System Administration Specific
* Micro-intro to Text Editors
* Adding and Deleting User Accounts
* Basic Firewalling/Masquerading with iptables
* Compiling a Custom Kernel with lackernel
* Very Concise Guide to Updating and Compiling Your Debian Kernel
Introduction to Text Editors
Sub-topics:
* Opening and Closing Files
* Further Resources
One can usually find a GUI tool in each distribution to assist with system configuration; the GUI tools tend to vary per distribution, however. What is common in each Linux distribution is that configuration options are usually specified in text files, and one can tweak system settings by editing appropriate text files with a text editor. Popular text editors available in nearly every Linux distribution include Emacs, Pico (or GNU nano, a free Pico clone), and Vi (say "vee eye").
For beginners, we recommend Emacs or nano (or Pico), and we focus on the (extremely) basic functionality of these editors in this document. In the examples, we work on a file named file.txt that exists in (or that is to be created in) one's home directory, /home/user. Substitute pico for nano in the commands (and Pico for nano in the text) below if one is using Pico rather than nano.
Opening and Closing Files
One opens file.txt at the command line with Emacs by doing
$ emacs file.txt
If one is in an X session, append an & to run Emacs in the background, thereby retaining use of the command line from which the command was executed. Open file.txt with nano by doing
$ nano file.txt
Do not append an & in this case, for nano will run in the terminal window in which the command was executed. If one does accidentally invoke nano in the background by appending an &, get back the stopped nano session by doing
$ fg
In either of these editors, move the cursor with the arrow keys, and make desired changes with the keyboard. To save changes and exit, in Emacs do
Ctrl-x Ctrl-c
Note: hold down a Control key and press the x key and then the c key.
If changes were made, Emacs will ask whether you would like to save:
Save file /home/user/file.txt? (y, n, !, ., q, C-r or C-h)
Answer y if you want to save:
y
If you would like to save the document as you work use:
Ctrl-x Ctrl-s
To save and exit in nano, do
Ctrl-o (edit the file name if desired) Enter Ctrl-x
Further Resources
The nano home page is at
http://www.nano-editor.org/
Info about Pico is available at
http://www.washington.edu/pine/man/#pico
which, assuming Pine (the e-mail client) is installed on your system, is also available locally as the pico(1) manual page.
For those interested in Vi (it's really worth giving it a try, but read some documentation first!), we suggest starting at
http://www.thomer.com/vi/vi.html
Adding and Deleting User Accounts
Sub-topics:
* User root
* Changing Passwords
* Creating User Accounts
* Deleting User Accounts
User root
The root account is analogous to Administrator in MS Win2k (or to all users in MS Win 9x), and should be used with care. Using the root account is not recommended other than when performing system maintenance. The root account has full read/write privileges on the file system; with one mistake, it is possible to render one's Linux side unbootable (by deleting an essential boot file, for example). One is unable to make such a mistake as a regular user, since one will have, at most, read-only access to critical boot files. It is a reasonable policy to always log in as a regular user, and become root by doing
$ su -
for administrative purposes only (the "-" causes root's login files to be read, which typically puts the system commands in /usr/sbin and /sbin in one's path).
Changing Passwords
User root can change the password for any user by doing
# passwd [username]
where one substitutes for [username] the name of the user whose password one intends to change. By executing passwd without arguments, a user can change one's own password. Only root can specify a user name with the passwd command.
Creating User Accounts
One can make user accounts with a GUI tool (which varies per GNU/Linux distribution), or at the command line with useradd. For example, if one does
# useradd -c "Jane User" -m -g users janeuser
followed by
# echo "change.me" | passwd --stdin janeuser
one will have created a user with login name janeuser and full name "Jane User" (by the -c); janeuser's home directory will be created (typically at /home/janeuser) and populated with default config files from /etc/skel (by the -m); and janeuser's password will be initialized to change.me. (The --stdin option of passwd is specific to Red Hat-derived systems; elsewhere, run passwd janeuser interactively or use chpasswd(8).) See useradd(8) for full details.
Deleting User Accounts
One can delete account janeuser and the associated home directory and mail spool (an mbox file named janeuser, typically in /var/spool/mail/ or /var/mail/) by doing
# userdel -r janeuser
The -r causes janeuser's home directory and the janeuser mbox file to be purged from the system. Consult userdel(8) for full details.
Basic Masquerading/Firewalling with iptables
Sub-topics:
* Requirements
* Sample Script
* Comments About the Script
netfilter/iptables provides sophisticated packet filtering functionality in GNU/Linux systems running 2.4 or later kernels. This section is intended to demonstrate how to enable masquerading (to share an Internet connection with an internal network) using iptables.
Requirements
One must have two NICs in one's system running Linux 2.4 or 2.5, and netfilter/iptables must be enabled in the kernel (compiled in or as modules). We refer to the NIC connected to the Internet as ext, and the NIC connected to the internal network as int.
Sample Script
If one sets the variables int, ext, and extip in the following script and executes it on one's system, one's Internet connection will be available to the internal network. This script is available by anonymous FTP at
ftp://ftp.laclinux.com/lac/scripts/firewall
One must be root, and iptables must be in one's path for the script to work (i.e. become root by doing "su -").
#!/bin/sh
# int belongs to the internal network.
# ext is connected to the Internet (e.g. eth0, ppp0).
int=eth1
ext=eth0
# If you use a static IP address for eth0 (connected to the Internet),
# put it in the quotes. For DHCP, leave blank.
extip=""
# Enable IP forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Flush all rules.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
#####
# Masquerade for internal network at int via ext.
iptables -A INPUT -i $ext -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -j ACCEPT
# Use SNAT for static ext interface, MASQUERADE for DHCP ext interface.
if [ -n "$extip" ]; then
iptables -t nat -A POSTROUTING -o $ext -j SNAT --to-source $extip
else
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
fi
# Let anything in through int.
iptables -A INPUT -i $int -j ACCEPT
#####
# e.g. Uncomment this line to allow incoming SSH.
#iptables -A INPUT -i $ext --protocol tcp --dport ssh -j ACCEPT
# Uncomment this line to respond to ping requests.
#iptables -A INPUT --protocol icmp --icmp-type echo-request -j ACCEPT
# REJECT (rather than DROP) remaining INPUTs
iptables -A INPUT -i $ext -p tcp -j REJECT
iptables -A INPUT -i $ext -p udp -j REJECT
Comments About the Script
As presented, a port scan of a machine using the above script will reveal no open ports. By uncommenting the line
#iptables -A INPUT -i $ext --protocol tcp --dport ssh -j ACCEPT
and re-executing the script, a port scan will show that the machine is listening on TCP port 22 (assuming sshd is running). We can use "ssh" rather than the port number 22 because there is an entry for ssh in /etc/services. Have a look at this file to see the port(s) associated with other services.
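As an added check (example code written for this page, not part of the original script), the following Python audits an `iptables -S` listing against the intent of the script above: FORWARD policy DROP, nothing accepted on ext except stateful replies and explicitly opened ports, and catch-all REJECTs present for TCP and UDP. Because iptables matches rules in order, an ACCEPT that ends up after the catch-all REJECT lines (for instance by appending the ssh rule by hand instead of re-executing the script) never matches, and the audit flags it as dead. The listing is constructed and the interface names eth0/eth1 are assumed.

```python
import shlex

# Constructed sample (not captured from a real system): roughly what `iptables -S`
# prints after running the script above with ext=eth0, int=eth1 and SSH uncommented.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
"""

def parse_rule(line):
    """Turn one `iptables -S` line into a dict of option -> value."""
    toks = shlex.split(line)
    if toks[0] == "-P":  # chain policy line: -P CHAIN TARGET
        return {"kind": "-P", "chain": toks[1], "policy": toks[2]}
    rule, i = {"kind": toks[0], "chain": toks[1]}, 2
    while i < len(toks):
        # option with a value ("-i eth0", "--dport 22") or a bare flag
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        rule[toks[i]] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    return rule

def audit(rules_text, ext):
    """Report the FORWARD policy, ports reachable on `ext`, and problems found."""
    rules = [parse_rule(ln) for ln in rules_text.splitlines() if ln.strip()]
    policy = {r["chain"]: r["policy"] for r in rules if r["kind"] == "-P"}
    problems, exposed, rejected = [], [], set()
    if policy.get("FORWARD") != "DROP":
        problems.append("FORWARD policy is not DROP")
    for r in rules:
        # INPUT rules that can match traffic arriving on ext; a rule
        # without -i applies to every interface, ext included
        if r["kind"] != "-A" or r["chain"] != "INPUT" or r.get("-i", ext) != ext:
            continue
        proto = r.get("-p", "any")
        port = r.get("--dport") or r.get("--icmp-type") or "all"
        if r.get("-j") == "REJECT" and port == "all":
            rejected.add(proto)  # catch-all for this protocol reached
        elif r.get("-j") == "ACCEPT" and "--state" not in r:
            if proto in rejected:  # rules match in order, so this one is dead
                problems.append(f"{proto}/{port} ACCEPT is after the catch-all REJECT")
            else:
                exposed.append((proto, port))
    for proto in ("tcp", "udp"):
        if proto not in rejected:
            problems.append(f"no catch-all REJECT for {proto} on {ext}")
    return {"forward_policy": policy.get("FORWARD"), "exposed": exposed, "problems": problems}
```

Feed it the real listing with `audit(subprocess.check_output(["iptables", "-S"], text=True), "eth0")` as root; an empty problems list and the expected exposed ports mean the running rules match the script's intent.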
Compiling a Custom Kernel with lackernel
Sub-topics:
* Common Reasons for Boot Failure
* Hardware Requirements
* Software Requirements
* Downloading and Installing lackernel
* lackernel Sample Run
Even for experienced Linux users, compiling a custom kernel for one's system can be a daunting prospect, if not out of the question. In this section, we comment briefly on compiling a custom kernel, and we document a utility (lackernel), available in our anonymous FTP area, that one can use to configure a kernel that is sure to boot one's system, assuming the system hardware meets the requirements we provide below, one answers the questions correctly, and one installs the kernel and configures the boot loader properly.
The supported hardware list is limited to begin with, because we extracted the utility from among a herd of Python scripts we use to configure our new computer systems; it currently supports hardware that exists in LAC systems. We are happy to add support for additional hardware. If your non-LAC system does not meet the requirements (or if you are not sure whether yours does) and you want to give lackernel a try, e-mail the output of lspci -v to LAC support.
We recommend you leave a working kernel installed and available as a boot option, until you are sure the new kernel will boot your system.
Common Reasons for Boot Failure
The most common reasons for boot failure after compiling a new kernel are:
* Kernel not installed properly or boot loader (e.g. GRUB or LILO) not configured properly. After running lackernel, one will be presented with step-by-step instructions for compiling and installing the new kernel, with sample GRUB and LILO configuration entries based on mount point information obtained from /etc/mtab in one's system, and with instructions for what to do with the new entries.
* Necessary hardware support to boot the system (especially the SCSI or IDE driver) not available. lackernel will ask questions to keep this from happening. If one answers the questions correctly (CPU type, south bridge, SCSI support required or not) and follows the kernel installation and boot loader configuration instructions, the new kernel will be capable of booting one's system.
* Necessary file system support (e.g. Ext3 or ReiserFS) not available. lackernel will allow one to choose what file system support one needs. Currently, Ext2 and Ext3 are always compiled in, and one can optionally choose to compile in ReiserFS support.
Hardware Requirements
lackernel currently configures kernels to support the following hardware:
CPU
AMD Athlon K7, Intel Pentium II, Intel Pentium III, Intel Pentium 4, Intel Pentium 4 Xeon; uni-processor or SMP detected at run time. (If one runs lackernel in a multi-processor system while running a non-SMP kernel, lackernel will only detect one CPU and will configure a non-SMP kernel.) This is an exclusive option, because PCs have one type of CPU.
South Bridge
The south bridge provides IDE, PCI and USB support. If one's system uses IDE disks, it is important to get this right: without proper support compiled in, the system might boot (due to the presence of generic PCI IDE support), but performance will be a fraction of what it should be. lackernel currently configures for AMD, Intel, SiS, and VIA south bridge support. This is an exclusive option, because PC motherboards have one south bridge chip.
Other IDE Chipsets
It is common for a motherboard to have an additional IDE chipset (e.g. Promise or Highpoint), or for one to have a PCI IDE card that one wants to use. Neither can be used without proper kernel support. We frequently install Promise IDE cards in computer systems, and lackernel will configure for Promise IDE chipset support (PDC20268 and later). This is a yes/no option, because either a Promise chip is present and one desires to use it, or not.
North Bridge
Making the correct north bridge choice will provide an agpgart.o module that supports the AGP hardware in one's motherboard. While an incorrect choice here will typically not keep one's system from booting, it will typically limit graphics performance. lackernel currently configures for AMD, Intel, and VIA north bridge support. This is an exclusive option, because PC motherboards have one north bridge chip.
SCSI Support
Next, indicate whether or not SCSI support should be compiled in. If one has a SCSI system disk, one must choose yes here, or one must make an initial ramdisk containing the appropriate SCSI card driver (which we do not address in this document). The options are y for yes or m for no (in which case, lackernel configures for SCSI support with loadable modules, so one can use non-system disk items requiring SCSI support, such as recordable IDE optical drives and USB block devices).
If one chooses yes, lackernel assumes one has a PCI SCSI controller (perhaps onboard), and offers a choice of SCSI controllers. lackernel currently configures for an Adaptec AIC7xxx controller. This is currently an exclusive option, and one must choose Adaptec here if one chooses yes for SCSI support.
Software Requirements
lackernel must be executed at the top level of the source tree for an LAC Linux kernel. LAC kernels are available by anonymous FTP at
ftp://ftp.laclinux.com/lac/kernel/linux-2.4/
Kernel source trees are usually found in /usr/src. To unpack an LAC kernel source tree at /tmp/linux-2.4.20-lac3.tar.bz2 in /usr/src, do
$ cd /usr/src ; tar xjf /tmp/linux-2.4.20-lac3.tar.bz2
or
$ cd /usr/src ; bunzip2 -c /tmp/linux-2.4.20-lac3.tar.bz2 | tar xf -
Unless one is comfortable with building kernels on one's Linux box, one should do
$ make mrproper
each time before running the script.
lackernel is a Python script, which requires Python 2.1 or newer.
Due to changing kernel configuration options, each version of lackernel is limited in the versions of LAC kernels with which it will work. Execute with the -s option to see which LAC kernels your version of lackernel supports. The latest version of lackernel will always support the latest LAC kernel tree found in our anonymous FTP area.
Downloading and Installing lackernel
lackernel is available by anonymous FTP at
ftp://ftp.laclinux.com/lac/progs/lackernel/
To install, one must unpack the tarball, make lackernel executable, and put it in one's path.
lackernel Sample Run
To view command line options, do
$ lackernel -h
Usage: lackernel <-v|-w|-s|-c|-h>
-v: show version
-w: show warranty
-s: show supported LAC kernel versions
-c: show copying info
-h: this message
To configure an LAC kernel using lackernel, one must execute lackernel from the top level of an LAC kernel source tree. A sample session follows.
Your output will likely differ from that in the sample session. Be sure to save the sample GRUB and LILO entries that display after you run the script in your system. The sample entries in the session below will likely not work in your system.
$ lackernel
lackernel v0.1.4, Copyright (C) 2003 Los Alamos Computers, LLC.
lackernel comes with ABSOLUTELY NO WARRANTY; for details start with `-w'.
This is free software, and you are welcome to redistribute it under
certain conditions; start with `-c' for details.
2 CPUs detected -- enabling SMP.
--> CPU support.
Support options:
1. amd
2. p4
3. pII
4. pIII
Choose [1/2/3/4]: 1
--> South Bridge support.
Support options:
1. amd
2. intel
3. sis
4. via
Choose [1/2/3/4]: 1
--> Other IDE Chipset support.
Support options:
1. promise
Choose [1] ([Enter] for none):
--> North Bridge support.
Support options:
1. amd
2. intel
3. via
Choose [1/2/3]: 1
--> SCSI support.
Do you want SCSI support? [y/m]: y
Support options:
1. adaptec
Choose [1]: 1
--> File System support.
Support options:
1. reiserfs
One can do xconfig or oldconfig in place of menuconfig in the sample session above in order to be presented with a different kernel configuration interface. One might enjoy a look around the kernel configuration interface to familiarize oneself with various Linux kernel options and with various hardware options supported by Linux.
If one answered the questions correctly, one will be facing a default kernel configuration that will boot one's system, with proper (and only proper) CPU, IDE, SCSI, and AGP support. The default configuration provides an abundance of device support via kernel modules (Linux drivers) that use a small amount of disk space and do not affect the size of the running kernel unless loaded.
Very Concise Guide to Updating and Compiling Your Debian Kernel
This will create a .deb file of your custom kernel that can be installed using dpkg.
NOTE: commands beginning with "$" should be run as a regular user, and commands starting with "#" must be run as root. Do not include the "$" or "#" as part of the command.
Start by getting the required packages. You will need the following packages for the graphical configuration (xconfig):
# apt-get install libqt3-mt-dev build-essential kernel-package
If you are unable to use a graphical environment, you can alternatively use the command line configuration, "menuconfig", which needs "libncurses5-dev":
# apt-get install libncurses5-dev build-essential kernel-package
Add your user to the src group (the -a keeps the user's existing supplementary groups):
# usermod -a -G src user
Replace "user" with your username. Logout and login for permissions to take effect.
Go to kernel.org and download the kernel version you want. Save the file linux-x.x.xx.tar.bz2 (where x.x.xx is the full version number) into /usr/src/
Enter into the /usr/src directory:
$ cd /usr/src
Unpack the kernel:
$ tar xvjf linux-x.x.xx.tar.bz2
Make a symbolic link from /usr/src/linux to /usr/src/linux-x.x.xx for scripts that may expect the source of your kernel to be there.
$ ln -s /usr/src/linux-x.x.xx /usr/src/linux
Enter into the linux folder:
$ cd /usr/src/linux
Start the configuration:
for graphical configuration:
$ make xconfig
or command line, non-graphical:
$ make menuconfig
Select the options you want compiled into the kernel. Save the config when you exit, then type:
$ make-kpkg clean
Now, to compile the kernel:
$ make-kpkg --rootcmd fakeroot --revision CustomNameX --append-to-version DescriptiveName kernel_image
You can change --revision "CustomNameX" (a custom name followed by a revision number denoting the revision of that kernel, e.g. 1, 2, 3, etc.) and --append-to-version "DescriptiveName" to a more descriptive name (e.g. realtime, johndoe, etc.).
If the kernel errors on compilation, read the last few lines to see what it failed on. Go back into the configuration (make xconfig/make menuconfig) and try to correct the problem. Save the kernel config and repeat the above steps. When the kernel compiles correctly, you will find the .deb in the /usr/src folder.
To install the kernel (as root, su to root if you don't use sudo):
# dpkg -i /usr/src/kernel-image-x.x.xxDescriptiveName_CustomNameX_i386.deb
Answer the questions (if any) and reboot into the new kernel.