Edition 1
Note that only the root user is allowed to set the system date and time. To unlock the configuration tool for changes, click the button in the top-right corner of the window, and provide the root password when prompted.

To change the current date, type the following at a shell prompt as root:

date +%D -s YYYY-MM-DD

Here, YYYY is a four-digit year, MM is a two-digit month, and DD is a two-digit day of the month. For example, to change the date to 2 June 2010, type:

~]# date +%D -s 2010-06-02

To verify the change, run date without any additional argument.

To change the current time, type the following at a shell prompt as root:

date +%T -s HH:MM:SS

Here, HH stands for an hour, MM is a minute, and SS is a second, all typed in a two-digit form. If your system clock is set to use UTC (Coordinated Universal Time), also add the -u option:

date +%T -s HH:MM:SS -u

For example, to set the time to 23:26:00 UTC, type:

~]# date +%T -s 23:26:00 -u

To verify the change, run date without any additional argument.
To check whether the system clock is in sync with an NTP server without changing it, use the ntpdate command in the following form:

ntpdate -q server_address

For example, to query the public server 0.fedora.pool.ntp.org, type:
~]$ ntpdate -q 0.fedora.pool.ntp.org
server 204.15.208.61, stratum 2, offset -39.275438, delay 0.16083
server 69.65.40.29, stratum 2, offset -39.269122, delay 0.17191
server 148.167.132.201, stratum 2, offset -39.270239, delay 0.20482
17 Oct 17:41:09 ntpdate[10619]: step time server 204.15.208.61 offset -39.275438 sec

To synchronize the system clock with one or more NTP servers, as root, run the ntpdate command followed with one or more server addresses:

ntpdate server_address…

For example:

~]# ntpdate 0.fedora.pool.ntp.org 1.fedora.pool.ntp.org
17 Oct 17:42:13 ntpdate[10669]: step time server 204.15.208.61 offset -39.275436 sec

To verify the change, run the date command with no additional arguments.
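The following shell script is an added example and is not part of the Fedora guide. It reads the output of ntpdate -q (the constructed sample reproduces the lines shown above), finds the largest absolute offset among the answering servers, and decides whether the clock is within a tolerance you choose. This is the check to run before a scripted ntpdate step: a jump of the size shown above (about 39 seconds) invalidates time-based checks such as Kerberos ticket and certificate validity windows, so it is worth knowing about rather than stepping silently. The function names and the LIMIT argument are the example's own.

```sh
#!/bin/sh
# Added example (not from the Fedora guide): read `ntpdate -q` output and
# decide whether the local clock is within an acceptable offset.
# The sample below is constructed from the output format shown above.

SAMPLE_NTPDATE='server 204.15.208.61, stratum 2, offset -39.275438, delay 0.16083
server 69.65.40.29, stratum 2, offset -39.269122, delay 0.17191
server 148.167.132.201, stratum 2, offset -39.270239, delay 0.20482
17 Oct 17:41:09 ntpdate[10619]: step time server 204.15.208.61 offset -39.275438 sec'

# clock_check LIMIT_SECONDS
# Reads ntpdate -q output on stdin. Prints "servers=N worst=SECONDS status=ok|drift"
# and returns 0 when the largest absolute offset is within LIMIT_SECONDS, 1 otherwise.
# No server line at all also returns 1: "no answer" is not "in sync".
clock_check() {
    awk -v limit="$1" '
    /^server / {
        # the number after the word "offset", with its trailing comma removed
        for (i = 1; i <= NF; i++) if ($i == "offset") off = $(i + 1)
        sub(/,$/, "", off)
        off = off + 0
        if (off < 0) off = -off
        n++
        if (off > worst) worst = off
    }
    END {
        if (n == 0) { print "servers=0 worst=none status=unknown"; exit 1 }
        status = (worst > limit) ? "drift" : "ok"
        printf "servers=%d worst=%.3f status=%s\n", n, worst, status
        rc = (status == "ok") ? 0 : 1
        exit rc
    }'
}

# check_sample LIMIT_SECONDS: run the check against the constructed sample
check_sample() {
    printf '%s\n' "$SAMPLE_NTPDATE" | clock_check "$1"
}

# Real use, as root, before stepping the clock:
#   ntpdate -q 0.fedora.pool.ntp.org | clock_check 1 || echo "clock is off, investigate before stepping"
```

With a 1-second limit the sample reports status=drift; with a 60-second limit it reports status=ok. The threshold is a policy choice: a few hundred milliseconds is normal for a working ntpd, while tens of seconds usually means the daemon is not running or the server is unreachable.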
To have the clock synchronized with ntpdate at boot time, enable the ntpdate service as root:

systemctl enable ntpdate.service

If the synchronization at boot time keeps failing, that is, you find a relevant error message in the /var/log/boot.log system log, try to add the following line to /etc/sysconfig/network so that the service waits for the network to come up:

NETWORKWAIT=1

Alternatively, configure the ntpd daemon to synchronize the time at boot time automatically. As root, open the NTP configuration file /etc/ntp.conf in a text editor, creating a new one if it does not already exist. Then add or edit the list of public NTP servers; the Fedora pool servers are a reasonable default:

server 0.fedora.pool.ntp.org iburst
server 1.fedora.pool.ntp.org iburst
server 2.fedora.pool.ntp.org iburst

The iburst directive added at the end of each server line speeds up the initial synchronization.

Also restrict what remote hosts may do with the daemon. The following lines let any host obtain time but refuse, from the default (that is, any) address, requests that would modify the daemon's state (nomodify), control-message trap service (notrap), packets that would mobilize a new peer association (nopeer) and ntpq/ntpdc queries (noquery), answering rate-limited clients with a Kiss-o'-Death packet (kod) rather than silently dropping them; the local host stays unrestricted:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

Restart the service:

systemctl restart ntpd.service

Finally, make sure the ntpd daemon is started at boot time:

systemctl enable ntpd.service

For more information, refer to the following manual pages:

date(1) — The manual page for the date utility.
ntpdate(8) — The manual page for the ntpdate utility.
ntpd(8) — The manual page for the ntpd service.
Each file and directory is owned by a user and associated with a group. The ownership of a file or directory can be changed only by root, and access permissions can be changed by both the root user and the file owner.

Fedora uses a user private group (UPG) scheme: every user has a private group with the same name as the user, and that user is its only member. The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this “group protection” is not necessary since every user has their own private group.

Shadow passwords are enabled by default. Instead of being kept in the world-readable /etc/passwd file, the password hashes are moved from the /etc/passwd file to /etc/shadow, which is readable only by the root user. Shadow passwords also allow password aging information to be stored, and allow the /etc/login.defs file to enforce security policies.

Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work. The following is a list of utilities and commands that do not work without first enabling shadow passwords:

the chage utility
the gpasswd utility
the usermod command with the -e or -f option
the useradd command with the -e or -f option

Only the root user is allowed to configure users and groups. To unlock the configuration tool for all kinds of changes, click the button in the top-right corner of the window, and provide the root password when prompted.

The desktop account settings offer two account types, Administrator and Standard (the default option). When a new account is created, the default configuration files from the /etc/skel/ directory are copied into the new home directory.

The User Manager application can be started by typing system-config-users at a shell prompt. Note that unless you have superuser privileges, the application will prompt you to authenticate as root.

In User Manager, the home directory defaults to /home/username/. You can choose not to create the home directory by clearing the Create home directory check box, or change this directory by editing the content of the Home Directory text box. Note that when the home directory is created, default configuration files are copied into it from the /etc/skel/ directory.
| Utilities | Description |
|---|---|
| useradd, usermod, userdel | Standard utilities for adding, modifying, and deleting user accounts. |
| groupadd, groupmod, groupdel | Standard utilities for adding, modifying, and deleting groups. |
| gpasswd | Standard utility for administering the /etc/group configuration file. |
| pwck, grpck | Utilities that can be used for verification of the password, group, and associated shadow files. |
| pwconv, pwunconv | Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords. |
To add a new user to the system, type the following at a shell prompt as root:

useradd [options] username

where options are command line options as described in Table 3.2, “useradd command line options”.

By default, the useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password:

passwd username
| Option | Description |
|---|---|
| -c 'comment' | comment can be replaced with any string. This option is generally used to specify the full name of a user. |
| -d home_directory | Home directory to be used instead of the default /home/username/. |
| -e date | Date for the account to be disabled in the format YYYY-MM-DD. |
| -f days | Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires. |
| -g group_name | Group name or group number for the user's default group. The group must exist prior to being specified here. |
| -G group_list | List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
| -m | Create the home directory if it does not exist. |
| -M | Do not create the home directory. |
| -N | Do not create a user private group for the user. |
| -p password | The password, already hashed with crypt. Note that the hash is visible to other users in the process list while the command runs; assigning the password afterwards with passwd avoids this. |
| -r | Create a system account with a UID less than 1000 and without a home directory. |
| -s shell | User's login shell, which defaults to /bin/bash. |
| -u uid | User ID for the user, which must be unique and greater than 999. |
Assuming that the command useradd juan is issued on a system that has shadow passwords enabled, the following happens.

A new line for juan is created in /etc/passwd:

juan:x:501:501::/home/juan:/bin/bash

The line has the following characteristics: it begins with the username juan; there is an x for the password field indicating that the system is using shadow passwords; the next free UID and GID are assigned (501 in this example output; with the defaults described in Table 3.2, the first regular user receives 1000); the optional GECOS information is left blank; the home directory for juan is set to /home/juan/; and the default shell is set to /bin/bash.

A new line for juan is created in /etc/shadow:

juan:!!:14798:0:99999:7:::

The line has the following characteristics: it begins with the username juan; two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account (if a hashed password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user instead); the third field records the day the password was last changed, counted from January 1, 1970; the minimum and maximum ages of 0 and 99999 days mean the password can be changed at any time and never expires; the user would be warned 7 days before an expiration; the inactivity period and account expiration date are unset.

A new line for a group named juan is created in /etc/group:

juan:x:501:

A group with the same name as a user is called a user private group. The line created in /etc/group has the following characteristics: it begins with the group name juan; an x appears in the password field indicating that the system is using shadow group passwords; the GID matches the one listed for user juan in /etc/passwd.

A new line for a group named juan is created in /etc/gshadow:

juan:!::

The line has the following characteristics: it begins with the group name juan; an exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group; all other fields are blank.

A directory for user juan is created in the /home/ directory:
~]# ls -l /home
total 4
drwx------. 4 juan juan 4096 Mar 3 18:23 juan

This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied.

The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory:
~]# ls -la /home/juan
total 28
drwx------. 4 juan juan 4096 Mar 3 18:23 .
drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..
-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout
-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile
-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc
drwxr-xr-x. 2 juan juan 4096 Jul 14 2010 .gnome2
drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla

At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
To add a new group to the system, type the following at a shell prompt as root:

groupadd [options] group_name

where options are command line options as described in Table 3.3, “groupadd command line options”.

| Option | Description |
|---|---|
| -f, --force | When used with -g gid and gid already exists, groupadd will choose another unique gid for the group. |
| -g gid | Group ID for the group, which must be unique and greater than 999. |
| -K, --key key=value | Override /etc/login.defs defaults. |
| -o, --non-unique | Allow creating a group with a GID that is already in use (a non-unique GID). |
| -p, --password password | Use this already hashed password for the new group. |
| -r | Create a system group with a GID less than 1000. |
For security reasons, it is advisable to require users to change their passwords periodically. This can be done using the chage command.

Shadow passwords must be enabled to use the chage command. For more information, see Section 3.1.2, “Shadow Passwords”.

To configure password expiration for a user from a shell prompt, type the following as root:

chage [options] username

where options are command line options as described in Table 3.4, “chage command line options”. When the chage command is followed directly by a username (that is, when no command line options are specified), it displays the current password aging values and allows you to change them interactively.

| Option | Description |
|---|---|
| -d days | Specifies the number of days since January 1, 1970 the password was changed. |
| -E date | Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used. |
| -I days | Specifies the number of inactive days after the password expiration before locking the account. Passing -1 removes the inactivity period. |
| -l | Lists current account aging settings. |
| -m days | Specifies the minimum number of days that must pass between password changes. If the value is 0, the user may change the password at any time. |
| -M days | Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account. |
| -W days | Specifies the number of days before the password expiration date to warn the user. |
To force a user to set a new password at the next login (for example, for a newly created account), first set up an initial password as root:

passwd username

Alternatively, you can assign a null password instead of an initial password:

passwd -d username

Using a null password, although convenient, is a highly insecure practice, as any third party can log in first and access the system using the insecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.

Then force immediate password expiration as root:

chage -d 0 username

This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place. Upon the initial log in, the user is now prompted for a new password.
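The following shell script is an added example and is not part of the Fedora guide. It reads lines in /etc/shadow format and flags, per account, the aging states that the chage options above control: an empty password field, a locked field (!, !! or *), a last-change day of 0 (what chage -d 0 produces), a password with no maximum age, a password past its maximum age, an account past its -I inactivity period, and an account past its -E expiration date. The entries are constructed and the hashes are placeholders; the function names are the example's own. It is the check to run after setting an aging policy, to see which accounts the policy does not actually cover.

```sh
#!/bin/sh
# Added example (not from the Fedora guide): audit /etc/shadow entries for the
# password-aging states that the chage options above control.
# Field layout (shadow(5)): name:password:lastchg:min:max:warn:inactive:expire:reserved
# The entries below are constructed; the hashes are placeholders, not real ones.

SAMPLE_SHADOW='root:$6$saltsalt$hashhash:15000:0:99999:7:::
juan:!!:14798:0:99999:7:::
svc_backup::15100:0:90:7:::
alice:$6$abc$def:15000:1:90:14:30::
bob:$6$abc$def:15150:1:90:14::15100:
carol:$6$abc$def:0:0:99999:7:::
dave:*:15000:0:99999:7:::'

# audit_shadow TODAY
# TODAY is the current day as days since 1970-01-01, the unit /etc/shadow uses.
# Reads shadow-format lines on stdin and prints "name:FINDING[,FINDING...]" per
# account, or "name:OK" when nothing is flagged.
audit_shadow() {
    awk -F: -v today="$1" '
    NF < 8 { next }                       # skip blank or malformed lines
    {
        name = $1; pw = $2; last = $3; max = $5; inact = $7; expire = $8
        f = ""
        if (pw == "")          f = f "EMPTY_PASSWORD,"       # login with no password at all
        else if (pw ~ /^[!*]/) f = f "LOCKED,"               # !, !! or * never matches a hash
        if (last == "0")       f = f "CHANGE_AT_NEXT_LOGIN," # what chage -d 0 produces
        if (max == "" || max == "99999") {
            f = f "NO_MAX_AGE,"                              # password never expires
        } else if (last != "0" && last + max < today) {
            f = f "PASSWORD_EXPIRED,"
            if (inact != "" && last + max + inact < today)
                f = f "INACTIVE_LOCKED,"                     # past the -I grace period
        }
        if (expire != "" && expire + 0 <= today) f = f "ACCOUNT_EXPIRED,"  # -E date passed
        sub(/,$/, "", f)
        if (f == "") f = "OK"
        print name ":" f
    }'
}

# audit_sample TODAY: run the audit over the constructed entries
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$1"
}

# Real use, as root (today in days since the epoch, as chage -d expects):
#   audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
```

Run against the sample with today=15200, the output flags root and dave for having no maximum age, svc_backup for an empty password that has also expired, alice for being past both the maximum age and the 30-day inactivity period, bob for a passed -E date, and carol for a pending forced change. Note that the audit reads the file, not the running policy: /etc/login.defs defaults only apply to accounts created after they are set.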
When the user is logged in as root, an unattended login session may pose a significant security risk. To reduce this risk, you can configure the system to automatically log out idle users after a fixed period of time.

First, make sure the screen package is installed. You can do so by running the following command as root:

yum install screen

Next, as root, add the following line at the beginning of the /etc/profile file to make sure the processing of this file cannot be interrupted:

trap "" 1 2 3 15

Then add the following lines at the end of the /etc/profile file to start a screen session each time a user logs in to a virtual console or remotely:

SCREENEXEC="screen"
if [ -w $(tty) ]; then
  trap "exec $SCREENEXEC" 1 2 3 15
  echo -n 'Starting session in 10 seconds'
  sleep 10
  exec $SCREENEXEC
fi

Note that each time a new session starts, a message will be displayed and the user will have to wait ten seconds. To adjust the time to wait before starting a session, change the value after the sleep command.

Finally, add the following lines to the /etc/screenrc configuration file to close the screen session after a given period of inactivity:

idle 120 quit
autodetach off

This will set the time limit to 120 seconds. To adjust this limit, change the value after the idle directive.

To lock the session instead of ending it, so that a password is required to make it active again, use lockscreen in place of quit:

idle 120 lockscreen
autodetach off
With the setgid bit set on a directory, any files a user creates within that directory are owned by the group which owns the directory, which makes a shared project directory simple to manage. For example, a group of people need to work on files in the /opt/myproject/ directory. Some people are trusted to modify the contents of this directory, but not everyone.

As root, create the /opt/myproject/ directory by typing the following at a shell prompt:

mkdir /opt/myproject

Add the myproject group to the system:

groupadd myproject

Associate the contents of the /opt/myproject/ directory with the myproject group:

chown root:myproject /opt/myproject

Allow users to create files within the directory, and set the setgid bit:

chmod 2775 /opt/myproject

At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:
~]# ls -l /opt
total 4
drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 myproject

The s in the group execute position is the setgid bit. Note that group members still need a umask that keeps the group write bit (002, the UPG default) for other members to be able to edit the files they create; with the traditional umask of 022, new files in the directory are group-readable only.

For more information, see the manual pages for the /etc/group file (group(5)) and for the /etc/passwd and /etc/shadow files (passwd(5) and shadow(5)).
This chapter describes how to use yum to install, update or remove packages on your system. All examples in this chapter assume that you have already obtained superuser privileges by using either the su or sudo command.

To see which installed packages on your system have updates available, use the following command:

yum check-update

For example:
~]# yum check-update
Loaded plugins: langpacks, presto, refresh-packagekit
PackageKit.x86_64 0.6.14-2.fc15 fedora
PackageKit-command-not-found.x86_64 0.6.14-2.fc15 fedora
PackageKit-device-rebind.x86_64 0.6.14-2.fc15 fedora
PackageKit-glib.x86_64 0.6.14-2.fc15 fedora
PackageKit-gstreamer-plugin.x86_64 0.6.14-2.fc15 fedora
PackageKit-gtk-module.x86_64 0.6.14-2.fc15 fedora
PackageKit-gtk3-module.x86_64 0.6.14-2.fc15 fedora
PackageKit-yum.x86_64 0.6.14-2.fc15 fedora
PackageKit-yum-plugin.x86_64 0.6.14-2.fc15 fedora
gdb.x86_64 7.2.90.20110429-36.fc15 fedora
kernel.x86_64 2.6.38.6-26.fc15 fedora
rpm.x86_64 4.9.0-6.fc15 fedora
rpm-libs.x86_64 4.9.0-6.fc15 fedora
rpm-python.x86_64 4.9.0-6.fc15 fedora
yum.noarch 3.2.29-5.fc15 fedora

The packages in the above output are listed as having updates available. The first package in the list is PackageKit, the graphical package manager. The line in the example output tells us:

PackageKit — the name of the package
x86_64 — the CPU architecture the package was built for
0.6.14 — the version of the updated package to be installed
fedora — the repository in which the updated package is located
The output also shows us that we can update the package manager itself (the yum and rpm packages), as well as their dependencies (such as the kernel-firmware, rpm-libs, and rpm-python packages), all using yum.
You can choose to update a single package, multiple packages, or all packages at once. If any dependencies of the package (or packages) you update have updates available themselves, then they are updated too. To update a single package, run the following command as root:

yum update package_name

For example, to update the udev package, type:
~]# yum update udev
Loaded plugins: langpacks, presto, refresh-packagekit
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package gdb.x86_64 0:7.2.90.20110411-34.fc15 will be updated
---> Package gdb.x86_64 0:7.2.90.20110429-36.fc15 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
gdb x86_64 7.2.90.20110429-36.fc15 fedora 1.9 M
Transaction Summary
================================================================================
Upgrade 1 Package(s)
Total download size: 1.9 M
Is this ok [y/N]:

This output contains several items of interest:

Loaded plugins: — yum always informs you which Yum plug-ins are installed and enabled. Here, yum is using the langpacks, presto, and refresh-packagekit plug-ins. Refer to Section 4.4, “Yum Plug-ins” for general information on Yum plug-ins, or to Section 4.4.3, “Plug-in Descriptions” for descriptions of specific plug-ins.

gdb.x86_64 — you can download and install a new gdb package.

yum presents the update information and then prompts you as to whether you want it to perform the update; yum runs interactively by default. If you already know which transactions yum plans to perform, you can use the -y option to automatically answer yes to any questions yum may ask (in which case it runs non-interactively). However, you should always examine which changes yum plans to make to the system so that you can easily troubleshoot any problems that might arise.

If a transaction does go awry, you can view Yum's transaction history by using the yum history command as described in Section 4.2.6, “Working with Transaction History”.

Updating and installing kernels with Yum: yum always installs a new kernel in the same sense that RPM installs a new kernel when you use the command rpm -i kernel. Therefore, you do not need to worry about the distinction between installing and upgrading a kernel package when you use yum: it will do the right thing, regardless of whether you are using the yum update or yum install command.

When using RPM, on the other hand, it is important to use the rpm -i kernel command (which installs a new kernel) instead of rpm -U kernel (which replaces the current kernel). Refer to Section B.2.2, “Installing and Upgrading” for more information on installing/updating kernels with RPM.

To update all packages and their dependencies, simply enter yum update (without any arguments):

yum update

Updating security-related packages: discovering which packages have security updates available and then updating those packages quickly and easily is important. The security plug-in extends the yum command with a set of highly-useful security-centric commands, subcommands and options. Refer to Section 4.4.3, “Plug-in Descriptions” for specific information.
You can search all RPM package names, descriptions and summaries by using the following command:

yum search term…

This command displays the list of matches for each term. For example, to list all packages that match “meld” or “kompare”, type:
~]# yum search meld kompare
Loaded plugins: langpacks, presto, refresh-packagekit
============================== N/S Matched: meld ===============================
meld.noarch : Visual diff and merge tool
python-meld3.x86_64 : HTML/XML templating system for Python
============================= N/S Matched: kompare =============================
komparator.x86_64 : Kompare and merge two folders
Name and summary matches only, use "search all" for everything.

The yum search command is useful for searching for packages you do not know the name of, but for which you know a related term.
The yum list and related commands provide information about packages, package groups, and repositories.

All of Yum's list commands allow you to filter the results by appending one or more glob expressions as arguments. Glob expressions are normal strings of characters which contain one or more of the wildcard characters * (which expands to match any character multiple times) and ? (which expands to match any one character).

Be careful to escape the glob expressions when passing them as arguments to a yum command, otherwise the Bash shell will interpret these expressions as pathname expansions, and potentially pass all files in the current directory that match the globs to yum. To make sure the glob expressions are passed to yum as intended, either escape each wildcard character with a backslash (for example, yum list abrt-addon\*) or enclose the whole expression in double quotes (for example, yum list "abrt-addon*"). Note that when no file matches, Bash passes the unquoted expression through unchanged, so a command that appears to work in one directory can silently break in another.
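The following shell script is an added example and is not part of the Fedora guide. It shows what a command such as yum actually receives when the same glob expression is written unquoted, escaped, and quoted, by running a stand-in command in a temporary directory that contains two files matching abrt-addon*. Nothing in it depends on yum or on the packages installed; the directory, file names and function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the Fedora guide): show what a command such as yum
# actually receives when a glob expression is unquoted, escaped, or quoted.
# The probe files are created in a temporary directory, so nothing here
# depends on yum or on the packages installed.

# argv_seen ARGS...: report how many arguments arrived and what the first one was,
# the way yum would see its own argument list
argv_seen() {
    printf '%s:%s' "$#" "$1"
}

# glob_demo: creates two files matching abrt-addon*, then runs argv_seen with
# the pattern written three ways. Prints "unquoted|escaped|quoted|nomatch".
glob_demo() {
    d=$(mktemp -d)
    : > "$d/abrt-addon-ccpp"
    : > "$d/abrt-addon-python"
    unquoted=$(cd "$d" && argv_seen abrt-addon*)      # expanded by the shell: two file names
    escaped=$(cd "$d" && argv_seen abrt-addon\*)      # one literal argument
    quoted=$(cd "$d" && argv_seen "abrt-addon*")      # one literal argument
    nomatch=$(cd "$d" && argv_seen zzz-none*)         # no file matches: passed through literally
    rm -rf "$d"
    printf '%s|%s|%s|%s\n' "$unquoted" "$escaped" "$quoted" "$nomatch"
}
```

The demonstration prints 2:abrt-addon-ccpp|1:abrt-addon*|1:abrt-addon*|1:zzz-none*. The unquoted form hands yum two file names instead of a pattern, while the last field shows why the mistake is easy to miss: with no matching file in the current directory the unquoted pattern reaches yum intact.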
To list information on all installed and available packages matching all glob expressions, use:

yum list glob_expression…

For example, to list all ABRT addons and plug-ins, type:

~]# yum list abrt-addon\* abrt-plugin\*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
abrt-addon-ccpp.x86_64 2.0.2-5.fc15 @fedora
abrt-addon-kerneloops.x86_64 2.0.2-5.fc15 @fedora
abrt-addon-python.x86_64 2.0.2-5.fc15 @fedora
abrt-plugin-bugzilla.x86_64 2.0.2-5.fc15 @fedora
abrt-plugin-logger.x86_64 2.0.2-5.fc15 @fedora
Available Packages
abrt-plugin-mailx.x86_64 2.0.2-5.fc15 updates
abrt-plugin-reportuploader.x86_64 2.0.2-5.fc15 updates
abrt-plugin-rhtsupport.x86_64 2.0.2-5.fc15 updates

To list all installed and available packages:

yum list all

For example:

~]# yum list all
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
ConsoleKit.x86_64 0.4.4-1.fc15 @fedora
ConsoleKit-libs.x86_64 0.4.4-1.fc15 @fedora
ConsoleKit-x11.x86_64 0.4.4-1.fc15 @fedora
GConf2.x86_64 2.32.3-1.fc15 @fedora
GConf2-gtk.x86_64 2.32.3-1.fc15 @fedora
ModemManager.x86_64 0.4-7.git20110201.fc15 @fedora
NetworkManager.x86_64 1:0.8.998-4.git20110427.fc15 @fedora
NetworkManager-glib.x86_64 1:0.8.998-4.git20110427.fc15 @fedora
NetworkManager-gnome.x86_64 1:0.8.998-4.git20110427.fc15 @fedora
NetworkManager-openconnect.x86_64 0.8.1-9.git20110419.fc15 @fedora
[output truncated]

To list all installed packages, optionally filtered by glob expressions:

yum list installed

The following example lists all installed packages that begin with “krb” followed by exactly one character and a hyphen:

~]# yum list installed "krb?-*"
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
krb5-libs.x86_64 1.9-7.fc15 @fedora

To list all packages in all enabled repositories that are available to install:

yum list available

For example, to list all available packages with names containing “gstreamer” and then “plugin”, type:

~]# yum list available gstreamer\*plugin\*
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
gstreamer-plugin-crystalhd.x86_64 3.5.1-1.fc14 fedora
gstreamer-plugins-bad-free.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-bad-free-devel.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-bad-free-devel-docs.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-bad-free-extras.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-base.x86_64 0.10.33-1.fc15 updates
gstreamer-plugins-base-devel.x86_64 0.10.33-1.fc15 updates
gstreamer-plugins-base-devel-docs.noarch 0.10.33-1.fc15 updates
gstreamer-plugins-base-tools.x86_64 0.10.33-1.fc15 updates
gstreamer-plugins-espeak.x86_64 0.3.3-3.fc15 fedora
gstreamer-plugins-fc.x86_64 0.2-2.fc15 fedora
gstreamer-plugins-good.x86_64 0.10.29-1.fc15 updates
gstreamer-plugins-good-devel-docs.noarch 0.10.29-1.fc15 updates

To list package groups:

yum grouplist

For example:

~]# yum grouplist
Loaded plugins: langpacks, presto, refresh-packagekit
Setting up Group Process
Installed Groups:
Administration Tools
Design Suite
Dial-up Networking Support
Fonts
GNOME Desktop Environment
[output truncated]

To list the repository ID, name, and number of packages it provides for each enabled repository:

yum repolist

For example:

~]# yum repolist
Loaded plugins: langpacks, presto, refresh-packagekit
repo id repo name status
fedora Fedora 15 - i386 19,365
updates Fedora 15 - i386 - Updates 3,848
repolist: 23,213

To display information about one or more packages (glob expressions are valid here as well), use the following command:

yum info package_name…

For example, to display information about the abrt package, type:
~]# yum info abrt
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name : abrt
Arch : x86_64
Version : 2.0.1
Release : 2.fc15
Size : 806 k
Repo : installed
From repo : fedora
Summary : Automatic bug detection and reporting tool
URL : https://fedorahosted.org/abrt/
License : GPLv2+
Description : abrt is a tool to help users to detect defects in applications and
: to create a bug report with all informations needed by maintainer
: to fix it. It uses plugin system to extend its functionality.

The yum info package_name command is similar to the rpm -q --info package_name command, but provides as additional information the ID of the Yum repository the RPM package is found in (look for the From repo: line in the output).
You can also query the Yum database for alternative and useful information about a package by using the following command:

yumdb info package_name

This command provides additional information about a package, including the checksum of the package (and the algorithm used to produce it, such as SHA-256), the command given on the command line that was invoked to install the package (if any), and the reason that the package is installed on the system (where user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type:
~]# yumdb info yum
Loaded plugins: langpacks, presto, refresh-packagekit
yum-3.2.29-4.fc15.noarch
checksum_data = 249f21fb43c41381c8c9b0cd98d2ea5fa0aa165e81ed2009cfda74c05af67246
checksum_type = sha256
from_repo = fedora
from_repo_revision = 1304429533
from_repo_timestamp = 1304442346
installed_by = 0
reason = user
releasever = $releasever

For more information on the yumdb command, refer to the yumdb(8) manual page.
To install a single package and all of its non-installed dependencies, enter a command in the following form:

yum install package_name

You can also install multiple packages simultaneously by appending their names as arguments:

yum install package_name package_name…

If you are installing packages on a multilib system, such as an AMD64 or Intel64 machine, you can specify the architecture of the package (as long as it is available in an enabled repository) by appending .arch to the package name. For example, to install the sqlite2 package for i586, type:

~]# yum install sqlite2.i586

You can use glob expressions to quickly install multiple similarly-named packages:

~]# yum install audacious-plugins-\*

In addition to package names and glob expressions, you can also provide file names to yum install. If you know the name of the binary you want to install, but not its package name, you can give yum install the path name:

~]# yum install /usr/sbin/named

yum then searches through its package lists, finds the package which provides /usr/sbin/named, if any, and prompts you as to whether you want to install it.

Finding which package owns a file: if you know you want to install the package that contains the named binary, but you do not know in which bin or sbin directory the file is installed, use the yum provides command with a glob expression:
~]# yum provides "*bin/named"
Loaded plugins: langpacks, presto, refresh-packagekit
32:bind-9.8.0-3.P1.fc15.i686 : The Berkeley Internet Name Domain (BIND) DNS
: (Domain Name System) server
Repo : fedora
Matched from:
Filename : /usr/sbin/named

yum provides "*/file_name" is a common and useful trick to find the packages that contain file_name.
A package group is similar to a package: it is not useful by itself, but installing one pulls a group of dependent packages that serve a common purpose. A package group has a name and a groupid. The yum grouplist -v command lists the names of all package groups, and, next to each of them, their groupid in parentheses. The groupid is always the term in the last pair of parentheses, such as kde-desktop in the following example:
~]# yum -v grouplist kde\*
Not loading "blacklist" plugin, as it is disabled
Loading "langpacks" plugin
Loading "presto" plugin
Loading "refresh-packagekit" plugin
Not loading "whiteout" plugin, as it is disabled
Adding en_US to language list
Config time: 0.900
Yum Version: 3.2.29
Setting up Group Process
rpmdb time: 0.002
group time: 0.995
Available Groups:
KDE Software Compilation (kde-desktop)
KDE Software Development (kde-software-development)
Done

You can install a package group by passing its full group name (without the groupid part) to groupinstall:

yum groupinstall group_name

You can also install by groupid:

yum groupinstall groupid

You can even pass the groupid (or quoted name) to the install command if you prepend it with an @-symbol (which tells yum that you want to perform a groupinstall):

yum install @group

For example, the following are alternative but equivalent ways of installing the KDE Desktop group:

~]# yum groupinstall "KDE Desktop"
~]# yum groupinstall kde-desktop
~]# yum install @kde-desktop
To remove a single package and all of its dependencies, type the following at a shell prompt as root:

yum remove package_name…

Similar to install, remove can take these arguments: package names, glob expressions, file lists, and package provides. For example, to remove the totem, rhythmbox, and sound-juicer packages, type:

~]# yum remove totem rhythmbox sound-juicer

Note that yum is not able to remove a package without also removing the packages that depend on it, so examine the transaction summary it presents before confirming.

You can remove a package group using syntax congruent with the install syntax:

yum groupremove group
yum remove @group

For example, the following are alternative but equivalent ways of removing the KDE Desktop group:

~]# yum groupremove "KDE Desktop"
~]# yum groupremove kde-desktop
~]# yum remove @kde-desktop

Intelligent package group removal: when you tell yum to remove a package group, it will remove every package in that group, even if those packages are members of other package groups or dependencies of other installed packages. However, you can instruct yum to remove only those packages which are not required by any other packages or groups by adding the groupremove_leaf_only=1 directive to the [main] section of the /etc/yum.conf configuration file. For more information on this directive, refer to Section 4.3.1, “Setting [main] Options”.
The yum history command allows users to review information about a timeline of Yum transactions, the dates and times on when they occurred, the number of packages affected, whether transactions succeeded or were aborted, and if the RPM database was changed between transactions. Additionally, this command can be used to undo or redo certain transactions.

To display a list of the twenty most recent transactions, as root, either run yum history with no additional arguments, or type the following at a shell prompt:

yum history list

To display all transactions, add the all keyword:

yum history list all

To display only transactions in a given range, use the command in the following form:

yum history list start_id..end_id

You can also list only transactions regarding a particular package or packages. To do so, use the command with a package name or a glob expression:

yum history list glob_expression…

For example, the list of the first five transactions looks as follows:
~]# yum history list 1..5
Loaded plugins: langpacks, presto, refresh-packagekit
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
5 | Jaromir ... <jhradilek> | 2011-07-29 15:33 | Install | 1
4 | Jaromir ... <jhradilek> | 2011-07-21 15:10 | Install | 1
3 | Jaromir ... <jhradilek> | 2011-07-16 15:27 | I, U | 73
2 | System <unset> | 2011-07-16 15:19 | Update | 1
1 | System <unset> | 2011-07-16 14:38 | Install | 1106
All forms of the yum history list command produce tabular output with each row consisting of the following columns:

ID — an integer value that identifies a particular transaction.
Login user — the name of the user whose login session was used to initiate a transaction. This information is typically presented in the Full Name <username> form. For transactions that were not issued by a user (such as an automatic system update), System <unset> is used instead.
Date and time — the date and time when a transaction was issued.
Action(s) — a list of actions that were performed during a transaction as described in Table 4.1, “Possible values of the Action(s) field”.
Altered — the number of packages that were affected by a transaction, possibly followed by additional information as described in Table 4.2, “Possible values of the Altered field”.
| Action | Abbreviation | Description |
|---|---|---|
| Downgrade | D | At least one package has been downgraded to an older version. |
| Erase | E | At least one package has been removed. |
| Install | I | At least one new package has been installed. |
| Obsoleting | O | At least one package has been marked as obsolete. |
| Reinstall | R | At least one package has been reinstalled. |
| Update | U | At least one package has been updated to a newer version. |
| Symbol | Description |
|---|---|
| < | Before the transaction finished, the rpmdb database was changed outside Yum. |
| > | After the transaction finished, the rpmdb database was changed outside Yum. |
| * | The transaction failed to finish. |
| # | The transaction finished successfully, but yum returned a non-zero exit code. |
| E | The transaction finished successfully, but an error or a warning was displayed. |
| P | The transaction finished successfully, but problems already existed in the rpmdb database. |
| s | The transaction finished successfully, but the --skip-broken command line option was used and certain packages were skipped. |
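The following shell script is an added example and is not part of the Fedora guide. It scans yum history list output for transactions whose Altered column carries one of the symbols in the table above and names each one, so that rpmdb changes made outside Yum (packages installed or removed with rpm directly, which is one of the first things to look for when a host is suspected of tampering) and failed transactions stand out. The table it parses is constructed: transactions 5 and 1 copy the real output shown earlier, the others were added to exercise every symbol, and the function names are the example's own. The parser accepts the symbols with or without a space after the count.

```sh
#!/bin/sh
# Added example (not from the Fedora guide): scan `yum history list` output for
# transactions whose Altered column carries one of the warning symbols above.
# The table below is constructed to exercise the parser; only transactions 5
# and 1 copy the real output shown earlier.

SAMPLE_HISTORY='Loaded plugins: langpacks, presto, refresh-packagekit
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     6 | System <unset>           | 2011-08-01 09:02 | Update         |    3 #E
     5 | Jaromir ... <jhradilek>  | 2011-07-29 15:33 | Install        |    1
     4 | Jaromir ... <jhradilek>  | 2011-07-21 15:10 | Install        |    1 <
     3 | Jaromir ... <jhradilek>  | 2011-07-16 15:27 | I, U           |   73>
     2 | System <unset>           | 2011-07-16 15:19 | Update         |    1 *
     1 | System <unset>           | 2011-07-16 14:38 | Install        | 1106'

# flag_history: reads yum history list output on stdin and prints
# "ID:count:FLAG[,FLAG...]" for every transaction that has a symbol after the
# package count. Returns 0 when nothing was flagged, 1 otherwise.
flag_history() {
    awk -F'|' '
    $1 ~ /^ *[0-9]+ *$/ {
        id = $1; gsub(/ /, "", id)
        alt = $NF; gsub(/ /, "", alt)             # e.g. "73>" or "3#E" or "1106"
        match(alt, /^[0-9]+/)
        if (RLENGTH < 1) next
        count = substr(alt, 1, RLENGTH)
        sym = substr(alt, RLENGTH + 1)
        if (sym == "") next                        # clean transaction
        desc = ""
        for (j = 1; j <= length(sym); j++) {
            c = substr(sym, j, 1)
            if      (c == "<") d = "RPMDB_CHANGED_BEFORE"
            else if (c == ">") d = "RPMDB_CHANGED_AFTER"
            else if (c == "*") d = "FAILED"
            else if (c == "#") d = "NONZERO_EXIT"
            else if (c == "E") d = "ERROR_OR_WARNING"
            else if (c == "P") d = "RPMDB_PROBLEMS"
            else if (c == "s") d = "SKIPPED_BROKEN"
            else               d = "UNKNOWN_" c
            desc = desc (desc == "" ? "" : ",") d
        }
        print id ":" count ":" desc
        flagged++
    }
    END { exit flagged ? 1 : 0 }'
}

# flag_sample: run the scan over the constructed table
flag_sample() {
    printf '%s\n' "$SAMPLE_HISTORY" | flag_history
}

# Real use, as root:  yum history list all | flag_history
```

Run against the sample, the scan reports transactions 6, 4, 3 and 2 and returns 1; transactions 5 and 1 are clean. A RPMDB_CHANGED_BEFORE or RPMDB_CHANGED_AFTER finding identifies the window in which to look for packages that have no Yum transaction at all, which yum history package-list for the suspect package and rpm -Va can then narrow down.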
Yum also allows you to display a summary of all past transactions. To do so, run the command in the following form as root:

yum history summary

To display only transactions in a given range, type:

yum history summary start_id..end_id

Similarly to the yum history list command, you can also display a summary of transactions regarding a certain package or packages by supplying a package name or a glob expression:

yum history summary glob_expression…

For instance, the summary of the transaction history displayed above would look like the following:
~]# yum history summary 1..5
Loaded plugins: langpacks, presto, refresh-packagekit
Login user | Time | Action(s) | Altered
-------------------------------------------------------------------------------
Jaromir ... <jhradilek> | Last day | Install | 1
Jaromir ... <jhradilek> | Last week | Install | 1
Jaromir ... <jhradilek> | Last 2 weeks | I, U | 73
System <unset> | Last 2 weeks | I, U | 1107
All forms of the yum history summary command produce simplified tabular output similar to the output of yum history list.

As shown above, both yum history list and yum history summary are oriented towards transactions, and although they allow you to display only transactions related to a given package or packages, they lack important details, such as package versions. To list transactions from the perspective of a package, run the following command as root:

yum history package-list glob_expression…

For example, to trace the history of subscription-manager and related packages, type the following at a shell prompt:
~]# yum history package-list subscription-manager\*
Loaded plugins: langpacks, presto, refresh-packagekit
ID | Action(s) | Package
-------------------------------------------------------------------------------
3 | Updated | subscription-manager-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
3 | Updated | subscription-manager-firstboot-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
3 | Updated | subscription-manager-gnome-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
1 | Install | subscription-manager-0.95.11-1.el6.x86_64
1 | Install | subscription-manager-firstboot-0.95.11-1.el6.x86_64
1 | Install | subscription-manager-gnome-0.95.11-1.el6.x86_64
In this example, three packages were installed during the initial system installation and later updated in transaction 3.

To examine a particular transaction or transactions in more detail, as root, use the yum history summary command in the following form:

yum history summary id

To display a more detailed overview, type the following as root:

yum history info id…

The id argument is optional and when you omit it, yum automatically uses the last transaction. Note that when specifying more than one transaction, you can also use a range:

yum history info start_id..end_id

The following is sample output for two transactions, each installing one new package:
~]# yum history info 4..5
Loaded plugins: langpacks, presto, refresh-packagekit
Transaction ID : 4..5
Begin time : Thu Jul 21 15:10:46 2011
Begin rpmdb : 1107:0c67c32219c199f92ed8da7572b4c6df64eacd3a
End time : 15:33:15 2011 (22 minutes)
End rpmdb : 1109:1171025bd9b6b5f8db30d063598f590f1c1f3242
User : Jaromir Hradilek <jhradilek>
Return-Code : Success
Command Line : install screen
Command Line : install yum-plugin-fs-snapshot
Transaction performed with:
Installed rpm-4.8.0-16.el6.x86_64
Installed yum-3.2.29-17.el6.noarch
Installed yum-metadata-parser-1.1.2-16.el6.x86_64
Packages Altered:
Install screen-4.0.3-16.el6.x86_64
Install yum-plugin-fs-snapshot-1.1.30-6.el6.noarch
To display additional information about a transaction, run the following command as root:
yum history addon-info id
Similarly to yum history info, when no id is provided, yum automatically uses the latest transaction. Another way to refer to the latest transaction is to use the last keyword:
yum history addon-info last
For the fourth transaction in the history, the yum history addon-info command would provide the following output:
~]# yum history addon-info 4
Loaded plugins: langpacks, presto, refresh-packagekit
Transaction ID: 4
Available additional history information:
config-main
config-repos
saved_tx
config-main — global Yum options that were in use during the transaction. Refer to Section 4.3.1, “Setting [main] Options” for information on how to change global options.
config-repos — options for individual Yum repositories. Refer to Section 4.3.2, “Setting [repository] Options” for information on how to change options for individual repositories.
saved_tx — the data that can be used by the yum load-transaction command in order to repeat the transaction on another machine (see below).
To display a selected type of additional information, run the following command as root:
yum history addon-info id information
The yum history command provides means to revert or repeat a selected transaction. To revert a transaction, type the following at a shell prompt as root:
yum history undo id
To repeat a particular transaction, as root, run the following command:
yum history redo id
Both commands also accept the last keyword to undo or repeat the latest transaction.
yum history undo and yum history redo commands merely revert or repeat the steps that were performed during a transaction: if the transaction installed a new package, the yum history undo command will uninstall it, and vice versa. If possible, this command will also attempt to downgrade all updated packages to their previous version, but these older packages may no longer be available. If you need to be able to restore the system to the state before an update, consider using the fs-snapshot plug-in described in Section 4.4.3, “Plug-in Descriptions”.
To store the transaction details in a file, run the following command as root:
yum -q history addon-info id saved_tx > file_name
Once you copy this file to the target system, you can repeat the transaction by using the following command as root:
yum load-transaction file_name
Note, however, that the rpmdb version stored in the file must be identical to the version on the target system. You can verify the rpmdb version by using the yum version nogroups command.
To start a new transaction history, run the following command as root:
yum history new
This will create a new, empty database file in the /var/lib/yum/history/ directory. The old transaction history will be kept, but will not be accessible as long as a newer database file is present in the directory.
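The transaction record shown above is plain text, so an auditor who wants to answer "who installed what, and when" across many hosts usually ends up parsing it. The following is an added example (not code from the Fedora guide or from yum itself) that turns one yum history info block into a structured record and checks the rpmdb version the way yum load-transaction requires: the Begin rpmdb value stored with the transaction must equal the rpmdb version on the target system. The sample text is a constructed copy of the transaction shown in this section.

```python
"""Parse `yum history info` output into a structured record.

Added example, not part of the Fedora guide or of yum. The sample below is a
constructed copy of the transaction the guide shows.
"""

SAMPLE_HISTORY_INFO = """\
Loaded plugins: langpacks, presto, refresh-packagekit
Transaction ID : 4..5
Begin time     : Thu Jul 21 15:10:46 2011
Begin rpmdb    : 1107:0c67c32219c199f92ed8da7572b4c6df64eacd3a
End time       :            15:33:15 2011 (22 minutes)
End rpmdb      : 1109:1171025bd9b6b5f8db30d063598f590f1c1f3242
User           : Jaromir Hradilek <jhradilek>
Return-Code    : Success
Command Line   : install screen
Command Line   : install yum-plugin-fs-snapshot
Transaction performed with:
    Installed     rpm-4.8.0-16.el6.x86_64
    Installed     yum-3.2.29-17.el6.noarch
    Installed     yum-metadata-parser-1.1.2-16.el6.x86_64
Packages Altered:
    Install screen-4.0.3-16.el6.x86_64
    Install yum-plugin-fs-snapshot-1.1.30-6.el6.noarch
"""


def parse_history_info(text):
    """Return a dict for one transaction block.

    "Key : value" lines become record[key]; "Command Line" may repeat, so it is
    collected as a list; the two indented lists ("Transaction performed with:"
    and "Packages Altered:") become lists of (action, package) tuples.
    """
    record = {"command_lines": [], "performed_with": [], "packages_altered": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Loaded plugins:"):
            continue
        if line.endswith(":") and not line.startswith(" "):
            section = line[:-1]  # header of an indented list
            continue
        if line.startswith(" ") and section:
            action, _, pkg = line.strip().partition(" ")
            key = "performed_with" if section.startswith("Transaction performed") else "packages_altered"
            record[key].append((action, pkg.strip()))
            continue
        section = None
        key, _, value = line.partition(":")  # first colon separates key from value
        key, value = key.strip(), value.strip()
        if key == "Command Line":
            record["command_lines"].append(value)
        else:
            record[key] = value
    return record


def rpmdb_version(record, which="Begin"):
    """Split 'Begin rpmdb' / 'End rpmdb' into (package count, checksum)."""
    count, _, checksum = record[f"{which} rpmdb"].partition(":")
    return int(count), checksum


def can_load_transaction(record, target_rpmdb):
    """yum load-transaction needs the saved rpmdb version to equal the target's."""
    return record["Begin rpmdb"] == target_rpmdb


def installed_packages(record):
    """Packages the transaction newly installed (action 'Install')."""
    return [pkg for action, pkg in record["packages_altered"] if action == "Install"]


if __name__ == "__main__":
    rec = parse_history_info(SAMPLE_HISTORY_INFO)
    print(rec["User"], rec["Return-Code"], installed_packages(rec))
```

On a real system the input would come from yum history info id, and the rpmdb version to compare against from yum version nogroups on the target host, as the text above describes.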
The configuration file for yum and related utilities is located at /etc/yum.conf. This file contains one mandatory [main] section, which allows you to set Yum options that have global effect, and may also contain one or more [repository] sections, which allow you to set repository-specific options. However, best practice is to define individual repositories in new or existing .repo files in the /etc/yum.repos.d/ directory. The values you define in the [main] section of the /etc/yum.conf file may override values set in individual [repository] sections.
This section shows you how to:
- set global Yum options by editing the [main] section of the /etc/yum.conf configuration file;
- set options for individual repositories by editing the [repository] sections in /etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
- use Yum variables in /etc/yum.conf and files in the /etc/yum.repos.d/ directory so that dynamic version and architecture values are handled correctly.
The /etc/yum.conf configuration file contains exactly one [main] section, and while some of the key-value pairs in this section affect how yum operates, others affect how Yum treats repositories. You can add many additional options under the [main] section heading in /etc/yum.conf.
A sample /etc/yum.conf configuration file can look like this:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
[comments abridged]
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
The following are the most commonly used options in the [main] section:
assumeyes=value, where value is one of:
0 — yum should prompt for confirmation of critical actions it performs. This is the default.
1 — Do not prompt for confirmation of critical yum actions. If assumeyes=1 is set, yum behaves in the same way that the command line option -y does.
cachedir=directory, where directory is an absolute path to the directory where Yum should store its cache and database files. By default, Yum's cache directory is /var/cache/yum/$basearch/$releasever.
Refer to Section 4.3.3, “Using Yum Variables” for descriptions of the $basearch and $releasever Yum variables.
debuglevel=value, where value is an integer between 1 and 10. Setting a higher debuglevel value causes yum to display more detailed debugging output. debuglevel=0 disables debugging output, while debuglevel=2 is the default.
exactarch=value, where value is one of:
0 — Do not take into account the exact architecture when updating packages.
1 — Consider the exact architecture when updating packages. With this setting, yum will not install an i686 package to update an i386 package already installed on the system. This is the default.
exclude=package_name [more_package_names] allows you to exclude packages by keyword during installation and updating. Shell glob expressions using wildcards (for example, * and ?) are allowed.
gpgcheck=value, where value is one of:
0 — Disable GPG signature-checking on packages in all repositories, including local package installation.
1 — Enable GPG signature-checking on all packages in all repositories, including local package installation. gpgcheck=1 is the default, and thus all packages' signatures are checked.
If this option is set in the [main] section of the /etc/yum.conf file, it sets the GPG-checking rule for all repositories. However, you can also set gpgcheck=value for individual repositories instead; that is, you can enable GPG-checking on one repository while disabling it on another. Setting gpgcheck=value for an individual repository in its corresponding .repo file overrides the default if it is present in /etc/yum.conf.
groupremove_leaf_only=value, where value is one of:
0 — yum should not check the dependencies of each package when removing a package group. With this setting, yum removes all packages in a package group, regardless of whether those packages are required by other packages or groups. groupremove_leaf_only=0 is the default.
1 — yum should check the dependencies of each package when removing a package group, and remove only those packages which are not required by any other package or group.
installonlypkgs=space separated list of packages lets you specify a list of packages which yum can install, but will never update. Refer to the yum.conf(5) manual page for the list of packages which are install-only by default.
If you add the installonlypkgs directive to /etc/yum.conf, you should ensure that you list all of the packages that should be install-only, including any of those listed under the installonlypkgs section of yum.conf(5). In particular, kernel packages should always be listed in installonlypkgs (as they are by default), and installonly_limit should always be set to a value greater than 2 so that a backup kernel is always available in case the default one fails to boot.
installonly_limit=value, where value is an integer representing the maximum number of versions that can be installed simultaneously for any single package listed in the installonlypkgs directive.
The defaults of the installonlypkgs directive include several different kernel packages, so be aware that changing the value of installonly_limit will also affect the maximum number of installed versions of any single kernel package. The default value listed in /etc/yum.conf is installonly_limit=3, and it is not recommended to decrease this value, particularly below 2.
keepcache=value, where value is one of:
0 — Do not retain the cache of headers and packages after a successful installation. This is the default.
1 — Retain the cache after a successful installation.
logfile=file_name, where file_name is an absolute path to the file in which yum should write its logging output. By default, yum logs to /var/log/yum.log.
multilib_policy=value, where value is one of:
best — install the best-choice architecture for this system. For example, setting multilib_policy=best on an AMD64 system causes yum to install 64-bit versions of all packages.
all — always install every possible architecture for every package. For example, with multilib_policy set to all on an AMD64 system, yum would install both the i586 and AMD64 versions of a package, if both were available.
obsoletes=value, where value is one of:
0 — Disable yum's obsoletes processing logic when performing updates.
1 — Enable yum's obsoletes processing logic when performing updates. When one package declares in its spec file that it obsoletes another package, the latter package will be replaced by the former package when the former package is installed. Obsoletes are declared, for example, when a package is renamed. obsoletes=1 is the default.
plugins=value, where value is one of:
0 — Disable all Yum plug-ins globally.
Disabling all plug-ins is not advised because certain plug-ins provide important Yum services. Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
1 — Enable all Yum plug-ins globally. With plugins=1, you can still disable a specific Yum plug-in by setting enabled=0 in that plug-in's configuration file.
reposdir=directory, where directory is an absolute path to the directory where .repo files are located. All .repo files contain repository information (similar to the [repository] sections of /etc/yum.conf). yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for transactions. If reposdir is not set, yum uses the default directory /etc/yum.repos.d/.
retries=value, where value is an integer 0 or greater. This value sets the number of times yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 10.
For a complete list of available [main] options, refer to the [main] OPTIONS section of the yum.conf(5) manual page.
The [repository] sections, where repository is a unique repository ID such as my_personal_repo (spaces are not permitted), allow you to define individual Yum repositories.
The following is a bare-minimum example of the form a [repository] section takes:
[repository]
name=repository_name
baseurl=repository_url
Every [repository] section must contain the following directives:
name=repository_name, where repository_name is a human-readable string describing the repository.
baseurl=repository_url, where repository_url is a URL to the directory where the repodata directory of a repository is located:
http://path/to/repo
ftp://path/to/repo
file:///path/to/local/repo
If a specific online repository requires basic HTTP authentication, you can specify your username and password by prepending them to the URL as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of “user” and a password of “password”, then the baseurl link could be specified as http://user:password@www.example.com/repo/.
baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
Yum always expands the $releasever, $arch, and $basearch variables in URLs. For more information about Yum variables, refer to Section 4.3.3, “Using Yum Variables”.
Another useful [repository] directive is the following:
enabled=value, where value is one of:
0 — Do not include this repository as a package source when performing updates and installs. This is an easy way of quickly turning repositories on and off, which is useful when you desire a single package from a repository that you do not want to enable for updates or installs.
1 — Include this repository as a package source.
Turning repositories on and off can also be performed by passing either the --enablerepo=repo_name or --disablerepo=repo_name option to yum, or through the Add/Remove Software window of the PackageKit utility.
Many more [repository] options exist. For a complete list, refer to the [repository] OPTIONS section of the yum.conf(5) manual page.
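Two of the settings described above deserve a routine check on managed hosts: the effective gpgcheck value of each repository (a repository-level setting overrides the [main] default, and the default is 1) and any username:password embedded in a baseurl, which sits in a world-readable .repo file. The following is an added example, not code from the Fedora guide or from yum, that reads yum.conf plus the .repo files in reposdir with configparser and reports both conditions, along with any enabled repository fetched over plain http or ftp. The yum.conf and .repo contents are constructed for the demonstration and are written to a temporary directory rather than to /etc.

```python
"""Audit yum.conf and .repo files for signature checking and embedded credentials.

Added example, not part of the Fedora guide or of yum. Sample config files are
constructed inline and written to a temporary directory.
"""
import configparser
import os
import tempfile
from urllib.parse import urlsplit

SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
installonly_limit=3
"""

# Constructed .repo files: one sane, one with two problem repositories.
SAMPLE_REPO_FILES = {
    "good.repo": """\
[good]
name=Signed repository $releasever - $basearch
baseurl=https://repo.example.com/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
""",
    "risky.repo": """\
[unsigned-local]
name=Local mirror without signature checking
baseurl=file:///mnt/local_repo/
gpgcheck=0

[private]
name=Private repo with credentials in the URL
baseurl=http://user:password@www.example.com/repo/
enabled=0
""",
}


def load_yum_config(conf_path):
    """Return (main options, {repo_id: options}) from yum.conf and its reposdir."""
    parser = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    parser.read(conf_path)
    main = dict(parser["main"]) if parser.has_section("main") else {}
    reposdir = main.get("reposdir", "/etc/yum.repos.d/")
    repos = {s: dict(parser[s]) for s in parser.sections() if s != "main"}
    if os.path.isdir(reposdir):
        for name in sorted(os.listdir(reposdir)):
            if name.endswith(".repo"):
                rp = configparser.ConfigParser(interpolation=None)
                rp.read(os.path.join(reposdir, name))
                for section in rp.sections():
                    repos[section] = dict(rp[section])
    return main, repos


def effective_gpgcheck(main, repo):
    """Repository value wins; otherwise the [main] value; otherwise yum's default of 1."""
    return int(repo.get("gpgcheck", main.get("gpgcheck", "1")))


def audit_repos(main, repos):
    """Return a sorted list of (repo_id, finding) tuples."""
    findings = []
    for repo_id, opts in repos.items():
        enabled = int(opts.get("enabled", "1"))
        if enabled and effective_gpgcheck(main, opts) == 0:
            findings.append((repo_id, "gpgcheck-disabled"))
        url = urlsplit(opts.get("baseurl", ""))
        if url.username or url.password:  # leaks even when the repo is disabled
            findings.append((repo_id, "credentials-in-baseurl"))
        if enabled and url.scheme in ("http", "ftp"):
            findings.append((repo_id, "cleartext-baseurl"))
    return sorted(findings)


def write_sample_config():
    """Materialise the constructed files in a temp dir; returns the yum.conf path."""
    root = tempfile.mkdtemp()
    reposdir = os.path.join(root, "yum.repos.d")
    os.mkdir(reposdir)
    conf = os.path.join(root, "yum.conf")
    with open(conf, "w") as fh:
        fh.write(SAMPLE_YUM_CONF + f"reposdir={reposdir}\n")
    for name, body in SAMPLE_REPO_FILES.items():
        with open(os.path.join(reposdir, name), "w") as fh:
            fh.write(body)
    return conf


if __name__ == "__main__":
    main_opts, repo_map = load_yum_config(write_sample_config())
    for repo_id, finding in audit_repos(main_opts, repo_map):
        print(f"{repo_id}: {finding}")
```

To run it against a real host, pass /etc/yum.conf to load_yum_config instead of the constructed file; the reposdir value is then taken from [main] or defaults to /etc/yum.repos.d/ as the text above describes.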
Variables can be used in yum commands and in all Yum configuration files (that is, /etc/yum.conf and all .repo files in the /etc/yum.repos.d/ directory):
$releasever — you can use this variable to reference the release version of Fedora. Yum obtains the value of $releasever from the distroverpkg=value line in the /etc/yum.conf configuration file. If there is no such line in /etc/yum.conf, then yum infers the correct value by deriving the version number from the redhat-release package.
$arch — you can use this variable to refer to the system's CPU architecture as returned when calling Python's os.uname() function. Valid values for $arch include: i586, i686 and x86_64.
$basearch — you can use $basearch to reference the base architecture of the system. For example, i686 and i586 machines both have a base architecture of i386, and AMD64 and Intel64 machines have a base architecture of x86_64.
$YUM0-9 — these ten variables can each be replaced with the value of any shell environment variable with the same name. If one of these variables is referenced (in /etc/yum.conf for example) and a shell environment variable with the same name does not exist, then the configuration file variable is not replaced.
To define a custom variable or to override the value of an existing one, create a file with the same name as the variable (without the “$” sign) in the /etc/yum/vars/ directory, and add the desired value on its first line.
For example, to define a new variable called $osname, create a new file with “Fedora” on the first line and save it as /etc/yum/vars/osname:
~]# echo "Fedora" > /etc/yum/vars/osname
You can then use the following in your .repo files:
name=$osname $releasever
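The variable rules above (built-in $arch and $basearch, $YUM0-9 taken from the environment only when such a variable exists, and one file per variable under /etc/yum/vars/ whose first line is the value and which overrides everything else) are easy to get wrong when reviewing a repository definition by eye. The following is an added example, not yum's own implementation, that applies those rules to a .repo fragment. The i586/i686-to-i386 mapping is taken from the text; the vars directory and environment used here are constructed, and $releasever is passed in directly because the example does not query the distroverpkg package.

```python
"""Expand Yum variables in a configuration fragment.

Added example, not yum's own code. The variable table follows the rules in the
guide: built-ins, then $YUM0-9 from the environment, then per-variable files
which override everything else. Unknown variables are left untouched.
"""
import os
import re
import tempfile

VAR_RE = re.compile(r"\$(\w+)")

# i586/i686 share base architecture i386; AMD64/Intel64 report x86_64 (assumed map)
BASEARCH = {"i386": "i386", "i486": "i386", "i586": "i386", "i686": "i386",
            "x86_64": "x86_64", "amd64": "x86_64"}


def builtin_vars(machine, releasever):
    """$arch is the raw machine string, $basearch the mapped base architecture."""
    return {"arch": machine, "basearch": BASEARCH.get(machine, machine),
            "releasever": releasever}


def env_vars(environ):
    """Only $YUM0..$YUM9 come from the environment, and only if they exist."""
    return {k: v for k, v in environ.items() if re.fullmatch(r"YUM[0-9]", k)}


def file_vars(vars_dir):
    """One file per variable (/etc/yum/vars/ on a real host); first line is the value."""
    result = {}
    if not os.path.isdir(vars_dir):
        return result
    for name in os.listdir(vars_dir):
        with open(os.path.join(vars_dir, name)) as fh:
            result[name] = fh.readline().rstrip("\n")
    return result


def yum_vars(machine, releasever, environ, vars_dir):
    """Build the variable table; later sources override earlier ones."""
    table = builtin_vars(machine, releasever)
    table.update(env_vars(environ))
    table.update(file_vars(vars_dir))
    return table


def expand(text, table):
    """Replace $name with its value; names without a value are left as-is."""
    return VAR_RE.sub(lambda m: table.get(m.group(1), m.group(0)), text)


def demo():
    """Constructed vars directory and environment; returns the expanded fragment."""
    vars_dir = tempfile.mkdtemp()
    with open(os.path.join(vars_dir, "osname"), "w") as fh:
        fh.write("Fedora\n")  # same effect as: echo "Fedora" > /etc/yum/vars/osname
    environ = {"YUM0": "mirror.example.com", "HOME": "/root"}  # $YUM1 is not set
    table = yum_vars("i686", "17", environ, vars_dir)
    fragment = ("name=$osname $releasever\n"
                "baseurl=http://$YUM0/repo/releases/$releasever/server/$basearch/os/\n"
                "mirrorlist=http://$YUM1/mirrors\n")
    return expand(fragment, table)


if __name__ == "__main__":
    print(demo())
```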
To display the current values of global Yum options (that is, the options specified in the [main] section of the /etc/yum.conf file), run yum-config-manager with no command line options:
yum-config-manager
To list the content of a different configuration section or sections, use the command in the following form:
yum-config-manager section…
You can also use a glob expression to display the configuration of all matching sections:
yum-config-manager glob_expression…
~]$ yum-config-manager main \*
Loaded plugins: langpacks, presto, refresh-packagekit
================================== main ===================================
[main]
alwaysprompt = True
assumeyes = False
bandwith = 0
bugtracker_url = https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206&component=yum
cache = 0
[output truncated]
This section explains how to add, enable, and disable a repository by using the yum-config-manager command.
To define a new repository, you can either add a [repository] section to the /etc/yum.conf file, or to a .repo file in the /etc/yum.repos.d/ directory. All files with the .repo file extension in this directory are read by yum, and best practice is to define your repositories here instead of in /etc/yum.conf.
Yum repositories commonly provide their own .repo file. To add such a repository to your system and enable it, run the following command as root:
yum-config-manager --add-repo repository_url
…where repository_url is a link to the .repo file. For example, to add a repository located at http://www.example.com/example.repo, type the following at a shell prompt:
~]# yum-config-manager --add-repo http://www.example.com/example.repo
Loaded plugins: langpacks, presto, refresh-packagekit
adding repo from: http://www.example.com/example.repo
grabbing file http://www.example.com/example.repo to /etc/yum.repos.d/example.repo
example.repo | 413 B 00:00
repo saved to /etc/yum.repos.d/example.repo
To enable a particular repository or repositories, type the following at a shell prompt as root:
yum-config-manager --enable repository…
…where repository is the unique repository ID (use yum repolist all to list available repository IDs). Alternatively, you can use a glob expression to enable all matching repositories:
yum-config-manager --enable glob_expression…
For example, to enable repositories defined in the [example], [example-debuginfo], and [example-source] sections, type:
~]# yum-config-manager --enable example\*
Loaded plugins: langpacks, presto, refresh-packagekit
============================== repo: example ==============================
[example]
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/6Server
baseurl = http://www.example.com/repo/6Server/x86_64/
cache = 0
cachedir = /var/cache/yum/x86_64/6Server/example
[output truncated]
When successful, the yum-config-manager --enable command displays the current repository configuration.
To disable a Yum repository, run the following command as root:
yum-config-manager --disable repository…
…where repository is the unique repository ID (use yum repolist all to list available repository IDs). Similarly to yum-config-manager --enable, you can use a glob expression to disable all matching repositories at the same time:
yum-config-manager --disable glob_expression…
When successful, the yum-config-manager --disable command displays the current configuration.
To set up a local Yum repository, install the createrepo package:
~]# yum install createrepo
Copy all packages that you want to have in your repository into one directory, such as /mnt/local_repo/.
Run the createrepo --database command on that directory:
~]# createrepo --database /mnt/local_repo
This will create the necessary metadata for your Yum repository, as well as the sqlite database for speeding up yum operations.
The plug-ins that are loaded are listed after the Loaded plugins line in the output of every yum command. For example:
~]# yum info yum
Loaded plugins: langpacks, presto, refresh-packagekit
[output truncated]
The plug-in names that follow Loaded plugins are the names you can provide to the --disableplugins=plugin_name option.
To enable Yum plug-ins, ensure that a line beginning with plugins= is present in the [main] section of /etc/yum.conf, and that its value is set to 1:
plugins=1
You can disable all plug-ins by changing this line to plugins=0.
Disabling all plug-ins is not advised because certain plug-ins provide important Yum services. Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
Every installed plug-in has its own configuration file in the /etc/yum/pluginconf.d/ directory. You can set plug-in specific options in these files. For example, here is the refresh-packagekit plug-in's refresh-packagekit.conf configuration file:
[main]
enabled=1
Plug-in configuration files always contain a [main] section (similar to Yum's /etc/yum.conf file) in which there is (or you can place if it is missing) an enabled= option that controls whether the plug-in is enabled when you run yum commands.
If you disable all plug-ins by setting plugins=0 in /etc/yum.conf, then all plug-ins are disabled regardless of whether they are enabled in their individual configuration files.
To disable all Yum plug-ins for a single yum command, use the --noplugins option.
To disable one or more Yum plug-ins for a single yum command, add the --disableplugin=plugin_name option to the command. For example, to disable the presto plug-in while updating a system, type:
~]# yum update --disableplugin=presto
The plug-in names you provide to the --disableplugin= option are the same names listed after the Loaded plugins line in the output of any yum command. You can disable multiple plug-ins by separating their names with commas. In addition, you can match multiple plug-in names or shorten long ones by using glob expressions:
~]# yum update --disableplugin=presto,refresh-pack*
Yum plug-ins usually adhere to the yum-plugin-plugin_name package-naming convention, but not always: the package which provides the presto plug-in is named yum-presto, for example. You can install a Yum plug-in in the same way you install other packages. For instance, to install the security plug-in, type the following at a shell prompt:
~]# yum install yum-plugin-security
In order for the fs-snapshot plug-in to work, the root file system (/) must be on an LVM (Logical Volume Manager) or Btrfs volume. To use the fs-snapshot plug-in on an LVM volume, take the following steps:
Make sure the volume group contains enough free extents to create a snapshot: run the vgdisplay command in the following form as root:
vgdisplay volume_group
The number of free extents is listed on the Free PE / Size line.
If needed, as root, run the pvcreate command in the following form to initialize a physical volume for use with the Logical Volume Manager:
pvcreate device
Then use the vgextend command in the following form as root to add the physical volume to the volume group:
vgextend volume_group physical_volume
Edit the configuration file /etc/yum/pluginconf.d/fs-snapshot.conf, and make the following changes to the [lvm] section:
Change the value of the enabled option to 1:
enabled = 1
Remove the hash sign (that is, #) from the beginning of the lvcreate_size_args line, and adjust the number of logical extents to be allocated for a snapshot. For example, to allocate 80 % of the size of the original logical volume, use:
lvcreate_size_args = -l 80%ORIGIN
Refer to the table “fs-snapshot.conf directives” for a complete list of available configuration options.
Run the desired yum command, and make sure fs-snapshot is included in the list of loaded plug-ins (the Loaded plugins line) before you confirm the changes and proceed with the transaction. The fs-snapshot plug-in displays a line in the following form for each affected logical volume:
fs-snapshot: snapshotting file_system (/dev/volume_group/logical_volume): logical_volume_yum_timestamp
To remove a snapshot, use the lvremove command as root:
lvremove /dev/volume_group/logical_volume_yum_timestamp
To revert to a snapshot, as root, run the command in the following form to merge a snapshot into its original logical volume:
lvconvert --merge /dev/volume_group/logical_volume_yum_timestamp
The lvconvert command will inform you that a restart is required in order for the changes to take effect.
Restart the system as root:
reboot
To use the fs-snapshot plug-in on a Btrfs file system, run the desired yum command, and make sure fs-snapshot is included in the list of loaded plug-ins (the Loaded plugins line) before you confirm the changes and proceed with the transaction. The fs-snapshot plug-in displays a line in the following form for each affected file system:
fs-snapshot: snapshotting file_system: file_system/yum_timestamp
To delete a snapshot, run the following command as root:
btrfs subvolume delete file_system/yum_timestamp
To view a list of available snapshots, run the following command as root:
btrfs subvolume list file_system
To revert to a snapshot, as root, configure the system to mount this snapshot by default:
btrfs subvolume set-default id file_system
Restart the system as root:
reboot
fs-snapshot.conf directives
| Section | Directive | Description |
|---|---|---|
| [main] | enabled=value | Allows you to enable or disable the plug-in. The value must be either 1 (enabled), or 0 (disabled). When installed, the plug-in is enabled by default. |
| [main] | exclude=list | Allows you to exclude certain file systems. The value must be a space-separated list of mount points you do not want to snapshot (for example, /srv /mnt/backup). This option is not included in the configuration file by default. |
| [lvm] | enabled=value | Allows you to enable or disable the use of the plug-in on LVM volumes. The value must be either 1 (enabled), or 0 (disabled). This option is disabled by default. |
| [lvm] | lvcreate_size_args=value | Allows you to specify the size of a logical volume snapshot. The value must be the -l or -L command line option for the lvcreate utility followed by a valid argument (for example, -l 80%ORIGIN). |
The refresh-packagekit plug-in updates metadata for PackageKit whenever yum is run. The refresh-packagekit plug-in is installed by default.
The rhnplugin plug-in provides support for connecting to RHN Classic. This allows systems registered with RHN Classic to update and install packages from this system.
The security plug-in extends yum with a set of highly useful security-related commands, subcommands and options.
~]# yum check-update --security
Loaded plugins: langpacks, presto, refresh-packagekit, security
Limiting package lists to security relevant ones
updates-testing/updateinfo | 329 kB 00:00
9 package(s) needed for security, out of 270 available
ConsoleKit.x86_64 0.4.5-1.fc15 updates
ConsoleKit-libs.x86_64 0.4.5-1.fc15 updates
ConsoleKit-x11.x86_64 0.4.5-1.fc15 updates
NetworkManager.x86_64 1:0.8.999-2.git20110509.fc15 updates
NetworkManager-glib.x86_64 1:0.8.999-2.git20110509.fc15 updates
[output truncated]
You can then use either yum update --security or yum update-minimal --security to update those packages which are affected by security advisories. Both of these commands update all packages on the system for which a security advisory has been issued. yum update-minimal --security updates them to the latest packages which were released as part of a security advisory, while yum update --security will update all packages affected by a security advisory to the latest version of that package available.
For example, where kernel-2.6.38.6-22 is the version released as part of a security advisory and kernel-2.6.38.6-26 is the latest version available, yum update-minimal --security will update you to kernel-2.6.38.6-22, and yum update --security will update you to kernel-2.6.38.6-26. Conservative system administrators may want to use update-minimal to reduce the risk incurred by updating packages as much as possible.
yum.
The Yum Guides section of the Yum wiki contains more documentation.
You can open Software Update by running the gpk-update-viewer command at the shell prompt. In the Software Updates window, all available updates are listed along with the names of the packages being updated (minus the .rpm suffix, but including the CPU architecture), a short summary of the package, and, usually, short descriptions of the changes the update provides. Any updates you do not wish to install can be de-selected here by unchecking the checkbox corresponding to the update.

If the update installs a new kernel package, then it will prompt you after installation, asking you whether you want to reboot the system and thereby boot into the newly-installed kernel.


The Software Sources window shows the repository name, as written in the name=My Repository Name field of all [repository] sections in the /etc/yum.conf configuration file, and in all repository.repo files in the /etc/yum.repos.d/ directory.
The checkbox next to each repository corresponds to the enabled=<1 or 0> field in [repository] sections. Checking an unchecked box enables the Yum repository, and unchecking it disables it. Performing either function causes PolicyKit to prompt for superuser authentication to enable or disable the repository. PackageKit actually inserts the enabled=<1 or 0> line into the correct [repository] section if it does not exist, or changes the value if it does. This means that enabling or disabling a repository through the Software Sources window causes that change to persist after closing the window or rebooting the system. The ability to quickly enable and disable repositories based on your needs is a highly convenient feature of PackageKit.
You can open Add/Remove Software by running the gpk-application command at the shell prompt.


package_name-devel packages we are not interested in.

For example, searching for package would cause the following related packages to be filtered out of the results (if they exist):
package-devel
package-libs
package-libs-devel
package-debuginfo
crontabs-1.10-32.1.el6.noarch.rpm) are never filtered out by checking . This filter has no effect on non-multilib systems, such as x86 machines.

We can then run htop, a colorful and enhanced version of the top process viewer, by opening a shell prompt and entering:
htop
Suppose top is good enough for us and we want to uninstall htop. Remembering that we need to change the filter we recently used to install it to in → , we search for htop again and uncheck it. The program did not install any dependencies of its own; if it had, those would be automatically removed as well, as long as they were not also dependencies of any other packages still installed on our system.


You can open Software Log Viewer by running the gpk-log command at the shell prompt.
The log shows the Action, such as Updated Packages or Installed Packages, the Date on which that action was performed, the Username of the user who performed the action, and the front end Application the user used (such as Add/Remove Software, or Update System). The Details column provides the types of the transactions, such as Updated, Installed, or Removed, as well as the list of packages the transactions were performed on.

PackageKit's graphical front ends communicate with the packagekitd daemon back end, which communicates with a package manager-specific back end that utilizes Yum to perform the actual transactions, such as installing and removing packages.
| Window Title | Function | How to Open | Shell Command |
|---|---|---|---|
| Add/Remove Software | Install, remove or view package info | From the GNOME panel: → → | gpk-application |
| Software Update | Perform package updates | From the GNOME panel: → → | gpk-update-viewer |
| Software Sources | Enable and disable Yum repositories | From Add/Remove Software: → | gpk-repo |
| Software Log Viewer | View the transaction log | From Add/Remove Software: → | gpk-log |
| Software Update Preferences | Set PackageKit preferences | | gpk-prefs |
| (Notification Area Alert) | Alerts you when updates are available | From the GNOME panel: → → , Startup Programs tab | gpk-update-icon |
The packagekitd daemon runs outside the user session and communicates with the various graphical front ends. The packagekitd daemon[1] communicates via the DBus system message bus with another back end, which utilizes Yum's Python API to perform queries and make changes to the system. On Linux systems other than Red Hat Enterprise Linux and Fedora, packagekitd can communicate with other back ends that are able to utilize the native package manager for that system. This modular architecture provides the abstraction necessary for the graphical interfaces to work with many different package managers to perform essentially the same types of package management tasks. Learning how to use the PackageKit front ends means that you can use the same familiar graphical interface across many different Linux distributions, even when they utilize a native package manager other than Yum.
The packagekitd daemon, which runs outside of the user session.
The graphical front ends are provided by the gnome-packagekit package instead of by PackageKit and its dependencies. Users working in a KDE environment may prefer to install the kpackagekit package, which provides a KDE interface for PackageKit.
PackageKit also comes with a console-based front end called pkcon.
[1] System services are started and stopped with the systemctl command and can be turned on or off permanently by using the systemctl enable or systemctl disable commands. They can typically be recognized by a “d” appended to their name, such as the packagekitd daemon. Refer to Chapter 8, Services and Daemons for information about system services.
Connection types supported by NetworkManager include DSL and PPPoE (Point-to-Point over Ethernet). In addition, NetworkManager allows for the configuration of network aliases, static routes, DNS information and VPN connections, as well as many connection-specific parameters. Finally, NetworkManager provides a rich API via D-Bus which allows applications to query and control network configuration and state.
The Network Administration Tool was commonly known as system-config-network after its command line invocation. In Fedora 17, NetworkManager replaces the former Network Administration Tool while providing enhanced functionality, such as user-specific and mobile broadband configuration. It is also possible to configure the network in Fedora 17 by editing interface configuration files; refer to Chapter 7, Network Interfaces for more information.
~]# yum install NetworkManager
~]# service NetworkManager status
NetworkManager (pid 1527) is running...
The service command will report NetworkManager is stopped if the NetworkManager service is not running. To start it for the current session:
~]# service NetworkManager start
Run the chkconfig command to ensure that NetworkManager starts up every time the system boots:
~]# chkconfig NetworkManager on

~]$ nm-applet &


Whereas system-wide connection settings are stored in the /etc/sysconfig/network-scripts/ directory (mainly in ifcfg-<network_type> interface configuration files), user connection settings are stored in the GConf configuration database and the GNOME keyring, and are only available during login sessions for the user who created them. Thus, logging out of the desktop session causes user-specific connections to become unavailable.
Converting a user connection to a system-wide connection causes NetworkManager to create the relevant interface configuration files in the /etc/sysconfig/network-scripts/ directory, and to delete the GConf settings from the user's session. Conversely, converting a system to a user-specific connection causes NetworkManager to remove the system-wide configuration files and create the corresponding GConf/GNOME keyring settings.


Many settings default to automatic. These defaults will suffice unless you are associating a wired connection with a second or specific NIC, or performing advanced networking. In such cases, refer to the following descriptions:
The ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the eth0 interface (which is 52:54:00:26:9e:f1) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
inet6 fe80::5054:ff:fe26:9ef1/64 scope link
valid_lft forever preferred_lft forever
Locate the MAC address in the output of the ip addr command, and then copy and paste that value into the MAC address text-entry field.
The MTU value defaults to 1500 when using IPv4, or a variable number 1280 or higher for IPv6, and does not generally need to be specified or changed.
You can use NetworkManager to configure a wireless (802.11a/b/g/n) connection to an Access Point.



The ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the wlan0 interface (which is 00:1c:bf:02:f8:70) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
inet6 fe80::5054:ff:fe26:9ef1/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0
inet6 fe80::21c:bfff:fe02:f870/64 scope link
valid_lft forever preferred_lft forever
Locate the MAC address in the output of the ip addr command, and then copy and paste that value into the MAC address text-entry field.
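Both ip addr listings above are read the same way: the hardware address follows link/ether on the line under the interface header. When the same lookup has to be done for an inventory or an incident timeline rather than by eye, a small parser is more reliable than copy and paste. The following is an added example (not code from the Fedora guide or from iproute2) that parses ip addr output into a per-interface record and, as a consistency check, derives the EUI-64 link-local IPv6 address from the MAC so it can be compared with the inet6 line the kernel reports. The sample text is a constructed copy of the wlan0 listing above.

```python
"""Parse `ip addr` output and cross-check MAC addresses against inet6 link-local.

Added example, not part of the Fedora guide or of iproute2. The sample output is
a constructed copy of the listing in the guide.
"""
import ipaddress
import re

SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
    inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0
    inet6 fe80::21c:bfff:fe02:f870/64 scope link
       valid_lft forever preferred_lft forever
"""

# "2: eth0: <FLAGS> mtu 1500 ..."; the optional "@parent" suffix appears on VLAN/veth names
IFACE_RE = re.compile(r"^(\d+): ([^:@]+)(?:@\S+)?: <([^>]*)> mtu (\d+)")


def parse_ip_addr(text):
    """Return {name: {index, flags, mtu, mac, inet, inet6}} for each interface."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "flags": m.group(3).split(","),
                       "mtu": int(m.group(4)), "mac": None, "inet": [], "inet6": []}
            ifaces[m.group(2)] = current
            continue
        parts = line.split()
        if current is None or not parts:
            continue
        if parts[0] == "link/ether":          # the MAC address the guide tells you to copy
            current["mac"] = parts[1]
        elif parts[0] in ("inet", "inet6"):
            current[parts[0]].append(parts[1])
    return ifaces


def mac_for(text, name):
    """MAC of one interface, or None if absent (e.g. the loopback device)."""
    iface = parse_ip_addr(text).get(name)
    return iface["mac"] if iface else None


def ether_interfaces(text):
    """{name: mac} for every interface that has a link/ether line."""
    return {n: i["mac"] for n, i in parse_ip_addr(text).items() if i["mac"]}


def eui64_link_local(mac):
    """fe80:: address formed from a MAC: flip the U/L bit, insert ff:fe in the middle."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui))


def link_local_matches_mac(iface):
    """True when one inet6 address is the EUI-64 link-local of the interface's MAC."""
    if not iface["mac"]:
        return False
    expected = eui64_link_local(iface["mac"])
    return any(addr.split("/")[0] == expected for addr in iface["inet6"])


if __name__ == "__main__":
    for name, iface in parse_ip_addr(SAMPLE_IP_ADDR).items():
        print(name, iface["mac"], link_local_matches_mac(iface))
```

A mismatch between the reported MAC and the link-local address is not an error in itself (IPv6 privacy extensions or a cloned MAC produce one too), but it is the kind of discrepancy worth recording when the MAC field is being set by hand as described above.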
~]$ nm-connection-editor &
~]$ nm-connection-editor &
The Editing VPN connection 1 window then appears. This window presents settings customized for the type of VPN connection you selected in Step 5.

~]$ nm-connection-editor &


Network configuration files for interfaces are located in the /etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory: interface configuration files, interface control scripts, and network function files. The primary network configuration files are:
/etc/hosts: resolves hostnames that cannot be resolved any other way, and can resolve hostnames on small networks with no DNS server. Regardless of the type of network, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain. For more information, refer to the hosts(5) manual page.
/etc/resolv.conf: specifies the IP addresses of DNS servers and the search domain.
/etc/sysconfig/network: specifies routing and host information for all network interfaces.
/etc/sysconfig/network-scripts/ifcfg-interface-name: the configuration file for each individual network interface.
Important: the /etc/sysconfig/networking/ directory is used by the now deprecated Network Administration Tool (system-config-network). Its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion. For more information about configuring network interfaces using graphical configuration tools, refer to Chapter 6, NetworkManager.
Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are usually named ifcfg-name, where name refers to the name of the device that the configuration file controls.
One of the most common interface files is /etc/sysconfig/network-scripts/ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-ethX files (where X is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
The following is a sample ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no
The values required in an interface configuration file can change based on other values. For example, the ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
It is also possible to manually edit the configuration files for a given network interface. Below is a listing of the configurable parameters in an Ethernet interface configuration file:
BONDING_OPTS=parameters, where parameters are the configuration parameters for the bonding device. This directive is used in /etc/sysconfig/network-scripts/ifcfg-bondN (see Section 7.2.2, “Channel Bonding Interfaces”). These parameters are identical to those used for bonding devices in /sys/class/net/bonding_device/bonding, and the module parameters for the bonding driver as described in bonding Module Directives.
Specify bonding options only through the BONDING_OPTS directive in ifcfg-name. Do not specify options for the bonding device in /etc/modprobe.d/bonding.conf, or in the deprecated /etc/modprobe.conf file.
BOOTPROTO=protocol, where protocol is one of the following:
none — No boot-time protocol should be used.
bootp — The BOOTP protocol should be used.
dhcp — The DHCP protocol should be used.
BROADCAST=address, where address is the broadcast address. This directive is deprecated, as the value is calculated automatically with ipcalc.
DEVICE=name, where name is the name of the physical device (except for dynamically-allocated PPP devices where it is the logical name).
DHCP_HOSTNAME=name, where name is a short hostname to be sent to the DHCP server. Use this option only if the DHCP server requires the client to specify a hostname before receiving an I P address.
DNS{1,2}=address, where address is a name server address to be placed in /etc/resolv.conf if the PEERDNS directive is set to yes.
ETHTOOL_OPTS=options, where options are any device-specific options supported by ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
Instead of a custom initscript, use ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
Changing speed or duplex settings almost always requires disabling auto-negotiation with the autoneg off option. This option needs to be stated first, as the option entries are order-dependent.
HOTPLUG=answer, where answer is one of the following:
yes — This device should be activated when it is hot-plugged (this is the default option).
no — This device should not be activated when it is hot-plugged.
The HOTPLUG=no option can be used to prevent a channel bonding interface from being activated when a bonding kernel module is loaded.
HWADDR=MAC-address, where MAC-address is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module. This directive should not be used in conjunction with MACADDR.
Persistent device names derived from the hardware address are also recorded by udev in /etc/udev/rules.d/70-persistent-net.rules.
IPADDR=address, where address is the IP address.
LINKDELAY=time, where time is the number of seconds to wait for link negotiation before configuring the device.
MACADDR=MAC-address, where MAC-address is the hardware address to assign to the Ethernet device, in the form AA:BB:CC:DD:EE:FF. This directive overrides the address burned into the physical NIC.
This directive should not be used in conjunction with the HWADDR directive.
MASTER=bond-interface, where bond-interface is the channel bonding interface to which the Ethernet interface is linked.
This directive is used in conjunction with the SLAVE directive.
NETMASK=mask, where mask is the netmask value.
NETWORK=address, where address is the network address. This directive is deprecated, as the value is calculated automatically with ipcalc.
NM_CONTROLLED=answer, where answer is one of the following:
yes — NetworkManager is permitted to configure this device. This is the default behavior and can be omitted.
no — NetworkManager is not permitted to configure this device.
ONBOOT=answer, where answer is one of the following:
yes — This device should be activated at boot-time.
no — This device should not be activated at boot-time.
PEERDNS=answer, where answer is one of the following:
yes — Modify /etc/resolv.conf if the DNS directive is set. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SLAVE=answer, where answer is one of the following:
yes — This device is controlled by the channel bonding interface specified in the MASTER directive.
no — This device is not controlled by the channel bonding interface specified in the MASTER directive.
This directive is used in conjunction with the MASTER directive.
SRCADDR=address, where address is the specified source IP address for outgoing packets.
USERCTL=answer, where answer is one of the following:
yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
Fedora allows administrators to bind multiple network interfaces together into a single channel using the bonding kernel module and a special network interface called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
To create a channel bonding interface, create a file in the /etc/sysconfig/network-scripts/ directory called ifcfg-bondN, replacing N with the number for the interface, such as 0.
The contents of the file can be identical to whatever type of interface is getting bonded, such as an Ethernet interface. The only difference is that the DEVICE directive is bondN, replacing N with the number for the interface.
The following is a sample channel bonding configuration file:
DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="bonding parameters separated by spaces"
After the channel bonding interface is created, the network interfaces to be bound together must be configured by adding the MASTER and SLAVE directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.
For example, if two Ethernet interfaces are being channel bonded, both eth0 and eth1 may look like the following example:
DEVICE=ethN
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
In this example, replace N with the numerical value for the interface.
For a channel bonding interface to be valid, the kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, create a new file named bonding.conf in the /etc/modprobe.d/ directory. Note that you can name this file anything you like as long as it ends with a .conf extension. Insert the following line in this new file:
alias bondN bonding
Replace N with the interface number, such as 0. For each configured channel bonding interface, there must be a corresponding entry in your new /etc/modprobe.d/bonding.conf file.
Important: parameters for the bonding kernel module must be specified as a space-separated list in the BONDING_OPTS="bonding parameters" directive in the ifcfg-bondN interface file. Do not specify options for the bonding device in /etc/modprobe.d/bonding.conf, or in the deprecated /etc/modprobe.conf file. For further instructions and advice on configuring the bonding module and to view the list of bonding parameters, refer to Section 22.7.2, “Using Channel Bonding”.
A network bridge is a link-layer device which forwards traffic between networks based on MAC addresses. To create a network bridge, create a file in the /etc/sysconfig/network-scripts/ directory called ifcfg-brN, replacing N with the number for the interface, such as 0.
The contents of the file are similar to whatever type of interface is getting bridged to, such as an Ethernet interface. The differences in this example are as follows:
The DEVICE directive is given an interface name as its argument in the format brN, where N is replaced with the number of the interface.
The TYPE directive is given an argument Bridge or Ethernet. This directive determines the device type and the argument is case sensitive.
The bridge interface configuration file now has the IP address, and the physical interface has only a MAC address.
An extra directive, DELAY=0, is added to prevent the bridge from waiting while it monitors traffic, learns where hosts are located, and builds a table of MAC addresses on which to base its filtering decisions. The default delay of 30 seconds is not needed if no routing loops are possible.
The NM_CONTROLLED=no directive should be added to the Ethernet interface to prevent NetworkManager from altering the file. It can also be added to the bridge configuration file in case future versions of NetworkManager support bridge configuration.
The following is a sample bridge interface configuration file using a static IP address:
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DELAY=0
To complete the bridge, another interface is created, or an existing interface is modified, and pointed to the bridge interface. Edit the Ethernet interface configuration file /etc/sysconfig/network-scripts/ifcfg-ethX, where X is a unique number corresponding to a specific interface, as follows:
DEVICE=ethX
TYPE=Ethernet
HWADDR=AA:BB:CC:DD:EE:FF
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=br0
For the DEVICE directive, almost any interface name could be used as it does not determine the device type. Other commonly used names include tap, dummy and bond for example. TYPE=Ethernet is not strictly required. If the TYPE directive is not set, the device is treated as an Ethernet device (unless its name explicitly matches a different interface configuration file).
Restart the networking service in order for the changes to take effect, as root:
systemctl restart network.service
Network bridge with bond: an example of a network bridge formed from two or more bonded Ethernet interfaces follows. Create or edit the Ethernet interface configuration files for the interfaces to be bonded, /etc/sysconfig/network-scripts/ifcfg-ethX, as follows:
DEVICE=ethX
TYPE=Ethernet
USERCTL=no
SLAVE=yes
MASTER=bond0
BOOTPROTO=none
HWADDR=AA:BB:CC:DD:EE:FF
NM_CONTROLLED=no
Using ethX as the interface name is common practice but almost any name could be used. Names such as tap, dummy and bond are commonly used.
Create or edit one interface configuration file for the bond, /etc/sysconfig/network-scripts/ifcfg-bond0, as follows:
DEVICE=bond0
ONBOOT=yes
BONDING_OPTS='mode=1 miimon=100'
BRIDGE=brbond0
NM_CONTROLLED=no
For further instructions and advice on configuring the bonding module and to view the list of bonding parameters, refer to Section 22.7.2, “Using Channel Bonding”.
Create or edit one interface configuration file for the bridge, /etc/sysconfig/network-scripts/ifcfg-brbond0, as follows:
DEVICE=brbond0
ONBOOT=yes
TYPE=Bridge
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NM_CONTROLLED=no

Figure (diagram): two Ethernet interfaces are bonded into bond0, which in turn leads to a virtual interface called brbond0; from there a path leads to a virtual network.
The Ethernet interface configuration files contain the MASTER=bond0 directive. These point to the configuration file named /etc/sysconfig/network-scripts/ifcfg-bond0, which contains the DEVICE=bond0 directive. This ifcfg-bond0 in turn points to the /etc/sysconfig/network-scripts/ifcfg-brbond0 configuration file, which contains the IP address, and acts as an interface to the virtual networks inside the host.
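The following Python script is an added example, not part of the original guide, that automates the checks this section describes: it pulls MAC addresses out of ip addr output (as shown earlier for choosing an HWADDR value), parses a set of ifcfg-* files, and flags the configurations the text warns against: HWADDR combined with MACADDR, an HWADDR that matches no installed NIC, USERCTL=yes on an interface non-root users should not control, a MASTER that points at a missing bond file or a slave missing SLAVE=yes, and a BRIDGE port without NM_CONTROLLED=no. The ip addr listing is the one shown above; the ifcfg files are constructed for the example (ifcfg-eth1 and ifcfg-eth2 contain deliberate mistakes), and the finding codes are this example's own.

```python
import re

# Constructed sample: the `ip addr` listing from the text above, trimmed to the
# two physical interfaces (interface names and MACs as quoted there).
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample ifcfg files: a bond with two slaves and a bridge with one
# port. ifcfg-eth1 and ifcfg-eth2 deliberately contain mistakes.
IFCFG_FILES = {
    "ifcfg-bond0": "DEVICE=bond0\nIPADDR=192.168.1.1\nNETMASK=255.255.255.0\n"
                   "ONBOOT=yes\nBOOTPROTO=none\nUSERCTL=no\n"
                   "BONDING_OPTS='mode=1 miimon=100'\n",
    "ifcfg-eth0": "DEVICE=eth0\nHWADDR=52:54:00:26:9e:f1\nBOOTPROTO=none\n"
                  "ONBOOT=yes\nMASTER=bond0\nSLAVE=yes\nUSERCTL=no\n",
    "ifcfg-eth1": "DEVICE=eth1\nHWADDR=AA:BB:CC:DD:EE:FF\nMACADDR=AA:BB:CC:DD:EE:FF\n"
                  "BOOTPROTO=none\nONBOOT=yes\nMASTER=bond0\nSLAVE=yes\nUSERCTL=yes\n",
    "ifcfg-br0": "DEVICE=br0\nTYPE=Bridge\nIPADDR=192.168.2.1\nNETMASK=255.255.255.0\n"
                 "ONBOOT=yes\nBOOTPROTO=static\nNM_CONTROLLED=no\nDELAY=0\n",
    "ifcfg-eth2": "DEVICE=eth2\nTYPE=Ethernet\nBOOTPROTO=none\nONBOOT=yes\nBRIDGE=br0\n",
}

# "static" is accepted because the bridge and VLAN examples above use it.
BOOTPROTOS = {"none", "bootp", "dhcp", "static"}


def parse_ip_addr(text):
    """Map interface name -> MAC from `ip addr` output (the MAC follows link/ether)."""
    macs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if head:
            current = head.group(1)
            continue
        mac = re.search(r"link/ether\s+([0-9A-Fa-f:]{17})", line)
        if mac and current:
            macs[current] = mac.group(1).lower()
    return macs


def parse_ifcfg(text):
    """Parse KEY=value lines; blank lines and # comments are skipped, quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def lint_ifcfg(files, macs):
    """Return (filename, code) findings for a set of ifcfg files.

    files: {filename: contents}; macs: output of parse_ip_addr (may be empty,
    in which case the HWADDR-exists check is skipped).
    """
    cfgs = {name: parse_ifcfg(body) for name, body in files.items()}
    findings = []
    for name, cfg in cfgs.items():
        dev = cfg.get("DEVICE", "")
        if not dev:
            findings.append((name, "DEVICE_MISSING"))
        # HWADDR pins a file to a NIC; MACADDR overrides the NIC's address.
        # The directive list above says never to combine the two.
        if "HWADDR" in cfg and "MACADDR" in cfg:
            findings.append((name, "HWADDR_AND_MACADDR"))
        hw = cfg.get("HWADDR", "").lower()
        if hw and macs and hw not in macs.values():
            findings.append((name, "HWADDR_UNKNOWN"))
        if cfg.get("BOOTPROTO", "none") not in BOOTPROTOS:
            findings.append((name, "BAD_BOOTPROTO"))
        # USERCTL=yes lets unprivileged users bring the interface up and down.
        if cfg.get("USERCTL", "no").lower() in ("yes", "true"):
            findings.append((name, "USERCTL_YES"))
        master = cfg.get("MASTER")
        if master:
            bond = cfgs.get("ifcfg-" + master)
            if bond is None or bond.get("DEVICE") != master:
                findings.append((name, "MASTER_UNRESOLVED"))
            elif cfg.get("SLAVE") != "yes":
                findings.append((name, "SLAVE_NOT_YES"))
        bridge = cfg.get("BRIDGE")
        if bridge:
            br = cfgs.get("ifcfg-" + bridge)
            if br is None or br.get("TYPE") != "Bridge":
                findings.append((name, "BRIDGE_UNRESOLVED"))
            elif cfg.get("NM_CONTROLLED", "yes") != "no":
                findings.append((name, "NM_CONTROLLED_MISSING"))
        if cfg.get("VLAN") == "yes" and not re.fullmatch(r"\S+\.\d+", dev):
            findings.append((name, "VLAN_NAME"))
    return findings


if __name__ == "__main__":
    for finding in lint_ifcfg(IFCFG_FILES, parse_ip_addr(IP_ADDR_OUTPUT)):
        print("%s: %s" % finding)
```

On a real host, replace the two constants with the output of ip addr and the contents of /etc/sysconfig/network-scripts/ifcfg-*; the checks are the same.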
Restart the networking service in order for the changes to take effect, as root:
systemctl restart network.service
802.1Q VLAN tagging: to set up VLAN tagging, the 8021q kernel module must be loaded. Check whether it is loaded with lsmod | grep 8021q, and load it with modprobe 8021q if necessary. Then configure the physical interface in /etc/sysconfig/network-scripts/ifcfg-ethX, where X is a unique number corresponding to a specific interface, as follows:
DEVICE=ethX
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
Configure the VLAN interface in /etc/sysconfig/network-scripts. The configuration filename should be the physical interface plus a . character plus the VLAN ID number. For example, if the VLAN ID is 192, and the physical interface is eth0, then the configuration filename should be ifcfg-eth0.192:
DEVICE=ethX.192
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.1
NETMASK=255.255.255.0
USERCTL=no
NETWORK=192.168.1.0
VLAN=yes
If there is a need to configure a second VLAN, with for example VLAN ID 193, on the same interface, eth0, add a new file with the name ifcfg-eth0.193 with the VLAN configuration details.
Restart the networking service in order for the changes to take effect, as root:
systemctl restart network.service
Alias and clone files: two lesser-used types of interface configuration files are alias and clone files. As the ip command of the iproute package now supports assigning multiple addresses to the same interface, it is no longer necessary to use this method of binding multiple addresses to the same interface.
Important: NetworkManager does not support alias ifcfg files. For example, if ifcfg-eth0 and ifcfg-eth0:1 files are present, NetworkManager creates two connections, which will cause confusion.
Alias interface configuration files, which are used to bind multiple addresses to a single interface, use the ifcfg-if-name:alias-value naming scheme.
For example, an ifcfg-eth0:0 file could be configured to specify DEVICE=eth0:0 and a static IP address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed, 10.0.0.2 IP address.
A clone interface configuration file should use the following naming convention: ifcfg-if-name-clone-name. While an alias file allows multiple addresses for an existing interface, a clone file is used to specify additional options for an interface. For example, a standard DHCP Ethernet interface called eth0 may look similar to this:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
Since the default value for the USERCTL directive is no if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying ifcfg-eth0 to ifcfg-eth0-user and add the following line to ifcfg-eth0-user:
USERCTL=yes
This way a user can bring up the eth0 interface using the /sbin/ifup eth0-user command because the configuration options from ifcfg-eth0 and ifcfg-eth0-user are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
Dialup interfaces: if you connect to the Internet via a dialup connection, a configuration file is created for the interface. PPP interface configuration files are named in the format ifcfg-pppX, where X is a unique number corresponding to a specific interface.
The PPP interface configuration file is created automatically when wvdial, the Network Administration Tool or Kppp is used to create a dialup account. It is also possible to create and edit this file manually.
The following is a typical ifcfg-ppp0 file:
DEVICE=ppp0
NAME=test
WVDIALSECT=test
MODEMPORT=/dev/modem
LINESPEED=115200
PAPNAME=test
USERCTL=true
ONBOOT=no
PERSIST=no
DEFROUTE=yes
PEERDNS=yes
DEMAND=no
IDLETIMEOUT=600
Serial Line Internet Protocol (SLIP) is another dialup interface, although it is used less frequently. SLIP files have interface configuration file names such as ifcfg-sl0.
Other options that may be used in these files include:
DEFROUTE=answer, where answer is one of the following:
yes — Set this interface as the default route.
no — Do not set this interface as the default route.
DEMAND=answer, where answer is one of the following:
yes — This interface allows pppd to initiate a connection when someone attempts to use it.
no — A connection must be manually established for this interface.
IDLETIMEOUT=value, where value is the number of seconds of idle activity before the interface disconnects itself.
INITSTRING=string, where string is the initialization string passed to the modem device. This option is primarily used in conjunction with SLIP interfaces.
LINESPEED=value, where value is the baud rate of the device. Possible standard values include 57600, 38400, 19200, and 9600.
MODEMPORT=device, where device is the name of the serial device that is used to establish the connection for the interface.
MTU=value, where value is the Maximum Transmission Unit (MTU) setting for the interface. The MTU refers to the largest number of bytes of data a frame can carry, not counting its header information. In some dialup situations, setting this to a value of 576 results in fewer packets dropped and a slight improvement to the throughput for a connection.
NAME=name, where name is the reference to the title given to a collection of dialup connection configurations.
PAPNAME=name, where name is the username given during the Password Authentication Protocol (PAP) exchange that occurs to allow connections to a remote system.
PERSIST=answer, where answer is one of the following:
yes — This interface should be kept active at all times, even if deactivated after a modem hang up.
no — This interface should not be kept active at all times.
REMIP=address, where address is the IP address of the remote system. This is usually left unspecified.
WVDIALSECT=name, where name associates this interface with a dialer configuration in /etc/wvdial.conf. This file contains the phone number to be dialed and other important information for the interface.
Other interfaces: other common interface configuration files include the following:
ifcfg-lo: the local loopback interface, which carries traffic addressed to the system itself. Warning: the loopback interface script, /etc/sysconfig/network-scripts/ifcfg-lo, should never be edited manually. Doing so can prevent the system from operating correctly.
ifcfg-irlan0: an infrared interface, which allows information between devices, such as a laptop and a printer, to flow over an infrared link.
ifcfg-plip0: a Parallel Line Internet Protocol (PLIP) connection, which works much the same way as an Ethernet device, except that it utilizes a parallel port.
Interface control scripts: the interface control scripts activate and deactivate system interfaces. There are two primary interface control scripts that call on control scripts located in the /etc/sysconfig/network-scripts/ directory: /sbin/ifdown and /sbin/ifup.
The ifup and ifdown interface scripts are symbolic links to scripts in the /sbin/ directory. When either of these scripts are called, they require the value of the interface to be specified, such as:
ifup eth0
Warning: the ifup and ifdown interface scripts are the only scripts that the user should use to bring up and take down network interfaces.
Two files used to perform a variety of network initialization tasks during the process of bringing up a network interface are /etc/rc.d/init.d/functions and /etc/sysconfig/network-scripts/network-functions. Refer to Section 7.5, “Network Function Files” for more information.
After verifying that an interface has been specified and that the user executing the request is allowed to control the interface, the correct script brings the interface up or down. The following interface control scripts are the more common ones found in the /etc/sysconfig/network-scripts/ directory:
ifup-aliases: configures IP aliases from interface configuration files when more than one IP address is associated with an interface.
ifup-ippp and ifdown-ippp: bring ISDN interfaces up and down.
ifup-ipv6 and ifdown-ipv6: bring IPv6 interfaces up and down.
ifup-plip: brings up a PLIP interface.
ifup-plusb: brings up a USB interface for network connections.
ifup-post and ifdown-post: contain commands to be executed after an interface is brought up or down.
ifup-ppp and ifdown-ppp: bring a PPP interface up or down.
ifup-routes: adds static routes for a device as its interface is brought up.
ifdown-sit and ifup-sit: contain function calls related to bringing up and down an IPv6 tunnel within an IPv4 connection.
ifup-wireless: brings up a wireless interface.
Warning: removing or modifying any scripts in the /etc/sysconfig/network-scripts/ directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface.
The easiest way to manipulate all network scripts simultaneously is to use the systemctl command on the network service (/etc/rc.d/init.d/network), as illustrated by the following command:
systemctl action network.service
Here, action can be either start, stop, or restart.
To view a list of configured devices and currently active network interfaces, use the following command:
systemctl status network.service
Static routes and the default gateway: use the ip route command to display the IP routing table. If static routes are required, they can be added to the routing table by means of the ip route add command and removed using the ip route del command. To add a static route to a host address, that is to say to a single IP address, issue the following command as root:
ip route add X.X.X.X
where X.X.X.X is the IP address of the host in dotted decimal notation. To add a static route to a network, that is to say to an IP address representing a range of IP addresses, issue the following command as root:
ip route add X.X.X.X/Y
where X.X.X.X is the IP address of the network in dotted decimal notation and Y is the network prefix. The network prefix is the number of enabled bits in the subnet mask. This format of network address slash prefix length is referred to as CIDR notation.
Static routes should be persistent so that they survive reboots. For this purpose, they are stored in the /etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives. These are described below.
The default gateway is configured in the /etc/sysconfig/network file. This file specifies gateway and host information for all network interfaces. For more information about this file and the directives it accepts, refer to Section D.1.13, “ /etc/sysconfig/network ”.
IP command arguments format: in this format, the default gateway is defined by a line such as the following:
default via X.X.X.X dev interface
X.X.X.X is the IP address of the default gateway. The interface is the interface that is connected to, or can reach, the default gateway. The dev option can be omitted, it is optional.
Static routes are defined with lines such as the following:
X.X.X.X/Y via X.X.X.X dev interface
X.X.X.X/Y is the network address and netmask for the static route. X.X.X.X and interface are the IP address and interface for the default gateway respectively. The X.X.X.X address does not have to be the default gateway IP address. In most cases, X.X.X.X will be an IP address in a different subnet, and interface will be the interface that is connected to, or can reach, that subnet. Add as many static routes as required.
The following is a sample route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
default via 192.168.0.1 dev eth0
10.10.10.0/24 via 192.168.0.1 dev eth0
172.16.1.0/24 via 192.168.0.1 dev eth0
Static routes should only be configured for other subnets. The above example is not necessary, since packets going to the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway. Below is an example of setting a static route to a different subnet on a machine that has an eth0 interface in the 192.168.0.0/24 subnet, and an eth1 interface (10.10.10.1) in the 10.10.10.0/24 subnet:
10.10.10.0/24 via 10.10.10.1 dev eth1
Duplicate default gateways: if the default gateway is already configured (for example, by the GATEWAY directive in /etc/sysconfig/network) and a default route is also specified in the route-interface file, one of the following errors may appear when the interface is brought up with the ifup command: "RTNETLINK answers: File exists" or 'Error: either "to" is a duplicate, or "X.X.X.X" is a garbage.', where X.X.X.X is the gateway, or a different IP address. These errors can also occur if you have another route to another network using the default gateway. Both of these errors are safe to ignore.
Network/netmask directives format: you can also use the network/netmask directives format for route-interface files. The following is a template for the network/netmask format, with instructions following afterwards:
ADDRESS0=X.X.X.X
NETMASK0=X.X.X.X
GATEWAY0=X.X.X.X
ADDRESS0=X.X.X.X is the network number for the static route.
NETMASK0=X.X.X.X is the netmask for the network number defined with ADDRESS0=X.X.X.X.
GATEWAY0=X.X.X.X is the default gateway, or an IP address that can be used to reach ADDRESS0=X.X.X.X.
The following is a sample route-eth0 file using the network/netmask directives format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks. However, as mentioned before, this example is not necessary as the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway:
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.0.1
ADDRESS1=172.16.1.0
NETMASK1=255.255.255.0
GATEWAY1=192.168.0.1
Subsequent static routes must be numbered sequentially, and must not skip any values: ADDRESS0, ADDRESS1, ADDRESS2, and so on.
Below is an example of setting a static route to a different subnet on a machine that has an eth0 interface in the 192.168.0.0/24 subnet, and an eth1 interface (10.10.10.1) in the 10.10.10.0/24 subnet:
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=10.10.10.1
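As an added example (not from the guide), the following Python code parses a route-interface file in either of the two formats described above, converts between them with the standard ipaddress module doing the netmask/prefix arithmetic, and reports two things the text calls out: routes that only repeat the default gateway, and duplicate destinations, which are what produce the "RTNETLINK answers: File exists" message at ifup time. The sample file contents are the route-eth0 examples from the text; the helper names are this example's own.

```python
import ipaddress

# Constructed sample: the route-eth0 file shown above in the IP command
# arguments format (default gateway 192.168.0.1 reached through eth0).
ROUTE_ETH0_IP_ARGS = """\
default via 192.168.0.1 dev eth0
10.10.10.0/24 via 192.168.0.1 dev eth0
172.16.1.0/24 via 192.168.0.1 dev eth0
"""


def parse_ip_args(text):
    """Parse 'destination via GATEWAY dev INTERFACE' lines.

    'default' is stored as 0.0.0.0/0; 'via' and 'dev' are optional."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dest": ipaddress.ip_network(dest, strict=False), "via": None, "dev": None}
        for key, value in zip(parts[1::2], parts[2::2]):
            if key in ("via", "dev"):
                route[key] = value
        routes.append(route)
    return routes


def parse_netmask_directives(text):
    """Parse ADDRESSn/NETMASKn/GATEWAYn directives; n must run 0, 1, 2, ...
    without gaps, exactly as the text requires (a gap ends the parse)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    routes, n = [], 0
    while "ADDRESS%d" % n in values:
        mask = values.get("NETMASK%d" % n, "255.255.255.255")
        net = ipaddress.ip_network("%s/%s" % (values["ADDRESS%d" % n], mask), strict=False)
        routes.append({"dest": net, "via": values.get("GATEWAY%d" % n), "dev": None})
        n += 1
    return routes


def to_ip_args(routes):
    lines = []
    for r in routes:
        line = "default" if r["dest"].prefixlen == 0 else str(r["dest"])
        if r["via"]:
            line += " via " + r["via"]
        if r["dev"]:
            line += " dev " + r["dev"]
        lines.append(line)
    return "\n".join(lines) + "\n"


def to_netmask_directives(routes):
    """The default route is skipped: it belongs in /etc/sysconfig/network
    (GATEWAY directive), not in a route-interface file in this format."""
    lines, n = [], 0
    for r in routes:
        if r["dest"].prefixlen == 0:
            continue
        lines.append("ADDRESS%d=%s" % (n, r["dest"].network_address))
        lines.append("NETMASK%d=%s" % (n, r["dest"].netmask))
        if r["via"]:
            lines.append("GATEWAY%d=%s" % (n, r["via"]))
        n += 1
    return "\n".join(lines) + "\n"


def redundant_routes(routes, default_gateway):
    """Non-default routes whose gateway is the default gateway add nothing:
    those destinations would use the default gateway anyway."""
    return [r for r in routes
            if r["dest"].prefixlen != 0 and r["via"] == default_gateway]


def duplicate_destinations(routes):
    """Destinations listed more than once; the kernel rejects the second
    `ip route add` with 'RTNETLINK answers: File exists'."""
    seen, dups = set(), []
    for r in routes:
        if r["dest"] in seen:
            dups.append(str(r["dest"]))
        seen.add(r["dest"])
    return dups


if __name__ == "__main__":
    routes = parse_ip_args(ROUTE_ETH0_IP_ARGS)
    print(to_netmask_directives(routes))
    print("redundant:", [str(r["dest"]) for r in redundant_routes(routes, "192.168.0.1")])
```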
Network function files: Fedora makes use of several files that contain important common functions used to bring interfaces up and down. Rather than forcing each interface control file to contain these functions, they are grouped together in a few files that are called upon when necessary.
The /etc/sysconfig/network-scripts/network-functions file contains the most commonly used IPv4 functions, which are useful to many interface control scripts. These functions include contacting running programs that have requested information about changes in the status of an interface, setting hostnames, finding a gateway device, verifying whether or not a particular device is down, and adding a default route.
As the functions required for IPv6 interfaces are different from IPv4 interfaces, a /etc/sysconfig/network-scripts/network-functions-ipv6 file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface.
Additional resources: /usr/share/doc/initscripts-version/sysconfig.txt is a guide to available options for network configuration files, including IPv6 options not covered in this chapter.
Services and daemons: maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
Configuring services: Fedora ships the systemctl utility for configuring which services are started at boot time.
Important: although it is possible to use the init scripts in the /etc/rc.d/init.d/ directory directly, it is advised that you use the systemctl utility.
It is recommended that the irqbalance service is enabled. In most cases, this service is installed and configured to run during the Fedora 17 installation. To verify that irqbalance is running, type the following at a shell prompt:
systemctl status irqbalance.service
Enabling a service: to configure a service to be automatically started at boot time, use the systemctl command in the following form:
systemctl enable service_name.service
For example, enable the httpd service by typing the following at a shell prompt as root:
~]# systemctl enable httpd.service
Disabling a service: to disable starting a service at boot time, use the systemctl command in the following form:
systemctl disable service_name.service
For example, ensure the telnet service is disabled by running the following command as root:
~]# systemctl disable telnet.service
Running a service: to determine the status of a service, use the systemctl command in the following form:
systemctl status service_name.service
This command provides detailed information on the service's status. However, if you merely need to verify that a service is running, you can use the systemctl command in the following form instead:
systemctl is-active service_name.service
For example, the enabling example above configured the httpd service to start at boot time. Imagine that the system has been restarted and you need to verify that the service is really running. You can do so by typing the following at a shell prompt:
~]$ systemctl is-active httpd.service
active
~]$ systemctl status httpd.service
httpd.service - LSB: start and stop Apache HTTP Server
Loaded: loaded (/etc/rc.d/init.d/httpd)
Active: active (running) since Mon, 23 May 2011 21:38:57 +0200; 27s ago
Process: 2997 ExecStart=/etc/rc.d/init.d/httpd start (code=exited, status=0/SUCCESS)
Main PID: 3002 (httpd)
CGroup: name=systemd:/system/httpd.service
├ 3002 /usr/sbin/httpd
├ 3004 /usr/sbin/httpd
├ 3005 /usr/sbin/httpd
├ 3006 /usr/sbin/httpd
├ 3007 /usr/sbin/httpd
├ 3008 /usr/sbin/httpd
├ 3009 /usr/sbin/httpd
├ 3010 /usr/sbin/httpd
└ 3011 /usr/sbin/httpd
To display a list of all active system services, use the following command:
systemctl list-units --type=service
This command displays a table with the following columns:
UNIT — A systemd unit name. In this case, a service name.
LOAD — Information whether the systemd unit was properly loaded.
ACTIVE — A high-level unit activation state.
SUB — A low-level unit activation state.
JOB — A pending job for the unit.
DESCRIPTION — A brief description of the unit.
~]$ systemctl list-units --type=service
UNIT LOAD ACTIVE SUB JOB DESCRIPTION
abrt-ccpp.service loaded active exited LSB: Installs coredump handler which saves segfault data
abrt-oops.service loaded active running LSB: Watches system log for oops messages, creates ABRT dump directories for each oops
abrtd.service loaded active running ABRT Automated Bug Reporting Tool
accounts-daemon.service loaded active running Accounts Service
atd.service loaded active running Job spooling tools
[output truncated]
For example, the abrtd service is loaded, active, and running, and it does not have any pending jobs.
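The advice above is to turn off any service you do not need. As an added example that is not part of the guide, the following Python code parses the systemctl list-units --type=service table shown above and compares the active services against an allow list, so a forgotten telnet.service stands out. The listing is constructed from the output above, with telnet.service and a pending job on sshd.service added for the demonstration; the allow list is supplied by the caller.

```python
# Constructed sample of `systemctl list-units --type=service` output, modelled
# on the listing above, with telnet.service and a pending job on sshd.service
# added for the demonstration.
LIST_UNITS_OUTPUT = """\
UNIT                  LOAD   ACTIVE SUB     JOB   DESCRIPTION
abrt-ccpp.service     loaded active exited        LSB: Installs coredump handler which saves segfault data
abrt-oops.service     loaded active running       LSB: Watches system log for oops messages, creates ABRT dump directories for each oops
abrtd.service         loaded active running       ABRT Automated Bug Reporting Tool
accounts-daemon.service loaded active running     Accounts Service
atd.service           loaded active running       Job spooling tools
httpd.service         loaded active running       LSB: start and stop Apache HTTP Server
telnet.service        loaded active running       Telnet server
sshd.service          loaded active running stop  OpenSSH server daemon
[output truncated]
"""

# Job types systemd prints in the JOB column; used to tell a pending job
# apart from the first word of a description.
JOB_WORDS = {"start", "stop", "restart", "reload", "try-restart", "verify-active", "nop"}


def parse_list_units(text):
    """Turn the listing into a list of dicts.  The JOB column is blank for
    most units, so it is recognised by its value, not by column position."""
    units = []
    for line in text.splitlines()[1:]:                # skip the header row
        if not line.strip() or line.startswith("["):  # blank or "[output truncated]"
            continue
        unit, load, active, sub, rest = line.split(None, 4)
        job = ""
        words = rest.split(None, 1)
        if words and words[0] in JOB_WORDS:
            job = words[0]
            rest = words[1] if len(words) > 1 else ""
        units.append({"unit": unit, "load": load, "active": active,
                      "sub": sub, "job": job, "description": rest})
    return units


def active_services(units):
    return sorted(u["unit"] for u in units if u["active"] == "active")


def unexpected_services(units, allowed):
    """Active services that are not on the allow list; each is a candidate
    for `systemctl stop` followed by `systemctl disable`."""
    return [u["unit"] for u in units
            if u["active"] == "active" and u["unit"] not in allowed]


def pending_jobs(units):
    return {u["unit"]: u["job"] for u in units if u["job"]}


if __name__ == "__main__":
    known = {"abrt-ccpp.service", "abrt-oops.service", "abrtd.service",
             "accounts-daemon.service", "atd.service", "httpd.service", "sshd.service"}
    parsed = parse_list_units(LIST_UNITS_OUTPUT)
    print("unexpected:", unexpected_services(parsed, known))
    print("pending jobs:", pending_jobs(parsed))
```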
Starting a service: to run a service, use the systemctl command in the following form:
systemctl start service_name.service
For example, imagine that you have configured the httpd service to start at boot time. You can start the service immediately by typing the following at a shell prompt as root:
~]# systemctl start httpd.service
Stopping a service: to stop a service, use the systemctl command in the following form:
systemctl stop service_name.service
For example, imagine that you have disabled the telnet service at boot time. You can stop the service immediately by running the following command as root:
~]# systemctl stop telnet.service
Restarting a service: to restart a service, use the systemctl command in the following form:
systemctl restart service_name.service
For example, for changes in the /etc/ssh/sshd_config configuration file to take effect, it is required that you restart the sshd service. You can do so by typing the following at a shell prompt as root:
~]# systemctl restart sshd.service
Additional resources: systemctl(1) — The manual page for the systemctl utility.
Authentication configuration: to start the Authentication Configuration Tool, type system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).

LDAP: user information is retrieved from an LDAP server.
Use TLS to encrypt connections: Transport Layer Security (TLS) will be used to encrypt passwords sent to the LDAP server. A further option allows you to specify a URL from which to download a valid Certificate Authority (CA) certificate. A valid CA certificate must be in the Privacy Enhanced Mail (PEM) format.
This TLS option is not needed if an ldaps:// server address is specified in the LDAP Server field.
The openldap-clients package must be installed for this option to work.
Kerberos password: the Admin Servers field specifies the administration server(s) running kadmind.
The krb5-libs and krb5-workstation packages must be installed for this option to work. For more information about Kerberos, refer to section Using Kerberos of the Fedora 17 Managing Single Sign-On and Smart Cards guide.
LDAP password: specify an ldaps:// server address or use TLS for LDAP authentication, so that passwords are not sent to the server in the clear.
NIS: when NIS is selected, the portmap and ypbind services are started and are also enabled to start at boot time.
Kerberos: the krb5-server package must be installed, and Kerberos must be configured properly.
Winbind: the Domain Controllers field specifies the domain controllers winbind should use. For more information about domain controllers, please refer to Section 16.1.6.3, “Domain Controller”.
Template Shell: when filling in the user information for a Windows NT user, the winbindd daemon uses the value chosen here to specify the login shell for that user.
For more information about the winbindd service, refer to Section 16.1.2, “Samba Daemons and Related Services”.

Local access control: when enabled, /etc/security/access.conf is consulted for authorization of a user.
The authconfig command-line tool: the Authentication Configuration Tool can also be run as a command line tool with no interface, which is useful in a configuration script or a kickstart script. The authentication options are summarized in the following table. They are also listed in the authconfig man page or by typing authconfig --help at the shell prompt.
| Option | Description |
|---|---|
| --enableshadow, --useshadow | Enable shadow passwords |
| --disableshadow | Disable shadow passwords |
| --passalgo= | Hash/crypt algorithm to be used |
| --enablenis | Enable NIS for user account configuration |
| --disablenis | Disable NIS for user account configuration |
| --nisdomain= | Specify an NIS domain |
| --nisserver= | Specify an NIS server |
| --enableldap | Enable LDAP for user account configuration |
| --disableldap | Disable LDAP for user account configuration |
| --enableldaptls | Enable use of TLS with LDAP |
| --disableldaptls | Disable use of TLS with LDAP |
| --enablerfc2307bis | Enable use of RFC-2307bis schema for LDAP user information lookups |
| --disablerfc2307bis | Disable use of RFC-2307bis schema for LDAP user information lookups |
| --enableldapauth | Enable LDAP for authentication |
| --disableldapauth | Disable LDAP for authentication |
| --ldapserver= | Specify an LDAP server |
| --ldapbasedn= | Specify an LDAP base DN (Distinguished Name) |
| --ldaploadcacert= | Load a CA certificate from the specified URL |
| --enablekrb5 | Enable Kerberos for authentication |
| --disablekrb5 | Disable Kerberos for authentication |
| --krb5kdc= | Specify Kerberos KDC server |
| --krb5adminserver= | Specify Kerberos administration server |
| --krb5realm= | Specify Kerberos realm |
| --enablekrb5kdcdns | Enable use of DNS to find Kerberos KDCs |
| --disablekrb5kdcdns | Disable use of DNS to find Kerberos KDCs |
| --enablekrb5realmdns | Enable use of DNS to find Kerberos realms |
| --disablekrb5realmdns | Disable use of DNS to find Kerberos realms |
| --enablewinbind | Enable winbind for user account configuration |
| --disablewinbind | Disable winbind for user account configuration |
| --enablewinbindauth | Enable winbindauth for authentication |
| --disablewinbindauth | Disable winbindauth for authentication |
| --winbindseparator= | Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled |
| --winbindtemplatehomedir= | Directory that winbind users have as their home |
| --winbindtemplateprimarygroup= | Group that winbind users have as their primary group |
| --winbindtemplateshell= | Shell that winbind users have as their default login shell |
| --enablewinbindusedefaultdomain | Configures winbind to assume that users with no domain in their usernames are domain users |
| --disablewinbindusedefaultdomain | Configures winbind to assume that users with no domain in their usernames are not domain users |
| --winbindjoin= | Joins the winbind domain or ADS realm as the specified administrator |
| --enablewinbindoffline | Configures winbind to allow offline login |
| --disablewinbindoffline | Configures winbind to prevent offline login |
| --smbsecurity= | Security mode to use for the Samba and Winbind services |
| --smbrealm= | Default realm for Samba and Winbind services when security is set to |
| --enablewins | Enable WINS for hostname resolution |
| --disablewins | Disable WINS for hostname resolution |
| --enablesssd | Enable SSSD for user information |
| --disablesssd | Disable SSSD for user information |
| --enablecache | Enable nscd |
| --disablecache | Disable nscd |
| --enablelocauthorize | Local authorization is sufficient for local users |
| --disablelocauthorize | Local users are also authorized through a remote service |
| --enablesysnetauth | Authenticate system accounts with network services |
| --disablesysnetauth | Authenticate system accounts with local files only |
| --enablepamaccess | Check /etc/security/access.conf during account authorization |
| --disablepamaccess | Do not check /etc/security/access.conf during account authorization |
| --enablemkhomedir | Create a home directory for a user on the first login |
| --disablemkhomedir | Do not create a home directory for a user on the first login |
| --enablesmartcard | Enable authentication with a smart card |
| --disablesmartcard | Disable authentication with a smart card |
| --enablerequiresmartcard | Require smart card for authentication |
| --disablerequiresmartcard | Do not require smart card for authentication |
| --smartcardmodule= | Default smart card module to use |
| --smartcardaction= | Action to be taken when smart card removal is detected |
| --enablefingerprint | Enable fingerprint authentication |
| --disablefingerprint | Disable fingerprint authentication |
| --nostart | Do not start or stop the portmap, ypbind, or nscd services even if they are configured |
| --test | Do not update the configuration files, only print the new settings |
| --update, --kickstart | Opposite of --test, update configuration files with changed settings |
| --updateall | Update all configuration files |
| --probe | Probe and display network defaults |
| --savebackup= | Save a backup of all configuration files |
| --restorebackup= | Restore a backup of all configuration files |
| --restorelastbackup | Restore the backup of configuration files saved before the previous configuration change |
SSSD and multiple domains: this is an improvement over the nsswitch.conf file configuration, with which you can only request user information from a single server of any particular type (LDAP, NIS, etc.). With SSSD, you can create multiple domains of the same, or of different types of identity provider.
Clearing the cache: SSSD caches the user information it retrieves so that lookups keep working when the identity server is unreachable. To clear the cache for a domain, stop sssd and delete the corresponding cache file. These cache files are stored in the /var/lib/sss/db/ directory.
Each domain's cache file is named cache_DOMAINNAME.ldb.
LDAP referrals: for SSSD to follow referrals to a second LDAP server, set the ldap_referrals option to TRUE in the LDAP domain configuration section of the /etc/sssd/sssd.conf file. This will enable anonymous access to the second LDAP server.
Fully-qualified usernames: for example, you may want to differentiate the user kate in the ldap.example.com domain from the user kate in the ldap.myhome.com domain. You can use SSSD to make requests using fully-qualified usernames. If you request information for kate, you will receive the information from whichever domain is listed first in the look-up order. If you request information for kate@ldap.myhome.com, however, you will receive the correct user information.
SSSD also provides the filter_users option, which you can use to exclude certain users from being fetched from the database. Refer to the sssd.conf(5) manual page for full details about this option.
The IPA identity provider adds two options: ipa_dyndns_update, used to enable dynamic DNS updates; and ipa_dyndns_iface, which specifies the interface whose IP address should be used for dynamic DNS updates.
Installing SSSD: run the following command as root:
# yum install sssd
Upgrading from a previous version: if you are upgrading from an older SSSD release, the upgrade script converts the existing /etc/sssd/sssd.conf file to the new format, and copies the existing version to /etc/sssd/sssd.conf.bak.
The upgrade script is used as follows:
upgrade_config.py [-f INFILE] [-o OUTFILE] [-verbose] [--no-backup]
-f INFILE — the configuration file to upgrade. If not specified, this defaults to /etc/sssd/sssd.conf
-o OUTFILE — the name of the upgraded configuration file. If not specified, this defaults to /etc/sssd/sssd.conf
-verbose — produce more verbose output during the upgrade process
--no-backup — do not produce a back-up file. If not specified, this defaults to INFILE.bak
Starting and stopping SSSD: the service command or the /etc/init.d/sssd script can be used to control SSSD, but systemctl is preferred. For example, run the following command to start sssd:
# systemctl start sssd.service
To configure SSSD to start automatically at boot time, use the systemctl command, as follows:
# systemctl enable sssd.service
/etc/sssd/sssd.conf file. This file consists of various sections, each of which contains a number of key/value pairs. Some keys accept multiple values; use commas to separate multiple values for such keys. This configuration file uses data types of string (no quotes required), integer and Boolean (with values of TRUE or FALSE). Comments are indicated by either a hash sign (#) or a semicolon (;) in the first column. The following example illustrates some of this syntax:
```
[section]
# Keys with single values
key1 = value
key2 = val2
# Keys with multiple values
key10 = val10,val11
```
-c (or --config) parameter on the command line to specify a different configuration file for SSSD.
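The syntax rules just described (sections, key/value pairs, comma-separated multi-valued keys, comments only when `#` or `;` is in the first column, and a repeated key keeping only its last value, which is what the guide says about `ldap_uri` and `services`) can be checked with a small parser. The following is an added example written for this guide, not SSSD's own configuration parser; the sample configuration it reads is constructed and deliberately repeats `services` and `ldap_uri` so that the silently discarded values are reported.

```python
"""Minimal parser for the sssd.conf syntax described in the guide.

Added example, not SSSD's parser. It implements the stated rules: [section]
headers, key = value lines, comma-separated multi-valued keys, comments only
when '#' or ';' is in the first column, and a repeated key keeping its last
value (the earlier value is reported as a warning, since SSSD drops it).
"""
from typing import Dict, List, Tuple

# Constructed sample: 'services' and 'ldap_uri' are each given twice, the
# mistake the guide warns about for both keys.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
# the first server list below is replaced by the second one
ldap_uri = ldap://ldap0.example.com
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
; enumerate is a Boolean: TRUE or FALSE
enumerate = FALSE
"""

Config = Dict[str, Dict[str, str]]


def parse_sssd_conf(text: str) -> Tuple[Config, List[str]]:
    """Return ({section: {key: raw_value}}, warnings).

    A later duplicate overwrites an earlier one; the warning list records the
    value that was lost, which SSSD itself does not report.
    """
    conf: Config = {}
    warnings: List[str] = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if line[0] in "#;":                       # comment marker in column one
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            warnings.append(f"line {lineno}: unparsable line {line!r}")
            continue
        key, _, value = line.partition("=")        # split on the first '=' only
        key, value = key.strip(), value.strip()
        if key in conf[section]:
            warnings.append(
                f"line {lineno}: [{section}] {key} given again; "
                f"earlier value {conf[section][key]!r} is ignored"
            )
        conf[section][key] = value
    return conf, warnings


def values(conf: Config, section: str, key: str) -> List[str]:
    """Split a possibly multi-valued key on commas, trimming whitespace."""
    raw = conf.get(section, {}).get(key, "")
    return [v.strip() for v in raw.split(",") if v.strip()]


def as_bool(conf: Config, section: str, key: str, default: bool = False) -> bool:
    """Booleans are written TRUE or FALSE; anything else is rejected."""
    raw = conf.get(section, {}).get(key)
    if raw is None:
        return default
    if raw.upper() not in ("TRUE", "FALSE"):
        raise ValueError(f"{section}/{key}: {raw!r} is not TRUE or FALSE")
    return raw.upper() == "TRUE"


if __name__ == "__main__":
    parsed, warns = parse_sssd_conf(SAMPLE_CONF)
    for w in warns:
        print("warning:", w)
    print("services:", values(parsed, "sssd", "services"))
    print("ldap_uri:", values(parsed, "domain/example.com", "ldap_uri"))
    print("enumerate:", as_bool(parsed, "domain/example.com", "enumerate"))
```

Running it against the sample prints two warnings and shows that only `nss, pam` and the second `ldap_uri` list survive, which is the behaviour to expect from SSSD when a key is repeated.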
sssd_nss, so that you can configure your system to use SSSD to retrieve user information. Edit the /etc/nsswitch.conf file for your system to use the sss name database. For example:
```
passwd:     files sss
group:      files sss
```
/etc/pam.d/system-auth file. Edit this file to reflect the following example, and then restart sssd:
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
```
/home, and if your system is configured to create home directories the first time your users log in, then these directories will be created with the wrong permissions. For example, instead of a typical home directory such as /home/<username>, your users might have home directories that include their locale, such as /home/<locale>/<username>. If this is true for your system, the following steps need to be taken (preemptively):
/home directory to the home directory that you use on your system. In the example above, the following command would achieve this result (replace the directory names with those that apply to your system):
# semanage fcontext -a -e /home /home/locale
pam_oddjob_mkhomedir.so library, which the Authentication Configuration tool will then use to create your custom home directories. You need to use this library to create your home directories, and not the default pam_mkhomedir.so library, because the latter cannot create SELinux labels.
pam_oddjob_mkhomedir.so library if it is available. Otherwise, it will default to using pam_mkhomedir.so.
```
# semanage fcontext -a -e /home /home/locale
# restorecon -R -v /home/locale
```
include statements in PAM configurations. For example:
```
...
session     include       system-auth
session     optional      pam_console.so
...
```
sufficient condition from system-auth returns PAM_SUCCESS, pam_console.so will not be executed.
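The rule above (a `sufficient` module inside an included stack ends the whole stack, so `pam_console.so` never runs) is the kind of ordering detail that decides whether a `pam_deny.so` at the end of a stack is ever reached. The following model of Linux-PAM's control-flag handling is an added example written for this guide, not part of it and not Linux-PAM code: module results are supplied in a dictionary (constructed; no real module is called), the stacks are built from the session lines shown above, and `substack` and the `reset` action are deliberately left out of the model.

```python
"""Model of how Linux-PAM walks a module stack, including 'include' lines.

Added example for this guide, not Linux-PAM code. Module return values are
constructed (a dictionary), and the shorthand control flags are expanded to
the [value=action ...] form that pam.conf(5) documents. Not modelled:
'substack' and the 'reset' action.
"""
from typing import Dict, List, Tuple

# The four shorthand control flags as pam.conf(5) defines them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed stacks: the session part of the system-auth file shown in the
# guide, and a service file that includes it and then lists pam_console.so.
STACKS: Dict[str, List[Tuple[str, str]]] = {
    "system-auth": [
        ("required", "pam_mkhomedir.so"),
        ("optional", "pam_keyinit.so"),
        ("required", "pam_limits.so"),
        ("[success=1 default=ignore]", "pam_succeed_if.so"),   # "service in crond"
        ("sufficient", "pam_sss.so"),
        ("required", "pam_unix.so"),
    ],
    "login": [
        ("include", "system-auth"),
        ("optional", "pam_console.so"),
    ],
}


def parse_control(control: str) -> Dict[str, str]:
    """Turn a control flag into a {return value: action} map."""
    if control in SHORTHAND:
        return dict(SHORTHAND[control])
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    raise ValueError(f"unsupported control flag {control!r}")


def flatten(stack_name: str, stacks: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Splice 'include' lines into one flat list, recursively."""
    flat: List[Tuple[str, str]] = []
    for control, module in stacks[stack_name]:
        if control == "include":
            flat.extend(flatten(module, stacks))
        else:
            flat.append((control, module))
    return flat


def run_stack(stack_name: str, stacks: Dict[str, List[Tuple[str, str]]],
              results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final status, modules that were actually executed).

    `results` maps a module to the value it returns ("success", "auth_err",
    "user_unknown", ...); modules not listed return "success".
    """
    impression = None            # None, "ok" or "bad": the running verdict
    status = "success"
    executed: List[str] = []
    entries = flatten(stack_name, stacks)
    i = 0
    while i < len(entries):
        control, module = entries[i]
        i += 1
        retval = results.get(module, "success")
        executed.append(module)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():                     # jump over the next N entries
            i += int(action)
        elif action == "ignore":
            continue
        elif action in ("ok", "done"):
            if impression != "bad":              # success never overrides an earlier failure
                impression, status = "ok", retval
            if action == "done":                 # 'sufficient' succeeded: stop here
                break
        elif action in ("bad", "die"):
            if impression != "bad":              # the first failure fixes the status
                impression, status = "bad", retval
            if action == "die":                  # 'requisite' failed: stop here
                break
        else:
            raise ValueError(f"unsupported action {action!r}")
    if status == "success" and impression != "ok":
        status = "perm_denied"                   # no module voted: PAM_PERM_DENIED
    return status, executed


if __name__ == "__main__":
    # Interactive login: pam_succeed_if's "service in crond" test fails, so
    # pam_sss.so runs, succeeds, and pam_console.so is never reached.
    print(run_stack("login", STACKS, {"pam_succeed_if.so": "auth_err"}))
    # A cron job: the jump skips pam_sss.so, and pam_console.so does run.
    print(run_stack("login", STACKS, {}))
```

The first call returns `("success", [...pam_sss.so])` with neither `pam_unix.so` nor `pam_console.so` in the executed list; the second shows the `[success=1 ...]` jump skipping `pam_sss.so`, after which the stack continues into `pam_console.so`.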
access_provider option in the [domain/<NAME>] section in the /etc/sssd/sssd.conf file.
access_provider option to simple, and then add usernames as a comma-separated list to either the simple_allow_users or simple_deny_users options.
example.com is one of the domains specified in the [sssd] section, and only shows the Simple Access Provider-specific options.
```
[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
```
simple as an access provider.
simple_allow_users is set, only users from this list are allowed access. This setting supersedes the simple_deny_users list (which would be redundant).
simple_allow_users list is empty, users are allowed access unless they appear in the simple_deny_users list.
simple_allow_users and simple_deny_users is a configuration error. If this occurs, SSSD will output an error to the /var/log/sssd/sssd_default.log log file when loading the back end, but continue to start normally. Future versions of SSSD will output an error and fail to start.
access_provider=ldap) and the associated filter option (ldap_access_filter) to specify which users are granted access to the specified host. Note that these two options are codependent; if you use LDAP as your access provider then you must specify a value for the ldap_access_filter option, otherwise all users will be denied access. If you are not using LDAP as your access provider, then the ldap_access_filter option has no effect.
example.com is one of the domains specified in the [sssd] section, and only shows the LDAP Access Provider-specific options.
```
[domain/example.com]
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
```
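The decision rules for both access providers described above (the Simple Access Provider's allow/deny lists, and the LDAP Access Provider's dependence on `ldap_access_filter`) are worth having in executable form, because the two failure modes the guide mentions are silent: both `simple_*` lists set is only logged, and `access_provider = ldap` without a filter denies everyone. The following is an added example written for this guide, not SSSD's own code: a domain section is a dictionary of option strings, and, since no directory is reachable offline, the LDAP filter match is a stand-in backed by a constructed `memberOf` table that understands only `attribute=value` filters such as the guide's `memberOf=...` example.

```python
"""Access decisions of SSSD's simple and LDAP access providers, as described
in the guide. Added example, not SSSD code. The LDAP side is a stand-in:
a constructed memberOf table and a filter evaluator for attribute=value only.
"""
from typing import Callable, Dict, List, Optional

Domain = Dict[str, str]


def split_list(value: Optional[str]) -> List[str]:
    """Comma-separated list option -> list of names (empty if unset)."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def access_config_problems(domain: Domain) -> List[str]:
    """The configuration errors the guide calls out; SSSD only logs them."""
    problems = []
    provider = domain.get("access_provider", "permit")   # sssd.conf(5) default
    if provider == "simple" and split_list(domain.get("simple_allow_users")) \
            and split_list(domain.get("simple_deny_users")):
        problems.append("simple_allow_users and simple_deny_users are both set; "
                        "the allow list supersedes the deny list")
    if provider == "ldap" and not domain.get("ldap_access_filter"):
        problems.append("access_provider = ldap without ldap_access_filter: "
                        "all users are denied")
    if provider != "ldap" and domain.get("ldap_access_filter"):
        problems.append("ldap_access_filter has no effect unless "
                        "access_provider = ldap")
    return problems


# Constructed directory data for the stand-in: user -> memberOf values.
MEMBER_OF = {
    "user1": {"cn=allowedusers,ou=Groups,dc=example,dc=com"},
    "user2": {"cn=allowedusers,ou=Groups,dc=example,dc=com",
              "cn=admins,ou=Groups,dc=example,dc=com"},
    "user3": {"cn=contractors,ou=Groups,dc=example,dc=com"},
}


def member_of_filter(user: str, ldap_filter: str) -> bool:
    """Stand-in for an LDAP search: evaluates memberOf=<dn> filters only."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    if attr != "memberOf":
        raise ValueError(f"stand-in evaluates memberOf filters only: {ldap_filter!r}")
    return value in MEMBER_OF.get(user, set())


def user_allowed(user: str, domain: Domain,
                 filter_matches: Callable[[str, str], bool] = member_of_filter) -> bool:
    """Apply the provider's rule for one user; True means access is granted."""
    provider = domain.get("access_provider", "permit")
    if provider == "permit":
        return True
    if provider == "deny":
        return False
    if provider == "simple":
        allow = split_list(domain.get("simple_allow_users"))
        if allow:                                  # allow list set: it is the whole rule
            return user in allow
        return user not in split_list(domain.get("simple_deny_users"))
    if provider == "ldap":
        ldap_filter = domain.get("ldap_access_filter")
        if not ldap_filter:                        # codependent option missing
            return False
        return filter_matches(user, ldap_filter)
    raise ValueError(f"unsupported access_provider {provider!r}")


# Constructed domain sections mirroring the guide's two examples.
SIMPLE_DOMAIN = {"access_provider": "simple", "simple_allow_users": "user1, user2"}
LDAP_DOMAIN = {"access_provider": "ldap",
               "ldap_access_filter": "memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com"}

if __name__ == "__main__":
    for name, domain in (("simple", SIMPLE_DOMAIN), ("ldap", LDAP_DOMAIN),
                         ("ldap-no-filter", {"access_provider": "ldap"})):
        print(name, access_config_problems(domain),
              {u: user_allowed(u, domain) for u in ("user1", "user2", "user3")})
```

The `ldap-no-filter` line of the output is the case to remember: no configuration problem is raised by SSSD at start-up, yet every lookup answers "denied".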
[domain/<NAME>] sections of the /etc/sssd/sssd.conf file, and listed in order of preference. This list can contain any number of servers.
ldap_uri values:
ldap_uri = ldap://ldap0.mydomain.org, ldap://ldap1.mydomain.org, ldap://ldap2.mydomain.org
ldap://ldap0.mydomain.org functions as the primary server. If this server fails, the SSSD failover mechanism first attempts to connect to ldap1.mydomain.org, and if that server is unavailable, it then attempts to connect to ldap2.mydomain.org.
ldap_uri, krb5_server, …) is not specified, the back end defaults to using service discovery. Refer to Section 9.2.3.2.4.1, “Using SRV Records with Failover” for more information on service discovery.
ldap_uri parameters to specify your failover servers. The failover servers must be entered as a comma-separated list of values for a single ldap_uri parameter. If you enter multiple ldap_uri parameters, SSSD only recognizes the last entry.
ldap_uri entries.
priority and weight attributes of SRV records provide further opportunity for specifying which servers should be contacted first in the event that the primary server fails.
_service._protocol._domain TTL priority weight port hostname
service._protocol._domain, for example, _ldap._tcp._redhat.com. The client then sorts this list according to the priorities and weights, and connects to the first server in this sorted list.
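The sorting step just described (the client orders the returned SRV records by priority and weight and connects to the first one) is specified in RFC 2782: records with a lower priority value are always tried first, and among records of equal priority a weighted random choice gives heavier records a proportionally better chance of coming first. The block below is an added example for this guide, not SSSD's resolver code; it parses records written in the form shown above (also accepting the zone-file form with an explicit `IN SRV`), orders them, and takes the random source as a parameter so that the ordering is reproducible. The record text is constructed.

```python
"""SRV record parsing and RFC 2782 client ordering.

Added example, not SSSD code. Records are constructed text in the form
"name TTL priority weight port target", optionally with "IN SRV" between
the TTL and the priority as in a zone file.
"""
import random
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class SRV:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SRV:
    """Parse one SRV record line; trailing dots on names are removed."""
    fields = line.split()
    if len(fields) == 8 and fields[2].upper() == "IN" and fields[3].upper() == "SRV":
        del fields[2:4]                                  # drop class and type
    if len(fields) != 6:
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, prio, weight, port, target = fields
    if not name.startswith("_"):
        raise ValueError("SRV owner names start with _service._protocol")
    return SRV(name.rstrip("."), int(ttl), int(prio), int(weight), int(port), target.rstrip("."))


def order_targets(records: List[SRV], rand: Callable[[], float] = random.random) -> List[SRV]:
    """Return the records in the order a client should try them (RFC 2782).

    Lowest priority first. Within one priority, repeatedly draw a number in
    [0, sum of weights) and pick the first record whose running weight sum
    reaches it; zero-weight records sit at the front so they are picked only
    on a draw of exactly 0 while weighted records remain.
    """
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            group.sort(key=lambda r: r.weight != 0)      # stable: zero weights first
            total = sum(r.weight for r in group)
            draw = rand() * total
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= draw:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def target_list(records: List[SRV], rand: Callable[[], float] = random.random) -> List[str]:
    """Convenience view: 'host:port' strings in connection order."""
    return [f"{r.target}:{r.port}" for r in order_targets(records, rand)]


# Constructed records: two weighted primaries, one secondary, one backup.
ZONE = """\
_ldap._tcp.example.com. 3600 IN SRV 10 0 389 ldap-backup.example.com.
_ldap._tcp.example.com. 3600 0 60 389 ldap0.example.com.
_ldap._tcp.example.com. 3600 0 40 389 ldap1.example.com.
_ldap._tcp.example.com. 3600 5 0 389 ldap2.example.com.
"""
RECORDS = [parse_srv(line) for line in ZONE.splitlines() if line.strip()]

if __name__ == "__main__":
    print(target_list(RECORDS))                          # random draw among the primaries
    print(target_list(RECORDS, lambda: 0.0))             # ldap0 first
    print(target_list(RECORDS, lambda: 0.99))            # ldap1 first
```

Whatever the draw, `ldap2` is never tried before both priority-0 servers have been exhausted, and `ldap-backup` is always last: priority is strict, weight only shuffles within a priority.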
[sssd] section also lists the services that are active and should be started when sssd starts within the services directive.
NSS — An NSS provider service that answers NSS requests from the sssd_nss module.
PAM — A PAM provider service that manages a PAM conversation through the sssd_pam PAM module.
monitor — A special service that monitors all other SSSD services, and starts or restarts them as needed. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
debug_level (integer)
[service/<NAME>] sections in the SSSD configuration file).
reconnection_retries (integer)
DNS lookup fails to return an IPv4 address for a hostname, SSSD attempts to look up an IPv6 address before returning a failure. Note that this only ensures that the async resolver identifies the correct address; there is currently a bug in the LDAP code that prevents SSSD from connecting to an LDAP server over IPv6. This is being investigated separately.
Name Service Switch (NSS) service. Refer to the sssd.conf(5) manual page for full details about each option.
enum_cache_timeout (integer)
entry_cache_nowait_percentage (integer)
0 disables this feature).
entry_cache_timeout value for the domain.
0-99, and represent a percentage of the entry_cache_timeout value for each domain.
entry_negative_timeout (integer)
filter_users, filter_groups (string)
root.
filter_users_in_groups (Boolean)
TRUE, specifies that users listed in the filter_users list do not appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, defaults to TRUE.
Pluggable Authentication Module (PAM) service.
offline_credentials_expiration (integer)
0 (no limit).
offline_failed_login_attempts (integer)
0 (no limit).
offline_failed_login_delay (integer)
offline_failed_login_attempts has been reached before a new log in attempt is possible.
0, the user cannot authenticate offline if the value of offline_failed_login_attempts has been reached. Only a successful online authentication can re-enable offline authentication. If not specified, defaults to 5.
[sssd] section. This example shows only the configuration of Kerberos authentication; it does not include any identity provider.
```
[domain/FOO]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
```
[domain/<NAME>] sections of the /etc/sssd/sssd.conf file, and then add the list of domains to the domains attribute of the [sssd] section, in the order you want them to be queried.
min_id,max_id (integer)
min_id is 1; the default value for max_id is 0 (unbounded).
min_id is unspecified, it defaults to 1 for any back end. This default was chosen to provide compatibility with existing systems and to ease any migration attempts. LDAP administrators should be aware that granting identities in this range may conflict with users in the local /etc/passwd file. To avoid these conflicts, min_id should be set to 1000 or higher wherever possible.
min_id option determines the minimum acceptable value for both UID and GID numbers. Accounts with either UID or GID values below the min_id value are filtered out and not made available on the client.
enumerate (Boolean)
FALSE. Set this value to TRUE to enable enumeration of users and groups of a domain.
timeout (integer)
10 seconds. Raising this timeout might prove useful for slower back ends, such as distant LDAP servers.
timeout = 0, SSSD reverts to the default value; you cannot force a timeout value of zero, because this would force the sssd daemon into a loop.
cache_credentials (Boolean)
FALSE. You should set this value to TRUE for domains other than local if you want to enable offline authentication.
id_provider (string)
NSS provider (for example, nss_nis).
id_provider to proxy, ensure that you also specify a value for proxy_lib_name. Refer to Section 9.2.7, “Configuring a Proxy Domain” for information on this attribute.
SSSD internal local provider.
LDAP provider.
entry_cache_timeout (integer)
use_fully_qualified_names (Boolean)
TRUE, all requests to this domain must use fully-qualified domain names. It also means that the output from the request displays the fully-qualified name.
ipauser01, and the use_fully_qualified_names attribute is set to TRUE:
```
# getent passwd ipauser01
[no output]
# getent passwd ipauser01@IPA
ipauser01@IPA:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
```
use_fully_qualified_names attribute is set to FALSE:
```
# getent passwd ipauser01
ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
# getent passwd ipauser01@IPA
ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
```
use_fully_qualified_names is set to FALSE, you can continue to use the fully-qualified name in your requests, but only the simplified version is displayed in the output.
name@domain, not name@realm. You can, however, use the same name for both your domain and your realm.
auth_provider (string)
id_provider if it is set and can handle authentication requests.
proxy_pam_target (string)
auth_provider option is set to proxy, and specifies the target to which PAM must proxy.
/etc/pam.d/ directory.
pam_sss.so.
proxy_lib_name (string)
id_provider option is set to proxy, and specifies which existing NSS library to proxy identity requests through.
nis to use the existing libnss_nis.so file.
id_provider option is set to ldap (id_provider = ldap). Such a domain requires a running LDAP server against which to authenticate. This can be an open source LDAP server such as OpenLDAP or Microsoft Active Directory. SSSD currently supports Microsoft Active Directory 2003 (+Services for UNIX) and Active Directory 2008 (+Subsystem for UNIX-based Applications). In all cases, the client configuration is stored in the /etc/sssd/sssd.conf file.
TLS/SSL or LDAPS is required. If the LDAP server is used only as an identity provider, an encrypted channel is not needed.
/etc/sssd/sssd.conf file to include the following settings:
```
# A native LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
```
ldap_uri option instead of the server name, for example, if GSSAPI is used to avoid time-consuming DNS lookups, the TLS/SSL setup might fail. This is because TLS/SSL certificates normally contain the server name only. However, a special field in the certificate, called Subject Alternative Name (subjectAltName), can be used to additionally set the IP address of the server.
key.pem key) into a certificate request:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem
/etc/pki/tls/certs/slapd.pem), execute the following command:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
/etc/pki/tls/openssl.cnf configuration file to include the following line under the [ v3_ca ] section:
subjectAltName = IP:10.0.0.10
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
openssl x509 command creates the new certificate.
-req option tells the command to expect a certificate request as an input.
-in and -out options specify the input and output files.
-extfile option expects a file containing certificate extensions to use (in our case the subjectAltName extension).
-extensions option specifies the section of the openssl.cnf file to add certificate extensions from (in this case, the [ v3_ca ] section).
-signkey option tells the command to self-sign the input file using the supplied private key.
man x509.
old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.
DNS subject alternative names for certificate creation only.
ldap_schema attribute to either rfc2307 or rfc2307bis. These schema define how groups in LDAP are specified. In RFC 2307, group objects use a multi-valued attribute, memberuid, which lists the names of the users that belong to that group. In RFC 2307bis, instead of the memberuid, group objects use the member attribute. Rather than just the name of the user, this attribute contains the full Distinguished Name (DN) of another object in the LDAP database. This means that groups can have other groups as members. That is, it adds support for nested groups.
/etc/sssd/sssd.conf file accordingly, this can impact how your users and groups are displayed. It also means that some groups will not be available and network resources may be inaccessible even though you have permissions to use them.
id command to display these groups:
```
[f12server@ipaserver ~]$ id
uid=500(f12server) gid=500(f12server) groups=500(f12server),510(f12tester)
```
ldap_search_timeout (integer) — Specifies the timeout (in seconds) that LDAP searches are allowed to run before they are canceled and cached results are returned (and offline mode is entered). If not specified:
enumerate = False
enumerate = True. This option is forced to a minimum of 30 in this case.
ldap_network_timeout (integer) — Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity.
ldap_opt_timeout (integer) — Specifies the timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. This option also controls the timeout when communicating with the KDC in case of a SASL bind.
DNS service discovery feature allows the LDAP back end to automatically find the appropriate DNS servers to connect to using a special DNS query. For more information on the DNS service discovery feature, refer to Section 9.2.3.2.4.1, “Using SRV Records with Failover”.
/etc/sssd/sssd.conf file that ships with SSSD contains the following sample configuration for Active Directory 2003:
```
# Example LDAP domain where the LDAP server is an Active Directory 2003 server.
[domain/AD]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
;
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber
```
/etc/openldap/cacerts) and that the c_rehash function has been used to create the appropriate symlinks.
/etc/sssd/sssd.conf to support Active Directory 2003 R2 or Active Directory 2008 as a back end is similar to that for AD 2003. The following example configuration highlights the necessary changes.
```
# Example LDAP domain where the LDAP server is an Active Directory 2003 R2 or an Active Directory 2008 server.
[domain/AD]
description = LDAP domain with AD server
; debug_level = 9
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/test.cer
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
```
/etc/openldap/cacerts) and that the c_rehash function has been used to create the appropriate symlinks.
/etc/sssd/sssd.conf file.
id_provider = ldap). Some information required by the Kerberos 5 authentication back end must be supplied by the identity provider, such as the user's Kerberos Principal Name (UPN). The identity provider configuration should contain an entry to specify this UPN. Refer to the manual page for the applicable identity provider for details on how to configure the UPN.
username@krb5_realm.
krb5_kpasswd option to specify where your password changing service is running, or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC in order to change the password. Refer to the sssd-krb5(5) manual page for more information about this and all Kerberos configuration options.
/etc/sssd/sssd.conf file to include the following settings:
```
# A domain with identities provided by LDAP and authentication by Kerberos
[domain/KRBDOMAIN]
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
```
DNS service discovery feature allows the Kerberos 5 authentication back end to automatically find the appropriate DNS servers to connect to using a special DNS query. For more information on the DNS service discovery feature, refer to Section 9.2.3.2.4.1, “Using SRV Records with Failover”.
-randkey option for the kadmin's addprinc command to create the principal and assign it a random key:
kadmin: addprinc -randkey ldap/server.example.com
ktadd command to write the service principal to a file:
kadmin: ktadd -k /root/ldap.keytab ldap/server.example.com
-randkey option for the kadmin's addprinc command to create the principal and assign it a random key:
kadmin: addprinc -randkey host/client.example.com
ktadd command to write the host principal to a file:
kadmin: ktadd -k /root/client.keytab host/client.example.com
/root/ldap.keytab file from the KDC to the /etc/openldap/ directory and name it ldap.keytab.
/etc/openldap/ldap.keytab file read-writable for the ldap user and readable for the ldap group only.
/root/ldap.keytab file from the KDC to the /etc/dirsrv/ directory and name it ldap.keytab.
KRB5_KTNAME line in the /etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME variable. For example:
```
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/dirsrv/ldap.keytab; export KRB5_KTNAME
```
/root/client.keytab file from the KDC to the /etc/ directory and name it krb5.keytab. If the /etc/krb5.keytab file exists already, use the ktutil utility to merge both files properly. For more information on the ktutil utility, refer to man ktutil.
```
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab            (default)
ldap_krb5_init_creds = true                    (default)
ldap_krb5_ticket_lifetime = 86400              (default)
krb5_realm = EXAMPLE.COM
```
/etc/sssd/sssd.conf configuration file to include the following settings:
```
[domain/PROXY_KRB5]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
id_provider = proxy
proxy_lib_name = nis
enumerate = true
cache_credentials = true
```
/etc/sssd/sssd.conf configuration file to include the following settings:
```
[domain/LDAP_PROXY]
id_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com
auth_provider = proxy
proxy_pam_target = sssdpamproxy
enumerate = true
cache_credentials = true
```
/etc/pam.d/sssdpamproxy file which provides the needed module interfaces. Note that the pam_ldap.so file can be substituted with a PAM module of your choice.
/etc/pam.d/sssdpamproxy file (if not already created) and specify the following settings in it:
```
auth      required   pam_ldap.so
account   required   pam_ldap.so
password  required   pam_ldap.so
session   required   pam_ldap.so
```
/etc/sssd/sssd.conf configuration file to include the following settings:
```
[domain/PROXY_PROXY]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = true
cache_credentials = true
```
/etc/pam.d/sssdproxyldap file which provides the needed module interfaces.
man sssd.conf
/etc/pam.d/sssdproxyldap file (if not already created) and specify the following settings in it:
```
auth      required   pam_ldap.so
account   required   pam_ldap.so
password  required   pam_ldap.so
session   required   pam_ldap.so
```
/etc/nslcd.conf file (the default configuration file for the LDAP name service daemon) to include the following settings:
```
uid nslcd
gid ldap
uri ldaps://ldap.mydomain.org:636
base dc=mydomain,dc=org
ssl on
tls_cacertdir /etc/openldap/cacerts
```
man nslcd.conf
/var/log/sssd/ directory.
/etc/sssd/sssd.conf file), as well as an sssd_pam.log and an sssd_nss.log file. This level of granularity can help you to quickly isolate and resolve any errors or issues you might experience with SSSD.
/var/log/secure file, which logs authentication failures and the reason for the failure. For example, if you see Reason 4: System Error reported against any failure, you should increase the debug level of the log files.
debug_level option in the /etc/sssd/sssd.conf for the domain that is causing concern, and then restart SSSD. Refer to the sssd.conf(5) manual page for more information on how to set the debug_level for a specific domain.
FALSE in the /etc/sssd/sssd.conf file:
--debug-timestamps=FALSE
# sssd -d4
```
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
```
/etc/sssd/sssd.conf file and ensure you have at least one properly configured domain, and then try to start SSSD.
# sssd -d4
```
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [get_monitor_config] (0): No services configured!
```
/etc/sssd/sssd.conf file and ensure you have at least one available service provider, and then try to start SSSD.
services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
NSS, their symptoms, and how to resolve them.
NSS fails to return user information
# systemctl is-active sssd.service
sssd (pid 21762) is running...
[nss] section of the /etc/sssd/sssd.conf file. For example, ensure that you have not misconfigured the filter_users or filter_groups attributes. Refer to the NSS configuration options section of the sssd.conf(5) manual page for information on how to configure these attributes.
nss in the list of services that sssd should start
/etc/nsswitch.conf file. Refer to the section Section 9.2.3.2.1, “Configuring NSS” for information on how to correctly configure this file.
PAM, their symptoms, and how to resolve them.
```
[root@clientF11 tmp]# passwd user1000
Changing password for user user1000.
New password:
Retype new password:
New Password:
Reenter new Password:
passwd: all authentication tokens updated successfully.
```
use_authtok option is correctly configured in your /etc/pam.d/system-auth file.
nscd daemon, and will likely generate warnings in the SSSD log files. Even though SSSD does not directly conflict with nscd, the use of both at the same time can result in unexpected behavior (specifically with how long entries are being cached).
resolv.conf file. This file is typically only read once, and so any changes made to this file are not automatically applied.
nscd service is running, unless that service is manually restarted.
hosts and services in the /etc/nscd.conf file, and to rely on the SSSD cache for the passwd and group entries. With nscd answering hosts and services requests, these entries would have been cached and returned by nscd during the boot process.
use_fully_qualified_names attribute to TRUE in the /etc/sssd/sssd.conf file.
sssd.conf(5)
sssd-ipa(5)
sssd-krb5(5)
sssd-ldap(5)
sssd(8)
sssd_krb5_locator_plugin(8)
pam_sss(8)
```
[sssd]
config_file_version = 2
services = nss, pam
domains = mybox.example.com, ldap.example.com, ipa.example.com, nis.example.com
# sbus_timeout = 300

[nss]
nss_filter_groups = root
nss_filter_users = root
nss_entry_cache_timeout = 30
nss_enum_cache_timeout = 30

[domain/mybox.example.com]
domain_type = local
enumerate = true
min_id = 1000
# max_id = 2000
local_default_shell = /bin/bash
local_default_homedir = /home

# Possible overrides
# id_provider = local
# auth_provider = local
# authz_provider = local
# passwd_provider = local

[domain/ldap.example.com]
domain_type = ldap
server = ldap.example.com, ldap3.example.com, 10.0.0.2
# ldap_uri = ldaps://ldap.example.com:9093
# ldap_use_tls = ssl
ldap_search_base = dc=ldap,dc=example,dc=com
enumerate = false

# Possible overrides
# id_provider = ldap
# id_server = ldap2.example.com
# auth_provider = krb5
# auth_server = krb5.example.com
# krb5_realm = KRB5.EXAMPLE.COM

[domain/ipa.example.com]
domain_type = ipa
server = ipa.example.com, ipa2.example.com
enumerate = false

# Possible overrides
# id_provider = ldap
# id_server = ldap2.example.com
# auth_provider = krb5
# auth_server = krb5.example.com
# krb5_realm = KRB5.EXAMPLE.COM

[domain/nis.example.com]
id_provider = proxy
proxy_lib = nis
auth_provider = proxy
proxy_auth_target = nis_pam_proxy
```
SSH (Secure Shell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, which makes it difficult for intruders to collect unencrypted passwords.
telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
root by typing:
```
su -
```
ssh, scp, and sftp), and those for the server (the sshd daemon).
/etc/ssh/ directory. See Table 10.1, “System-wide configuration files” for a description of its content.
| Configuration File | Description |
|---|---|
| /etc/ssh/moduli | Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication. |
| /etc/ssh/ssh_config | The default SSH client configuration file. Note that it is overridden by ~/.ssh/config if it exists. |
| /etc/ssh/sshd_config | The configuration file for the sshd daemon. |
| /etc/ssh/ssh_host_dsa_key | The DSA private key used by the sshd daemon. |
| /etc/ssh/ssh_host_dsa_key.pub | The DSA public key used by the sshd daemon. |
| /etc/ssh/ssh_host_key | The RSA private key used by the sshd daemon for version 1 of the SSH protocol. |
| /etc/ssh/ssh_host_key.pub | The RSA public key used by the sshd daemon for version 1 of the SSH protocol. |
| /etc/ssh/ssh_host_rsa_key | The RSA private key used by the sshd daemon for version 2 of the SSH protocol. |
| /etc/ssh/ssh_host_rsa_key.pub | The RSA public key used by the sshd daemon for version 2 of the SSH protocol. |
~/.ssh/ directory. See Table 10.2, “User-specific configuration files” for a description of its content.
| Configuration File | Description |
|---|---|
| ~/.ssh/authorized_keys | Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file. |
| ~/.ssh/id_dsa | Contains the DSA private key of the user. |
| ~/.ssh/id_dsa.pub | The DSA public key of the user. |
| ~/.ssh/id_rsa | The RSA private key used by ssh for version 2 of the SSH protocol. |
| ~/.ssh/id_rsa.pub | The RSA public key used by ssh for version 2 of the SSH protocol. |
| ~/.ssh/identity | The RSA private key used by ssh for version 1 of the SSH protocol. |
| ~/.ssh/identity.pub | The RSA public key used by ssh for version 1 of the SSH protocol. |
| ~/.ssh/known_hosts | Contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server. |
ssh_config and sshd_config man pages for information concerning the various directives available in the SSH configuration files.
sshd daemon, type the following at a shell prompt:
```
systemctl start sshd.service
```
sshd daemon, use the following command:
```
systemctl stop sshd.service
```
```
systemctl enable sshd.service
```
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
```
/etc/ssh/ directory (see Table 10.1, “System-wide configuration files” for a complete list), and restore them whenever you reinstall the system.
telnet, rsh, rlogin, and vsftpd.
systemctl stop telnet.servicesystemctl stop rsh.servicesystemctl stop rlogin.servicesystemctl stop vsftpd.service
systemctl disable telnet.servicesystemctl disable rsh.servicesystemctl disable rlogin.servicesystemctl disable vsftpd.service
To disable password-based authentication on the server, open the /etc/ssh/sshd_config configuration file in a text editor, and change the PasswordAuthentication option as follows:
PasswordAuthentication no
To use ssh, scp, or sftp to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately.
If you complete the steps as root, only root will be able to use the keys.
If you reinstall your system and want to keep previously generated key pairs, back up the ~/.ssh/ directory. After reinstalling, copy it back to your home directory. This process can be done for all users on your system, including root.
To generate an RSA key pair for version 2 of the SSH protocol, type the following at a shell prompt:
~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Press Enter to confirm the default location (that is, ~/.ssh/id_rsa) for the newly created key.
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 john@penguin.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| E. |
| . . |
| o . |
| . .|
| S . . |
| + o o ..|
| * * +oo|
| O +..=|
| o* o.|
+-----------------+
Change the permissions of the ~/.ssh/ directory:
~]$ chmod 755 ~/.ssh
Copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
Change the permissions of the ~/.ssh/authorized_keys file using the following command:
~]$ chmod 644 ~/.ssh/authorized_keys
To generate a DSA key pair for version 2 of the SSH protocol, type the following at a shell prompt:
~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_dsa):
Press Enter to confirm the default location (that is, ~/.ssh/id_dsa) for the newly created key.
Your identification has been saved in /home/john/.ssh/id_dsa.
Your public key has been saved in /home/john/.ssh/id_dsa.pub.
The key fingerprint is:
81:a1:91:a8:9f:e8:c5:66:0d:54:f5:90:cc:bc:cc:27 john@penguin.example.com
The key's randomart image is:
+--[ DSA 1024]----+
| .oo*o. |
| ...o Bo |
| .. . + o. |
|. . E o |
| o..o S |
|. o= . |
|. + |
| . |
| |
+-----------------+
Change the permissions of the ~/.ssh/ directory:
~]$ chmod 775 ~/.ssh
Copy the content of ~/.ssh/id_dsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
Change the permissions of the ~/.ssh/authorized_keys file using the following command:
~]$ chmod 644 ~/.ssh/authorized_keys
To generate an RSA key pair for version 1 of the SSH protocol, type the following at a shell prompt:
~]$ ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/john/.ssh/identity):
Press Enter to confirm the default location (that is, ~/.ssh/identity) for the newly created key.
Your identification has been saved in /home/john/.ssh/identity.
Your public key has been saved in /home/john/.ssh/identity.pub.
The key fingerprint is:
cb:f6:d5:cb:6e:5f:2b:28:ac:17:0c:e4:62:e4:6f:59 john@penguin.example.com
The key's randomart image is:
+--[RSA1 2048]----+
| |
| . . |
| o o |
| + o E |
| . o S |
| = + . |
| . = . o . .|
| . = o o..o|
| .o o o=o.|
+-----------------+
Change the permissions of the ~/.ssh/ directory:
~]$ chmod 755 ~/.ssh
Copy the content of ~/.ssh/identity.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
Change the permissions of the ~/.ssh/authorized_keys file using the following command:
~]$ chmod 644 ~/.ssh/authorized_keys
To store your passphrase so that you do not have to enter it each time you initiate a connection with a remote machine, you can use the ssh-agent authentication agent. To save your passphrase for a certain shell prompt, use the following command:
~]$ ssh-add
Enter passphrase for /home/john/.ssh/id_rsa:
The ssh utility allows you to log in to a remote machine and execute commands there. It is a secure replacement for the rlogin, rsh, and telnet programs.
Similarly to telnet, to log in to a remote machine named penguin.example.com, type the following command at a shell prompt:
~]$ ssh penguin.example.com
This logs you in with the same user name you are using on the local machine. To specify a different user name, use the ssh username@hostname form. For example, to log in as john, type:
~]$ ssh john@penguin.example.com
The first time you initiate a connection, you will be presented with a message similar to this:
The authenticity of host 'penguin.example.com' can't be established.
RSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?
Type yes to confirm. You will see a notice that the server has been added to the list of known hosts, and a prompt asking for your password:
Warning: Permanently added 'penguin.example.com' (RSA) to the list of known hosts.
john@penguin.example.com's password:
If the host key of a server you have connected to before changes, the old key must be removed from the ~/.ssh/known_hosts file before you can connect again. To do so, open the file in a text editor, and remove the line that begins with the remote machine name. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
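As an added example (not code from the Fedora guide or OpenSSH), the following Python script does what the ssh client does with ~/.ssh/known_hosts before it prints either the yes/no prompt or the REMOTE HOST IDENTIFICATION HAS CHANGED warning, and renders the MD5 fingerprint in the colon-separated form shown above. The key material and known_hosts content are constructed for the example and are not real host keys.

```python
"""Added example, not part of the Fedora guide: compare a server's presented
host key against ~/.ssh/known_hosts the way the ssh client does, and render
the MD5 fingerprint in the colon-separated form the guide's output shows.
The keys and known_hosts content below are constructed for the example."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement; a leading 0x00 keeps it positive."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> comment' line (constructed helper;
    real keys come from ssh-keygen or /etc/ssh/ssh_host_rsa_key.pub)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint_md5(pubkey_line: str) -> str:
    """MD5 of the decoded key blob as 16 colon-separated hex pairs, the format
    'RSA key fingerprint is 94:68:3a:3a:...' uses in the ssh output above."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint as newer OpenSSH releases print it (unpadded base64)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_known_host(known_hosts_text: str, hostname: str, presented_key_line: str) -> str:
    """Return 'unknown' when no entry exists (ssh asks yes/no), 'match' when the
    recorded key is the one presented, or 'CHANGED' when an entry for the host
    exists but holds a different key (the REMOTE HOST IDENTIFICATION HAS CHANGED
    case). Only plain, unhashed known_hosts lines are handled here; an entry of
    another key type is ignored, as if the host were unknown for this type."""
    key_type, key_blob = presented_key_line.split()[:2]
    seen_host = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        hosts, line_type, line_blob = parts[0].split(","), parts[1], parts[2]
        if hostname not in hosts or line_type != key_type:
            continue
        seen_host = True
        if line_blob == key_blob:
            return "match"
    return "CHANGED" if seen_host else "unknown"


# Constructed sample data: the key recorded on first contact and a different key
# presented later (as after a reinstall of the server). Not real host keys.
RECORDED_KEY = make_rsa_pubkey_line(65537, 0xC4F38E3D6A1B9F027D5C1E8A4B2F9D31, "penguin.example.com")
OTHER_KEY = make_rsa_pubkey_line(65537, 0xA7D24C19E8F30B5D6C1A9E47F2B83D05, "penguin.example.com")
KNOWN_HOSTS = "penguin.example.com,192.168.0.5 " + " ".join(RECORDED_KEY.split()[:2]) + "\n"

if __name__ == "__main__":
    print("recorded fingerprint:", fingerprint_md5(RECORDED_KEY))
    for key in (RECORDED_KEY, OTHER_KEY):
        print(check_known_host(KNOWN_HOSTS, "penguin.example.com", key))
```

Compare the fingerprint the script prints for a server's /etc/ssh/ssh_host_rsa_key.pub, obtained out of band, with the one shown at the yes/no prompt before answering yes.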
The ssh program can also be used to execute a command on the remote machine without logging in to a shell prompt. The syntax for that is ssh [username@]hostname command. For example, if you want to execute the whoami command on penguin.example.com, type:
~]$ ssh john@penguin.example.com whoami
john@penguin.example.com's password:
john
The scp utility can be used to transfer files between machines over a secure, encrypted connection. In its design, it is very similar to rcp.
To transfer a local file to a remote system, use a command in the following form:
scp localfile username@hostname:remotefile
For example, to transfer a local file called taglist.vim to a remote machine named penguin.example.com, type the following at a shell prompt:
~]$ scp taglist.vim john@penguin.example.com:.vim/plugin/taglist.vim
john@penguin.example.com's password:
taglist.vim 100% 144KB 144.5KB/s 00:00
Multiple files can be specified at once. To transfer the content of .vim/plugin/ to the same directory on the remote machine penguin.example.com, type the following command:
~]$ scp .vim/plugin/* john@penguin.example.com:.vim/plugin/
john@penguin.example.com's password:
closetag.vim 100% 13KB 12.6KB/s 00:00
snippetsEmu.vim 100% 33KB 33.1KB/s 00:00
taglist.vim 100% 144KB 144.5KB/s 00:00
To transfer a remote file to the local system, use the following syntax:
scp username@hostname:remotefile localfile
For instance, to download the .vimrc configuration file from the remote machine, type:
~]$ scp john@penguin.example.com:.vimrc .vimrc
john@penguin.example.com's password:
.vimrc 100% 2233 2.2KB/s 00:00
The sftp utility can be used to open a secure, interactive FTP session. In its design, it is similar to ftp except that it uses a secure, encrypted connection.
To connect to a remote system, use a command in the following form:
sftp username@hostname
For example, to log in to a remote machine named penguin.example.com with john as a username, type:
~]$ sftp john@penguin.example.com
john@penguin.example.com's password:
Connected to penguin.example.com.
sftp>
After you log in, the sftp utility accepts a set of commands similar to those used by ftp (see Table 10.3, “A selection of available sftp commands”).
| Command | Description |
|---|---|
| ls [directory] | List the content of a remote directory. If none is supplied, the current working directory is used by default. |
| cd directory | Change the remote working directory to directory. |
| mkdir directory | Create a remote directory. |
| rmdir path | Remove a remote directory. |
| put localfile [remotefile] | Transfer localfile to a remote machine. |
| get remotefile [localfile] | Transfer remotefile from a remote machine. |
For a complete list of available commands, refer to the sftp man page.
To open an X11 session over an SSH connection, use a command in the following form:
ssh -Y username@hostname
For example, to log in to a remote machine named penguin.example.com with john as a username, type:
~]$ ssh -Y john@penguin.example.com
john@penguin.example.com's password:
For example, to start the Printer Configuration utility over the forwarded X11 connection, type:
~]$ system-config-printer &
SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
To create a port forwarding channel that listens for connections on the localhost, use a command in the following form:
ssh -L local-port:remote-hostname:remote-port username@hostname
For example, to check email on a server called mail.example.com using POP3 through an encrypted connection, use the following command:
~]$ ssh -L 1100:mail.example.com:110 mail.example.com
Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new email. Any requests sent to port 1100 on the client system will be directed securely to the mail.example.com server.
If mail.example.com is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
~]$ ssh -L 1100:mail.example.com:110 other.example.com
In this example, POP3 requests from port 1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, other.example.com. Then, other.example.com connects to port 110 on mail.example.com to check for new email. Note that when using this technique, only the connection between the client system and the other.example.com SSH server is secure.
Port forwarding can be disabled on the server by specifying a No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the sshd service.
man ssh
man scp
man sftp
man sshd
man ssh-keygen
man ssh_config
man sshd_config
The dhcp package contains an ISC DHCP server. First, install the package as root:
yum install dhcp
Installing the dhcp package creates a file, /etc/dhcp/dhcpd.conf, which is merely an empty configuration file:
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see dhcpd.conf(5) man page
#
The sample configuration file can be found at /usr/share/doc/dhcp-version/dhcpd.conf.sample. You should use this file to help you configure /etc/dhcp/dhcpd.conf, which is explained in detail below.
DHCP also uses the file /var/lib/dhcpd/dhcpd.leases to store the client lease database. Refer to Section 11.2.2, “Lease Database” for more information.
If you change the configuration file, the changes do not take effect until you restart the DHCP daemon as root:
systemctl restart dhcpd.service
Instead of restarting the daemon, the omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.
In the example below, the routers, subnet-mask, domain-search, domain-name-servers, and time-offset options are used for any host statements declared below it.
A subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
The example declares global options for every DHCP client in the subnet and a range. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-search "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.1.10 192.168.1.100;
}
To configure a DHCP server that leases a dynamic IP address to a system within a subnet, modify the following example with your values. It declares a default lease time, maximum lease time, and network configuration values for the clients, and assigns IP addresses in the range 192.168.1.10 to 192.168.1.100 to client systems.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-search "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
}
To assign an IP address to a client based on the MAC address of the network interface card, use the hardware ethernet parameter within a host declaration. As demonstrated in Example 11.3, “Static IP address using DHCP”, the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
The optional parameter host-name can also be used to assign a host name to the client.
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
All subnets that share the same physical network should be declared within a shared-network declaration as shown in Example 11.4, “Shared-network declaration”. Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network must be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
As demonstrated in the example below, the group declaration is used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
group {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-search "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
host raleigh {
option host-name "raleigh.example.com";
hardware ethernet 00:A1:DD:74:C3:F2;
fixed-address 192.168.1.6;
}
}
To configure a DHCP server, start from the sample configuration file supplied with the package:
cp /usr/share/doc/dhcp-version-number/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
where version-number is the DHCP version number.
For a complete list of option statements and what they do, refer to the dhcp-options man page.
The file /var/lib/dhcpd/dhcpd.leases stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
The lease database is periodically rewritten so that it does not grow too large: all known leases are saved in a temporary lease database, the dhcpd.leases file is renamed dhcpd.leases~, and the temporary lease database is written to dhcpd.leases.
If the DHCP daemon is killed or the system crashes after the lease database has been renamed to the backup file but before the new file has been written, the dhcpd.leases file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost, which causes many problems. The correct solution is to rename the dhcpd.leases~ backup file to dhcpd.leases and then start the daemon.
When the DHCP server is started for the first time, it fails unless the dhcpd.leases file exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does not exist.
named service automatically checks for a dhcpd.leases file.
To start, stop, or enable the DHCP service at boot time, use the following commands as root:
systemctl start dhcpd.service
systemctl stop dhcpd.service
systemctl enable dhcpd.service
If more than one network interface is attached to the system, but the DHCP server should only be started on one of the interfaces, configure the DHCP server to start only on that device. In /etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:
# Command line options here
DHCPDARGS=eth0
Other command line options that can be specified in /etc/sysconfig/dhcpd include:
-p portnum — Specifies the UDP port number on which dhcpd should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to Section 11.2.4, “DHCP Relay Agent” for details.
-f — Runs the daemon as a foreground process. This is mostly used for debugging.
-d — Logs the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to /var/log/messages.
-cf filename — Specifies the location of the configuration file. The default location is /etc/dhcp/dhcpd.conf.
-lf filename — Specifies the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is /var/lib/dhcpd/dhcpd.leases.
-q — Do not print the entire copyright message when starting the daemon.
The DHCP Relay Agent (dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
Specify the interfaces the DHCP Relay Agent listens on in /etc/sysconfig/dhcrelay with the INTERFACES directive. To start the DHCP Relay Agent, use the following command:
systemctl start dhcrelay.service
To configure a DHCP client manually, modify the /etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.
The /etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Fedora does not support this feature.)
PEERDNS=answer , where answer is one of the following:
yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
For advanced client configuration options, refer to the dhclient and dhclient.conf man pages.
Before making any changes, back up the existing /etc/sysconfig/dhcpd and /etc/dhcp/dhcpd.conf files.
The DHCP daemon listens on all network interfaces unless otherwise specified. Use the /etc/sysconfig/dhcpd file to specify which network interfaces the DHCP daemon listens on. The following /etc/sysconfig/dhcpd example specifies that the DHCP daemon listens on the eth0 and eth1 interfaces:
DHCPDARGS="eth0 eth1";
If a system has three network interfaces (eth0, eth1, and eth2) and the DHCP daemon should listen only on eth0, then only specify eth0 in /etc/sysconfig/dhcpd:
DHCPDARGS="eth0";
The following is a basic /etc/dhcp/dhcpd.conf file, for a server that has two network interfaces, eth0 in a 10.0.0.0/24 network, and eth1 in a 172.16.0.0/24 network. Multiple subnet declarations allow different settings to be defined for multiple networks:
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 10.0.0.1;
range 10.0.0.5 10.0.0.15;
}
subnet 172.16.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 172.16.0.1;
range 172.16.0.5 172.16.0.15;
}
subnet 10.0.0.0 netmask 255.255.255.0;
A subnet declaration is required for every network your DHCP server is serving. Multiple subnets require multiple subnet declarations. If the DHCP server does not have a network interface in a range of a subnet declaration, the DHCP server does not serve that network.
If there is no subnet declaration for the network a given interface is attached to, and no network interfaces are in the range of any subnet declaration, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: No subnet declaration for eth0 (0.0.0.0).
dhcpd: ** Ignoring requests on eth0. If this is not what
dhcpd: you want, please write a subnet declaration
dhcpd: in your dhcpd.conf file for the network segment
dhcpd: to which interface eth1 is attached. **
dhcpd:
dhcpd:
dhcpd: Not configured to listen on any interfaces!
option subnet-mask 255.255.255.0;
The option subnet-mask option defines a subnet mask, and overrides the netmask value in the subnet declaration. In simple cases, the subnet and netmask values are the same.
option routers 10.0.0.1;
The option routers option defines the default gateway for the subnet. This is required for systems to reach internal networks on a different subnet, as well as external networks.
range 10.0.0.5 10.0.0.15;
The range option specifies the pool of available IP addresses. Systems are assigned an address from the range of specified IP addresses.
For a complete list of configuration options, refer to the dhcpd.conf(5) man page.
If there are errors in /etc/dhcp/dhcpd.conf, the DHCP daemon fails to start.
Before making any changes, back up the existing /etc/sysconfig/dhcpd and /etc/dhcp/dhcpd.conf files.
The following /etc/dhcp/dhcpd.conf example creates two subnets, and configures an IP address for the same system, depending on which network it connects to:
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 10.0.0.1;
range 10.0.0.5 10.0.0.15;
}
subnet 172.16.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 172.16.0.1;
range 172.16.0.5 172.16.0.15;
}
host example0 {
hardware ethernet 00:1A:6B:6A:2E:0B;
fixed-address 10.0.0.20;
}
host example1 {
hardware ethernet 00:1A:6B:6A:2E:0B;
fixed-address 172.16.0.20;
}
host example0
The host declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple host declarations.
Any name can be used for a host declaration, as long as it is unique among the other host declarations. To configure the same system for multiple networks, use a different name for each host declaration, otherwise the DHCP daemon fails to start. Systems are identified by the hardware ethernet option, not the name in the host declaration.
hardware ethernet 00:1A:6B:6A:2E:0B;
The hardware ethernet option identifies the system. To find this address, run the ip link command.
fixed-address 10.0.0.20;
The fixed-address option assigns a valid IP address to the system specified by the hardware ethernet option. This address must be outside the IP address pool specified with the range option.
If option statements do not end with a semicolon, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
/etc/dhcp/dhcpd.conf line 20: semicolon expected.
dhcpd: }
dhcpd: ^
dhcpd: /etc/dhcp/dhcpd.conf line 38: unexpected end of file
dhcpd:
dhcpd: ^
dhcpd: Configuration file errors encountered -- exiting
The following host declarations configure a single system that has multiple network interfaces, so that each interface receives the same IP address. This configuration will not work if both network interfaces are connected to the same network at the same time:
host interface0 {
hardware ethernet 00:1a:6b:6a:2e:0b;
fixed-address 10.0.0.18;
}
host interface1 {
hardware ethernet 00:1A:6B:6A:27:3A;
fixed-address 10.0.0.18;
}
interface0 is the first network interface, and interface1 is the second interface. The different hardware ethernet options identify each interface.
To configure additional network interfaces, add more host declarations, remembering to:
assign a valid fixed-address for the network the host is connecting to.
make the name of the host declaration unique.
If the name of a host declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: /etc/dhcp/dhcpd.conf line 31: host interface0: already exists
dhcpd: }
dhcpd: ^
dhcpd: Configuration file errors encountered -- exiting
This error was caused by having multiple host interface0 declarations defined in /etc/dhcp/dhcpd.conf.
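The three failure modes just described (a missing semicolon, a duplicate host name, and a fixed-address that falls inside a dynamic range) can be caught before dhcpd is restarted. The following checker is an added example in Python, not the Fedora guide's or ISC's code; it handles only the subset of dhcpd.conf grammar used in the examples above, and its sample configurations are constructed from them.

```python
"""Added example, not the Fedora guide's or ISC's code: check a dhcpd.conf for
the failure modes walked through above before restarting dhcpd: a statement
missing its trailing semicolon (detected when a brace follows, the 'semicolon
expected' case logged above), a host name declared twice ('already exists'),
and a fixed-address inside a subnet's dynamic range. Only the grammar of the
guide's examples is handled; the sample configurations are constructed."""
import ipaddress
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|#[^\n]*|[^\s{};"#]+')


def tokenize(text: str) -> list:
    """Split dhcpd.conf text into words, quoted strings and { } ; punctuation; '#' comments are dropped."""
    return [m.group(0) for m in _TOKEN.finditer(text) if not m.group(0).startswith("#")]


def parse(text: str) -> list:
    """Return (words, children) tuples; children is None for a simple statement and a
    nested list for a block. Raises ValueError with a dhcpd-style message on a syntax error."""
    tokens = tokenize(text)
    pos = 0

    def block() -> list:
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", "}", ";"):
                words.append(tokens[pos])
                pos += 1
            if pos == len(tokens) or tokens[pos] == "}":
                raise ValueError("semicolon expected after '%s'" % " ".join(words))
            if tokens[pos] == ";":
                pos += 1
                stmts.append((words, None))
            else:                        # "{" opens a nested block
                pos += 1
                children = block()
                if pos == len(tokens):
                    raise ValueError("unexpected end of file")
                pos += 1                 # consume the closing "}"
                stmts.append((words, children))
        return stmts

    stmts = block()
    if pos < len(tokens):
        raise ValueError("unexpected '}'")
    return stmts


def check(text: str) -> list:
    """Return problem descriptions; an empty list means every check here passed."""
    try:
        stmts = parse(text)
    except ValueError as exc:
        return ["parse error: " + str(exc)]
    problems, ranges, fixed, host_names = [], [], [], set()

    def walk(statements: list) -> None:
        for words, children in statements:
            if not words or children is None:
                continue
            if words[0] == "subnet":
                for cw, _ in children:   # the last two words of a range are its bounds
                    if cw and cw[0] == "range" and len(cw) >= 3:
                        ranges.append((ipaddress.ip_address(cw[-2]), ipaddress.ip_address(cw[-1])))
            elif words[0] == "host":
                name = words[1] if len(words) > 1 else ""
                if name in host_names:
                    problems.append("host %s: already exists" % name)
                host_names.add(name)
                for cw, _ in children:
                    if cw and cw[0] == "fixed-address" and len(cw) == 2:
                        fixed.append((name, cw[1]))
            walk(children)               # hosts may also sit inside group or shared-network blocks

    walk(stmts)
    for name, addr in fixed:             # checked last: subnets may be declared after hosts
        ip = ipaddress.ip_address(addr)
        for low, high in ranges:
            if ip.version == low.version and low <= ip <= high:
                problems.append("host %s: fixed-address %s lies inside dynamic range %s-%s"
                                % (name, addr, low, high))
    return problems


# Constructed sample configurations, modelled on the multihomed examples above.
GOOD_CONF = """
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    range 10.0.0.5 10.0.0.15;
}
host interface0 {
    hardware ethernet 00:1a:6b:6a:2e:0b;
    fixed-address 10.0.0.18;
}
host interface1 {
    hardware ethernet 00:1A:6B:6A:27:3A;
    fixed-address 10.0.0.18;
}
"""
BAD_DUP = GOOD_CONF.replace("host interface1", "host interface0")            # name used twice
BAD_SEMI = GOOD_CONF.replace("range 10.0.0.5 10.0.0.15;", "range 10.0.0.5 10.0.0.15")
BAD_FIXED = GOOD_CONF.replace("fixed-address 10.0.0.18;", "fixed-address 10.0.0.7;", 1)
```

Running check() on the text of /etc/dhcp/dhcpd.conf returns an empty list when none of the three problems is present.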
The DHCPv6 server is configured in the /etc/dhcp/dhcpd6.conf file.
A sample server configuration file can be found at /usr/share/doc/dhcp-version/dhcpd6.conf.sample.
To start the DHCPv6 service, use the following command:
systemctl start dhcpd6.service
A simple DHCPv6 server configuration file can look like this:
subnet6 2001:db8:0:1::/64 {
range6 2001:db8:0:1::129 2001:db8:0:1::254;
option dhcp6.name-servers fec0:0:0:1::1;
option dhcp6.domain-search "domain.example";
}
dhcpd man page — Describes how the DHCP daemon works.
dhcpd.conf man page — Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page — Describes a persistent database of leases.
dhcp-options man page — Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page — Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-version/ — Contains sample files, README files, and release notes for current versions of the DHCP service.
DNS (Domain Name System), also known as a nameserver, is a network system that associates hostnames with their respective IP addresses. For users, this has the advantage that they can refer to machines on the network by names that are usually easier to remember than the numerical network addresses. For system administrators, using the nameserver allows them to change the IP address for a host without ever affecting the name-based queries, or to decide which machines handle these queries.
bob.sales.example.com
A fully qualified domain name such as the one above consists of sections separated by periods (.). In the example above, com defines the top-level domain, example its subdomain, and sales the subdomain of example. In this case, bob identifies a resource record that is part of the sales.example.com domain. With the exception of the part furthest to the left (that is, bob), each of these sections is called a zone and defines a specific namespace.
BIND consists of a set of DNS-related programs: a nameserver daemon called named, an administration utility called rndc, and a debugging tool called dig. Refer to Chapter 8, Services and Daemons for more information on how to configure services in Fedora.
This section covers BIND (Berkeley Internet Name Domain), the DNS server included in Fedora. It focuses on the structure of its configuration files, and describes how to administer it both locally and remotely.
When the named service is started, it reads the configuration from the files as described in Table 12.1, “The named service configuration files”.
| Path | Description |
|---|---|
| /etc/named.conf | The main configuration file. |
| /etc/named/ | An auxiliary directory for configuration files that are included in the main configuration file. |
The configuration file consists of a collection of statements with nested options surrounded by opening and closing curly brackets ({ and }). Note that when editing the file, you have to be careful not to make any syntax errors, otherwise the named service will not start. A typical /etc/named.conf file is organized as follows:
statement-1 ["statement-1-name"] [statement-1-class] {
  option-1;
  option-2;
  option-N;
};
statement-2 ["statement-2-name"] [statement-2-class] {
  option-1;
  option-2;
  option-N;
};
statement-N ["statement-N-name"] [statement-N-class] {
  option-1;
  option-2;
  option-N;
};
If you have installed the bind-chroot package, the BIND service will run in the /var/named/chroot environment. In that case, the initialization script will mount the above configuration files using the mount --bind command, so that you can manage the configuration outside this environment.
The following types of statements are commonly used in /etc/named.conf:
acl
The acl (Access Control List) statement allows you to define groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:
acl acl-name { match-element; ... };
The acl-name statement name is the name of the access control list, and the match-element option is usually an individual IP address (such as 10.0.1.1) or a CIDR network notation (for example, 10.0.1.0/24). For a list of already defined keywords, see Table 12.2, “Predefined access control lists”.
| Keyword | Description |
|---|---|
| any | Matches every IP address. |
| localhost | Matches any IP address that is in use by the local system. |
| localnets | Matches any IP address on any network to which the local system is connected. |
| none | Does not match any IP address. |
The acl statement can be especially useful in conjunction with other statements such as options. Example 12.1, “Using acl in conjunction with options” defines two access control lists, black-hats and red-hats, and adds black-hats to the blacklist while granting red-hats normal access.
acl black-hats {
10.0.2.0/24;
192.168.0.0/24;
1234:5678::9abc/24;
};
acl red-hats {
10.0.1.0/24;
};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-query-cache { red-hats; };
};
include
The include statement allows you to include files in the /etc/named.conf, so that potentially sensitive data can be placed in a separate file with restricted permissions. It takes the following form:
include "file-name"
The file-name statement name is an absolute path to a file.
include "/etc/named.rfc1912.zones";
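To see how named evaluates the address match lists of Example 12.1 above, here is an added example in Python (not BIND's code). It applies the first-match rule, the predefined lists any, localhost, localnets and none from Table 12.2, and the ! negation prefix; the local addresses and networks are constructed stand-ins for what named derives from the host's interfaces.

```python
"""Added example, not BIND's code: evaluate the acl and options statements of
Example 12.1 for a client address the way named matches an address match list.
The first matching element decides; a '!' prefix negates an element; nested
acl names are resolved by name. LOCAL_* values are constructed stand-ins."""
import ipaddress

# Constructed stand-ins for what named derives from the host's own interfaces.
LOCAL_ADDRESSES = ["192.168.0.10", "127.0.0.1", "::1"]
LOCAL_NETWORKS = ["192.168.0.0/24", "127.0.0.0/8", "::1/128"]

# The lists and options from Example 12.1.
ACLS = {
    "black-hats": ["10.0.2.0/24", "192.168.0.0/24", "1234:5678::9abc/24"],
    "red-hats": ["10.0.1.0/24"],
}
OPTIONS = {
    "blackhole": ["black-hats"],
    "allow-query": ["red-hats"],
    "allow-query-cache": ["red-hats"],
}


def match_list(elements, client, acls):
    """Return True if the first matching element is positive, False if it is a
    negated ('!') element or nothing matches, which is how named decides."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(client == ipaddress.ip_address(a) for a in LOCAL_ADDRESSES)
        elif name == "localnets":
            hit = any(client in ipaddress.ip_network(n) for n in LOCAL_NETWORKS)
        elif name in acls:
            hit = match_list(acls[name], client, acls)  # nested acl by name
        else:
            # strict=False: 1234:5678::9abc/24 has host bits set, as in the example
            net = ipaddress.ip_network(name, strict=False)
            hit = client.version == net.version and client in net
        if hit:
            return not negate
    return False


def decide(client_ip, acls=ACLS, options=OPTIONS):
    """Mirror the options block of Example 12.1: a blackholed client gets no
    answer at all; otherwise report whether authoritative queries (allow-query)
    and cached/recursive answers (allow-query-cache) are permitted."""
    client = ipaddress.ip_address(client_ip)
    if match_list(options["blackhole"], client, acls):
        return "blackholed"
    auth = match_list(options["allow-query"], client, acls)
    cache = match_list(options["allow-query-cache"], client, acls)
    return "query=%s cache=%s" % ("allow" if auth else "refuse", "allow" if cache else "refuse")


if __name__ == "__main__":
    for ip in ("10.0.2.7", "1234:5678::1", "10.0.1.9", "10.0.3.1"):
        print(ip, "->", decide(ip))
```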
options
The options statement allows you to define global server configuration options as well as to set defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more. It takes the following form:
options {
option;
...
};
For a list of frequently used option directives, see Table 12.3, “Commonly used options” below.
| Option | Description |
|---|---|
| allow-query | Specifies which hosts are allowed to query the nameserver for authoritative resource records. It accepts an access control list, a collection of IP addresses, or networks in the CIDR notation. All hosts are allowed by default. |
| allow-query-cache | Specifies which hosts are allowed to query the nameserver for non-authoritative data such as recursive queries. Only localhost and localnets are allowed by default. |
| blackhole | Specifies which hosts are not allowed to query the nameserver. This option should be used when a particular host or network floods the server with requests. The default option is none. |
| directory | Specifies a working directory for the named service. The default option is /var/named/. |
| dnssec-enable | Specifies whether to return DNSSEC related resource records. The default option is yes. |
| dnssec-validation | Specifies whether to prove that resource records are authentic via DNSSEC. The default option is yes. |
| forwarders | Specifies a list of valid IP addresses for nameservers to which the requests should be forwarded for resolution. |
| forward | Specifies the behavior of the forwarders directive. It accepts the following options: |
| listen-on | Specifies the IPv4 network interface on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default. |
| listen-on-v6 | Specifies the IPv6 network interface on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default. |
| max-cache-size | Specifies the maximum amount of memory to be used for server caches. When the limit is reached, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default option is 32M. |
| notify | Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options: |
| pid-file | Specifies the location of the process ID file created by the named service. |
| recursion | Specifies whether to act as a recursive server. The default option is yes. |
| statistics-file | Specifies an alternate location for statistics files. The /var/named/named.stats file is used by default. |
It is recommended to use the allow-query-cache option to restrict recursive DNS services to a particular subset of clients only.
Refer to the named.conf manual page for a complete list of available options.
options {
allow-query { localhost; };
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
max-cache-size 256M;
directory "/var/named";
statistics-file "/var/named/data/named_stats.txt";
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone
The zone statement allows you to define the characteristics of a zone, such as the location of its configuration file and zone-specific options, and can be used to override the global options statements. It takes the following form:
zone zone-name [zone-class] { option; ... };
The zone-name attribute is the name of the zone, zone-class is the optional class of the zone, and option is a zone statement option as described in Table 12.4, “Commonly used options”.
The zone-name attribute is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if a zone statement defines the namespace for example.com, use example.com as the zone-name so that it is placed at the end of hostnames within the example.com zone file.
| Option | Description |
|---|---|
| allow-query | Specifies which clients are allowed to request information about this zone. This option overrides the global allow-query option. All query requests are allowed by default. |
| allow-transfer | Specifies which secondary servers are allowed to request a transfer of the zone's information. All transfer requests are allowed by default. |
| allow-update | Specifies which hosts are allowed to dynamically update information in their zone. The default option is to deny all dynamic update requests. Note that you should be careful when allowing hosts to update information about their zone. Do not set IP addresses in this option unless the server is in the trusted network. Instead, use a TSIG key as described in Section 12.2.5.3, “Transaction SIGnatures (TSIG)”. |
| file | Specifies the name of the file in the named working directory that contains the zone's configuration data. |
| masters | Specifies from which IP addresses to request authoritative zone information. This option is used only if the zone is defined as type slave. |
| notify | Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options: |
| type | Specifies the zone type. It accepts the following options: |
Most changes to the /etc/named.conf file of a primary or secondary nameserver involve adding, modifying, or deleting zone statements, and only a small subset of zone statement options is usually needed for a nameserver to work efficiently.
In the following zone statement for a primary nameserver, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only a secondary nameserver (192.168.0.2) to transfer the zone.
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer { 192.168.0.2; };
};
A secondary server's zone statement is slightly different. The type is set to slave, and the masters directive tells named the IP address of the master server.
In the following example, the named service is configured to query the primary server at the 192.168.0.1 IP address for information about the example.com zone. The received information is then saved to the /var/named/slaves/example.com.zone file. Note that you have to put all slave zones in the /var/named/slaves directory, otherwise the service will fail to transfer the zone.
zone "example.com" {
type slave;
file "slaves/example.com.zone";
masters { 192.168.0.1; };
};
The following types of statements are less commonly used in /etc/named.conf:
controls
The controls statement allows you to configure various security requirements necessary to use the rndc command to administer the named service.
Refer to the section on the rndc utility for more information on its usage.
key
The key statement allows you to define a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the rndc command. Two options are used with key:
algorithm algorithm-name — The type of algorithm to be used (for example, hmac-md5).
secret "key-value" — The encrypted key.
rndc utility and its usage.
logging logging statement allows you to use multiple types of logs, so called channels. By using the channel option within the statement, you can construct a customized type of log with its own file name (file), size limit (size), versioning (version), and level of importance (severity). Once a customized channel is defined, a category option is used to categorize the channel and begin logging when the named service is restarted.
named sends standard messages to the rsyslog daemon, which places them in /var/log/messages. Several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
server server statement allows you to specify options that affect how the named service should respond to remote nameservers, especially with regard to notifications and zone transfers.
transfer-format option controls the number of resource records that are sent with each message. It can be either one-answer (only one resource record), or many-answers (multiple resource records). Note that while the many-answers option is more efficient, it is not supported by older versions of BIND.
trusted-keys trusted-keys statement allows you to specify assorted public keys used for secure DNS (DNSSEC). Refer to Section 12.2.5.4, “DNS Security Extensions (DNSSEC)” for more information on this topic.
view view statement allows you to create special views depending upon which network the host querying the nameserver is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
match-clients option allows you to specify the IP addresses that apply to a particular view. If the options statement is used within a view, it overrides the already configured global options. Finally, most view statements contain multiple zone statements that apply to the match-clients list.
view statements are listed is important, as the first statement that matches a particular client's IP address is used. For more information on this topic, refer to Section 12.2.5.1, “Multiple Views”.
The /etc/named.conf file can also contain comments. Comments are ignored by the named service, but can prove useful when providing additional information to a user. The following are valid comment tags:

//
Any text after the // characters to the end of the line is considered a comment. For example:
notify yes; // notify all secondary nameservers

#
Any text after the # character to the end of the line is considered a comment. For example:
notify yes; # notify all secondary nameservers

/* and */
Any block of text enclosed in /* and */ is considered a comment. For example:
notify yes; /* notify all secondary nameservers */
Zone files are stored in the named working directory, located in /var/named/ by default, and each zone file is named according to the file option in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.

| Path | Description |
|---|---|
| /var/named/ | The working directory for the named service. The nameserver is not allowed to write to this directory. |
| /var/named/slaves/ | The directory for secondary zones. This directory is writable by the named service. |
| /var/named/dynamic/ | The directory for other files, such as dynamic DNS (DDNS) zones or managed DNSSEC keys. This directory is writable by the named service. |
| /var/named/data/ | The directory for various statistics and debugging files. This directory is writable by the named service. |
Directives begin with the dollar sign character (that is, $) followed by the name of the directive, and usually appear at the top of the file. The following directives are commonly used in zone files:

$INCLUDE
The $INCLUDE directive allows you to include another file at the place where it appears, so that other zone settings can be stored in a separate zone file.
$INCLUDE /var/named/penguin.example.com

$ORIGIN
The $ORIGIN directive allows you to append the domain name to unqualified records, such as those with the hostname only. Note that the use of this directive is not necessary if the zone is specified in /etc/named.conf, since the zone name is used by default.
In the following example, any names used in the resource records that do not end in a trailing period (that is, the . character) are appended with example.com.
$ORIGIN example.com.

$TTL
The $TTL directive allows you to set the default Time to Live (TTL) value for the zone, that is, how long a zone record is valid. Each resource record can contain its own TTL value, which overrides this directive.
$TTL 1D
A
The Address record specifies an IP address to be assigned to a name. It takes the following form:
hostname IN A IP-address
If the hostname value is omitted, the record will point to the last specified hostname.
In the following example, requests for server1.example.com are pointed to 10.0.1.3 or 10.0.1.5.
server1 IN A 10.0.1.3
        IN A 10.0.1.5

CNAME
The Canonical Name record maps one name to another. It takes the following form:
alias-name IN CNAME real-name
CNAME records are most commonly used to point to services that use a common naming scheme, such as www for Web servers. However, there are multiple restrictions for their usage:
In the following example, the A record binds a hostname to an IP address, while the CNAME record points the commonly used www hostname to it.
server1 IN A 10.0.1.5
www IN CNAME server1

MX
The Mail Exchange record specifies where the mail sent to a particular namespace controlled by this zone should go. It takes the following form:
IN MX preference-value email-server-name
The email-server-name is a fully qualified domain name (FQDN). The preference-value allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. The MX resource record with the lowest preference-value is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.
In the following example, the mail.example.com email server is preferred to the mail2.example.com email server when receiving email destined for the example.com domain.
example.com. IN MX 10 mail.example.com.
             IN MX 20 mail2.example.com.

NS
The Nameserver record announces authoritative nameservers for a particular zone. It takes the following form:
IN NS nameserver-name
The nameserver-name should be a fully qualified domain name (FQDN). Note that when two nameservers are listed as authoritative for the domain, it is not important whether these nameservers are secondary nameservers, or if one of them is a primary server. They are both still considered authoritative.
IN NS dns1.example.com.
IN NS dns2.example.com.

PTR
The Pointer record points to another part of the namespace. It takes the following form:
last-IP-digit IN PTR FQDN-of-system
The last-IP-digit directive is the last number in an IP address, and the FQDN-of-system is a fully qualified domain name (FQDN).
PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. Refer to Section 12.2.2.4.2, “A Reverse Name Resolution Zone File” for more examples of PTR records in use.

SOA
The Start of Authority record announces important authoritative information about a namespace to the nameserver. Located after the directives, it is the first resource record in a zone file. It takes the following form:
```
@ IN SOA primary-name-server hostmaster-email (
    serial-number
    time-to-refresh
    time-to-retry
    time-to-expire
    minimum-TTL )
```
The @ symbol places the $ORIGIN directive (or the zone's name if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record.
The primary-name-server directive is the hostname of the primary nameserver that is authoritative for this domain.
The hostmaster-email directive is the email of the person to contact about the namespace.
The serial-number directive is a numerical value incremented every time the zone file is altered to indicate it is time for the named service to reload the zone.
The time-to-refresh directive is the numerical value secondary nameservers use to determine how long to wait before asking the primary nameserver if any changes have been made to the zone.
The time-to-retry directive is a numerical value used by secondary nameservers to determine the length of time to wait before issuing a refresh request in the event that the primary nameserver is not answering. If the primary server has not replied to a refresh request before the amount of time specified in the time-to-expire directive elapses, the secondary servers stop responding as an authority for requests concerning that namespace.
The minimum-TTL directive is the amount of time other nameservers cache the zone's information. In BIND 9, it defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (that is, 3H).
When configuring BIND, all times are specified in seconds. However, it is possible to use abbreviations when specifying units other than seconds, such as minutes (M), hours (H), days (D), and weeks (W). Table 12.6, “Seconds compared to other time units” shows an amount of time in seconds and the equivalent time in another format.
| Seconds | Other Time Units |
|---|---|
| 60 | 1M |
| 1800 | 30M |
| 3600 | 1H |
| 10800 | 3H |
| 21600 | 6H |
| 43200 | 12H |
| 86400 | 1D |
| 259200 | 3D |
| 604800 | 1W |
| 31536000 | 365D |
```
@ IN SOA dns1.example.com. hostmaster.example.com. (
    2001062501 ; serial
    21600      ; refresh after 6 hours
    3600       ; retry after 1 hour
    604800     ; expire after 1 week
    86400 )    ; minimum TTL of 1 day
```

In addition to resource records and directives, a zone file can also contain comments. Comments are ignored by the named service, but can prove useful when providing additional information to the user. Any text after the semicolon character (that is, ;) to the end of the line is considered a comment. For example:
604800 ; expire after 1 week
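The SOA timers and the time-unit abbreviations above are easy to get wrong, and a mistake only shows up when secondaries stop transferring or negative caching behaves unexpectedly. The following added example (not code from the Fedora guide or from BIND) converts BIND time values to seconds and sanity-checks an SOA record parsed from a zone-file snippet; SAMPLE_SOA reuses the guide's example values, and the checks encode the rules stated in the text above.

```python
import re

# Multipliers for the unit letters BIND accepts in zone files and named.conf.
_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# The guide's own SOA example, reused here as sample input.
SAMPLE_SOA = """\
@ IN SOA dns1.example.com. hostmaster.example.com. (
    2001062501 ; serial
    21600      ; refresh after 6 hours
    3600       ; retry after 1 hour
    604800     ; expire after 1 week
    86400 )    ; minimum TTL of 1 day
"""

def to_seconds(value):
    """Convert a BIND time value ('6H', '1w', '30M', '604800') to seconds.

    Concatenated units such as '1D12H' are accepted too; anything else raises."""
    text = str(value).strip().upper()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([SMHDW])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("invalid BIND time value: %r" % (value,))
    return sum(int(n) * _UNITS[u] for n, u in parts)

def parse_soa(text):
    """Extract the SOA fields from a zone-file snippet like SAMPLE_SOA.

    ';' comments are stripped and the parentheses around the timers are
    optional. Timers are returned in seconds so that '6H' and 21600 compare."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    serial, refresh, retry, expire, minimum = tokens[i + 3:i + 8]
    return {
        "mname": tokens[i + 1], "rname": tokens[i + 2], "serial": int(serial),
        "refresh": to_seconds(refresh), "retry": to_seconds(retry),
        "expire": to_seconds(expire), "minimum": to_seconds(minimum),
    }

def check_soa(soa, previous_serial=None):
    """Return a list of findings about the SOA (an empty list means no issue).

    The checks follow the semantics described above: retry shorter than
    refresh, expire longer than a failed refresh/retry cycle, fully qualified
    names, a serial that grows on every edit (otherwise secondaries never
    transfer the change) and the 3-hour cap BIND 9 applies to negative
    caching, which silently clamps a larger minimum-TTL."""
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry (%d) should be shorter than refresh (%d)"
                        % (soa["retry"], soa["refresh"]))
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire (%d) does not outlast refresh + retry"
                        % soa["expire"])
    if soa["minimum"] > to_seconds("3H"):
        findings.append("minimum TTL %d exceeds 3H; BIND 9 caps negative "
                        "caching at 3H" % soa["minimum"])
    for field in ("mname", "rname"):
        if not soa[field].endswith("."):
            findings.append("%s %r is not fully qualified (no trailing '.')"
                            % (field, soa[field]))
    if previous_serial is not None and soa["serial"] <= previous_serial:
        findings.append("serial %d was not incremented (previous %d)"
                        % (soa["serial"], previous_serial))
    return findings

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    # Pass the serial of the previously loaded zone to catch a forgotten bump.
    for finding in check_soa(soa, previous_serial=2001062501):
        print("finding:", finding)
```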
The following example of a simple zone file demonstrates the use of standard directives and SOA values.
```
$ORIGIN example.com.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
    2001062501 ; serial
    21600      ; refresh after 6 hours
    3600       ; retry after 1 hour
    604800     ; expire after 1 week
    86400 )    ; minimum TTL of 1 day
;
;
      IN NS   dns1.example.com.
      IN NS   dns2.example.com.
dns1  IN A    10.0.1.1
      IN AAAA aaaa:bbbb::1
dns2  IN A    10.0.1.2
      IN AAAA aaaa:bbbb::2
;
;
@     IN MX 10 mail.example.com.
      IN MX 20 mail2.example.com.
mail  IN A    10.0.1.5
      IN AAAA aaaa:bbbb::5
mail2 IN A    10.0.1.6
      IN AAAA aaaa:bbbb::6
;
;
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
;
services IN A    10.0.1.10
         IN AAAA aaaa:bbbb::10
         IN A    10.0.1.11
         IN AAAA aaaa:bbbb::11
ftp   IN CNAME services.example.com.
www   IN CNAME services.example.com.
;
;
```

In this example, the authoritative nameservers are set as dns1.example.com and dns2.example.com, and are tied to the 10.0.1.1 and 10.0.1.2 IP addresses respectively using the A record.
The MX records point to mail and mail2 via A records. Since these names do not end in a trailing period (that is, the . character), the $ORIGIN domain is placed after them, expanding them to mail.example.com and mail2.example.com.
Services available at the standard names, such as www.example.com (WWW), are pointed at the appropriate servers using the CNAME record.
For this example to work, use a zone statement in /etc/named.conf similar to the following:

```
zone "example.com" IN {
  type master;
  file "example.com.zone";
  allow-update { none; };
};
```

A reverse name resolution zone file is used to translate an IP address in a particular namespace into a fully qualified domain name (FQDN). It looks very similar to a standard zone file, except that the PTR resource records are used to link the IP addresses to a fully qualified domain name as shown in Example 12.15, “A reverse name resolution zone file”.
```
$ORIGIN 1.0.10.in-addr.arpa.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
    2001062501 ; serial
    21600      ; refresh after 6 hours
    3600       ; retry after 1 hour
    604800     ; expire after 1 week
    86400 )    ; minimum TTL of 1 day
;
@ IN NS dns1.example.com.
;
1 IN PTR dns1.example.com.
2 IN PTR dns2.example.com.
;
5 IN PTR server1.example.com.
6 IN PTR server2.example.com.
;
3 IN PTR ftp.example.com.
4 IN PTR ftp.example.com.
```

In this example, IP addresses 10.0.1.1 through 10.0.1.6 are pointed to the corresponding fully qualified domain name.
For this example to work, use a zone statement in the /etc/named.conf file similar to the following:

```
zone "1.0.10.in-addr.arpa" IN {
  type master;
  file "example.com.rr.zone";
  allow-update { none; };
};
```

There is very little difference between this example and a standard zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP address reversed followed by .in-addr.arpa. This allows the single block of IP numbers used in the reverse name resolution zone file to be associated with the zone.
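Reverse zones are usually maintained by hand and drift away from the forward zone, which breaks forward-confirmed reverse DNS checks that mail and SSH servers rely on. The following added example (not code from the Fedora guide or from BIND) parses the zone-file syntax used above (including $ORIGIN, the trailing-dot rule, omitted owner names and parenthesised SOA records), derives the in-addr.arpa name for a /24, generates PTR records from the forward A records, and lists PTR entries of an existing reverse zone that no forward A record confirms; FORWARD_ZONE is a trimmed copy of the guide's example and REVERSE_ZONE is constructed with one deliberately stale entry.

```python
import ipaddress

# Trimmed copy of the guide's example.com zone file shown above.
FORWARD_ZONE = """\
$ORIGIN example.com.
@ IN SOA dns1.example.com. hostmaster.example.com. (
    2001062501 21600 3600 604800 86400 )  ; serial refresh retry expire minimum
    IN NS dns1.example.com.
    IN NS dns2.example.com.
dns1 IN A 10.0.1.1
dns2 IN A 10.0.1.2
mail IN A 10.0.1.5
services IN A 10.0.1.10
    IN A 10.0.1.11
ftp IN CNAME services.example.com.
"""

# Constructed reverse zone with one stale entry: 10.0.1.6 has no A record above.
REVERSE_ZONE = """\
$ORIGIN 1.0.10.in-addr.arpa.
@ IN SOA dns1.example.com. hostmaster.example.com. (
    2001062501 21600 3600 604800 86400 )
@ IN NS dns1.example.com.
1 IN PTR dns1.example.com.
5 IN PTR mail.example.com.
6 IN PTR server2.example.com.
"""

def _logical_lines(text):
    """Yield comment-stripped lines, joining '(' ... ')' continuations (SOA)."""
    buf = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                      # still inside the parentheses
        buf = []
        yield joined

def qualify(name, origin):
    """Apply the trailing-dot rule: a relative name gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text):
    """Return (origin, [(owner_fqdn, TYPE, rdata), ...]) for the syntax above.
    A line that starts with the class keyword IN has no owner name and inherits
    the previous one, as the guide describes for the A record."""
    origin, last_owner, records = None, None, []
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):     # $TTL, $INCLUDE: not needed here
            continue
        if fields[0].upper() == "IN":
            owner = last_owner
        else:
            owner = last_owner = qualify(fields.pop(0), origin)
        if fields[0].upper() == "IN":
            fields.pop(0)
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return origin, records

def reverse_zone_name(network):
    """'10.0.1.0/24' -> '1.0.10.in-addr.arpa.' (first three octets reversed)."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this example covers /24 IPv4 networks only")
    a, b, c, _ = str(net.network_address).split(".")
    return "%s.%s.%s.in-addr.arpa." % (c, b, a)

def ptr_records(records, network):
    """Sorted (last_octet, fqdn) pairs for the A records inside network;
    when several names share one address, the first name in the zone wins."""
    net = ipaddress.ip_network(network)
    ptrs = {}
    for owner, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata) in net:
            ptrs.setdefault(int(rdata.rsplit(".", 1)[1]), owner)
    return sorted(ptrs.items())

def stale_ptrs(forward_records, reverse_text):
    """(address, name) pairs whose PTR is not confirmed by a forward A record."""
    a_records = {(o, r) for o, t, r in forward_records if t == "A"}
    stale = []
    for owner, rtype, target in parse_zone(reverse_text)[1]:
        if rtype == "PTR":
            # '5.1.0.10.in-addr.arpa.' -> '10.0.1.5'
            addr = ".".join(reversed(owner.split(".")[:4]))
            if (target, addr) not in a_records:
                stale.append((addr, target))
    return stale

if __name__ == "__main__":
    _, records = parse_zone(FORWARD_ZONE)
    print("$ORIGIN", reverse_zone_name("10.0.1.0/24"))
    for octet, name in ptr_records(records, "10.0.1.0/24"):
        print("%d IN PTR %s" % (octet, name))
    print("stale:", stale_ptrs(records, REVERSE_ZONE))
```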
The rndc utility is a command line tool that allows you to administer the named service, both locally and from a remote machine. Its usage is as follows:
rndc [option...] command [command-option]
To prevent unauthorized access to the service, named must be configured to listen on the selected port (that is, 953 by default), and an identical key must be used by both the service and the rndc utility.
The rndc configuration is located in /etc/rndc.conf. If the file does not exist, the utility will use the key located in /etc/rndc.key, which was generated automatically during the installation process using the rndc-confgen -a command.
The named service is configured using the controls statement in the /etc/named.conf configuration file as described in Section 12.2.1.2, “Other Statement Types”. Unless this statement is present, only the connections from the loopback address (that is, 127.0.0.1) will be allowed, and the key located in /etc/rndc.key will be used.
To prevent unprivileged users from sending control commands to the service, make sure that only root is allowed to read the /etc/rndc.key file:
~]# chmod o-rwx /etc/rndc.key
To check the current status of the named service, use the following command:

```
~]# rndc status
version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6
CPUs found: 1
worker threads: 1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
```

To reload both the configuration file and zones, type the following at a shell prompt:

```
~]# rndc reload
server reload successful
```

To reload a single zone, specify its name after the reload command, for example:

```
~]# rndc reload localhost
zone reload up-to-date
```

To reload the configuration file and newly added zones only, type:
~]# rndc reconfig
If you intend to manually modify a zone that uses Dynamic DNS (DDNS), make sure you run the freeze command first:
~]# rndc freeze localhost
Once you are finished, run the thaw command to allow the DDNS again and reload the zone:

```
~]# rndc thaw localhost
The zone reload and thaw was successful.
```

To sign a zone with DNSSEC keys, use the sign command. For example:
~]# rndc sign localhost
Note that to sign a zone with the above command, the auto-dnssec option has to be set to maintain in the zone statement. For instance:

```
zone "localhost" IN {
  type master;
  file "named.localhost";
  allow-update { none; };
  auto-dnssec maintain;
};
```

To enable DNSSEC validation, type:
~]# rndc validation on
Similarly, to disable DNSSEC validation, type:
~]# rndc validation off
Refer to the options statement described in Section 12.2.1.1, “Common Statement Types” for information on how to configure this option in /etc/named.conf.
To enable (or disable) query logging, type:
~]# rndc querylog
To check the current setting, use the status command as described in Section 12.2.3.2, “Checking the Service Status”.
The dig utility is a command line tool that allows you to perform DNS lookups and debug a nameserver configuration. Its typical usage is as follows:
dig [@server] [option...] name type
Refer to the common resource records described above for a list of common types.
To look up a nameserver for a particular domain, use the command in the following form:
dig name NS
In the following example, the dig utility is used to display nameservers for example.com.

```
~]$ dig example.com NS
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN NS
;; ANSWER SECTION:
example.com. 99374 IN NS a.iana-servers.net.
example.com. 99374 IN NS b.iana-servers.net.
;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:04:06 2010
;; MSG SIZE rcvd: 77
```

To look up an IP address assigned to a particular domain, use the command in the following form:
dig name A
In the following example, the dig utility is used to display the IP address of example.com.

```
~]$ dig example.com A
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4849
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 155606 IN A 192.0.32.10
;; AUTHORITY SECTION:
example.com. 99175 IN NS a.iana-servers.net.
example.com. 99175 IN NS b.iana-servers.net.
;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:07:25 2010
;; MSG SIZE rcvd: 93
```

To look up a hostname for a particular IP address, use the command in the following form:
dig -x address
In the following example, the dig utility is used to display the hostname assigned to 192.0.32.10.

```
~]$ dig -x 192.0.32.10
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> -x 192.0.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29683
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; QUESTION SECTION:
;10.32.0.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.32.0.192.in-addr.arpa. 21600 IN PTR www.example.com.
;; AUTHORITY SECTION:
32.0.192.in-addr.arpa. 21600 IN NS b.iana-servers.org.
32.0.192.in-addr.arpa. 21600 IN NS c.iana-servers.net.
32.0.192.in-addr.arpa. 21600 IN NS d.iana-servers.net.
32.0.192.in-addr.arpa. 21600 IN NS ns.icann.org.
32.0.192.in-addr.arpa. 21600 IN NS a.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 13688 IN A 192.0.34.43
b.iana-servers.org. 5844 IN A 193.0.0.236
b.iana-servers.org. 5844 IN AAAA 2001:610:240:2::c100:ec
c.iana-servers.net. 12173 IN A 139.91.1.10
c.iana-servers.net. 12173 IN AAAA 2001:648:2c30::1:10
ns.icann.org. 12884 IN A 192.0.34.126
;; Query time: 156 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:25:15 2010
;; MSG SIZE rcvd: 310
```

Most BIND implementations only use the named service to provide name resolution services or to act as an authority for a particular domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
To configure multiple views, add the view statement to the /etc/named.conf configuration file. Use the match-clients option to match IP addresses or entire networks and give them special options and zone data.
When DNSSEC validation is enabled, a SERVFAIL response is returned for each resource record that fails the validation.
To debug a DNSSEC-signed domain or a DNSSEC-aware resolver, you can use the dig utility as described in Section 12.2.4, “Using the dig Utility”. Useful options are +dnssec (requests DNSSEC-related resource records by setting the DNSSEC OK bit), +cd (tells the recursive nameserver not to validate the response), and +bufsize=512 (changes the packet size to 512B to get through some firewalls).
BIND version 9 supports name service in IPv6 environments through the use of AAAA resource records, and the listen-on-v6 directive as described in Table 12.3, “Commonly used options”.
Errors in the /etc/named.conf file can prevent the named service from starting.
Make sure to use the trailing period (that is, the . character) correctly: if it is omitted at the end of a fully qualified domain name in a zone file, the named service will append the name of the zone or the value of $ORIGIN to complete it.
If a firewall is blocking connections from the named service to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
The following documentation is installed with the bind package. Note that you need to replace version with the version of the bind package installed on the system:
/usr/share/doc/bind-version/
/usr/share/doc/bind-version/arm/
/usr/share/doc/bind-version/draft/
/usr/share/doc/bind-version/misc/: Consult the migration document in this directory for specific changes that must be made when moving to BIND 9. The options file lists all of the options implemented in BIND 9 that are used in /etc/named.conf.
/usr/share/doc/bind-version/rfc/
man rndc: The manual page for rndc containing the full documentation on its usage.
man named: The manual page for named containing the documentation on assorted arguments that can be used to control the BIND nameserver daemon.
man lwresd: The manual page for lwresd containing the full documentation on the lightweight resolver daemon and its usage.
man named.conf: The manual page with a comprehensive description of available options in the named configuration file.
man rndc.conf: The manual page with a comprehensive description of available options in the rndc configuration file.
The HTTP (Hypertext Transfer Protocol) server, or a web server, is a network service that serves content to a client over the web. This typically means web pages, but any other documents can be served as well.
This section describes the basic configuration of the httpd service, and covers advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.
If you are upgrading from a previous release, you have to update the httpd service configuration accordingly. This section reviews some of the newly added features, outlines important changes, and guides you through the update of older configuration files.
httpd service configuration:
LoadModule directive for each module that has been renamed.
/etc/httpd/conf.d/ssl.conf to enable the Secure Sockets Layer (SSL) protocol.
service httpd configtest
Before running the httpd service, make sure you have the httpd package installed. You can do so by using the following command as root:
yum install httpd
To run the httpd service, type the following at a shell prompt as root:
systemctl start httpd.service
If you want the service to start automatically at boot time, use the following command:
systemctl enable httpd.service
To stop the httpd service, type the following at a shell prompt as root:
systemctl stop httpd.service
To prevent the service from starting automatically at boot time, use the following command:
systemctl disable httpd.service
There are three different ways to restart a running httpd service:
To restart the service completely, type the following at a shell prompt as root:
systemctl restart httpd.service
This stops the running httpd service, and then starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.
To only reload the configuration, as root, type:
systemctl reload httpd.service
This causes the running httpd service to reload the configuration file. Note that any requests being currently processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
To reload the configuration without affecting active requests, type the following command as root:
service httpd graceful
This causes the running httpd service to reload the configuration file. Note that any requests being currently processed will use the old configuration.
To verify that the httpd service is running, type the following at a shell prompt:
systemctl is-active httpd.service
When the httpd service is started, by default, it reads the configuration from locations that are listed in Table 13.1, “The httpd service configuration files”.
To check the configuration for possible errors before restarting the httpd service, type the following at a shell prompt:
service httpd configtest
The following directives are commonly used in the /etc/httpd/conf/httpd.conf configuration file:
<Directory>
The <Directory> directive allows you to apply certain directives to a particular directory only. It takes the following form:

```
<Directory directory>
  directive…
</Directory>
```

The directory can be either a full path to an existing directory in the local file system, or a wildcard expression.
This directive is typically used for cgi-bin directories for server-side scripts located outside the directory that is specified by ScriptAlias. In this case, the ExecCGI and AddHandler directives must be supplied, and the permissions on the target directory must be set correctly (that is, 0755).

```
<Directory /var/www/html>
  Options Indexes FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
```

<IfDefine>
The <IfDefine> directive allows you to use certain directives only when a particular parameter is supplied on the command line. It takes the following form:

```
<IfDefine [!]parameter>
  directive…
</IfDefine>
```

The parameter can be supplied at a shell prompt using the -Dparameter command line option (for example, httpd -DEnableHome). If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the parameter is not specified.

```
<IfDefine EnableHome>
  UserDir public_html
</IfDefine>
```

<IfModule>
The <IfModule> directive allows you to use certain directives only when a particular module is loaded. It takes the following form:

```
<IfModule [!]module>
  directive…
</IfModule>
```

The module can be identified either by its name, or by the file name. If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the module is not loaded.

```
<IfModule mod_disk_cache.c>
  CacheEnable disk /
  CacheRoot /var/cache/mod_proxy
</IfModule>
```

<Location>
The <Location> directive allows you to apply certain directives to a particular URL only. It takes the following form:

```
<Location url>
  directive…
</Location>
```

The url can be either a path relative to the directory specified by the DocumentRoot directive (for example, /server-info), or an external URL such as http://example.com/server-info.

```
<Location /server-info>
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from .example.com
</Location>
```

<Proxy>
The <Proxy> directive allows you to apply certain directives to the proxy server only. It takes the following form:

```
<Proxy pattern>
  directive…
</Proxy>
```

The pattern can be an external URL, or a wildcard expression (for example, http://example.com/*).

```
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from .example.com
</Proxy>
```

<VirtualHost>
The <VirtualHost> directive allows you to apply certain directives to particular virtual hosts only. It takes the following form:

```
<VirtualHost address[:port]…>
  directive…
</VirtualHost>
```
The address can be an IP address, a fully qualified domain name, or a special form as described in Table 13.2, “Available <VirtualHost> options”.

| Option | Description |
|---|---|
| * | Represents all IP addresses. |
| _default_ | Represents unmatched IP addresses. |

```
<VirtualHost *:80>
  ServerAdmin webmaster@penguin.example.com
  DocumentRoot /www/docs/penguin.example.com
  ServerName penguin.example.com
  ErrorLog logs/penguin.example.com-error_log
  CustomLog logs/penguin.example.com-access_log common
</VirtualHost>
```
AccessFileName
The AccessFileName directive allows you to specify the file to be used to customize access control information for each directory. It takes the following form:
AccessFileName filename…
The filename is a name of the file to look for in the requested directory. By default, the server looks for .htaccess.
For security reasons, the directive is typically followed by a Files tag to prevent the files beginning with .ht from being accessed by web clients. This includes the .htaccess and .htpasswd files.

```
AccessFileName .htaccess
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>
```

Action
The Action directive allows you to specify a CGI script to be executed when a certain media type is requested. It takes the following form:
Action content-type path
The content-type has to be a valid MIME type such as text/html, image/png, or application/pdf. The path refers to an existing CGI script, and must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/process-image.cgi).
Action image/png /cgi-bin/process-image.cgi

AddDescription
The AddDescription directive allows you to specify a short description to be displayed in server-generated directory listings for a given file. It takes the following form:
AddDescription "description" filename…
The description should be a short text enclosed in double quotes (that is, "). The filename can be a full file name, a file extension, or a wildcard expression.
AddDescription "GZIP compressed tar archive" .tgz

AddEncoding
The AddEncoding directive allows you to specify an encoding type for a particular file extension. It takes the following form:
AddEncoding encoding extension…
The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .gz).
AddEncoding x-gzip .gz .tgz

AddHandler
The AddHandler directive allows you to map certain file extensions to a selected handler. It takes the following form:
AddHandler handler extension…
The handler has to be a name of a previously defined handler. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cgi).
This directive is typically used to treat files with the .cgi extension as CGI scripts regardless of the directory they are in. Additionally, it is also commonly used to process server-parsed HTML and image-map files.
AddHandler cgi-script .cgi
AddIcon
The AddIcon directive allows you to specify an icon to be displayed for a particular file in server-generated directory listings. It takes the following form:
AddIcon path pattern…
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/folder.png). The pattern can be a file name, a file extension, a wildcard expression, or a special form as described in the following table:

| Option | Description |
|---|---|
| ^^DIRECTORY^^ | Represents a directory. |
| ^^BLANKICON^^ | Represents a blank line. |

AddIcon /icons/text.png .txt README
AddIconByEncoding
The AddIconByEncoding directive allows you to specify an icon to be displayed for a particular encoding type in server-generated directory listings. It takes the following form:
AddIconByEncoding path encoding…
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/compressed.png). The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc.
AddIconByEncoding /icons/compressed.png x-compress x-gzip

AddIconByType
The AddIconByType directive allows you to specify an icon to be displayed for a particular media type in server-generated directory listings. It takes the following form:
AddIconByType path content-type…
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/text.png). The content-type has to be either a valid MIME type (for example, text/html or image/png), or a wildcard expression such as text/*, image/*, etc.
AddIconByType /icons/video.png video/*

AddLanguage
The AddLanguage directive allows you to associate a file extension with a specific language. It takes the following form:
AddLanguage language extension…
The language has to be a valid MIME language such as cs, en, or fr. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).
AddLanguage cs .cs .cz

AddType
The AddType directive allows you to define or override the media type for a particular file extension. It takes the following form:
AddType content-type extension…
The content-type has to be a valid MIME type such as text/html, image/png, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).
AddType application/x-gzip .gz .tgz

Alias
The Alias directive allows you to refer to files and directories outside the default directory specified by the DocumentRoot directive. It takes the following form:
Alias url-path real-path
The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /images/). The real-path is a full path to a file or directory in the local file system.
The directive is typically followed by a Directory tag with additional permissions to access the target directory. By default, the /icons/ alias is created so that the icons from /var/www/icons/ are displayed in server-generated directory listings.

```
Alias /icons/ /var/www/icons/
<Directory "/var/www/icons">
  Options Indexes MultiViews FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
```

Allow
The Allow directive allows you to specify which clients have permission to access a given directory. It takes the following form:
Allow from client…
The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.
Allow from 192.168.1.0/255.255.255.0
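Whether an Allow line actually restricts anything depends on the Order directive it sits under, which is a frequent source of unintentionally open directories. The following added example (not code from the guide or from Apache) evaluates Apache 2.2 host-based access control the way mod_authz_host does, for the client forms listed above; the client's reverse-resolved host name is passed in as a parameter instead of being looked up, and SERVER_INFO_BLOCK is the guide's <Location /server-info> container reused as sample input.

```python
import ipaddress

# The <Location /server-info> container from the guide, as sample input.
SERVER_INFO_BLOCK = """\
<Location /server-info>
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from .example.com
</Location>
"""

def _matches(spec, client_ip, client_host):
    """Does one Allow/Deny argument match the client?

    Supported forms are the ones listed above: all, a domain name (matched
    against whole components of the client's reverse-resolved host name),
    a full or partial IP address, and network/netmask or CIDR pairs."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:                          # 192.168.1.0/255.255.255.0 or /24
        network = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if spec.replace(".", "").isdigit():      # full or partial IP such as 10.1
        return (client_ip + ".").startswith(spec.rstrip(".") + ".")
    if client_host is None:                  # no (double-)reverse lookup result
        return False
    domain = spec.lstrip(".")
    host = client_host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def access_allowed(order, allow, deny, client_ip, client_host=None):
    """Apply Apache 2.2 Order semantics to the Allow and Deny lists.

    allow,deny: Allow directives are evaluated first, then Deny; access is
    refused unless the client matches an Allow and no Deny (default deny).
    deny,allow: Deny first, then Allow; access is granted unless the client
    matches a Deny that no Allow overrides (default allow)."""
    allowed = any(_matches(s, client_ip, client_host) for s in allow)
    denied = any(_matches(s, client_ip, client_host) for s in deny)
    order = order.replace(" ", "").lower()
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unknown Order value: %r" % (order,))

def parse_access_block(text):
    """Pull Order, Allow from and Deny from out of a container block.

    Returns (order, allow_list, deny_list); Apache's default Order is
    deny,allow with empty lists, which grants access to everyone."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        fields = line.strip().split()
        if len(fields) < 2:
            continue
        key = fields[0].lower()
        if key == "order":
            order = fields[1]
        elif key in ("allow", "deny") and fields[1].lower() == "from":
            (allow if key == "allow" else deny).extend(fields[2:])
    return order, allow, deny

def block_allows(text, client_ip, client_host=None):
    """Evaluate a container block such as SERVER_INFO_BLOCK for one client."""
    order, allow, deny = parse_access_block(text)
    return access_allowed(order, allow, deny, client_ip, client_host)

if __name__ == "__main__":
    # A client whose reverse name is outside example.com is refused.
    print(block_allows(SERVER_INFO_BLOCK, "198.51.100.7", "www.example.net"))
    # The same Allow line under the default Order admits everyone else too.
    print(access_allowed("deny,allow", ["192.168.1.0/255.255.255.0"], [], "192.168.2.1"))
    print(access_allowed("allow,deny", ["192.168.1.0/255.255.255.0"], [], "192.168.2.1"))
```

The last two calls show the caveat: Allow from a subnet only restricts access when combined with Order allow,deny (or an explicit Deny from all); under Order deny,allow the subnet is merely redundant.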
AllowOverride
The AllowOverride directive allows you to specify which directives in a .htaccess file can override the default configuration. It takes the following form:
AllowOverride type…
The type has to be one of the available grouping options as described in Table 13.4, “Available AllowOverride options”.

| Option | Description |
|---|---|
| All | All directives in .htaccess are allowed to override earlier configuration settings. |
| None | No directive in .htaccess is allowed to override earlier configuration settings. |
| AuthConfig | Allows the use of authorization directives such as AuthName, AuthType, or Require. |
| FileInfo | Allows the use of file type, metadata, and mod_rewrite directives such as DefaultType, RequestHeader, or RewriteEngine, as well as the Action directive. |
| Indexes | Allows the use of directory indexing directives such as AddDescription, AddIcon, or FancyIndexing. |
| Limit | Allows the use of host access directives, that is, Allow, Deny, and Order. |
| Options[=option,…] | Allows the use of the Options directive. Additionally, you can provide a comma-separated list of options to customize which options can be set using this directive. |

AllowOverride FileInfo AuthConfig Limit
BrowserMatch
The BrowserMatch directive allows you to modify the server behavior based on the client's web browser type. It takes the following form:
BrowserMatch pattern variable…
The pattern is a regular expression to match the User-Agent HTTP header field. The variable is an environment variable that is set when the header field matches the pattern.
BrowserMatch "Mozilla/2" nokeepalive

CacheDefaultExpire
The CacheDefaultExpire option allows you to set how long to cache a document that does not have any expiration date or the date of its last modification specified. It takes the following form:
CacheDefaultExpire time
The time is specified in seconds. The default option is 3600 (that is, one hour).
CacheDefaultExpire 3600

CacheDisable
The CacheDisable directive allows you to disable caching of certain URLs. It takes the following form:
CacheDisable path
The path must be relative to the directory specified by the DocumentRoot directive (for example, /files/).
CacheDisable /temporary

CacheEnable
The CacheEnable directive allows you to specify a cache type to be used for certain URLs. It takes the following form:
CacheEnable type url
The type has to be a valid cache type as described in Table 13.5, “Available cache types”. The url can be a path relative to the directory specified by the DocumentRoot directive (for example, /images/), a protocol (for example, ftp://), or an external URL such as http://example.com/.
| Type | Description |
|---|---|
| mem | The memory-based storage manager. |
| disk | The disk-based storage manager. |
| fd | The file descriptor cache. |

CacheEnable disk /
CacheLastModifiedFactor
The CacheLastModifiedFactor directive allows you to customize how long to cache a document that does not have any expiration date specified, but that provides information about the date of its last modification. It takes the following form:
CacheLastModifiedFactor number
The number is a coefficient to be used to multiply the time that passed since the last modification of the document. The default option is 0.1 (that is, one tenth).
CacheLastModifiedFactor 0.1
CacheMaxExpire
The CacheMaxExpire directive allows you to specify the maximum amount of time to cache a document. It takes the following form:
CacheMaxExpire time
The time is specified in seconds. The default option is 86400 (that is, one day).
CacheMaxExpire 86400
CacheNegotiatedDocs
The CacheNegotiatedDocs directive allows you to enable caching of the documents that were negotiated on the basis of content. It takes the following form:
CacheNegotiatedDocs option
The option has to be a valid keyword as described in Table 13.6, “Available CacheNegotiatedDocs options”. Since the content-negotiated documents may change over time or because of the input from the requester, the default option is Off.
| Option | Description |
|---|---|
| On | Enables caching the content-negotiated documents. |
| Off | Disables caching the content-negotiated documents. |
CacheNegotiatedDocs On
CacheRoot
The CacheRoot directive allows you to specify the directory to store cache files in. It takes the following form:
CacheRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /var/cache/mod_proxy/.
CacheRoot /var/cache/mod_proxy
CustomLog
The CustomLog directive allows you to specify the log file name and the log file format. It takes the following form:
CustomLog path format
The path refers to a log file, and must be relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The format has to be either an explicit format string, or a format name that was previously defined using the LogFormat directive.
CustomLog logs/access_log combined
DefaultIcon
The DefaultIcon directive allows you to specify an icon to be displayed for a file in server-generated directory listings when no other icon is associated with it. It takes the following form:
DefaultIcon path
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/unknown.png).
DefaultIcon /icons/unknown.png
DefaultType
The DefaultType directive allows you to specify a media type to be used in case the proper MIME type cannot be determined by the server. It takes the following form:
DefaultType content-type
The content-type has to be a valid MIME type such as text/html, image/png, application/pdf, etc.
DefaultType text/plain
Deny
The Deny directive allows you to specify which clients are denied access to a given directory. It takes the following form:
Deny from client…
The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.
Deny from 192.168.1.1
DirectoryIndex
The DirectoryIndex directive allows you to specify a document to be served to a client when a directory is requested (that is, when the URL ends with the / character). It takes the following form:
DirectoryIndex filename…
The filename is a name of the file to look for in the requested directory. By default, the server looks for index.html and index.html.var.
DirectoryIndex index.html index.html.var
DocumentRoot
The DocumentRoot directive allows you to specify the main directory from which the content is served. It takes the following form:
DocumentRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /var/www/html/.
DocumentRoot /var/www/html
ErrorDocument
The ErrorDocument directive allows you to specify a document or a message to be displayed as a response to a particular error. It takes the following form:
ErrorDocument error-code action
The error-code has to be a valid code such as 403 (Forbidden), 404 (Not Found), or 500 (Internal Server Error). The action can be either a URL (both local and external), or a message string enclosed in double quotes (that is, ").
ErrorDocument 403 "Access Denied"
ErrorDocument 404 /404-not_found.html
ErrorLog
The ErrorLog directive allows you to specify a file to which the server errors are logged. It takes the following form:
ErrorLog path
The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is logs/error_log.
ErrorLog logs/error_log
ExtendedStatus
The ExtendedStatus directive allows you to enable detailed server status information. It takes the following form:
ExtendedStatus option
The option has to be a valid keyword as described in Table 13.7, “Available ExtendedStatus options”. The default option is Off.
| Option | Description |
|---|---|
| On | Enables generating the detailed server status. |
| Off | Disables generating the detailed server status. |
ExtendedStatus On
Group
The Group directive allows you to specify the group under which the httpd service will run. It takes the following form:
Group group
The group has to be an existing UNIX group. The default option is apache.
Group is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.
Group apache
HeaderName
The HeaderName directive allows you to specify a file to be prepended to the beginning of the server-generated directory listing. It takes the following form:
HeaderName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for HEADER.html.
HeaderName HEADER.html
HostnameLookups
The HostnameLookups directive allows you to enable automatic resolving of IP addresses. It takes the following form:
HostnameLookups option
The option has to be a valid keyword as described in Table 13.8, “Available HostnameLookups options”. To conserve resources on the server, the default option is Off.
| Option | Description |
|---|---|
| On | Enables resolving the IP address for each connection so that the hostname can be logged. However, this also adds a significant processing overhead. |
| Double | Enables performing the double-reverse DNS lookup. In comparison to the above option, this adds even more processing overhead. |
| Off | Disables resolving the IP address for each connection. |
HostnameLookups Off
Include
The Include directive allows you to include other configuration files. It takes the following form:
Include filename
The filename can be an absolute path, a path relative to the directory specified by the ServerRoot directive, or a wildcard expression. All configuration files from the /etc/httpd/conf.d/ directory are loaded by default.
Include conf.d/*.conf
IndexIgnore
The IndexIgnore directive allows you to specify a list of file names to be omitted from the server-generated directory listings. It takes the following form:
IndexIgnore filename…
The filename option can be either a full file name, or a wildcard expression.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
IndexOptions
The IndexOptions directive allows you to customize the behavior of server-generated directory listings. It takes the following form:
IndexOptions option…
The option has to be a valid keyword as described in Table 13.9, “Available directory listing options”. The default options are Charset=UTF-8, FancyIndexing, HTMLTable, NameWidth=*, and VersionSort.
| Option | Description |
|---|---|
| Charset=encoding | Specifies the character set of a generated web page. The encoding has to be a valid character set such as UTF-8 or ISO-8859-2. |
| Type=content-type | Specifies the media type of a generated web page. The content-type has to be a valid MIME type such as text/html or text/plain. |
| DescriptionWidth=value | Specifies the width of the description column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically. |
| FancyIndexing | Enables advanced features such as different icons for certain files or the possibility to re-sort a directory listing by clicking on a column header. |
| FolderFirst | Enables listing directories first, always placing them above files. |
| HTMLTable | Enables the use of HTML tables for directory listings. |
| IconsAreLinks | Enables using the icons as links. |
| IconHeight=value | Specifies an icon height. The value is a number of pixels. |
| IconWidth=value | Specifies an icon width. The value is a number of pixels. |
| IgnoreCase | Enables sorting files and directories in a case-sensitive manner. |
| IgnoreClient | Disables accepting query variables from a client. |
| NameWidth=value | Specifies the width of the file name column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically. |
| ScanHTMLTitles | Enables parsing the file for a description (that is, the title element) in case it is not provided by the AddDescription directive. |
| ShowForbidden | Enables listing the files with otherwise restricted access. |
| SuppressColumnSorting | Disables re-sorting a directory listing by clicking on a column header. |
| SuppressDescription | Disables reserving a space for file descriptions. |
| SuppressHTMLPreamble | Disables the use of the standard HTML preamble when a file specified by the HeaderName directive is present. |
| SuppressIcon | Disables the use of icons in directory listings. |
| SuppressLastModified | Disables displaying the date of the last modification field in directory listings. |
| SuppressRules | Disables the use of horizontal lines in directory listings. |
| SuppressSize | Disables displaying the file size field in directory listings. |
| TrackModified | Enables returning the Last-Modified and ETag values in the HTTP header. |
| VersionSort | Enables sorting files that contain a version number in the expected manner. |
| XHTML | Enables the use of XHTML 1.0 instead of the default HTML 3.2. |
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8
KeepAlive
The KeepAlive directive allows you to enable persistent connections. It takes the following form:
KeepAlive option
The option has to be a valid keyword as described in Table 13.10, “Available KeepAlive options”. The default option is Off.
| Option | Description |
|---|---|
| On | Enables the persistent connections. In this case, the server will accept more than one request per connection. |
| Off | Disables the keep-alive connections. |
KeepAliveTimeout to a low number, and monitor the /var/log/httpd/logs/error_log log file carefully.
KeepAlive Off
KeepAliveTimeout
The KeepAliveTimeout directive allows you to specify the amount of time to wait for another request before closing the connection. It takes the following form:
KeepAliveTimeout time
The time is specified in seconds. The default option is 15.
KeepAliveTimeout 15
LanguagePriority
The LanguagePriority directive allows you to customize the precedence of languages. It takes the following form:
LanguagePriority language…
The language has to be a valid MIME language such as cs, en, or fr.
LanguagePriority sk cs en
Listen
The Listen directive allows you to specify IP addresses or ports to listen to. It takes the following form:
Listen [ip-address:]port [protocol]
The ip-address is optional and, unless supplied, the server will accept incoming requests on the given port from all IP addresses. Since the protocol is determined automatically from the port number, it can usually be omitted. The default option is to listen to port 80.
httpd service.
Listen 80
LoadModule
The LoadModule directive allows you to load a Dynamic Shared Object (DSO) module. It takes the following form:
LoadModule name path
The name has to be a valid identifier of the required module. The path refers to an existing module file, and must be relative to the directory in which the libraries are placed (that is, /usr/lib/httpd/ on 32-bit and /usr/lib64/httpd/ on 64-bit systems by default).
LoadModule php5_module modules/libphp5.so
LogFormat
The LogFormat directive allows you to specify a log file format. It takes the following form:
LogFormat format name
The format is a string consisting of options as described in Table 13.11, “Common LogFormat options”. The name can be used instead of the format string in the CustomLog directive.
| Option | Description |
|---|---|
| %b | Represents the size of the response in bytes. |
| %h | Represents the IP address or hostname of a remote client. |
| %l | Represents the remote log name if supplied. If not, a hyphen (that is, -) is used instead. |
| %r | Represents the first line of the request string as it came from the browser or client. |
| %s | Represents the status code. |
| %t | Represents the date and time of the request. |
| %u | If the authentication is required, it represents the remote user. If not, a hyphen (that is, -) is used instead. |
| %{ | Represents the content of the HTTP header field. The common options include %{Referer} (the URL of the web page that referred the client to the server) and %{User-Agent} (the type of the web browser making the request). |
LogFormat "%h %l %u %t \"%r\" %>s %b" common
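Since the access log is the first place a defender looks, here is an added example (not code from the Fedora guide or the httpd project) that parses lines written in the common format defined just above and counts error responses per client. The regular expression is derived from "%h %l %u %t \"%r\" %>s %b"; the optional tail for two extra quoted fields is an assumption based on the standard httpd definition of the combined format used by the CustomLog example, and the log lines are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the "common" LogFormat: "%h %l %u %t \"%r\" %>s %b".
# The optional tail matches the two extra quoted fields (Referer and User-Agent)
# that the standard "combined" format appends, so one parser handles both
# (assumption: the stock httpd definition of "combined").
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b logs "-" rather than 0 when no response body was sent.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # %r is the request line; split it into method, path and protocol.
    parts = rec["request"].split(" ", 2)
    rec["method"], rec["path"], rec["protocol"] = (parts + ["", "", ""])[:3]
    return rec


def summarize(lines, threshold=3):
    """Count requests and 4xx/5xx responses per client (%h) and list the clients
    whose error count reaches the threshold: a quick first triage of the log."""
    requests = Counter()
    errors = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        requests[rec["host"]] += 1
        if rec["status"] >= 400:
            errors[rec["host"]] += 1
    noisy = sorted(h for h, n in errors.items() if n >= threshold)
    return {"requests": dict(requests), "errors": dict(errors),
            "noisy": noisy, "unparsed": unparsed}


# Constructed sample lines in the common and combined formats (not real log data).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /icons/unknown.png HTTP/1.1" 200 245
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /docs/ HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /missing-1.html HTTP/1.1" 404 196
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /missing-2.html HTTP/1.1" 404 196
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /private/ HTTP/1.1" 403 199
192.0.2.10 - alice [10/Oct/2023:13:57:00 +0000] "POST /upload HTTP/1.1" 500 -
this line is not in a recognised LogFormat
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for host in report["noisy"]:
        print(f"{host}: {report['errors'][host]} error responses "
              f"out of {report['requests'][host]} requests")
    print(f"{report['unparsed']} line(s) could not be parsed")
```

Lines that do not match are counted rather than silently dropped, which is worth keeping: a sudden rise in unparsed lines usually means the LogFormat changed or something is writing to the file that should not be.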
LogLevel
The LogLevel directive allows you to customize the verbosity level of the error log. It takes the following form:
LogLevel option
The option has to be a valid keyword as described in Table 13.12, “Available LogLevel options”. The default option is warn.
| Option | Description |
|---|---|
| emerg | Only the emergency situations when the server cannot perform its work are logged. |
| alert | All situations when an immediate action is required are logged. |
| crit | All critical conditions are logged. |
| error | All error messages are logged. |
| warn | All warning messages are logged. |
| notice | Even normal, but still significant situations are logged. |
| info | Various informational messages are logged. |
| debug | Various debugging messages are logged. |
LogLevel warn
MaxKeepAliveRequests
The MaxKeepAliveRequests directive allows you to specify the maximum number of requests for a persistent connection. It takes the following form:
MaxKeepAliveRequests number
A high number can improve the performance of the server. Note that using 0 allows an unlimited number of requests. The default option is 100.
MaxKeepAliveRequests 100
NameVirtualHost
The NameVirtualHost directive allows you to specify the IP address and port number for a name-based virtual host. It takes the following form:
NameVirtualHost ip-address[:port]
The ip-address can be either a full IP address, or an asterisk (that is, *) representing all interfaces. Note that IPv6 addresses have to be enclosed in square brackets (that is, [ and ]). The port is optional.
NameVirtualHost *:80
Options
The Options directive allows you to specify which server features are available in a particular directory. It takes the following form:
Options option…
The option has to be a valid keyword as described in Table 13.13, “Available server features”.
| Option | Description |
|---|---|
| ExecCGI | Enables the execution of CGI scripts. |
| FollowSymLinks | Enables following symbolic links in the directory. |
| Includes | Enables server-side includes. |
| IncludesNOEXEC | Enables server-side includes, but does not allow the execution of commands. |
| Indexes | Enables server-generated directory listings. |
| MultiViews | Enables content-negotiated “MultiViews”. |
| SymLinksIfOwnerMatch | Enables following symbolic links in the directory when both the link and the target file have the same owner. |
| All | Enables all of the features above with the exception of MultiViews. |
| None | Disables all of the features above. |
Options Indexes FollowSymLinks
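The Options keywords above and the AllowOverride groups earlier in this section decide how much a directory can do and how much an .htaccess file can change, so auditing them is a routine review step. The following added example (not code from the Fedora guide or the httpd project) walks a configuration fragment, tracks the enclosing <Directory>, <Location> or <VirtualHost> section, and reports the Options keywords from the table that widen a directory's capabilities, together with AllowOverride All. The sample configuration and the risk wording attached to each keyword are constructed for the example; the keyword meanings come from the table.

```python
import re

# Options keywords from the table above that widen what a directory may do,
# keyed by lower-case name because httpd treats them case-insensitively.
# The reason text is this example's framing, not wording from the guide.
RISKY_OPTIONS = {
    "indexes": ("Indexes", "server-generated directory listings reveal file names"),
    "execcgi": ("ExecCGI", "CGI scripts in this directory are executed"),
    "includes": ("Includes", "server-side includes may execute commands (IncludesNOEXEC does not)"),
    "followsymlinks": ("FollowSymLinks", "symbolic links are followed even when link and target have different owners"),
    "all": ("All", "every feature except MultiViews is enabled"),
}

SECTION_OPEN = re.compile(r"^<(Directory|Location|VirtualHost)\s+([^>]+)>$", re.I)
SECTION_CLOSE = re.compile(r"^</(Directory|Location|VirtualHost)>$", re.I)


def audit_options(config_text):
    """Walk an httpd.conf fragment, track the enclosing section, and return
    (context, setting, reason) tuples for Options and AllowOverride values that
    deserve a second look. Comments and blank lines are skipped."""
    findings = []
    stack = ["server config"]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"<{m.group(1)} {m.group(2).strip()}>")
            continue
        if SECTION_CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        directive, _, args = line.partition(" ")
        context = stack[-1]
        if directive.lower() == "options":
            # Keywords may carry + or - prefixes; a - prefix removes the feature.
            for token in args.split():
                if token.startswith("-"):
                    continue
                entry = RISKY_OPTIONS.get(token.lstrip("+").lower())
                if entry:
                    findings.append((context, f"Options {entry[0]}", entry[1]))
        elif directive.lower() == "allowoverride" and args.strip().lower() == "all":
            findings.append((context, "AllowOverride All",
                             ".htaccess files may change every overridable directive"))
    return findings


# Constructed httpd.conf fragment for the example (not a real server's configuration).
SAMPLE_CONF = """\
DocumentRoot /var/www/html
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/cgi-bin>
    Options +ExecCGI -Indexes   # Indexes explicitly removed here
    AllowOverride All
</Directory>
<VirtualHost *:80>
    <Directory /srv/site>
        Options None
        AllowOverride FileInfo AuthConfig Limit
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for context, setting, reason in audit_options(SAMPLE_CONF):
        print(f"{context}: {setting}: {reason}")
```

The auditor reports rather than judges: Indexes FollowSymLinks on the document root is the shipped default shown above, and ExecCGI in a dedicated cgi-bin directory is normal. What it surfaces is where these keywords appear, so that each occurrence can be checked against the directory's purpose, and whether an AllowOverride All anywhere lets a writable .htaccess file turn them on again.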
Order
The Order directive allows you to specify the order in which the Allow and Deny directives are evaluated. It takes the following form:
Order option
The option has to be a valid keyword as described in Table 13.14, “Available Order options”. The default option is allow,deny.
| Option | Description |
|---|---|
| allow,deny | Allow directives are evaluated first. |
| deny,allow | Deny directives are evaluated first. |
Order allow,deny
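Which directive is evaluated first also decides what happens to a client that matches neither, which is where Allow/Deny configurations most often go wrong. The following added example (not code from the Fedora guide or the httpd project) models the two Order values as httpd 2.2 evaluates them: under allow,deny a client must match an Allow and no Deny, and anything matching neither is denied; under deny,allow a Deny match is overridden by an Allow match, and anything matching neither is allowed. The client matcher supports the argument kinds the Deny entry above lists; the sample Allow and Deny lists are constructed for the example, and domain-name matching assumes the client's hostname has already been resolved (see HostnameLookups).

```python
import ipaddress


def client_matches(spec, client_ip, client_host=None):
    """Return True if one Allow/Deny 'from' argument matches the client.

    Supports: all, a full or partial IPv4 address, a network/netmask or CIDR
    pair, and a domain name (matched against the resolved hostname, if given).
    Without a resolved hostname a domain-name argument never matches."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:
        # network/netmask such as 192.168.1.0/255.255.255.0, or CIDR 192.168.1.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():
        # full address, or a partial one such as 192.168. (leading octets only)
        octets = spec.strip(".").split(".")
        return client_ip.split(".")[:len(octets)] == octets
    if client_host is None:
        return False
    host = client_host.lower().rstrip(".")
    domain = spec.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def evaluate_access(order, allow, deny, client_ip, client_host=None):
    """Decide whether a client is admitted under the given Order value.

    allow,deny: Allow first, then Deny; the client must match an Allow and no
                Deny, and a client matching neither is denied (the default Order).
    deny,allow: Deny first, then Allow; an Allow match overrides a Deny match,
                and a client matching neither is allowed."""
    allowed = any(client_matches(s, client_ip, client_host) for s in allow)
    denied = any(client_matches(s, client_ip, client_host) for s in deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        return allowed and not denied
    if key == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")


if __name__ == "__main__":
    # Constructed rules: admit the 192.168.1.0/24 network except 192.168.1.1
    allow, deny = ["192.168.1.0/24"], ["192.168.1.1"]
    for order in ("allow,deny", "deny,allow"):
        for ip in ("192.168.1.5", "192.168.1.1", "10.0.0.3"):
            verdict = "allowed" if evaluate_access(order, allow, deny, ip) else "denied"
            print(f"Order {order}: {ip} is {verdict}")
```

Two consequences follow directly from the model. The default Order allow,deny with no Allow directive at all denies every client, and the usual way to restrict a location to one address is Order deny,allow with Deny from all followed by Allow from that address, because the later Allow overrides the blanket Deny. In httpd 2.4 the same decisions are expressed with Require directives, so this model applies to the Order/Allow/Deny syntax documented here.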
PidFile
The PidFile directive allows you to specify a file to which the process ID (PID) of the server is stored. It takes the following form:
PidFile path
The path refers to a pid file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is run/httpd.pid.
PidFile run/httpd.pid
ProxyRequests
The ProxyRequests directive allows you to enable forward proxy requests. It takes the following form:
ProxyRequests option
The option has to be a valid keyword as described in Table 13.15, “Available ProxyRequests options”. The default option is Off.
| Option | Description |
|---|---|
| On | Enables forward proxy requests. |
| Off | Disables forward proxy requests. |
ProxyRequests On
ReadmeName
The ReadmeName directive allows you to specify a file to be appended to the end of the server-generated directory listing. It takes the following form:
ReadmeName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for README.html.
ReadmeName README.html
Redirect
The Redirect directive allows you to redirect a client to another URL. It takes the following form:
Redirect [status] path url
The status is optional, and if provided, it has to be a valid keyword as described in Table 13.16, “Available status options”. The path refers to the old location, and must be relative to the directory specified by the DocumentRoot directive (for example, /docs). The url refers to the current locatio