prevents normal write operations in this directory.
writable = No: Performs the same function as read only = Yes.
In addition to the [printers] section, you can also add several printing-related options to the [global] section of the smb.conf file. These include the following:
load printers: When set to yes (the default), all printers defined in the /etc/printcap file are automatically shared, each using the configuration options found in the [printers] section; you do not need to define separate shares for them. Set it to no to share only the printers you define explicitly.
printing: Defines the type of printing system that will be shared by Samba. The possible values are CUPS, LPRNG, PLP, SYSV, AIX, HPUX, QNX, SOFTQ, and BSD. Usually you will use CUPS for this parameter.
show add printer wizard: If set to Yes, this option causes the Add Printer icon to appear in the Printers folder of the Samba server's share in Network Neighborhood. The Add Printer Wizard lets you upload a printer driver to the [print$] share and associate it with a printer.
max print jobs: Sets the maximum number of print jobs that can be active on the
Samba server at any one time.
printcap name: Tells Samba where to look for a list of available printer names.
By default, this is cups.
printer admin: Specifies a user or group (identified with @) that is allowed to add drivers and set printer properties. The root user is always a printer admin. Because uploaded drivers are executed on every Windows client that installs them, keep this list as short as possible.
NOTE: You can configure Samba to support the uploading and downloading of printer drivers. This
is done with the [print$] share in the smb.conf file. See the printing section in the /usr/
share/doc/packages/samba/Samba3-HOWTO.pdf file.
Testing the Samba Configuration
After you have configured your smb.conf file, you need to restart the Samba server
daemons for the changes to take effect. However, before doing so, you should use the
testparm command at the shell prompt to test the syntax of your Samba
configuration file. When you do, you should see output similar to the following:
da1:~ # testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[users]"
Processing section "[groups]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
In this example, no errors are found. If there were any errors in the file, the command
would display the errors grouped by configuration sections.
An interesting option for testparm is --section-name section_name, which
tests only the specified section. This can be very useful when you have a very long
smb.conf.
Configuring Samba in YaST
In addition to manually modifying the smb.conf file with a text editor, you can also
configure your Samba server using YaST.
1. Start YaST and select Network Services > Samba Server.
A list of shares defined on the Samba server is displayed, as shown below:
Figure 4-4 Viewing Samba Shares in YaST
2. To configure your Samba server's global options, select the Identity tab.
The following is displayed:
Figure 4-5 Configuring the Samba Server's Identity
3. Configure the following parameters:
Workgroup or Domain Name
NetBios Hostname
WINS Server Support or Remote WINS Server
Use WINS for Hostname Resolution
4. If you need more granular control over your Samba server's configuration, select
Advanced Settings > Expert Global Settings.
When you do, the following is displayed:
Figure 4-6 Configuring Expert Global Settings
In this screen, you can use the Add, Edit, or Delete buttons to add, modify, or
remove Samba global configuration options. Notice that the options displayed
are the same as those discussed earlier in this section in Configuring General
Server Options on page 180.
When done making changes, select OK.
5. To create a new share, select the Shares tab, then select Add.
Figure 4-7 Defining a New Share
6. Enter the following information in the New Share screen:
Share Name
Share Description
Share Type
Share Path
7. Select OK.
The share is added to the list of defined shares.
8. To enable or disable an existing share, select it from the list, then select Toggle
Status.
9. To hide system-defined shares, select Filter > Do Not Show System Shares.
When you do, only the [homes] and [groups] shares are displayed along with any
custom shares you have defined.
10. To edit an existing share, select it from the list, then select Edit.
When you do, the share definition is displayed, as shown below:
Figure 4-8 Editing an Existing Share
You can use the Add, Edit, and Delete buttons to add, modify, or remove options
from the share definition. Notice that the options displayed are the same as those
discussed earlier in Configuring Shares on page 182.
When done modifying the share, select OK.
11. To delete a share, select it from the list, then select Delete.
Exercise 4-1 Create a Basic Samba Share
In this exercise, you learn how to configure a basic Samba share.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Configure Samba Authentication
In the example presented in the previous objective, the [data] share is accessible on
the Samba server without supplying a username and password. In most cases, this
level of access is inappropriate.
In this objective, you learn how to configure Samba authentication. The following
topics are addressed:
Configuring the Samba User Database on page 192
Configuring Samba to Require User Authentication on page 198
Configuring the Samba User Database
The first task you need to complete is to determine where Samba user accounts will
be stored. It's important to recognize that Samba maintains its own database of user
accounts that are used to authenticate to the service.
NOTE: The user accounts in your /etc/passwd file are not directly used by Samba. However, they
can be mapped over to your Samba database of user accounts.
You have several options for storing your Samba users, including the following:
Using /etc/samba/smbpasswd on page 192
Using LDAP on page 193
Using /etc/samba/smbpasswd
By default, the /etc/samba/smbpasswd file is used by Samba to store user
accounts, but it does not have any users defined. To populate the smbpasswd file
with user accounts, you use the smbpasswd utility at the shell prompt. To do this,
complete the following:
1. Open a terminal session and switch to root using the su - command.
NOTE: If you run smbpasswd as any user other than root, it can be used to manage the
smbpasswd account only for the current user.
2. At the shell prompt, enter smbpasswd -a username.
3. When prompted, enter a password for the Samba user account.
While not required, many administrators prefer to use the same password for the
Samba user account as the Linux user account.
4. Restart the Samba daemon.
Once done, the user account is added to the /etc/samba/smbpasswd file, as
shown below:
# This file is the authentication source for Samba if 'passdb backend'
# is set to 'smbpasswd' and 'encrypt passwords' is 'Yes' in the
# [global] section of /etc/samba/smb.conf
#
# See section 'passdb backend' and 'encrypt passwords' in the manual
# page of smb.conf for more information.
geeko:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:55DB0294BC42D6E1B81AE2B5C7F2943F:[U ]:LCT-49D5D363:
To remove a user from the file, you use the smbpasswd -x username command
at the shell prompt.
To disable a user, you use the smbpasswd -d username command at the shell
prompt.
To reactivate a disabled account, you use the smbpasswd -e username
command.
To change a user's Samba password, you use smbpasswd username at the shell
prompt.
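The following Python is an added example, not code from the manual or from the Samba project. It parses entries in the smbpasswd format shown above (the geeko line is the one from the text; the tux and kiosk lines are constructed) and reports the account states an administrator reviewing the file would want to see: the N (no password) flag, a stored LM hash, a missing NT hash, and accounts disabled with smbpasswd -d.

```python
"""Parse /etc/samba/smbpasswd entries and flag accounts worth a second look.

Added example; not code from the course manual or from the Samba project.
Entry format, as shown in the text: name:uid:LM hash:NT hash:[flags]:LCT-hex:
Flag letters follow smbpasswd(5): U = user account, D = disabled (what
smbpasswd -d sets), N = no password required, W = workstation trust account.
A hash field of 32 'X' characters means no hash is stored for that field.
"""
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# Constructed sample file: the geeko entry from the manual plus two invented
# entries (tux, kiosk) that exercise the checks below.
SAMPLE_SMBPASSWD = """\
# This file is the authentication source for Samba if 'passdb backend'
# is set to 'smbpasswd' and 'encrypt passwords' is 'Yes' in the
# [global] section of /etc/samba/smb.conf
geeko:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:55DB0294BC42D6E1B81AE2B5C7F2943F:[U          ]:LCT-49D5D363:
tux:1001:0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF:[UD         ]:LCT-49D5D363:
kiosk:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-49D5D363:
"""

_HEX = set("0123456789ABCDEF")


class SmbPasswdEntry(NamedTuple):
    name: str
    uid: int
    lm_hash: Optional[str]      # None when the field is a placeholder (no hash stored)
    nt_hash: Optional[str]
    flags: FrozenSet[str]
    last_change: Optional[datetime]


def _hash_field(field: str) -> Optional[str]:
    """Return a 32-digit hex hash, or None for 'XXXX...' style placeholders."""
    field = field.strip().upper()
    return field if len(field) == 32 and set(field) <= _HEX else None


def parse_smbpasswd_line(line: str) -> Optional[SmbPasswdEntry]:
    """Parse one line; comment and blank lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 6:
        raise ValueError(f"malformed smbpasswd entry: {line!r}")
    name, uid, lm, nt, flags, lct = parts[:6]
    # The flags field is space-padded inside the brackets, e.g. "[U          ]".
    flag_set = frozenset(flags.strip("[] ").replace(" ", ""))
    last_change = None
    if lct.startswith("LCT-"):
        # LCT = Last Change Time: seconds since the epoch, written in hex.
        last_change = datetime.fromtimestamp(int(lct[4:], 16), tz=timezone.utc)
    return SmbPasswdEntry(name, int(uid), _hash_field(lm), _hash_field(nt),
                          flag_set, last_change)


def parse_smbpasswd(text: str) -> List[SmbPasswdEntry]:
    parsed = (parse_smbpasswd_line(ln) for ln in text.splitlines())
    return [entry for entry in parsed if entry is not None]


def audit_smbpasswd(entries: List[SmbPasswdEntry]) -> Dict[str, List[str]]:
    """Map account name -> findings; accounts with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues = []
        if "N" in e.flags:
            issues.append("no password required (N flag)")
        if e.lm_hash is not None:
            issues.append("LM hash stored (weak legacy hash)")
        if e.nt_hash is None and "N" not in e.flags:
            issues.append("no NT hash stored: account cannot authenticate")
        if "D" in e.flags:
            issues.append("disabled with smbpasswd -d; remove with -x if no longer needed")
        if issues:
            findings[e.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_smbpasswd(parse_smbpasswd(SAMPLE_SMBPASSWD)).items():
        print(f"{name}: " + "; ".join(issues))
```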
The /etc/samba/smbusers file is used by Samba to map usernames from client
systems to user accounts on the local server. The following syntax is used:
unix_name = smb_name
This file is not included in the default configuration.
Using LDAP
In addition to local files, the Samba service can also be configured to store its users in
an OpenLDAP directory service. To do this, complete the following:
1. Start YaST and select Network Services > Samba Server.
2. Select the LDAP Settings tab.
The following is displayed:
Figure 4-9 Configuring Samba LDAP Settings
3. Select Use LDAP Password Back-End.
4. When prompted that all values will be rewritten, select Yes to continue.
The various fields in this interface are automatically populated for you using the
default values found in your server's /etc/openldap/ldap.conf file.
5. Make any changes that are necessary to the various settings.
6. Type your LDAP administrator's password in the Administration Password
fields.
7. Select Test Connection.
8. If the test was successful, select OK.
9. Select OK to apply your settings.
10. Close YaST.
After making your configuration changes, several important changes are made to the
[global] section of your smb.conf file. Instead of using local files for the passwd
backend, your LDAP directory service is specified. An example is shown below:
idmap backend = ldap:ldap://127.0.0.1
ldap admin dn = cn=Administrator,dc=digitalairlines,dc=com
ldap delete dn = No
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap replication sleep = 1000
ldap ssl = Start_tls
ldap suffix = dc=digitalairlines,dc=com
ldap timeout = 5
ldap user suffix = ou=people
passdb backend = ldapsam:ldap://127.0.0.1
These configuration changes do the following:
Identify the URL of the LDAP server
Identify the dn of the LDAP administrator
Identify where user, group, and machine objects will be stored in the directory
Identify the base dn (root entry) of the LDAP directory
Likewise, the appropriate entries are added to your LDAP directory. A sample is
shown below:
Figure 4-10 Viewing Samba Objects in the LDAP Directory
In the above example, Samba was configured to use ou=people to store its user
accounts. This is the same directory where the system user accounts are stored. From
this point on, any users created on the system will automatically be Samba enabled.
For example, in the figure below, the lmorgan user account has been created and
automatically Samba enabled.
Figure 4-11 New Users Automatically Samba Enabled
However, any user accounts that existed in the LDAP directory prior to configuring
Samba will still need to be Samba enabled. For example, in the figure below, the tux
user account has not been Samba enabled:
Figure 4-12 Samba Enabling an Existing LDAP User
You Samba enable an LDAP user using the smbpasswd command in the same
manner as was done previously. In this example, you enter smbpasswd -a tux
(as root) at the shell prompt and enter a Samba password for the user.
After doing so, the various Samba-related properties are added to the tux user object,
as shown below:
Figure 4-13 Samba Enabled LDAP User Account
Configuring Samba to Require User Authentication
In the [data] share definition presented in the previous objective, guest access was
allowed to the share, as shown below:
[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes
In addition, the security option in the [global] section was set to share, as
shown below:
[global]
workgroup = DigitalAirlines
netbios name = DA1
security = share
server string = DA1 File Server
This security level requires a password to be set on a per-share basis. Client systems
can access the share simply by providing the share's password. Usernames are not
checked.
In most situations, you will want to reconfigure this share with a higher level of
security. In this part of this objective, you learn how to reconfigure the share such that
users must supply a valid Samba username and password to access it. The first task is
to change the security option in the [global] section in the smb.conf file to security =
user, as shown below:
[global]
workgroup = DigitalAirlines
netbios name = DA1
security = user
server string = DA1 File Server
This forces users to authenticate when a client attempts to connect to the Samba
server. However, once they do, your users have access to every share defined in the
smb.conf file. Usually, this is not acceptable.
More than likely, you will want to restrict access to a given share to a specific set of
users. You can use the valid users option within the share definition to specify which
Samba users are allowed access to the share.
In the following, the guest ok option has been replaced with the valid users
option to restrict access to the [data] share to only the tux user:
[data]
comment = Data
path = /srv/data
read only = no
valid users = tux
You can specify one user or more users with this option. Multiple usernames must be
separated by commas.
Changing the read only option to a value of No makes the share writable.
You can also use groups with the valid users option. Group names must begin with @,
for example @accounting. Remember that all group members must be Samba
enabled with the smbpasswd command.
The following example configures the [data] share such that it is readable and
writable by all members of the accounting group:
[data]
comment = Accounting Data
path = /srv/data
read only = no
valid users = @accounting
force user = tux
force group = accounting
In this example, several options have been modified or added:
valid users = @accounting: Allows all users who are in the accounting group to
access the share.
force user = tux: Forces Samba to perform all file operations in the share as the
tux user, which can be very useful. For example, using this option allows you to
set your POSIX permissions in the file system for the tux user and have those
permissions automatically applied to every other user who is allowed to access
the share.
force group = accounting: Forces the Samba server to perform all file
operations using the accounting group.
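As an added example (not the manual's or Samba's own code), the following Python checks an smb.conf for the weak settings this objective replaces. It uses the [global] and [data] definitions from the text, before and after the change to user-level security, as constructed input, and the parameter-name normalisation and synonyms it applies are those described in the smb.conf man page.

```python
"""Audit smb.conf share definitions for the weak settings discussed above.

Added example; not code from the course manual or from the Samba project.
It parses smb.conf's INI-style format (sections in [], 'name = value' lines,
'#' or ';' comments). Samba compares parameter names case-insensitively and
ignores whitespace inside them; 'public' is a synonym for 'guest ok', and
'writable'/'writeable' is the inverse of 'read only' (see smb.conf(5)).
Findings reported:
  * security = share in [global] (one password per share, usernames unchecked)
  * any share with guest ok = yes (anonymous access)
  * any writable share with no valid users restriction
"""
import re
from typing import Dict, List

# Constructed input: the [global] and [data] sections as shown in the text,
# before and after the change to user-level security.
BEFORE = """\
[global]
workgroup = DigitalAirlines
netbios name = DA1
security = share
server string = DA1 File Server

[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes
"""

AFTER = """\
[global]
workgroup = DigitalAirlines
netbios name = DA1
security = user
server string = DA1 File Server

[data]
comment = Accounting Data
path = /srv/data
read only = no
valid users = @accounting
force user = tux
force group = accounting
"""

_SYNONYMS = {"public": "guestok", "writable": "writeable"}


def _key(name: str) -> str:
    """Normalise a parameter name the way Samba does: drop whitespace, lower case."""
    key = re.sub(r"\s+", "", name).lower()
    return _SYNONYMS.get(key, key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section name (lower case): {normalised parameter: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        name, value = line.split("=", 1)
        sections[current][_key(name)] = value.strip()
    return sections


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def _writable(share: Dict[str, str]) -> bool:
    # Samba's default is read only = yes; an explicit writeable (the inverse
    # parameter) is honoured first in this simplified check.
    if "writeable" in share:
        return _is_true(share["writeable"])
    return not _is_true(share.get("readonly", "yes"))


def audit_smb_conf(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing to report."""
    conf = parse_smb_conf(text)
    findings: List[str] = []
    if conf.get("global", {}).get("security", "user").strip().lower() == "share":
        findings.append("[global] security = share: per-share password, usernames are not checked")
    for name, share in conf.items():
        if name == "global":
            continue
        if _is_true(share.get("guestok", "no")):
            findings.append(f"[{name}] guest ok = yes: anonymous access allowed")
        if _writable(share) and "validusers" not in share:
            findings.append(f"[{name}] writable share without a valid users restriction")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", audit_smb_conf(text) or ["no findings"])
```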
Exercise 4-2 Configure Samba to Use LDAP Authentication
In this exercise, you learn how to configure Samba to store its user accounts in an
LDAP directory service.
You will find this exercise in the workbook.
(End of Exercise)
Objective 4 Use Samba's Client Tools
Although Samba is commonly used to provide Windows workstations with access to
Linux servers, Linux workstations can also access Samba shares. Samba provides a
variety of tools that you can use to access shares from a Linux system. These tools
can be used to access a Samba server or a native Windows server.
In this objective, you learn how to use these tools. The following tasks are addressed:
Using nmblookup on page 202
Using smbclient on page 202
Mounting Samba Shares in the Linux File System on page 204
Using nmblookup
With the nmblookup tool, you can resolve NetBIOS names into IP addresses. In the
following example, the IP address for the Samba server with the NetBIOS name da1
is looked up:
geeko@DA-SLED:~> nmblookup da1
querying da1 on 172.17.8.255
172.17.8.101 da1<00>
In the first line of the output, nmblookup states that it is querying the server name
with a broadcast to 172.17.8.255. In the second line of the output, it displays the
result of the query. In this case, the system with a NetBIOS name of DA1 has an IP
address of 172.17.8.101.
NOTE: If the system you are querying is not in the same subnet, the name cannot be resolved with a
broadcast query. Instead, nmblookup must use a WINS server to resolve the name. For more
information, see the man page for nmblookup.
Using smbclient
With the smbclient tool, you can access shares on a Samba server. It's also a very
useful tool for testing your Samba server configuration.
You can perform several tasks with smbclient:
Browsing Shares Provided by a Samba Server on page 202
Accessing Files Provided by a Samba Server on page 203
Sending Print Jobs to Samba Printers on page 204
Browsing Shares Provided by a Samba Server
The smbclient utility can be used to display a list of shares offered by a Samba server.
To do this, enter the following command at the shell prompt:
smbclient -L //server_name
When smbclient asks for your password, press Enter to proceed. The output of
smbclient will appear similar to the following:
geeko@DA-SLED:~> smbclient -L //da1
Enter geeko's password:
Domain=[DIGITALAIRLINES] OS=[Unix] Server=[Samba 3.2.7-1.3-2042-SUSE-CODE11]

        Sharename       Type      Comment
        ---------       ----      -------
        profiles        Disk      Network Profiles Service
        users           Disk      All users
        groups          Disk      All groups
        print$          Disk      Printer Drivers
        data            Disk      Data
        IPC$            IPC       IPC Service (DA1 File Server)
Domain=[DIGITALAIRLINES] OS=[Unix] Server=[Samba 3.2.7-1.3-2042-SUSE-CODE11]

        Server               Comment
        ---------            -------
        DA1                  DA1 File Server

        Workgroup            Master
        ---------            -------
        DIGITALAIRLINES
The smbclient utility first displays all available shares on the Samba server. The IPC$
share provides information about the other shares available on the SMB server. The
lower part of the smbclient output provides workgroup information.
The smbclient command can be very valuable for testing purposes. After you have set
up a share, you can use smbclient to test the availability of the share.
Some shares are not browseable without authentication. In this case, you can pass a
username to smbclient, as in the following example:
smbclient -L //server_name -U username
With these options, smbclient connects to the server with the username specified and
prompts for the corresponding password.
Accessing Files Provided by a Samba Server
You can also use smbclient to access a share on a server. To do this, you need to
supply the share name along with the server name (without the -L option).
In the following example, smbclient connects to the share data on the Samba server
named da1:
smbclient //da1/data
A username can also be supplied with the -U option. After smbclient has connected
to a share, it displays the following prompt:
smb: \>
At this point, smbclient can be used like a command line FTP client. Some of the
most commonly used commands include the following:
ls: Displays the contents of the current directory.
cd: Changes to a directory.
get: Copies a file from the share to the current working directory.
put: Copies a file to the share. The share must be writable to use this command.
Sending Print Jobs to Samba Printers
You can also use smbclient to send print jobs to shared Samba printers. Use the
following syntax:
smbclient //server_name/shared_printer_name -c "print file_to_print"
The -c option performs the given command automatically after the connection to the
server has been established. You can also enter the print command on the smb:\
command line after you have connected to the server.
Mounting Samba Shares in the Linux File System
In addition to accessing shared files with smbclient, you can also mount a remote
Samba share into the local file system, much like an NFS export. This is done using
the mount command:
mount -t cifs //server_name/share_name /mount_point
For example:
mount -t cifs //da1/data /mnt/samba
In this example, the data share on the da1 Samba server is mounted into the
/mnt/samba directory. The -t cifs option specifies that the resource to be mounted is an
SMB share.
If the share requires authentication, you can also supply a username as in the
following:
mount -t cifs -o username=geeko //da1/data /mnt/samba
You will be prompted for the password.
It is also possible to provide the password in the command as in the following:
mount -t cifs -o username=geeko,password=novell //da1/data /mnt/samba
However, the password will then be visible in the shell's command history. If you use
the /etc/fstab file to mount the file system, the issue is similar, as every user on the
system could view the password. The solution is to provide the password in the
/etc/samba/smbfstab file, which is readable only by the system administrator. The
equivalent to the above command line would look similar to the following:
# This file allows you to mount SMB/ CIFS shares during system boot
# while hiding passwords to other people than root. Use /etc/fstab for
# public available services. You have to specify at least a service
# name and a mount point. Current default vfstype is smbfs.
#
# Possible vfstypes are smbfs and cifs.
#
# The options are explained in the manual page of smbmount and
# mount.cifs.
#
# service moint-point vfstype options
//da1/data /mnt/samba cifs username=geeko,password=novell
Exercise 4-3 Work with Samba Shares
In this exercise, you access a share with smbclient and you mount a Samba share in
the file system of a Linux workstation.
You will find this exercise in the workbook.
(End of Exercise)
Objective 5 Use Samba as a Domain Controller
In the preceding objectives, you have configured Samba on SLES 11 to function in a
workgroup. However, Samba can also be configured to allow your server to function
as a Windows domain controller.
To do this, you need to be familiar with the following topics and tasks:
How Domains Work on page 207
Configuring Samba as a Domain Controller on page 211
Creating Machine Accounts on page 215
Mapping Local Linux Groups to Windows Groups on page 216
How Domains Work
Before discussing how to configure Samba as a domain controller, you need to have a
basic understanding of how Windows domains work.
NOTE: A full discussion of Windows networking topics is beyond the scope of this course.
The following topics are addressed here:
Windows Workgroups on page 207
Windows Domains on page 210
Domain Controllers on page 210
Trust Relationships on page 211
Windows Workgroups
A Windows workgroup is a logical organization of hosts that have been grouped
together on a network. A workgroup is usually confined to the network hosts on a
single network segment. A Windows workstation can be configured to participate in a
workgroup using the System applet:
Figure 4-14 Setting the Workgroup
To create a workgroup, type the same name in the Workgroup field on all the
workstations and servers that will be members. Once configured, users can browse
shared resources provided by the hosts that are members of the workgroup, as shown
below:
Figure 4-15 Viewing Workgroup Hosts
This browsing functionality makes Windows networking much easier for users.
Instead of supplying a UNC path to a shared resource, users can browse through the
workgroup to the particular host and select the resource.
To make browsing possible, one computer system in the workgroup is elected to be
the master browser. The master browser keeps a list of all hosts and shared resources
in the workgroup.
NOTE: Browsing works with Windows domains as well as workgroups.
The master browser is sometimes referred to as the local master browser. When
systems in the workgroup are booted, they go through an election process to decide
which system will be the master browser. Using factors such as system load and the
length of time a host has been up, one system is elected to be the master browser for
the workgroup.
Master browsers are critical to the overall function of the workgroup. Without a
master browser, each individual host in the workgroup would have to query every
other host in the workgroup to identify the resources each has to share whenever a user
browsed the workgroup. This would take a considerable amount of time and would
generate a lot of unnecessary network traffic.
To speed things up, the master browser alone does all the probing to discover shared
resources in the workgroup. When a user browses the workgroup, the host contacts
the master browser to get a list of shared resources.
Windows workgroups don't require a Windows server, although Windows servers aren't
prevented from participating in a workgroup. Windows 9x, ME, NT, 2000, XP, Server
2003, Vista, and Server 2008 systems can all share resources in a workgroup.
Any of these systems can function as a master browser in a workgroup. In addition, a
Samba server or client on Linux can participate in a Windows workgroup. The other
Windows systems in the workgroup don't know the difference between a Linux
Samba system and other Windows hosts.
However, workgroups have a major shortcoming that limits their usefulness. Each
computer system has to maintain its own separate set of user accounts. If users want
to access resources on another system in the workgroup, they must have a user
account configured on the remote system. If users need to use resources located on
multiple systems, they must authenticate separately to each host.
If the user passwords are the same on all hosts, this process works relatively well.
However, if different usernames or passwords are used on each system, access is
denied. Keeping user accounts synchronized in a large workgroup can quickly
become a difficult administrative task.
In addition, because of the way NetBIOS uses broadcasts, it can be difficult to
implement a workgroup on a routed network.
Windows Domains
For the reasons listed above, workgroups usually aren't implemented in large
organizations. Instead, most large Windows networks are configured to use domains.
A Windows domain is a logical grouping of computer systems on a network, much
like a workgroup.
Unlike a workgroup, however, a domain uses a central database of user accounts that
all systems that are members of the domain use for authentication. A single server is
configured with the user account database (the domain).
Domains overcome the weaknesses associated with workgroups. First, domains can
span multiple network segments. In addition, domains also create a single point of
administration.
Domains also eliminate the need for multiple user logins. Because access to all
resources in the domain is controlled by the domain database, users need to
authenticate only once to the domain. After they are authenticated, they can access
whatever domain resources they have access to.
NOTE: Not all Windows operating systems can participate in a domain. Windows XP Home, for
example, can participate only in a workgroup.
Domain Controllers
The system that hosts the domain database is called the domain controller. In a
Windows network, the domain controller is a Windows server that runs a service
called the Security Account Manager (SAM).
Each domain must have one or more domain controllers. On a Windows network, one
server is configured as a Primary Domain Controller (PDC). The PDC is the
authoritative source of domain data.
Each domain can have only one PDC. However, for fault-tolerance purposes, more
than one domain controller should be configured. For redundancy purposes, a
Windows network can be configured with a Backup Domain Controller (BDC). A
BDC has a copy of the domain database from the PDC. If the PDC goes down, the
BDC jumps in and takes over, ensuring that the network keeps working. A domain
can have multiple BDCs.
A BDC is non-authoritative in a Windows network. You can't directly update the
domain database on a BDC. Instead, you make all changes to the PDC domain
database. The PDC then synchronizes the domain with all BDCs in the domain at
periodic intervals. A user can use either a PDC or a BDC to authenticate to the
domain.
It's also possible for a server to exist in a domain without being a PDC or a BDC. It's
called a member server.
With the winbindd daemon running on a Linux Samba server, it can participate in a
Windows domain. It can function as a PDC in a Windows NT-type network.
It can also function as a BDC if the PDC is another Samba server. However, if the
PDC is a Windows server, it can't function as a BDC. Likewise, a Samba PDC can't
interoperate with a Windows BDC. This is because Samba doesn't support SAM
replication with Windows domain controllers.
A Linux Samba server can also function as a member server in a Windows NT-style
domain.
If, however, you are using Active Directory, your options are a little more limited.
Your Linux Samba server can function only as a member server in an ADS domain;
it can't be a PDC.
NOTE: ADS domain control is scheduled to be implemented in Samba version 4.
Trust Relationships
Windows trust relationships allow you to establish trust relationships between two
Windows domains to allow users in one domain to access shared resources in the
other domain. Samba supports trust relationships.
Configuring Samba as a Domain Controller
You can configure Samba as a domain controller by either manually editing /etc/
samba/smb.conf or by running the YaST Samba Server module. In this course,
we will configure Samba as a domain controller using YaST and then look at the
changes that were made to the smb.conf file.
To do this, complete the following:
1. Start YaST and select Network Services > Samba Server.
2. Select the Identity tab.
The following is displayed:
Figure 4-16 Viewing the Identity Tab
Notice in the figure above that the Samba server is not configured as a domain
controller. In this configuration, it is functioning in a simple workgroup.
3. To make the Samba server a domain controller, select either Primary (PDC) or
Backup (BDC) from the Domain Controller drop-down list.
4. Select OK.
You are prompted to create a Samba administrative user named root, as shown
below:
Figure 4-17 Creating a Samba root User
5. In the fields provided, type a password for the Samba root user; then select OK.
6. Close YaST.
When you do, several changes are made to the /etc/samba/smb.conf file. The [global]
section from a smb.conf file that configures the Samba server as a PDC is shown
below:
[global]
workgroup = DigitalAirlines
netbios name = DA1
security = user
server string = DA1 File Server
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
idmap backend = ldap:ldap://127.0.0.1
ldap admin dn = cn=Administrator,dc=digitalairlines,dc=com
ldap delete dn = No
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap replication sleep = 1000
ldap ssl = Start_tls
ldap suffix = dc=digitalairlines,dc=com
ldap timeout = 5
ldap user suffix = ou=people
passdb backend = ldapsam:ldap://127.0.0.1
wins support = Yes
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
The following changes are made to the [global] section:
If the security level was set to share, it is changed to user.
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp
%m$: Specifies the script to run to create domain machine accounts when a
system joins the domain.
domain logons = Yes: Configures Samba as a domain controller. When set to
Yes, the Samba server runs the netlogon service, which allows users to
authenticate to the domain.
domain master = Yes: When set to Yes, configures Samba as a PDC. When set
to No, configures Samba as a BDC.
local master = Yes: Allows Samba to participate in the election of the local
master browser.
os level = 65: Configures how well the Samba server will do when electing a master
browser. If you omit this parameter, the Samba server is assigned an os level of
20 by default. This causes the Samba server to win out over any other Windows
systems in the workgroup or domain except for a PDC or BDC.
Setting the os level to 65 causes the Samba server to win over any other system in
a browser election.
preferred master = Yes: Configures the Samba server to be the preferred master
browser for the workgroup or domain. If set to Yes, an election will be forced
when the service is started. If domain master is also set to Yes, the Samba server
will win the election.
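As an added example (not part of the course material), the following Python script parses the [global] section of an smb.conf, derives the role Samba will take from domain logons and domain master as described above, and lists the settings a reviewer would question. The parse_smb_conf, samba_role and audit_global functions and the WEAK_CONF sample are this example's own; PDC_CONF is the [global] section shown above, trimmed to the parameters the audit reads.

```python
"""Audit the [global] section of an smb.conf for domain-controller settings.

Added example, not Novell course material. It reads the parameters the
text explains (security, domain logons, domain master, add machine script,
ldap ssl, map to guest) and reports the role plus review findings.
"""
import re


def _norm_key(key: str) -> str:
    # Samba parameter names are case-insensitive and ignore embedded whitespace,
    # so "Domain Logons", "domain logons" and "domainlogons" are one key.
    return re.sub(r"\s+", "", key).lower()


def _as_bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalized_key: value}} for the text of an smb.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray text outside a section
            continue
        key, _, value = line.partition("=")      # split at the first '=' only
        sections[current][_norm_key(key)] = value.strip()
    return sections


def samba_role(text: str) -> str:
    """domain logons switches on domain control; domain master picks PDC vs BDC."""
    g = parse_smb_conf(text).get("global", {})
    if not _as_bool(g.get("domainlogons", "no")):
        return "standalone/member"
    return "PDC" if _as_bool(g.get("domainmaster", "no")) else "BDC"


def audit_global(text: str) -> list:
    """Return the findings a reviewer would raise for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append("security = share: share-level security does not work "
                        "for a domain controller; YaST changes it to user")
    is_dc = _as_bool(g.get("domainlogons", "no"))
    if is_dc and "addmachinescript" not in g:
        findings.append("domain logons = Yes without add machine script: every "
                        "machine account must be created by hand before a "
                        "workstation can join")
    backend = g.get("passdbbackend", "")
    # Samba's default for "ldap ssl" is "start tls"; only an explicit off is flagged.
    if backend.startswith("ldapsam:ldap://") and \
            _norm_key(g.get("ldapssl", "start tls")) == "off":
        findings.append("ldap ssl = off with an ldap:// passdb backend: the ldap "
                        "admin dn bind and password data travel in clear text")
    if g.get("maptoguest", "Never").lower() == "bad user":
        findings.append("map to guest = Bad User: a logon with an unknown user "
                        "name is mapped to the guest account instead of rejected")
    return findings


# The [global] section shown above, trimmed to the parameters the audit reads.
PDC_CONF = """
[global]
    workgroup = DigitalAirlines
    netbios name = DA1
    security = user
    map to guest = Bad User
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Administrator,dc=digitalairlines,dc=com
    ldap ssl = Start_tls
    add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root
"""

# Constructed counter-example (not from the course): a hand-edited BDC.
WEAK_CONF = """
[global]
    workgroup = DigitalAirlines
    security = share
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap ssl = off
    domain logons = yes
    domain master = no
"""

if __name__ == "__main__":
    for name, conf in (("PDC_CONF", PDC_CONF), ("WEAK_CONF", WEAK_CONF)):
        print(f"{name}: role={samba_role(conf)}")
        for finding in audit_global(conf):
            print("  -", finding)
```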
In addition to these changes, the following share is also added to the end of the
smb.conf file:
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
All Windows PDCs and BDCs provide a share called netlogon. It's used to store
logon scripts and group policies. Likewise, your Samba PDC or BDC should also
provide this share. By default, the path to the netlogon directory is /var/lib/
samba/netlogon/. Only root is allowed to write files to this share.
Creating Machine Accounts
Next, you need to create machine accounts for your workstations. You need a
machine account on the Samba server for each Windows workstation that is going to
be a member of the domain. The machine account is used to establish a trust
relationship and a secure connection between the domain controller and the client
system.
To create machine accounts for your workstations, do the following:
1. Using the utility of your choice, create a group in /etc/group named
machines.
2. Create a user account for the workstation in your /etc/passwd file by doing
the following:
a. Open a terminal session and switch to your root user account using the su -
command.
b. At the shell prompt, enter the following command:
useradd -g machines -d /var/lib/nobody -c comment -s /bin/false machine_name$
This command creates a new user in /etc/passwd for the machine. The -g
machines option makes the account a member of the machines group you
created earlier. The -d option sets a null home directory for the machine
account.
The -c option adds a comment to the account. The -s option specifies a
null default shell. The account name itself must be exactly the same as the
machine's NetBIOS name with a $ character appended to the end. The
account has no password assigned.
3. Samba-enable the machine account by entering the following command at the
shell prompt:
smbpasswd -a -m machine_name
For example, if you had a workstation with a NetBIOS name of da-sled and
you've already created the da-sled$ user account in /etc/passwd, you would enter
the following:
da1:~ # smbpasswd -a -m da-sled
Added user da-sled$.
da1:~ #
When you do, the machine account is added to your Samba account database. For
example, the da-sled account above is added to the ou=Machines container in the
LDAP directory:
Figure 4-18 Machine Account in LDAP Browser
WARNING: Doing this is the equivalent of creating a machine trust account on a Windows server
using Server Manager. Between the time you manually create the machine account until the time the
client system joins the domain, there's a risk that an intruder could join the domain using that
NetBIOS name.
Mapping Local Linux Groups to Windows Groups
With Samba configured as a PDC on your SLES 11 server, you next need to map
several local Linux groups on the PDC to groups within Samba. This is done using
the net groupmap command. Using this command, you should create two key
group mappings:
Map a local Linux group to the Domain Administrators group.
Map the local users group to the Domain Users group.
When installing Windows on a workstation, the installation program creates several
default users and groups, including the Administrators group. It provisions this group
with the privileges required to perform essential system tasks, such as setting the system
date and time and managing processes running on the system. In addition, the
Administrator user is automatically made a member of the Administrators group.
When a Windows system is made a member of the domain, the Domain Admins
group on the PDC is automatically added to the Administrators group on the local
workstation. Thus, every member of the Domain Admins group inherits the rights of
the local Administrators group.
You should create a new Linux group on the PDC that contains users who need
administrative rights to domain workstations. Once done, you can map the group to
the Domain Admins group by entering the following command at the shell prompt (as
root):
net groupmap set "Domain Admins" group_name
For example, if the name of your Linux group is Admins, you would enter:
net groupmap set "Domain Admins" Admins
To view the mapping, enter net groupmap list at the shell prompt. In the
example below, the Domain Admins group is mapped to the Admins group on the
PDC:
DA1:~ # net groupmap list
Domain Admins (S-1-5-21-3504129146-1711875527-3885176169-3001) -> Admins
DA1:~ #
In addition, you can also map the users Linux group on the PDC to the Domain Users
group in Samba. Doing this makes all of your local Linux users members of the
Domain Users group. Enter the following command:
net groupmap set "Domain Users" users
Again, you can enter net groupmap list at the shell prompt to view the
mapping. An example is shown below:
DA1:~ # net groupmap list
Domain Admins (S-1-5-21-3504129146-1711875527-3885176169-3001) -> Admins
Domain Users (S-1-5-21-3504129146-1711875527-3885176169-1201) -> users
DA1:~ #
Exercise 4-4 Configuring Samba as a Domain Controller
In this exercise, you configure a Samba server as a Primary Domain Controller.
You will find this exercise in the workbook.
(End of Exercise)
Objective 6 Integrate Samba into a Windows Domain
SLES 11 includes the Windows Domain Membership YaST module that you can use
to integrate a Linux system into a workgroup, Windows NT domain or Active
Directory domain. This allows you to use domain user accounts to authenticate to the
Linux system.
1. Start YaST and supply your root user's password.
2. In YaST, select Network Services > Windows Domain Membership.
When you start the module, the following is displayed:
Figure 4-19 The YaST Windows Domain Membership Module
3. In the Domain or Workgroup field, type the name of the domain or workgroup
you would like to add the system to.
4. Select Also Use SMB Information for Linux Authentication.
This option allows verification of passwords with the Windows server or the
Kerberos server (if joining an Active Directory domain).
5. (Optional) Select Create Home Directory on Login.
This causes local home directories to be created the first time a domain user logs
in to the system.
6. (Optional) Select Offline Authentication.
This option allows the user to log in even if the domain controller is unreachable.
However, the user must have already logged in at least once for this to work. The
first time a user logs in, his or her credentials are stored in encrypted format
locally. These credentials are then used for authentication in the event the domain
controller is unreachable.
7. Select OK.
8. If prompted, supply the credentials of your domain controller administrator.
Summary
Objective: Describe the Role and Function of Samba
Summary: Using Samba, a Linux system can be configured as a file and print server
for Linux, Mac OS X, Windows, and OS/2 workstations. Essentially, Samba allows
your Linux system to emulate a Windows server. Users can access shared directories
and printers on the Linux server just as they would on a Windows server.
You can configure Samba as a domain controller. You can even join an Active
Directory domain.
The key to making all of this work is the fact that Samba uses the Server Message
Block (SMB) protocol.
Objective: Configure a Simple File Server with Samba
Summary: Before you can configure a file server, you need to verify that the Samba
packages have been installed:
samba: The main Samba package. It contains the Samba server software.
samba-client: Contains the Samba client tools.
samba-doc (optional): Provides additional documentation about Samba.
The Samba service is configured in the /etc/samba/smb.conf file.
The options in this file are grouped into several sections. Each section starts with a
keyword in square brackets.
Objective: Configure Samba Authentication
Summary: You need to determine where Samba user accounts will be stored.
Samba maintains its own database of user accounts that are used to authenticate to
the service.
The user accounts in your /etc/passwd file are not directly used by Samba. However,
they can be mapped over to your Samba database of user accounts.
The options for storing your Samba users include /etc/samba/smbpasswd and LDAP.
Objective: Use Samba's Client Tools
Summary: Linux workstations can access Samba shares. Samba provides a variety of
tools that you can use to access shares from a Linux system. These tools can be used
to access a Samba server or a native Windows server.
These tools include nmblookup, smbclient, and the mount command.
Objective: Use Samba as a Domain Controller
Summary: Samba can function in a workgroup configuration or as a domain controller.
You can configure Samba as a domain controller by either manually editing
/etc/samba/smb.conf or by running the YaST Samba Server module.
When you do, several changes are made to the /etc/samba/smb.conf file. The
[global] section has the following changes made:
If the security level was set to share, it is changed to user.
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
In addition to these changes, the [netlogon] share is added to the end of the
smb.conf file.
Objective: Integrate Samba into a Windows Domain
Summary: SLES 11 includes the Windows Domain Membership YaST module that you
can use to integrate a Linux system into a workgroup, Windows NT domain, or Active
Directory domain.
This allows you to use domain user accounts to authenticate to the Linux system.
SECTION 5 Configure a Web Server
In this section, you learn how to install and configure the Apache Web Server on
SUSE Linux Enterprise Server 11.
Objectives
1. Set up a Basic Web Server with Apache on page 224
2. Configure Virtual Hosts on page 233
3. Limit Access to the Web Server on page 237
4. Configure Apache with OpenSSL on page 241
5. Install PHP on page 248
Objective 1 Set up a Basic Web Server with Apache
In this objective, you learn how to set up a basic Apache Web Server on SLES 11. To
do this, you need to be familiar with the following:
How a Web Server Works on page 224
Installing Apache Web Server on page 226
How a Web Server Works
There are a variety of Web server packages that you can use on Linux, but by far, the
most popular is the Apache Web Server. Most of the Web servers you access on the
Internet are actually running some version of Apache.
Web servers provide much of the functionality we associate with the Internet today. A
Web server's job is to send Web pages, graphics, and other files to clients requesting
them.
A Web server can transfer just about any type of file between the server and the
client. However, the most common type of file used with a Web server is the
Hypertext Markup Language (HTML) document. An HTML document is a text file
written using HTML markup coding that instructs the Web browser how the
information should be formatted and displayed.
A simple HTML file is shown below:
Figure 5-1 Sample HTML Document
When a user's Web browser receives this file from the Web server, it interprets the
marked-up text from the file and displays it on the screen. The information in the file
is reformatted and displayed according to the markup information it contains. For
example, when the file above is opened in a Web browser, it appears as shown below:
Figure 5-2 Viewing an HTML Document in a Web Browser
The files that comprise a Web site are saved in a special directory in the file system of
the system running the Web server daemon. This directory is called the document
root or root directory. The Apache Web server's document root is the /srv/www/
htdocs directory (you can configure a different directory as the document root for
Apache).
Communications between the Web browser and the Web server are accomplished
using the IP protocol in conjunction with the Hypertext Transfer Protocol (HTTP).
HTTP is a request/response protocol used by the Web browser to get information
from the Web server.
The browser initiates the request by establishing a TCP/IP communication session
between the client system and the Web server, which runs on TCP port 80 by default.
The Web server then listens for the browser to tell it what information it wants. The
browser does this by sending a request message to the Web server, which responds
with the requested files.
The request message consists of the following:
Request method: Specifies the resource being requested from the server. The
HTTP protocol defines several request methods, including the following:
GET: Requests the specified resource.
POST: Submits data to the Web server to be processed.
PUT: Uploads a resource to the Web server.
DELETE: Deletes a specified resource from the Web server, if permitted.
OPTIONS: Requests the HTTP methods the Web server supports.
HTTP headers: Define the characteristics of the requested data, such as
acceptable content types, character sets, encodings, languages, etc.
Message body: This is optional.
When using a Web browser, you use a Uniform Resource Locator (URL) to access
the Web server. The URL is used by your browser to specify the exact information
you need from the Web server as well as how it is to be retrieved. The syntax for a
URL is as shown below:
protocol://domain_name_or_IP:port/directory/filename
The protocol portion of the URL specifies the protocol the browser will use to
retrieve information. When accessing a Web server, you use either the HTTP or
HTTPS protocol.
The HTTP protocol transfers information from the Web server using unencrypted
communications. This level of security may be acceptable for many Web pages, but
the transfer of sensitive information requires transmissions to be encrypted.
For sensitive information, such as credit card numbers or personal information, you
should use the HTTPS protocol. HTTPS uses standard HTTP, but it also uses the
Secure Sockets Layer (SSL) protocol to encrypt the data before sending it. Only the
sender and receiver have keys that can decrypt the information.
After specifying the protocol in the URL, you next specify the domain name or IP
address of the Web server you want to access. After the address, you can optionally
specify the TCP port where the Web server is running. For example:
http://www.digitalairlines.com:81
This tells the browser to access port 81 on www.digitalairlines.com. Web browsers
default to port 80 if you don't specify a port number in the URL. Therefore, a port
number is required only if the service you are accessing is running on a port other
than 80 (HTTP) or 443 (HTTPS).
You can also specify the filename that you want to retrieve from the Web server by
appending it to the end of the URL. For example:
http://www.digitalairlines.com/index.html
This parameter is optional. Web servers are usually configured such that if no
filename is specified in the URL, they send a file named index.html by default. If
you want to request a specific file, however, you need to include it in the URL.
In addition to delivering data to the Web browser, a Web server can perform tasks
such as limiting access to specific Web pages, logging access to a file, and encrypting
the connection between a server and browser.
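As an added example, not taken from the course, the following Python code applies the URL syntax and request-message structure described above: it splits a URL into the protocol, host, port (defaulting to 80 for HTTP and 443 for HTTPS) and path parts, builds the request message a browser would send, and parses such a message back into its request line, headers and optional body. The function names, the extra headers and the request bodies are the example's own; the hosts are the ones used in the text.

```python
"""Build and parse HTTP/1.1 request messages as described above.

Added example, not Novell course material. Uses only the standard library.
"""
from urllib.parse import urlsplit

METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}   # methods listed in the text
DEFAULT_PORTS = {"http": 80, "https": 443}              # used when the URL has no port


def split_url(url: str) -> dict:
    """Break protocol://domain_name_or_IP:port/directory/filename into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    path = parts.path or "/"        # no filename: the server falls back to index.html
    if parts.query:
        path += "?" + parts.query
    return {"protocol": parts.scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[parts.scheme], "path": path}


def build_request(url: str, method: str = "GET", body: bytes = b"") -> bytes:
    """Produce the request message: request line, headers, blank line, body."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    u = split_url(url)
    # The Host header carries the port only when it differs from the default.
    host = u["host"] if u["port"] == DEFAULT_PORTS[u["protocol"]] \
        else f"{u['host']}:{u['port']}"
    lines = [f"{method} {u['path']} HTTP/1.1", f"Host: {host}",
             "Accept: text/html", "Connection: close"]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_request(raw: bytes) -> dict:
    """Parse a request message; reject unknown methods and malformed headers."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {lines[0]!r}") from None
    if method not in METHODS or not version.startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A header name must be present and must not start with whitespace.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header: {line!r}")
        headers[name.lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": rest[:length]}


if __name__ == "__main__":
    # The two URLs from the text: explicit port 81, and default port with a file.
    for url in ("http://www.digitalairlines.com:81",
                "http://www.digitalairlines.com/index.html"):
        print(split_url(url))
        print(build_request(url).decode("ascii"))
    print(parse_request(build_request("http://www.digitalairlines.com/form",
                                      "POST", b"q=1")))
```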
Installing Apache Web Server
To install Apache on your SLES 11 system, you need to install the following
packages:
apache2: Basic Web server software.
apache2-prefork: Additional Apache package that influences the
multiprocessing behavior of the Web server.
apache2-example-pages: Sample HTML pages.
apache2-doc: Apache Web server documentation.
The easiest way to do this is to run YaST, access the Software Management module,
and install the Web and LAMP Server pattern. This is shown in the figure below:
Figure 5-3 Installing Apache Web Server in YaST
When you install the Web and LAMP Server pattern, YaST automatically resolves
dependencies for you and may prompt you to install one or more additional packages.
If this is the case, be sure to install the additional packages by selecting Continue.
After installing the required software, you need to start the Apache Server service on
your SLES 11 system. You do this by opening a terminal window, switching to root,
and then entering the following command at the shell prompt:
rcapache2 start
or
/etc/init.d/apache2 start
You can verify that Apache is running by entering one of the following at the shell
prompt:
rcapache2 status
or
/etc/init.d/apache2 status
If you need to stop Apache, you can enter one of the following to stop the Web server:
rcapache2 stop
or
/etc/init.d/apache2 stop
If you want the Web server to start automatically every time the server is booted,
enter the following at the shell prompt:
insserv apache2
This command causes Apache to be automatically started at runlevels 3 and 5.
To test the Web server after installation, open a Web browser on your SLES 11 server
desktop and enter the following URL:
http://localhost
If Apache was installed correctly and the apache2-example-pages package is installed,
the browser should display the following page:
Figure 5-4 Testing the Web Server
If your SLES 11 system is connected to the network, you can access the Web server
remotely from other hosts by opening a browser and then accessing the following URL:
http://IP_address or http://DNS_name
By default, Apache stores the documents it serves in the document root
/srv/www/htdocs. After installing Apache, the document root contains the Apache
example page shown above. The default files in the document root are shown below:
Figure 5-5 Default Web Server Files
You can replace the files in the document root directory with your own Web server
content. Simply create your own content and copy it to /srv/www/htdocs.
However, be aware that the Apache daemon must have at least read access to your
Web server content files. Apache runs as the wwwrun user on SLES 11. Therefore,
you need to make sure that wwwrun has read access to the files in the document root
directory, using the chmod command as needed.
When creating your Web server content, you can create subdirectories within the
document root. If you do, you can access those subdirectories by adding the name of
the subdirectory to your URLs:
http://server_address/subdirectory/
If a filename is not included in the URL, Apache looks for a file with the name
index.html in the specified directory.
NOTE: You can change the name of the default file in the Apache configuration files.
Using the Apache Configuration Files
The Apache Web server is configured using a variety of configuration files located in
/etc/apache2/. To configure the Apache Web server, you need to be familiar
with the following:
Location of the Apache Configuration Files on page 230
Basic Rules for Apache Configuration Files on page 230
Location of the Apache Configuration Files
The configuration of the Apache Web Server is spread among several configuration
files located in the /etc/apache2/ directory. These files are shown below:
Figure 5-6 Apache Web Server Configuration Files
The following are some of the more important Apache configuration files:
httpd.conf: The main Apache configuration file.
default-server.conf: Contains the basic Web server configuration. However,
options set in this file can be overwritten by options in other configuration files.
vhost.d/: Directory that contains configuration files for virtual hosts. You will
learn more about virtual hosts later in this section.
uid.conf: Sets the user and group ID used by Apache. By default, Apache uses
the wwwrun user and the www group.
listen.conf: Specifies the IP addresses and ports the Apache daemon is listening
on. By default, Apache listens on all interfaces on port 80.
server-tuning.conf: Used to fine tune the performance of the Apache daemon.
The default values in this file are usually appropriate for most installations.
However, if your Web server must handle a large number of simultaneous
requests, then you can adjust the values in this file to increase performance.
error.conf: Configures the behavior of Apache when a request cannot be handled
correctly.
ssl-global.conf: Configures the encryption of connections with SSL.
/etc/sysconfig/apache2: This file contains variables that are used to create
apache2 configuration files in /etc/apache2/sysconfig.d/.
Basic Rules for Apache Configuration Files
The options contained within the Apache configuration files are called directives.
Directives are case insensitive, which means that include is interpreted the same as
Include, but arguments to directives such as paths and filenames, are often case
sensitive.
Directives can be grouped so that they apply only to a specific Web server directory
instead of the entire server. For example, in the following the directives are applied
only to the /srv/www/htdocs directory:
<Directory "/srv/www/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Notice in this example that the directives are nested within the
<Directory "/srv/www/htdocs"> and </Directory> tags, which limits their application to
only the /srv/www/htdocs directory.
You can use the # character to indicate comments in the configuration file. All lines
starting with a # are ignored by the Apache daemon.
Whenever you modify an Apache configuration file, you need to reload the Web
server to have the change applied. This is done by entering the following command at
the shell prompt (as root):
rcapache2 reload
This command forces the Apache daemon to reload its configuration files without
stopping and restarting. Some changes, such as changing the port the server listens
on, will require you to stop and restart the Apache daemon. This is done by entering
the following command at the shell prompt (as root):
rcapache2 restart
After making changes to the Apache configuration files, you can verify that your
modifications use the correct syntax by entering the following command at the shell
prompt (as root):
apache2ctl configtest
If the syntax is correct, the command displays a Syntax OK message.
The Default Apache Configuration
The default Apache Web server configuration is defined in the
/etc/apache2/default-server.conf file. A sample default-server.conf file is shown below:
DocumentRoot "/srv/www/htdocs"
<Directory "/srv/www/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
<IfModule mod_userdir.c>
UserDir public_html
Include /etc/apache2/mod_userdir.conf
#AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
</IfModule>
Include /etc/apache2/conf.d/*.conf
Include /etc/apache2/conf.d/apache2-manual?conf
The following table provides an overview of some of the more important directives
used in the default-server.conf file:
Table 5-1 default-server.conf Directives
DocumentRoot: Specifies the document root directory used by the Web server.
<Directory dir_name> ... </Directory>: All directives listed within this block apply
only to the specified directory.
Options: With this directive, additional options can be applied to logical blocks
such as directories.
AllowOverride: Determines whether directives are allowed to be overwritten by a
configuration option found in a .htaccess file in a directory.
Alias fakename realname: Allows you to create an alias to a directory.
ScriptAlias: Allows you to create an alias to a directory containing scripts for
dynamic content generation.
In most cases, the default settings in this file are suitable for most installations and
don't need to be modified. The default-server.conf file that is installed by default
contains comments that explain the respective entries.
NOTE: An overview of all Apache directives can be found at
http://httpd.apache.org/docs/2.2/mod/directives.html.
Objective 2 Configure Virtual Hosts
Now that you understand how to configure the default Apache Web server, you are
ready to create virtual hosts. To use the virtual host feature of Apache, you need to do
the following:
Understand Virtual Hosts on page 233
Configure a Virtual Host on page 234
Understand Virtual Hosts
In its default configuration, the Apache Web server can be reached from a browser
using the following URLs:
http://localhost (from the computer where the Web server is running)
http://web_server_IP_address
http://web_server_hostname
For all of these URLs, Apache serves the files located in the document root directory.
This configuration works well for a basic Web server. However, Apache can also be
configured to host multiple virtual Web servers on the same physical server system.
These virtual Web servers are called virtual hosts.
This allows you to host Web servers for multiple domains on the same system. For
example, suppose your organization has its own domain: www.digitalairlines.com.
In addition, your organization wants to allow local subsidiaries to present themselves
with their own domains:
www.digitalairlines-slc.com
www.digitalairlines-la.com
Using just the basic Apache configuration, you would have to set up three separate
servers to host the three domains. Fortunately, using virtual hosts, you can set up a
virtual host for each domain on the same server. Each domain is accessed using its
domain name on port 80.
To access a virtual host, a separate DNS entry is needed for every virtual host on the
Apache Web server. The following outlines the steps of sending a request to the
virtual host www.digitalairlines-slc.com:
1. The Web browser requests the IP address of the host www.digitalairlines-slc.com
from a DNS server.
2. The browser uses the IP address to request a file from the Apache Web server
listening on the IP address of www.digitalairlines-slc.com.
3. In the HTTP request, the browser includes the host name of the server it wants to
reach.
4. Apache uses the host name to determine the corresponding virtual host and
delivers the requested data from that host.
Configure a Virtual Host
To create a virtual host, you need to create a configuration file in the
/etc/apache2/vhosts.d/ directory. The name of the configuration file has to end
with .conf.
You can use the vhost.template file in the /etc/apache2/vhosts.d/
directory as a template for your virtual host configuration file. You need to edit the
following directives in the template:
Table 5-2 Virtual Host Directives
ServerAdmin: Type the e-mail address of the virtual host system administrator here.
ServerName: Type the host name of the virtual host as it is configured in the DNS
record.
DocumentRoot: Set the document root directory of the virtual host. The directory
and the files in the directory must be readable by the wwwrun user.
ErrorLog: Type a filename for the error log.
CustomLog: Type a filename for the log file.
ScriptAlias: Set the ScriptAlias to a directory of your choice. The directory must
not be under the DocumentRoot of the virtual host. If you don't need scripts for
dynamic content creation, delete this directive.
<Directory script_dir>: If you've set a ScriptAlias, you have to specify the
directory which contains the script files. If you are not using a ScriptAlias, you can
delete this directive.
<Directory document_root>: You need to modify the pathname of this directive to
your document root path.
After customizing the virtual host file, you need to reload the Apache daemon. You
also need to make sure the DNS record for the domain has been updated so that the
virtual host domain name resolves correctly.
In addition to the above, you need to activate name-based virtual hosting in
/etc/apache2/listen.conf. Remove the comment sign in front of one of the lines
starting with NameVirtualHost, as shown in the following:
...
# Use name-based virtual hosting
#
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
#NameVirtualHost *:80
#
# - on all addresses and ports. This is your best bet when you are on
# dynamically assigned IP addresses:
#
NameVirtualHost *
Exercise 5-1 Configure a Virtual Host
In this exercise, you configure a virtual host for the accounting department.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Limit Access to the Web Server
By default, Apache allows Web server data access to all network hosts that can reach
the server. This configuration is appropriate for public Web servers. However, there
may be times when you need to restrict access to the content on the Web server to
specific users or hosts. This can be done in two ways:
Limiting Access By Network Address on page 237
Requiring User Authentication on page 238
Limiting Access By Network Address
If you need to limit access to Web server content to specific network hosts, you can
add directives to your configuration file that limit access based on a host's IP address
or domain name. You can use the following directives to limit access to the Web
server based on host address:
Table 5-3 Apache Configuration File Directives for Restricting Access Based on IP Address
allow: IP addresses or networks listed after this directive are allowed to access the
Web server.
deny: IP addresses or networks listed after this directive are not allowed to access
the Web server.
order: This directive sets the order in which the allow and deny directives are
evaluated.
These directives must be added within a <Directory> block. This causes Apache
to restrict access to all data in that directory as well as its subdirectories based on the
parameters you supply.
For example, suppose you wanted to restrict access to the data in the
/srv/www/htdocs directory on the Web server to hosts on the 10.0.0.0/24 network only.
You could add the following directives:
<Directory "/srv/www/htdocs">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Directory>
The lines in the block above do the following:
<Directory /srv/www/htdocs>: Starts the directory block. The directives
within the block apply only to the /srv/www/htdocs directory on
the Web server.
Order deny,allow: Determines the order in which the allow and deny directives
are evaluated. You have the following options:
Deny,Allow: Deny directives are evaluated before the allow directives.
Access is allowed by default. Any client which does not match a deny
directive or does match an allow directive is allowed access to the server.
Allow,Deny: Allow directives are evaluated before the deny directives.
Access is denied by default. Any client which does not match an allow
directive or does match a deny directive is denied access to the server.
Deny from all: Deny directive is evaluated first and, in this case, access is
denied for all clients.
You can use the following options with the deny and the allow directives:
all: Applies to all hosts.
A (partial) domain name: Applies to hosts whose names match the given
expression (such as novell.com). Only complete domain components are
matched. For example, specifying novell.com matches www.novell.com
but not foonovell.com.
A full IP address: Applies to a specific IP address (such as 10.0.0.23).
A partial IP address: Applies to IP addresses starting with the specified IP
address fragment (such as 10.0.0).
A network/netmask pair: Applies to IP addresses matching the given
network/netmask pair (such as 10.0.0.0/255.255.255.0).
A network/CIDR specification: Applies to IP addresses matching the
given CIDR expression (such as 10.0.0.0/24).
Allow from 10.0.0.0/24: This allow directive is evaluated after the deny
directive. In this case, hosts in the network 10.0.0.0/24 are allowed access.
</Directory>: Ends the directory block.
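The two Order variants are easy to get backwards, so the following Python script, an added example rather than code from the manual, reimplements Apache 2.2's Order/Allow/Deny evaluation for the argument forms listed above and runs it over constructed sample clients: the 10.0.0.0/24 block from the text, a lockout caused by combining Order allow,deny with Deny from all, and a domain-name match. The block texts, client addresses and client names are constructed.

```python
"""Model of Apache 2.2 host-based access control (Order, Allow from, Deny from).
Added example, not code from the manual. Only the argument forms named in the
text are handled: all, (partial) domain name, full or partial IPv4 address,
network/netmask and network/CIDR.
"""
import ipaddress


def _match(pattern, client_ip, client_name=None):
    """Return True when one Allow/Deny argument matches the client."""
    p = pattern.strip()
    if p.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in p:   # 10.0.0.0/24 and 10.0.0.0/255.255.255.0 are both accepted
        return ip in ipaddress.ip_network(p, strict=False)
    parts = p.split(".")
    if all(part.isdigit() for part in parts):
        if len(parts) == 4:          # full address: exact match only
            return ip == ipaddress.ip_address(p)
        # partial address: 10.0.0 matches 10.0.0.*, not 10.0.10.*
        return client_ip.split(".")[:len(parts)] == parts
    # domain name: only complete components match, so novell.com matches
    # www.novell.com but not foonovell.com (requires a resolved client name)
    if client_name is None:
        return False
    name, p = client_name.lower().rstrip("."), p.lower().rstrip(".")
    return name == p or name.endswith("." + p)


def check_access(order, allow, deny, client_ip, client_name=None):
    """Apply the two Order variants exactly as the text describes them."""
    allowed = any(_match(a, client_ip, client_name) for a in allow)
    denied = any(_match(d, client_ip, client_name) for d in deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # allowed by default: refused only if a Deny matches and no Allow does
        return allowed or not denied
    if key == "allow,deny":
        # denied by default: admitted only if an Allow matches and no Deny does
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")


def parse_directory_block(text):
    """Collect Order/Allow/Deny arguments from a <Directory> block.
    Directive names are case insensitive and '#' lines are comments; Apache's
    documented default Order is Deny,Allow.
    """
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#<":
            continue
        name = words[0].lower()
        if name == "order" and len(words) == 2:
            order = words[1]
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny


def is_allowed(block_text, client_ip, client_name=None):
    return check_access(*parse_directory_block(block_text), client_ip, client_name)


# Constructed sample: the block from the text, restricted to 10.0.0.0/24.
RESTRICTED_BLOCK = """
<Directory "/srv/www/htdocs">
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24
</Directory>
"""

# Constructed sample: with Allow,Deny access is denied by default, so an
# explicit "Deny from all" matches every client and locks everyone out.
LOCKOUT_BLOCK = """
<Directory "/srv/www/htdocs">
    Order allow,deny
    Deny from all
    Allow from 10.0.0.0/24
</Directory>
"""

# Constructed sample: the same intent written correctly with Allow,Deny and
# extended with a domain-name argument.
ALLOW_DENY_BLOCK = """
<Directory "/srv/www/htdocs">
    Order allow,deny
    Allow from 10.0.0.0/24 novell.com
</Directory>
"""

if __name__ == "__main__":
    for ip in ("10.0.0.23", "10.0.1.5", "192.0.2.9"):
        print(ip, is_allowed(RESTRICTED_BLOCK, ip), is_allowed(LOCKOUT_BLOCK, ip))
```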
Requiring User Authentication
By limiting access to certain network addresses, you control the hosts that can access
the Web server. However, you have no control over who is using the host.
To rectify this, Apache also allows you to restrict access based on username. This is
called basic authentication. Basic authentication requires users to log in before they
can access the data on the Web server.
Before you can configure Apache to use basic authentication, you first have to create
user accounts for the Web server daemon. This is done using the htpasswd2
command line utility. The following command creates a password file for Apache to
use named /etc/apache2/htpasswd and adds a new user account named tux.
htpasswd2 -c /etc/apache2/htpasswd tux
When you add a user to the htpasswd file for the first time, you have to call
htpasswd2 with the -c option to initially create the file. You can use a different
location for the password file, but you have to make sure that it's readable by the
wwwrun user. It also must not reside within the document root of the Web server.
The htpasswd2 utility prompts you for a password for the user as you create the
user account.
If you want to add more users, use the following command:
htpasswd2 /etc/apache2/htpasswd username
To delete a user from the password file, use the following command:
htpasswd2 -D /etc/apache2/htpasswd username
After you have created your htpasswd file and added your user accounts, you next
need to configure Apache to prompt for a password when accessing restricted data.
To do this, you need to add the following lines to the <Directory> block for the
directory that you want to restrict:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require user tux
The directives above do the following:
AuthType Basic: Sets the authentication method, in this case to Basic
authentication.
AuthName "Restricted Files": Sets the name of the authorization realm for the
directory. This realm is sent to the client so that the user knows which username
and password to use. If the realm name contains spaces, it must be enclosed in
quotation marks, as shown in the example above. It must also be accompanied by
the AuthType, Require, and AuthUserFile directives.
AuthUserFile /etc/apache2/htpasswd: Specifies the password file used for the
restricted directory.
Require user tux: Lists the users from the password file who are allowed to
access the directory. You can add more than one user by separating the
usernames with spaces, or you can use the following directive:
Require valid-user
This defines that any valid username in the password file is granted access.
NOTE: The password is transferred cleartext over the network. For critical applications, you should
configure SSL encryption. This is discussed in the next objective.
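A small checker for the rules this section states about virtual host files and the password file: the file name must end in .conf, ScriptAlias and AuthUserFile targets must not lie under the DocumentRoot, and the authentication directives must appear together. This is an added example, not code from the manual; the two vhost texts, the accounting.digitalairlines.com name and the paths under /srv/www/vhosts/ are constructed.

```python
"""Lint a vhosts.d file against the rules given in this section.
Added example, not code from the manual.
"""
import os
import shlex


def parse_directives(text):
    """Return (directive_name_lowercased, arguments) pairs.
    Comment lines and <...> block tags are skipped; quoted arguments such as
    AuthName "Restricted Files" stay together.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        words = shlex.split(line)
        found.append((words[0].lower(), words[1:]))
    return found


def is_under(path, root):
    """True when path equals root or lies anywhere below it."""
    p, r = os.path.normpath(path), os.path.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "require"}


def lint_vhost(filename, text):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    if not filename.endswith(".conf"):
        findings.append(f"{filename}: only files ending in .conf are read from vhosts.d")
    directives = parse_directives(text)
    docroot = next((a[0] for n, a in directives if n == "documentroot" and a), None)
    if docroot is None:
        findings.append("no DocumentRoot directive found")
        return findings
    for name, args in directives:
        if name == "scriptalias" and len(args) == 2 and is_under(args[1], docroot):
            findings.append(f"ScriptAlias directory {args[1]} lies under DocumentRoot {docroot}")
        if name == "authuserfile" and args and is_under(args[0], docroot):
            findings.append(f"AuthUserFile {args[0]} lies under DocumentRoot {docroot}")
    present = {n for n, _ in directives} & AUTH_DIRECTIVES
    if present and present != AUTH_DIRECTIVES:
        missing = ", ".join(sorted(AUTH_DIRECTIVES - present))
        findings.append(f"incomplete basic authentication setup: missing {missing}")
    return findings


# Constructed sample following the fields of vhost.template.
GOOD_VHOST = """
<VirtualHost *:80>
    ServerAdmin webmaster@accounting.digitalairlines.com
    ServerName accounting.digitalairlines.com
    DocumentRoot /srv/www/vhosts/accounting/htdocs
    ErrorLog /var/log/apache2/accounting-error_log
    CustomLog /var/log/apache2/accounting-access_log combined
    ScriptAlias /cgi-bin/ "/srv/www/vhosts/accounting/cgi-bin/"
    <Directory "/srv/www/vhosts/accounting/htdocs">
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
"""

# Constructed sample with the mistakes the text warns about; directive names
# are written in lower case to show that they are case insensitive.
BAD_VHOST = """
<VirtualHost *:80>
    # accounting vhost, draft
    servername accounting.digitalairlines.com
    documentroot /srv/www/vhosts/accounting/htdocs
    scriptalias /cgi-bin/ "/srv/www/vhosts/accounting/htdocs/cgi-bin/"
    <Directory "/srv/www/vhosts/accounting/htdocs">
        authtype Basic
        authname "Restricted Files"
        authuserfile /srv/www/vhosts/accounting/htdocs/.htpasswd
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for fname, text in (("accounting.conf", GOOD_VHOST), ("accounting.vhost", BAD_VHOST)):
        print(fname, lint_vhost(fname, text) or ["ok"])
```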
Exercise 5-2 Configure User Authentication
In this exercise, you add user authentication to your virtual host.
You will find this exercise in the workbook.
(End of Exercise)
Objective 4 Configure Apache with OpenSSL
By default, the connections between the Web browser and the Web server are not
encrypted. All data is passed as clear text. Anyone running sniffer software can
capture a copy of the network packets exchanged between browser and server,
allowing them to view the transferred information.
For public Web servers, this may be an acceptable situation. However, for Web sites
that store sensitive information and require authentication, you should encrypt the
communications between the browser and the server.
The Apache daemon can be configured to use the Secure Sockets Layer (SSL)
protocol to encrypt the connection. To configure SSL encryption with an Apache
Web server, you need to be familiar with the following:
How SSL Encryption Works on page 241
Creating a Test Certificate on page 243
Configuring Apache to Use SSL on page 245
How SSL Encryption Works
SSL uses RSA keys to encrypt and decrypt data transmissions between the Apache
server and client browsers. RSA is also used by other encryption software, such as
Pretty Good Privacy (PGP) to encrypt e-mails and Secure Shell (ssh) to
encrypt data transfers between two computers.
SSL encryption is based on the use of two different keys, an approach called public
key cryptography or asymmetric key cryptography:
Private key
Public key
With asymmetric encryption, the key used to encrypt data is different from the key
used to decrypt it. The private key is known only to the owner, but the public key is
freely distributed. Data is encrypted by the sender with the recipient's public key and
can be decrypted only with the associated private key.
The following figure depicts the encryption process:
Figure 5-7 Encrypting Data
NOTE: Actually SSL is a bit more complex than described above, as the public/private key pair is
not used to directly encrypt/decrypt the data sent, but to encrypt/decrypt another key that is used to
encrypt/decrypt the transmitted data using a symmetric encryption algorithm.
In addition to encrypting and decrypting data, public and private keys can also be
used to digitally sign data. When data is signed, a cryptographic checksum is
generated from the data. The sender then signs the checksum with the sender's private key.
The signature can be checked by the recipient using the public key of the sender. This
allows the recipient to determine whether the data is really from the sender. The
recipient can also verify that the data has not been modified by a third party.
The following illustrates the digital signing process:
Figure 5-8 Digitally Signing Data
[Figure 5-7 shows the sender encrypting "This is unencrypted text." with the public key of the recipient and the recipient decrypting the ciphertext with the private key of the recipient. Figure 5-8 shows the sender signing "This is text.." with the private key of the sender and the recipient checking the signature with the public key of the sender, with the result "Signature valid" or "Signature invalid".]
The encryption process described above works well; however, it has a weakness.
How can you verify who owns the public key? In other words, can you really be sure
the sender really is who they claim to be?
The solution to this problem is to use a Certificate Authority (CA) as a trusted third
party, which signs public keys with its own private key. A public key that is
signed by a CA is also called a certificate.
You can set up your own CA or use a third-party CA. Examples of well-known third-
party CAs include organizations such as VeriSign and VISA. The public keys from these
organizations are automatically installed into most popular Web browsers. By
verifying the signature with the public key of the CA, the browser can verify that the
public key from a Web server is valid.
The following describes the process of using SSL encryption with a CA to secure
Web server communications:
1. The browser identifies a URL starting with https:// as a secure connection
that should be encrypted.
The default port for HTTPS connections is 443 instead of 80 (which is used for
normal unencrypted HTTP connections).
2. The Web browser asks the server for its public RSA key (certificate).
3. The Web server sends the public key to the Web browser.
4. The Web browser verifies the key from the server with the public key of the CA
that signed the key.
5. If the key is valid, the Web browser and Web server establish a secure
connection.
You need an officially signed key to set up a secure Web server in this manner. You
can, however, also set up your own CA and sign a certificate yourself. This can be a
useful tool when testing a secure Web server.
However, be aware that if you use a self-signed certificate, most Web browsers won't
recognize your CA. Users will have to manually add your CA to their list of trusted
CAs. We recommend that you don't use self-signed certificates in a production
environment.
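To make the key-pair, signature and CA steps above concrete, the following Python script is an added example (not code from the manual) that models them with textbook RSA on small fixed primes and a toy XOR stream cipher standing in for the symmetric algorithm from the NOTE; it is a teaching model only, and the primes, key values, session key and the www.digitalairlines.com certificate are constructed. It also shows why a certificate signed by a CA the browser does not trust is refused, which is what happens with a self-signed certificate.

```python
"""Toy model of the asymmetric encryption, digital signature and CA
verification described in this objective.
Added example, not code from the manual. Textbook RSA with small constructed
primes and no padding: a teaching model only, never for real keys.
"""
import hashlib


def toy_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def _checksum(data, n):
    """The "cryptographic checksum" of the data, reduced to fit the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_checksum(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _checksum(data, n)


def xor_stream(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from key.
    Stands in for the symmetric algorithm mentioned in the NOTE above."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_certificate(ca_private, server_name, server_public):
    """A certificate is the server's public key plus its name, signed by the CA."""
    body = f"{server_name}|{server_public[0]}|{server_public[1]}".encode()
    return body, sign(ca_private, body)


def client_encrypt(trusted_ca_public, certificate, expected_name, session_key, plaintext):
    """Browser side of steps 2-5: verify the certificate with the CA's public
    key, check the host name, then wrap a session key with the server's public
    key and encrypt the data with it. Returns None if the certificate is refused."""
    body, signature = certificate
    if not verify(trusted_ca_public, body, signature):
        return None                         # unknown CA, e.g. self-signed
    name, n, e = body.decode().split("|")
    if name != expected_name:
        return None                         # certificate issued for another host
    wrapped_key = encrypt((int(n), int(e)), session_key)
    return wrapped_key, xor_stream(session_key, plaintext)


def server_decrypt(server_private, wrapped_key, ciphertext):
    """Server side: unwrap the session key with the private key, then decrypt."""
    return xor_stream(decrypt(server_private, wrapped_key), ciphertext)


# Constructed keys: a trusted CA, a Web server, and a CA the browser does not know.
CA_PUBLIC, CA_PRIVATE = toy_keypair(104729, 1299709)
SERVER_PUBLIC, SERVER_PRIVATE = toy_keypair(7919, 65537)
OWN_CA_PUBLIC, OWN_CA_PRIVATE = toy_keypair(61, 53)
SERVER_CERT = issue_certificate(CA_PRIVATE, "www.digitalairlines.com", SERVER_PUBLIC)
SELF_SIGNED_CERT = issue_certificate(OWN_CA_PRIVATE, "www.digitalairlines.com", SERVER_PUBLIC)

if __name__ == "__main__":
    result = client_encrypt(CA_PUBLIC, SERVER_CERT, "www.digitalairlines.com", 12345, b"This is text..")
    print(server_decrypt(SERVER_PRIVATE, *result))
    print(client_encrypt(CA_PUBLIC, SELF_SIGNED_CERT, "www.digitalairlines.com", 12345, b"x"))
```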
Creating a Test Certificate
As mentioned above, however, self-signed certificates can be very useful for testing a
secure Web site implementation. To create a test certificate, you need to complete the
following tasks:
Create an RSA Key Pair on page 244
Sign the Public Key to Create a Certificate on page 244
Create an RSA Key Pair
To create the key pair, you first need to create a file containing as many random
numbers as possible. You can generate a file of this type from the shell prompt by
entering the following command:
cat /dev/random > /tmp/random
Stop this procedure after a few minutes by pressing Ctrl+C.
The file generated should be at least a thousand bytes in size. You can speed the
gathering of random numbers by creating some activity on your computers, such as
moving the mouse, starting and stopping programs, etc.
You can now generate the key pair by entering the following command:
openssl genrsa -des3 -out server.key -rand /tmp/random 2048
During the process, you are prompted to enter a password. This password is used to
secure the private key of the key pair. The generated keys are saved together in the
server.key file.
Sign the Public Key to Create a Certificate
Next you need to sign your public key to create the certificate. This is done by
entering the following command:
openssl req -new -x509 -key server.key -out server.crt
During the process, you are prompted for the following information:
Enter pass phrase for server.key: Passphrase you chose for the server key.
Country Name (2 letter code) [AU]: Country code of your country (such as DE
for Germany).
State or Province Name (full name) [Some-State]: State or province name. You
can enter a period (.) to leave this field blank.
Locality Name (eg, city) []: Name of your city.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Name of your
company.
Organizational Unit Name (eg, section) []: Name of your organizational unit.
You can enter a period (.) to leave it blank.
Common Name (eg, YOUR name) []: Fully qualified domain name of your
system (such as www.digitalairlines.com). The certificate will be valid for this
host name only.
Email Address []: E-mail address of the administrator who is responsible for the
server.
After you have answered all questions, the server certificate is saved into the
server.crt file.
Finally, copy the server.key and server.crt files to the following locations:
server.key: /etc/apache2/ssl.key/ directory.
server.crt: /etc/apache2/ssl.crt/ directory.
Configuring Apache to Use SSL
After you have generated the RSA key pair and the server certificate, you next need
to configure Apache to use SSL.
First, you need to change two settings in the /etc/sysconfig/apache2 file.
Set the following variables to the appropriate values:
APACHE_START_TIMEOUT=10: Extends the start timeout of Apache so
that you have more time to enter the passphrase of the private RSA key.
APACHE_SERVER_FLAGS=SSL: Additional server flag SSL, which
defines the SSL variable when evaluating the Apache configuration files. This
enables Apache to listen on port 443 as well as port 80.
You also need to modify the server configuration files to enable SSL. This can be
accomplished by doing one of the following:
Configuring the Main Server to Use SSL Encryption on page 245
Configuring a Virtual Host to Use SSL Encryption on page 246
Configuring the Main Server to Use SSL Encryption
To configure the main server to use SSL encryption, you need to add the following
directives to the /etc/apache2/default-server.conf file (you can find
these directives and detailed explanations in the
/etc/apache2/vhosts.d/vhost-ssl.template file):
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
These directives do the following:
SSLEngine on: Enables the Apache SSL engine.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:
Sets the details of the encryption method. The line displayed above is the default
Apache configuration.
NOTE: For more information about this directive, go to
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite.
SSLCertificateFile /etc/apache2/ssl.crt/server.crt: Points to the server
certificate file.
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key: Points to the server
key file.
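The SSLCipherSuite value above deserves a review before it is deployed, because the operators in an OpenSSL cipher string do not all remove ciphers. The following script is an added example, not code from the manual or from Apache: it checks a cipher string for weak classes that are selected or merely reordered, and for weak classes never removed with "!"; the hardened replacement string it uses is constructed for the example.

```python
"""Review an Apache SSLCipherSuite value before it goes into
default-server.conf or a vhost file.

Added example, not code from the Novell manual or from Apache. It assumes the
OpenSSL cipher-list syntax the directive uses: "!X" removes class X for good,
"-X" removes it but a later token may add it back, "+X" only MOVES matching
ciphers to the end of the list without removing any, and "A+B" inside one
token selects ciphers that belong to both classes. Two things are checked:
weak classes the string selects or merely reorders, and weak classes it never
removes with "!" (the only operator a reviewer can rely on).
"""
from typing import Dict, List, Tuple

# Weak class -> the "!" exclusions that remove it (OpenSSL aliases included).
# eNULL = no encryption, aNULL/ADH = unauthenticated key exchange,
# EXP*/EXPORT* = 40/56-bit export grade, LOW = weak ciphers such as single
# DES, SSLv2 = SSLv2 suites, RC4 = prohibited for TLS by RFC 7465.
WEAK_CLASSES: Dict[str, set] = {
    "eNULL": {"eNULL", "NULL"},
    "aNULL": {"aNULL"},
    "ADH": {"aNULL", "ADH"},
    "EXP": {"EXP", "EXPORT"},
    "EXPORT40": {"EXP", "EXPORT", "EXPORT40"},
    "EXPORT56": {"EXP", "EXPORT", "EXPORT56"},
    "LOW": {"LOW"},
    "SSLv2": {"SSLv2"},
    "RC4": {"RC4"},
}


def tokens(cipher_suite: str) -> List[str]:
    """Colon-separated tokens of the directive value, blanks dropped."""
    return [t.strip() for t in cipher_suite.split(":") if t.strip()]


def selected_weak(cipher_suite: str) -> List[Tuple[str, str]]:
    """(class, token) for every weak class a token selects or reorders.

    "+eNULL" after "ALL" adds nothing (ALL already leaves out eNULL), but it
    is reported anyway: the intent should be spelled "!eNULL" instead.
    """
    findings = []
    for token in tokens(cipher_suite):
        if token[0] in "!-":
            continue  # "!" removes for good; "-" removes (re-adding is unusual)
        selector = token[1:] if token[0] == "+" else token
        for part in selector.split("+"):  # "RC4+RSA": both classes must match
            if part in WEAK_CLASSES:
                findings.append((part, token))
    return findings


def missing_exclusions(cipher_suite: str) -> List[str]:
    """Weak classes that no "!" token removes."""
    excluded = {t[1:] for t in tokens(cipher_suite) if t.startswith("!")}
    return [cls for cls, removers in WEAK_CLASSES.items() if not removers & excluded]


def audit(cipher_suite: str) -> dict:
    """Verdict for a config-review script: ok only if nothing weak is
    selected and every weak class is explicitly removed."""
    selected = selected_weak(cipher_suite)
    missing = missing_exclusions(cipher_suite)
    return {"ok": not selected and not missing,
            "selected": selected, "not_excluded": missing}


if __name__ == "__main__":
    # The value shown in the manual (the Apache 2.2 default at the time)
    manual_value = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    # A constructed replacement that removes the weak classes outright
    hardened = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5"
    for value in (manual_value, hardened):
        print(value)
        print("  ", audit(value))
```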
After you make the above modifications, you need to restart Apache. When you do,
the Apache daemon prompts you for the passphrase of the server key file.
WARNING: The Apache server might not start up correctly at boot time in this configuration. This
is because it requires the passphrase for the server key. If this happens, you should disable apache2
in all run levels and then start it manually after the system has booted.
Once done, you can access the Web server host via SSL by using the URL
https://server_address.
Configuring a Virtual Host to Use SSL Encryption
You can also configure a virtual host to use SSL instead of the main server. To do this,
add the directives described in Configuring the Main Server to Use SSL Encryption
on page 245 to your virtual host configuration file. You also need to modify your
virtual host definition to the following:
<VirtualHost your_hostname:443>
Exercise 5-3 Configure SSL for a Virtual Host
In this exercise, you add SSL encryption to a virtual host.
You will find this exercise in the workbook.
(End of Exercise)
Objective 5 Install PHP
PHP is a very popular scripting language for Web applications. In this objective, you
learn how to install PHP on SLES 11. The following topics are addressed:
How PHP Works on page 248
Installing PHP on page 249
Testing the PHP Installation on page 250
How PHP Works
PHP is a scripting language used in conjunction with the Apache Web server. It
accepts PHP code as its input and uses it to output HTML documents. Because of the
way it operates, PHP is considered a server-side scripting language, meaning the
processing of the script is done by the server running the Web server, not the client
Web browser.
To install a PHP Web application, the script files need to be copied into the document
root of the Web server. PHP files usually have an extension of .php.
A PHP application can be started by accessing the PHP file with a URL such as
http://www.mydomain.com/application.php. The Web server then
opens the PHP file. However, instead of sending it directly to the browser, it is passed
through the PHP interpreter first.
The PHP interpreter runs the PHP script in the file and passes the dynamically
generated HTML output through the Web server to the browser. The end user never
sees the PHP application code.
The PHP interpreter is implemented as an Apache extension module. You can also
run PHP applications directly via CGI, but this is not covered in this course.
The following is an overview of the PHP architecture:
Figure 5-9 PHP Framework
Installing PHP
On SLES 11, the PHP components are split into several software packages. You need
at least the following packages for a basic PHP Web application server:
PHP5: Core PHP interpreter and libraries.
apache2_mod_php5: PHP module for Apache.
If you search for php in YaST's Software Management module, you'll notice that
there are many more PHP packages available, as shown below:
Figure 5-10 PHP Packages
These modules extend the functionality of PHP. Which packages you need depends
on the requirements of the PHP application you would like to run.
The PHP interpreter has several configuration options that can be adjusted in the
/etc/php5/apache2/php.ini file. However, the default configuration should
be used in most situations. The following are a few of the options available in this
file:
memory_limit: Defines how much memory a script is allowed to use. For
complex applications, this might need to be set to a higher value. The default is 8
MB.
max_execution_time: Sets the maximum execution time, in seconds. Complex
applications sometimes need a longer execution time. The default is 30 seconds.
display_errors: Determines whether errors or warning messages are displayed
in the HTML output. For production systems, this option should be set to Off,
while on a development system it is useful to set it to On. The default is Off.
After installing PHP packages, you have to restart Apache with the rcapache2
restart command.
Testing the PHP Installation
A PHP installation can be easily tested by creating a file somewhere in the document
root of the Web server with the following content:
<?php
phpinfo();
?>
This content is a simple PHP application. Calling the phpinfo() function outputs a
Web page with information on the PHP installation. When you request this file in a
Web browser, a page similar to the following is displayed:
Figure 5-11 Testing the PHP Server
Exercise 5-4 Install PHP
In this exercise, you install and test PHP on SLES 11.
You will find the exercise in the workbook.
(End of Exercise)
Summary
Objective Summary
Set up a Basic Web Server with Apache: Web servers provide much of the functionality
we associate with the Internet today. A Web server's job is to send Web pages, graphics,
and other files to clients requesting them.
A Web server can transfer just about any type of file between the server and the client.
However, the most common type of file used with a Web server is the Hyper-Text Markup
Language (HTML) document. An HTML document is a text file written using HTML
mark-up coding that instructs the Web browser how the information should be
formatted and displayed.
The easiest way to install Apache2 is to run YaST and install the Web and LAMP Server
pattern.
Configure Virtual Hosts: Apache can be configured to host multiple virtual Web servers
on the same physical server system. These virtual Web servers are called virtual hosts.
To create a virtual host, you need to create a configuration file in the
/etc/apache2/vhosts.d/ directory. The name of the configuration file has to end with .conf.
You can use the vhost.template file in the /etc/apache2/vhosts.d/ directory as a
template for your virtual host configuration file.
Limit Access to the Web Server: By default, Apache allows access to Web server data
to all network hosts that can reach the server. This configuration is appropriate
for public Web servers.
However, there may be times when you need to restrict access to the content on the Web
server to specific users or hosts. This can be done in two ways:
Limiting access by network address
Requiring user authentication
Configure Apache with OpenSSL: By default, the connection between the Web browser
and the Web server is not encrypted. All data is passed in clear text. Anyone running
sniffer software can capture a copy of the network packets exchanged between browser
and server, allowing them to view the transferred information.
For Web sites that store sensitive information and require authentication, you should
encrypt the communications between the browser and the server.
The Apache daemon can be configured to use the Secure Socket Layer (SSL) protocol to
encrypt the connection. To configure SSL encryption with an Apache Web server, you
need to be familiar with the following:
How SSL encryption works
Creating a test certificate
Configuring Apache to use SSL
Install PHP: PHP is a scripting language used in conjunction with the Apache Web
server. It accepts PHP code as its input and outputs HTML documents.
To install a PHP Web application, the script files need to be copied into the document
root of the Web server. PHP files usually have an extension of .php.
A PHP application can be started by accessing the PHP file in a URL, such as
http://www.mydomain.com/application.php. The Web server then opens the PHP file.
However, instead of sending it directly to the browser, it is passed through the PHP
interpreter first.
The PHP interpreter runs the PHP script in the file and passes the dynamically
generated HTML output through the Web server to the browser.
You need to install at least the following packages for a basic PHP Web application
server:
PHP5
apache2_mod_php5
SECTION 6 Configure and Use IPv6
IPv6 (Internet Protocol Version 6) was designed by the Internet Engineering Task
Force (IETF) to replace the current Internet Protocol version, IPv4. IPv6 not only
overcomes the most obvious shortcoming of IPv4, the imminent shortage of available
IP addresses, but also adds improvements in other areas, like routing and network
autoconfiguration.
This section explains IPv6 and its configuration on SUSE Linux Enterprise Server 11.
Objectives
1. Understand IPv6 Theory on page 256
2. Configure IPv6 on SLE 11 on page 261
Objective 1 Understand IPv6 Theory
During recent years, the end of IPv4 has often been predicted, but IPv4 has proven
remarkably resilient. The use of private address ranges within private and company
networks made it possible to use the remaining IPv4 addresses in a more efficient
manner, and classless interdomain routing (CIDR) helped to slow the growth of the
size of routing tables.
However, as more and more devices become able to connect to the internet, the
limitations of IPv4 become more and more relevant. It is not a question of if the shift
to IPv6 has to happen, it is only a question of when.
Within the context of IPv6, you need to understand:
IPv6 Features on page 256
IPv6 Addresses on page 256
IPv6 Address Types on page 257
IPv6 Features
IPv6 addresses the shortcomings of IPv4 with features that include the following:
Increased address space. In IPv4, an IP address is 32 bits long, which allows up
to about four billion addresses. In IPv6, an IP address is 128 bits long, which
allows for a really huge number of addresses:
340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4 * 10^38 or, in the
US system, 340 undecillion).
To give you some idea of what this number means, it in theory allows about
650 * 10^21 addresses for every square meter of the surface of earth. For practical
purposes, as not every address will be used for hosts, certainly more than 1,500
addresses remain for every square meter of earth's surface.
Improvements in routing capabilities.
Simplified header.
Quality of Service (QoS) capabilities.
Authentication and privacy capabilities.
Flexible transition from IPv4 to IPv6 over a longer period of time.
IPv6 Addresses
IPv6 addresses consist of 128 zeroes and ones, which is very unwieldy for humans.
To make them somewhat easier to deal with, they are represented in hexadecimal
format, with four bits (a nibble) represented by a digit or character from 0-9 and a-f
(10-15). To improve readability, a colon is inserted after every four hexadecimal
digits (representing 16 bits):
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
A possible address could look like the following:
fe80:0000:0000:0000:0211:11ff:fec2:35f4
For simplification, leading zeroes in each block can be omitted, and one sequence of
16 bit blocks containing only zeroes can be replaced by ::. The above address
could, therefore, be written as follows:
fe80::211:11ff:fec2:35f4
As another example, the localhost address
0000:0000:0000:0000:0000:0000:0000:0001
can be shortened to
::1
IPv6 Address Types
IPv6 addresses can serve different purposes, such as multicast or unicast addresses.
Different leading bits, such as fe80 in one of the examples above, indicate different
types of addresses.
One interface can have more than one IPv6 address.
Similar to IPv4 addresses, IPv6 addresses can be split into network and host parts
using subnet masks. The notation is similar to the CIDR notation used with IPv4:
fe80::211:11ff:fec2:35f4/64
The corresponding network address is
fe80:0000:0000:0000:0000:0000:0000:0000
with a netmask of:
ffff:ffff:ffff:ffff:0000:0000:0000:0000
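The notation rules above (full form, leading-zero and "::" shorthand, and the network and netmask for a /64 prefix), as an added example that is not part of the manual; it implements the rules by hand so they are visible and cross-checks them against Python's ipaddress module.

```python
"""IPv6 textual notation as described above: the full eight-group form, the
shorthand with leading zeros dropped and one run of zero groups replaced by
"::", and the split into network and host part for a CIDR prefix length.

Added example, not code from the Novell manual. The rules are implemented by
hand; the standard-library ipaddress module is used only to cross-check.
"""
import ipaddress


def expand(address: str) -> list:
    """Parse any valid notation into the eight 16-bit groups (as ints)."""
    if address.count("::") > 1:
        raise ValueError('"::" may appear only once')
    head, sep, tail = address.partition("::")
    head_groups = [int(g, 16) for g in head.split(":") if g]
    tail_groups = [int(g, 16) for g in tail.split(":") if g]
    if sep:
        # "::" stands for as many zero groups as are needed to reach eight
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError('"::" must stand for at least one group')
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = head_groups
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a valid IPv6 address: {address!r}")
    return groups


def full(groups: list) -> str:
    """Full notation: eight zero-padded hexadecimal groups."""
    return ":".join(f"{g:04x}" for g in groups)


def compress(groups: list) -> str:
    """Short notation: drop leading zeros and replace the longest run of
    zero groups by "::" (RFC 5952: only runs of two or more groups, and the
    first run wins on a tie)."""
    best_start, best_len, start = -1, 1, -1
    for i, g in enumerate(groups + [None]):  # the None sentinel ends a final run
        if g == 0:
            if start < 0:
                start = i
        elif start >= 0:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = -1
    if best_start < 0:
        return ":".join(f"{g:x}" for g in groups)
    left = ":".join(f"{g:x}" for g in groups[:best_start])
    right = ":".join(f"{g:x}" for g in groups[best_start + best_len:])
    return f"{left}::{right}"


def to_int(groups: list) -> int:
    """Eight groups -> one 128-bit integer."""
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def from_int(value: int) -> list:
    """128-bit integer -> eight groups."""
    return [(value >> shift) & 0xFFFF for shift in range(112, -1, -16)]


def split_prefix(cidr: str) -> tuple:
    """'address/len' -> (network, netmask, host) as group lists."""
    address, _, length = cidr.partition("/")
    prefixlen = int(length) if length else 128
    if not 0 <= prefixlen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    mask = ((1 << prefixlen) - 1) << (128 - prefixlen)
    host_mask = (1 << 128) - 1 - mask
    value = to_int(expand(address))
    return from_int(value & mask), from_int(mask), from_int(value & host_mask)


def agrees_with_stdlib(address: str) -> bool:
    """Cross-check both notations against ipaddress.IPv6Address."""
    ref = ipaddress.IPv6Address(address)
    groups = expand(address)
    return full(groups) == ref.exploded and compress(groups) == ref.compressed


if __name__ == "__main__":
    for sample in ("fe80:0000:0000:0000:0211:11ff:fec2:35f4",
                   "0000:0000:0000:0000:0000:0000:0000:0001"):
        print(f"{sample} -> {compress(expand(sample))}")
    network, netmask, host = split_prefix("fe80::211:11ff:fec2:35f4/64")
    print("network", full(network))
    print("netmask", full(netmask))
    print("host   ", compress(host))
```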
To be able to differentiate the different IPv6 address types, you need to understand
the following:
Addresses without a Specific Network Prefix on page 257
Network Addresses on page 258
Host Addresses on page 259
Addresses without a Specific Network Prefix
Addresses without a specific network prefix comprise the following:
Localhost on page 257
Unspecified Address on page 258
Localhost
The address for the loopback interface, similar to 127.0.0.1 in IPv4, is
0000:0000:0000:0000:0000:0000:0000:0001
Packets with this address as source or destination are not supposed to leave the
machine.
Unspecified Address
This is the IPv6 equivalent to 0.0.0.0 (or any) in IPv4:
0000:0000:0000:0000:0000:0000:0000:0000
or in short:
::
This address is, for instance, seen in the output of netstat:
da10:~ # netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
The third colon in the output above separates the address from the port number.
Network Addresses
The network addresses are used to distinguish the following categories:
Link Local Addresses on page 258
Globally Unique Local IPv6 Unicast Addresses on page 258
Global Address Type global unicast on page 259
Link Local Addresses
Link local addresses are valid only on the link of an interface. A packet with a link local
address does not pass a router. They begin with the following (x is any hex
digit, but usually 0):
fe8x (this is the only one currently in use)
fe9x
feax
febx
Such an address can be found on each IPv6-enabled interface after stateless
autoconfiguration. It is used for link communications, for instance, to find out if
anyone else is on this link or to locate a router.
Globally Unique Local IPv6 Unicast Addresses
This address type begins with fdxx. (It could also begin with fcxx, but currently this
prefix is not used.)
A part of the prefix (40 bits) is generated using a pseudo-random algorithm
(described in RFC 4193). While it is not impossible that two generated prefixes are
equal, it is improbable. Therefore, connecting networks that were formerly
independent is not likely to cause problems, as their prefixes will be different.
The Global ID is followed by a 16-bit Subnet ID as an identifier within a site. The
following illustration, taken from RFC 4193, shows the different parts of a globally
unique local IPv6 Unicast address:
| 7 bits |1| 40 bits | 16 bits | 64 bits |
+--------+-+------------+-----------+--------------------+
| Prefix |L| Global ID | Subnet ID | Interface ID |
+--------+-+------------+-----------+--------------------+
NOTE: There used to be a site local address type, starting with fecx, fedx, feex, or fefx. However,
its use is deprecated in RFC 3879 and it is replaced by the above.
Global Address Type global unicast
Addresses delegated to Internet Service Providers (ISP) currently begin with
2001:
The following addresses are reserved for examples and documentations and should
be filtered on border routers to the Internet:
3fff:ffff::/32
2001:0DB8::/32
Addresses for tunneling IPv6 packets in IPv4 packets begin with
2002:
Multicast addresses start with ffxy, where x is a hex digit and y indicates the scope
(such as y=1: node local, y=2: link local, y=3: site local).
Depending on the host part of the address, different multicast types are addressed
(RFC 4291 / IP Version 6 Addressing Architecture):
All Nodes Address: 1. Addresses all hosts on the local node (ff01:0:0:0:0:0:0:1)
or the connected link (ff02:0:0:0:0:0:0:1).
All Routers Address: 2. Addresses all routers on the local node
(ff01:0:0:0:0:0:0:2), the connected link (ff02:0:0:0:0:0:0:2), or the local site
(ff05:0:0:0:0:0:0:2).
There are other types, like anycast addresses, that are not covered in this course.
Host Addresses
The host address can be automatically computed or set manually.
Automatically Computed Host Address on page 260
Manually Set Host Address on page 260
Automatically Computed Host Address
When automatically computed, the MAC address is used and expanded according to
the IEEE-Tutorial Extended Unique Identifier EUI-64
(http://standards.ieee.org/regauth/oui/tutorials/EUI64.html).
For instance, with a MAC address of 00:11:11:C2:35:D4, the resulting 64-bit
interface identifier is 0211:11ff:fec2:35d4. Together with a network prefix (for
instance, one used for Globally Unique Local IPv6 Unicast Addresses), the following
IPv6 address results:
fd7b:5c7e:40bf:1234:0211:11ff:fec2:35d4
NOTE: The above way of creating the interface identifier has some privacy implications, especially
for mobile devices. When connecting to the Internet using different providers, the network part of
the address changes, while the interface identifier remains the same. This can allow tracking of the
mobile device. RFC 4941 describes ways to mitigate this issue.
Manually Set Host Address
Simpler addresses might be easier to remember and, for instance, for some servers
you might want such an address. It is possible to assign an additional address to the
interface, such as
fd7b:5c7e:40bf:1234::1
In the automatically generated address, the seventh most significant bit (with the
count starting with 1) of the host address is set to 1 when calculating the automatic
address. It is required to set this bit to 0 when setting a host address manually. The
reason for this is, first of all, convenience, as otherwise the above address would be
fd7b:5c7e:40bf:1234:0200::1
instead of
fd7b:5c7e:40bf:1234::1
Also some other bit combinations are reserved for anycast addresses, such as all host
bits set to 0 for the subnet router.
NOTE: The Linux IPv6 HOWTO (http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/) contains
a lot more information on IPv6.
Objective 2 Configure IPv6 on SLE 11
From the kernel to various applications, SLES 11 and SLED 11 support IPv6.
To configure IPv6 on SLE 11, you need to understand the following:
IPv6 Autoconfiguration on page 261
Setting an IPv6 Address Using YaST on page 262
Managing IPv6 Addresses Using the Command Line Tools on page 265
Connecting to Other IPv6 Addresses on page 265
IPv6 Autoconfiguration
One design goal of IPv6 was to make IP autoconfiguration easier. Even without a
DHCP server, interfaces can obtain a valid IP address.
In the context of IPv6 autoconfiguration, you need to understand the following:
Link Local Autoconfiguration on page 261
Stateless Autoconfiguration on page 262
Link Local Autoconfiguration
By default, a link local address is configured automatically for every network
interface in SLE 11:
da10:~ # ip address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 100
link/ether 00:19:d1:9f:17:f4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::219:d1ff:fe9f:17f4/64 scope link
valid_lft forever preferred_lft forever
You can use this address to test the link using ping6:
da10:~ # ping6 -I eth0 fe80::219:d1ff:fe9f:1787
PING fe80::219:d1ff:fe9f:1787(fe80::219:d1ff:fe9f:1787) from
fe80::219:d1ff:fe9f:17f4 eth0: 56 data bytes
64 bytes from fe80::219:d1ff:fe9f:1787: icmp_seq=1 ttl=64 time=5.47
ms
When pinging a link local address, the option -I interface is required, as every
interface has a link local address and the kernel doesn't know which one to use.
You can detect IPv6 active hosts by using ping6 to the link local, all-node multicast
address:
da10:~ # ping6 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::219:d1ff:fe9f:17f4 eth0: 56 data
bytes
64 bytes from fe80::219:d1ff:fe9f:17f4: icmp_seq=1 ttl=64 time=0.020
ms
64 bytes from fe80::219:d1ff:fe9f:1787: icmp_seq=1 ttl=64 time=5.09
ms (DUP!)
Unlike in IPv4, where replies to a ping to the broadcast address can be disabled using
the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file, this behavior cannot
currently be disabled in IPv6, except by local IPv6 firewalling.
Stateless Autoconfiguration
To access the Internet, a host needs an IPv6 address with global scope. The steps to
obtain such an address are as follows:
1. Using its link-local address, the host sends a Solicitation Message to the ff02::2
multicast address (all routers on the local link), asking for an IPv6 prefix.
2. The router answers this Solicitation Message with an Advertisement Message
containing an address prefix for this network.
3. Using this prefix and its MAC address, the host creates an IPv6 address.
4. Using Duplicate Address Detection (DAD, RFC 4862), the host checks if the
address is already in use in the network.
If the address is unused, the host assigns the address to the NIC and activates it.
5. The client can now contact other hosts within the local network using their IPv6
addresses and, depending on the network topology, hosts outside the local
network as well.
The router distributes the network prefix and information on the default route only.
Information that goes beyond this, such as information on DNS or other routes, needs
to be added manually to the configuration or distributed using DHCP6.
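The EUI-64 interface identifier and the autoconfiguration steps above (together with the bit-7 rule for manually set host addresses from the previous objective), as an added example that is not part of the manual. The Router Advertisement prefix and the addresses already in use on the link are constructed inline in place of the real ICMPv6 exchange; the MAC addresses are those shown in the manual.

```python
"""How a host builds its IPv6 address: the modified EUI-64 interface
identifier derived from the MAC address (with the universal/local bit, the
seventh bit counted from 1, flipped), and the stateless autoconfiguration
steps that combine the prefix from a Router Advertisement with that
identifier and run Duplicate Address Detection (DAD).

Added example, not code from the Novell manual. The Router Advertisement and
the list of addresses already in use on the link are constructed inline in
place of the real ICMPv6 exchange.
"""
import ipaddress

HOST_BITS = (1 << 64) - 1
UL_BIT = 1 << 57  # bit 7 of the 64-bit host part, counted from 1 at the top


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): insert ff:fe between the two
    halves of the MAC address and flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ UL_BIT


def format_interface_id(iid: int) -> str:
    """Render the identifier as four zero-padded groups, as the manual does."""
    return ":".join(f"{(iid >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Step 3: prefix from the Router Advertisement + EUI-64 host part."""
    network = ipaddress.IPv6Network(prefix, strict=True)
    if network.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(network.network_address) | eui64_interface_id(mac))


def duplicate_address_detection(candidate, in_use) -> bool:
    """Step 4: True when no neighbour already answers for the candidate."""
    taken = {ipaddress.IPv6Address(a) for a in in_use}
    return ipaddress.IPv6Address(candidate) not in taken


def autoconfigure(ra_prefix: str, mac: str, in_use):
    """Steps 3 to 5 for one interface; returns the address, or None when
    DAD finds a duplicate and the host must not activate it."""
    candidate = slaac_address(ra_prefix, mac)
    return candidate if duplicate_address_detection(candidate, in_use) else None


def universal_local_bit_clear(address: str) -> bool:
    """The manual's rule for manually set host parts: bit 7 must be 0, so
    the address is not mistaken for an EUI-64 derived one."""
    host = int(ipaddress.IPv6Address(address)) & HOST_BITS
    return host & UL_BIT == 0


if __name__ == "__main__":
    mac = "00:11:11:C2:35:D4"  # MAC address used in the manual
    print("interface id:", format_interface_id(eui64_interface_id(mac)))
    # Constructed Router Advertisement: the ULA prefix used in the manual
    ra_prefix = "fd7b:5c7e:40bf:1234::/64"
    # Constructed: addresses other hosts on the link already answer for
    in_use = ["fd7b:5c7e:40bf:1234::1", "fe80::219:d1ff:fe9f:1787"]
    print("autoconfigured:", autoconfigure(ra_prefix, mac, in_use))
    print("link-local:", slaac_address("fe80::/64", "00:19:d1:9f:17:f4"))
    for manual in ("fd7b:5c7e:40bf:1234::1", "fd7b:5c7e:40bf:1234:0200::1"):
        print(manual, "ok" if universal_local_bit_clear(manual) else "bit 7 set")
```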
Setting an IPv6 Address Using YaST
To set an IPv6 address manually (which is necessary, for instance, on a router), you
use the same dialog in YaST that is used to set IPv4 addresses. The following shows
the dialog that appears during installation:
Figure 6-1 Network Card Setup
Type the IPv6 address in its usual format and the netmask in the CIDR notation, such
as /64, as shown in the figure above.
Select Next. The data you typed appears in the Network Settings Overview:
Network Settings Overview
Click OK to close the dialog. YaST writes the configuration information to files in
/etc/sysconfig/network/, such as the ifcfg-eth0 file.
After installation, you can reach the same dialogs by selecting Computer > YaST >
Network Devices > Network Settings.
The settings are written to the /etc/sysconfig/network/ifcfg-ethx file,
as shown below:
BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='fd7b:5c7e:40bf:1234::2/64'
MTU=''
NAME='82566DM Gigabit Network Connection'
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
NETMASK=''
Managing IPv6 Addresses Using the Command Line Tools
The ip command can be used for both IPv4 and IPv6 addresses. The following
examples demonstrate the use of the ip command for IPv6. Use the following
command to add an IPv6 address:
da10:~ # ip -6 addr add fd7b:5c7e:40bf:1234::2/64 dev eth0
The current configuration is displayed using the ip address show command
(address and show can be shortened to their first letter). Adding the option -6
limits the output to IPv6 addresses:
da10:~ # ip -6 a s
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 100
inet6 fd7b:5c7e:40bf:1234::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::219:d1ff:fe9f:17f4/64 scope link
valid_lft forever preferred_lft forever
To delete an address, use ip address delete:
da10:~ # ip -6 add del fd7b:5c7e:40bf:1234::2/64 dev eth0
The ip command is also used to view, set, and delete routes.
ip -6 route show displays the current routing table:
da10:~ # ip -6 ro sh dev eth0
fd7b:5c7e:40bf:1234::/64 proto kernel metric 256 mtu 1500 advmss
1440 hoplimit 4294967295
fe80::/64 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit
4294967295
Connecting to Other IPv6 Addresses
If your Internet Service Provider (ISP) supplies you with an IPv4 as well as an IPv6
address, you can connect to both worlds without problems.
If you get an IPv4 address only, there are two possible approaches to connect to IPv6
addresses:
6to4-Tunneling on page 265
6in4-Tunneling on page 270
6to4-Tunneling
At the time of this writing, ISPs do not yet provide IPv6 addresses as a general
practice. However, as one of the design goals of IPv6 was to make a smooth
transition from IPv4 to IPv6 possible, you can start using IPv6 immediately even if you
get only an IPv4 address from your ISP.
Following the method outlined in RFC 3056, a site with a globally unique IPv4
address can be assigned a globally unique IPv6 address based on its IPv4 address.
This is considered an interim solution until the ISP assigns a native IPv6 prefix.
IPv6 addresses used for this purpose have the following format (taken from RFC
3056):
| 3 | 13 | 32 | 16 | 64 bits |
+---+------+-----------+--------+--------------------+
|FP | TLA |IPv4 Addr | SLA ID | Interface ID |
|001|0x0002| | | |
+---+------+-----------+--------+--------------------+
All such addresses, therefore, start with 2002: (the 6to4 prefix 2002::/16), and each
site owns the /48 prefix 2002:<IPv4 address in hex>::/48. The abbreviations used
above have the following meaning:
FP: Format prefix
TLA: Top level aggregator
IPv4 Addr: Globally unique IPv4 address (converted to hex format)
SLA ID: Site level aggregator ID
The other end of the tunnel needs to be capable of dealing with the packets: taking
the IPv6 packet out of the IPv4 packet (IP protocol 41) and then routing it within the
IPv6 network. To facilitate the use of 6to4, the IPv4 anycast address 192.88.99.1
(RFC 3068) is used to reach the nearest 6to4 relay router. Replies do not necessarily
come back through the same relay, so your host has to accept protocol 41 packets
from any IPv4 source address.
Depending on your network topology, you need to do one of the following:
Configure a 6to4 Tunnel on a Host on page 267
Connect the Network behind your 6to4 Gateway on page 268
Install and Configure radvd on page 268
Add a Route to Your 6to4 Gateway on page 269
Configure a 6to4 Tunnel on a Host
Assuming a globally unique IPv4 address of 1.2.3.4, the steps to configure a 6to4
tunnel are as follows:
1. Make sure there is a sit0 device visible in the output of ip link show; if not,
load the sit kernel module:
da10:~ # ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:11:c2:35:f4 brd ff:ff:ff:ff:ff:ff
da10:~ # modprobe sit
da10:~ # ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:11:c2:35:f4 brd ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
2. Calculate the IPv6 address corresponding to your IPv4 address. The following
command can be used (each octet of the IPv4 address becomes two hex digits):
da10:~ # ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1\n" `echo $ipv4 | tr "." " "`
2002:0102:0304::1
3. Create a new tunnel device. In the example below it is called tun6to4, but you
could use some other name for it as well:
da10:~ # ip tunnel add tun6to4 mode sit ttl 63 remote any local 1.2.3.4
4. Bring the interface up and set the MTU:
da10:~ # ip link set dev tun6to4 mtu 1280 up
5. Add your local IPv6 address to the tunnel interface using a prefix length of 16.
The /16 makes the whole 2002::/16 range on-link on the tunnel, so other 6to4 sites
are reached directly via the IPv4 address embedded in their prefix:
da10:~ # ip -6 addr add 2002:0102:0304::1/16 dev tun6to4
6. Add a route to the global IPv6 network using the IPv4 anycast address for all
6to4 relay routers:
da10:~ # ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
7. Test the connection using ping6 to an IPv6-enabled site. The site www.ipv6.org
(http://www.ipv6.org/) has a link to a list of such sites. (At the time of this
writing, www.ipv6.org itself also has an IPv6 address.)
Connect the Network behind your 6to4 Gateway
If you have a second NIC on your host acting as your 6to4 gateway and want to IPv6-
enable the network connected to that NIC, there are a few additional steps you need
to take:
Install and Configure radvd
Add a Route to Your 6to4 Gateway
Install and Configure radvd
When connecting a network to the second NIC of your 6to4 gateway, that host takes
the function of a router. The Router Advertisement Daemon radvd distributes the
autoconfiguration information the clients need to configure their IPv6 addresses
automatically.
The Router Advertisement Daemon is contained in the radvd package, which can be
installed with the command yast -i radvd. Its configuration is contained in the
/etc/radvd.conf file and looks similar to the following:
interface eth0
{
    AdvSendAdvert on;
    # These settings cause advertisements to be sent every 3-10
    # seconds. This range is good for 6to4 with a dynamic IPv4
    # address, but can be greatly increased when not using 6to4
    # prefixes.
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # You can use the AdvDefaultPreference setting to advertise the
    # preference of the router for the purposes of default
    # router determination. NOTE: This feature is still being
    # specified and is not widely supported!
    #
    AdvDefaultPreference low;
    # Disable Mobile IPv6 support
    #
    AdvHomeAgentFlag off;
    # example of a standard prefix
    #
    prefix 2002:0102:0304:1234::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
The above example is suitable for a fixed IPv4 address. The configuration file that is
contained in the radvd package also includes an example of how to deal with
dynamic IP addresses that change every time a new connection is established with the
ISP.
Before starting radvd, it is necessary to turn on IPv6 forwarding. This is done with the
following command:
da10:~ # echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
If you want IPv6 forwarding to be turned on every time the system boots, set the
variable IPV6_FORWARD in the /etc/sysconfig/sysctl file to yes:
## Type: yesno
## Default: no
#
# Runtime-configurable parameter: forward IPv6 packets.
#
IPV6_FORWARD="yes"
After IPv6 forwarding is turned on, you can start radvd using the command
rcradvd start.
Add a Route to Your 6to4 Gateway
For packets to be routed properly, the following route has to be set on your gateway
host:
da10:~ # ip -6 route add 2002:0102:0304:1234::/64 dev eth0
1234 in the above command (and in the radvd.conf file) is the site level aggregator
ID; you can choose this according to your local networking needs.
NOTE: After the above steps are complete, all machines in your network can access IPv6 hosts in
the Internet, and all machines in your network are reachable from the Internet over IPv6. Their
addresses are easy to guess, since the prefix is derived from your public IPv4 address, and the
IPv4 firewall rules of your site do not inspect the IPv6 traffic carried inside the tunnel. Set
appropriate ip6tables filter rules on the gateway before you turn on forwarding, so that the hosts
behind it accept only replies to connections they opened themselves.
In case you are connected to the Internet using a DSL connection, edit the /etc/
radvd.conf file according to the comments in that file that cover dynamic Internet
connections.
When using DSL, you can include the commands to set up the 6to4 tunnel in the /etc/
ppp/ip-up.local file, which pppd runs once the connection is up (make the file
executable):
#!/bin/sh
# /etc/ppp/ip-up.local
# Build the 6to4 tunnel after pppd has brought the link up.
# $4 contains the local IP address on the ppp interface.
/sbin/modprobe sit
/sbin/ip tunnel add tun6to4 mode sit ttl 63 remote any local "$4"
/sbin/ip link set dev tun6to4 mtu 1280 up
# Derive the 6to4 address from the IPv4 address and add it to the tunnel.
/sbin/ip -6 addr add $(printf "2002:%02x%02x:%02x%02x::1/16" `echo "$4" | tr "." " "`) dev tun6to4
/sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
# Reload the Router Advertisement Daemon to make it advertise the new prefix.
/usr/sbin/rcradvd reload
# Set the IPv6 route for the local network accordingly.
/sbin/ip -6 route add $(printf "2002:%02x%02x:%02x%02x:1234::/64" `echo "$4" | tr "." " "`) dev eth0
The /etc/ppp/ip-down.local file would include the commands to take the tunnel down
when the DSL connection is disconnected:
#!/bin/sh
# /etc/ppp/ip-down.local
# Take down the tun6to4 tunnel.
/sbin/ip -6 route flush dev tun6to4
/sbin/ip link set dev tun6to4 down
/sbin/ip tunnel del tun6to4
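The following script, added here as an example and not part of the original manual, packages the 6to4 procedure above for a gateway. It refuses IPv4 addresses that cannot be used for 6to4 (the printf one-liner from step 2 happily builds a prefix from 192.168.x.x, which no relay could ever answer), derives the 2002: prefix, decodes the IPv4 address embedded in a 6to4 address (which is how you identify the remote site when 6to4 traffic shows up in the ip6tables log), and prints the ip commands of steps 1 to 6 plus the gateway route, together with an ip6tables-restore ruleset of the kind the NOTE above asks for. The function names, the SLA ID default of 1234, the sample addresses 1.2.3.4 and 203.0.113.200, the carrier-grade NAT range 100.64/10 (defined after this manual was written) and the filter policy are this example's own assumptions. Nothing is executed; the output is meant to be reviewed and then run as root. Note that RFC 7526 (2015) has since deprecated the anycast relays behind 192.88.99.1, so on today's Internet the route of step 6 may lead nowhere; the address handling is unchanged.

```sh
#!/bin/sh
# 6to4 helpers for a gateway as described in this objective. Added example:
# the function names, defaults and sample addresses are this example's own.
# Nothing here touches the network; the ip/ip6tables commands are printed.
set -f   # no pathname expansion while splitting addresses with "set --"

# Return 0 if $1 is a dotted quad of four decimal octets in 0..255.
ipv4_valid() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|0[0-9]*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is globally unique and therefore usable for 6to4. RFC 1918,
# loopback, link-local, carrier-grade NAT (100.64/10) and multicast/reserved
# space are rejected: a 2002: prefix built from them is not routable.
ipv4_global() {
    ipv4_valid "$1" || return 1
    case $1 in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
        22[4-9].*|2[3-5][0-9].*) return 1 ;;
    esac
    return 0
}

# Print the 6to4 /48 prefix for $1 (2002:0102:0304 for 1.2.3.4): the
# manual's printf one-liner with the address checked first.
sixto4_prefix() {
    ipv4_global "$1" || return 1
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Print the IPv4 address embedded in a 6to4 address or prefix such as
# 2002:0102:0304::1 or 2002:102:304::/48 (groups two and three).
sixto4_to_ipv4() {
    _ifs=$IFS; IFS=:; set -- $1; IFS=$_ifs
    [ "$1" = "2002" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
    case "$2$3" in *[!0-9a-fA-F]*) return 1 ;; esac
    _hi=$(printf '%04x' "0x$2") && _lo=$(printf '%04x' "0x$3") || return 1
    [ ${#_hi} -eq 4 ] && [ ${#_lo} -eq 4 ] || return 1
    printf '%d.%d.%d.%d\n' "0x${_hi%??}" "0x${_hi#??}" "0x${_lo%??}" "0x${_lo#??}"
}

# Print the commands of steps 1 to 6 plus the gateway route for public
# address $1, SLA ID $2 (default 1234) and LAN interface $3 (default eth0).
sixto4_commands() {
    _p=$(sixto4_prefix "$1") || { echo "refusing $1: not a global IPv4 address" >&2; return 1; }
    _sla=${2:-1234}; _lan=${3:-eth0}
    cat <<EOF
modprobe sit
ip tunnel add tun6to4 mode sit ttl 63 remote any local $1
ip link set dev tun6to4 mtu 1280 up
ip -6 addr add ${_p}::1/16 dev tun6to4
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add ${_p}:${_sla}::/64 dev ${_lan}
EOF
}

# Print an ip6tables-restore ruleset for the same gateway: the LAN prefix may
# open connections out through the tunnel; replies, RELATED ICMPv6 errors and
# Packet Too Big (path MTU discovery) come back; tunnel packets that spoof a
# LAN source are dropped; everything else from the Internet is logged and dropped.
sixto4_filter() {
    _p=$(sixto4_prefix "$1") || return 1
    _net=${_p}:${2:-1234}::/64; _lan=${3:-eth0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${_lan} -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -i tun6to4 -s ${_net} -j DROP
-A FORWARD -i ${_lan} -o tun6to4 -s ${_net} -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun6to4 -o ${_lan} -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -i tun6to4 -j LOG --log-prefix "6to4 drop: "
COMMIT
EOF
}

# Demonstration with the manual's placeholder address 1.2.3.4.
sixto4_commands 1.2.3.4
sixto4_filter 1.2.3.4
```

Feed the ruleset to ip6tables-restore on the gateway before the forwarding sysctl is set; the INPUT chain accepts all ICMPv6 so that neighbor discovery on the LAN and path MTU discovery on the tunnel keep working, and the LOG rule is what makes 6to4 sources visible in the log for sixto4_to_ipv4 to decode.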
6in4-Tunneling
Another approach to access IPv6-based Internet hosts is to enlist the services of a
tunnel broker. In this case, a point-to-point tunnel is established from your host to
the broker's IPv6 network. Plain 6in4 carries the IPv6 packets directly inside IPv4
packets (IP protocol 41) and needs a tunnel endpoint that the broker can reach; for
this reason brokers also offer a UDP-encapsulated variant (AYIYA in the case of
SixXS), whose advantages are that no unique IPv4 address is required and that it
works from behind a NAT gateway as well.
A nonprofit provider that offers IPv6 tunnels and the needed software for various
operating systems including Linux to interested end users is http://www.sixxs.net/
(http://www.sixxs.net/); note that SixXS ceased operation in June 2017, so look for a
current provider. There are certainly other providers that offer a similar service.
6in4 tunneling is not covered in this course. Before you use it, make sure that you
have the agreement of your network administrator: the IPv6 traffic passes through
the firewall hidden inside IPv4 or UDP packets, where the IPv4 filter rules do not
see it, so building tunnels through firewalls often violates existing security policy.
Exercise 6-1 Configure IPv6
In this exercise, you configure and use different aspects of IPv6.
You will find this exercise in the workbook.
(End of Exercise)
Summary
Objective: Understand IPv6 Theory
Summary: IPv6 addresses are 128 bits long. Depending on the network prefix,
different kinds of address types exist, such as link local or global unicast
addresses. The host part of the address can be set automatically, using the MAC
address of the NIC, or manually.
Objective: Configure IPv6 on SLE 11
Summary: SLE 11 supports IPv6. In a private network, radvd allows easy assignment
of IPv6 addresses. Even if your ISP does not assign you a native IPv6 address, 6to4
tunneling allows you to access IPv6 addresses.
SECTION 7 Perform a Health Check and Performance Tuning
In this section, you learn to analyze performance on a SUSE Linux Enterprise Server
11 system and what you can do to prevent bottlenecks.
Because of the complexity of today's IT systems and infrastructure, performance
bottlenecks are sometimes not easy to find. All components interact with each other,
and different kinds of server types require different measures to improve system
performance.
In this section, you learn about monitoring utilities that help you find the component
having performance problems. You also get some tips for solving performance
problems. Remember that the solutions for your problems need to be based on the
result of your performance analysis and depend on your system type.
No matter what measures you choose, make sure that all changes are well tested
before you enable them on the actual production system. Changes to the kernel
parameters need to be tested very carefully.
Objectives
1. Find Performance Bottlenecks on page 274
2. Reduce System and Memory Load on page 286
3. Optimize the Storage System on page 291
4. Tune the Network Performance on page 296
Objective 1 Find Performance Bottlenecks
If you need to tune system performance, it is usually because the system is somehow
too slow. Before you make any changes, you need to identify the bottleneck that is
causing the performance problem.
Complaints from users or customers about a slow system are normally of a general
character and do not provide detailed information about the cause of a problem.
Before you start to troubleshoot a system, you should ask for more information to
gain a better overview of the situation. The following is a list of questions that can
help you to find the performance bottleneck:
What kind of server is affected? This includes information about the hardware
and the purpose of the server.
What are the exact symptoms of the problem? The more information you
have, the more likely you are able to determine the cause of the problem.
Does the problem occur at specific times of the day or the week? For
example, performance problems might occur in the morning when people start to
work or after lunch when people return to work.
When and how did the problem start? Did the problem occur quickly or
slowly over several days or months?
Who is experiencing the problems? Does just one person have the problem or
is it a group of people who are using the same file server?
Can the problem be reproduced? This can be very helpful when you are
analyzing the system.
When you have gathered enough information, you can start to analyze the system by
doing the following:
Analyze Processes and Processor Utilization on page 274
Analyze Memory Utilization and Performance on page 275
Analyze Storage Performance on page 278
Analyze Network Utilization and Performance on page 281
Analyze Processes and Processor Utilization
When you have a performance problem, you should look at the processor utilization
first. If the processor is not fast enough to run all of your applications at a reasonable
speed, this is the bottleneck you have to work on.
One way to measure processor utilization is the system load. The load value can be
displayed with various monitoring tools such as top or uptime.
On a multiprocessing operating system like Linux, multiple processes can run
virtually simultaneously. Since one processor can run only one process at a time, the
Linux kernel splits the available processing time of a CPU into short slices that are
assigned to the running processes.
To assign CPU time, the kernel keeps the runnable processes in a queue (the run
queue). Depending on the priority of a process and the time since it was executed
last, the kernel decides which process should be executed next.
The load value is the average number of processes that, over a specific amount of
time, were either waiting in the run queue or blocked in uninterruptible sleep
(usually waiting for disk I/O). Programs like top or uptime display load values for
the last 1, 5, and 15 minutes.
On a system with a single processor, an average load value of 1 means that the full
processing capacity is used by applications and the operating system.
If the value is lower than 1, some capacity is not used. If the average value is higher
than 1, the processor is not fast enough to handle all currently running processes, or
processes are queuing up for I/O.
NOTE: On a multiprocessor system, the load value can be higher. As a rule of thumb, the load value
should not be higher than the number of processors installed in the system.
A process that is started on a system does not always require CPU time. Depending
on what it does, a process can spend quite a lot of time waiting for I/O to finish, for
example for user input or for data that is read from or written to disk.
While a process waits for user input or for data from the network (interruptible
sleep, state S in top and ps), it is not in the run queue and does not influence the
load value. A process waiting for disk I/O, however, is in uninterruptible sleep
(state D), and on Linux such processes are counted in the load value. This means
that an application can be slow without the load showing it, and that a high load is
not necessarily a CPU problem: compare the us and sy columns (CPU busy) with the
wa column (waiting for I/O) in top or vmstat before you conclude that the processor
is the bottleneck.
The following is a list of monitoring utilities that can be used to display the current
CPU utilization and the average load values:
Table 7-1 Monitor CPU Utilization
Program: Description
Gnome System Monitor: Displays a graphical representation of the system load.
mpstat: Can be used to display the utilization of each installed processor on
multiprocessor systems.
KDE System Guard: Displays a graphical representation of the system load.
top: Displays a sorted list of applications and the three average load values for
the last 1, 5, and 15 minutes. When you find that your system has a high load
value, top can also be very helpful to find out which application is actually
producing it.
uptime: Can also be used to display the system load in the last 1, 5, and 15
minutes.
Analyze Memory Utilization and Performance
Another bottleneck for system performance can be caused by system memory.
Applications have to be loaded into memory before they can be executed by the CPU.
The memory is also used by the Linux kernel itself and for caching I/O operations
like network or storage access.
Memory is controlled by the memory management system of the Linux kernel. Every
application has to ask the kernel to allocate memory, and every application is allowed
to write only into its own memory space.
There are two different kinds of memory available on a Linux system:
Physical (random access): Memory that is actually installed in the system in the
form of memory modules or chips. Access to this kind of memory is usually very fast.
Swap (virtual): A Linux system should have access to at least one swap
partition. The space on this partition is used to free parts of the physical memory
by copying temporarily unused memory pages to disk. Access to swap memory is
very slow compared to physical memory.
You can view the utilization of the physical and swap memory with the free
command. The output looks like the following:
da10:~ # free
             total       used       free     shared    buffers     cached
Mem:       1916464    1060988     855476          0      44924     778496
-/+ buffers/cache:     237568    1678896
Swap:      2104472          0    2104472
The output contains a header line followed by three lines of information (all values
in KB):
Mem: Contains information about the physical memory:
total: Total amount of available physical memory. The number is lower than the
installed physical memory, since the kernel itself uses a small part of the memory.
used: Amount of memory that is in use, by applications as well as for buffers and
cached data.
free: Memory that is not used and available at the moment.
shared/buffers/cached: More detailed information about how the used memory is
split up.
-/+ buffers/cache: Some of the memory on a Linux system is used to cache data
for applications or devices. This memory can be freed when it is needed for other
purposes. The used and free columns of this line show the memory that would be
used and available if the buffers and the cache were freed; this is the line to look
at when judging whether a system is short of memory.
Swap: Shows information about the utilization of the swap memory: the amount of
total, used, and free swap space.
As accessing the hard disk is much slower than accessing physical memory, the
performance of the whole system is affected when a lot of swap space has to be used.
Usually this happens when there is not enough physical memory to perform the
desired functionality of a system. It can also happen if an application requests much
more memory than it actually needs.
One reason for this could be an application crash, but it also happens during normal
operation when the implementation of a program is faulty and memory that was
allocated is never released. In this case, the application has a memory leak.
You can use the top command to find programs that use a lot of memory. By default,
top sorts the process list by CPU utilization. By typing F, then n, and then pressing
the Enter key, you change the column used for sorting to memory utilization
(%MEM). This way, the top memory consumers can be found at the top of the list.
If a lot of used swap memory is displayed in free, this can indicate a performance
bottleneck caused by a lack of physical memory. But this is not always the case.
Sometimes a lot of memory is copied to the swap partition but is never touched again.
The performance of the system is affected only when the swap memory is actually
accessed.
You can use the vmstat command to display the activity of the swap memory, as in
the following:
vmstat 1
The option 1 lets vmstat repeat its output every second. This way, the usage of swap
memory can be displayed over a period of time. You terminate the program by
pressing Ctrl+C.
The output of vmstat looks like the following:
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  0      4   6728  34464 244744    0    0   447    42 1216  384 15  3 74  7
 0  0      4   6728  34464 244744    0    0     0     0 1186  222  1  1 98  0
 0  0      4   6760  34464 244744    0    0     0     0 1282  299  3  0 97  0
 0  0      4   6696  34532 244744    0    0     0    68 1139  147  1  1 97  1
 0  0      4   6696  34532 244744    0    0     0     0 1105  123  0  0 98  0
 0  0      4   6696  34532 244744    0    0     0     0 1117  131  0  0 98  0
The columns si and so are of interest in this case. si stands for swap in, which
means that data is transferred from the swap space to the main memory. so stands
for swap out, which means that data is transferred from the main memory to the
swap space. In the example above, there is no activity for the swap space.
The first line of the output displays the average values since the system was started.
The lines that follow show the average values since the last output.
The following output of vmstat was captured on a different system which ran out of
memory and shows a lot of activity in swap memory:
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  3 167880    608   4592  93400  340  188  2588   196 1223 1315  7  3  0 90
 1  3 169316   1072   4044  90352  300 1768  5968  1868 1233 1222 36  5  0 59
 1  2 170268   2520   4088  89416  288 1104  1388  1224 1260  442 23  2  0 75
 0  3 170652   1484   4020  90136  364  668  1844   808 1260 1142 12  3  0 85
 0  4 171380   1848   3544  92424  100  868  4400   940 2491 2458 11  8  0 81
 0  5 171576   1352   3504  91984  552  388  1592   388 1248 1195 15  3  0 82
In this example, there is much more activity in the si and so columns than before. The
numbers displayed represent the amount of memory, in KB per second, that is copied
from (si) or to (so) the swap space. Note also the wa column: the CPU is idle most of
the time, waiting for the swap I/O to complete.
A system that constantly shows vmstat output like this has a performance
bottleneck caused by a lack of physical memory.
The following are commands and an application you can use to display memory
utilization:
Table 7-2 Monitor Memory Utilization
Program: Description
free: Displays the current utilization of the physical and swap memory.
KDE System Guard: Offers the capability to display memory usage. Select the
System Load tab to follow the memory usage over a period of time.
vmstat: Monitors the activity of swap memory and can also be used to display other
system parameters.
Analyze Storage Performance
The performance of the storage system can be an issue, especially on systems that
face heavy hard disk utilization like FTP, Web, or other kinds of file servers.
Before you analyze the hard disk performance and utilization, you should make sure
that you don't have any problems with a too high system load or a lack of physical
memory.
Systems with disk performance problems usually show a low network and CPU
utilization but a high activity of the installed disks, which is not caused by memory
paging or swapping.
In this case, you can use the vmstat command to display the activity of the disk
subsystem. You start vmstat by entering the following:
vmstat 1
The program should be started on the system when the performance problem occurs.
The following is the output of a system with almost no disk operations:
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  0      4   6728  34464 244744    0    0   447    42 1216  384 15  3 74  7
 0  0      4   6728  34464 244744    0    0     0     0 1186  222  1  1 98  0
 0  0      4   6760  34464 244744    0    0     0     0 1282  299  3  0 97  0
 0  0      4   6696  34532 244744    0    0     0    68 1139  147  1  1 97  1
 0  0      4   6696  34532 244744    0    0     0     0 1105  123  0  0 100 0
 0  0      4   6696  34532 244744    0    0     0     0 1117  131  0  0 100 0
In this example, the columns of interest are bi and bo. They display the number of
blocks per second that are read from (bi) or written to (bo) the disk subsystem.
The following shows a system with a high utilization of the disk subsystem:
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 1  2     52   5680   6100 221688    0    0     0 36160 1273 1655 42 58  0  0
 0  3    304   6896   1232 225672    0  256     4 22160 1586 1127 31 40  0 28
 1  2    304   5936   1252 226540    0    0     0 28400 1487  460 15 23  0 62
 1  0    304   7792   1276 224404    0    0     0 43328 1342  408 20 29  0 51
 1  2    304   6256   1624 224648    0    0     0 88260 1205  439 24 42  0 35
 0  2    476   6648   1672 224112    0  172     4 45452 1149 8015 29 54  0 17
 0  2    476   7672   1720 223184    0    0     8 36940 1168 8310 23 44  0 33
As you can see in the bo column, the system has to deal with a lot of writing activity
to the disk subsystem.
However, a lot of data read from or written to the disk does not necessarily mean that
the disk subsystem is too slow. Depending on the available disk types and the disk
configuration, a disk load that totally blocks one system can be easily handled by
another system.
A performance problem that is caused by the disk subsystem usually occurs when a
process has to wait for data being delivered from or written to the disk.
You can use the iostat command (package sysstat) to determine the average time
a program has to wait for data from the disk.
The following command displays information about the disk device /dev/sda:
iostat -x 1 /dev/sda
The option -x enables the output of some additional information. 1 sets the interval
in which iostat repeats its output to one second. The device name specifies the
disk that should be monitored. If no disk is specified on the command line, all disks
that are used by the system are monitored.
The output of iostat looks like the following:

da10:~ # iostat -x 1 /dev/sda
Linux 2.6.27.13-1-xen (da10) 05.03.2009 _i686_

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0,70    0,00    0,26    2,72    0,00   96,33

Device:  rrqm/s  wrqm/s   r/s   w/s  rsec/s  wsec/s avgrq-sz avgqu-sz  await  svctm  %util
sda        1,46   58,84  7,71 10,44  146,13  556,12    38,68     1,81  99,28   2,95   5,36

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0,00    0,00    0,00    0,66    0,00   99,34

Device:  rrqm/s  wrqm/s   r/s   w/s  rsec/s  wsec/s avgrq-sz avgqu-sz  await  svctm  %util
sda        0,00    0,00  0,00  1,00    0,00   16,00    16,00     0,02  16,00  16,00   1,60

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0,00    0,00    0,00    0,00    0,00  100,00

Device:  rrqm/s  wrqm/s   r/s   w/s  rsec/s  wsec/s avgrq-sz avgqu-sz  await  svctm  %util
sda        0,00    0,00  0,00  0,00    0,00    0,00     0,00     0,00   0,00   0,00   0,00

Every output contains two blocks of information. The first block displays the CPU utilization, like top or uptime. The second block shows the information about the requested disk device.
The first output represents the average values since the system was started. All following outputs show the average values for the last update period.
The block that displays the device information first shows some details about the amount of data that is read from or written to the device. To find out whether the disk subsystem has a performance bottleneck, focus on the following columns:
await: Average time, in milliseconds, an application has to wait until its I/O request is performed.
svctm: Average time, in milliseconds, that an I/O request needs to be performed.
As you can see in the iostat output above, the system in question is not really busy. The average await time since the system was booted (first line starting with Device:) is 99.28 milliseconds and the average svctm time is 2.95 milliseconds.
As you can see in the last Device: line, the current disk utilization is even far below the average, with await and svctm times of 0 milliseconds.
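The following shell filter is an added example and is not part of the Novell manual. It reads iostat -x output and flags every device sample whose await or %util column exceeds a threshold, which turns the "focus on await and svctm" advice above into something that can run in a cron job or a monitoring check. The sample output embedded in it is constructed from the two iostat -x runs shown in this section; the thresholds (100 ms and 80 %) are assumed values chosen for the demo, not figures from the manual.

```shell
#!/bin/sh
# Added example (not from the Novell manual): flag iostat -x device samples
# whose await or %util columns exceed a threshold. The sample output below is
# constructed from the page's two iostat -x runs; on a live system pipe the
# real output in, e.g.   LC_ALL=C iostat -x 1 /dev/sda | iostat_flag 100 80
# (LC_ALL=C prints decimal points; decimal commas are handled as well).

IOSTAT_SAMPLE='Linux 2.6.27.13-1-xen (da10) 05.03.2009 _i686_

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0,70    0,00    0,26    2,72    0,00   96,33

Device:  rrqm/s  wrqm/s   r/s   w/s  rsec/s  wsec/s avgrq-sz avgqu-sz  await  svctm  %util
sda        1,46   58,84  7,71 10,44  146,13  556,12    38,68     1,81  99,28   2,95   5,36

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           2,86    0,00    6,43   63,57    0,00   28,57

Device:  rrqm/s  wrqm/s   r/s   w/s  rsec/s  wsec/s avgrq-sz avgqu-sz  await  svctm  %util
sda       49,00 5587,00 111,00 72,00 26432,00 71680,00  536,13   141,26 971,43   5,49 100,40
'

# iostat_flag AWAIT_MAX_MS UTIL_MAX_PCT   (reads iostat -x output on stdin)
# Prints "WARN <dev> await=<ms> svctm=<ms> util=<pct>" for every device sample
# above either threshold; the thresholds are the caller's choice (assumed
# values in the demo). Exit status 1 if anything was flagged, else 0.
iostat_flag() {
    awk -v await_max="$1" -v util_max="$2" '
        # take column positions from each "Device:" header, because the set of
        # columns differs between sysstat versions
        $1 == "Device:" {
            split("", col)
            for (i = 1; i <= NF; i++) col[$i] = i
            in_block = 1; next
        }
        NF == 0 { in_block = 0; next }
        in_block && ("await" in col) && ("%util" in col) {
            await = $(col["await"]); util = $(col["%util"])
            svctm = ("svctm" in col) ? $(col["svctm"]) : "-"
            gsub(",", ".", await); gsub(",", ".", svctm); gsub(",", ".", util)
            if (await + 0 > await_max + 0 || util + 0 > util_max + 0) {
                printf "WARN %s await=%s svctm=%s util=%s\n", $1, await, svctm, util
                flagged = 1
            }
        }
        END { exit flagged ? 1 : 0 }
    '
}

# stand-alone demo on the constructed sample: only the busy sample is flagged
printf '%s' "$IOSTAT_SAMPLE" | iostat_flag 100 80 || echo "(exit status $?: at least one sample flagged)"
```

Because the column positions are read from the Device: header rather than hard-coded, the filter keeps working when a different sysstat release adds or removes columns; a header without await or %util simply produces no output for that block.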
Perform a Health Check and Performance Tuning
Compare this with the following output of a system with a higher I/O load:

da10:~ # iostat -x 1 /dev/sda
Linux 2.6.27.13-1-xen (da10) 05.03.2009 _i686_

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0,66    0,00    0,83    5,61    0,01   93,04

Device:  rrqm/s  wrqm/s    r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
sda        6,41  590,42  16,40 13,27  2532,94  4802,18   247,22     8,44  282,73   3,79  11,26

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           2,86    0,00    6,43   63,57    0,00   28,57

Device:  rrqm/s  wrqm/s    r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
sda       49,00 5587,00 111,00 72,00 26432,00 71680,00   536,13   141,26  971,43   5,49 100,40

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1,81    0,00    4,07   40,27    0,00   54,75

Device:  rrqm/s  wrqm/s    r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
sda       36,00 7761,00  65,00 81,00 16168,00 81920,00   671,84   138,90 1258,77   6,88 100,40

As you can see, the average await time on this system is close to 300 milliseconds and the svctm time is higher than before.
The following is an overview of commands that you can use to analyze disk utilization:
Table 7-3 Monitor Disk Utilization
Command   Description
iostat    Displays how long I/O requests from applications take.
vmstat    Monitors the amount of data that is read from or written to disk.
Analyze Network Utilization and Performance
On server systems, the network connection can be a performance bottleneck. There are many different parameters that can interfere with the network connection.
There are different tools you can use to monitor the network utilization. We cover one tool from Gnome and one from KDE:
Gnome System Monitor on page 282
KDE System Guard on page 282
Gnome System Monitor
The Gnome System Monitor can be started by selecting Computer > More Applications > System > Gnome System Monitor or by entering the gnome-system-monitor command at a command line.
The network utilization can be viewed on the Resources tab, as shown in the following:
Figure 7-1 Gnome System Monitor
The other tabs offer information on the system in general, the running processes with
the possibility to send signals to the processes by right-clicking a process and
choosing from a context menu, the file system, and hardware.
KDE System Guard
The KDE System Guard can be started from the command line by typing ksysguard.
NOTE: Although the KDE System Guard is a KDE application, it can also be used with the Gnome
Desktop. The application is included in the kdebase4-workspace package.
The following is a screenshot of the KDE System Guard:
Figure 7-2 KDE System Guard
The default view does not show any information on the network performance. You
can, however, add sensors on a new sheet. Click New Worksheet and in the dialog
that appears, change the title of the worksheet and the number of rows and columns
as needed. The new sheet looks like the following:
Figure 7-3 KDE System Guard
On the right side of the window, you can browse the available monitoring sensors. To monitor a network interface, browse to Network > Interfaces > Interface_you_want_to_monitor.
Two different blocks of sensors are available:
Receiver: Information about the received network data.
Transmitter: Information about the sent network data.
The following describes some of the available sensors you can use to analyze network problems:
Table 7-4 Network Monitoring with KDE System Guard
Sensor: Collisions
  This sensor is available only for the transmitter. Collisions usually occur more frequently when too many hosts share the same Ethernet domain (such as hosts that are connected with a hub instead of a switch).
  Too many collisions can have a negative impact on the overall network performance.
Sensor: Data/Packets
  Amount of data or packets sent or received by the interface. If performance problems occur during a high network load, the network connection or type might be too slow for the purpose of the server.
Sensor: Dropped Packets
  Number of packets that are dropped either when they are received by the host or by other network components like routers on their way to the destination.
  Too many dropped packets can have a bad influence on the network performance. The following are some reasons for dropped packets:
  Network components are running at a different speed. For example, the server runs at 100 Mbps, but the router at only 10 Mbps.
  The network or system load of a server is too high to handle all received network packets properly.
  A network component runs with a misconfigured packet filter that drops network packets.
Sensor: Errors
  An error occurs when a packet is transmitted but the content of the packet is corrupted. This can be caused by a bad physical connection or faulty network adapters.
There is also protocol-specific information under Network > Sockets.
Besides problems that are caused by the network or network setup itself, some network services can interfere with the overall system performance. These network services might not even be running on the same host that actually experiences performance problems.
The following are examples of this:
DNS: Many applications or services rely on the name resolution of the DNS system. If a DNS server is not working properly, the application waits for the response, which slows down its operation.
Proxy: Applications that connect to a service through a proxy server suffer from bad performance of that system.
NFS: Applications or services that access data mounted over NFS can be blocked completely if the NFS service is not available.
The following are tools that you can use to monitor the network:
Table 7-5 Network Monitoring Tools
Program            Description
ip -s link show    Status of an interface as well as transmission errors.
KDE System Guard   Network utilization and different kinds of transmission errors.
Traffic-vis        Analysis of network connections to specific hosts. You need to install the traffic-vis package in order to use this tool.
Objective 2 Reduce System and Memory Load
If you have determined that your performance problem is caused by a high system
load, you can do the following to reduce the load:
Analyze CPU-Intensive Applications on page 286
Run Only Required Software on page 286
Keep Your Software Up to Date on page 288
Optimize Swap Partitions on page 288
Change Hardware Components on page 289
Analyze CPU-Intensive Applications
A high system and memory load is often caused by a single application. You can use
the top utility to find out which process uses the most resources on your system.
Sometimes a process uses a lot of system resources because of a faulty
implementation. Usually you can determine this by restarting the process. If the
process does not use the same amount of resources after it has been restarted, a likely
cause is a faulty implementation.
In this case, you should try to get more information about the issue by searching the Internet and the Web site of the vendor or the open source project.
If the process starts to utilize the same amount of system resources after it has been
restarted, the system is probably not fast enough to run the process. Refer to Run
Only Required Software below for details on how to solve this issue.
Run Only Required Software
The easiest but most effective way to reduce the system load is to run only the
software that is required to fulfill the purpose of a system. This includes the following
methods:
Run a Server System without X on page 286
Reduce the Number of Daemon Processes on page 287
Run a Server System without X
Usually it is not necessary to run an X-Server on a server system. Most administrative
tasks, including those done in YaST, can be done on the text console or remotely with
SSH or SUSE Linux Remote Administration.
Preventing the X-Server from being started saves memory and CPU utilization. To do
so, you can switch to runlevel 3 manually by entering the following:
init 3
You can also set the default runlevel to 3 to boot the system to runlevel 3
automatically.
To change the default runlevel, you need to open the /etc/inittab file with a
text editor. In the file, look for a line like the following:
id:5:initdefault:
By changing 5 to 3, you can change the default runlevel from 5 (multiuser, network,
graphical login) to 3 (multiuser, network).
After the change, the line looks like the following:
id:3:initdefault:
Reduce the Number of Daemon Processes
In most cases, a server offers only a few services but some more daemons are actually
running. By reducing the number of running daemon processes, you can reduce the
processor and the memory load.
To get an overview of the current service configuration, you can use the chkconfig
command by entering the following:
chkconfig -l
The -l option lists all services and their configuration in each runlevel. For example, the following is the output for the Apache Web server:

da10:~ # chkconfig -l
...
apache2                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
...

As you can see, apache2 is enabled for runlevels 3 and 5.
Review the list and make sure that only the needed services are running in the default runlevel of your server. If you find a service that is not necessary, you can prevent it from starting up at boot time by removing its start script from the init process.
Use a command like the following to remove a service from the init process:
chkconfig apache2 off
In this example, apache2 is disabled in all runlevels. To re-enable a service, use a command like the following:
chkconfig apache2 3
In this example, apache2 is enabled in runlevel 3.
Changing the runlevel configuration does not affect the currently running instance of a service. If you don't want to reboot your system with the new configuration, you need to stop a running service by calling its rc script manually.
The command in the following example stops a running instance of apache2:
rcapache2 stop
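The review step described above (determine the default runlevel from /etc/inittab, then read chkconfig -l and decide which services should not be there) can be scripted so that it is repeatable after every change. The following is an added example written for this manual section, not a Novell tool. The /etc/inittab excerpt and the chkconfig -l listing it operates on are constructed samples in the format shown on this page; on a real SUSE Linux Enterprise Server 11 system you would pass "$(cat /etc/inittab)" and "$(chkconfig -l)" instead.

```shell
#!/bin/sh
# Added example, not from the manual: list the services that chkconfig reports
# as enabled in the system's default runlevel, so that the list can be compared
# with the services the server is actually supposed to provide.
# On a live SLES 11 system:  services_in_default_runlevel "$(cat /etc/inittab)" "$(chkconfig -l)"

# constructed sample of an /etc/inittab excerpt (format as shown in the manual)
INITTAB_SAMPLE='# constructed sample /etc/inittab excerpt
id:5:initdefault:
si::bootwait:/etc/init.d/boot
'

# constructed sample of chkconfig -l output (same layout as the apache2 line on the page)
CHKCONFIG_SAMPLE='apache2                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
cron                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
cups                      0:off  1:off  2:off  3:off  4:off  5:on   6:off
sshd                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
xdm                       0:off  1:off  2:off  3:off  4:off  5:on   6:off
'

# default_runlevel INITTAB_CONTENT -> prints N from the "id:N:initdefault:" line
default_runlevel() {
    printf '%s\n' "$1" | sed -n 's/^id:\([0-6]\):initdefault:.*$/\1/p' | head -n 1
}

# services_in_runlevel RUNLEVEL CHKCONFIG_OUTPUT -> one service name per line
# that chkconfig lists as "on" in that runlevel. Lines with fewer than eight
# fields (section headings, xinetd-managed "name: on/off" entries) are skipped.
services_in_runlevel() {
    printf '%s\n' "$2" | awk -v rl="$1" '
        NF >= 8 {
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on")) { print $1; break }
        }'
}

# services_in_default_runlevel INITTAB_CONTENT CHKCONFIG_OUTPUT
# Fails with status 1 when no initdefault entry can be found.
services_in_default_runlevel() {
    rl=$(default_runlevel "$1")
    [ -n "$rl" ] || { echo "no initdefault entry found" >&2; return 1; }
    services_in_runlevel "$rl" "$2"
}

# stand-alone demo on the constructed samples (default runlevel 5)
services_in_default_runlevel "$INITTAB_SAMPLE" "$CHKCONFIG_SAMPLE"
```

Running the demo lists apache2, cron, cups, sshd and xdm for runlevel 5; switching the initdefault line to 3, as the previous section recommends for a server without X, drops cups and xdm from the list, which is exactly the reduction of daemon processes this section is after.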
Keep Your Software Up to Date
There are many reasons to keep your software up to date. Besides possible security
issues caused by outdated software, up-to-date software can improve performance.
Implementation errors that lead to a high utilization of system resources might be
fixed in a newer release. And newer, faster algorithms might be used.
However, there might be exceptions to the rule. For this reason, you should test new
releases carefully before using them in a production environment.
Optimize Swap Partitions
On a system with a lot of swapping, you should usually add more physical memory
(RAM) to enhance the performance. However, if you can't do so, optimizing the swap
partitions can help.
First, you should make sure that you have enough available swap space. The old rule
that you should have double the size of the physical memory as swap space is a bit
outdated but still a reasonable starting point.
The key to speeding up the swap performance is to spread swap space over several
disks. This works only on systems that have more than one installed disk.
Every swap partition has an entry in the /etc/fstab file that looks like the
following:
/dev/sda1 swap swap defaults 0 0
You can use more than one swap partition by creating partitions and adding these to /etc/fstab, as in the following:
/dev/sda1 swap swap pri=1 0 0
/dev/sdb1 swap swap pri=1 0 0
/dev/sdc1 swap swap pri=1 0 0
In this example, three partitions are used on three different disks. The additional
parameter pri=1 assigns the same priority to all swap partitions.
With a priority 1 assigned to all swap partitions, the kernel can use the partitions in
parallel. This leads to a higher overall performance of swapping operations.
The drives that hold swap partitions should run at the same speed. If you have drives
with different speeds, you can assign the swap partitions on the faster ones a higher
priority, such as pri=10. Swap partitions with a higher priority are used first, and only
when there is no free swap space available anymore is the swap space of a partition
with lower priority used.
Change Hardware Components
If the above methods to reduce the system load do not lead to a lower resource
utilization, you should consider upgrading the following hardware:
Upgrade the CPU on page 289
Upgrade the Memory on page 289
Upgrade the CPU
If your system shows a high system load but all other parameters such as memory,
network, and storage load or utilization are not significantly high, you should
consider upgrading the CPU.
However, you need to consider the following before upgrading the CPU:
Are there significantly faster CPUs available for the type of system you are using
(socket type, BIOS support)?
Are the rest of the system components fast enough for the new CPU? (Otherwise,
you could work on one bottleneck and create a new one.)
Is the system going to be replaced in the near future?
Are other, faster systems available in your organization that could be used instead
of the current system?
Depending on the answers to these questions, you might decide to replace the whole
system instead of just the CPU. In some cases, this might be even more economical
than just a CPU upgrade in the long run.
Upgrade the Memory
Upgrading the memory usually means installing more physical memory. The first
question you might ask is how much additional memory you should install.
A way to answer this question is to look at the amount of swap space that is used by
the system when the performance problems occur. Adding double the amount of used
swap space might be a good starting point. But you should also compare the cost of a
memory upgrade with the cost of installing a new system.
Remember that if you add additional physical memory, you should also add
additional swap space. However, in most cases, more than 1 GB of swap space does
not increase performance significantly.
Exercise 7-1 Reduce Resource Utilization
In this exercise, you analyze system performance and learn how to reduce the
resource utilization of a SUSE Linux Enterprise Server 11 system.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Optimize the Storage System
There are many different ways to optimize the performance of your storage systems,
including the following:
Configure IDE Drives with hdparm on page 291
Tune Kernel Parameters on page 292
Tune File System Access on page 294
Change Hardware Components on page 295
Configure IDE Drives with hdparm
You can use the hdparm tool to tune some settings of IDE hard drives. Entering the following command displays the current settings of a drive:

da10:~ # hdparm -i /dev/sda

/dev/sda:

 Model=ST380815AS , FwRev=3.AAA , SerialNo= 6QZ2FW3T
 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs RotSpdTol>.5% }
 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
 BuffType=unknown, BuffSize=8192kB, MaxMultSect=16, MultSect=?16?
 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=156301488
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes:  pio0 pio1 pio2 pio3 pio4
 DMA modes:  mdma0 mdma1 mdma2
 UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 *udma6
 AdvancedPM=no WriteCache=enabled
 Drive conforms to: Unspecified:  ATA/ATAPI-1,2,3,4,5,6,7

 * signifies the current active mode

In this example, the settings of the device sda are listed.
The most important setting you can change with hdparm is DMA (direct memory access). With DMA, data from a disk can be written directly to the main memory of a system without CPU utilization. This enhances performance in two ways:
The transfer itself is much faster than with disabled DMA
The CPU is not utilized and can be used for other tasks
By default, DMA should be enabled for IDE hard disks, as in the above example (udma6). However, if you experience weak disk performance, you should check the setting. DMA can also be enabled for CD/DVD drives, which increases performance, especially for large data transfers.
You can change the DMA value using hdparm.
NOTE: Because changing DMA or other values might cause a loss of data, back up your data first before experimenting with it. The manual page for hdparm lists the options and the caveats.
hdparm also provides an option to measure the transfer performance of a hard disk, as in the following command for the device sda:

da10:~ # hdparm -t /dev/sda

/dev/sda:
 Timing buffered disk reads:  222 MB in  3.00 seconds =  73.94 MB/sec

In this example, the disk offers a buffered disk read rate of about 74 MB/s. To achieve valid results, you should repeat the test several times and compare the results. In general, the test should be run at a low system and storage load.
All changes that are made with hdparm are active only until the next reboot. To make sure hdparm commands are executed every time the system boots, you can add them to the /etc/init.d/boot.local file.
Tune Kernel Parameters
The components of the Linux kernel that are responsible for hard disk access offer some parameters that can be changed at runtime.
None of these parameters is saved permanently. If you want to set them every time the system starts up, you can add a command to set a parameter in the /etc/init.d/boot.local file.
Tunable parameters let you do the following:
Tune the IO Scheduler on page 292
Change the Read-Ahead Parameter on page 293
Change the Swappiness Parameter on page 293
Tune the IO Scheduler
Because Linux is a multitasking operating system, more than one process at a time might need to access the hard disk.
For this reason, the Linux kernel contains a component called the I/O Scheduler. This scheduler collects requests from the processes and hands them over to the hardware driver that is responsible for the drive.
The SUSE Linux Enterprise Server 11 I/O Scheduler has one parameter that you can use to tune the I/O performance. The parameter is stored in the /sys/block/device/queue/iosched/quantum file.
The parameter determines how many I/O requests are stored in a queue before they are handed over to the driver. By queuing the requests, the scheduler can optimize the order of the requests.
When you use this parameter, there is a trade-off between data throughput and latency. Use the following guidelines:
Lower value = Shorter latency but lower data throughput
Higher value = Longer latency but higher data throughput
The default value for SUSE Linux Enterprise Server 11 is four requests.
You can set the value of the parameter with a command similar to the following:
echo 6 > /sys/block/hda/queue/iosched/quantum
When you change the value, you should always benchmark your application to
measure the success of the change.
Changes to the I/O Scheduler parameters might not lead to performance
enhancements on general-purpose servers. However, on systems with a high disk
utilization like database servers, it can be useful to experiment with this setting.
Change the Read-Ahead Parameter
Another kernel parameter lets you determine how much data should be used for the read-ahead. Read-ahead basically means that more data from a file is read than requested by an application.
This is done because an application usually wants to read all data from a file, not just the data at the beginning. You can set the read-ahead parameter in the /sys/block/device/queue/read_ahead_kb file.
The value determines how much data (in KB) is read ahead from a file. The default value on SUSE Linux Enterprise Server 11 is 128 KB. Larger values can lead to a better overall throughput, with the drawback of a higher latency.
You can change the value with the following command:
echo 256 > /sys/block/device/queue/read_ahead_kb
Change the Swappiness Parameter
The swappiness parameter affects both the memory and the I/O performance. It basically determines when a system starts to swap out data to the disk, and it can be set in the /proc/sys/vm/swappiness file.
You can set the parameter to a value between 0 and 100. The higher the value, the more the system will swap. The default value for SUSE Linux Enterprise Server 11 is 60.
You can set the parameter with a command like the following:
echo 40 > /proc/sys/vm/swappiness
The parameter determines how much you value the page cache over program
memory.
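The three tunables above (quantum, read_ahead_kb, swappiness) are all set by echoing a number into a /sys or /proc file, and the manual suggests putting such commands into /etc/init.d/boot.local. A bare echo silently does nothing useful when the device name is wrong, the file does not exist on this kernel, or the value is out of range, so the following added example (not from the manual) wraps the write in a function that checks the file, validates the value against a range and reads the setting back to confirm the kernel accepted it. The demo at the end builds a throw-away copy of the relevant /sys and /proc paths in a temporary directory so it runs without root; the range limits passed in the demo are assumptions for illustration, not figures from the manual.

```shell
#!/bin/sh
# Added example, not from the manual: set a kernel tunable by writing to its
# /sys or /proc file, but only after checking that the file exists, that the
# value is an integer inside an expected range, and that the kernel really
# accepted it (read-back). Suitable for /etc/init.d/boot.local.

# set_tunable FILE VALUE MIN MAX
#   prints "FILE: OLD -> NEW" and returns 0 on success
#   returns 1 if FILE is missing or not writable
#   returns 2 if VALUE is not an integer within [MIN, MAX]
#   returns 3 if the value read back differs from what was written
set_tunable() {
    file=$1; value=$2; min=$3; max=$4
    [ -w "$file" ] || { echo "set_tunable: $file missing or not writable" >&2; return 1; }
    case $value in
        ''|*[!0-9]*) echo "set_tunable: '$value' is not a non-negative integer" >&2; return 2 ;;
    esac
    if [ "$value" -lt "$min" ] || [ "$value" -gt "$max" ]; then
        echo "set_tunable: $value is outside [$min, $max] for $file" >&2; return 2
    fi
    old=$(cat "$file")
    echo "$value" > "$file" 2>/dev/null
    new=$(cat "$file")
    [ "$new" = "$value" ] || { echo "set_tunable: $file still reads $new" >&2; return 3; }
    echo "$file: $old -> $new"
}

# make_fake_tree -> prints the path of a temporary directory that mimics the
# three files from this section with their SLES 11 default values (constructed
# for the demo; real systems use /sys and /proc directly)
make_fake_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sys/block/sda/queue/iosched" "$root/proc/sys/vm"
    echo 4   > "$root/sys/block/sda/queue/iosched/quantum"
    echo 128 > "$root/sys/block/sda/queue/read_ahead_kb"
    echo 60  > "$root/proc/sys/vm/swappiness"
    echo "$root"
}

# stand-alone demo; in boot.local the ROOT prefix would simply be empty
ROOT=$(make_fake_tree)
set_tunable "$ROOT/sys/block/sda/queue/iosched/quantum" 6 1 64
set_tunable "$ROOT/sys/block/sda/queue/read_ahead_kb" 256 0 4096
set_tunable "$ROOT/proc/sys/vm/swappiness" 40 0 100
set_tunable "$ROOT/proc/sys/vm/swappiness" 140 0 100 || echo "(rejected as expected, status $?)"
set_tunable "$ROOT/sys/block/hdz/queue/iosched/quantum" 6 1 64 || echo "(no such device, status $?)"
rm -rf "$ROOT"
```

The read-back check is the part worth keeping even if you drop the range validation: sysfs files that belong to a different I/O scheduler or to a read-only attribute accept the write syscall without error and simply keep their old value, which a plain echo in boot.local would never reveal.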
Tune File System Access
To achieve a performance advantage for an application, you can control the way the
kernel accesses the file system by doing the following:
Disable atime Update on page 294
Implement File System-Dependent Tuning Options on page 294
Disable atime Update
For every file, Linux stores the following information:
When the inode was changed (ctime)
When the file content was last modified (mtime)
When the file was last accessed (atime)
To keep the atime information up to date, the kernel needs to update the atime
attribute every time a file is accessed. Updating the atime means that the kernel needs
to perform a write access, which causes additional load for the hard disk.
If the atime attribute is not important to you, you can mount a data partition with the
noatime option. This might be especially useful on laptops.
The following shows an fstab entry for the partition /dev/sda2 that uses the noatime
option:
/dev/sda2 /data ext3 acl,user_xattr,noatime 1 1
Implement File System-Dependent Tuning Options
Beside the general disk tuning options, you can also configure the file system to do
the following:
Configure the Journaling Mode of Ext3 on page 294
Mount a Reiser File System with the notail Option on page 295
Configure the Journaling Mode of Ext3
The ext3 file system offers journaling functionality. In journaling, every file system
transaction is logged in a special area of a partition, called the journal. The data in the
journal helps to restore a consistent file system in case of a system crash or a power
failure.
The ext3 file system offers three journaling modes that also affect the disk
performance:
data=journal: Logs the transaction data and the file metadata in the journal.
This is the most secure option for data security.
data=ordered: Stores only the file metadata in the journal. However, it forces
the file data to be written to disk before the metadata.
This option is a good compromise between speed and reliability, and it is the
default for SUSE Linux Enterprise Server 11.
data=writeback: Fastest journaling option. Metadata is logged to the journal,
but file data is not treated in a special way. However, you still have the
advantages of a journaling file system when a crash or a power failure occurs.
You can use these options with the -o option of the mount command, or add them to
the /etc/fstab, as in the following:
/dev/sda2 /data ext3 acl,user_xattr,data=writeback 0 0
Mount a Reiser File System with the notail Option
On traditional UNIX file systems, small files or the remainder of a big file (the tail) use a full block of the file system, although they don't really fill the block.
Reiserfs can store this data much more efficiently in the file system's internal structure. However, this costs some performance. You can use the mount option notail to disable this feature. The drawback is less space-efficient data storage.
You can use the notail option either with the -o option of mount or in the /etc/fstab file, as in the following:
/dev/sda3 /data2 reiserfs acl,user_xattr,notail 0 0
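Each of the tuning steps in this objective that touch /etc/fstab (swap partitions with pri=, the noatime option, the ext3 data= journaling mode and the reiserfs notail option) is easiest to review from the file itself rather than from memory. The following added example, which is not part of the manual, reads an fstab and answers the questions an administrator asks before and after such a change: which swap priorities are in effect, whether a given option is set on a mount point, and which ext3 journaling mode applies. The fstab content is a constructed sample assembled from the example lines shown in this objective; on a real system pass "$(cat /etc/fstab)".

```shell
#!/bin/sh
# Added example, not from the manual: inspect /etc/fstab entries for the
# mount options discussed in this objective (swap priority, noatime, data=,
# notail). FSTAB_SAMPLE is a constructed sample built from the page's lines.

FSTAB_SAMPLE='# constructed sample /etc/fstab
/dev/sda1  swap    swap      pri=10                                 0 0
/dev/sdb1  swap    swap      pri=1                                  0 0
/dev/sdc1  swap    swap      pri=1                                  0 0
/dev/sda2  /data   ext3      acl,user_xattr,noatime,data=writeback  1 1
/dev/sda3  /data2  reiserfs  acl,user_xattr,notail                  0 0
'

# mount_options FSTAB MOUNTPOINT -> the option field (4th column) of the entry
# for MOUNTPOINT; comment lines and short lines are ignored
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# has_mount_option FSTAB MOUNTPOINT OPTION -> status 0 if OPTION is listed;
# OPTION may be a flag such as "noatime" or a pair such as "data=writeback"
has_mount_option() {
    opts=$(mount_options "$1" "$2")
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# data_mode FSTAB MOUNTPOINT -> the ext3 data= journaling mode of the entry,
# or "ordered" (the SLES 11 default named on this page) when no data= option
# is given; status 1 if there is no entry for MOUNTPOINT
data_mode() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || return 1
    mode=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^data=//p' | head -n 1)
    printf '%s\n' "${mode:-ordered}"
}

# swap_priorities FSTAB -> "device priority" for each swap entry, "-" when the
# entry carries no pri= option
swap_priorities() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 && $3 == "swap" {
        pri = "-"
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^pri=/) pri = substr(o[i], 5)
        print $1, pri
    }'
}

# stand-alone demo on the constructed sample
swap_priorities "$FSTAB_SAMPLE"
has_mount_option "$FSTAB_SAMPLE" /data noatime && echo "/data: atime updates disabled"
echo "/data journaling mode: $(data_mode "$FSTAB_SAMPLE" /data)"
has_mount_option "$FSTAB_SAMPLE" /data2 notail && echo "/data2: reiserfs tail packing disabled"
```

The demo output shows /dev/sda1 at priority 10 and the other two swap partitions at priority 1, which is the "faster drive first, the others in parallel" layout the swap section describes; the same calls against the real file confirm that an edit actually landed on the intended mount point before the system is rebooted.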
Change Hardware Components
If all of the above-mentioned options do not improve disk performance, you might
need to consider upgrading your hardware.
From a performance perspective, a true SCSI hardware RAID system might be the
best choice. But upgrading to a newer IDE or SCSI disk can produce some of the
same results.
However, you have to compare the costs and the estimated advantages of an upgrade
with the purchase of a new system. A hardware upgrade always has the risk of
creating a new performance bottleneck somewhere else in the system.
Objective 4 Tune the Network Performance
There are several different approaches to tuning the network performance of your
Linux system. Because of the nature of networks, this sometimes includes not only
your system but the whole network infrastructure.
The following are two ways you can tune network performance:
Change Kernel Network Parameters on page 296
Change Your Network Environment on page 297
Change Kernel Network Parameters
The Linux kernel lets you change some network parameters during runtime. This
makes sense on systems that have to deal with a lot of parallel connections (such as
Web servers).
The parameters can be set with the sysctl command. To use this command, you
have to be the root user, because changing kernel parameters is not permitted for
regular users.
The most important command line parameter of sysctl is -w. With this option, you
can write a value into a kernel configuration parameter.
You can also access the kernel parameters from the proc file system, which is
mounted under /proc. You change the parameters by writing them into the
corresponding files in the /proc directory.
The following lists several sysctl commands and their effect on network
performance:
Table 7-6 Tuning the Network Performance Using sysctl
sysctl command:
  sysctl -w net.ipv4.tcp_tw_reuse=1
  sysctl -w net.ipv4.tcp_tw_recycle=1
Effect:
  When a TCP connection has been closed, the corresponding socket stays in the TIME-WAIT status for a while. Setting these two parameters enables the reuse of these sockets for new connections. On a system with many TCP connections, this can reduce the number of open connections and the utilization of system resources.
To set values at boot time, the values need to be added to the /etc/sysctl.conf
file. Its syntax is token = value, as shown below in a sample /etc/
sysctl.conf file:
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
# avoid deleting secondary IPs on deleting the primary IP
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
Change Your Network Environment
Because networking involves more than one system, you should consider which
changes to other hosts or your network infrastructure can improve the network
performance.
The following are some suggestions for improving network performance:
Monitor all other system components: Before you change your network
infrastructure, you should make sure that your problem is really caused by the
network connection.
Monitor all other components carefully over a longer period of time, especially
the CPU and memory utilization.
Limit the collision domain: If you see a lot of collisions when you monitor your
system's network interface, there are probably too many systems that share the
same Ethernet collision domain.
In this case, you should restructure your network or use switches instead of hubs.
Check cable quality: If you see a lot of transmission errors when you monitor a
network interface, you might have a problem with your network cable. Replace
the network cable and monitor the interface again.
sysctl -w net.ipv4.tcp_keepalive_time=900 TCP connections are usually kept alive for a
specific amount of time. After this time
period, a system probes to see if the
connection partner is still reachable. If not,
the connection is closed and the used
resources are freed.
The default time for SUSE Linux Enterprise
Server 11 is 7200 seconds (two hours). By
reducing this time, you can reduce the
number of opened but unused connections.
sysctl command Effect
Check both sides of a connection: If your server has connectivity problems
with a specific client and all other clients are working correctly, you should check
the connection from the client side.
Change network adapters: In some cases, a driver for a network adapter can be
faulty and cause a performance bottleneck. Try switching to an adapter from a
different vendor and monitor the system to see if performance improves.
Upgrade to a faster network type: If other measures do not lead to improved
performance, upgrading to a faster network technology (such as Gigabit
Ethernet) might help.
However, you must make sure that the other components of your system (such as
the chipset) can handle this speed.
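Checking an /etc/sysctl.conf file against a baseline, as an added example that is not from the manual or from SUSE: the script below parses token = value lines the way sysctl does (comments, blank lines and whitespace around the equal sign are dropped), audits the result against expected values, and can compare one key with the value the running kernel exposes under /proc/sys. The sample configuration, the function names and the expected values are constructed for this example.

```bash
#!/bin/bash
# Added example, not from the manual: parse sysctl.conf-style "token = value"
# lines and audit them against expected settings.

# Constructed sample configuration (modelled on the manual's /etc/sysctl.conf).
SAMPLE_CONF='# Disable response to broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding (left disabled)
#net.ipv6.conf.all.forwarding = 1
fs.inotify.max_user_watches=65536
net.ipv4.tcp_keepalive_time = 900
'

# parse_sysctl_conf: read config text on stdin, print one "key=value" per line.
# Comments (# or ;), blank lines and whitespace around "=" are dropped, as sysctl does.
parse_sysctl_conf() {
    sed -e 's/[#;].*$//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# count_settings: number of active settings in the config text on stdin.
count_settings() {
    parse_sysctl_conf | grep -c .
}

# conf_value KEY: value of KEY in the config text on stdin (empty if unset).
conf_value() {
    parse_sysctl_conf | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# audit_sysctl EXPECTED...: compare "key=value" arguments against the config text
# on stdin, print one line per key and return the number of mismatches.
audit_sysctl() {
    local parsed mismatches=0 pair key want have
    parsed="$(parse_sysctl_conf)"
    for pair in "$@"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        have="$(printf '%s\n' "$parsed" | awk -F= -v k="$key" '$1 == k { print $2 }')"
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $want"
        else
            echo "MISMATCH $key: want $want, have ${have:-<unset>}"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# live_matches_conf KEY: 0 if the running kernel's value under /proc/sys equals the
# sample config's value, 1 if it differs, 2 if the key cannot be read on this host.
live_matches_conf() {
    local key="$1" path want have
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    [ -r "$path" ] || return 2
    want="$(printf '%s' "$SAMPLE_CONF" | conf_value "$key")"
    have="$(cat "$path")"
    [ "$want" = "$have" ]
}

# Demo: one mismatch is expected, because tcp_tw_recycle is not set in the sample.
printf '%s' "$SAMPLE_CONF" | audit_sysctl \
    net.ipv4.icmp_echo_ignore_broadcasts=1 \
    net.ipv4.conf.all.rp_filter=1 \
    net.ipv4.tcp_keepalive_time=900 \
    net.ipv4.tcp_tw_recycle=0 \
    || echo "$? setting(s) differ from the baseline"
```

The baseline deliberately expects net.ipv4.tcp_tw_recycle to be 0: that setting drops connections from clients behind a shared NAT address whose TCP timestamps do not increase monotonically, and later kernels removed it (in 4.12), so confirming it is off is a sensible check before tuning TIME-WAIT behaviour. The return value of audit_sysctl is the mismatch count, which makes the function usable directly in a cron job or a health-check script that treats non-zero as a finding.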
Summary

Objective: Find Performance Bottlenecks
Summary: To find performance bottlenecks, you should monitor the following
components of your system:
CPU: The CPU load is measured by the average number of processes that are
waiting to be executed. The load can be displayed with uptime or top. top can
also be used to display the processes that cause the highest CPU utilization.
Memory: Lack of physical memory is a very common performance bottleneck.
When the system needs to page out memory pages to swap memory, the overall
system performance is affected. You can display the paging and swapping
activities with the vmstat tool.
Storage System: A good indicator for the storage load of a system is the time
that an application needs to wait for an I/O request and the amount of time an
average I/O request takes. Both values can be displayed with the iostat tool.
Network components: KDE System Guard displays various parameters of
network utilization such as packets, errors, and collisions.

Objective: Reduce System and Memory Load
Summary: To reduce the system and memory load, you can do the following:
Determine which processes utilize most of the processing power. Determine
whether this is a failure or part of normal operation.
Run only software that is required to fulfill the purpose of the system.
Keep your software up to date.
Optimize swap memory by spreading it over multiple disks.
Upgrade the CPU and the physical memory.
Objective: Optimize the Storage System
Summary: To enhance the performance of the storage system, you can do the
following:
Use hdparm to ensure an optimal configuration of your hard disks.
Set kernel parameters to optimize disk access.
Tune access to the file systems on your disks.
Change slow components of your storage system.

Objective: Tune the Network Performance
Summary: Adapt the network parameters of the Linux kernel for your needs.
Reconfigure your network environment. This includes the following:
Reduce the collision domain of Ethernet networks.
Check the physical quality of the connection (such as cables and plugs).
Check both sides of a faulty network connection.
Replace or upgrade your network equipment.
SECTION 8 Create Shell Scripts
Bash scripts play a key role in the administration of SUSE Linux Enterprise 11. All
start scripts in the /etc/init.d/ directory, for instance, are Bash scripts.
As a Linux system administrator, you are often faced with recurring tasks that consist
of commands that have to be called in a certain order. By combining these commands
into a script, you can make your job a lot easier.
This section covers the basic elements of shell scripts to help you understand existing
shell scripts in your Linux system and to help you write shell scripts of your own that
fit your needs.
When writing shell scripts, you usually have many different options to solve a
problem. Please note that our project will not necessarily use the most efficient way
of coding. The purpose here is, first of all, to introduce you to the elements of Bash
scripting and to use examples that are easy to understand.
Objectives
1. Bash Basics on page 302
2. Use Basic Script Elements on page 307
3. Understand Variables and Command Substitution on page 312
4. Use Control Structures on page 316
5. Use Arithmetic Operators on page 325
6. Read User Input on page 328
7. Use Arrays on page 331
8. Finalize the Course Project on page 334
9. Use Advanced Scripting Techniques on page 337
10. Learn about Useful Commands in Shell Scripts on page 341
Objective 1 Bash Basics
The default Linux shell Bash (Bourne Again SHell) can control the system with
commands, perform file operations, or start applications. It can be used interactively
on the command line, or you can create a file that includes several shell commands
and start this file like an application.
Before diving into shell scripting, let's review some of the features of Bash:
Bash Command Line on page 302
Bash Variables on page 304
Return Values on page 306
All the elements covered in this objective for interactive use of Bash can be employed
within shell scripts as well.
Bash Command Line
A command entered on the command line consists of the command and optional
arguments:
geeko@da10:~> cp -a Photos /tmp
geeko@da10:~>
On the left there is the command prompt, geeko@da10:~>. The command cp is
followed by arguments, in this case the option -a and the parameters Photos and
/tmp. After pressing Enter, the command is executed. As there is no error message,
the command was successful.
Each element in the command line above is called a word. A word (also called a
token) is a sequence of characters considered as a single unit by the shell. Words are
separated from each other by spaces, tabs, or one of the following characters: | & ; (
) < >.
Depending on the type of command or its options, some messages appear on the
screen. Messages that indicate normal or expected behavior are written to the file
descriptor 1, Standard Out (stdout) which, in interactive use of Bash, is connected to
the terminal where you entered the command:
geeko@da10:~> cp -av Photos /tmp
"Photos/vacation/beach.jpg" -> "/tmp/Photos/vacation/beach.jpg"
...
When there is an error message, this message is written to the file descriptor 2,
Standard Error (stderr) which, in interactive use, is also connected to the terminal
where you entered the command:
geeko@da10:~> cp -av Fotos /tmp
cp: cannot stat `Fotos': No such file or directory
geeko@da10:~>
Within a terminal, stdout and stderr look the same, but they are indeed
different, as you can see when you redirect them to a file. To redirect stdout to a file,
you use the > operator (or >> to append to a file):
geeko@da10:~> cp -av Photos /tmp > output.txt
geeko@da10:~> cat output.txt
"Photos/vacation/beach.jpg" -> "/tmp/Photos/vacation/beach.jpg"
...
It is also possible to redirect stderr to a file. This is especially useful if there are a lot
of error messages or some error messages in a lot of normal output. Redirecting stderr
allows you to view the messages using a pager like less. To redirect stderr, you use
the 2> operator:
geeko@da10:~> cp -av Fotos /tmp 2> error.txt
geeko@da10:~> cat error.txt
cp: cannot stat Fotos: No such file or directory
geeko@da10:~>
As you can see in both examples, when stdout and stderr are redirected, no output is
written to the terminal.
You can also redirect stdout and stderr to separate files in one command line:
geeko@da10:~> cp -av Fotos Photos /tmp > output.txt 2> error.txt
geeko@da10:~>
It is also possible to redirect stdout and stderr to one file, using the 2>&1 operator,
which has to appear after the redirection of stdout on the command line:
geeko@da10:~> cp -av Fotos Photos /tmp > out-err.txt 2>&1
geeko@da10:~>
In addition to stdout and stderr, by default there is a third file descriptor, Standard In
(stdin, file descriptor 0). In interactive use, this is usually connected to the keyboard.
But it can be redirected to a file as well, and the operator to redirect stdin is <:
geeko@da10:~> mail -s "Output and Errors" geeko < out-err.txt
geeko@da10:~>
In Linux, a typical program will open these three file descriptors (Standard In, file
descriptor 0; Standard Out, file descriptor 1; Standard Error, file descriptor 2) when it
starts.
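The descriptor separation described above, and the rule that 2>&1 has to come after the redirection of stdout, as an added example that is not the manual's code: the emit helper is constructed (it writes one line to each descriptor), the files go into a temporary directory from mktemp, and each function returns or writes something a caller can check rather than only printing.

```bash
#!/bin/bash
# Added example, not from the manual: stdout and stderr are separate descriptors,
# and the order of "> file" and "2>&1" on the command line decides where each goes.

# emit: constructed helper that writes one line to stdout and one line to stderr.
emit() {
    echo "normal output"
    echo "error output" >&2
}

# capture_separately DIR: stdout -> DIR/out.txt, stderr -> DIR/err.txt
capture_separately() {
    emit > "$1/out.txt" 2> "$1/err.txt"
}

# capture_joined DIR: both descriptors into DIR/both.txt ("2>&1" after "> file",
# so stderr is pointed at the file that stdout already points to).
capture_joined() {
    emit > "$1/both.txt" 2>&1
}

# capture_wrong_order DIR: "2>&1" before "> file" points stderr at wherever stdout
# went at that moment (the caller), and only afterwards sends stdout to the file.
# The error line therefore escapes to the caller's stdout and is returned here.
capture_wrong_order() {
    emit 2>&1 > "$1/only-stdout.txt"
}

# line_count FILE: number of lines in FILE, 0 if it does not exist.
line_count() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

demo() {
    local dir escaped
    dir="$(mktemp -d)"
    capture_separately "$dir"
    capture_joined "$dir"
    escaped="$(capture_wrong_order "$dir")"
    echo "out.txt lines:  $(line_count "$dir/out.txt")"    # 1
    echo "err.txt lines:  $(line_count "$dir/err.txt")"    # 1
    echo "both.txt lines: $(line_count "$dir/both.txt")"   # 2
    echo "escaped to the caller: $escaped"                   # error output
    rm -r "$dir"
}
demo
```

The wrong-order case is the one that bites in practice: a cron job written as `cmd 2>&1 > log` still mails its error output to the job owner, because the errors never reach the log file.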
If you want to process the output of one command by another command, you could
write the output of the first program to a file and use that file as input for the second
command, as shown in the above example for the mail command. However, you can
use the output of one command directly as the input for another command using the
pipe operator |:
geeko@da10:~> cp -av Fotos Photos /tmp 2>&1 | mail -s "Output and Errors" geeko
geeko@da10:~>
Instead of reading from a file, the shell can be instructed to read from the current
source with a so-called here document, using the << redirector, as illustrated in the
following example:
geeko@da10:~> cat << EOF
> This is printed after
> writing EOF in a single line.
> EOF
This is printed after
writing EOF in a single line.
The text after the cat << EOF line is printed once the same string (EOF in the
example above) appears in a line with no trailing whitespace. This syntax is often
used in scripts to write several lines to the screen.
NOTE: For a full explanation of redirection, see man bash and search for redirection.
Bash Variables
A variable is a label assigned to a location in computer memory that holds an item of
data. Bash variables are not typed. They are essentially character strings, but some
arithmetic operations are possible when the variable contains only digits.
Variables can serve different purposes. The following types of variables exist,
although the differentiation is to some extent arbitrary, because positional parameters,
for instance, could also be included under shell variables:
Shell Variables on page 304
Positional Parameters on page 305
Environment Variables on page 305
Shell Variables
Shell variables are used to control the behavior of the shell itself. Some of them are
assigned default values by Bash, and some can be assigned values by the startup
scripts Bash reads when it starts (such as /etc/profile or ~/.bashrc). These include the
following:
IFS: Internal Field Separator. A list of characters that separate fields and are used
to determine the beginning and end of a word (token).
PS1: Primary Prompt String. The string that determines what your normal prompt
in a terminal window looks like.
BASH: The full path name used to execute the current instance of Bash.
HISTSIZE: The maximum number of commands kept in the history list.
NOTE: For a full explanation of shell variables, see man bash and search for Shell Variables.
Positional Parameters
When a command or script is called, the $0 parameter is assigned the command or
script name. The first parameter after this is $1, the second $2, and so on. If you want
to refer to all positional parameters, you would use $* (all positional parameters seen
as one single word) or $@ (all positional parameters seen as separate words).
The following should give you an idea how they can be used:
geeko@da10:~> cat script.sh
echo The command itself: "$0"
echo The first parameter: "$1"
echo The second parameter: "$2"
echo All parameters '($*)': "$*"
echo All parameters '($@)': "$@"
geeko@da10:~> ./script.sh first second
The command itself: ./script.sh
The first parameter: first
The second parameter: second
All parameters ($*): first second
All parameters ($@): first second
geeko@da10:~>
Environment Variables
Every process has an environment, which consists of variables that it may reference
and which can be used by the process to influence its execution. This is true for the
shell as well.
Environment variables can be used to regulate the behavior of Bash. They are usually
set by the scripts Bash reads when it starts, including /etc/profile, ~/
.bashrc and others. Environment variables include the following:
USER: User who invoked the shell.
MANDIR: Directories to search for manual pages
LS_COLORS: Colors used for the output of the ls command.
By default, various environment variables are set. You can view them and their
content with the export and set commands.
Return Values
Every command returns a value to the calling shell that indicates whether the
program terminated normally (return value 0) or there were errors (return value not
0).
The return value of the last process run by Bash is stored in the $? variable. Using
the echo command, you can view the content of this variable:
geeko@da10:~> ls -ld Desktop
drwxr-xr-x 2 geeko users 440 13. Jan 15:57 Desktop
geeko@da10:~> echo $?
0
geeko@da10:~> ls -ld abcd
ls: cannot access abcd: No such file or directory
geeko@da10:~> echo $?
2
geeko@da10:~>
Using the return value, you can make the execution of a second command dependent
on the outcome of the first. The operators to use are && (the second command is
executed if the first one returns 0) or || (the second command is executed if the first
command returns a value different from 0).
This command displays the content of the message.txt file if it exists:
test -f message.txt && cat message.txt
This command installs the package sysstat if it is not installed:
rpm -q sysstat || yast2 -i sysstat
Within a script, decisions on how to proceed are frequently based on the return value
of a command.
Objective 2 Use Basic Script Elements
An important but sometimes neglected task is the backing up of files. As shell
scripting is best understood and learned by actually writing scripts, we will develop
in this section a Bash script to back up your home directory.
Usually backups are written to external media, like external hard drives or tape
drives. As you probably don't have such a drive at your disposal in your study
environment, in the script we will back up the files to different directories on your
hard drive. Once you have understood the scripting basics covered in this section, you
should be able to adapt what you have learned to other environments, such as your
personal backups at home, or the backups in your company to safeguard company
information.
To write a simple shell script, you have to understand the following:
Elements of a Shell Script on page 307
A Simple Backup Script on page 308
Debug Options on page 310
Elements of a Shell Script
A shell script is basically an ASCII text file containing commands to be executed in
sequence. To allow this, it is important that permissions for the script file are set to r
(readable) and x (executable) for the user that runs it.
However, the execute permission is not granted by default to newly created files. To
assign this permission, you need to use a command such as the following:
chmod +x script.sh
NOTE: You can also execute the script from another shell with a command such as the following:
bash script.sh
In this example, it is not necessary to make the script executable.
On SUSE Linux Enterprise 11, /bin/sh is a link to /bin/bash. When invoked as sh
script.sh, some Bash features are not available and your script might not work as intended if it
relies on some of these features.
If you want to be able to run the script by using its name alone, the directory where
the script is located must be listed in the $PATH variable. If there is a bin directory
in the home directory of a user, this directory is included in $PATH by default in
SUSE Linux Enterprise 11.
Shell scripts in a directory that is not listed in $PATH must be started with the full
path name or a relative path name such as ./script.sh.
When naming script files, it is a good idea to add an .sh extension to the filename.
Linux doesn't require it, but it ensures that the file can easily be recognized by the
system administrator as a shell script.
If you do not add the suffix, you need to make sure the filename is not identical to
an existing command. For example, a common mistake is to name a script "test",
which interferes with the test command line tool.
Within a script, empty lines and lines starting with a # character are ignored. The #
character is used to add comments to your script. As a general practice, you should
add a comment at the beginning giving a brief overview of what the script is supposed
to do, and also add comments throughout your script to explain what a line or section
does. This makes it much easier for you and others to understand the script when you
go back to it after some time to modify it.
The first line of a script defines the shell used to execute the script. This line is
sometimes referred to as the she-bang line. Only this first line is interpreted despite
the fact it starts with a # character. It has the following syntax:
#!/bin/bash
All subsequent lines of the script are either comments (starting with a # character) or
actual commands.
A Simple Backup Script
The core command that we will use to make the backups is rsync. rsync lets you
efficiently copy files from one directory to another or from one machine over the
network to another. Its main advantage is that when updating a backup, only the
differences between files are copied, not the entire files, which speeds up the update
remarkably.
rsync can be controlled with various options. Therefore, even if our script contains
only one command, it can save some typing as there is no need to type the options
each time it is invoked.
What the script is supposed to do is to copy the user's home directory to the /backup
directory.
The elements you need are the she-bang line, a comment that explains what the script
does, and the rsync command itself. The script could look like the following:
#!/bin/bash
#
# simple-backup1.sh
# Back up geeko's home directory to /backup using rsync
rsync -a --no-whole-file /home/geeko /backup
The -a (archive) option ensures the permissions are kept and directories are copied
recursively. The --no-whole-file option makes sure only the changed parts of
the files are updated, instead of the whole files being copied. This does not make a
difference on the initial copy, but speeds up updates.
When you execute this script, you might get an error similar to the following:
geeko@da10:~/bin> simple-backup1.sh
rsync: writefd_unbuffered failed to write 4 bytes [sender]: Broken pipe (32)
rsync: mkdir "/backup" failed: Permission denied (13)
rsync error: error in file IO (code 11) at main.c(576) [receiver=3.0.4]
rsync: connection unexpectedly closed (9 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(632) [sender=3.0.4]
The reason is that the directory /backup doesn't exist and, as a normal user, you are
not allowed to create files or directories in /. We will integrate some error handling
later; for now, just create (as root) the directory /backup with the command
mkdir -m 1777 /backup
and run the script again as a normal user.
When you execute the script, there is no output, which is consistent with the usual
behavior of Linux command line programs of "no message = success". However, if
you want to see some information, you can add a message to the script:
#!/bin/bash
#
# simple-backup2.sh
# Back up geeko's home directory to /backup using rsync
echo "Backing up /home/geeko to /backup/"
rsync -a --no-whole-file /home/geeko /backup
The echo command outputs the text enclosed in double quotes to the terminal. The
option -e lets echo interpret backslash sequences. These can be used to format the
output to some extent.
The following is a list of other backslash sequences that can be used with echo and
what they output:
\\ Backslash
\a Alert (beep tone)
\b Backspace
\c Suppress the trailing new line (produce no further output)
\f Form feed
\n New line
\r Carriage return
\t Horizontal tab
\v Vertical tab
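The error handling the text defers ("we will integrate some error handling later"), as an added example that is not the manual's script: the checks are small functions whose return values drive the script with && and ||, following the Return Values discussion. The paths match the manual's script, but the function names are constructed, the host is not assumed to have /backup or rsync, and a world-writable /backup (as created with mkdir -m 1777 /backup) is the reason the per-user subdirectory's ownership is checked before anything is copied into it.

```bash
#!/bin/bash
# Added example, not from the manual: preflight checks for the backup script,
# written as functions whose return values drive the script with && and ||.

SRC="/home/${USER:-geeko}"   # assumption: back up the calling user's home
DEST="/backup"

# check_backup_target DIR: 0 if DIR is an existing directory (not a symlink) that
# we can write to; 1 otherwise, with the reason on stderr.
check_backup_target() {
    local dir="$1"
    [ -n "$dir" ]   || { echo "no backup target given" >&2; return 1; }
    [ ! -L "$dir" ] || { echo "$dir is a symbolic link" >&2; return 1; }
    [ -d "$dir" ]   || { echo "$dir does not exist" >&2; return 1; }
    [ -w "$dir" ]   || { echo "$dir is not writable" >&2; return 1; }
}

# owner_uid PATH: numeric uid of PATH's owner (ls -n is portable, stat -c is not).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_backup_subdir DIR NAME: DIR/NAME must not exist yet, or must be a directory
# (not a symlink) owned by us. In a world-writable DIR such as the manual's
# "mkdir -m 1777 /backup", any user could have pre-created it, so the owner is
# checked before rsync writes a home directory into it.
check_backup_subdir() {
    local sub="$1/$2"
    [ -e "$sub" ] || [ -L "$sub" ] || return 0
    [ ! -L "$sub" ] || { echo "$sub is a symbolic link" >&2; return 1; }
    [ -d "$sub" ]   || { echo "$sub exists but is not a directory" >&2; return 1; }
    [ "$(owner_uid "$sub")" = "$(id -u)" ] \
        || { echo "$sub is owned by another user" >&2; return 1; }
}

# run_backup SRC DEST: run the checks, then rsync SRC into DEST. Returns 1 when a
# check fails, rsync's exit status otherwise, and 0 with a note if rsync is absent.
run_backup() {
    local src="$1" dest="$2"
    [ -d "$src" ] || { echo "$src does not exist" >&2; return 1; }
    check_backup_target "$dest" || return 1
    check_backup_subdir "$dest" "$(basename "$src")" || return 1
    command -v rsync >/dev/null 2>&1 \
        || { echo "rsync not installed, nothing copied" >&2; return 0; }
    rsync -a --no-whole-file "$src" "$dest"
}

run_backup "$SRC" "$DEST" || echo "Backup not performed (exit status $?)"
```

Because every check reports on stderr and returns a non-zero value, the script keeps the "no message = success" convention described above while still being usable from cron: the exit status of the last line is what a scheduler or a wrapper script sees.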
Debug Options
It is probably more the exception than the rule that a script does exactly what you
want it to do on the first attempt. If it does not do what you want, you have to find
the error.
There are several ways you can instruct the shell to output more information that
helps you to find the error:
#!/bin/bash -x: Add -x to the first line of your script.
bash -x script.sh: Start the script in a separate shell with the -x option. The
advantage of this approach is that you don't have to change the script itself.
set -x: Using set -x in the current shell turns on the additional output for all
scripts started from this shell. You can turn this off again with set +x. No
changes to the script itself are necessary.
Exercise 8-1 Create a Simple Shell Script
In this exercise, you create your first shell script.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Understand Variables and Command Substitution
Variables are an important component of all programming languages. You can
understand variables as containers that hold data. Instead of the data itself, the
variable is used in the program code.
Look at the following example:
#!/bin/bash
#
# variables1.sh
NAME="Geeko"
echo "Hello, my name is ""$NAME"
The string Geeko is assigned to the variable NAME. Then the variable NAME,
with a $ character in front, is used in the echo command.
There are a few things to be aware of:
When you assign a variable, you use just the name of the variable. When you
access the data of a variable, you put a $ before the variable name.
When you assign data to a variable, there must be no spaces between the variable
name, the = character, and the data.
If the string you assign to the variable contains spaces, you need to enclose the
string in quotation marks ("). To ensure proper processing of the spaces, you
should enclose the variable ($NAME in the example above) in quotation marks
as well. If you forget that, you can get unexpected results, as your string might
get processed as several words although you didn't intend that.
The following is the output of the example script:
geeko@da10:~/bin> variables1.sh
Hello, my name is Geeko
We use $NAME in the echo line and the variable is replaced with its content.
The advantage of the use of variables is that you define them at one point and then
use them throughout the rest of the script. If you have to change the variable, you
change it at one point, not throughout the script. With this, you can improve the
backup script by using a variable to hold the user's name, as shown in the following:
#!/bin/bash
#
# variables2.sh
# Back up someone's home directory to /backup using rsync
USERNAME="geeko"
echo -e "Backing up /home/""$USERNAME"" to /backup/"
rsync -a --no-whole-file /home/"$USERNAME" /backup
Variables can contain not only strings but also numbers. By default, a variable in a
shell script can hold any kind of data. However, it is possible to limit a variable to a
specific type (for example a string) with the declare command.
So far, we have assigned only static values to variables, but its also possible to assign
the output of a command to a variable or to use a command directly where the output
is needed. This is called command substitution.
This basically means that the output of a command is used in a shell command line or
a shell script.
In the following example, the output of the date command is used to generate the
output of the current date:
#!/bin/bash
#
#command_subs1.sh
echo "Today's date is ""$(date +%m/%d/%Y)"
An alternate syntax for the last line includes the use of backticks (` ... `), as shown
below; however, the version using $(...) is the recommended one.
echo "Today's date is `date +%m/%d/%Y`"
Instead of printing the output of a command to the screen with echo, it can also be
assigned to a variable, as in the following:
#!/bin/bash
#
#command_subs2.sh
TODAY="$(date +%m/%d/%Y)"
echo "Today's date is ""$TODAY"
In this case, the output of date is assigned to the variable TODAY, and then the
content of the TODAY variable is printed to the screen with echo. Again, make sure
that there are no spaces before or after the equal sign.
The output is the same in both cases:
geeko@da10:~/bin> command_subs1.sh
Today's date is 03/12/2009
geeko@da10:~/bin> command_subs2.sh
Today's date is 03/12/2009
NOTE: Try command_subs2.sh without the quotes when assigning the value to the TODAY
variable, and spaces instead of the slashes, as in the following: TODAY=$(date +%m %d %Y). You
will see that the quotes do make a difference.
Now improve your backup script with what you have learned. Change the script so
that a log file that contains the filenames of the backed-up files is written every time
the script is run. The log file contains date and time as part of its filename.
The script could look like the following:
#!/bin/bash
#
# command_subs3.sh
#
# Back up someone's home directory to /backup using rsync
#
# Write a log file in the format backup-log_YYYYMMDD-hhmm
# that contains the names of the files backed up
#
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
#
# The backup:
#
echo -e "Backing up /home/""$USERNAME"" to /backup/"
rsync -av --no-whole-file /home/"$USERNAME" /backup > \
/backup/backup-log_"$NOW"
NOTE: Instead of setting USERNAME within the script, you could use the $USER environment
variable in the echo and rsync commands. This would make the script more flexible, as the user
calling the script would back up his home directory, without having to edit the script.
Exercise 8-2 Use Variables and Command Substitution
In this exercise, you use variables and command substitution.
You will find this exercise in the workbook.
(End of Exercise)
Objective 4 Use Control Structures
With the scripting techniques you have learned so far, you can develop only scripts
that run sequentially from the beginning to the end.
In this objective, you learn how to use control structures to make the execution of
parts of your script dependent on certain conditions or to repeat script parts.
In this objective we will cover the following:
Create Branches on page 316
Create Loops on page 320
Create Branches
A branch in a script means that a part of your script is executed only under a certain
condition. The two control structures used for this purpose are the following:
The if Control Structure on page 316
The case Control Structure on page 319
The if Control Structure
A very common control structure for this uses the if command:
if commandA
then
commands
fi
If commandA returns true (0), then one or more commands are executed. In many
cases, commandA is a test for some condition, but it can be any command. Note the
closing fi word which ends the if control structure.
The if statement can be extended with an optional else statement, as shown in the
following example:
if commandA
then
command1
else
command2
fi
In this case command2 is executed when the if condition is not true (i.e., the return
value of commandA is not 0).
Now add an if structure to our backup script. Test for the return value of the rsync
command, and if it is non-zero, have the script send a mail to geeko. This is
especially useful for scripts that are executed regularly by the cron daemon, because
errors (such as no space left on the backup device) can remain unnoticed if the user is
not informed of the failure.
The script could look like the following:
#!/bin/bash
#
# control_struc1.sh
#
# This script does the following:
# - Back up someone's home directory to /backup using rsync
# - Write a log file in the format backup-log_YYYYMMDD-hhmm
#   that contains the names of the files backed up
# - Send log files per mail
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
#
# The backup:
#
echo -e "Backing up /home/""$USERNAME"" to /backup/"
rsync -av --no-whole-file /home/"$USERNAME" /backup > /backup/backup-log_"$NOW" \
  2>/backup/backup-errorlog_"$NOW"
#
# Send log files per mail to user
#
if test "$?" -eq 0
then
  mail -s "Backup successful" "$USERNAME" < /backup/backup-log_"$NOW"
else
  mail -s "Some error occurred during backup" "$USERNAME" \
    < /backup/backup-errorlog_"$NOW"
fi
The test command is used to check if the return value of the previous command is
equal to 0. If this is true, test returns the value 0; otherwise, the value is 1.
Almost all command line tools have a return value. 0 always means something like
true or everything is OK. Otherwise a value different from 0 is returned. An if
condition is true when the program used for testing returns 0.
test can also be used for many things other than checking if one number is equal to
another. The following is an overview of the most important test options:
test STRING1 = STRING2: Strings are equal
test STRING1 != STRING2: Strings are not equal
test INTEGER1 -eq INTEGER2: INTEGER1 is equal to INTEGER2
test INTEGER1 -lt INTEGER2: INTEGER1 is less than INTEGER2
test INTEGER1 -gt INTEGER2: INTEGER1 is greater than INTEGER2
test -e FILE: FILE exists
NOTE: For a complete list of all test options, see the test man page.
When you look at scripts written by someone else, you will also see a different syntax
for test. Instead of test $? -eq 0, you can also leave out the test command
and put the expression in square brackets like [ $? -eq 0 ]. Please note the
space after the [ bracket and the space before the ] bracket. Without these spaces,
you get an error message when executing the script.
One other thing you might have noticed is that the lines after then and else are
indented. This is not required but is a very common method to identify logical blocks
and to make the code more readable.
With if you can create even more complex structures in your script, using an
optional elif statement, as shown in the following example:
if commandA
then
command1
elif commandB
then
command2
else
command3
fi
With elif, you add more conditions in case the one in the initial if statement was
not true.
In this case, command2 is executed in case the return value of commandA is false
(not 0) and the return value of commandB is true. command3 is executed only if
commandA and commandB have a non-zero return value.
You can have several elif sections within an if control structure.
The case Control Structure
Another way to create multiple branches is to use case. In a case statement, the
expression contained in a variable is compared with a number of expressions.
Commands are executed for the first expression that matches.
A case statement has the following syntax:
case $variable in
expression1) command1;;
expression2) command2;;
esac
case statements are often easier to understand than if/elif/else statements, but they can
have the same functionality, as shown in the following two examples:
if [ "$number" -eq 10 ]
then echo "The value is 10"
elif [ "$number" -eq 20 ]
then echo "The value is 20"
else
  echo "I don't know"
fi
case "$number" in
  10) echo "The value is 10";;
  20) echo "The value is 20";;
  *) echo "I don't know";;
esac
The variable $number is compared with 10, 20 and *. * matches for every value and
is, therefore, the default action of the case statement.
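As an added example (not part of the course manual), the two branch styles above applied to the backup script: an if/elif chain with test that validates the /backup destination before rsync runs, and a case statement that turns rsync's exit status into a mail subject. The MIN_FREE_KB threshold and the function names are assumptions; the exit values are those documented in the EXIT VALUES section of the rsync man page.

```bash
#!/bin/bash
# Added example, not the course manual's own code: the checks around the
# rsync call of control_struc1.sh. MIN_FREE_KB is an assumption.

MIN_FREE_KB=102400   # assumption: refuse to start with less than 100 MB free

# Validate the backup destination with test. Prints the reason and returns
# 0 when usable, 1 missing, 2 not a directory, 3 not writable, 4 too full.
check_dest() {
  local dest="$1" free_kb
  if test ! -e "$dest"; then
    echo "$dest does not exist"; return 1
  elif test ! -d "$dest"; then
    echo "$dest is not a directory"; return 2
  elif test ! -w "$dest"; then
    echo "$dest is not writable"; return 3
  fi
  # df -P prints one fixed-format line per filesystem; field 4 is free KB
  free_kb=$(df -Pk "$dest" | awk 'NR == 2 { print $4 }')
  if test "$free_kb" -lt "$MIN_FREE_KB"; then
    echo "only $free_kb KB free on $dest"; return 4
  fi
  echo "$dest is usable ($free_kb KB free)"
  return 0
}

# Map rsync's exit status to a mail subject. The values follow the EXIT VALUES
# section of the rsync man page; anything unlisted takes the default branch.
rsync_status_subject() {
  case "$1" in
    0)      echo "Backup successful";;
    23|24)  echo "Backup incomplete: some files were not transferred";;
    30|35)  echo "Backup failed: timeout";;
    *)      echo "Backup failed: rsync exit status $1";;
  esac
}

# How the two fit into the manual's script (shown as comments so the example
# runs without rsync or mail installed):
#   check_dest /backup || exit 1
#   rsync -av --no-whole-file /home/"$USERNAME" /backup > "$LOG" 2> "$ERRLOG"
#   status=$?                      # read $? right away, before any other command
#   mail -s "$(rsync_status_subject "$status")" "$USERNAME" < "$LOG"
```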
Exercise 8-3 Use an if Control Structure
In this exercise, you expand the backup script with the use of an if control structure.
You will find this exercise in the workbook.
(End of Exercise)
Create Loops
Another common control structure is the loop. A loop is often used when a certain
task has to be repeated more than once. Instead of repeating the same code in the
script, a loop structure can be implemented.
There are several options for implementing a loop in shell scripts.
The for Loop
The syntax of the for loop looks like the following:
for variable in element1 element2 element3
do
commands
done
The line starting with for defines how many times the code between do and
done has to be executed. For each pass of the loop, the variable variable has one
of the values defined in the list after in.
Here is an example:
#!/bin/bash
#
# for_loop1.sh
for i in 1 2 3
do
echo "$i"
done
The list after in contains three elements: the numbers 1, 2, and 3 separated by
spaces. This means that the code between do and done is executed three times,
and each time the variable i has a different value from 1 to 3. When you run this
script, it simply outputs 1 2 3:
geeko@da10:~/bin> for_loop1.sh
1
2
3
The list defined after in is not necessarily static. The for loop is very often used to
go through a list of files. An easy way to do this is to use * after in:
#!/bin/bash
#
# for_loop2.sh
for i in *
do
  # quote the tr classes so the shell does not expand them as file name patterns
  lower="$(echo "$i" | tr '[:upper:]' '[:lower:]')"
  echo mv "$i" "$lower"
done
This script loops through all files in the current working directory and (after
removing the echo in front of mv which is included to test the script without actually
affecting any files) renames the files from upper to lower case. * is expanded to a list
of all these files by the shell.
For every pass of the loop, the variable $i contains one filename. The filename is
converted to lower case and stored in the variable lower. Then the original file is
renamed with mv to lower case.
NOTE: This is just a demo script. For a production script, you would have to add some code that
makes sure that an existing lowercase file is not accidentally overwritten.
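As an added example (not part of the course manual), for_loop2.sh rewritten as a function with the check the note asks for: an existing lower-case file is never overwritten, names with spaces survive because every expansion is quoted, and the tr character classes are quoted so the shell cannot expand them. The directory to process is passed as $1 (an assumption, so it can be run on a scratch directory); the function name is also an assumption.

```bash
#!/bin/bash
# Added example, not the course manual's own code: for_loop2.sh as a function
# with the collision check the note asks for. $1 is the directory to process.

# Rename every entry of $1 to lower case without overwriting anything.
# Prints the number of entries renamed. The body runs in a subshell so
# LC_ALL (set for a predictable glob order) does not leak to the caller.
lowercase_names() (
  dir="$1"
  renamed=0
  export LC_ALL=C
  for path in "$dir"/*; do
    test -e "$path" || continue                   # empty directory: pattern stays unexpanded
    name=$(basename "$path")
    # Quote the classes: unquoted [:upper:] is a pattern the shell may expand
    lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    if test "$name" = "$lower"; then
      continue                                    # already lower case
    elif test -e "$dir/$lower" && ! test "$path" -ef "$dir/$lower"; then
      # a different file already has the lower-case name: do not clobber it
      echo "skipping $name: $dir/$lower already exists" >&2
    else
      mv -- "$path" "$dir/$lower"                 # -- protects names starting with -
      renamed=$((renamed + 1))
    fi
  done
  echo "$renamed"
)
```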
Another way of creating a list is a command substitution:
#!/bin/bash
#
# for_loop3.sh
for i in $(find -name "*.mp3")
do
echo rm "$i"
done
This script uses find to create a list of all .mp3 files in the current directory and all
subdirectories. These files are deleted in the for loop (after removing the echo
included for testing purposes).
There is a special syntax that can be used with for in case you want to iterate through
the loop a specific number of times:
#!/bin/bash
#
# for_loop4.sh
for ((i=1;i<=10;i++))
do
echo "$i"
done
With this syntax, the variable i is set to 1 (i=1) for the first run through the loop and then
increased by one (i++) on each subsequent run. This is done as long as the condition
in the middle (i<=10) is true.
The while and until Loops
The while loop has the following syntax:
while condition
do
commands
done
Very similar to the while loop is the until loop:
until condition
do
commands
done
Both loop types depend on a condition. In a while loop the commands are executed
as long as the condition is true; in an until loop, the commands are executed until
the condition becomes true.
We will use a while loop to allow the user to add additional directories or files he
wants to back up in addition to his home directory.
One way to iterate through the positional parameters $1, $2, etc., from the command
line is to use the shift command. After calling shift, $2 becomes $1, $3 becomes $2,
and so on.
One possible way to solve the task is shown in the following script:
#!/bin/bash
#
# while_loop1.sh
# This script does the following:
# - Back up directories or files listed on the command line
# - Back up someone's home directory to /backup using rsync
# - Write a log file in the format backup-log_YYYYMMDD-hhmm
#   that contains the names of the files backed up
# - Send log files per mail
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
#
# The backup of the directories listed on the command line
#
while test -n "$1"
do
echo -e "\nBacking up ""$1"" to /backup/"
rsync -av --no-whole-file "$1" /backup
shift
done
#
# The backup of the home directory:
#
echo "Backing up /home/""$USERNAME"" to /backup/"
rsync -av --no-whole-file /home/"$USERNAME" /backup > /backup/backup-log_"$NOW" \
  2>/backup/backup-errorlog_"$NOW"
...
The test command checks if the value of the $1 parameter has a non-zero string
length. If so, then the commands between do and done are executed. The shift
command moves $2 to $1, and the new $1 value is tested. If there is no $2 value, the
new $1 is empty and the processing of the loop is stopped.
If you omit the shift command, an endless loop is created; in this case, you have to
interrupt the processing of the script with Ctrl+c.
It is possible to nest an if control structure between do and done and leave the
while loop in case a certain condition is met. The command to interrupt the
processing of the while loop is break, as shown in the following:
while conditionA
do
commands
if conditionB
then
break
fi
done
It is also possible to skip further processing of the loop and to enter the next iteration,
using the continue command, as shown in the following:
while conditionA
do
commands
if conditionB
then
continue
fi
more commands
done
Exercise 8-4 Use a while Loop
In this exercise, you use a while loop to iterate through the positional parameters
included on the command line.
You will find this exercise in the workbook.
(End of Exercise)
Objective 5 Use Arithmetic Operators
Shell scripts often use values assigned to variables for calculation. There are several
ways to implement this.
The Bash shell comes with built-in support for arithmetic operations, but there are
some limitations to this. Specifically, the arithmetic capabilities of Bash are limited in
the following ways:
Only operations with whole numbers (integers) can be performed.
All values are signed 64-bit values. Thus, possible values range from -2^63 to
+2^63-1.
So when using Bash, you might need to use external commands, such as bc, for
floating-point calculations.
The following paragraphs list all possible methods and formats for arithmetic
operations. All of them are based on this sample operation:
B=5 A=B+10
Use the external command expr (Bourne shell compatible)
A=$(expr $B + 10)
Since an external command is used, this method will also work with the
traditional Bourne shell. Scripts using external commands will always perform
slower than those relying on built-in commands.
Use the Bash built-in command let
let A="$B + 10"
In Bash, you can use the let command to perform an arithmetic expression.
Use arithmetic expressions inside parentheses or brackets (two different
formats)
A=$((B + 10))
or
A=$[B + 10]
Arithmetic expressions can be enclosed in double parentheses or in brackets for
expansion by Bash. Both $((. . .)) and $[. . .] are possible, but the
latter is considered deprecated and should be avoided.
Use the built-in command declare
declare -i A
declare -i B
A=B+10
This declares a variable as an integer.
If all variables involved in a calculation have previously been declared as
integers through declare -i, arithmetic evaluation of these variables happens
automatically when a value is assigned to them.
This means that the variable B, for example, does not have to be prefixed with
the $ to be evaluated.
With the expr command, only the following five operators are available: + - * /
and % (modulo, remainder of a division). Additional operators (which are identical to
those of the C programming language) can be used with all of the above Bash
formats.
NOTE: For a complete list, consult the man page for Bash.
We can use an arithmetic operator to modify the backup script to change the
condition of the while loop. Instead of testing for the content of $1, we can count
down the number of positional parameters until all are processed. The while loop in
the script could look like the following:
count=1
PARAMNUM="$#"
#
# The backup of the directories listed on the command line
#
while test "$count" -le "$PARAMNUM"
do
echo -e "\nBacking up ""$1"" to /backup/"
rsync -av --no-whole-file "$1" /backup
count=$(($count + 1))
shift
done
We create the count variable and assign the value 1 to it. The variable PARAMNUM
is set to the number of parameters included on the command line ($#). In the while
loop, the value of count is increased by one each time the loop is run through. When
the value of count is greater than PARAMNUM the processing of the loop ends.
Instead of
count=$(($count + 1))
the following syntax could be used as well:
((count++))
Exercise 8-5 Use Arithmetic Operators
In this exercise, you use arithmetic operators.
You will find this exercise in the workbook.
(End of Exercise)
Objective 6 Read User Input
One way to read user input is to use the read command. The read command takes a
variable as an argument and stores the read input in the variable. The variable can
then be used to process the user input.
The following example reads user input into the variable with the name VARIABLE:
read VARIABLE
The script pauses at this point, waiting for user input, until the Enter key is pressed.
To tell the user to enter something, you need to print (echo) a line with some
information, such as the following:
echo "Please enter a value for the variable:"
read VARIABLE
If you do not add a variable name after read, the user input is assigned to the
variable REPLY. You can also specify more than one variable, like in the following
example:
read FIRST SECOND REST
In this example, the first word entered is assigned to the variable FIRST, the second
to the variable SECOND, and all subsequent words to the variable REST. If only one
word is entered, the variables SECOND and REST are assigned empty values.
If you want to change the backup script to inform the user that he can back up
additional directories and ask for them, instead of expecting them on the command
line, a possible solution could look like this:
#!/bin/bash
#
# read_input1.sh
#
# This script does the following:
# - Back up directories or files entered by user
# - Back up someone's home directory to /backup using rsync
# - Write a log file in the format backup-log_YYYYMMDD-hhmm
#   that contains the names of the files backed up
# - Send log files per mail
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
DIRECTORIES=""
#
# Get input from user
#
cat <<EOF
This script backs up the /home/$USERNAME directory to /backup,
as well as any files and directories you specify here.
Type their names separated by spaces, then press Enter.
If you do not want to back up additional directories,
just press Enter.
EOF
read DIRECTORIES
#
# Back up the directories entered by user
#
for i in $DIRECTORIES
do
echo -e "\nBacking up ""$i"" to /backup/"
rsync -av --no-whole-file "$i" /backup
done
...
The for loop is entered once for each element contained in the DIRECTORIES variable
(which must not be enclosed in quotation marks in the line starting with for, so that
the directories entered by the user are treated as separate items). If the variable is
empty, the for loop is not run at all.
NOTE: This approach does not work for files or directories with spaces in their names.
Exercise 8-6 Read User Input
In this exercise, you read user input and process the input in your script.
You will find this exercise in the workbook.
(End of Exercise)
Objective 7 Use Arrays
Arrays are basically variables that can hold more than one value. To identify a value
in an array, a numerical index is used. The index is written in square brackets after the
array name.
lines[0]="Hello World"
This line assigns the string Hello World to the index 0 of the array with the name
lines.
To access a value in an array, you have to specify an index and put braces around the
array name:
echo ${lines[0]}
Arrays are very useful to store list data like a list of files, names, or similar data.
We can use an array to store the files or directories the user wants to back up. The
user enters them one after the other, which makes it easier to deal with, for instance,
space characters in names.
The first part would be to fill an array with the filenames; the second part would be to
back up those files.
Look at the following modifications of the backup script (from now on we will list
only those parts of the code that have been modified):
DIRECTORY=""
counter=0
#
# Get input from user
#
cat <<EOF
This script backs up the /home/$USERNAME directory to /backup,
as well as any files and directories you specify here.
Type the name of a directory or file name you want to
back up, then press enter.
Repeat for each directory or file name you want to back up.
When done (or if you do not want to back up additional
files or directories) just press Enter.
EOF
read DIRECTORY
# Check if $DIRECTORY is empty, if so do nothing,
# as user pressed enter as first action
if [ -z "$DIRECTORY" ]
then
:
else
  # Process user input, then prompt again
  while test -n "$DIRECTORY"
  do
    TOBACKUP[$counter]="$DIRECTORY"
    ((counter++))
    DIRECTORY=""
    read DIRECTORY
  done
fi
#
# Back up the directories entered by user
# (the array expansion is quoted so that names containing spaces stay one element)
#
for i in "${TOBACKUP[@]}"
do
  echo -e "\nBacking up ""$i"" to /backup"
  rsync -av --no-whole-file "$i" /backup
done
#
#
# The same, a bit more complicated:
#
#for ((i=0;i<${#TOBACKUP[@]};i++))
#do
#  echo -e "\nBacking up ${TOBACKUP[$i]} to /backup"
#  rsync -av --no-whole-file "${TOBACKUP[$i]}" /backup
#done
In the while loop, the requests are stored into the array TOBACKUP. The variable
counter, which is initialized at the start of the script and is used as an index, is
incremented in every cycle of the while loop.
In the for loop, the content of the array is integrated into an rsync command.
In the second example (lines starting with a comment character) a different syntax for
the for loop is used, which is similar to the for loop in the C programming language.
for ((i=0;i<${#TOBACKUP[@]};i++)) means that the loop runs as long as
the variable i is less than (<) the number of elements in the array TOBACKUP.
${#TOBACKUP[@]} is a way to access the number of elements in an array.
The index variable i is initially set to 0 and incremented with every cycle of the for
loop.
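As an added example (not part of the course manual), the input loop above as a function that fills TOBACKUP from standard input, followed by a demonstration of why the for loop has to quote "${TOBACKUP[@]}": without the quotes, a name such as My Documents is split into two rsync arguments. count_args stands in for the rsync call, and the function names and sample names are constructed for this example.

```bash
#!/bin/bash
# Added example, not the course manual's own code. Fills TOBACKUP from
# standard input (one name per line, a blank line ends the input) so it
# can be fed by a here document instead of the keyboard.

collect_targets() {
  local name
  TOBACKUP=()
  # -r keeps backslashes, IFS= keeps leading/trailing spaces in a name
  while IFS= read -r name && [ -n "$name" ]; do
    TOBACKUP[${#TOBACKUP[@]}]="$name"   # ${#TOBACKUP[@]} is the next free index
  done
}

# Stand-in for the rsync call in the for loop: reports how many arguments
# the command would receive.
count_args() {
  echo "$#"
}

# Number of rsync calls the for loop would make for the collected names.
calls_quoted()   { count_args "${TOBACKUP[@]}"; }   # one call per array element
calls_unquoted() { count_args ${TOBACKUP[@]}; }     # word splitting breaks names on spaces

# Constructed input: a directory with a space in its name plus one file.
collect_targets <<'EOF'
My Documents
notes.txt

this line is never read
EOF
echo "collected ${#TOBACKUP[@]} names"                                   # collected 2 names
echo "quoted: $(calls_quoted) calls, unquoted: $(calls_unquoted) calls"  # quoted: 2 calls, unquoted: 3 calls
```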
Exercise 8-7 Use Arrays
In this exercise, you use arrays.
You will find this exercise in the workbook.
(End of Exercise)
Objective 8 Finalize the Course Project
Sometimes you do not need the last version of a file, but rather the version of the file
from a day, a week, or a month ago. You could of course simply make a separate full
backup of your home directory every few hours, but that would consume a lot of
storage space.
rsync has a feature that is probably not so well known: it can create backups in
different directories, but instead of creating a copy of an unchanged file, it creates only
a hard link to the file in the earlier backup. This feature allows you to keep many
earlier versions of files, as only those files actually changed or added get copied,
saving storage space.
What you need:
An initial first backup
This can be done with the rsync command we used so far; however, you should
use a directory name for your backup that is based on date and time.
NOW="$(date +%Y%m%d-%H%M)"
#
# If there is no directory /backup/YYYYMMDD-hhmm then this is
# probably the first run of the script.
#
# Creation of the first backup:
ls -d /backup/20??????-???? > /dev/null 2>&1 || rsync -a \
  /home/"$USERNAME" /backup/"$NOW"
An rsync command that creates a backup in a separate directory with links
against the previous backup.
#
# Establish the last backup directory
#
LAST_BACKUP_DIR="$(basename $(ls -d /backup/20*-* | sort | \
tail -1))"
#
# Backup linked against the previous backup
#
rsync -aA --link-dest=/backup/"$LAST_BACKUP_DIR" \
/home/"$USERNAME" /backup/"$NOW"
A command that deletes the oldest version of the backups.
#
# Remove past backup directories
#
cd /backup || exit 2
# Let's keep a maximum of 100 past backups/versions
if [ "$(ls -d 20*-* | wc -l)" -gt 100 ] ; then
rm -r $(ls -d 20*-* | sort | head -1)
fi
A cron job that runs the backup as often as you need it, such as every two hours
during work hours, daily, or weekly. Using the crontab -e command, you could
define the following cron job:
10 */2 * * * /home/geeko/bin/versioned-backup1.sh
With the topics covered in this section, you could add several additional features to
the script:
A list of files that should not be backed up, such as those in the browser cache
directory (for instance, using a here document to write a temporary file from the
script, using the --exclude-from= option of rsync, and deleting the file at
the end of the script).
Use of the trap command to delete the temporary file despite the fact the user
ended the script with Ctrl+c.
Log files and mail messages as covered previously.
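The following script puts the pieces of this section together: the timestamped directory, --link-dest against the previous run, an exclude list written from a here document into a temporary file, a trap that removes that file on Ctrl+C, and the pruning of old versions. It is an added example written for this edition, not the versioned-backup1.sh from the manual or the workbook; the backup root /backup, the source /home/geeko and the two exclude patterns are assumptions you should adapt.

```sh
#!/bin/sh
# Versioned home-directory backup with rsync --link-dest.
# Each run creates ROOT/YYYYMMDD-hhmm; files unchanged since the previous run
# are hard-linked to that run instead of being copied again.
# The paths and the exclude patterns below are assumptions for this example.

set -u

# Print the name of the newest backup directory under $1 (nothing if none).
# Glob results are sorted and the names are zero-padded timestamps, so the
# last match is the newest; no ls/sort/tail parsing is needed.
latest_backup() {
    latest=""
    for d in "$1"/20[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] && latest="${d##*/}"
    done
    printf '%s\n' "$latest"
    return 0
}

# Delete the oldest backups under $1 until at most $2 remain.
prune_backups() {
    count=0
    for d in "$1"/20[0-9]*-[0-9]*; do
        [ -d "$d" ] && count=$((count + 1))
    done
    for d in "$1"/20[0-9]*-[0-9]*; do
        [ "$count" -le "$2" ] && break
        [ -d "$d" ] || continue
        rm -rf -- "$d"
        count=$((count - 1))
    done
    return 0
}

# Back up directory $1 into $2/<timestamp>, linking unchanged files against the
# previous backup. $2 should be an absolute path (rsync resolves --link-dest
# relative to the destination otherwise). $3 overrides the timestamp.
make_backup() {
    src="$1"; root="$2"; now="${3:-$(date +%Y%m%d-%H%M)}"
    dest="$root/$now"
    if [ -e "$dest" ]; then
        echo "backup $dest already exists; refusing to overwrite it" >&2
        return 1
    fi
    # Backups hold private data: the root stays readable only by its owner.
    mkdir -p -- "$root" && chmod 0700 "$root" || return 1
    # Exclude list written from a here document into a temporary file that is
    # removed even when the script is interrupted with Ctrl+C.
    excludes="$(mktemp)" || return 1
    trap 'rm -f -- "$excludes"' EXIT INT TERM
    cat > "$excludes" <<'EOF'
.cache/
.mozilla/firefox/*/Cache/
EOF
    last="$(latest_backup "$root")"
    if [ -n "$last" ]; then
        rsync -aA --exclude-from="$excludes" --link-dest="$root/$last" "$src" "$dest"
    else
        rsync -aA --exclude-from="$excludes" "$src" "$dest"
    fi
    status=$?
    rm -f -- "$excludes"
    trap - EXIT INT TERM
    return "$status"
}

# Run as a script: versioned-backup.sh /home/geeko /backup
if [ "${1:-}" ] && [ "${2:-}" ]; then
    make_backup "$1" "$2" && prune_backups "$2" 100
fi
```

Saved as /home/geeko/bin/versioned-backup.sh, the cron line from above runs it every two hours. Two caveats follow from the hard links: never edit a file inside a backup directory in place, because every version sharing that inode would change at once (restore by copying the file out instead), and remember that rsync decides whether a file is unchanged from its size and modification time, so a file whose contents were altered with the timestamp preserved is linked, not copied, unless you add -c to compare checksums.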
Exercise 8-8 Use rsync to Keep Versions of Files
In this exercise, you use rsync to keep past versions of your files.
You will find this exercise in the workbook.
(End of Exercise)
Objective 9 Use Advanced Scripting Techniques
In this objective, you learn about the following advanced scripting techniques, which
will help you solve common script development problems:
Use Shell Functions on page 337
Read Options with getopts on page 338
Use Shell Functions
Sometimes you need to perform a task multiple times in a shell script. Instead of
writing the same code again and again, you can use functions.
Shell functions act like script modules because they make an entire script section
available under a single name. Shell functions are normally defined at the beginning
of a script. You can store several functions in a separate file and include this file
whenever the functions are needed in your current script using the command
source /path/filename
There are two ways to declare a function in a script. The following is the basic syntax
of a function:
functionname () {
commands
commands
}
The following generates a function with the function command:
function functionname {
commands
commands
}
A function name should follow the rules for variable names (letters, digits and underscores, not starting with a digit); bash accepts more, but sticking to these rules keeps the script portable. A function must be defined before it is called, because the script is read from top to bottom.
The following is a simple function that creates a directory and then changes to that
directory:
# mcd: mkdir + cd; creates a new directory and
# changes into that new directory right away.
# The argument is quoted so that names with spaces work,
# and cd runs only if mkdir succeeded.
mcd () {
    mkdir -- "$1" && cd -- "$1"
}
After having been created, this function can be called in a shell script, as in the
following:
...
mcd /tmp/new_directory
...
The parameter /tmp/new_directory is called an argument. Within a function,
arguments can be accessed with the variables $1, $2, $3, and so on, depending on the
number of arguments passed to the function.
The following function can be used to create a pause in a script. The script resumes
only after the Enter key is pressed:
# pause: causes a script to take a break
pause (){
echo "To continue, hit RETURN."
read q
}
A function can also stop its processing from within, similar to leaving a loop
(iteration) early with the break and continue commands.
To exit a function, use the return command. If return is called without an
argument, the return value of the function is identical to the exit status of the last
command executed in that function.
Otherwise, the return value is the number supplied as an argument to return (for example, return 1 to signal a failure to the caller).
NOTE: The command typeset -f shows the functions defined in the current shell.
Read Options with getopts
With the shell built-in command getopts, you can extract the options supplied to a
script on the command line. By convention, a command line argument is an option
only if it is prefixed with a - (as in ls -l); arguments without the prefix are
operands such as file names.
Many GNU commands accept options anywhere on the command line and in an
arbitrary order.
This means that the command:
cp -dpR *.txt texts/
achieves the same thing as the command
cp -R *.txt -d texts/ -p
The getopts builtin is stricter: it processes options only up to the first argument
that is not an option (or up to --), so in a script the options have to come before the
operands. The following is the getopts syntax:
getopts optionstring variable
The optionstring describes all options to be recognized. For instance, getopts abc
declares a, b, and c as the options to be processed.
If a parameter is expected for the option (such as -m maxvalue), the corresponding
option letter must be followed by a : in the string (as in getopts m:).
The option string is followed by a variable. Each call to getopts processes one
option and assigns its letter to that variable; getopts returns a nonzero exit status
when no options are left, which is why it is normally called from a while loop.
The getopts command is most frequently used in a while loop together with case to
define which command to execute for a given option, as in the following:
while getopts abc:d:e variable
do
case $variable in
a ) echo "The option -a was used." ;;
b ) echo "The option -b was used." ;;
c ) option_c="$OPTARG"
echo "Option c has been set to $option_c." ;;
d ) option_d="$OPTARG"
echo "Option d has been set to $option_d." ;;
e ) echo "the option -e was used." ;;
esac
done
echo
If the option -a , -b, or -e is used, the script prints out a message that the
corresponding option was used. If the option -c value is used, the value is
assigned to the variable option_c and printed on the screen, same with option -d
and the variable option_d.
The parameter of an option can be accessed with the variable OPTARG.
NOTE: When no parameter is supplied to an option that expects one, the result can be unexpected.
For instance if the user enters -d -e in the above example, the OPTARG variable for -d contains -e,
and -e is not recognized as an option of its own.
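The loop above is silent about mistakes: an unknown option only produces a getopts error message, and the -d -e case from the note is accepted. The following function, an added example that is not from the manual (parse_opts and the variable names are assumptions), uses the leading : in the option string to handle both cases itself and rejects an option argument that looks like another option:

```sh
#!/bin/sh
# Added example: getopts with error handling. parse_opts accepts -a (a flag),
# -c value and -d value, followed by the remaining operands.
parse_opts() {
    OPTIND=1                  # reset so the function can be called more than once
    opt_a=0; opt_c=""; opt_d=""; operands=""
    # The leading ":" makes getopts report problems through the variable
    # (":" for a missing argument, "?" for an unknown option) instead of
    # printing its own message, so the script controls the diagnostics.
    while getopts ":ac:d:" opt; do
        case "$opt" in
            a) opt_a=1 ;;
            c|d)
                # getopts hands over the next word as the argument even when it
                # looks like another option ("-d -e" gives OPTARG=-e); reject it.
                case "$OPTARG" in
                    -*) echo "option -$opt requires an argument" >&2; return 2 ;;
                esac
                if [ "$opt" = c ]; then opt_c="$OPTARG"; else opt_d="$OPTARG"; fi
                ;;
            :)  echo "option -$OPTARG requires an argument" >&2; return 2 ;;
            \?) echo "unknown option -$OPTARG" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))     # discard the parsed options; "$@" holds the operands
    operands="$*"
    return 0
}

# Run as a script: ./example.sh -a -c value file1 file2
if [ $# -gt 0 ]; then
    parse_opts "$@" || exit $?
    echo "a=$opt_a c=$opt_c d=$opt_d operands=$operands"
fi
```

Note that getopts stops at the first operand, so ./example.sh file -a leaves -a in the operands rather than setting the flag; document this in the usage message of scripts that take options.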
Exercise 8-9 Use Shell Functions
In this exercise, you learn how to use shell functions.
You will find this exercise in the workbook.
(End of Exercise)
Objective 10 Learn about Useful Commands in Shell Scripts
This objective gives you an overview of useful commands that are frequently used in
shell scripts.
This objective discusses the following:
Use the cat Command on page 341
Use the cut Command on page 341
Use the date Command on page 342
Use the grep and egrep Commands on page 342
Use the sed Command on page 343
Use the test Command on page 345
Use the tr Command on page 347
Use the cat Command
When combined with the here document operator (<<), the cat command is a good choice to
output several lines of text from a script. In interactive use, the command is mostly
run with a filename as an argument, in which case cat prints the file contents on
standard output.
Use the cut Command
The cut command is used to cut out sections of lines from a file so that only the
specified section is printed on standard output.
The command is applied to each line of text as available in a file or on standard input.
You can use cut -f to cut out text fields. cut -c works with the specified
characters.
You can specify single sections (characters or fields) or several sections. The default
delimiter to separate fields from each other is a tab, but you can specify a different
field separator with the -d option.
The following are some examples of using cut:
geeko@da10:~> cut -d : -f1 /etc/passwd
root
bin
daemon
lp
mail
news
The above command specifies that the field separator should be a colon. In every line
of /etc/passwd, the field that comes before the first colon is taken and printed to
stdout.
geeko@da10:~> ls -l somedir/ | cut -c 27- | sort -n
687 Sep 20 17:06 file2
2199 Sep 20 17:05 file1
6593 Sep 20 17:06 file3
The above command takes the output of the ls command and keeps everything from
the twenty-seventh character on, which here starts with the file size. This is piped to
sort -n, so the final output is sorted numerically according to file size.
Use the date Command
You can use the date command whenever there is a need to obtain a date or time
string for further processing by a script. Without any options specified, the
command's output looks like the following:
geeko@da10:~> date
Sat Mar 14 15:58:46 CET 2009
The date command lets you change the output format in almost every detail. With the
-I option (as in the following), date prints the date in ISO 8601 format, which is
the same as the format string +%Y-%m-%d (the time is not included):
geeko@da10:~> date -I
2009-03-14
A format string introduced by + gives you full control over the output, as in these
examples:
geeko@da10:~> date "+%m-%d %H:%M"
03-14 16:01
geeko@da10:~> date "+%D, %r"
03/14/09, 04:02:34 PM
geeko@da10:~> date +%d.%m.%y
14.03.09
geeko@da10:~> date +%d.%m.%Y
14.03.2009
geeko@da10:~> date "+%e.%-m.%y, %l.%M %p"
14.3.09, 4.05 PM
geeko@da10:~> date "+%A, %e. %B %Y"
Saturday, 14. March 2009
To view a list with all the possible format options for date, see man date. You
should be able to customize the output to exactly match the requirements of your
script. For file names, as in the backup script, prefer a format without spaces or
slashes, such as +%Y%m%d-%H%M.
Use the grep and egrep Commands
The command grep and its variant egrep are used to search files for certain
patterns, and they use the following syntax:
grep searchpattern filename ...
The command prints lines that contain the given search pattern. You can specify
several files, from which grep will print the matching line and the corresponding
filenames.
Several options are available to specify that only the line number should be printed,
for instance, or that the matching line should be printed together with leading and
trailing context lines.
Search patterns can be supplied in the form of regular expressions. By default, grep
understands only basic regular expressions, in which operators such as |, + and ?
have no special meaning.
To search for more complex patterns, use the egrep command, which accepts
extended regular expressions; grep -E does the same and is the portable spelling. As a
simple way to deal with the difference between the two variants, use egrep (or
grep -E) in all of your shell scripts.
The regular expressions used with egrep need to be in accordance with the standard
extended regex syntax.
To avoid having special characters in search patterns interpreted by the shell, enclose
the pattern in quotation marks, as in the following:
geeko@da10:~> egrep (b|B)lurb file*
bash: syntax error near unexpected token `('
geeko@da10:~> egrep "(b|B)lurb" file*
file1:blurb
file2:Blurb
If the pattern comes from a variable and could start with a -, pass it as -e "$pattern"
so that grep does not take it for an option.
Use the sed Command
The sed program is a stream editor, used from the command line rather than
interactively. sed performs text transformations on a line-by-line basis.
You can specify sed commands either directly on the command line or in a special
command script loaded by the program on execution.
The following is the syntax for the sed command:
sed editing-command filename
The available editing commands include single-character arguments such as the
following:
d: Delete
s: Substitute (replace)
p: Output line
a: Append after
As with other commands, the output of sed normally goes to standard output, but it
can also be redirected to a file.
Apart from the single-character commands for text transformations, you can also
specify options to influence the overall behavior of the sed program.
The following are some important command line options for sed:
-n, --quiet, --silent: By default, sed will print all lines on standard output after
they have been processed. This option suppresses the output so sed prints only
those lines for which the p editing command has been given to explicitly re-
enable printing.
-e command1 -e command2 ...: This option is necessary when specifying two or
more editing commands. It must be inserted before each additional editing
command.
-f filename: With this option, you can specify a script file from which sed should
read its editing commands.
A sed command may be preceded by an address or address range specifying the
lines to which the editing command applies; without an address, the command
applies to every line. One of the more frequently used address labels is $, which
stands for the last line.
The following are two examples of the sed command (the editing command is quoted
so that the shell does not expand $d as a variable or split it at spaces):
sed -n '1,9p' somefile
This command prints only lines 1 through 9 on stdout.
sed '10,$d' somefile
This command deletes everything from line 10 to the end of the file and thus
prints only the first 9 lines of somefile.
You can use a regular expression to define the address or address range for an editing
command. Regular expressions must be enclosed in forward slashes. If an address is
defined with such an expression, sed processes every line that matches the given
pattern.
The following is an example of using regular expressions:
sed -n '/Murphy.*/p' somefile
This example prints all lines that have the pattern Murphy.* in them (the .* adds
nothing here; /Murphy/ matches the same lines).
If you want sed to perform several editing commands for the same address, you need
to enclose the commands in braces, as in the following:
sed '1,10{command1 ; command2}' somefile
The following lists the most important editing commands available for sed:
Table 8-1 sed Commands
Command Example Editing Action
a sed 'a\text' file Append text after the specified line.
c sed '2000,$c\text' file Replace the specified lines with the text.
d sed '10,$d' file Delete the specified lines.
i sed 'i\text' file Insert text before the specified line.
s sed 's/x/y/option' file Search and replace. The search pattern x is a
regular expression; the replacement y is plain text
that may refer back to parts of the match. The
search and replace behavior can be influenced
through various options.
y sed 'y/abc/xyz/' file Replace every character from the set of source
characters with the character that has the same
position in the set of destination characters.
You can use the following options with the s command (search and replace):
I: Do not distinguish between uppercase and lowercase letters (a GNU sed extension).
g: Replace globally wherever the search pattern is found in the line (instead of
replacing only the first instance).
n: Replace the nth match only.
p: Print the line after replacing.
w file: Also write the resulting line to the specified file (must be the last option).
The following are some examples of using the s command (the expression is quoted so
that the shell passes spaces, parentheses and backslashes through to sed unchanged):
sed 's/:/ /' /etc/passwd
This replaces the first colon in each line with a space.
sed 's/:/ /g' /etc/passwd
This replaces all colons in all lines with a space.
sed 's/:/ /2' /etc/passwd
This replaces only the second colon in each line with a space.
sed -n 's/\([aeiou]\)/\1\1/Igp' somefile
This doubles every vowel. The example shows how matched text can be
referenced with \1 if the search pattern is given in parentheses (which have to be
escaped). The I option ensures that sed ignores the case.
The g option causes the replacement to be made for every match in the line. The p
option, together with -n, tells sed to print only the lines in which a replacement was
made.
Use the test Command
The test command exists both as a built-in command and as an external command.
It is used to compare values and to check for files and their properties (whether a file
exists, whether it is executable, and so on).
If a tested condition is true, test returns an exit status of 0; if the condition is not true,
the exit status is 1. In shell scripts, test is used mainly to declare conditions to
influence the operation of loops, branches, and other statements.
The following is the test syntax:
test condition or [ condition ]
You can use the test command to do the following:
Test whether a file exists. Following are some of the available options:
Table 8-2 test Options for Files
Option Description
-d File exists and is a directory
-e File exists
-f File exists and is a regular file
-x File exists and is an executable file
Compare two files. Following are some of the available operators:
Table 8-3 test Operators for Comparing Files
Option Description
-ef Refers to the same inode (such as a hard link)
-nt Newer than
-ot Older than
Compare two integers. The available operators are:
Table 8-4 test Options for Integers
Option Description
-eq Equal to
-ge Greater than or equal to
-gt Greater than
-le Less than or equal to
-lt Less than
-ne Not equal to
Test strings. Following are some of the available operators:
Table 8-5 test Options for Strings
Option Description
test -z string Exit status is 0 (true) if the string has zero length (is empty)
test string (same as test -n string) Exit status is 0 (true) if the string has nonzero length (consists of at least one character)
test string1 = string2 Exit status is 0 (true) if the strings are equal
test string1 != string2 Exit status is 0 (true) if the strings are not equal
Combine tests. Following are some of the available operators:
Table 8-6 test Options for Conditions
Option Description
test ! condition Exit status is 0 (true) if the condition is not true.
test condition1 -a condition2 Exit status is 0 (true) if both conditions are true.
test condition1 -o condition2 Exit status is 0 (true) if either condition is true.
Always put variables in double quotes inside test: with an empty or unset VAR,
test $VAR = root becomes test = root, which is a syntax error, whereas
test "$VAR" = root behaves as intended. For combining conditions, separate test
commands joined with && and || (as in [ -f "$f" ] && [ -r "$f" ]) are more robust
than -a and -o, which become ambiguous when an operand looks like an operator.
NOTE: For more detailed information about test, in a terminal window enter help test or man
test (the built-in test command and the external one have identical features).
Use the tr Command
The tr command translates (replaces) or deletes characters. It reads from standard
input and prints the result on standard output. With tr, you can replace regular
characters or sequences of such characters and special characters like \t (horizontal
tab) or \r (carriage return).
A complete list of all special characters handled by tr is included in the man page of
the program.
The following is the standard syntax of tr:
tr set1 set2
Each character included in set1 is replaced with the character at the same position in
set2.
The following is an example of using the tr command:
cat text-file | tr a-z A-Z
This command causes all lowercase characters in a file to be changed to uppercase,
and the result is printed to stdout.
You can use tr to delete characters from the first set by entering the following:
tr -d set1
This will not translate anything; it only deletes the characters included in set1,
printing the rest to standard output.
The following is another example of using the tr command:
VAR="$(echo "$VAR" | tr -d %)"
In this example, tr deletes the percent sign from the original value of VAR and the
result is assigned as a new value to the same variable.
By entering a command like
tr -s set1 char
you can also use tr to squeeze runs of characters: every character of set1 is translated
to char, and any sequence of repeated chars in the result is reduced to a single one.
For instance, tr -s ' \t' ' ' collapses runs of spaces and tabs into one space.
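The following added example (not part of the manual; the sample data and the function names are constructed for it) combines cut, grep -E, sed, tr and test in the kind of task these commands are used for in administration scripts: checking a passwd-style file for additional UID 0 accounts, listing the login shells in use, and redacting the GECOS field before the file is shared.

```sh
#!/bin/sh
# Added example: auditing a passwd-style file with cut, grep -E, sed, tr and
# test. SAMPLE is constructed data for this example, not a real /etc/passwd;
# the function names are assumptions, not commands from the manual.
SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
geeko:x:1000:100:Geeko Chameleon:/home/geeko:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
svc:x:1001:100:Service Account:/srv/svc:/bin/false'

# Names of all UID 0 accounts other than root, one per line. grep -E selects
# the lines whose third field is 0, cut keeps the login name.
extra_uid0() {
    printf '%s\n' "$1" | grep -E '^[^:]*:[^:]*:0:' | cut -d : -f 1 | grep -v '^root$'
    return 0
}

# Exit status 0 (true) if more than one account has UID 0 (test -gt).
audit_uid0() {
    n="$(printf '%s\n' "$1" | grep -E -c '^[^:]*:[^:]*:0:')" || true
    [ "$n" -gt 1 ]
}

# Distinct login shells in use, space separated on one line.
shells_in_use() {
    printf '%s\n' "$1" | cut -d : -f 7 | sort -u | tr '\n' ' ' | sed 's/ $//'
    return 0
}

# Replace the GECOS field (field 5) with "redacted" so the file can be shared
# without personal names: \( \) captures the first four fields, \1 puts them back.
anonymize_gecos() {
    printf '%s\n' "$1" | sed 's/^\([^:]*:[^:]*:[^:]*:[^:]*:\)[^:]*:/\1redacted:/'
    return 0
}

# Upper-cased names of accounts that can log in (shell is not /bin/false).
login_names_upper() {
    printf '%s\n' "$1" | grep -v ':/bin/false$' | cut -d : -f 1 \
        | tr a-z A-Z | tr '\n' ' ' | sed 's/ $//'
    return 0
}

if audit_uid0 "$SAMPLE"; then
    echo "WARNING: extra UID 0 accounts: $(extra_uid0 "$SAMPLE" | tr '\n' ' ')"
fi
```

On a real system, audit_uid0 "$(cat /etc/passwd)" performs the same check against the live file; a second UID 0 account is one of the first things to look for after a suspected compromise.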
Summary
Objective Summary
Bash Basics The Bourne Again SHell (Bash) is the default shell in
SUSE Linux Enterprise 11.
On the command line, you enter the command and
optional parameters.
The output of a command can be redirected to a file
using the > (or >>) operator. Error messages can be
redirected to a file using the 2> operator. Use 2>&1 to
send error messages (file descriptor 2) to wherever
standard output (file descriptor 1) currently goes.
The output of one command can be used as input of
another command using the pipe (|) operator.
Variables are used to store and access data in memory
during the execution of a program.
Based on the return value of a program, decisions can
be made regarding the next steps to be take within a
script.
Use Basic Script Elements A shell script is basically an ASCII text file containing
commands to be executed in sequence. To allow this, it
is important that permissions for the script file are set to
r (readable) and x (executable) for the user that runs it.
Any command you use at the command line can also
be used in a shell script.
A shell script always starts with a line like #!/bin/
bash to indicate the interpreter of the script.
Understand Variables and
Command Substitution
Variables are an important component of all
programming languages. You can consider variables as
containers that hold data. Instead of the data itself, the
variable is used in the program code.
When you assign a variable, you use just the name of
the variable. When you access the data of a variable,
you put a $ before the variable name.
The term command substitution basically means that
the output of a command is used in a shell command
line or a shell script.
The commands are included in $(...).
Use Control Structures Control structures are used to make the execution of
parts of a script dependent on certain conditions or to
repeat parts of a script.
Branches can be created with if or case. Loops are
implemented with while, until, or for.
Use Arithmetic Operators Shell scripts often use values assigned to variables for
calculation. There are several ways to implement this.
The Bash shell comes with built-in support for
arithmetic operations, but there are some limitations to
this. The arithmetic capabilities of Bash are limited in
the following ways:
Only operations with whole numbers (integers) can
be performed.
All values are signed 64-bit values. Thus, possible
values range from -2^63 to +2^63-1.
For floating point operations you need to use external
commands, such as bc, when working with bash.
Read User Input One way to read user input is to use the read
command. The read command takes one or several
variables as arguments and stores the read input in the
variable or variables. The variables can then be used to
process the user input.
The following example reads user input into the variable
with the name VARIABLE:
read VARIABLE
Use Arrays Arrays are basically variables that can hold more than
one value. To identify a value in an array, a numerical
index is used. The index is written in square brackets
after the array name.
lines[1]="Hello World"
This line assigns the string Hello World to the index 1
of the array with the name lines (the quotes are needed
because the value contains a space).
To access a value in an array, you have to put braces
around the array name:
echo ${lines[1]}
Finalize the Course Project In this objective, you created a backup script that keeps
versions of files.
Use Advanced Scripting Techniques In this objective, you learned how to create and use
shell functions and how to evaluate command line
options.
Objective Summary
Learn about Useful Commands in
Shell Scripts
Useful commands that can be used in shell scripts
include the following:
cat
cut
date
grep
sed
test
tr
Objective Summary
SECTI ON 9 Deploy SUSE Linux Enterprise 11
This section explains how to deploy SUSE Linux Enterprise 11 (SLE11), which
refers to both SUSE Linux Enterprise Server 11 (SLES11) and SUSE Linux
Enterprise Desktop 11 (SLED11). Which deployment method you choose will depend
to a large degree on the number of desktops or servers you want to deploy. The
installation of hundreds of machines requires a different approach than the
installation of just one or a few.
Objectives
1. Introduction to AutoYaST on page 354
2. Installation Server: Setup and Use on page 358
3. Set Up PXE Boot for Installations on page 371
4. Create a Configuration File for AutoYaST on page 381
5. Perform an Automated Installation on page 385
Objective 1 Introduction to AutoYaST
This objective covers the basic concept of automated installation. Later objectives go
into the details of setting up an environment that makes automated installations easy
and explains how to configure the AutoYaST control file.
To get a better idea what automated installations are about on SUSE Linux Enterprise
11, you need to understand the following:
Autoinstallation Basics on page 354
Installation Options and Deployment Strategies on page 355
Autoinstallation Basics
AutoYaST is the tool for automated installations of SUSE Linux Enterprise 11. All
information needed during installation (e.g., partitioning or software selection) is
provided by a control file in XML format. No manual intervention is necessary
during the installation process.
If you have to install several systems with the same setup, you can save time by
automating the installation. Depending on your requirements, you can ensure all
systems are set up with the same configuration or configure systems individually with
specific control files.
You should not confuse auto installation with cloning or imaging. An automated
installation is a regular installation where answers to questions asked during the
installation are contained in the control file. The hardware detection is still done so
that the same control file can be used on diverse hardware. Imaging or cloning
generally requires identical hardware of source and target of the image.
AutoYaST is optimally used in conjunction with an installation server also providing
a TFTP and a DHCP server. The advantages to this are the following:
To start the installation, you only have to insert a suitable boot disk. If you are
using PXE boot-enabled network interface cards, not even a boot disk is
required.
The computer receives all information necessary for the installation via the
network.
Even on-site attendance of an administrator is unnecessary for the installation if
the network card supports Wake on LAN.
The installation server can be accessed via the NFS, HTTP, FTP, and CIFS/SMB
protocols.
This results in a highly simplified installation of a large number of individually
configured computers.
AutoYaST can also be used to copy additional files into the installed system, and it
can include scripts which are executed at the end of the installation.
It is possible to create a control file at installation time. In the last menu of the
installation process, you can select the Clone This System option. This will create an
autoinst.xml file in the home directory of the root user (/root). The creation of an
AutoYaST control file using the YaST AutoYaST module is covered later in this
section.
Installation Options and Deployment Strategies
For a single machine, a manual installation using the installation DVD is certainly the
best option. However, alternatives are needed when the number of machines to install
increases.
The installation can be started using the SUSE Linux Enterprise Desktop or Server 11
DVD, a PXE capable network card, or boot floppy disks. The installation source can
be the DVD itself as well as an installation server in the network. The supported
protocols for accessing the repository on the installation server are NFS, HTTP, FTP,
and SMB/CIFS.
To find the optimum solution for your needs, you have to understand the following:
Installation Options on page 355
Deployment Strategies on page 356
Installation Options
SUSE Linux Enterprise 11 can be installed in various ways. There are three aspects
you need to consider:
Boot Media on page 355
Installation Source on page 356
Boot Media
To install a machine, you have to choose a boot medium to boot the machine.
Installation DVD
The installation DVD is bootable and can be used to start the installation or to
boot a rescue system.
Different kernel parameters can be set if there is trouble with the default
parameters. For example, it is possible to disable ACPI or local APIC or to use
safe settings.
PXE capable network card
If the machine is equipped with a PXE capable network card, it can load the boot
image from a TFTP server in the network. If the network card also supports
Wake on LAN, a completely remote installation is possible.
Floppy or USB disk
If your hardware supports it, you can use floppy disks or a USB device to boot
the machine. However, current computers are generally not equipped with floppy
drives any more, and not all BIOSes allow booting from USB devices.
To create boot floppy disks or make a USB stick bootable, run the mkbootdisk
command in the boot/i386 directory of the installation DVD. mkbootdisk --help
displays the needed options and syntax.
Installation Source
You can use different installation sources:
Installation DVD
The installation DVD contains all files needed to install SUSE Linux Enterprise
Desktop or Server 11.
Installation Server
The files needed for installation can be stored on a server in the network.
Protocols that can be used are HTTP, FTP, NFS, or SMB/CIFS. SLP can be used
to advertise the installation server in the network.
Deployment Strategies
Your deployment strategy will depend to a large degree on the number of machines to
deploy. Let's consider three different orders of magnitude:
Deploy up to 10 Workstations on page 356
Deploy up to 100 Workstations on page 356
Deploy More than 100 Workstations on page 357
Deploy up to 10 Workstations
If you have to deploy only a few workstations, it might not be worth the effort to set
up an installation server, much less to create an AutoYaST control file.
The approach that takes the least preparation is a manual installation using the
installation DVD. As an installation server is very convenient and does not take long
to set up, you might still consider using one. Additional installations will be
facilitated and also adding software to existing installations later will not require the
installation DVD to be at hand.
Setting up an installation server is covered in Installation Server: Setup and Use
on page 358.
Deploy up to 100 Workstations
If you have to deploy more than 10 workstations, an installation server and the use of
the remote installation capabilities of SUSE Linux Enterprise 11 greatly facilitate the
task.
While physical access to the machines is still required to boot them, you do not need
to sit in front of each machine during the whole installation. Using remote access via
VNC or SSH, the administrator can control the installation of different machines at
the same time from his workstation.
Setting up DHCP and TFTP servers in addition to the installation server makes it
unnecessary to physically access the machines to boot them, provided the hardware
allows booting from the network as well as Wake on LAN. Without AutoYaST, you
would still have to configure them manually via the network.
The more machines you have to install, the more worthwhile it becomes to avoid the
manual configuration. The effort to create and test workable AutoYaST control files
is outweighed by the reduced time spent on configuring individual machines.
Deploy More than 100 Workstations
With so many machines, walking from machine to machine to install them all is no
longer an option. Even remote configuration becomes cumbersome.
The roll-out of a large number of machines is facilitated by AutoYaST. AutoYaST
controls the installation with an XML file which contains the machine specific
information, like IP address, hostname, partitioning, etc. Manual intervention during
the installation process is unnecessary.
AutoYaST allows you to create profiles containing all configuration information. As
the hardware detection of YaST is used during installation, the same file can be used
to install machines with dissimilar hardware.
If the differences in hardware are significant, it is also possible to create rules that
determine which of several AutoYaST files should be used for the hardware found.
Not only the hardware can serve as a criterion; other parameters, like IP addresses,
can be used as well. You could create different profiles for development workstations
and for workstations used in HR, and then base the decision of which profile to use
for installation on the IP address the workstation gets via DHCP.
Objective 2 Installation Server: Setup and Use
An installation server offers the files needed for the installation of SUSE Linux
Enterprise Desktop or Server 11 via the network. To provide such a server in your
network, you need to understand how to do the following:
Set Up an Installation Server on page 358
Use the Installation Server on page 369
Set Up an Installation Server
The installation repository requires the same layout of directories and files as the
layout on the installation DVD.
The most convenient way to set up such an installation repository is to use SUSE
Linux Enterprise Server 11 and its YaST Installation Server module. This module
creates the necessary directory structure, prompts to insert the DVD to copy its
content to the proper directories, and sets up the server (NFS, HTTP, FTP) used to
distribute the files.
NOTE: Using SUSE Linux Enterprise Desktop 11 as an installation server is also possible, but you
have to set up the server manually because there is no YaST module for this purpose included in the
Desktop distribution.
The following steps are required:
Fill the Installation Repository on page 358
Make Add-on-Products Available on page 359
Fill the Installation Repository
First create a directory where you want to store the installation repository, such as
/srv/install-repo/sled11 for SLED11, using the command
mkdir -p /srv/install-repo/sled11.
Filling the repository is very simple: Just insert the SUSE Linux Enterprise Desktop
11 installation DVD and copy all files on it to the repository:
cp -a /media/SUSE_SLED-11-0-0.001/* /srv/install-repo/sled11
NOTE: The same procedure is used for SUSE Linux Enterprise 11 service packs, as they replace the
original installation media.
Make Add-on-Products Available
In addition to the packages available for installation on the DVD, it is possible to
make further packages available. The directory structure described in the following
can be used for updates, add-on products, or RPM packages of your own.
You can set up the add-on products repository using the YaST Add-On Creator
module or command line commands.
To access the add-on products repository during the automatic installation, you can
either include a pointer to it in the AutoYaST control file or add an
add_on_products.xml file to the root of your product installation repository.
This manual covers the following two approaches:
YaST Add-On Creator Module and autoinst.xml on page 359
Manual Creation of Repository and add_on_products.xml file on page 365
YaST Add-On Creator Module and autoinst.xml
The YaST Add-On Creator module guides you through the steps necessary to create a
repository with the correct layout of directories and files. Take the following steps to
create an add-on repository and to modify your control file:
1. (Conditional) If you have not created a gpg key pair, in a terminal window (as
root) enter the command
gpg --gen-key
and follow the prompts to create your own key pair.
2. Copy the RPM files you want to include in your add-on repository to a temporary
directory, such as /tmp/repo-files.
3. Start YaST and select Miscellaneous > Add-On Creator.
The following dialog appears:
Figure 9-1 Add-On Product Creator
To create an add-on repository from scratch, select Create an Add-On from the
Beginning and click Next.
4. In the Add-On Product Creator dialog that appears, fill in the text boxes with
the name and version of your repository and the directory that holds your RPM
files.
The dialog will look similar to the following.
Figure 9-2 Add-On Product Creator
To continue click Next.
A Product Definition dialog appears, as shown in the following:
Figure 9-3 Product Definition
5. In the Product Definition dialog, select Vendor and click Edit. In the dialog that
appears, enter a vendor name, such as your company name or the name of the
provider of the RPM files.
In the Product Definition dialog click Next.
The Package Descriptions dialog appears.
6. The Package Descriptions dialog lists the packages that are part of your add-on
repository. To continue click Next.
The Editor for Patterns dialog appears.
7. In the Editor for Patterns dialog, you can create Patterns for your add-on
products. To continue click Next.
The Output Settings dialog appears, as shown in the following:
Figure 9-4 Output Settings
8. In the Path to Output Directory text box, type the directory where you want
your add-on product repository to reside.
To continue click Next.
A Signing the Add-On Product dialog appears.
9. In the GPG Key ID text box, type the ID, such as the e-mail address you entered
during the creation of your key pair, of the GPG key you want to use to sign the
content file in the root of the repository.
Type the passphrase to unlock the private key and click Next to continue.
An Overview dialog appears.
10. In the Overview dialog review your settings and click Finish.
An Add-On Creator Overview dialog appears, as shown in the following:
Figure 9-5 Add-On Creator Configuration Overview
11. In the Add-On Creator Overview, click Build.
(Optional) If a message appears that informs you that the obs-productconverter
package needs to be installed, click Install.
The directory structure for the repository is created, the RPMs are copied to their
correct location and content files in the root of the repository are created and
signed.
12. Click Finish to close the Add-On Creator module.
13. Open the AutoYaST profile used to install machines in an editor and add the
following lines below the line starting with <profile ...
<add-on>
  <add_on_products config:type="list">
    <listentry>
      <media_url>nfs://172.17.8.1/srv/install-repo/Add-On</media_url>
      <product>My Add-Ons</product>
      <product_dir>/</product_dir>
      <name>My Add-Ons</name>
    </listentry>
  </add_on_products>
</add-on>
14. In the AutoYaST profile, look for the line
<import_gpg_key config:type="boolean">false</import_gpg_key>
Change the value from false to true. The line should look like the following:
<import_gpg_key config:type="boolean">true</import_gpg_key>
Save the file and close the editor.
NOTE: The creation of an AutoYaST profile is explained in Create a Configuration File for
AutoYaST on page 381.
Manual Creation of Repository and add_on_products.xml file
Instead of using YaST, you can also use command line tools to create the repository
layout and files. If you want to use an add_on_products.xml file in the root
directory of the product installation repository, you have to sign a file containing a
checksum of the add_on_products.xml file and to include the GPG public key in the
initial ramdisk used during installation.
NOTE: When you use an add_on_products.xml file as described in the following steps, it is
not necessary to add an <add-on> ... </add-on> section to the AutoYaST profile used to
install the individual machines.
Take the following steps to set up your repository and use the add_on_products.xml
file during installation:
1. (Conditional) If you have not created a gpg key pair, in a terminal window (as
root) enter the command
gpg --gen-key
and follow the prompts to create your own key pair.
2. Install the inst-source-utils package if it is not yet installed by entering the
following as root in a terminal window:
rpm -q inst-source-utils || yast -i inst-source-utils
3. Run the following command with the root of your installation repository as
argument:
da10:~ # create_update_source.sh /srv/install-repo/sled11/
Creating /srv/install-repo/sled10//updates.....
This will create the updates and yast directories with several subdirectories
and files within your installation repository.
NOTE: Despite the fact that the directory created is named updates, it can be used for add-on
products as well.
4. Using the mkdir -p command, create the updates/suse/architecture/
directory and copy any RPM files you want to make available to that directory.
NOTE: The following steps have to be repeated every time you change the content of this
directory (i.e., add files to it or delete files from it).
5. Change to the updates/suse directory and run the following command:
da10:/srv/install-repo/sled11 # cd updates/suse
da10:/srv/install-repo/sled11/updates/suse # create_package_descr -x setup/descr/EXTRA_PROV
using settings:
datadirs: .
languages: english
output dir: ./setup/descr/
is not a directory: ignoring
extra_provides: setup/descr/EXTRA_PROV
done
processed 1 packages
now recoding to UTF-8: packages packages.DU packages.en
da10:/srv/install-repo/sled11/updates/suse #
This creates the packages, packages.DU, and packages.en files in the
updates/suse/setup/descr directory.
6. Change to the directory updates/suse/setup/descr and create an
updated directory.yast file:
da10:/srv/install-repo/sled11/updates/suse/setup/descr # ls > directory.yast
7. Change back to the updates directory and run the create_sha1sums -x -n
command.
The result is a content file that contains SHA1 hashes for the files created in
the previous step:
da10:/srv/install-repo/sled11/updates/ # create_sha1sums -x -n
da10:/srv/install-repo/sled11/updates/ # cat content
CONTENTSTYLE 11
...
SUMMARY SUSE Linux Enterprise Server
VENDOR SUSE LINUX Products GmbH, Nuernberg, Germany
VERSION 11
META SHA1 b907a3d5593c3a2f0108f9ba27e3c5b8ef0121d5 packages
META SHA1 4a0c3656cd8c61a68cccf2c75ec83f1f132556ec packages.DU
META SHA1 94e8d1bf3d7b53fd7c8ce32d6f6ea70cf47ede87 packages.en
8. Create an add_on_products.xml file in the root of your installation
repository that points to the servers and directories with add-on products:
<?xml version="1.0"?>
<add_on_products xmlns="http://www.suse.com/1.0/yast2ns"
  xmlns:config="http://www.suse.com/1.0/configns">
  <product_items config:type="list">
    <product_item>
      <name>SLED11 Add-on</name>
      <url>nfs://172.17.8.1//srv/install-repo/sled11/updates</url>
      <path>/</path>
      <ask_user config:type="boolean">false</ask_user>
      <selected config:type="boolean">true</selected>
    </product_item>
    <!-- Another product item -->
    <product_item />
  </product_items>
</add_on_products>
9. Create a file containing the SHA1 sum of the add_on_products.xml file.
With SLE 11, every file on the installation source needs a checksum in a content
or a SHA1SUMS file, and those files have to be digitally signed. These
signatures are checked during installation. For your own repositories, you need to
sign them and make the signing key available during installation.
Run the sha1sum command to create the checksum:
da10:/srv/install-repo/sled11/ # sha1sum add_on_products.xml > SHA1SUMS
da10:/srv/install-repo/sled11/ # cat SHA1SUMS
e13af51a0b1993bf20d597408c457681aea382c0 add_on_products.xml
10. Sign the SHA1SUMS file with the gpg command:
da10:/srv/install-repo/sled11/ # gpg -b --sign --armor SHA1SUMS
NOTE: If you have several private keys, use the -u username option to specify the key.
This command creates the SHA1SUMS.asc file that contains the digital
signature.
Every time you change the add_on_products.xml file, you have to create a
new SHA1SUMS file and digitally sign it again.
11. Sign the content file you created in Step 7 with gpg as well.
12. The key to verify the signatures has to be available in the root of the installation
repository. You also have to update the directory.yast file in the root
directory of your installation repository.
Run the following commands:
da10:/srv/install-repo/sled11/ # gpg --export --armor your_keyid > SHA1SUMS.key
da10:/srv/install-repo/sled11/ # ls > directory.yast
13. The last step is to include your public key in the initrd.
In addition to the root directory of the installation repository, the key used to
verify the signatures (SHA1SUMS.key from the previous step) has to be
available with a .gpg file extension in the root (/) directory of the initrd used
during installation.
The initrd is in the /boot/i386/loader/ directory on the installation DVD.
Copy the initrd and my-key.gpg to a directory of your choice, such as /tmp, and
add the my-key.gpg file to the initrd as shown in the following:
da10:/srv/install-repo/sled11/ # cp SHA1SUMS.key /tmp/my-key.gpg
da10:/srv/install-repo/sled11/ # cd /tmp/
da10:/tmp/ # mv initrd initrd.gz
da10:/tmp/ # gunzip initrd.gz
da10:/tmp/ # find my-key.gpg | cpio -o -A -F initrd -H newc
da10:/tmp/ # gzip initrd
da10:/tmp/ # mv initrd.gz initrd
The modified initrd file can be used on your tftp server for PXE booting.
When your add-on repository is set up, you can specify any RPM file that is
contained in it for installation in an AutoYaST control file.
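As an added example (not the manual's own procedure), the following POSIX shell functions wrap steps 9 to 13 so that the checksum, the detached signature and the key in the initrd can be rebuilt after every change to add_on_products.xml and, more importantly, verified on the server before a roll-out: the installer rejects the repository when the SHA1 recorded in SHA1SUMS no longer matches the file or the signature does not verify, and catching that on the installation server is cheaper than a failed mass installation. The function names, the throw-away keyring, the my-key.gpg name inside the initrd and the sample file contents are assumptions made for this example; the key ID is passed in the same way as the -u option mentioned above.

```shell
#!/bin/sh
# Added example, not from the manual: build and verify the SHA1SUMS,
# SHA1SUMS.asc and SHA1SUMS.key files from steps 9 to 12 and the initrd key
# from step 13. Assumed layout: REPO/add_on_products.xml plus the files
# named above, as created in the steps of the manual. Function names and
# sample inputs are constructed for this example.

# Step 9: record the SHA1 of add_on_products.xml in SHA1SUMS.
make_sha1sums() {
    ( cd "$1" && sha1sum add_on_products.xml > SHA1SUMS )
}

# Check that the checksum recorded in SHA1SUMS still matches the file.
# Returns 0 if it matches, non-zero if the file changed after it was
# signed (the signature on SHA1SUMS then no longer covers the content).
check_sha1sums() {
    ( cd "$1" && sha1sum -c --status SHA1SUMS )
}

# Steps 10 and 12: detached, ASCII-armored signature of SHA1SUMS with the
# key $2, and export of that key as SHA1SUMS.key. gpg prompts for the
# passphrase just as in the manual.
sign_sha1sums() {
    ( cd "$1" && gpg -u "$2" -b --armor SHA1SUMS \
        && gpg --export --armor "$2" > SHA1SUMS.key )
}

# Verify SHA1SUMS.asc against the exported key only, in a throw-away
# keyring, so that no other key on the admin machine can make the check
# pass. Returns 0 for a good signature, non-zero for a bad, missing or
# unverifiable one, 2 if gpg is not installed.
check_signature() {
    repo=$1
    command -v gpg >/dev/null 2>&1 || return 2
    [ -f "$repo/SHA1SUMS.asc" ] && [ -f "$repo/SHA1SUMS.key" ] || return 1
    keyring=$(mktemp -d)
    gpg --homedir "$keyring" --batch --quiet --import "$repo/SHA1SUMS.key" 2>/dev/null
    gpg --homedir "$keyring" --batch --verify "$repo/SHA1SUMS.asc" "$repo/SHA1SUMS" 2>/dev/null
    rc=$?
    rm -rf "$keyring"
    return $rc
}

# Step 13: add the exported key, as my-key.gpg in the root directory, to a
# gzip-compressed newc cpio initrd. Works on a copy so the original image
# is untouched; the result is written to $1.new. Returns 1 on failure.
add_key_to_initrd() {
    initrd=$1
    key=$2
    work=$(mktemp -d)
    cp "$initrd" "$work/initrd.gz"
    cp "$key" "$work/my-key.gpg"
    ( cd "$work" && gunzip initrd.gz \
        && echo my-key.gpg | cpio -o -A -F initrd -H newc 2>/dev/null \
        && gzip initrd ) || { rm -rf "$work"; return 1; }
    mv "$work/initrd.gz" "$initrd.new"
    rm -rf "$work"
}

# List the files in a gzip-compressed initrd, to confirm the key is there.
list_initrd() {
    gunzip -c "$1" | cpio -t 2>/dev/null
}
```

check_signature deliberately trusts only the key exported into SHA1SUMS.key, which mirrors what a client has available in its initrd; a good signature from some other key on the administrator's keyring would not help the installing machine. Run make_sha1sums and sign_sha1sums again after every edit of add_on_products.xml, then check_sha1sums and check_signature before pointing clients at the repository.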
Use the Installation Server
To use the installation server, you have to specify the server when the initial boot
screen shows up. With the Down key, move to Installation, then press F4. From the
menu, select the installation server type you want to use:
Figure 9-6 Installation via NFS
Another dialog opens where you have to specify the hostname of the server and the
directory on the server. Depending on the server type, there might be additional
parameters to specify.
Instead of selecting NFS from the menu and specifying the IP address and path in the
dialog, you can type install=nfs://IP_address/path/to/repository/ in the
Boot Options field.
After pressing Enter, the installation system connects to the installation server and
loads all files needed for installation over the network.
Exercise 9-1 Set Up an Installation Server
In this exercise, you copy the files of the installation DVD to a directory and make
this directory accessible over the network using NFS.
Then you prepare the installation repository to provide additional RPMs that are not
part of the installation media.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Set Up PXE Boot for Installations
PXE (Preboot Execution Environment) is a procedure to boot a computer system over
the network. This is independent of the local storage media or operating system.
The firmware of the network card sends out bootp requests and receives an IP address
as well as information on where to retrieve a boot loader image from a bootp/DHCP
server. It downloads the boot loader image based on that information using TFTP.
The image is transferred from the server and loaded into RAM. The control of the
boot process passes from the network card to the boot loader. This boot loader then
fetches the kernel and initrd from the TFTP server and passes the control to the
kernel.
In addition to a PXE-capable network card on the client side, the following packages
are needed on the server side:
tftp: TFTP Server
syslinux: Contains the bootloader pxelinux
dhcpd: DHCP Server
A DHCP server is available only on SUSE Linux Enterprise Server 11, not on the
Desktop distribution. However, you can add the SUSE Linux Enterprise Server 11
DVD to the installation sources to be able to install a DHCP server on SUSE Linux
Enterprise Desktop 11 as well.
To set up PXE boot, you need to understand how to do the following:
Install and Configure tftp on page 371
Configure pxelinux on page 372
Install and Configure the DHCP Server on page 375
Install and Configure tftp
To begin, install the tftp package with the yast -i tftp command. The TFTP
server needs a directory for the files it is supposed to distribute, which is created by
the mkdir /tftpboot command.
As the TFTP server is started via xinetd, it is necessary to edit /etc/xinetd.d/tftp.
It should look similar to the following example:
# default: off
# description: tftp service is provided primarily for
# booting or when a router needs an upgrade. Most sites
# run this only on machines acting as "boot servers".
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /tftpboot -r blksize
#       disable         = yes
}
To access the TFTP server, it is necessary to start xinetd with the rcxinetd
start command. If a client contacts the TFTP server port (69), xinetd starts the
TFTP server and hands the connection over to that server.
If you want xinetd to start during system boot, add it to the proper runlevel directories
with the insserv xinetd command.
Configure pxelinux
The syslinux package contains the files the client needs to boot via the network. To
configure pxelinux for network boot, you have to understand the following:
pxelinux Files and Directories on page 372
Configure pxelinux on page 373
pxelinux Files and Directories
The first step is to install the syslinux package (if it isn't installed already) using the
yast -i syslinux command. Then copy the /usr/share/syslinux/pxelinux.0
file to /tftpboot/.
In addition to the files from the syslinux package, the kernel and initrd of the system
you want to install are needed in the /tftpboot directory.
From the SUSE Linux Enterprise Server 11 installation DVD, copy the linux,
initrd, and message files from the /mountpoint/boot/i386/loader/
directory to /tftpboot/. If you want to be able to install different products, like
Desktop and Server, rename the files accordingly (such as initrd_sled11,
initrd_sles11, linux_sled11, etc.) to avoid naming conflicts.
Configure pxelinux
pxelinux expects its configuration in the /tftpboot/pxelinux.cfg/ directory.
To configure pxelinux, you have to understand the following:
Configuration Filename Convention on page 373
Configuration File Content on page 373
Configuration Filename Convention
As more than one system may be booted from the same server, the configuration
filename depends on the IP address of the booting machine. In this way, it is possible
to have different configurations for different machines.
pxelinux will search for the configuration file on the boot server in the following
way:
First it will search for a configuration file based on the MAC address of the NIC
of the client in lower hexadecimal notation, and the ARP type (Ethernet: ARP
type 1). For example, if the MAC address is AA:BB:CC:11:22:33, the
corresponding filename will be 01-aa-bb-cc-11-22-33.
Next it will search for the configuration file using the IP address of the client in
hexadecimal notation; the address 172.17.8.1, for example, corresponds to
AC110801. The gethostip program from the syslinux package can be used to
calculate this value.
If that file is not found, it will remove one hexadecimal digit and try again
(AC11080 in the above example). If that fails too, another hexadecimal digit is
removed with each try, until a file is found (AC1108, AC110, AC11, and so on, in
the above example).
If no file with one of these names is found, pxelinux searches for a file named
default.
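As an added illustration (not part of the manual), the following POSIX shell script reproduces the lookup order just described and reports which file in a pxelinux.cfg directory a given client would actually receive, which is useful when a machine unexpectedly picks up another machine's profile because a shorter IP prefix file shadows it. The function names, the scratch directory and the use of the manual's sample addresses are assumptions made for this example; the order implemented is exactly the one listed above (MAC-based name, hexadecimal IP shortened one digit at a time, then default).

```shell
#!/bin/sh
# Added example, not from the manual: reproduce the order in which pxelinux
# looks for its configuration file under /tftpboot/pxelinux.cfg/, and report
# which file a given client would get. Function names, sample addresses and
# the scratch directory are assumptions made for this example.

# Hexadecimal form of a dotted-quad IPv4 address, as printed by gethostip -x
# from the syslinux package (172.17.8.1 -> AC110801).
ip_to_hex() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# Filename derived from the client's MAC address: ARP type 01 (Ethernet),
# then the address in lower-case hexadecimal with dashes
# (AA:BB:CC:11:22:33 -> 01-aa-bb-cc-11-22-33).
mac_to_cfg_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F:' 'a-f-')"
}

# Print, one per line, every filename pxelinux tries for this client, in
# order: MAC-based name, hexadecimal IP with one trailing digit removed per
# attempt, finally "default".
pxelinux_cfg_candidates() {
    mac_to_cfg_name "$1"
    hex=$(ip_to_hex "$2")
    while [ -n "$hex" ]; do
        printf '%s\n' "$hex"
        hex=${hex%?}      # drop the last hexadecimal digit
    done
    printf 'default\n'
}

# Given a pxelinux.cfg directory, a MAC and an IP address, print the first
# candidate that exists there (the file the client would load). Returns 1
# if nothing matches, i.e. the client would not get a configuration at all.
pxelinux_cfg_select() {
    cfg_dir=$1
    for name in $(pxelinux_cfg_candidates "$2" "$3"); do
        if [ -f "$cfg_dir/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Demonstration with the manual's sample addresses in a constructed
# scratch directory: run the script with --demo.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    touch "$demo_dir/AC1108" "$demo_dir/default"
    echo "Lookup order:"
    pxelinux_cfg_candidates AA:BB:CC:11:22:33 172.17.8.1
    echo "Selected: $(pxelinux_cfg_select "$demo_dir" AA:BB:CC:11:22:33 172.17.8.1)"
    rm -rf "$demo_dir"
fi
```

Because a file such as AC1108 matches every client in 172.17.8.0/24 (and AC11 every client in 172.17.0.0/16), a per-machine file should use the MAC-based name or the full eight-digit IP; pxelinux_cfg_select shows immediately which of the overlapping files wins for a given client.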
Configuration File Content
The content of the file defines which kernel and initrd are loaded. Together with the
message file, it is possible to display a menu on the client side where the
administrator can select which files to load. For example, you can implement such a
menu when you want to offer a choice of which system to install (SLED11, SLES11,
etc.), or for different boot options.
The content of the file could look like the following (the options after append need
to be in one line):
default harddisk
# SLED11
label SLED11
kernel linux_sled11
append initrd=initrd_sled11 ramdisk_size=65536 insmod=e100 netdevice=eth0 install=nfs://172.17.8.1/srv/install-repo/sled11 vga=0x317
# SLES11
label SLES11
kernel linux_sles11
append initrd=initrd_sles11 ramdisk_size=65536 insmod=e100 netdevice=eth0
...
# hard disk (default)
label harddisk
localboot 0
implicit 0
display message
prompt 1
timeout 100
The options that can be used in the file are described in /usr/share/doc/
packages/syslinux/syslinux.txt. Those used here have the following
significance:
default value: The default option defines which label is used in case the user
does not enter anything. In the example above, the computer boots from
harddisk.
label value: Under each label, it is possible to define which kernel to load and
which options to append. The parameters listed after append are kernel
parameters or linuxrc key=value combinations. A list of keys can be found in
/usr/share/doc/packages/linuxrc/README.linuxrc after
installing the linuxrc package from the SUSE Linux Enterprise Server 11 DVD.
The location of files has to be specified relative to the directory where pxelinux.0
resides. In the example above, the kernel and initrd files are in the same directory
as pxelinux.0; therefore, no path has to be set.
implicit 0|1: If the value is 0, a kernel image is not loaded unless it is explicitly
named in a label statement.
display filename: The filename that contains the information to display to the
user.
prompt 0|1: If the value is 1, always display the boot: prompt.
timeout timeout: The number of 1/10 seconds after which the default is loaded
automatically.
In a message file, you can include an explanation of each possible choice, as in the
following example:
To boot from harddisk, just press <return>.
Available boot options:
SLED11 - AutoYaST-Installation of SLED11
SLES11 - AutoYaST-Installation of SLES11
To install SLED11, enter SLED11 at the prompt.
Deploy SUSE Linux Enterprise 11
Install and Configure the DHCP Server
This section covers only the main configuration options relevant for an installation
server; it does not cover the DHCP configuration in detail.
To install the DHCP server, select the YaST Software Management module and then
in the Software Management dialog, search for dhcp, select dhcp-server on the
right, and then click Accept.
There are two configuration files that need to be edited:
/etc/sysconfig/dhcpd on page 375
/etc/dhcpd.conf on page 376
/etc/sysconfig/dhcpd
The /etc/sysconfig/dhcpd file contains configuration options which are
submitted as parameters to the DHCP daemon by the /etc/init.d/dhcpd start
script. The first parameter defines the interfaces which the DHCP server listens on for
requests.
For example, if the DHCP server listens on the two interfaces eth0 and eth1, set the
variable DHCPD_INTERFACE to the following:
DHCPD_INTERFACE="eth0 eth1"
The DHCP server will listen only to the interfaces specified here.
Two other variables enhance the security of the server:
DHCPD_RUN_CHROOTED="yes"
and
DHCPD_RUN_AS="dhcpd"
The first of these variables configures the DHCP server processes to run in a chroot
environment. The new root directory for all DHCP server related processes is /var/
lib/dhcp.
The second variable defines the user to be used for running the processes. Normally
there is no reason to change the default settings of these variables.
The DHCP server can read additional configuration files that are included in the main
configuration file. As the server processes are running in a chroot environment, these
additional configuration files have to be copied into the chroot environment too. The
files will be copied automatically when the DHCP server is started if they are listed in
/etc/sysconfig/dhcpd.
The following is an example:
DHCPD_CONF_INCLUDE_FILES="/etc/dhcpd.conf.shared /etc/dhcpd.conf.d"
As shown here, the name of a directory can also be provided. All files located in this
directory will be included.
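A quick check of the settings just described, as an added example that is not part of the manual: the function sources a sysconfig file inside a subshell (the real /etc/sysconfig/dhcpd is plain variable assignments, so sourcing it is the natural way to read it) and reports whether the daemon is bound to specific interfaces, chrooted, and running as an unprivileged user; it also verifies that every path listed in DHCPD_CONF_INCLUDE_FILES exists, since the start script can only copy existing files into the chroot. The function name and the constructed sample files are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the Novell manual: report the security-relevant
# settings in an /etc/sysconfig/dhcpd-style file. The file consists of shell
# variable assignments, so it is read by sourcing it inside a subshell.

audit_dhcpd_sysconfig() {   # $1 = path to the sysconfig file; returns 1 on any finding
    (
        DHCPD_INTERFACE=""; DHCPD_RUN_CHROOTED=""; DHCPD_RUN_AS=""; DHCPD_CONF_INCLUDE_FILES=""
        . "$1"
        findings=0

        # Interfaces: an explicit list keeps dhcpd off interfaces that must not see DHCP.
        if [ -n "$DHCPD_INTERFACE" ]; then
            echo "OK:   listens only on: $DHCPD_INTERFACE"
        else
            echo "WARN: DHCPD_INTERFACE is empty; no interface restriction is configured"
            findings=1
        fi

        # chroot: confines the daemon to /var/lib/dhcp.
        if [ "$DHCPD_RUN_CHROOTED" = "yes" ]; then
            echo "OK:   runs chrooted in /var/lib/dhcp"
        else
            echo "WARN: DHCPD_RUN_CHROOTED=\"$DHCPD_RUN_CHROOTED\"; daemon is not chrooted"
            findings=1
        fi

        # Unprivileged user: the default is dhcpd; root keeps full privileges.
        case "$DHCPD_RUN_AS" in
            ""|root)
                echo "WARN: DHCPD_RUN_AS=\"$DHCPD_RUN_AS\"; daemon keeps root privileges"
                findings=1 ;;
            *)
                echo "OK:   runs as user $DHCPD_RUN_AS" ;;
        esac

        # Included files are copied into the chroot at start; a missing one cannot
        # be copied, and an include of it in dhcpd.conf would then fail in the chroot.
        for f in $DHCPD_CONF_INCLUDE_FILES; do
            if [ -e "$f" ]; then
                echo "OK:   include $f exists and will be copied into the chroot"
            else
                echo "WARN: include $f is listed but does not exist"
                findings=1
            fi
        done
        exit "$findings"
    )
}

# Constructed sample files: one with the manual's recommended settings and one
# weakened variant. The real file would be /etc/sysconfig/dhcpd.
demo() {
    dir=$(mktemp -d)
    printf 'DHCPD_INTERFACE="eth0 eth1"\nDHCPD_RUN_CHROOTED="yes"\nDHCPD_RUN_AS="dhcpd"\n' > "$dir/hardened"
    printf 'DHCPD_INTERFACE=""\nDHCPD_RUN_CHROOTED="no"\nDHCPD_RUN_AS="root"\n' > "$dir/weak"
    echo "== hardened"; audit_dhcpd_sysconfig "$dir/hardened"
    echo "== weak";     audit_dhcpd_sysconfig "$dir/weak" || echo "(findings present)"
    rm -rf "$dir"
}

demo
```

Running it against /etc/sysconfig/dhcpd on an installation server (audit_dhcpd_sysconfig /etc/sysconfig/dhcpd) is a one-line way to confirm that the chroot and user settings have not been changed from their defaults.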
/etc/dhcpd.conf
The configuration file for the DHCP server is /etc/dhcpd.conf. Global
definitions are made at the top of the configuration file. The parameters defined here
apply to all subsequent sections unless they are explicitly overwritten in the
respective sections. The entries in the configuration file belong to two categories:
Parameter statements: These describe the following:
How to do something (for example, define the length of time an IP address
remains valid without renewal)
Whether to do something (for example, whether IP addresses should be
assigned to unknown clients)
Which parameters should be provided to clients (for example, the IP address
of the default gateway)
Declarations: Describe the topology of the network, describe the clients, or
provide the address ranges to serve clients from.
Each statement has to be terminated using the semicolon (;).
In the case of an error in the configuration file, dhcpd will not start but will print out
an error message. This message can be used to locate the error in the configuration
file.
SUSE Linux Enterprise Server 11 ships with a sample configuration file for the
DHCP server. You will not need all the configuration statements that are provided
with this sample file. It is better to start with an empty configuration and to enter only
those statements you really need.
Comments can be used at any location in the configuration file. They start with the
hash sign (#). The rest of the line after the hash sign will be ignored.
Starting with DHCP server version 3, dynamic updates of a DNS server are possible.
This means when the DHCP server assigns an IP address to a client, it can update the
corresponding information on the DNS server. The statement describing how to do
this dynamic update (ddns-update-style) is mandatory. If no dynamic update is done
(as in this example), specify none as the parameter to this statement:
#
# /etc/dhcpd.conf
#
ddns-update-style none;
The following are statements regarding the lease times (the validity period for
assigned IP addresses):
#
# specify default and maximum lease time
#
default-lease-time 86400;
max-lease-time 86400;
When a client requests an IP address without providing any information on the
desired lease time, the IP address will be assigned for the specified default lease time
(in this example, 86400 seconds, which is one day).
NOTE: You can enter a maximum of 2^31-1 seconds for the lease time. That is about 68 years.
Shortly before the assigned IP address expires, the client will request a renewal of the
address. Normally, the lease time for this address will be extended.
Depending on its configuration, a client can request a specific lease time. Normally,
this specific lease time request is accepted. You have to distinguish two cases:
If the requested lease time is shorter than the default lease time, the DHCP server
will assign the IP address for the requested time.
If the requested lease time is longer than the default lease time and if no
maximum time has been specified, the DHCP server will accept it. If the
max-lease-time statement is present, this time will be the longest available.
In the example above, both times are the same. Setting a maximum lease time
prohibits clients from requesting an infinite lease time (resulting in a permanent IP
address).
The following section of dhcpd.conf shows how to provide information on the DNS
domain to be used:
#
# What is the DNS domain and where is the name server?
#
option domain-name "digitalairlines.com";
option domain-name-servers 172.17.8.1, 172.17.8.10;
These configuration options start with the keyword option.
If a list of name server addresses (separated by commas) is provided, the list reflects
the order of preference for contacting a name server.
As the last parameter, specify the addresses of routers in the subnet:
#
# This is a router
#
option routers 172.17.8.1;
If several routers are specified here (separated by commas), the list reflects the order
of preference for using these routers. The first router is the default gateway.
There are several options that are needed to enable booting using PXE:
allow bootp;
next-server 172.17.8.1;
server-name "da1.digitalairlines.com";
filename "pxelinux.0";
The bootp flag is used to tell dhcpd whether or not to respond to bootp queries.
next-server specifies the machine to get the boot loader image from, and
filename specifies its name. The server-name statement can be used to inform
the client of the name of the server it is booting from.
Finally, define the range of addresses that can be used for assigning IP addresses to
clients. This declaration starts with the keyword subnet and specifies the subnet
and corresponding network mask:
#
# Which IP addresses may be assigned to the clients?
#
subnet 10.0.0.0 netmask 255.255.255.0
{
range 10.0.0.101 10.0.0.120;
}
When a client requests an IP address, it will be assigned a free address from this
range. Starting with version 3 of the DHCP server, assignment will start with the
highest addresses (in the case above, 10.0.0.120). If no parameters are defined inside
this subnet declaration, all globally defined parameters will be used. There can be
more than one range statement inside a subnet declaration.
It is possible to configure specific hosts as well. Hosts are identified by their MAC
address. In the following example, the host with the MAC address specified after
hardware ethernet is assigned the IP address 10.0.0.150:
#
# Host specific configuration
#
host da150 {
fixed-address 10.0.0.150;
hardware ethernet 00:11:22:33:44:55;
}
The man pages for dhcp-options and dhcpd.conf provide more information on the
available configuration options.
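The fragments above assembled into one complete dhcpd.conf, together with a check to run before starting the daemon, as an added example that is not the manual's own file. The subnet and host declarations are a constructed choice: they use 172.17.8.0/24 so that the router, name servers and next-server all lie inside the subnet being served, whereas the manual's own fragment uses 10.0.0.0/24 for that part. check_dhcpd_conf uses the real parser (dhcpd -t -cf) when dhcpd is installed and otherwise falls back to a small awk lint that assumes one statement per line, no '#' inside quoted strings, an opening brace at the end of its declaration line and a closing brace alone on its line.

```sh
#!/bin/sh
# Added example, not part of the Novell manual: write the complete dhcpd.conf
# for a PXE installation server and check it before starting the daemon.

# Writes the configuration to $1. The subnet/host values are constructed for
# this example so that they lie in the same 172.17.8.0/24 network as the
# router, name servers and TFTP server used in the manual's fragments.
write_pxe_dhcpd_conf() {   # $1 = output path
    cat > "$1" <<'EOF'
#
# /etc/dhcpd.conf - PXE installation server (constructed example)
#
ddns-update-style none;

# default and maximum lease time (seconds); equal, so clients cannot ask for more
default-lease-time 86400;
max-lease-time 86400;

# DNS domain and name servers, in order of preference
option domain-name "digitalairlines.com";
option domain-name-servers 172.17.8.1, 172.17.8.10;

# default gateway
option routers 172.17.8.1;

# PXE: answer bootp queries and hand out the TFTP server and boot loader name
allow bootp;
next-server 172.17.8.1;
server-name "da1.digitalairlines.com";
filename "pxelinux.0";

# dynamic pool for the installation network
subnet 172.17.8.0 netmask 255.255.255.0 {
    range 172.17.8.101 172.17.8.120;
}

# one host with a fixed address, identified by its MAC address
host da150 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 172.17.8.150;
}
EOF
}

# Returns 0 if the file passes. Uses the real parser (dhcpd -t) when it is
# installed; otherwise a small lint that assumes one statement per line, an
# opening brace at the end of its declaration line and a closing brace alone.
check_dhcpd_conf() {   # $1 = configuration file
    if command -v dhcpd > /dev/null 2>&1; then
        dhcpd -t -cf "$1"
        return
    fi
    awk '
        { s = $0; sub(/#.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s) }
        s == ""     { next }
        s ~ /[{]$/  { depth++; next }
        s == "}"    { depth--; next }
        s !~ /;$/   { printf("line %d: statement not terminated by \";\": %s\n", NR, $0); bad++ }
        END {
            if (depth != 0) { print "unbalanced braces"; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

demo() {
    dir=$(mktemp -d)
    write_pxe_dhcpd_conf "$dir/dhcpd.conf"
    if check_dhcpd_conf "$dir/dhcpd.conf"; then
        echo "dhcpd.conf OK"
    fi
    rm -rf "$dir"
}

demo
```

A missing semicolon is the most common mistake in this file; the lint names the line, which is the same information dhcpd prints when it refuses to start.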
After the configuration has been completed, start the DHCP server with the
rcdhcpd start command. If there are any mistakes in your configuration, there
will be error messages pointing you to a line in the configuration file near the
mistake. Fix it and try again to start the server.
If you want the server to start automatically at system start, add the proper links to the
runlevel directories with the insserv dhcpd command.
You are now ready to test your setup. In the same network as your DHCP and TFTP
server, boot a machine that has a PXE-capable network card. (It might be necessary to
change the BIOS of that machine to include the network card as a boot medium.) The
machine should get an IP address from your DHCP server and briefly after that, you
should see the information from your message file.
In this SUSE Linux Enterprise Server 11 Administration course manual, we
explained a simple DHCP configuration that supports PXE. More information on the
configuration of a DHCP server is available at several locations:
The man pages on your local system:
man dhcpd (DHCP server)
man dhcpd.conf (configuration file)
man dhcp-options (configuration options)
In directories on your local system:
/usr/share/doc/packages/dhcp/
/usr/share/doc/packages/dhcp-server/
On the Web:
http://www.isc.org/software/dhcp/
In books:
The DHCP Handbook by Ralph Droms and Ted Lemon (Sams Publishing)
Exercise 9-2 Set Up PXE Boot for Installations
In this exercise, you set up a TFTP server, fill the /tftpboot directory with the files
needed for PXE boot, and set up a DHCP server.
You will find this exercise in the workbook.
(End of Exercise)
Objective 4 Create a Configuration File for AutoYaST
The easiest way to create a configuration file for AutoYaST is to use the YaST
Autoinstallation module. Select Computer > Yast > Miscellaneous >
Autoinstallation, or log in as root and enter yast2 autoyast in a terminal
window.
This module starts with the following dialog:
Figure 9-7 Autoinstallation Configuration
The left part of the window contains the YaST groups you know from the left frame
of the YaST dialog. The center frame contains the YaST modules available in the
group. The right frame lists the settings made in this module for the autoinstallation.
NOTE: At the beginning, default values based on the current system configuration are listed in the
right frame.
You do not need to configure every single aspect of the machines to be installed,
because the automated installation makes use of the hardware detection capabilities
of YaST. For example, you do not need to provide the type of network card because
the hardware detection will take care of this.
Clicking Edit opens the same YaST configuration dialogs as those you see when
installing or administering SUSE Linux Enterprise 11. However, the configuration
information is written to the AutoYaST control file. Nothing is changed on the
installation you work on.
You would usually define disk layout, software selection, language settings, network
parameters, and root password. Depending on your needs, you can specify other
items, such as users and their passwords, NFS client configuration, or printer
configuration.
If you want to perform completely unattended installations, in the General Options
module in the System group of AutoYaST, select Edit. Click Next in the Mouse
Configuration dialog, and uncheck Confirm Installation in the Other Options
dialog. The default is to confirm installation to avoid recursive installs when the
system schedules a reboot after initial system setup. You should also be aware that
this might cause inadvertent installations under certain circumstances.
After you have completed the configuration, select File > Save as. A dialog box
opens with the default directory for AutoYaST configuration files,
/var/lib/autoinstall/repository/. Type a name for the file (hostname.xml, for
example).
You can change the default directory for AutoYaST configuration files via the File >
Settings menu.
If you do not want to begin from scratch, you can use the current machine as a
template. Select Tools > Create Reference Profile. The following dialog appears:
Figure 9-8 AutoYaST Reference Control File
The reference profile is created by reading information from the system you work on.
To add other necessary information for your machine, select the check boxes in the
main window.
NOTE: Be sure to examine any resulting control file carefully before using it to autoinstall a new
system.
To view the configuration created, select View > Source:
Figure 9-9 AutoYaST XML Code
After you have completed your configuration, save it by selecting File > Save as as
described above.
You can also create the control file using an editor of your choice. The advantage of
the YaST module is that it saves a lot of typing and the XML syntax of the resulting
file is correct. Another approach is to create a control file with YaST and then use an
editor for minor changes and additions.
On a system that was installed using AutoYaST, the control file used during
installation is stored as /var/adm/autoinstall/cache/installedSystem.xml.
NOTE: More information on AutoYaST can be found in
/usr/share/doc/packages/autoyast2/html/index.html.
Exercise 9-3 Create an AutoYaST Control File
In this exercise, you create an AutoYaST control file.
You will find this exercise in the workbook.
(End of Exercise)
Objective 5 Perform an Automated Installation
To start the automated installation, make the AutoYaST control file available on the
machine to be installed. This can be combined with any installation method, be it
from the installation media or an installation server in the network.
To perform automated installations, you need to do the following:
Provide the Control File on page 385
Boot and Install the System on page 385
Provide the Control File
Various ways exist to make the control file available.
One is to copy the file to a floppy disk containing a FAT file system format.
NOTE: Do not use a floppy disk with Ext2 file system format.
If you name the file on the floppy disk autoinst.xml and insert the floppy, it will be
automatically used. If you use a different name, you have to add the following to the
kernel command line at the boot prompt of the installation:
autoyast=floppy:///myconfig.xml
Another way to make the control file available is via the network. That is especially
useful in combination with an installation server. In this case, the kernel command
line would look similar to the following:
autoyast=nfs://172.17.8.1/srv/install-repo/sled11/ay/myconfig.xml
Boot and Install the System
Once you have your control file created and tested, you have several options to install
machines with it:
Boot and Install from DVD on page 385
Boot from DVD, Install from an Installation Server on page 386
Boot via PXE, Install from an Installation Server on page 386
Boot and Install from DVD
It is possible to use a control file (on a floppy disk or on an exported file system) in
combination with the installation DVD to boot and install the computer.
However, for larger deployment, this is not really efficient. While it saves the typing
of configuration information, you still have to walk from computer to computer,
insert the media, and start the installation manually. Later, you have to come back to
remove the installation media again.
Boot from DVD, Install from an Installation Server
Even when using the DVD or floppy disks to boot, an installation server has the
advantage that you can remove the boot media as soon as the actual installation has
started.
Provided you have a DHCP server running which provides all network information
during installation, the steps are as follows:
1. Insert the installation DVD into your machine and start the boot process.
2. On the first boot screen, select Installation (be sure to do this within 10 seconds;
otherwise, the system starts from harddisk).
3. Provide the necessary information for an automated installation with AutoYaST.
At the boot prompt, enter the following parameters (we assume here that the
installation repository is available via NFS from
172.17.8.1/srv/install-repo/sled11/, and that the control file is available at the
same location):
autoyast=nfs://172.17.8.1/srv/install-repo/sled11/ay/autoinst.xml install=nfs://172.17.8.1/srv/install-repo/sled11 splash=verbose
The last parameter switches to the detailed display during the boot process, so
you can easily look at the boot messages.
After a short time, YaST starts. At this point, you can remove the boot medium. The
installation proceeds as usual but, because of the control file, no user interaction is
necessary. After some checks, the packages are copied from the NFS server.
The system is rebooted at the end of the installation process. After the reboot, you
may log in as root without a password if no password was set in the AutoYaST
configuration file. In this case, you should immediately set a password for root.
Boot via PXE, Install from an Installation Server
The advantage of using PXE for installation is that you do not have to bring a
separate boot medium to the computer. With a suitable configuration, you can offer a
menu to select what to install.
In fact, if the network card supports Wake on Lan, you do not have to walk to the
machine at all.
The setup to support booting via the network is described in Configure pxelinux on
page 372. To integrate AutoYaST, an additional entry is needed in the append line of
the pxelinux configuration file:
...
# SLED11
label SLED11
kernel linux
append initrd=initrd ramdisk_size=65536 insmod=e100 netdevice=eth0 install=nfs://172.17.8.1/srv/install-repo/sled11 autoyast=nfs://172.17.8.1/srv/install-repo/sled11/ay/autoinst.xml vga=0x317
...
When you now enter SLED11 at the message prompt, the computer is automatically
installed.
You could go one step further and make this entry the default:
default SLED11
# SLED11
label SLED11
...
In this case, the computer gets installed unless a user chooses a different option. This
configuration is probably useful only in initial rollouts in combination with Wake on
Lan, for these reasons:
Until you remove the pxelinux configuration file, there is an installation loop:
after each reboot, the installation starts all over again.
If a user turns on the computer, it will get installed from scratch.
Do this as a workaround:
1. Create a file /tftpboot/pxelinux.cfg/default that contains the menu
options that you want to offer in the PXE menu once the computers are installed.
This could be to boot from harddisk only, or also contain additional entries
allowing installations when the user selects them.
2. Create another file, /tftpboot/pxelinux.cfg/install, that contains
the installation as default.
The name of the file is not important, as long as it is not a filename pxelinux
looks for as described in Configuration Filename Convention on page 373.
3. Create links within the /tftpboot/pxelinux.cfg/ directory to the
/tftpboot/pxelinux.cfg/install file according to the pxelinux file name
convention. For example, for the IP address 10.11.12.13, the command would be
ln -s install 0A0B0C0D
4. Using Wake on Lan, turn on the machine.
5. Watch the TFTP log file, using the command
tail -f /var/log/xinetd.log
It will show an entry when a computer connects to the TFTP server.
You could also watch /var/log/messages for entries indicating that the
respective client has mounted the installation server directory.
6. When the computer you turned on using Wake on Lan has fetched the necessary
files via TFTP according to the log file, remove the corresponding link in the
directory /tftpboot/pxelinux.cfg/:
rm 0A0B0C0D
When the computer reboots during the installation or later in the course of
normal production, the file fetched by pxelinux is
/tftpboot/pxelinux.cfg/default. As the default in this file is to boot from
harddisk, the computer starts normally unless the user chooses a different option.
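The link workaround from steps 1 to 6, as an added shell example that is not part of the manual: arm_install creates the hex-named link of step 3, disarm_install performs the removal of step 6 only if the entry really is a symlink to install (so a hand-written per-host file is never deleted), armed_hosts lists which machines are currently set to install, and install_name_is_safe checks that the name chosen in step 2 is not one pxelinux looks for on its own. The function names and the temporary directory standing in for /tftpboot/pxelinux.cfg/ are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the Novell manual: manage the per-host links that
# point one machine at the "install" configuration, so that it is installed
# exactly once and then falls back to pxelinux.cfg/default.

# Hex name pxelinux derives from the IPv4 address (10.11.12.13 -> 0A0B0C0D).
pxe_ip_name() {
    printf '%02X%02X%02X%02X' $(printf '%s' "$1" | tr '.' ' ')
}

# The install file (step 2) must not carry a name pxelinux searches for on its
# own: 'default', an ARP-type/MAC name, or one to eight upper-case hex digits.
install_name_is_safe() {   # $1 = file name; returns 1 if pxelinux would pick it up by itself
    case "$1" in
        default|01-*) return 1 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{1,8}$'; then
        return 1
    fi
    return 0
}

# Step 3: ln -s install <HEX-IP>. Plain ln -s is used on purpose: if a file of
# that name already exists (a hand-written per-host configuration) the call
# fails instead of replacing it.
arm_install() {   # $1 = pxelinux.cfg directory, $2 = IPv4 address of the host
    if [ ! -f "$1/install" ]; then
        echo "$1/install does not exist" >&2
        return 1
    fi
    ln -s install "$1/$(pxe_ip_name "$2")"
}

# Step 6: remove the link once the host has fetched its files, but only if the
# entry really is a symlink to install; anything else is left untouched.
disarm_install() {   # $1 = pxelinux.cfg directory, $2 = IPv4 address of the host
    link="$1/$(pxe_ip_name "$2")"
    if [ -L "$link" ] && [ "$(readlink "$link")" = "install" ]; then
        rm "$link"
    else
        echo "$link is not an install link; leaving it alone" >&2
        return 1
    fi
}

# Hex names of all hosts currently pointed at the install entry, one per line:
# the list to review before turning machines on via Wake on LAN.
armed_hosts() {   # $1 = pxelinux.cfg directory
    for f in "$1"/*; do
        if [ -L "$f" ] && [ "$(readlink "$f")" = "install" ]; then
            basename "$f"
        fi
    done
    return 0
}

# Constructed demo in a temporary directory standing in for /tftpboot/pxelinux.cfg/.
demo() {
    dir=$(mktemp -d)
    printf 'default harddisk\nlabel harddisk\nlocalboot 0\n' > "$dir/default"
    printf 'default SLED11\nlabel SLED11\nkernel linux\n' > "$dir/install"
    install_name_is_safe install && echo "install: safe file name"
    arm_install "$dir" 10.11.12.13          # creates 0A0B0C0D -> install
    echo "armed: $(armed_hosts "$dir")"     # armed: 0A0B0C0D
    disarm_install "$dir" 10.11.12.13       # removes the link again
    rm -rf "$dir"
}

demo
```

Because every entry in pxelinux.cfg is served to whichever client asks for it, the useful habit is to keep the armed list short and to disarm a host as soon as the TFTP log shows that it has fetched its files, exactly as step 6 describes.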
Exercise 9-4 Perform an Automated Installation of SUSE Linux Enterprise Server
11
In this exercise, you perform an automated installation of SUSE Linux Enterprise
Server 11.
You will find this exercise in the workbook.
(End of Exercise)
Exercise 9-5 Activate PXE Booting and Install SUSE Linux Enterprise Server
(Conditional, depending on hardware support)
In this exercise, you work with a fellow student to boot your machine using PXE and
start the installation of SUSE Linux Enterprise Server 11.
You will find this exercise in the workbook.
(End of Exercise)
Summary
Objective: Introduction to AutoYaST
SUSE Linux Enterprise 11 can be deployed using manual installation with the
installation media or an installation server, or automated installation with an
AutoYaST control file.
To boot the computer for installation, you can use the DVD, boot floppies, or
PXE-capable network cards in conjunction with a boot loader image distributed via
TFTP.
Objective: Installation Server: Setup and Use
Setup of an installation server consists of copying the content of the installation
DVD to a directory and configuring NFS to provide access to that directory to
clients.
Objective: Set Up PXE Boot for Installations
To boot a computer via the network using PXE, you need a boot loader image
distributed by TFTP.
The syslinux package contains the pxelinux.0 boot loader image.
The tftp package contains a TFTP server that is started by xinetd when a client
accesses port 69. The files needed by the clients are usually stored in the
/tftpboot directory.
A DHCP server is contained in the dhcp-server package.
Objective: Create a Configuration File for AutoYaST
To create a configuration file for AutoYaST, use the YaST module Autoinstallation:
yast2 > Miscellaneous > Autoinstallation
or start the module directly from the command line with
yast2 autoyast
The default directory for AutoYaST configuration files is
/var/lib/autoinstall/repository/.
Objective: Perform an Automated Installation
The control file for automated installation can be made available by various
means, including a floppy disk, a USB device, or a network share.
A DHCP server, which provides all network information, and an installation server
simplify the installation.
If combined with PXE, completely unattended installations are possible.
SECTION 10 Manage Virtualization with Xen
SUSE Linux Enterprise Server 11 comes with built-in virtualization support through
the Xen virtual machine monitor. In this section, you learn about the Xen
virtualization technology in SUSE Linux Enterprise Server 11.
Objectives
1. Understand How Virtualization with Xen Works on page 394
2. Install Xen on page 398
3. Manage Xen Domains with Virt-Manager on page 409
4. Manage Xen Domains from the Command Line on page 415
5. Understand Xen Networking on page 422
Objective 1 Understand How Virtualization with Xen Works
Virtualization technology separates a running instance of an operating system from
the physical hardware. Instead of running on a physical machine, the operating
system runs in a so-called virtual machine. Multiple virtual machines share the
resources of the underlying hardware.
Virtualization allows you to run multiple virtual systems on one physical machine.
Figure 10-1 Physical Machine and Virtual Machines
In comparison with non-virtualized physical hardware, virtualization provides the
following advantages:
Efficient hardware utilization: Often systems are not using the full potential of
their hardware. When multiple virtual machines are run on the same hardware,
the resources are used more efficiently.
Reduced downtime: Virtual machines can be migrated to a new physical host
system. This reduces downtime in case of a hardware failure.
Flexible resource allocation: Hardware resources can be allocated on demand.
When the resource requirements of a virtual machine change, resource allocation
can be adjusted or the virtual machine can be migrated to a different physical
host.
SLES 11 comes with a virtualization technology called Xen. Xen allows you to run
multiple virtual machines on a single piece of Intel x86-based hardware.
To understand how Xen works, you need to do the following:
Understand Virtualization Methods on page 395
Understand the Xen Architecture on page 396
Understand Virtualization Methods
You should understand the following virtualization methods:
Para-Virtualization: Instead of emulating a full virtual machine, para-
virtualization software provides an Application Programming Interface (API)
which is used by the guest OS to access hardware resources. The guest OS must
be aware that it runs in a virtual machine and must know how to access the API.
Figure 10-2 Para-Virtualization
Para-virtualization provides better performance because it does not emulate all
hardware details. However, the guest OS needs to be modified to run with para-
virtualization; therefore, only open source operating systems like Linux or BSD
can be installed. One exception is NetWare, which has been adjusted by Novell
to run in a Xen virtual machine.
Another advantage of para-virtualization is the flexible resource allocation.
Because the guest OS is aware of the virtual environment, Xen can, for example,
change the memory allocation of a virtual machine on the fly without requiring a
reboot of the virtual machine.
Full Virtualization: The virtualization software emulates a complete virtual
machine, including all hardware resources. The operating system running in the
virtual machine (the guest OS) communicates with these resources as if they
were physical hardware. VMware Workstation is a popular full virtualization
product.
Figure 10-3 Full Virtualization
Xen supports full virtualization on x86 hardware that has the virtualization
extensions developed by Intel (VT-x) and AMD (AMD-V), which extend the x86
standard to support virtualization. Full virtualization works with unmodified
guest operating systems, including Microsoft Windows, but generates more
overhead, resulting in lower performance.
Understand the Xen Architecture
Xen consists of the following three major components:
Virtual Machine Monitor: The virtual machine monitor forms a layer between
physical hardware and virtual machines. In general, this kind of software is
called a hypervisor.
Xen kernel: The modified Linux kernel for Xen para-virtualization. It can be
used for Domain 0 as well as for Domain U (see below).
Xen tools: The Xen tools are a set of command line and graphical applications
that are used to administer virtual machines.
The virtual machine monitor must be loaded before any of the virtual machines are
started. When working with Xen, virtual machines are called domains.
The Xen virtual machine monitor includes neither any drivers to access the physical
hardware of the host machine nor an interface to communicate directly with an
administrator. These tasks are performed by an operating system running in the
privileged Domain 0 (Dom0).
The following is an illustration of a Xen system with three domains:
Figure 10-4 Xen Domains
Xen plus the privileged Domain 0 can also be referred to as a Virtual Machine Server.
An unprivileged domain is called Domain U (DomU) in the Xen terminology, and is
also known as a Virtual Machine.
A process called xend runs in the Dom0 Linux installation. This process is used to
manage all Xen domains running on a system and to provide access to their consoles.
SUSE Linux Enterprise Server 11 can be used for privileged (Dom0) and
unprivileged (DomU) Xen domains.
Objective 2 Install Xen
A complete Xen installation includes the following tasks:
Install a Xen Server on page 398
Install a Xen Virtual Machine on page 400
Install a Xen Server
To set up a Xen server, which is a system capable of hosting Xen virtual machines,
you need to install the Xen kernel and additional Xen packages on top of a SUSE
Linux Enterprise Server 11 installation.
You have two choices:
Install Xen during Installation of SUSE Linux Enterprise 11 on page 398
Install Xen on an Installed SUSE Linux Enterprise Server 11 on page 400
Install Xen during Installation of SUSE Linux Enterprise 11
To install Xen as part of the SUSE Linux Enterprise Server 11 installation, in the
dialog presented in the first stage of the installation, select the Xen Virtual Machine
Host Server pattern. This installation on the physical hardware will be your future
Domain 0 (Dom0).
The other Xen domains (DomUs) are installed later in physical partitions or file
system images. If you plan to use physical partitions, make sure that the initial SUSE
Linux Enterprise Server 11 installation is not using all of the available disk space.
For maximum flexibility, use the logical volume manager (LVM) for a Xen system.
As a general rule, you should run services (such as a Web server, a database, or
Novell services like iFolder) in a DomU, not in Dom0. Therefore, it is not necessary
to select the respective patterns during the installation of Dom0.
The following packages have to be installed in the initial SUSE Linux Enterprise
Server 11 installation:
xen: Contains the Xen virtual machine monitor (Hypervisor).
xen-libs: Contains the libraries used to interact with the Xen virtual machine
monitor.
xen-tools: Contains xend and a collection of command line tools to administer a
Xen system.
vm-install: Contains Python scripts used to define a Xen virtual machine, and to
cause an operating system to begin installing within that virtual machine.
xen-doc-*: (Optional) Contains Xen documentation in various formats.
virt-manager: Provides a graphical interface to manage virtual machines.
virt-viewer: Provides a graphical console client for connecting to virtual
machines.
bridge-utils: Contains utilities to configure Linux ethernet bridges, which are
used to connect the domains to each other and to the physical network interface.
kernel-xen: Contains a modified Linux kernel that runs in a Xen domain, both
Dom0 and DomU.
Except for the last package, kernel-xen, these are all part of the Xen pattern.
The installation of the kernel-xen package automatically adds an entry like the
following into the /boot/grub/menu.lst bootloader configuration file:
###Don't change this comment - YaST2 identifier: Original name: xen###
title Xen -- SUSE Linux Enterprise Server 11 - 2.6.27.19-5
    root (hd0,1)
    kernel /boot/xen.gz
    module /boot/vmlinuz-2.6.27.19-5-xen root=/dev/disk/by-id/ata-ST380815AS_6QZ2FW3T-part2 insmod=e100 resume=/dev/disk/by-id/ata-ST380815AS_6QZ2FW3T-part1 splash=silent crashkernel= showopts vga=0x317
    module /boot/initrd-2.6.27.19-5-xen
The entry in menu.lst adds a new option to the boot menu of your system. When you
select this entry, the Xen virtual machine monitor is loaded (kernel /boot/
xen.gz) which starts SUSE Linux Enterprise Server 11 in Dom0 (see the lines
starting with module).
Before rebooting your system with the Xen option, you should check if the
automatically generated entry is correct. Make sure that
The line root (hd0,1) points to the partition which contains the Xen virtual
machine monitor and the Kernel of the Linux installation for Dom0. For
example, hd0,1 designates the second partition on the first hard drive in the
system. Also check if the parameter root= in the first module line points to the
root partition of the Dom0 installation.
The Xen version of the Linux kernel and the initrd are loaded in the module lines.
The names of the image files should end in -xen.
After checking the bootloader configuration file, you can reboot your system and
select the Xen option from the bootloader menu. In the early stages of the boot
process, you will see some messages of the Xen virtual machine monitor on the
screen. Then the Dom0 Linux operating system is started.
If the system is not booting properly, you can switch back to a non-virtualized system
by selecting the regular SUSE Linux Enterprise Server 11 boot option.
Install Xen on an Installed SUSE Linux Enterprise Server 11
You can easily add Xen to an existing installation of SUSE Linux Enterprise Server
11 using the YaST module created for this purpose.
In YaST, select Virtualization > Install Hypervisor and Tools. The required Xen
packages are installed.
The necessary changes are made to /boot/grub/menu.lst as described in Install Xen
during Installation of SUSE Linux Enterprise 11 on page 398 and a default network
bridge is configured.
Reboot the machine and select the Xen kernel from the boot menu.
To boot the Xen kernel by default, edit the default entry in /boot/grub/menu.lst:
# Modified by YaST2. Last modification on Thu Apr 2 17:27:29 CEST 2009
default 0
timeout 8
gfxmenu (hd0,1)/boot/message
##YaST - activate
###Don't change this comment - YaST2 identifier: Original name: xen###
title Xen -- SUSE Linux Enterprise Server 11 - 2.6.27.19-5
...
default 0 boots the first entry by default, default 1 the second, and so on.
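The checks listed for the generated Xen entry (root line, hypervisor loaded with kernel, -xen Dom0 kernel with root=, -xen initrd) and the choice of the default entry can be scripted instead of eyeballed. The following Python is an added example, not part of this manual or of the xen-tools package; it parses a GRUB legacy menu.lst, verifies the Xen entry and reports the index to put on the default line. The menu.lst text it ships with is constructed after the excerpts above, and the disk id ata-DISK is a placeholder for the real /dev/disk/by-id name.

```python
"""Added example, not from the manual: check the Xen entry YaST wrote to
/boot/grub/menu.lst before rebooting into it, and work out the value for the
'default' line so the Xen kernel boots by default. The menu.lst text below is
constructed; 'ata-DISK' stands in for the real /dev/disk/by-id name."""
import re

SAMPLE_MENU_LST = """\
# Modified by YaST2. Last modification on Thu Apr  2 17:27:29 CEST 2009
default 0
timeout 8
gfxmenu (hd0,1)/boot/message

###Don't change this comment - YaST2 identifier: Original name: linux###
title SUSE Linux Enterprise Server 11 - 2.6.27.19-5
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.27.19-5-default root=/dev/disk/by-id/ata-DISK-part2 showopts
    initrd /boot/initrd-2.6.27.19-5-default

###Don't change this comment - YaST2 identifier: Original name: xen###
title Xen -- SUSE Linux Enterprise Server 11 - 2.6.27.19-5
    root (hd0,1)
    kernel /boot/xen.gz
    module /boot/vmlinuz-2.6.27.19-5-xen root=/dev/disk/by-id/ata-DISK-part2 resume=/dev/disk/by-id/ata-DISK-part1 splash=silent showopts
    module /boot/initrd-2.6.27.19-5-xen
"""


def parse_menu_lst(text):
    """Split GRUB legacy menu.lst into (global options, entries). Each entry is
    {'title': ..., 'lines': [(keyword, argument), ...]} in file order."""
    options, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        arg = arg.strip()
        if keyword == "title":
            entries.append({"title": arg, "lines": []})
        elif entries:
            entries[-1]["lines"].append((keyword, arg))
        else:
            options[keyword] = arg
    return options, entries


def xen_entry_index(entries):
    """Index of the first 'title Xen ...' entry: GRUB legacy numbers entries
    from 0, so this is the value to put on the 'default' line. None if absent."""
    for i, entry in enumerate(entries):
        if entry["title"].startswith("Xen"):
            return i
    return None


def describe_root(root):
    """'(hd0,1)' -> 'partition 2 on disk 1': both numbers count from 0."""
    m = re.fullmatch(r"\(hd(\d+),(\d+)\)", root)
    if not m:
        raise ValueError("not a GRUB root spec: %r" % root)
    return "partition %d on disk %d" % (int(m.group(2)) + 1, int(m.group(1)) + 1)


def check_xen_entry(entry):
    """Return the list of problems with a Xen boot entry ([] means it passes):
    a root (hdX,Y) line, the hypervisor loaded with 'kernel', a -xen Dom0
    kernel carrying root=, and a -xen initrd in the two 'module' lines."""
    problems = []
    first = {}
    for keyword, arg in entry["lines"]:
        first.setdefault(keyword, arg)
    modules = [arg for keyword, arg in entry["lines"] if keyword == "module"]

    if not re.fullmatch(r"\(hd\d+,\d+\)", first.get("root", "")):
        problems.append("no 'root (hdX,Y)' line")
    if not re.match(r"/boot/xen(-[\d.]+)?\.gz(\s|$)", first.get("kernel", "")):
        problems.append("'kernel' does not load the hypervisor /boot/xen.gz")
    if len(modules) < 2:
        problems.append("expected two 'module' lines (Dom0 kernel and initrd)")
        return problems
    dom0_kernel, dom0_initrd = modules[0], modules[1]
    if not re.match(r"/boot/vmlinuz\S*-xen(\s|$)", dom0_kernel):
        problems.append("Dom0 kernel is not a -xen kernel: %s" % dom0_kernel.split()[0])
    if not re.search(r"(^|\s)root=\S+", dom0_kernel):
        problems.append("Dom0 kernel line has no root= parameter")
    if not re.match(r"/boot/initrd\S*-xen(\s|$)", dom0_initrd):
        problems.append("initrd is not the -xen flavour: %s" % dom0_initrd)
    return problems


if __name__ == "__main__":
    options, entries = parse_menu_lst(SAMPLE_MENU_LST)
    i = xen_entry_index(entries)
    print("Xen is entry %s; 'default' is currently %s" % (i, options.get("default")))
    print("root %s" % describe_root(dict(entries[i]["lines"])["root"]))
    for problem in check_xen_entry(entries[i]) or ["Xen entry looks good"]:
        print(" -", problem)
```

Run it against the real file with parse_menu_lst(open("/boot/grub/menu.lst").read()) on Dom0; if xen_entry_index() disagrees with the default line, the regular kernel will keep booting after a reboot.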
If you want to find out which kernel is currently in use, enter uname -a in a
terminal window:
da10:~ # uname -a
Linux da10 2.6.27.19-5-xen #1 SMP 2009-02-28 04:40:21 +0100 i686 i686 i386 GNU/Linux
The -xen suffix in the kernel release shows that the system is running under the Xen
virtual machine monitor.
Install a Xen Virtual Machine
After you have installed Xen and the Xen tools, you can use vm-install to create
unprivileged Xen domains. vm-install can be started directly from the command
line or by starting YaST and selecting Virtualization > Create Virtual Machines.
This tool guides you step by step through the creation of a Xen domain on your
system.
The first dialog looks like the following:
Figure 10-5 Virtual Machine Installation
This first page gives some information on the creation of a virtual machine. Selecting
Forward opens a dialog where you have a choice between a new installation of an
operating system and the use of an existing image.
If you decide to install an operating system, the following dialog appears:
Figure 10-6 Virtual Machine Installation: OS Type
Your choice of the type of operating system determines the suggested values in the
next dialog:
Figure 10-7 Virtual Machine Installation: Summary
It is necessary to specify the installation medium. Other values, such as the size of the
virtual hard disk, can be changed as needed.
To change a setting, select the blue headline.
We recommend switching to a fixed MAC address for Linux virtual machines.
Select Network Adapter on the Summary page to edit the suggested values or to
add another virtual network adapter. Select Edit on the Network Adapters page to
open the following dialog:
Figure 10-8 Virtual Machine Installation: Network Adapter
Selecting Randomly generated MAC address causes a new MAC address to be
created each time the virtual machine is started. With this setting and SLES11 as the
operating system within the virtual machine, the interface name within the virtual
machine changes each time the virtual machine is started.
To avoid this, select Specified MAC address. The vendor string for Xensource is
00:16:3e. Enter hex values in the spaces provided, making sure they are unique
within your network. Click Apply to return to the previous dialog.
In the Summary dialog, select Disks to change hard disk parameters or to add a hard
disk or a CDROM drive. The following dialog appears:
Figure 10-9 Virtual Machine Installation: Disks
Select Edit to change the highlighted entry. The following dialog appears:
Figure 10-10 Virtual Machine Installation: Virtual Disk
Here you can specify a different image file and change its size. When you select
Create Sparse Image File, the image file does not immediately use the specified
amount of disk space on the storage medium, but grows as space is actually used
within the virtual machine. It is also possible to specify a block device like /dev/sda5
instead of a file.
Select OK to return to the Disks dialog. Select Apply in the Disks dialog to return to
the Summary page.
The dialog for the CDROM drive is almost identical.
To specify an installation medium, in the Summary dialog select Operating System
Installation. The following dialog appears:
Figure 10-11 Virtual Machine Installation: OS Installation
In the Network URL text box, you can specify an installation source located in the
network, such as nfs://172.17.8.101/data/install/SLES11.
Select Apply to return to the Summary dialog.
To start the installation, select OK in the Summary dialog. A VNC window appears
that allows you to control and configure the operating system installation.
When you install SUSE Linux Enterprise Server 11 in a virtual machine, the device
name for the first hard disk within the virtual machine is /dev/xvda, the device name
for the second disk is /dev/xvdb, and so on. Apart from this detail, a virtual
installation is almost identical to an installation on real hardware.
Exercise 10-1 Install a Xen Server and an Unprivileged Domain
In this exercise, you learn how to install Xen and configure Dom0, and how to install
SUSE Linux Enterprise Server 11 in a Xen guest domain using vm-install.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Manage Xen Domains with Virt-Manager
Virt-Manager is a graphical tool used to manage virtual domains. It can be started by
entering the virt-manager command or by selecting Virtualization > Virtual
Machine Manager in YaST.
Figure 10-12 Virt-Manager
Double-click a virtual machine entry to open a VNC window:
Figure 10-13 DomU
In the screenshot above, the virtual machine is running. You could pause the machine
or shut it down using the respective buttons. Closing the VNC window as such does
not affect the state of the machine. It continues to run and you can attach to the VNC
session again by double-clicking the respective entry in Virt-Manager.
If you double-click an entry of a virtual machine that is not currently running, the
window appears empty and you can start the machine by clicking the Run button.
To release the mouse cursor from the VNC window, press Ctrl+Alt.
When you select an entry in the Virtual Machine Manager window with the right
mouse button and then select Details, another dialog appears:
Figure 10-14 DomU: Utilization
The Overview tab shows a graph of CPU and memory usage.
The Hardware tab allows you to view and change certain hardware parameters:
Figure 10-15 DomU: Hardware Details
You can add or remove virtual processors, change the memory currently used, or add
and remove hard disks and CDROM/DVD drives.
Removing and adding the CDROM drive is necessary when changing a CDROM in
the drive. Currently, CDROM drives appear as hard disks within the virtual machines
and media changes are not detected automatically.
Due to a bug at the time of this writing, adding and removing CDROM drives in Virt-
Manager is not possible. You have to use the xm command to access the content of a
CDROM/DVD or to change it. (The xm command will be covered in more detail in
Use the xm Tool on page 416.)
To change a DVD or CDROM in a virtual machine, do the following:
1. Put the CDROM or DVD in the DVD drive.
It will be mounted automatically in Dom0.
2. Open a terminal window, su - to root, then add the drive with the command
xm block-attach domainID dev_in_Dom0 dev_in_DomU r
for instance
xm block-attach sles11 phy:/dev/sr0 /dev/xvdb r
3. Within DomU, mount the device (/dev/xvdb in the example above).
When you want to change the CDROM/DVD, unmount the device in DomU.
4. In Dom0, find out the Vdev of the CDROM entry with xm block-list and then
remove this entry from the virtual machine with xm block-detach, as shown below.
The Vdev column is the device number DomU sees: xvd devices use major 202 with 16
minors per disk, so 51712 (202*256 + 0) is /dev/xvda and 51728 (202*256 + 16) is
/dev/xvdb, the CDROM attached in Step 2.
da10:~ # xm block-list sles11
Vdev BE handle state evt-ch ring-ref BE-path
51712 0 0 4 16 8 /local/domain/0/backend/vbd/1/51712
51728 0 0 4 18 897 /local/domain/0/backend/vbd/1/51728
da10:~ # xm block-detach sles11 51728
da10:~ #
5. Change the CDROM/DVD in the drive and attach the device again as explained
in Step 2.
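Picking the right Vdev out of xm block-list by hand is error-prone when a domain has several disks. The following Python is an added example, not part of this manual or of xen-tools; it decodes Vdev numbers into the device names DomU uses (xvd, major 202, and sd, major 8, with 16 minors per disk; the extended encoding Xen uses for xvdq and beyond is deliberately not handled) and picks the Vdev to pass to xm block-detach. The sample output is the listing above with the wrapped BE-path column rejoined.

```python
"""Added example, not from the manual: decode the Vdev numbers printed by
'xm block-list' into the device names seen inside DomU, so the right entry is
handed to 'xm block-detach'. Covers the classic encoding (major << 8 | minor,
16 minors per disk) for xvda..xvdp and sda..sdp; it does not handle Xen's
extended encoding for xvdq and higher. Sample output retyped from the manual."""
import re

SAMPLE_BLOCK_LIST = """\
Vdev  BE handle state evt-ch ring-ref BE-path
51712 0  0      4     16     8        /local/domain/0/backend/vbd/1/51712
51728 0  0      4     18     897      /local/domain/0/backend/vbd/1/51728
"""

MAJORS = {"xvd": 202, "sd": 8}        # Xen virtual block device, SCSI disk
MINORS_PER_DISK = 16                  # whole disk + up to 15 partitions


def name_to_vdev(name):
    """'xvdb' -> 51728, 'xvda1' -> 51713, 'sda' -> 2048."""
    m = re.fullmatch(r"(xvd|sd)([a-p])(\d*)", name)
    if not m:
        raise ValueError("unsupported device name %r" % name)
    disk = ord(m.group(2)) - ord("a")
    part = int(m.group(3) or 0)
    if part >= MINORS_PER_DISK:
        raise ValueError("partition %d does not fit the classic encoding" % part)
    return (MAJORS[m.group(1)] << 8) | (disk * MINORS_PER_DISK + part)


def vdev_to_name(vdev):
    """51728 -> 'xvdb'; the inverse of name_to_vdev()."""
    major, minor = vdev >> 8, vdev & 0xFF
    prefixes = {v: k for k, v in MAJORS.items()}
    if major not in prefixes:
        raise ValueError("vdev %d: major %d is neither xvd nor sd" % (vdev, major))
    disk, part = divmod(minor, MINORS_PER_DISK)
    return prefixes[major] + chr(ord("a") + disk) + (str(part) if part else "")


def parse_block_list(text):
    """Rows of 'xm block-list' as dicts with the decoded DomU device name."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header line
        fields = line.split()
        vdev = int(fields[0])
        rows.append({"vdev": vdev, "name": vdev_to_name(vdev),
                     "backend_path": fields[-1]})
    return rows


def vdev_for(text, name):
    """The Vdev to pass to 'xm block-detach' for the device DomU calls `name`,
    or None when the domain has no such device."""
    for row in parse_block_list(text):
        if row["name"] == name:
            return row["vdev"]
    return None


if __name__ == "__main__":
    for row in parse_block_list(SAMPLE_BLOCK_LIST):
        print(row["vdev"], row["name"], row["backend_path"])
    print("xm block-detach sles11 %d" % vdev_for(SAMPLE_BLOCK_LIST, "xvdb"))
```

On a live Dom0, feed it the output of xm block-list for the domain in question (for example via subprocess) and pass the returned Vdev to xm block-detach; detaching 51712 by mistake would pull the root disk out from under the guest.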
Exercise 10-2 Change Memory Allocation of a Guest Domain
In this exercise, you learn how to change the memory allocation of a guest domain
using the Virtual Machine Manager.
You will find this exercise in the workbook.
(End of Exercise)
Objective 4 Manage Xen Domains from the Command Line
In this objective, you learn how to manage Xen domains at the command line. To do
this, you need to
Understand Managed and Unmanaged Domains on page 415
Understand a Domain Configuration File on page 415
Use the xm Tool on page 416
Use the virsh Tool on page 418
Automate Domain Startup and Shutdown on page 420
Understand Managed and Unmanaged Domains
In Xen version 2, all DomUs were configured by a configuration file. You can still
use configuration files with Xen version 3. Virtual domains that are configured by
configuration files only are referred to as unmanaged domains.
Unmanaged domains appear in Virt-Manager or in the output of the xm list
command (covered later in this objective) only when they are running.
With Xen version 3, configuration details can be stored in the Xenstore database
located in /var/lib/xenstored/tdb. One advantage is that the virtual
machines always appear in virt-manager, even when not running, and can be started
as described in the previous objective. Virtual machines that have their configuration
in the Xenstore database are referred to as managed domains.
You can use the xm new configfile command to move configuration
information from a configuration file into the Xenstore database.
Currently it is not possible to export a configuration from the Xenstore database to a
configuration file. To remove configuration information from the Xenstore database,
use the xm delete vm_name command. This command removes only the
configuration information from the database; the disk image files remain unchanged.
When a virtual machine is created with vm-install, the configuration is written to /
etc/xen/vm/vm_name and to the Xenstore database simultaneously. Later
changes to the configuration file have no effect on the information in the Xenstore
database.
To change the configuration in the Xenstore database, delete the configuration from
the database with xm delete vm_name, edit the configuration file in /etc/
xen/vm/, and integrate the new configuration in the database with xm new
configfile.
Understand a Domain Configuration File
The configuration files for domains created with vm-install are located in /etc/
xen/vm/.
A configuration file contains several keywords which configure different aspects of a
Xen domain. A configuration file created by vm-install during the installation of a
virtual machine could look like the following:
name="sles11"
uuid="3eb65cbd-ae8e-2a79-cf1e-89189489d085"
memory=512
maxmem=512
vcpus=2
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"
builder="linux"
bootloader="/usr/bin/pygrub"
bootargs=""
extra=" "
disk=[ 'file:/var/lib/xen/images/sles11/disk0,xvda,w', 'phy:/dev/sr0,xvdb:cdrom,r', ]
vif=[ 'mac=00:16:3e:31:24:13,bridge=br0', ]
vfb=['type=vnc,vncunused=1']
Under /etc/xen/examples/, you find example files which can be used to create
a configuration from scratch. The comments in these files (lines starting with a #
sign) give more information on the available options and the required syntax.
NOTE: A good source for detailed documentation and HOWTOs about Xen and the domain
configuration files is the Xen wiki at http://wiki.xensource.com/.
Use the xm Tool
xm is the administration command line tool for Xen domains. It communicates with
the xend management process running on the Dom0 Linux installation. The xm
command line uses the following format:
xm subcommand [options] [arguments] [variables]
You can get a complete list of the xm subcommands by entering xm help. The xm
manual page contains information on the available options for each of the
subcommands. This manual covers only the more frequently used subcommands.
You can use the create subcommand to start an unmanaged virtual machine:
xm create -c -f /data/xen/SLES11-WebServer.conf
The -c option lets xm connect to the console of the started domain, so that you can
interact with the system. To disconnect from the console and return to the original
command line, enter the key combination Ctrl-].
The -f option specifies the configuration file of the domain that should be started.
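A domain configuration file is Python source, and xm executes it, so a typo (or a hostile edit) in /etc/xen/vm is not caught until xm create fails or, worse, runs. The following Python is an added example, not part of this manual or of xen-tools: it reads a vm-install style file with ast.literal_eval instead of executing it, checks the points this section and the Network Adapter dialog raise (memory against maxmem, disk backends and modes, a fixed MAC in the XenSource 00:16:3e range that no other domain uses) and mints a new fixed MAC for a further domain. The configuration text is constructed after the example above; other_macs and check_paths are this example's own parameters.

```python
"""Added example, not from the manual: inspect a /etc/xen/vm domain
configuration without executing it, report common mistakes before 'xm create'
or 'xm new', and generate a fixed MAC in the XenSource OUI 00:16:3e.
SAMPLE_CONFIG is constructed after the vm-install example in the manual."""
import ast
import os
import re

SAMPLE_CONFIG = """\
name="sles11"
uuid="3eb65cbd-ae8e-2a79-cf1e-89189489d085"
memory=512
maxmem=512
vcpus=2
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
builder="linux"
bootloader="/usr/bin/pygrub"
disk=[ 'file:/var/lib/xen/images/sles11/disk0,xvda,w', 'phy:/dev/sr0,xvdb:cdrom,r', ]
vif=[ 'mac=00:16:3e:31:24:13,bridge=br0', ]
vfb=['type=vnc,vncunused=1']
"""

XEN_OUI = "00:16:3e"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_domain_config(text):
    """Accept only 'name = <literal>' statements. xm exec()s these files; with
    ast.literal_eval a crafted config cannot run code on Dom0 just by being
    inspected. Anything else (imports, calls, expressions) is rejected."""
    cfg = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError("unsupported statement at line %d" % node.lineno)
        cfg[node.targets[0].id] = ast.literal_eval(node.value)
    return cfg


def parse_disk(spec):
    """'phy:/dev/sr0,xvdb:cdrom,r' -> backend, frontend device, cdrom flag, mode."""
    backend, frontend, mode = (s.strip() for s in spec.split(","))
    dev, _, kind = frontend.partition(":")
    return {"backend": backend, "frontend": dev, "cdrom": kind == "cdrom", "mode": mode}


def check_domain_config(cfg, other_macs=(), check_paths=False):
    """Return a list of findings (empty = nothing found). other_macs are the
    MACs of the other domains on the bridge; check_paths additionally requires
    file:/phy: backends to exist on this Dom0."""
    findings = []
    if cfg.get("memory", 0) > cfg.get("maxmem", cfg.get("memory", 0)):
        findings.append("memory exceeds maxmem")
    seen = set()
    for spec in cfg.get("disk", []):
        d = parse_disk(spec)
        if d["frontend"] in seen:
            findings.append("frontend device %s used twice" % d["frontend"])
        seen.add(d["frontend"])
        if d["mode"] not in ("r", "w", "w!"):
            findings.append("unknown disk mode %r for %s" % (d["mode"], d["frontend"]))
        if d["cdrom"] and d["mode"] != "r":
            findings.append("cdrom %s should be attached read-only" % d["frontend"])
        proto, _, path = d["backend"].partition(":")
        if proto not in ("file", "phy", "tap"):
            findings.append("unknown backend type %r" % proto)
        elif check_paths and proto in ("file", "phy") and not os.path.exists(path):
            findings.append("backend %s does not exist on Dom0" % path)
    taken = {m.lower() for m in other_macs}
    for vif in cfg.get("vif", []):
        opts = dict(kv.split("=", 1) for kv in vif.split(",") if "=" in kv)
        mac = opts.get("mac", "").lower()
        if not mac:
            findings.append("vif has no fixed mac= (interface name will change per boot)")
        elif not MAC_RE.match(mac):
            findings.append("malformed mac %r" % mac)
        elif not mac.startswith(XEN_OUI):
            findings.append("mac %s is outside the XenSource range %s" % (mac, XEN_OUI))
        elif mac in taken:
            findings.append("mac %s already used by another domain" % mac)
    return findings


def new_xen_mac(rand=os.urandom):
    """Fixed MAC in the XenSource OUI with three random octets; verify it
    against the other domains' configs with check_domain_config()."""
    return XEN_OUI + ":" + ":".join("%02x" % b for b in rand(3))


if __name__ == "__main__":
    cfg = parse_domain_config(SAMPLE_CONFIG)
    print(cfg["name"], check_domain_config(cfg) or "no findings")
    print("suggested MAC for a new domain:", new_xen_mac())
```

To check all domains on a host, parse every file in /etc/xen/vm/, collect their vif MACs, and pass the others as other_macs when checking each one; a duplicate MAC on br0 shows up as two guests intermittently losing connectivity rather than as an error message.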
The list command displays information about all managed Xen domains and the
currently running unmanaged Xen domains:
da10:~ # xm list
Name ID Mem VCPUs State Time(s)
Domain-0 0 1481 2 r----- 298.3
sles11 1 512 2 -b---- 23.0
The output of the list command contains the following fields:
Name: Name of the domain as specified in the configuration file.
ID: Numeric, consecutive domain ID, which is automatically assigned when the
domain starts.
Mem: Amount of memory (in MB) assigned to the domain.
VCPUs: Number of virtual CPUs utilized by this domain.
State: Current state of the domain. The column has one position per flag; a
dash means the flag is not set. The flags are:
r: Domain is running.
b: Domain has been created but is currently blocked. This can happen when
a domain is waiting for I/O or when there is nothing to do for a domain.
p: Domain is paused. The state of the domain is saved and can be restored.
s: Domain is in the process of being shut down.
c: Domain has crashed due to an error or misconfiguration.
d: Domain is dying, that is, it is being torn down.
Time: Total run time of the domain (in seconds) as accounted for by Xen.
An alternative to list is the xm top command, which displays domain information
updated in real time.
To start a managed domain, use the following command:
xm start vm_name
The console command connects you with the terminal of a running domain:
xm console domain_id
The command takes the domain id as a parameter, which can be determined with the
list command (field: ID). The name (field: Name) works as well. As mentioned
before, use the key combination Ctrl-] to disconnect from a terminal.
With the pause command, you can interrupt the execution of a domain temporarily:
xm pause domain_id
A paused domain is not completely shut down. The current state is saved and the
execution of the domain can be continued with the unpause command:
xm unpause domain_id
To shut down a domain, use the shutdown command:
xm shutdown domain_id
This is equivalent to using the appropriate command within the virtual machine
(shutdown -h now in Linux).
If the domain is not responding anymore, you can force the shutdown of the domain
with the destroy command:
xm destroy domain_id
This is equivalent to pulling the plug on a physical machine.
To save the state of a domain for a longer time (for example, over a reboot of Dom0)
you can use the save command:
xm save domain_id filename
The domain can be restored from the resulting file with the restore command:
xm restore filename
Another commonly used command is mem-set, which allows you to change the
memory allocation of a domain:
xm mem-set domain_id amount_of_memory
The amount of memory is specified in megabytes.
Block devices can be added to DomUs with the xm block-attach command:
xm block-attach domainID dev_in_Dom0 dev_in_DomU r/w
To remove the device again, first use xm block-list to find out which DeviceID
to use in the xm block-detach command:
xm block-list domainID
xm block-detach domainID DeviceID
Use the virsh Tool
The virsh command is similar to the xm command. The basic structure of the virsh
command is as follows:
virsh subcommand <domainID> [options]
virsh can be used to administer Xen domains. The options are similar to those of
the xm command; however, some of them differ.
You can get a complete list of the virsh subcommands by entering virsh help.
The virsh manual page contains information on the available options for each of the
subcommands. This manual covers only the more frequently used subcommands.
You can use the create subcommand to start an unmanaged virtual machine, using
a configuration file in XML format:
virsh create /data/xen/da-xen.xml
The console subcommand connects you with the terminal of a running domain:
virsh console domain_id
The command takes the domain id as a parameter, which can be determined with the
xm list command (field: ID). The name (field: Name) works as well. Use the key
combination Ctrl-] to disconnect from a terminal.
The virsh list command displays information about running Xen domains;
however, the xm list command gives you more information, as it also lists managed
domains that are not currently running.
To start a managed domain, use the following command:
virsh start vm_name
With the suspend subcommand, you can interrupt the execution of a domain
temporarily:
virsh suspend domain_id
A suspended domain is not completely shut down. The current state is saved and the
execution of the domain can be continued with the resume subcommand:
virsh resume domain_id
To shut down a domain, use the shutdown subcommand:
virsh shutdown domain_id
This is equivalent to using the appropriate command within the virtual machine
(shutdown -h now in Linux).
If the domain is not responding anymore, you can force the shutdown of the domain
with the destroy command:
virsh destroy domain_id
This is equivalent to pulling the plug on a physical machine.
To save the state of a domain for a longer time (for example, over a reboot of Dom0)
you can use the save subcommand:
virsh save domain_id filename
The domain can be restored from the resulting file with the restore subcommand:
virsh restore filename
Another commonly used subcommand is setmem, which allows you to change the
memory allocation of a domain:
virsh setmem domain_id amount_of_memory
The amount of memory is specified in kilobytes.
Block devices can be added to DomUs with the attach-disk subcommand:
virsh attach-disk domainID dev_in_Dom0 dev_in_DomU
To remove the device again, use the detach-disk subcommand:
virsh detach-disk domainID dev_in_DomU
Automate Domain Startup and Shutdown
When you start, shut down, or reboot the Dom0 of a Xen system, other running Xen
domains are also affected. The other Xen domains cannot operate without a running
Dom0.
SUSE Linux Enterprise Server 11 comes with a start script called xendomains
which is included in the xen-tools package.
The script, which should be installed on Dom0, does the following:
When Dom0 is booted, all domains with configuration files located under
/etc/xen/auto/ are started. It is recommended to create a symbolic link in
this directory pointing to the actual configuration file in /etc/xen/vm/.
When Dom0 is shut down or rebooted, running Xen domains are shut down
automatically.
NOTE: If you have a configuration file for a domain that is also in the Xenstore database, the
automatic start uses the information in the configuration file and ignores the information in
Xenstore, which may be different from that in the configuration file.
To start and stop managed domains automatically you can create a start script based
on the /etc/init.d/skeleton file, using the applicable xm commands, such as
xm start vm_name and xm shutdown vm_name.
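As an added example (not code from the manual or from the xen-tools package), a minimal init-style script along the lines of the skeleton approach just described. It assumes xm is on the PATH and that the domain is a managed domain known to xend; the default domain name sles11 is a constructed value, and the xm list parsing is written so a stopped managed domain (empty ID column) is handled as well:

```shell
#!/bin/sh
# Init-style start/stop script for one managed Xen domain, to be run in Dom0.
# Added example in the spirit of the /etc/init.d/skeleton approach described
# in the manual; not part of the SLES 11 manual or of the xen-tools package.
# Assumptions: xm is on the PATH and the domain is a managed domain known to
# xend (so 'xm start' works). The default domain name is a constructed value.

DOMAIN="${DOMAIN:-sles11}"                  # name as shown in the 'xm list' Name column
XM="${XM:-xm}"                              # management command (overridable for tests)
SHUTDOWN_TIMEOUT="${SHUTDOWN_TIMEOUT:-60}"  # seconds to wait for a clean shutdown

# domain_state NAME: read 'xm list' output from stdin and print the State column
# of the domain NAME, e.g. "r-----" or "-b----". Prints nothing when NAME is not
# listed. The State field is located by its shape rather than by position,
# because a managed but stopped domain has an empty ID column.
domain_state() {
    awk -v name="$1" '
        NR > 1 && $1 == name {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[rbpscd-]+$/ && length($i) == 6) { print $i; exit }
        }'
}

# domain_active NAME: succeed when NAME currently has an instance (running,
# blocked, paused, shutting down or crashed); fail when it is stopped or unknown.
domain_active() {
    case "$("$XM" list | domain_state "$1")" in
        *[rbpsc]*) return 0 ;;
        *)         return 1 ;;
    esac
}

start_domain() {
    if domain_active "$DOMAIN"; then
        echo "$DOMAIN is already running"
        return 0
    fi
    "$XM" start "$DOMAIN"
}

# Ask the guest to shut down cleanly (the equivalent of 'shutdown -h now'
# inside it) and wait. Only if it does not react within SHUTDOWN_TIMEOUT
# seconds fall back to destroy, which is the "pull the plug" option.
stop_domain() {
    if ! domain_active "$DOMAIN"; then
        echo "$DOMAIN is not running"
        return 0
    fi
    "$XM" shutdown "$DOMAIN"
    waited=0
    while domain_active "$DOMAIN"; do
        if [ "$waited" -ge "$SHUTDOWN_TIMEOUT" ]; then
            echo "$DOMAIN did not shut down within ${SHUTDOWN_TIMEOUT}s, destroying it" >&2
            "$XM" destroy "$DOMAIN"
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$DOMAIN has been shut down"
}

# Dispatch like an init script. With no argument nothing is executed, so the
# file can also be sourced to reuse the functions.
case "${1:-}" in
    start)   start_domain ;;
    stop)    stop_domain ;;
    restart) stop_domain; start_domain ;;
    status)
        if domain_active "$DOMAIN"; then echo "$DOMAIN is running"
        else echo "$DOMAIN is stopped"; fi ;;
    "")      ;;
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Copied to /etc/init.d and given a second copy with a different DOMAIN default, the same file serves one domain per script, which is the pattern the course asks for in the practicum section.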
The xendomains script has configuration options that can be adjusted in the file
/etc/sysconfig/xendomains. The configuration variables in this file are
explained in accompanying comments.
One interesting option is to migrate domains automatically to a different host when a
Dom0 is shut down. This can be configured in the variable
XENDOMAINS_MIGRATE. The variable has to be set to the IP address of the target
machine. When the variable is empty, no migration is performed. Migration of virtual
machines is not covered in this course, though.
Exercise 10-3 Automate Domain Startup
In this exercise, you learn how to start up domains automatically when the system is
booted.
You will find this exercise in the workbook.
(End of Exercise)
Objective 5 Understand Xen Networking
Usually the network connection of Xen domains works out of the box. However, if
you would like to change the configuration, networking with Xen can be a bit tricky.
The following should give you an overview of how Xen domains are connected to the
physical network. You need to
Understand Bridging on page 422
Understand the Xen Networking Concept on page 423
Understand Bridging
When you install Xen using the YaST Install Hypervisor and Tools module, the
network configuration is changed by YaST to include a network bridge.
Bridging basically means that multiple network interfaces are combined to one.
Traditionally, this technique is used to connect two network segments.
In the context of Xen, it is the default mechanism to connect virtual and physical
interfaces in Dom0. You can consider the bridge as a kind of virtual switch which
virtual and physical interfaces are connected to. The physical interface connects to
the physical network and the DomUs connect to the virtual interfaces, thus allowing
DomUs to access the physical network.
In a setup without a bridge, the configuration for the eth0 interface is contained in the
/etc/sysconfig/network/ifcfg-eth0 file. With the change to a bridge,
this file is deleted and a /etc/sysconfig/network/ifcfg-br0 file created.
Its content looks similar to the following:
da10:~ # cat /etc/sysconfig/network/ifcfg-br0
BOOTPROTO='dhcp'
BRIDGE='yes'
BRIDGE_FORWARDDELAY='0'
BRIDGE_PORTS='eth0'
BRIDGE_STP='off'
STARTMODE='onboot'
USERCONTROL='no'
The IP address is no longer assigned to the interface eth0 as before, but to the bridge
(in this case using dhcp). The interface that actually connects to the physical network
is attached to the bridge (BRIDGE_PORTS=eth0) but does not have an IP
address of its own.
This is reflected in the output of the ip command:
da10:~ # ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
...
2: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:80:c8:f6:88:9f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::280:c8ff:fef6:889f/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 100
    link/ether 00:19:d1:9f:17:87 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::219:d1ff:fe9f:1787/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:19:d1:9f:17:87 brd ff:ff:ff:ff:ff:ff
    inet 172.17.8.1/16 brd 172.17.255.255 scope global br0
    inet6 fe80::219:d1ff:fe9f:1787/64 scope link
       valid_lft forever preferred_lft forever
The command to configure network bridges is brctl. It can be used to list the
current setup, as in the following example:
da10:~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0019d19f1787       no              eth0
Other brctl commands include the following:
brctl addbr name: Creates a new bridge named name.
brctl delbr name: Deletes the bridge named name. The network interface
corresponding to the bridge must be down before it can be deleted.
brctl addif brname ifname: Adds the interface ifname to the bridge brname.
brctl delif brname ifname: Deletes the interface ifname from the bridge brname.
Understand the Xen Networking Concept
In a Xen setup, the xend management process in Dom0 controls the physical network
interfaces of a host system. When a DomU starts up, the
/etc/xen/scripts/network-bridge script takes care of the virtual interface needed to
connect the new DomU to the physical network via the bridge.
When a new Domain U is created, the following changes to the network
configuration are made (simplified):
1. Xen provides a virtual network device to the new domain. Within that domain,
that device will appear as ethx.
2. xend creates a new virtual interface in Dom0.
3. The virtual interface in Dom0 and the virtual network device in the unprivileged
domain are connected through a virtual point-to-point connection.
4. The virtual interface in Dom0 is added to the bridge with the physical interface.
These steps affect only the general network connectivity. The IP configuration inside
the unprivileged domain is done separately with DHCP or a static network
configuration.
The following graphic illustrates the relationship of the various interfaces involved:
Figure 10-16 Xen Networking
The output of ip a s shows the new interface:
da10:~ # ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
...
2: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
...
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 100
...
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:19:d1:9f:17:87 brd ff:ff:ff:ff:ff:ff
    inet 172.17.8.1/16 brd 172.17.255.255 scope global br0
    inet6 fe80::219:d1ff:fe9f:1787/64 scope link
       valid_lft forever preferred_lft forever
5: vif1.0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever
The new interface is added to the existing bridge, as shown in the output of brctl:
da10:~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0019d19f1787       no              eth0
                                                        vif1.0
The naming scheme is
vifdomain_number.interface_number
For example, the counterpart for eth0 in domain number 2 is vif2.0.
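As an added example that is not part of the manual, a small script that applies this naming scheme to brctl show output: it lists which domain each port of a bridge belongs to and flags ports that are neither the physical uplink nor a vif, which is a quick consistency check for the bridge setup. The brctl output it parses is read from stdin or a saved file; the sample in the test is constructed after the manual's own example:

```shell
#!/bin/sh
# Report which domain owns each interface attached to a Xen bridge, using the
# vif<domain_number>.<interface_number> naming scheme described in the manual.
# Added example, not part of the SLES 11 manual; it reads 'brctl show' output
# from stdin (or a saved copy), so it runs in Dom0 or against a captured file.

# bridge_ports: print "bridge interface" pairs. In 'brctl show' output the first
# interface shares the line with the bridge name (4 fields); every further
# interface of that bridge follows on a line of its own (1 field), as in the
# manual's example with eth0 and vif1.0. A bridge without ports has 3 fields.
bridge_ports() {
    awk 'NR == 1 { next }
         NF >= 4 { bridge = $1; print bridge, $4; next }
         NF == 3 { bridge = ""; next }
         NF == 1 && bridge != "" { print bridge, $1 }'
}

# classify_port IFNAME: describe one bridge port. vifN.M belongs to domain N
# and appears as ethM inside that domain; eth* is the physical uplink; anything
# else deserves a second look, because only those two kinds are expected on a
# default Xen bridge.
classify_port() {
    case "$1" in
        vif*.*)
            dom="${1#vif}"; dom="${dom%%.*}"
            echo "domain $dom (eth${1##*.} inside the domain)" ;;
        eth*)
            echo "physical uplink" ;;
        *)
            echo "UNEXPECTED port" ;;
    esac
}

# report: one line per port, e.g. "br0 vif1.0: domain 1 (eth0 inside the domain)"
report() {
    bridge_ports | while read -r bridge port; do
        echo "$bridge $port: $(classify_port "$port")"
    done
}

# Usage: brctl show | sh xen-bridge-ports.sh -    (or pass a saved output file).
# Without an argument nothing runs, so the file can be sourced for its functions.
if [ $# -eq 1 ]; then
    if [ "$1" = "-" ]; then report; else report < "$1"; fi
fi
```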
The /etc/xen/scripts directory contains additional scripts that can be used to set up
NAT or routing instead of the default bridge setup. In the
/etc/xen/xend-config.sxp file you can configure which network scripts are used by xend.
NOTE: Because of the complexity of the Xen network setup, the default firewall (SuSEFirewall2)
is not working correctly in Dom0. We recommend that you disable SuSEFirewall2 and then set up a
customized firewall script if needed.
Exercise 10-4 Check the Network Configuration
In this exercise, you learn how to use the brctl show command to view the bridge
setup and changes to it.
You will find this exercise in the workbook.
(End of Exercise)
Summary
Objective: Understand How Virtualization with Xen Works
Summary: Virtualization technology separates a running instance of an operating
system from the physical hardware. Instead of running on a physical machine, the
operating system runs in a so-called virtual machine. Multiple virtual machines
share the resources of the underlying hardware.
There are two different kinds of virtualization:
Full virtualization
Para-virtualization
Para-virtualization requires modifications to the operating system running in the
virtual machine.
Objective: Install Xen
Summary: To use Xen, you have to install the Xen hypervisor, a kernel that is aware
of Xen, and the Xen management tools in the SLES 11 installation running on the
physical hardware (the virtual machine server).
After booting the Xen kernel, you can install virtual machines using the vm-install
tool.
Objective: Manage Xen Domains with Virt-Manager
Summary: Virt-Manager can be used to manage Xen domains. Virt-Manager allows you
to start virtual domains, open a VNC window to view the graphical interface, and
change virtual hardware parameters such as available RAM or hard disk space.
Virt-Manager displays all managed domains (running or not) and running unmanaged
domains.
Objective: Manage Xen Domains from the Command Line
Summary: xm is the command line administration tool for Xen domains.
To start a virtual machine, the create subcommand is used for unmanaged machines,
while start is used for managed machines:
xm create -c -f /etc/xen/vm/SLES11.conf
xm start sled11
Other frequently used xm subcommands are shutdown, stop, new, and delete. Use
xm help for a complete list of available commands.
Objective: Understand Xen Networking
Summary: Domain 0 (Dom0) is the central point to configure the network connections
on a Xen system. The configuration in Dom0 determines what virtual network
hardware is available within a domain U (DomU).
All unprivileged domains are connected with the physical network through Dom0.
A network bridge in Dom0 is used as a virtual switch. This bridge is controlled by
xend.
The IP configuration of virtual network cards is done from within the unprivileged
domains.
SECTION 11 Prepare for the Novell CLP 11 Practicum
In this section, you work through the following scenarios to prepare for the Novell
CLP (Certified Linux Professional) 11 practicum exam:
1. Install a Xen Environment on page 430
2. Configure a Web Server on page 431
3. Configure a Samba File Server on page 432
4. Automate System Tasks on page 433
Remember that skills from all three Novell CLP courses might be necessary to fulfill
the required tasks.
NOTE: There might not be enough time to complete all of the objectives in this section on the last
day of the course. We recommend you complete the remaining parts at home.
Scenario
DigitalAirlines is planning on deploying SUSE Linux in its IT infrastructure. During
the first phase, SUSE Linux Enterprise Server 11 will be used on the back-end
systems like file, Web, and network-infrastructure servers.
As the network administrator for your DigitalAirlines office, you (along with the
management) have designed a migration plan which includes the following services
to be migrated to SUSE Linux Enterprise Server 11:
Intranet Web server
File and print services for Windows clients.
Both services should run on the same physical system in separate Xen domains.
You decide to start by installing and testing these services on a computer in the test
lab.
Objective 1 Install a Xen Environment
To create a base for the Samba and the Apache system, it is required to reinstall your
physical machine and to set up three Xen domains: one domain0 and two domainUs.
Set up your system according to the following guidelines:
Delete the existing installation on your system and reinstall SUSE Linux
Enterprise Server 11.
During the installation, create a partition which has enough space to hold the
file system image files of two SUSE Linux Enterprise Server 11 Xen
installations. Mount this partition under /xen in domain0.
Install Xen and boot into domain0 of the Xen system.
Create two Xen domains with YaST and install SUSE Linux Enterprise Server
11. Make sure that the file system image files are stored under /xen.
Make sure that networking works in domain0 and in the two domainU systems.
Objective 2 Configure a Web Server
Your DigitalAirlines office runs an internal Web server which provides vital
information for employees. The server hosts a general portal site and a virtual host for
every department.
Because the Web server needs to be migrated to SUSE Linux Enterprise Server 11,
you decide to create a prototype system for the general portal site and two
departments (accounting and marketing) in one of the Xen domains (domainU).
Set up the prototype system using the following guidelines:
Install and configure an Apache Web server that hosts the general portal site and
two virtual hosts for the departments accounting and marketing.
Use the Apache example pages as demo content.
The virtual host from accounting should run under SSL and should be accessible
only to the users in the accounting group.
Make additional entries in the file /etc/hosts to test the virtual host setup.
From each department, one user should be allowed to log in using SSH on the
server to change the content of the virtual host.
Create the users JNelson and SRife on your system. JNelson should be
responsible for the marketing department and SRife for the accounting
department.
All pages which you have to migrate end in .htm. Create a shell script which
replaces the .htm with .html.
Objective 3 Configure a Samba File Server
As part of the SUSE Linux migration plan for your DigitalAirlines office, you need to
move file and print services to a Samba server running on SUSE Linux Enterprise
Server 11.
You decide to test this migration for the marketing department on the other Xen
domain (domainU).
Set up the Samba server using the following guidelines:
Install the Samba server and client software.
Configure a marketing workgroup.
Create a UNIX group named marketing.
Create two normal users (PSmith and JWattson) who are members of the
accounting group and are included in the smbpasswd file.
Create one shared folder for the group accounting.
Test your shares (you can use smbclient).
Objective 4 Automate System Tasks
In order to make the administration of the SUSE Linux Enterprise Server 11 system
as convenient as possible, certain tasks should be automated with shell scripts.
Do the following:
On domain0, develop a shell script which can be used to start and stop the Web
server and the Samba server domains. The scripts should simply take the
parameters start and stop.
Every call of the scripts should be documented by sending a mail to the root user.
First, develop a script for the Web server domain. When this script works
properly, make a copy and adjust it for the Samba server domain.
Both scripts should be installed in the ~/bin directory of the root user.
On the Samba server, develop a script that searches for Windows executables in
the shared folder of the accounting department.
Use the file command to determine whether a file is a Windows executable or
not.
When a file is detected as a Windows executable, it should be moved to a
quarantine directory in root's home directory. Additionally, a mail should be sent
to the root user for every executable found. The mail should include information
about the filename and the location where the file was found.
On the Web server domain, develop a backup script that makes an incremental
backup of the /srv/www/ directory. Status information about the backup
should be mailed to the root user when the backup has been completed.
Index
Symbols
/etc/apache2/ 8-230
/etc/auto.master 4-32
/etc/cups/cupsd.conf 5-105, 5-106
/etc/cups/ppd/ 5-94
/etc/cups/printers.conf 5-100
/etc/dhcpd.conf 12-376
/etc/exports 4-24
/etc/group 6-122
/etc/init.d/ntp 4-47
/etc/nsswitch.conf 6-146
/etc/passwd 6-122
/etc/printcap 5-102
/etc/samba/smb.conf 7-179
/etc/samba/smbpasswd 7-192
/etc/shadow 6-122
/etc/sysconfig/clock 4-38
/etc/sysconfig/dhcpd 12-375
/etc/sysconfig/ntp 4-49
/etc/xen/vm/ 13-415
/etc/xinetd.conf 4-56
/etc/xinetd.d/ 4-57
/srv/www/htdocs 8-225
/var/lib/autoinstall/repository/ 12-382
/var/log/ntp 4-49
/var/spool/cups/ 5-99
Numerics
6in4 tunnel 9-270
6to4 tunnel 9-266
A
accept 5-94
add_on_products.xml 12-359, 12-365
Add-On Creator 12-359
add-on product 12-359
adjtimex 4-37
Allow from 8-238
Apache 8-224
access control 8-237
configuration 8-229
installation 8-226
PHP 8-248
SSL 8-241
apache2ctl configtest 8-231
arithmetic operations 11-325
array 11-331
attribute 6-130
autofs 4-32
automated installation 12-385
AutoYaST 12-354
Create configuration file 12-381
reference profile 12-382
B
Backup Domain Controller 7-211
Bash 11-301, 11-302
BDC 7-211
bind= 4-25
bottleneck 10-274
bridge 13-422
C
cancel 5-93
case 11-319
certificate 8-243
chkconfig
xinetd 4-59
CIDR 9-256
cifs 7-204
classless interdomain routing 9-256
CMOS clock 4-36
command substitution 11-313
common name 6-135
Common UNIX Printing System 5-73
container objects 6-128
context 6-134
control structures 11-316
country object 6-129
create_package_descr 12-366
create_sha1sums 12-366
create_update_source.sh 12-365
crossmnt 4-25
CUPS 5-73
access log 5-102
access restrictions 5-107, 5-109
Berkeley style commands 5-91
browsing 5-106
classes 5-115
configuration 5-74
configuration file 5-105
documentation 5-115
error log 5-104
page log 5-104
print queues 5-100
System V style commands 5-91
web interface 5-113
cups
policies 5-109
cupsd, start and stop 5-97
cupsdisable 5-94
cupsenable 5-94
cupsomatic 5-99
cut 11-341
D
DAP 6-126
date 4-37, 11-342
Deny from 8-238
deployment strategy 12-356
DHCP Server 12-371
DIB 6-125
Directory Access Protocol 6-126
Directory Information Database 6-125
Directory Information Shadowing Protocol 6-127
Directory Information Tree 6-126
Directory System Agent 6-126
Directory System Protocol 6-127
Directory User Agent 6-126
DISP 6-127
Displays 10-275
distinguished name 6-135
DIT 6-126
document root 8-225
Dom0 13-396
domain
managed 13-415
unmanaged 13-415
Domain 0 13-396
domain component objects 6-128
domain controller 7-207, 7-210
domain database 7-210
Domain U 13-397
domains 7-210
DomU 13-397
drift 4-42
DSA 6-126
DSP 6-127
DUA 6-126
E
egrep 11-342
encryption 8-241
exportfs 4-26
F
file descriptor 11-303
File Transfer Protocol 4-63
for loop 11-320
free 10-277
fsid=0 4-25
FTP 4-63
active 4-64
anonymous 4-66
passive 4-64
protocol 4-63
FTP server 4-64
full virtualization 13-395
function 11-337
G
gethostip 12-373
getopts 11-338
GMT 4-37
Gnome System Monitor 10-282
Greenwich Mean Time 4-37
grep 11-342
groupadd 6-155
groupdel 6-155
groupmod 6-155
H
hardware clock 4-36
HTML 8-224
htpasswd2 8-239
HTTP
headers 8-226
Request method 8-225
HTTPS 8-226
hwclock 4-37, 4-38
Hyper-Text Markup Language 8-224
I
IETF 9-255
if 11-316
installation
automated 12-354, 12-385
deployment strategy 12-356
options 12-355
installation repository 12-358
installation server 12-358
inst-source-utils 12-365
Internet Engineering Task Force 9-255
Internet Printing Protocol 5-73
Internet Protocol Version 6 9-255
iostat 10-279
ip 9-265
IPP 5-73
IPv6 9-255
address types 9-257
addresses 9-256
autoconfiguration 9-261
features 9-256
host address 9-259
ip command 9-265
network addresses 9-258
unicast addresses 9-258
J
jitter 4-42
K
KDE System Guard 10-275, 10-282
L
LDAP 6-122, 6-127
LDAP Browser 6-145
LDAP browser 6-165
LDAP client, installation 6-145
LDAP Data Interchange Format 6-156
LDAP Directory Tree 6-127
LDAP server, installation 6-136
LDAP, root entry 6-145
LDAP, user management in YaST 6-159
ldapadd 6-157
ldapdelete 6-159
ldapmodify 6-158
ldapsearch 6-155
LDIF 6-156
leaf objects 6-128
Lightweight Directory Access Protocol 6-122, 6-127
link local address 9-258
local master browser 7-209
local time 4-37
lp 5-91
lpadmin 5-89
lpoptions 5-92, 5-95
lpq 5-92
lpr 5-91
lprm 5-93
lpstat 5-92
M
machine accounts 7-215
master browser 7-209
memory 10-275
mount 7-204
N
NetBIOS 7-174
NetBIOS name 7-175
NetBIOS Suffix 7-175
netdate 4-37, 4-39
Network Basic Input/Output System 7-174
Network File System 4-18
network prefix 9-257
Network Time Protocol 4-36
NFS 4-18
client options 4-30
configuration 4-21
manual server configuration 4-24
server configuration with YaST 4-21
nmbd 7-177
nmblookup 7-177, 7-202
no_root_squash 4-25
no_subtree_check 4-25
NTP 4-36, 4-40
configuration with YaST 4-43
control server 4-49
server 4-43
server monitoring 4-50
stratum 4-40
terms 4-42
ntpd 4-37, 4-41
ntpdate (deprecated) 4-49
ntpq 4-51
ntptrace 4-50
O
object 6-130
object, property 6-130
objects, types of 6-130
OpenLDAP 6-121
openssl 8-244
Order deny,allow 8-238
organizational units 6-128
P
para-virtualization 13-395
passwd 6-155
PDC 7-210
performance 10-273
PHP 8-248
installation 8-248
phpinfo 8-250
pipe operator 11-304
portmapper 4-19
Preboot Execution Environment 12-371
Primary Domain Controller 7-210
print queues 5-100
printer
add with YaST 5-76
printing process 5-99
privileged Domain 13-397
processor utilization 10-274
property 6-130
PureFTPd 4-64
authorized users 4-68
configuration 4-66
installation 4-65
logs 4-70
user management 4-69
virtual hosts 4-67
pure-pw 4-69
PXE 12-371
pxelinux 12-372
R
RAM 10-276
rccups 5-97
rcnfsserver 4-26
rcnmb 7-179
rcntp 4-50
rcsmb 7-179
read 11-328
Real Time Clock 4-36
reject 5-94
relative distinguished name 6-135
Remote Procedure Call 4-19
return value 11-306
root_squash 4-25
RPC 4-19
rpcbind 4-19
rpcinfo 4-34
rsync 11-308, 11-334
RTC 4-36
rules of containment 6-133
S
Samba 7-174
client tools 7-202
configuration with YaST 7-185
configuration test 7-185
domain controller 7-207
domain controller configuration 7-211
global section 7-180
homes section 7-181
LDAP as user database 7-193
manual configuration 7-179
printers 7-183
user database 7-192
Samba authentication 7-192
schema 6-130, 6-133
Secure Sockets Layer 8-241
sed 11-343
Server Message Block 7-174
set -x 11-310
share 7-174
configuration 7-182
printers 7-183
she-bang 11-308
shell 11-301
shell script 11-307
shell scripts 11-301
showmount 4-34
SMB 7-174, 7-176
SMB commands 7-176
smbclient 7-177, 7-202
smbd 7-177
smbpasswd 7-192
sntp 4-50
SSL 8-241
Standard Error 11-302
Standard In 11-303
Standard Out 11-302
stderr 11-302
stdin 11-303
stdout 11-302
stratum 4-40
subtree_check 4-25
swap partition 10-276
syslinux 12-372
system memory 10-275
system time 4-36
T
test 11-317, 11-345
testparm 7-185
TFTP server 12-371
top 10-274
tr 11-347
trust 7-211
trust relationships 7-211
tunnel broker 9-270
U
UNC 7-174
Uniform Resource Locator 8-226
Universal Naming Convention 7-174
Universal Time Coordinated 4-37
until loop 11-322
uptime 10-274
URL 8-226
useradd 6-155
userdel 6-155
usermod 6-155
UTC 4-37
utilization 10-274
V
variable 11-304, 11-312
virt-manager 13-409
virtual host 8-233
configuration 8-234
virtualization 13-395
vm-install 13-400
vmstat 10-277, 10-278
W
while loop 11-322
winbind 7-177
Windows domain 7-210
Windows domain membership 7-219
Windows Internet Naming Service 7-175
WINS 7-175
WINS server 7-175
workgroup 7-180, 7-207
workstation machine account 7-215
X
X.500 6-125
X.500 Directory 6-125
Xen 13-393
Xen networking 13-422
Xen server 13-398
Xen virtual machine 13-400
Xen virtual machine installation 13-401
xend 13-397
xinetd 4-53
access control 4-59
configuration defaults 4-56
configuration with YaST 4-53
log file 4-61
manual configuration 4-55
xm 13-415
Y
YaST
IPv6 9-262
YaST LDAP browser 6-165
YaST module
Autoinstallation 12-381