Red Hat Linux 7.2 User Manual

Red Hat Linux 7.2
The Official Red Hat Linux Customization Guide
ISBN: N/A
Red Hat, Inc.
2600 Meridian Parkway Durham, NC 27713 USA +1 919 547 0012 (Voice) +1 919 547 0024 (FAX) 888 733 4281 (Voice) P.O. Box 13588 Research Triangle Park, NC 27709 USA
© 2001 Red Hat, Inc. rhl-cg(EN)-7.2-Print-RHI (2001-08-30T14:29-0400)
Copyright © 2001 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat, Red Hat Network, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc. in the United States and other countries.
Linux is a registered trademark of Linus Torvalds. Motif and UNIX are registered trademarks of The Open Group. Compaq and the names of Compaq products referenced herein are either trademarks and/or service marks or registered trademarks and/or service marks of Compaq. Itanium is a registered trademark of Intel Corporation. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Windows is a registered trademark of Microsoft Corporation. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. FireWire is a trademark of Apple Computer Corporation. All other trademarks and copyrights referred to are the property of their respective owners. Printed in Canada, Ireland, and Japan
This manual is dedicated to Carole Williams, a valuable contributor to the Red Hat documentation team. Carole, we wish you all the best in your future endeavors. We miss your wisdom, superior editing skills, ability to write humor into just about any topic, and jokes that made each day a joy to work with you. Every time we eat a piece of chocolate we will think of you!
Contents
Introduction
  Document Conventions
  More to Come
  Sign Up for Support
Part I Installation-Related Reference
Chapter 1 Kickstart Installations
  1.1 What are Kickstart Installations?
  1.2 How Do You Perform a Kickstart Installation?
  1.3 Starting a Kickstart Installation
  1.4 The Kickstart File
  1.5 Kickstart Options
Chapter 2 Kickstart Configurator
  2.1 Basic Configuration
  2.2 Boot Loader Options
  2.3 Installation Method
  2.4 Partition Information
  2.5 Network Configuration
  2.6 Authentication
  2.7 Firewall Configuration
  2.8 X Configuration
  2.9 Package Selection
  2.10 Pre-Installation Script
  2.11 Post-Installation Script
  2.12 Saving the File
Chapter 3 Rescue Mode
  3.1 What is Rescue Mode?
Chapter 4 Redundant Array of Independent Disks (RAID)
  4.1 What is RAID?
  4.2 Who Should Use RAID?
  4.3 Hardware RAID versus Software RAID
  4.4 RAID Levels and Linear Support
Chapter 5 Software RAID Configuration
Part II Network-Related References
Chapter 6 Network Configuration
  6.1 Adding Network Hardware
  6.2 Adding a Device
  6.3 Managing DNS Settings
Chapter 7 Basic Firewall Configuration
  7.1 Basic
  7.2 Local Hosts
  7.3 DHCP
  7.4 Configuring Services
  7.5 Activating the Firewall
Chapter 8 Controlling Access to Services
  8.1 Runlevels
  8.2 TCP Wrappers
  8.3 Serviceconf
  8.4 ntsysv
  8.5 chkconfig
  8.6 Additional Resources
Chapter 9 OpenSSH
  9.1 Why Use OpenSSH?
  9.2 Configuring an OpenSSH Server
  9.3 Configuring an OpenSSH Client
  9.4 Additional Resources
Chapter 10 Network File System (NFS)
  10.1 Why Use NFS?
  10.2 Mounting NFS Filesystems
  10.3 Exporting NFS Filesystems
  10.4 Additional Resources
Chapter 11 Samba
  11.1 Why Use Samba?
  11.2 Configuring Samba
  11.3 Connecting to a Samba Share
  11.4 Using Samba with Windows NT 4.0 and Windows 2000
  11.5 Additional Resources
Chapter 12 Dynamic Host Configuration Protocol (DHCP)
  12.1 Why Use DHCP?
  12.2 Configuring a DHCP Server
  12.3 Configuring a DHCP Client
  12.4 Additional Resources
Chapter 13 Kerberos
  13.1 Configuring a Kerberos 5 Server
  13.2 Configuring a Kerberos 5 Client
  13.3 Additional Resources
Chapter 14 Apache Configuration
  14.1 Basic Settings
  14.2 Default Settings
  14.3 Virtual Hosts Settings
  14.4 Server Settings
  14.5 Performance Tuning
  14.6 Saving Your Settings
  14.7 Additional Resources
Chapter 15 Apache Secure Server Configuration
  15.1 Introduction
  15.2 An Overview of Security-Related Packages
  15.3 An Overview of Certificates and Security
  15.4 Using Pre-Existing Keys and Certificates
  15.5 Types of Certificates
  15.6 Generating a Key
  15.7 Generating a Certificate Request to Send to a CA
  15.8 Creating a Self-Signed Certificate
  15.9 Testing Your Certificate
  15.10 Accessing Your Secure Server
  15.11 Additional Resources
Chapter 16 BIND Configuration
  16.1 Adding a Forward Master Zone
  16.2 Adding a Reverse Master Zone
  16.3 Adding a Slave Zone
Part III System Configuration
Chapter 17 Console Access
  17.1 Disabling Shutdown Via Ctrl-Alt-Del
  17.2 Disabling Console Program Access
  17.3 Disabling All Console Access
  17.4 Defining the Console
  17.5 Making Files Accessible From the Console
  17.6 Enabling Console Access for Other Applications
  17.7 The floppy Group
Chapter 18 Time and Date Configuration
  18.1 Time and Date Properties
  18.2 Time Zone Configuration
Chapter 19 User and Group Configuration
  19.1 Adding a New User
  19.2 Modifying User Properties
  19.3 Adding a New Group
  19.4 Modifying Group Properties
Chapter 20 Gathering System Information
  20.1 System Processes
  20.2 Memory Usage
  20.3 Filesystems
  20.4 Hardware
  20.5 Sysreport
  20.6 Additional Resources
Chapter 21 Printer Configuration
  21.1 Adding a Local Printer
  21.2 Adding a Remote UNIX Printer
  21.3 Adding a Samba (SMB) Printer
  21.4 Adding a Novell NetWare (NCP) Printer
  21.5 Adding a JetDirect Printer
  21.6 Selecting the Print Driver and Finishing
  21.7 Printing a Test Page
  21.8 Modifying Existing Printers
  21.9 Saving the Configuration File
  21.10 Managing Your Print Jobs
  21.11 Additional Resources
Chapter 22 Automated Tasks
  22.1 Cron
  22.2 Configuring a Cron Task
  22.3 Anacron
  22.4 Additional Resources
Chapter 23 Upgrading the Kernel
  23.1 The 2.4 Kernel
  23.2 Preparing to Upgrade
  23.3 Downloading the Upgraded Kernel
  23.4 Performing the Upgrade
  23.5 Configuring the Boot Loader
  23.6 Additional Resources
Chapter 24 Kernel Modules
  24.1 Kernel Module Utilities
  24.2 Additional Resources
Part IV Package Management
Chapter 25 Package Management with RPM
  25.1 RPM Design Goals
  25.2 Using RPM
  25.3 Checking a Package’s Signature
  25.4 Impressing Your Friends with RPM
  25.5 Additional Resources
Chapter 26 Gnome-RPM
  26.1 Starting Gnome-RPM
  26.2 The Package Display
  26.3 Installing New Packages
  26.4 Configuration
  26.5 Package Manipulation
Chapter 27 Red Hat Network
Part V Appendixes
Appendix A Building a Custom Kernel
  A.1 Building a Modularized Kernel
  A.2 Making an initrd Image
  A.3 Configuring the Boot Loader
  A.4 Building a Monolithic Kernel
Appendix B Getting Started with Gnu Privacy Guard
  B.1 An Introduction to GnuPG
  B.2 Generating a Keypair
  B.3 Generating a Revocation Certificate
  B.4 Exporting your Public Key
  B.5 Importing a Public Key
  B.6 What Are Digital Signatures?
  B.7 Additional Resources
Introduction
Welcome to the Official Red Hat Linux Customization Guide. The Official Red Hat Linux Customization Guide contains information on how to customize your Red Hat Linux system to fit your needs. If you are looking for step-by-step, task-oriented guides for configuring and customizing your system, this is the guide for you. This manual discusses many intermediate topics such as the following:
Setting up a network interface card (NIC)
Performing a Kickstart installation
Configuring Samba shares
Managing your software with RPM
Upgrading your kernel
This manual is divided into the following main categories:
Installation-Related Reference
Network-Related Reference
System Configuration
Package Management
This guide assumes you have a basic understanding of your Red Hat Linux system. If you need reference material which covers more basic issues, please refer to the Official Red Hat Linux Getting Started Guide. If you need more advanced documentation, please refer to the Official Red Hat Linux Reference Guide.
HTML and PDF versions of all the Official Red Hat Linux manuals are available online at http://www.redhat.com/support/manuals/.
Document Conventions
When you read this manual, you will see that certain words are represented in different fonts, typefaces, sizes and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. The types of words that are represented this way include the following:
command
Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type in the word or phrase on the command line and press [Enter] to invoke a command. Sometimes a command contains words that would be displayed in a different style on their own (e.g., filenames). In these cases, they are considered to be part of the command, so the entire phrase will be displayed as a command. For example:
Use the cat testfile command to view the contents of a file, named testfile, in the current working directory.
filename
Filenames, directory names, paths and RPM package names are represented this way. This style should indicate that a particular file or directory exists by that name on your Red Hat Linux system. Examples:
The .bashrc file in your home directory contains bash shell definitions and aliases for your own use.
The /etc/fstab file contains information about different system devices and filesystems.
The /usr/share/doc directory contains documentation for various programs.
Install the webalizer RPM if you want to use a Web server log file analysis program.
application
This style should indicate to you that the program named is an end-user application (as opposed to system software). For example:
Use Netscape Navigator to browse the Web.
[key]
A key on the keyboard is shown in this style. For example: To use [Tab] completion, type in a character and then press the [Tab] key. Your terminal will display the list of files in the directory that start with that letter.
[key]-[combination]
A combination of keystrokes is represented in this way. For example: The [Ctrl]-[Alt]-[Backspace] key combination will restart the X Window System.
text found on a GUI interface
A title, word or phrase found on a GUI interface screen or window will be shown in this style. When you see text shown in this style, it is being used to identify a particular GUI screen or an element on a GUI screen (e.g., text associated with a checkbox or field). Examples:
On the GNOME Control Center screen, you can customize your GNOME window manager.
Select the Require Password checkbox if you would like your screensaver to require a password before stopping.
top level of a menu on a GUI screen or window
When you see a word in this style, it indicates that the word is the top level of a pulldown menu. If you click on the word on the GUI screen, the rest of the menu should appear. For example:
Under Settings on a GNOME terminal, you will see the following menu items: Preferences, Reset Terminal, Reset and Clear, and Color selector.
If you need to type in a sequence of commands from a GUI menu, they will be shown like the following example:
Click on Programs=>Applications=>Emacs to start the Emacs text editor.
button on a GUI screen or window
This style indicates that the text will be found on a clickable button on a GUI screen. For ex­ample:
Click on the Back button to return to the Web page you last viewed.
computer output
When you see text in this style, it indicates text displayed by the computer on the command line. You will see responses to commands you typed in, error messages and interactive prompts for your input during scripts or programs shown this way. For example:
Use the ls command to display the contents of a directory:
$ ls
Desktop axhome logs paulwesterberg.gif
Mail backupfiles mail reports
The output returned in response to the command (in this case, the contents of the directory) is shown in this style.
prompt
A prompt, which is a computer’s way of signifying that it is ready for you to input something, will be shown in this style. Examples:
$
#
[stephen@maturin stephen]$
leopard login:
user input
Text that the user has to type, either on the command line, or into a text box on a GUI screen, is displayed in this style. In the following example, text is displayed in this style:
To boot your system into the text based installation program, you will need to type in the text command at the boot: prompt.
Another example, with the word root displayed as something the user needs to type in: If you need to log in as root when you first log into your system, and you are using the graphical login screen, at the Login prompt, type root. At the Password prompt, type in the root password.
glossary entry
A word that appears in the glossary will be shown in the body of the document in this style. For example:
The lpd daemon handles printing requests. In this case, the style of the word daemon should indicate to you that a definition of the term is available in the glossary.
Additionally, we use several different strategies to draw your attention to certain pieces of information. In order of how critical the information is to your system, these items will be marked as a note, a caution or a warning. For example:
Note
Remember that Linux is case sensitive. In other words, a rose is not a ROSE is not a rOsE.
CAUTION
Do not do routine tasks as root — use a regular user account unless you need to use the root account to administer your system.
WARNING
If you choose not to partition manually, a server installation will remove all existing partitions on all installed hard drives. Do not choose this installation class unless you are sure you have no data you need to save.
More to Come
The Official Red Hat Linux Customization Guide is part of Red Hat’s growing commitment to provide useful and timely support to Red Hat Linux users. As new tools and applications are released, this guide will be expanded to include them.
Send in Your Feedback
If you spot a typo in the Official Red Hat Linux Customization Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla ( http://www.redhat.com/bugzilla) against the component rhl-cg.
Be sure to mention the manual’s identifier:
rhl-cg(EN)-7.2-Print-RHI (2001-08-30T14:29-0400)
If you mention this manual’s identifier, we will know exactly which version of the guide you have. If you have a suggestion for improving the documentation, try to be as specific as possible. If you
have found an error, please include the section number and some of the surrounding text so we can find it easily.
Sign Up for Support
If you have an official edition of Red Hat Linux 7.2, please remember to sign up for the benefits you are entitled to as a Red Hat customer.
You will be entitled to any or all of the following benefits, depending upon the Official Red Hat Linux product you purchased:
Official Red Hat support — Get help with your installation questions from Red Hat, Inc.’s support team.
Red Hat Network — Easily update your packages and receive security notices that are customized for your system. Go to http://rhn.redhat.com for more details.
Under the Brim: The Official Red Hat E-Newsletter — Every month, get the latest news and product information directly from Red Hat.
To sign up, go to http://www.redhat.com/apps/activate/. You will find your Product ID on a black, red, and white card in your Official Red Hat Linux box.
To read more about technical support for Official Red Hat Linux, refer to the Getting Technical Support Appendix in the Official Red Hat Linux Installation Guide.
Good luck, and thank you for choosing Red Hat Linux!
The Red Hat Documentation Team
Part I Installation-Related Reference
1 Kickstart Installations
1.1 What are Kickstart Installations?
Many system administrators would prefer to use an automated installation method to install Red Hat Linux on their machines. To answer this need, Red Hat created the kickstart installation method. Using kickstart, a system administrator can create a single file containing the answers to all the questions that would normally be asked during a typical Red Hat Linux installation.
Kickstart files can be kept on a single server system, and read by individual computers during the installation. This installation method can support the use of a single kickstart file to install Red Hat Linux on multiple machines, making it ideal for network and system administrators.
Kickstart lets you automate most of a Red Hat Linux installation, including:
Language selection
Mouse configuration
Keyboard selection
Boot loader installation
Disk partitioning
Network configuration
NIS, LDAP, Kerberos, Hesiod, and Samba authentication
Firewall configuration
Package selection
X Window System configuration
1.2 How Do You Perform a Kickstart Installation?
Kickstart installations can be performed using a local CD-ROM, a local hard drive, or via NFS, FTP or HTTP.
To use kickstart mode, you must first create a kickstart file (ks.cfg), and make it available to the Red Hat Linux installation program.
1.2.1 Where to Put A Kickstart File
A kickstart file must be placed in one of two locations:
On a boot disk
On a network
Normally a kickstart file is copied to the boot disk, or made available on the network. The network-based approach is most commonly used, as most kickstart installations tend to be performed on networked computers.
Let us take a more in-depth look at where the kickstart file may be placed. To perform a diskette-based kickstart installation, the kickstart file must be named ks.cfg and must be located in the boot disk’s top-level directory. Note that the Red Hat Linux boot disks are in MS-DOS format, so it is easy to copy the kickstart file under Linux using the mcopy command:
mcopy ks.cfg a:
Alternatively, you can use Windows to copy the file. You can also mount the MS-DOS boot disk and cp the file over. Although there’s no technological requirement for it, most diskette-based kickstart installations install Red Hat Linux from a local CD-ROM.
Network installations using kickstart are quite common, because system administrators can easily automate the installation on many networked computers quickly and painlessly. In general, the approach most commonly used is for the administrator to have both a BOOTP/DHCP server and an NFS server on the local network. The BOOTP/DHCP server is used to give the client system its networking information, while the actual files used during the installation are served by the NFS server. Often, these two servers run on the same physical machine, but they are not required to.
To perform a network-based kickstart installation, you must have a BOOTP/DHCP server on your network, and it must include configuration information for the machine on which you are attempting to install Red Hat Linux. The BOOTP/DHCP server will provide the client with its networking information as well as the location of the kickstart file.
If a kickstart file is specified by the BOOTP/DHCP server, the client system will attempt an NFS mount of the file’s path, and will copy the specified file to the client, using it as the kickstart file. The exact settings required vary depending on the BOOTP/DHCP server you use.
Here’s an example of the relevant lines from the dhcpd.conf file for the DHCP server shipped with Red Hat Linux:
filename "/usr/new-machine/kickstart/";
next-server blarg.redhat.com;
Note that you should replace the value after filename with the name of the kickstart file (or the directory in which the kickstart file resides) and the value after next-server with the NFS server name.
If the filename returned by the BOOTP/DHCP server ends with a slash ("/"), then it is interpreted as a path only. In this case, the client system mounts that path using NFS, and searches for a particular file. The filename the client searches for is:
<ip-addr>-kickstart
The <ip-addr> section of the filename should be replaced with the client’s IP address in dotted decimal notation. For example, the filename for a computer with an IP address of 10.10.0.1 would be 10.10.0.1-kickstart.
Note that if you don’t specify a server name, then the client system will attempt to use the server that answered the BOOTP/DHCP request as its NFS server. If you don’t specify a path or filename, the client system will try to mount /kickstart from the BOOTP/DHCP server, and will try to find the kickstart file using the same <ip-addr>-kickstart filename as described above.
1.3 Starting a Kickstart Installation
To begin a kickstart installation, you must boot the system from a Red Hat Linux boot diskette or the CD-ROM and enter a special boot command at the boot prompt. If the kickstart file is located on a boot diskette that was created from the boot.img or bootnet.img image file, the correct boot command would be:
boot: linux ks=floppy
The linux ks=floppy command also works if the ks.cfg file is located on a vfat filesystem on a floppy diskette and you boot from the Red Hat Linux CD-ROM.
An alternate boot command for booting off the Red Hat Linux CD-ROM and having the kickstart file on a vfat filesystem on a floppy diskette is:
boot: linux ks=hd:fd0/ks.cfg
If you need to use a driver disk with kickstart, you can still have the kickstart file on a floppy disk:
boot: linux ks=floppy dd
The Red Hat Linux installation program looks for a kickstart file if the ks command line argument is passed to the kernel. The command line argument can take a number of forms:
ks=nfs:<server>:/<path>
The installation program will look for the kickstart file on the NFS server <server>, as file <path>. The installation program will use DHCP to configure the Ethernet card. For example, if your NFS server is server.example.com and the kickstart file is in the NFS share /mydir/ks.cfg, the correct boot command would be ks=nfs:server.example.com:/mydir/ks.cfg.
ks=http:<server>:/<path>
The installation program will look for the kickstart file on the HTTP server <server>, as file <path>. The installation program will use DHCP to configure the Ethernet card. For example, if your HTTP server is server.example.com and the kickstart file is in the HTTP directory /mydir/ks.cfg, the correct boot command would be ks=http:server.example.com:/mydir/ks.cfg.
ks=floppy
The installation program looks for the file ks.cfg on a vfat filesystem on the floppy in drive /dev/fd0.
ks=hd:<device>/<file>
The installation program will mount the filesystem on <device> (which must be vfat or ext2), and look for the kickstart configuration file as <file> in that filesystem (for example, ks=hd:sda3/mydir/ks.cfg).
ks=file:/<file>
The installation program will try to read the file <file> from the filesystem; no mounts will be done. This is normally used if the kickstart file is already on the initrd image.
ks=cdrom:/<path>
The installation program will look for the kickstart file on CD-ROM, as file <path>.
ks
If ks is used alone, the installation program will configure the Ethernet card in the system using DHCP. The system will use the "bootServer" from the DHCP response as an NFS server to read the kickstart file from (by default, this is the same as the DHCP server). The name of the kickstart file is one of the following:
If DHCP is specified and the bootfile begins with a /, the bootfile provided by DHCP is looked for on the NFS server.
If DHCP is specified and the bootfile begins with something other than a /, the bootfile provided by DHCP is looked for in the /kickstart directory on the NFS server.
If DHCP did not specify a bootfile, then the installation program tries to read the file /kickstart/1.2.3.4-kickstart, where 1.2.3.4 is the numeric IP address of the machine being installed.
ksdevice=<device>
The installation program will use this network device to connect to the network. For example, to start a kickstart installation with the kickstart file on an NFS server that is connected to the system through the eth1 device, use the command ks=nfs:<server>:/<path> ksdevice=eth1 at the boot: prompt.
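The rules above (the ks= argument forms, the bare ks case with its bootServer and bootfile handling, and the trailing-slash and <ip-addr>-kickstart conventions from the BOOTP/DHCP discussion in the previous section) are easy to get wrong when writing DHCP entries by hand. The following Python script is an added example, not code from the manual or from the installation program: it parses a boot: line and reports where the installer would look for the kickstart file. The function names and the sample boot lines are constructed for illustration.

```python
"""Resolve where the installer would look for a kickstart file (added example)."""
from typing import Dict, Optional, Tuple

# Source types recognised by the installer's ks= argument (Section 1.3).
NETWORK_METHODS = ("nfs", "http")


def parse_ks_arg(arg: str) -> Dict[str, Optional[str]]:
    """Break one ks=... token into method, server, device and path."""
    info: Dict[str, Optional[str]] = {"method": None, "server": None,
                                      "device": None, "path": None}
    if arg == "ks":                       # bare ks: everything comes from DHCP
        info["method"] = "dhcp"
        return info
    if not arg.startswith("ks="):
        raise ValueError("not a ks= argument: %r" % arg)
    value = arg[len("ks="):]
    if value == "floppy":                 # ks.cfg on a vfat floppy in /dev/fd0
        info.update(method="floppy", device="fd0", path="/ks.cfg")
        return info
    method, sep, rest = value.partition(":")
    if not sep:
        raise ValueError("unrecognised ks= form: %r" % arg)
    if method in NETWORK_METHODS:         # ks=nfs:<server>:/<path>, ks=http:<server>:/<path>
        server, sep2, path = rest.partition(":")
        if not sep2 or not server or not path.startswith("/"):
            raise ValueError("expected ks=%s:<server>:/<path>" % method)
        info.update(method=method, server=server, path=path)
    elif method == "hd":                  # ks=hd:<device>/<file>
        device, sep2, path = rest.partition("/")
        if not sep2 or not device:
            raise ValueError("expected ks=hd:<device>/<file>")
        info.update(method="hd", device=device, path="/" + path)
    elif method in ("file", "cdrom"):     # ks=file:/<file>, ks=cdrom:/<path>
        if not rest.startswith("/"):
            raise ValueError("expected ks=%s:/<path>" % method)
        info.update(method=method, path=rest)
    else:
        raise ValueError("unknown kickstart source %r" % method)
    return info


def parse_boot_command(line: str) -> Dict[str, object]:
    """Pick the kickstart-related arguments out of a full boot: line."""
    tokens = line.split()
    if tokens and tokens[0] == "boot:":   # tolerate a copied 'boot:' prompt
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("empty boot command")
    result: Dict[str, object] = {"kernel": tokens[0], "kickstart": None,
                                 "ksdevice": None, "driver_disk": False}
    for tok in tokens[1:]:
        if tok == "ks" or tok.startswith("ks="):
            result["kickstart"] = parse_ks_arg(tok)
        elif tok.startswith("ksdevice="):
            result["ksdevice"] = tok[len("ksdevice="):]
        elif tok == "dd":                 # a driver disk is loaded as well
            result["driver_disk"] = True
    return result


def resolve_dhcp_kickstart(client_ip: str, dhcp_server: str,
                           boot_server: Optional[str] = None,
                           bootfile: Optional[str] = None) -> Tuple[str, str]:
    """Apply the bare-ks rules: which NFS server, and which file on it."""
    server = boot_server or dhcp_server   # bootServer defaults to the DHCP server
    default_name = client_ip + "-kickstart"
    if not bootfile:                      # no bootfile: <ip-addr>-kickstart under /kickstart
        path = default_name
    elif bootfile.endswith("/"):          # trailing slash: a directory to search
        path = bootfile + default_name
    else:
        path = bootfile
    if not path.startswith("/"):          # relative names live under /kickstart
        path = "/kickstart/" + path
    return server, path


if __name__ == "__main__":
    print(parse_boot_command("linux ks=nfs:server.example.com:/mydir/ks.cfg ksdevice=eth1"))
    print(resolve_dhcp_kickstart("10.10.0.1", "10.10.0.2",
                                 "blarg.redhat.com", "/usr/new-machine/kickstart/"))
```

Running the script against the dhcpd.conf values from the previous section shows that a client at 10.10.0.1 would mount blarg.redhat.com and read /usr/new-machine/kickstart/10.10.0.1-kickstart; with no filename at all it falls back to /kickstart/10.10.0.1-kickstart on the DHCP server itself.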
1.4 The Kickstart File
Now that you have some background information on kickstart installations, let’s take a look at the kickstart file itself. The kickstart file is a simple text file, containing a list of items, each identified by a keyword. You can create it by editing a copy of the sample.ks file found in the RH-DOCS directory of the Red Hat Linux Documentation CD-ROM, using the Kickstart Configurator application, or writing it from scratch. You should be able to edit it with any text editor or word processor that can save files as ASCII text.
First, be aware of the following issues when you are creating your kickstart file:
– Items must be specified in order. That order is:
  – Command section — Refer to Section 1.5, Kickstart Options for a list of kickstart options. You must include the required options.
  – The %packages section — Refer to Section 1.5.29, %packages — Package Selection for details.
  – The %pre and %post sections — These two sections can be in any order and are not required. Refer to Section 1.5.30, %pre — Pre-Installation Configuration Section and Section 1.5.31, %post — Post-Installation Configuration Section for details.
– Items that are not required can be omitted.
– Omitting any required item will result in the installation program prompting the user for an answer to the related item, just as the user would be prompted during a typical installation. Once the answer is given, the installation will continue unattended (unless it finds another missing item).
– Lines starting with a pound sign ("#") are treated as comments, and are ignored.
– For kickstart upgrades, the following items are required:
  – Language
  – Installation method
  – Device specification (if device is needed to perform installation)
  – Keyboard setup
  – The upgrade keyword
  – LILO configuration
If any other items are specified for an upgrade, those items will be ignored (note that this includes package selection).
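A kickstart file that omits a required item does not fail; the installer silently falls back to prompting, which defeats the purpose of an unattended install. The Python linter below is an added example, not part of the manual or of the installation program. It applies the ordering rules above (command section, then %packages, then %pre/%post), the required-item lists for installs (taken from the commands marked required in Section 1.5) and for upgrades (the list above), and three per-command checks drawn from later sections: rootpw without --iscrypted (Section 1.5.22), a comma-separated firewall --trust list (Section 1.5.8), and a static network line missing one of its four addresses (Section 1.5.18). The two sample files are constructed, and the rootpw hash in the clean sample is a placeholder, not a real hash.

```python
"""Lint a kickstart file against the structure rules of Section 1.4 (added example)."""
from typing import Dict, List, Tuple

# Commands Section 1.5 marks as required for a fresh install; the installer
# prompts interactively for each one that is missing.
INSTALL_REQUIRED: Dict[str, Tuple[str, ...]] = {
    "auth": ("auth", "authconfig"), "bootloader": ("bootloader", "lilo"),
    "keyboard": ("keyboard",), "lang": ("lang",), "mouse": ("mouse",),
    "part": ("part", "partition"), "rootpw": ("rootpw",), "timezone": ("timezone",),
    "installation method": ("nfs", "cdrom", "harddrive", "url"),
}
# Items Section 1.4 lists as required for a kickstart upgrade.
UPGRADE_REQUIRED: Dict[str, Tuple[str, ...]] = {
    "lang": ("lang",), "installation method": ("nfs", "cdrom", "harddrive", "url"),
    "keyboard": ("keyboard",), "bootloader": ("bootloader", "lilo"),
}


def split_sections(text: str) -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Return (command lines, {section: lines}, section order); '#' lines are dropped."""
    commands: List[str] = []
    sections: Dict[str, List[str]] = {}
    order: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):          # %packages, %pre and %post open a section
            current = line.split()[0]
            sections.setdefault(current, [])
            order.append(current)
        elif current is None:
            commands.append(line)
        else:
            sections[current].append(line)
    return commands, sections, order


def lint_kickstart(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    commands, _sections, order = split_sections(text)
    names = [c.split()[0] for c in commands]
    findings: List[str] = []
    upgrade = "upgrade" in names
    required = UPGRADE_REQUIRED if upgrade else INSTALL_REQUIRED
    for label, aliases in required.items():
        if not any(n in names for n in aliases):
            findings.append("missing required item '%s': the installer will prompt for it" % label)
    if upgrade and "%packages" in order:
        findings.append("%packages is ignored during an upgrade")
    if "%packages" in order:              # %packages must precede %pre and %post
        first = order.index("%packages")
        if any(s in ("%pre", "%post") for s in order[:first]):
            findings.append("%packages must come before %pre and %post")
    for cmd in commands:
        tokens = cmd.split()
        if tokens[0] == "rootpw" and "--iscrypted" not in tokens:
            findings.append("rootpw is in clear text; use --iscrypted with an already encrypted password")
        if tokens[0] == "firewall":
            for i, tok in enumerate(tokens[:-1]):
                if tok == "--trust" and "," in tokens[i + 1]:
                    findings.append("firewall --trust takes one device; repeat --trust instead of a comma-separated list")
        if tokens[0] == "network" and "static" in tokens:
            for opt in ("--ip", "--netmask", "--gateway", "--nameserver"):
                if opt not in tokens:
                    findings.append("network --bootproto static needs %s on the same line" % opt)
    return findings


# Constructed sample with several deliberate mistakes (not from the manual).
SAMPLE_WITH_ERRORS = """\
# fresh install with no installation method (nfs/cdrom/harddrive/url)
lang en_US
keyboard us
mouse genericps/2
timezone --utc America/New_York
rootpw secret
auth --useshadow --enablemd5
bootloader --location=mbr
firewall --medium --trust eth0, eth1 --ssh
network --bootproto static --ip 10.0.2.15 --netmask 255.255.255.0 --gateway 10.0.2.254
part / --size 1000 --grow
%post
%packages
@ Base
"""

# Constructed sample that passes every check; the rootpw value is a placeholder.
SAMPLE_CLEAN = """\
lang en_US
keyboard us
mouse genericps/2
timezone --utc America/New_York
rootpw --iscrypted $1$PLACEHOLDER$notarealhash
auth --useshadow --enablemd5
bootloader --location=mbr
nfs --server server.example.com --dir /mydir
firewall --medium --trust eth0 --trust eth1 --ssh
network --bootproto dhcp
part / --size 1000 --grow
%packages
@ Base
%post
"""
```

Run lint_kickstart over a file before copying it to the NFS or HTTP server; the first sample yields five findings (no installation method, %packages after %post, clear-text rootpw, the comma in --trust, and the missing --nameserver), the second yields none.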
1.5 Kickstart Options
The following options can be placed in a kickstart file. If you prefer to use a graphical interface for creating your kickstart file, you can use the Kickstart Configurator application. Refer to Chapter 2, Kickstart Configurator for details.
1.5.1 autostep
autostep (optional) ¹
Similar to interactive except it goes to the next screen for you. It is used mostly for debugging.
1.5.2 auth — Authentication Options
auth or authconfig (required)
Sets up the authentication options for the system. It’s similar to the authconfig command, which can be run after the install. By default, passwords are normally encrypted and are not shadowed.
--enablemd5
Use md5 encryption for user passwords.
--enablenis
Turns on NIS support. By default, --enablenis uses whatever domain it finds on the network. A domain should almost always be set by hand (via --nisdomain).
--nisdomain
NIS domain name to use for NIS services.
--nisserver
Server to use for NIS services (broadcasts by default).
--useshadow or --enableshadow
Use shadow passwords.
--enableldap
Turns on LDAP support in /etc/nsswitch.conf, allowing your system to retrieve information about users (UIDs, home directories, shells, etc.) from an LDAP directory.
To use this option, you must have the nss_ldap package installed. You must also specify a server and a base DN.
--enableldapauth
Use LDAP as an authentication method. This enables the pam_ldap module for authentication and changing passwords, using an LDAP directory. To use this option, you must have the nss_ldap package installed. You must also specify a server and a base DN.
--ldapserver=
If you specified either --enableldap or --enableldapauth, the name of the LDAP server to use. This option is set in the /etc/ldap.conf file.
--ldapbasedn=
The DN (distinguished name) in your LDAP directory tree under which user information is stored. This option is set in the /etc/ldap.conf file.
--enableldaptls
Use TLS (Transport Layer Security) lookups. This option allows LDAP to send encrypted usernames and passwords to an LDAP server before authentication.
--enablekrb5
Use Kerberos 5 for authenticating users. Kerberos itself does not know about home directories, UIDs, or shells. So if you enable Kerberos you will need to make users’ accounts known to this workstation by enabling LDAP, NIS, or Hesiod or by using the /usr/sbin/useradd command to make their accounts known to this workstation. If you use this option, you must have the pam_krb5 package installed.
--krb5realm
The Kerberos 5 realm to which your workstation belongs.
--krb5kdc
The KDC (or KDCs) that serve requests for the realm. If you have multiple KDCs in your realm, separate their names with commas (,).
--krb5adminserver
The KDC in your realm that is also running kadmind. This server handles password changing and other administrative requests. This server must be run on the master KDC if you have more than one KDC.
--enablehesiod
Enable Hesiod support for looking up user home directories, UIDs, and shells. More information on setting up and using Hesiod on your network is in /usr/share/doc/glibc-2.x.x/README.hesiod, which is included in the glibc package. Hesiod is an extension of DNS that uses DNS records to store information about users, groups, and various other items.
--hesiodlhs
The Hesiod LHS ("left-hand side") option, set in /etc/hesiod.conf. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP’s use of a base DN.
--hesiodrhs
The Hesiod RHS ("right-hand side") option, set in /etc/hesiod.conf. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP’s use of a base DN.
Tip
To look up user information for "jim", the Hesiod library looks up jim.passwd<LHS><RHS>, which should resolve to a TXT record that looks like what his passwd entry would look like (jim:*:501:501:Jungle Jim:/home/jim:/bin/bash). For groups, the situation is identical, except jim.group<LHS><RHS> would be used.
Looking up users and groups by number is handled by making "501.uid" a CNAME for "jim.passwd", and "501.gid" a CNAME for "jim.group". Note that the LHS and RHS do not have periods [.] put in front of them when the library determines the name for which to search, so the LHS and RHS usually begin with periods.
--enablesmbauth ¹
Enables authentication of users against an SMB server (typically a Samba or Windows server). SMB authentication support does not know about home directories, UIDs, or shells. So if you enable it you will need to make users’ accounts known to the workstation by enabling LDAP, NIS, or Hesiod or by using the /usr/sbin/useradd command to make their accounts known to the workstation. To use this option, you must have the pam_smb package installed.
--smbservers= ¹
The name of the server(s) to use for SMB authentication. To specify more than one server, separate the names with commas (,).
--smbworkgroup= ¹
The name of the workgroup for the SMB servers.
--enablecache ¹
Enables the nscd service. The nscd service caches information about users, groups, and various other types of information. Caching is especially helpful if you choose to distribute information about users and groups over your network using NIS, LDAP, or hesiod.
1.5.3 bootloader
bootloader (required) ¹
Specifies how the boot loader should be installed and whether the bootloader should be LILO or GRUB.
--append
Specifies kernel parameters.
--location=
Specifies where the boot record is written. Valid values are the following: mbr (the default), partition (installs the boot loader on the first sector of the partition containing the kernel), or none (do not install the boot loader).
--password=mypassword
If using GRUB, sets the GRUB bootloader password to mypassword. This should be used to restrict access to the GRUB shell where arbitrary kernel options can be passed.
--md5pass=mypassword
If using GRUB, similar to --password except mypassword should be the password already encrypted.
--useLilo
Use LILO instead of GRUB as the boot loader.
--linear
If using LILO, use the linear LILO option; this is only for backwards compatibility (and linear is now used by default).
--nolinear
If using LILO, use the nolinear LILO option; linear is the default.
--lba32
If using LILO, force use of lba32 mode instead of autodetecting.
1.5.4 clearpart — Removing Partitions Based On Partition Type
clearpart (optional)
Removes partitions from the system, prior to creation of new partitions. By default, no partitions are removed.
--linux
Erases all Linux partitions.
--all
Erases all partitions from the system.
--drives ¹
Specifies which drives to clear partitions from.
--initlabel ¹
Initializes the disk label to the default for your architecture (msdos for x86 and gpt for Itanium). It is useful so that the installation program does not ask if it should initialize the disk label if installing to a brand new hard drive.
1.5.5 device
device (optional)
On most PCI systems, the installation program will autoprobe for Ethernet and SCSI cards properly. On older systems and some PCI systems, however, kickstart needs a hint to find the proper devices. The device command, which tells Anaconda to install extra modules, is in this format:
device <type> <moduleName> --opts <options>
<type> should be one of "scsi" or "eth", and <moduleName> is the name of the kernel module which should be installed.
--opts
Options to pass to the kernel module. Note that multiple options may be passed if they are put in quotes. For example:
--opts "aic152x=0x340 io=11"
1.5.6 deviceprobe
deviceprobe (optional)
Forces a probe of the PCI bus and loads modules for all the devices found if a module is available.
1.5.7 driverdisk
driverdisk (optional)
Driver disks can be used during kickstart installations. You will need to copy the driver disk’s contents to the root directory of a partition on the system’s hard drive. Then you will need to use the driverdisk command to tell the installation program where to look for the driver disk.
driverdisk <partition> [--type <fstype>]
<partition> is the partition containing the driver disk.
--type
Filesystem type (for example, vfat, ext2, or ext3).
1.5.8 firewall
firewall (optional)
Firewall options can be configured in kickstart. This configuration corresponds to the Firewall Configuration screen in the installation program.
firewall [--high | --medium | --disabled] [--trust <device>] [--dhcp] [--ssh] [--telnet] [--smtp] [--http] [--ftp] [--port <portspec>]
Levels of security
Choose one of the following levels of security:
--high
--medium
--disabled
--trust <device>
Listing a device here, such as eth0, allows all traffic coming from that device to go through the firewall. To list more than one device, use --trust eth0 --trust eth1. Do NOT use a comma-separated format such as --trust eth0, eth1.
Allow incoming
Enabling these options allows the specified services to pass through the firewall.
--dhcp
--ssh
--telnet
--smtp
--http
--ftp
--port <portspec>
You can specify that ports be allowed through the firewall using the port:protocol format. For example, if you wanted to allow IMAP access through your firewall, you can specify imap:tcp. You can also specify numeric ports explicitly; for example, to allow UDP packets on port 1234 through, specify 1234:udp. To specify multiple ports, separate them by commas.
1.5.9 install
install (optional)
Tells the system to install a fresh system rather than upgrade an existing system. This is the default mode.
1.5.10 Installation Methods
You must use one of these four commands to specify what type of kickstart installation is being performed:
nfs
Install from the NFS server specified.
--server <server>
Server from which to install (hostname or IP).
--dir <dir>
Directory containing the Red Hat installation tree.
For example:
nfs --server <server> --dir <dir>
cdrom
Install from the first CD-ROM drive on the system. For example:
cdrom
harddrive
Install from a Red Hat installation tree on a local drive, which must be either vfat or ext2.
--partition <partition>
Partition to install from (such as, sdb2).
--dir <dir>
Directory containing the Red Hat installation tree.
For example:
harddrive --partition <partition> --dir <dir>
url
Install from a Red Hat installation tree on a remote server via FTP or HTTP. For example:
url --url http://<server>/<dir>
url --url ftp://<username>:<password>@<server>/<dir>
1.5.11 interactive
interactive (optional) ¹
Uses the information provided in the kickstart file during the installation, but allows for inspection and modification of the values given. You will be presented with each screen of the installation program with the values from the kickstart file. Either accept the values by clicking Next or change the values and click Next to continue. See also Section 1.5.1, autostep.
1.5.12 keyboard
keyboard (required)
Sets system keyboard type. Here’s the list of available keyboards on i386 and Alpha machines:
ANSI-dvorak, azerty, be-latin1, be2-latin1, bg, br-abnt2, cf, croat, cz, cz-lat2, cz-lat2-prog, cz-us-qwertz, de, de-latin1, de-latin1-nodeadkeys, defkeymap, defkeymap_V1.0, dk, dk-latin1, dvorak, dvorak-l, dvorak-r, emacs, emacs2, es, es-cp850, et, et-nodeadkeys, fi, fi-latin1, fr, fr-latin0, fr-latin1, fr-pc, fr_CH, fr_CH-latin1, gr, gr-pc, hebrew, hu, hu101, is-latin1, it, it-ibm, it2, jp106, la-latin1, lt, lt.l4, lv-latin4, lv-latin7, mk, nl, nl-latin1, nl-latin1-nodeadkeys, no, no-latin1, pc-dvorak-latin1, pc110, pl, pl1, pt-latin1, pt-old, ro, ru, ru-cp1251, ru-ms, ru-yawerty, ru1, ru2, ru3, ru4, ru_win, se-latin1, sg, sg-latin1, sg-latin1-lk450, sk-prog, sk-prog-qwerty, sk-prog-qwerty, sk-qwerty, sk-qwertz, slovene, sr, sr, tr_f-latin5, tr_q-latin5, tralt, trf, trq, ua, ua-utf, ua-utf-ws, ua-ws, uaw, uaw_uni, uk, us, us-latin1, wangbe
Here’s the list for SPARC machines:
sun-pl-altgraph, sun-pl, sundvorak, sunkeymap, sunt4-es, sunt4-no-latin1, sunt5-cz-us, sunt5-de-latin1, sunt5-es, sunt5-fi-latin1, sunt5-fr-latin1, sunt5-ru, sunt5-uk, sunt5-us-cz
1.5.13 lang
lang (required)
Sets the language to use during installation. For example, to set the language to English, the kickstart file should contain the following line:
lang en_US
Valid language codes are the following (please note that these are subject to change at any time):
cs_CZ, da_DK, en_US, fr_FR, de_DE, hu_HU, is_IS, it_IT, ja_JP.eucJP, no_NO, ro_RO, sk_SK, sl_SI, sr_YU, es_ES, ru_RU.KOI8-R, uk_UA.KOI8-U, sv_SE, tr_TR
1.5.14 langsupport
langsupport
Sets the language(s) to install on the system. The same language codes used with lang can be used with langsupport.
--default ¹
Sets the default language to use for any language-specific aspect of the installed system.
An example to install English and French and use English as the default language:
langsupport --default en_US fr_FR
1.5.15 lilo
lilo (replaced by bootloader)
WARNING
This option has been replaced by bootloader and is only available for backwards compatibility. Refer to Section 1.5.3, bootloader.
Specifies how the boot loader should be installed on the system. By default, LILO installs on the MBR of the first disk, and installs a dual-boot system if a DOS partition is found (the DOS/Windows system will boot if the user types dos at the LILO: prompt).
--append <params>
Specifies kernel parameters.
--linear
Use the linear LILO option; this is only for backwards compatibility (and linear is now used by default).
--nolinear
Use the nolinear LILO option; linear is now used by default.
--location
Specifies where the LILO boot record is written. Valid values are the following: mbr (the default) or partition (installs the boot loader on the first sector of the partition containing the kernel). If no location is specified, LILO is not installed.
--lba32 ¹
Forces the use of lba32 mode instead of autodetecting.
1.5.16 lilocheck
lilocheck (optional)
If lilocheck is present, the installation program checks for LILO on the MBR of the first hard drive, and reboots the system if it is found — in this case, no installation is performed. This can prevent kickstart from reinstalling an already installed system.
1.5.17 mouse
mouse (required)
Configures the mouse for the system, both in GUI and text modes. Options are:
--device <dev>
Device the mouse is on (such as --device ttyS0).
--emulthree
If present, simultaneous clicks on the left and right mouse buttons will be recognized as the middle mouse button by the X Window System. This option should be used if you have a two button mouse.
After options, the mouse type may be specified as one of the following:
alpsps/2, ascii, asciips/2, atibm, generic, generic3, genericps/2, generic3ps/2, genericusb, generic3usb, geniusnm, geniusnmps/2, geniusprops/2, geniusscrollps/2, thinking, thinkingps/2, logitech, logitechcc, logibm, logimman, logimmanps/2, logimman+, logimman+ps/2, logimmusb, microsoft, msnew, msintelli, msintellips/2, msintelliusb, msbm, mousesystems, mmseries, mmhittab, sun, none
If the mouse command is given without any arguments, or it is omitted, the installation program will attempt to autodetect the mouse. This procedure works for most modern mice.
1.5.18 network
network (optional)
Configures network information for the system. If the kickstart installation does not require networking (in other words, it is not installed over NFS, HTTP, or FTP), networking is not configured for the system. If the installation does require networking and network information is not provided in the kickstart file, the Red Hat Linux installation program assumes that the installation should be done over eth0 via a dynamic IP address (BOOTP/DHCP), and configures the final, installed system to determine its IP address dynamically. The network option configures networking information for kickstart installations via a network as well as for the installed system.
--bootproto
One of dhcp, bootp, or static (defaults to DHCP, and dhcp and bootp are treated the same). Must be static for static IP information to be used.
--device <device>
Used to select a specific Ethernet device for installation. Note that using --device <device> will not be effective unless the kickstart file is a local file (such as ks=floppy), since the installation program will configure the network to find the kickstart file. Example:
network --bootproto dhcp --device eth0
--ip
IP address for the machine to be installed.
--gateway
Default gateway as an IP address.
--nameserver
Primary nameserver, as an IP address.
--netmask
Netmask for the installed system.
--hostname
Hostname for the installed system.
There are three different methods of network configuration:
– DHCP
– BOOTP
– static
The DHCP method uses a DHCP server system to obtain its networking configuration. As you might guess, the BOOTP method is similar, requiring a BOOTP server to supply the networking configuration.
The static method requires that you enter all the required networking information in the kickstart file. As the name implies, this information is static, and will be used during the installation, and after the installation as well.
To direct a system to use DHCP to obtain its networking configuration, use the following line:
network --bootproto dhcp
To direct a machine to use BOOTP to obtain its networking configuration, use the following line in the kickstart file:
network --bootproto bootp
The line for static networking is more complex, as you must include all network configuration information on one line. You’ll need to specify:
– IP address
– Netmask
– Gateway IP address
– Nameserver IP address
Here’s an example static line:
network --bootproto static --ip 10.0.2.15 --netmask 255.255.255.0 --gateway 10.0.2.254 --nameserver 10.0.2.1
If you use the static method, be aware of the following two restrictions:
All static networking configuration information must be specified on one line; you cannot wrap lines using a backslash, for example.
You can only specify one nameserver here. However, you can use the kickstart file’s %post section (described in Section 1.5.31, %post — Post-Installation Configuration Section) to add more name servers, if needed.
1.5.19 part
part or partition (required for installs, ignored for upgrades)
Creates a partition on the system. The <mntpoint> is where the partition will be mounted and must be of one of the following forms:
/<mntpoint>
For example, /, /usr, /home
swap
The partition will be used as swap space.
raid.<id>
The partition will be used for software RAID (see Section 1.5.20, raid below).
--size <size>
The minimum partition size in megabytes. Specify an integer value here such as 500. Do not append the number with MB.
--grow
Tells the partition to grow to fill available space (if any), or up to the maximum size setting.
--maxsize <size>
The maximum partition size in megabytes when the partition is set to grow. Specify an integer value here, and do not append the number with MB.
--noformat
Tells the installation program not to format the partition, for use with the --onpart command.
--onpart <part> or --usepart <part>
Tells the installation program to put the partition on the already existing device <part>. For example, partition /home --onpart hda1 will put /home on /dev/hda1, which must already exist.
--ondisk <disk> or --ondrive <drive>
Forces the partition to be created on a particular disk. For example, --ondisk sdb will put the partition on the second disk on the system.
--onprimary <N>
Forces the partition to be created on the primary partition <N> or fail. <N> can be 1 through 4. For example, --onprimary=1 specifies that the partition is to be created on the first primary partition.
--asprimary
Forces automatic allocation of the partition as a primary partition or the partitioning will fail.
--bytes-per-inode=<N>
<N> represents the number of bytes per inode on the filesystem when it is created. It must be given in decimal format. This option is useful for applications where you want to increase the number of inodes on the filesystem.
--type=<X> (replaced by fstype)
This option is no longer available. Use fstype.
--fstype ¹
Sets the filesystem type for the partition. Valid values are ext2, ext3, swap, vfat.
--start ¹
Specifies the starting cylinder for the partition. It requires that a drive be specified with --ondisk or --ondrive. It also requires that the ending cylinder be specified with --end or the partition size be specified with --size.
--end ¹
Specifies the ending cylinder for the partition. It requires that the starting cylinder be specified with --start.
--badblocks ¹
Specifies that the partition should be checked for bad sectors.
All partitions created will be formatted as part of the installation process unless --noformat and --onpart are used.
Note
If clearpart is used in the ks.cfg file, then --onpart cannot be used on a logical partition.
Note
If partitioning fails for any reason, diagnostic messages will appear on virtual console 3.
1.5.20 raid
raid (optional)
Assembles a software RAID device. This command is of the form:
raid <mntpoint> --level <level> --device <mddevice> <partitions*>
The <mntpoint> is the location where the RAID filesystem is mounted. If it is /, the RAID level must be 1 unless a boot partition (/boot) is present. If a boot partition is present, the /boot partition must be level 1 and the root (/) partition can be any of the available types. The <partitions*> (which denotes that multiple partitions can be listed) lists the RAID identifiers to add to the RAID array.
--level <level>
RAID level to use (0, 1, or 5).
--device <mddevice>
Name of the RAID device to use (such as md0 or md1). RAID devices range from md0 to md7, and each may only be used once.
--spares=N ¹
Specifies that there should be N spare drives allocated for the RAID array. Spare drives are used to rebuild the array in case of drive failure.
--fstype ¹
Sets the filesystem type for the RAID array. Valid values are ext2, ext3, swap, and vfat.
--noformat ¹
Do not format the RAID array.
The following example shows how to create a RAID level 1 partition for /, and a RAID level 5 for /usr, assuming there are three SCSI disks on the system. It also creates three swap partitions, one on each drive.
part raid.01 --size 60 --ondisk sda
part raid.02 --size 60 --ondisk sdb
part raid.03 --size 60 --ondisk sdc
part swap --size 128 --ondisk sda
part swap --size 128 --ondisk sdb
part swap --size 128 --ondisk sdc
part raid.11 --size 1 --grow --ondisk sda
part raid.12 --size 1 --grow --ondisk sdb
part raid.13 --size 1 --grow --ondisk sdc
raid / --level 1 --device md0 raid.01 raid.02 raid.03
raid /usr --level 5 --device md1 raid.11 raid.12 raid.13
1.5.21 reboot
reboot (optional)
Reboot after the installation is complete (no arguments). Normally, kickstart displays a message and waits for the user to press a key before rebooting.
1.5.22 rootpw
rootpw (required)
rootpw [--iscrypted] <password>
Sets the system’s root password to the <password> argument.
--iscrypted
If this is present, the password argument is assumed to already be encrypted.
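Because the kickstart file is normally fetched over NFS or HTTP and often kept on a shared server, the root password should go into it in its already encrypted form. The Python script below is an added example, not code from the manual or from Red Hat: it implements the MD5-based crypt(3) scheme (the $1$ form that --enablemd5 in Section 1.5.2 selects for user passwords) in pure Python, so the rootpw --iscrypted line can be generated on any machine without calling the system's crypt library. The same $1$ form is what bootloader --md5pass expects (Section 1.5.3). The function names are constructed for this example; the salt is drawn from os.urandom.

```python
"""Produce the encrypted password form for rootpw --iscrypted (added example)."""
import hashlib
import hmac
import os

# crypt(3) output alphabet and the prefix that marks an MD5-based hash.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` base-64 digits of `value`, least significant digit first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Pure-Python MD5-crypt ($1$), compatible with glibc crypt(3)."""
    pw = password.encode()
    sl = salt.encode()[:8]                # crypt(3) uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                          # mix in the alternate sum, 16 bytes per step
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                              # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # key stretching rounds of the original algorithm
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = b""                             # 16 digest bytes -> 22 output characters
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + sl + b"$" + out).decode()


def new_salt() -> str:
    """Eight random characters from the crypt alphabet."""
    return bytes(ITOA64[b & 0x3F] for b in os.urandom(8)).decode()


def verify(password: str, hashed: str) -> bool:
    """True if `hashed` is the MD5-crypt of `password` (constant-time comparison)."""
    if not hashed.startswith("$1$"):
        return False
    salt = hashed[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), hashed)


def rootpw_line(password: str) -> str:
    """The kickstart line that sets root's password without storing it in clear text."""
    return "rootpw --iscrypted " + md5crypt(password, new_salt())


if __name__ == "__main__":
    print(rootpw_line("correct horse battery staple"))
```

Paste the printed line into the command section of the kickstart file in place of a clear-text rootpw line; verify() lets you confirm afterwards that a hash copied from /etc/shadow or from the file still matches the intended password.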
1.5.23 skipx
skipx (optional)
If present, X is not configured on the installed system.
1.5.24 text
text (optional) ¹
Perform the kickstart installation in text mode. Kickstart installations are performed in graphical mode by default.
1.5.25 timezone
timezone (required)
timezone [--utc] <timezone>
Sets the system time zone to <timezone> which may be any of the time zones listed by timeconfig.
--utc
If present, the system assumes the hardware clock is set to UTC (Greenwich Mean) time.
1.5.26 upgrade
upgrade (optional)
Tells the system to upgrade an existing system rather than install a fresh system.
1.5.27 xconfig
xconfig (optional)
Configures the X Window System. If this option is not given, the user will need to configure X manually during the installation, if X was installed; this option should not be used if X is not installed on the final system.
--noprobe
Do not probe the monitor.
--card <card>
Use card <card>; this card name should be from the list of cards in Xconfigurator. If this argument is not provided, Anaconda will probe the PCI bus for the card. Since AGP is part of the PCI bus, AGP cards will be detected if supported. The probe order is determined by the PCI scan order of the motherboard.
--videoram <vram> ¹
Specify the amount of video RAM the video card has.
--monitor <mon>
Use monitor <mon>; this monitor name should be from the list of monitors in Xconfigurator. This is ignored if --hsync or --vsync is provided. If no monitor information is provided, the installation program tries to probe for it automatically.
--hsync <sync>
Specifies the horizontal sync frequency of the monitor.
--vsync <sync>
Specifies the vertical sync frequency of the monitor.
--defaultdesktop=GNOME or --defaultdesktop=KDE
Sets the default desktop to either GNOME or KDE (and assumes that GNOME and/or KDE has been installed through %packages).
--startxonboot
Use a graphical login on the installed system.
--resolution <res> ¹
Specify the default resolution for the X Window System on the installed system. Valid values are 640x480, 800x600, 1024x768, 1152x864, 1280x1024, 1400x1050, 1600x1200. Be sure to specify a resolution that is compatible with the video card and monitor.
--depth <cdepth> ¹
Specify the default color depth for the X Window System on the installed system. Valid values are 8, 16, 24, and 32. Be sure to specify a color depth that is compatible with the video card and monitor.
1.5.28 zerombr — Partition Table Initialization
zerombr (optional)
If zerombr is specified, and yes is its sole argument, any invalid partition tables found on disks are initialized. This will destroy all of the contents of disks with invalid partition tables. This command should be in the following format:
zerombr yes
No other format is effective.
1.5.29 %packages — Package Selection
Use the %packages command to begin a kickstart file section that lists the packages you’d like to install (this is for installations only, as package selection during upgrades is not supported).
Packages can be specified by component or by individual package name. The installation program defines several components that group together related packages. See the RedHat/base/comps file on any Red Hat Linux CD-ROM for a list of components. The components are defined by the lines that begin with a number followed by a space and then the component name. Each package in that component is then listed, line-by-line. Individual packages lack the leading number found in front of component lines.
Additionally, there are three other types of lines in the comps file:
Architecture specific (i386:, ia64:, alpha:, and sparc64:)
If a package name begins with an architecture type, you only need to type in the package name, not the architecture name. For example:
For i386: apmd you only need to use the apmd part for that specific package to be installed.
Lines beginning with ?
Lines that begin with a ? are used by the installation program and should not be altered.
Lines beginning with --hide
If a package name begins with --hide, you only need to type in the package name, without the --hide. For example:
For --hide Network Server you only need to use the Network Server part for that specific package to be installed.
In most cases, it’s only necessary to list the desired components and not individual packages. Note that the Base component is always selected by default, so it’s not necessary to specify it in the %packages section.
Here’s an example %packages selection:
%packages
@ Network Managed Workstation
@ Development
@ Web Server
@ X Window System
xgammon
As you can see, components are specified, one to a line, starting with an @ symbol, a space, and then the full component name as given in the comps file. Specify individual packages with no additional characters (the xgammon line in the example above is an individual package).
Note
You can also direct the kickstart installation to install the default packages for a workstation (KDE or GNOME) or server installation (or choose an everything installation to install all packages). To do this, simply add one of the following lines to the %packages section:
@ GNOME
@ KDE
@ Server
@ Everything
1.5.30 %pre — Pre-Installation Configuration Section
You can add commands to run on the system immediately after the ks.cfg has been parsed. This section must be at the end of the kickstart file (after the commands) and must start with the %pre command. Note that you can access the network in the %pre section; however, name service has not been configured at this point, so only IP addresses will work. Here’s an example %pre section:
%pre
# add comment to /etc/motd
echo "Kickstart-installed Red Hat Linux `/bin/date`" > /etc/motd
# add another nameserver
echo "nameserver 10.10.0.2" >> /etc/resolv.conf
This section creates a message-of-the-day file containing the date the kickstart installation took place. It also gets around the network command’s limitation of only one name server by adding another nameserver to /etc/resolv.conf.
Note
Note that the pre-install script is not run in the change root environment.
1.5.31 %post — Post-Installation Configuration Section
You have the option of adding commands to run on the system once the installation is complete. This section must be at the end of the kickstart file and must start with the %post command.
Note
If you configured the network with static IP information, including a nameserver, you can access the network and resolve IP addresses in the %post section. If you configured the network for DHCP, the /etc/resolv.conf file has not been completed when the installation executes the %post section. You can access the network, but you can not resolve IP addresses. Thus, if you are using DHCP, you must specify IP addresses in the %post section.
Here’s an example %post section that creates a message of the day file containing the date that the kickstart installation took place, and gets around the network command’s limitation of one nameserver only by adding another nameserver to /etc/resolv.conf.
%post
# add comment to /etc/motd
echo "Kickstart-installed Red Hat Linux `/bin/date`" > /etc/motd
# add another nameserver
echo "nameserver 10.10.0.2" >> /etc/resolv.conf
Note
The post-install script is run in a chroot environment; therefore, performing tasks such as copying scripts or RPMs from the installation media will not work.
--nochroot
Allows you to specify commands that you would like to run outside of the chroot environment. The following example copies the file /etc/resolv.conf to the filesystem that was just installed.
%post --nochroot
cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
--interpreter /usr/bin/perl
Allows you to specify a different scripting language, such as Perl. Replace /usr/bin/perl with the scripting language of your choice.
The following example uses a Perl script to replace /etc/HOSTNAME.
%post --interpreter /usr/bin/perl
# replace /etc/HOSTNAME (the guide's original opened the relative path "HOSTNAME";
# the absolute path matches the comment, and the handle is closed so the write is flushed)
open(HN, ">/etc/HOSTNAME") or die "cannot write /etc/HOSTNAME: $!";
print HN "1.2.3.4 an.ip.address\n";
close(HN);
More examples of post-installation scripts can be found in Section 2.11, Post-Installation Script.
2 Kickstart Configurator
Kickstart Configurator allows you to create a kickstart file using a graphical user interface, so that you do not have to remember the correct syntax of the file. After choosing the kickstart options, click the Save File button, verify the options you have chosen, and save the kickstart file to a desired location.
To use Kickstart Configurator, you must be running the X Window System. To start Kickstart Configurator, use one of the following methods:
On the GNOME desktop, go to the Main Menu Button (on the Panel) => Programs => System => Kickstart Configurator.
On the KDE desktop, go to the Main Menu Button (on the Panel) => Red Hat => System => Kickstart Configurator.
Type the command ksconfig at a shell prompt (for example, in an XTerm or GNOME terminal).
2.1 Basic Configuration
Figure 2–1 Basic Configuration
Choose the language to use during the installation from the Language menu. Choose the language to use after installation from the Language Support menu. Select the system keyboard type from the Keyboard menu.
Choose the mouse for the system from the Mouse menu. If you choose No Mouse, no mouse will be configured. If you choose Probe for Mouse, the installation program will try to autodetect the mouse. Probing works for most modern mice. If you have a two-button mouse, you can emulate a three-button mouse by selecting Emulate 3 Buttons. If this option is selected, simultaneously clicking the left and right mouse buttons will be recognized as a middle mouse button click.
From the Time Zone menu, choose the time zone to use for the system.
Enter the desired root password for the system in the Root Password text entry box. If you want to save the password as an encrypted password in the file, select Encrypt root password. When the file is saved, the plaintext password that you typed will be encrypted and written to the kickstart file. Do not type an already encrypted password and select to encrypt it.
Choosing Reboot system after installation will reboot your system automatically after the installation is finished.
Kickstart installations are performed in graphical mode by default. To override this default and use text mode instead, check the Perform installation in text mode button.
You can perform a kickstart installation in interactive mode. This means that the installation program will use all the options pre-configured in the kickstart file, but it will allow you to preview the options in each screen before you can continue to the next screen. To continue to the next screen, click the Next button after you have approved the settings. If you are not satisfied with the pre-configured options, you can change them before continuing the installation. If you prefer this type of installation, check the Perform installation in interactive mode button.
2.2 Boot Loader Options
Figure 2–2 Boot Loader Options
You have the option of installing GRUB or LILO as the boot loader. If you do not want to install a boot loader, uncheck the Install Boot Loader checkbutton. If you choose not to install a boot loader, make sure you create a boot disk or have another way to boot (such as a third-party boot loader) your Red Hat Linux system.
If you choose to install a boot loader, you must also choose which boot loader to install (GRUB or LILO) and where to install the boot loader (the Master Boot Record or the first sector of the /boot partition). Install the boot loader on the MBR if you plan to use it as your boot loader. If you are using a different boot loader, install LILO or GRUB on the first sector of the /boot partition and configure the other boot loader to boot Red Hat Linux.
If you need to pass any special parameters to the kernel to be used when the system boots, enter them in the Kernel parameters text field. For example, if you have an IDE CD-ROM burner, you can tell the kernel to use the SCSI emulation driver that must be loaded before using cdrecord by typing hdd=ide-scsi as a kernel parameter (where hdd is the CD-ROM device).
If you choose LILO as the boot loader, choose whether you want to use linear mode and whether you want to force the use of lba32 mode.
If you choose GRUB as the boot loader, you can password protect it by configuring a GRUB password. Enter a password in the Use GRUB Password text entry area.
2.3 Installation Method
Figure 2–3 Installation Method
The Installation Method page allows you to choose whether you want to perform a full installation or an upgrade. If you choose upgrade, the Partition Information and Package Selection pages will be disabled. They are not supported for kickstart upgrades. Also choose the type of kickstart installation to perform from this page. You can choose from the following options:
CD-ROM — Choose this option if you wish to install Red Hat Linux from the Red Hat Linux CD-ROMs.
NFS — Choose this option if you wish to install Red Hat Linux from an NFS shared directory. Two text entry boxes for the NFS server and NFS directory will appear. Enter the fully-qualified domain name or IP address of the NFS server. For the NFS directory, enter the name of the NFS directory that contains the RedHat directory. For example, if your NFS server contains the directory /mirrors/redhat/i386/RedHat, enter /mirrors/redhat/i386 for the NFS directory.
FTP — Choose this option if you wish to install Red Hat Linux from an FTP server. Two text entry boxes for the FTP server and FTP directory will appear. Enter the fully-qualified domain name or IP address of the FTP server. For the FTP directory, enter the name of the FTP directory that contains the RedHat directory. For example, if your FTP server contains the directory /mirrors/redhat/i386/RedHat, enter /mirrors/redhat/i386 for the FTP directory.
HTTP — Choose this option if you wish to install Red Hat Linux from an HTTP server. Two text entry boxes for the HTTP server and HTTP directory will appear. Enter the fully-qualified domain name or IP address of the HTTP server. For the HTTP directory, enter the name of the HTTP directory that contains the RedHat directory. For example, if your HTTP server contains the directory /mirrors/redhat/i386/RedHat, enter /mirrors/redhat/i386 for the HTTP directory.
Hard Drive — Choose this option if you wish to install Red Hat Linux from a hard drive. Two text entry boxes for hard drive partition and hard drive directory will appear. Hard drive installations require the use of ISO (or CD-ROM) images. Be sure to verify that the ISO images are intact before you start the installation. To verify them, use an md5sum program. Enter the hard drive partition that contains the ISO images (for example, /dev/hda1) in the Hard Drive Partition text box, and enter the directory that contains the ISO images in the Hard Drive Directory text box.
2.4 Partition Information
Figure 2–4 Partition Information
To clear the Master Boot Record, select Yes beside the option on the top of the page. You can choose to keep the existing partitions, remove all the existing partitions, or remove all the existing Linux partitions by selecting None, All, or Linux, respectively, next to Remove Partitions.
You can initialize the disk label to the default for the architecture of the system (msdos for x86 and gpt for Itanium). Choose Yes if you are installing on a brand new hard drive.
2.4.1 Creating Partitions
To create a partition, click the Add button. The Partition Options window shown in Figure 2–5, Creating Partitions will appear. Choose the mount point, filesystem type, and partition size for the new partition. Optionally, you can also choose from the following:
Additional Size Options — Choose to make the partition a fixed size, up to a chosen size, or fill the remaining space on the hard drive.
Force the partition to be created as a primary partition.
Create the partition on a specific hard drive.
Use an existing partition.
Format the partition as the chosen filesystem type.
Figure 2–5 Creating Partitions
To edit an existing partition, select the partition from the list and click the Edit button. The same Partition Options window that appears when you add a partition appears, except it contains the values for the selected partition. Modify the partition options and click OK. To delete an existing partition, select the partition from the list and click the Delete button.
2.5 Network Configuration
Figure 2–6 Network Configuration
There are three network configuration options: DHCP, Static IP, and None. If there is not an ethernet card in the system, choose None.
Networking is only required if you choose a networking-type installation method (NFS or FTP). If you are unsure which to choose, choose None. Networking can always be configured after installation with Network Configurator (redhat-config-network). If you select Static IP, you must provide additional networking information in the table below the network types.
2.6 Authentication
Figure 2–7 Authentication
In the Authentication section, select whether to use shadow passwords and md5 encryption for user passwords. These options are highly recommended and chosen by default.
The Authentication Configuration page allows you to configure the following methods of authentication:
NIS
LDAP
Kerberos 5
Hesiod
SMB
Name Switch Cache
They are not enabled by default. To enable one or more of these methods, click the appropriate tab, click the checkbutton next to Enable, and enter the appropriate information for the authentication method.
2.7 Firewall Configuration
Figure 2–8 Firewall Configuration
The Firewall Configuration page is identical to the screen in the Red Hat Linux installation program and provides the same functionality. Choose between High, Medium, and Disabled security levels.
Refer to the Official Red Hat Linux Installation Guide for detailed information about these security levels.
2.8 X Configuration
If you are installing the X Window System, you can configure it during the kickstart installation by checking the Configure the X Window System button on the X Configuration page as shown in Figure 2–9, X Configuration - General. If this option is not chosen, the X configuration options will be disabled and the skipx option will be written to the kickstart file.
2.8.1 General
Figure 2–9 X Configuration - General
The first step in configuring X is to choose the default color depth and resolution. Select them from their respective pulldown menus. Be sure to specify a color depth and resolution that is compatible with the video card and monitor for the system.
If you are installing both the GNOME and KDE desktops, you need to choose which desktop you want to be the default. If you are just installing one desktop, be sure to choose it. Once the system is installed, users can choose which desktop they want to be their default. For more information about GNOME and KDE, refer to the Official Red Hat Linux Installation Guide and the Official Red Hat Linux Getting Started Guide.
Next, choose whether to start the X Window System when the system is booted. This option will start the system in runlevel 5 with the graphical login screen. After the system is installed, this can be changed by modifying the /etc/inittab configuration file.
2.8.2 Video Card
Select the video card from the list on the Video Card tab as shown in Figure 2–10, X Configuration - Video Card. Also select the amount of video RAM the selected video card has from the Video Card RAM pulldown menu.
Figure 2–10 X Configuration - Video Card
2.8.3 Monitor
After configuring the video card, click on the Monitor tab shown in Figure 2–11, X Configuration - Monitor and select the monitor for the system. You can specify the horizontal and vertical sync rates instead of specifying a monitor by checking the Specify hsync and vsync instead of monitor option. This option is useful if the monitor for the system is not listed. Notice that when this option is enabled, the monitor list is disabled.
Figure 2–11 X Configuration - Monitor
2.9 Package Selection
Figure 2–12 Package Selection
The Package Selection page allows you to choose which package categories to install. Currently, Kickstart Configurator does not allow you to select individual packages. To install individual packages, modify the %packages section of the kickstart file after you save it.
2.10 Pre-Installation Script
Figure 2–13 Pre-Installation Script
You can add commands to run on the system immediately after the kickstart file has been parsed and before the installation begins. If you have configured the network in the kickstart file, the network is enabled before this section is processed. If you would like to include a pre-installation script, type it in the text area.
CAUTION
Do not include the %pre command. It will be added for you.
2.11 Post-Installation Script
Figure 2–14 Post-Installation Script
You can also add commands to execute on the system after the installation is completed. If you have properly configured the network in the kickstart file, the network is enabled. If you would like to include a post-installation script, type it in the text area.
CAUTION
Do not include the %post command. It will be added for you.
For example, to change the message of the day for the newly installed system, add the following command to the %post section:
echo "Hackers will be punished!" > /etc/motd
2.11.1 Chroot Environment
If you want your post-installation script to run outside of the chroot environment, click the checkbutton next to this option on the top of the Post-Installation page. This is equivalent to using the --nochroot option in the %post section.
Tip
If you want to make any changes to the newly installed filesystem in the post-installation section outside of the chroot environment, you need to append the directory name with /mnt/sysimage.
For example, if you check the Run outside of the chroot environment button, the previous example needs to be changed to the following:
echo "Hackers will be punished!" > /mnt/sysimage/etc/motd
2.11.2 Use an Interpreter
If you want to specify a scripting language to use to execute your script, click the Use an interpreter button and enter the interpreter in the text box beside the button. For example, /usr/bin/perl can be specified for a Perl script. This option corresponds to using %post --interpreter /usr/bin/perl in your kickstart file.
2.11.3 Examples
The post-installation script can be used to perform any useful functions such as the following examples.
Turn services on and off:
/sbin/chkconfig --level 345 telnet off
/sbin/chkconfig --level 345 finger off
/sbin/chkconfig --level 345 lpd off
/sbin/chkconfig --level 345 httpd on
Run a script named runme from an NFS share:
mkdir /mnt/temp
mount 10.10.0.2:/usr/new-machines /mnt/temp
open -s -w -- /mnt/temp/runme
umount /mnt/temp
Add a user to the system:
/usr/sbin/useradd bob
/usr/bin/chfn -f "Bob Smith" bob
/usr/sbin/usermod -p 'kjdf$04930FTH/' bob
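The usermod -p line above expects a password that has already been hashed, and both the md5 passwords option in Section 2.6 and Kickstart Configurator's Encrypt root password setting write hashes in the $1$ md5crypt format. The following is an added example, not code from this guide or from Red Hat: a self-contained Python md5crypt implementation, a salt generator, a verifier, and a helper named post_usermod_line (my own name) that builds the %post line from the hash rather than a plaintext password.

```python
"""md5crypt ($1$) password hashing, as used for shadow passwords on Red Hat Linux 7.2.
Added example, not part of the guide; follows the public-domain md5crypt algorithm."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` base-64 digits (md5crypt alphabet), least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def _clean_salt(salt: str) -> bytes:
    """Accept a bare salt or a full '$1$salt$hash' string; salt is at most 8 chars."""
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    if not salt or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the itoa64 alphabet")
    return salt.encode("ascii")


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for password and salt."""
    pw = password.encode("utf-8")
    sb = _clean_salt(salt)
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)                      # mix in alt, one byte per password byte
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)                              # one byte per bit of the length
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                    # fixed 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # The 16 digest bytes are regrouped into 3-byte words before encoding.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$1$" + sb.decode("ascii") + "$" + encoded


def new_salt() -> str:
    """Eight random characters from the itoa64 alphabet, from the OS CSPRNG."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, hashed: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if not hashed.startswith("$1$"):
        return False
    try:
        return secrets.compare_digest(md5_crypt(password, hashed), hashed)
    except ValueError:
        return False


def post_usermod_line(user: str, password: str, salt: str = None) -> str:
    """Build the %post usermod line with a hash, so no plaintext lands in ks.cfg.
    Hypothetical helper; single quotes are safe because the hash never contains one."""
    hashed = md5_crypt(password, salt or new_salt())
    return f"/usr/sbin/usermod -p '{hashed}' {user}"


if __name__ == "__main__":
    line = post_usermod_line("bob", "example-only")   # constructed sample input
    print(line)
    print("verifies:", verify("example-only", line.split("'")[1]))
```

md5crypt's fixed 1000 rounds are weak by current standards; this reproduces the format the Red Hat Linux 7.2 tools wrote, not a recommendation for new systems.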
2.12 Saving the File
After you have finished choosing your kickstart options, click the Save File button. A dialog box similar to Figure 2–15, Confirm Options will appear to allow you to review your choices before saving the file.
Figure 2–15 Confirm Options
If you are happy with your choices, click the Save File button within the dialog box. A save file dialog box will appear and allow you to choose where to save the file. The default file name to save it as is ks.cfg.
After saving the file, refer to Section 1.3, Starting a Kickstart Installation for information on how to start the kickstart installation.
3 Rescue Mode
When things go wrong, there are ways to fix problems. However, these methods require that you understand the system well. This chapter will describe the ways that you can boot into rescue mode and single user mode, where you can use your own knowledge to repair the system.
3.1 What is Rescue Mode?
Rescue mode provides the ability to boot a small Linux environment entirely from a diskette, CD-ROM, or using some other method.
As the name implies, rescue mode is provided to rescue you from something. During normal operation, your Red Hat Linux system uses files located on your system’s hard drive to do everything — run programs, store your files, and more.
However, there may be times when you are unable to get Linux running completely enough to access its files on your system’s hard drive. Using rescue mode, you can access the files stored on your system’s hard drive, even if you cannot actually run Linux from that hard drive.
Normally, you will need to get into rescue mode for one of two reasons:
You are unable to boot Linux.
You are having hardware or software problems, and you want to get a few important files off your system’s hard drive.
Next, we will take a closer look at each of these scenarios.
3.1.1 Unable to Boot Linux
This problem is often caused by the installation of another operating system after you have installed Red Hat Linux. Some other operating systems assume that you have no other operating systems on your computer, and they overwrite the Master Boot Record (MBR) that originally contained the GRUB or LILO boot loader. If the boot loader is overwritten in this manner, you will not be able to boot Red Hat Linux unless you can get into rescue mode.
Another common problem is if you use a partitioning tool to resize a partition or create a new partition from free space after installation and it changes the order of your partitions. If the partition number of your / partition changes, the boot loader will not be able to find it to mount the partition. To fix this problem, boot in rescue mode and modify /boot/grub/grub.conf if you are using GRUB or /etc/lilo.conf if you are using LILO.
3.1.2 Hardware/Software Problems
This category includes a wide variety of different situations. Two examples include failing hard drives and forgetting to run LILO after building a new kernel (if you are using LILO as your boot loader). In both of these situations, you may be unable to boot Red Hat Linux. If you can get into rescue mode, you might be able to resolve the problem or at least get copies of your most important files.
3.1.3 Booting Rescue Mode
To boot your system in rescue mode, boot off of a Red Hat Linux boot disk or Red Hat Linux CD-ROM #1, and enter the following command at the installation boot prompt:
boot: linux rescue
You can get to the installation boot prompt in one of these ways:
By booting your system from an installation boot diskette made from the boot.img image. (To create an installation boot diskette, insert a blank floppy disk and use the images/boot.img file on the Red Hat Linux CD-ROM #1 with the command dd if=boot.img of=/dev/fd0.) This method requires that the Red Hat Linux CD-ROM #1 be inserted as the rescue image or that the rescue image be on the hard drive as an ISO image.
By booting your system from the Red Hat Linux CD-ROM #1.
By booting from a network disk made from the bootnet.img or PCMCIA boot disk made from pcmcia.img. You can only do this if your network connection is working. You will need to identify the network host and transfer type. For an explanation of how to specify this information, see Installing over the Network in the Official Red Hat Linux Installation Guide.
After booting off a boot disk or Red Hat Linux CD-ROM #1 and providing a valid rescue image, you will see the following message:
The rescue environment will now attempt to find your Red Hat Linux installation and mount it under the directory /mnt/sysimage. You can then make any changes required to your system. If you want to proceed with this step choose ’Continue’. If for some reason this process fails you can choose ’Skip’ and this step will be skipped and you will go directly to a command shell.
If you select Continue, it will attempt to mount your filesystem under the directory /mnt/sysimage. If it fails to mount a partition, it will notify you. If you select Skip, your filesystem will not be mounted. Choose Skip if you think your filesystem is corrupted.
Once you have your system in rescue mode, a prompt appears on VC (virtual console) 1 and VC 2 (use the [Ctrl]-[Alt]-[F1] key combination to access VC 1 and the [Ctrl]-[Alt]-[F2] key combination to access VC 2):
bash#
If you selected Continue to mount your partitions automatically and they were mounted successfully, you are in single-user mode.
To mount a Linux partition manually inside rescue mode, create a directory such as /foo, and type the following command:
mount -t ext3 /dev/hda5 /foo
In the above command, /foo is a directory that you have created and /dev/hda5 is the partition you want to mount. If the partition is of type ext2, replace ext3 with ext2. If you do not know the names of your partitions, use the following command to list them:
fdisk -l
If your filesystem is mounted and you want to make your system the root partition, use the command chroot /mnt/sysimage. This is useful if you need to run commands such as rpm that require your root partition to be mounted as /. To exit the chroot environment, type exit, and you will return to the bash# prompt.
From the bash# prompt, you can run many useful commands including:
anaconda, badblocks, bash, cat, chattr, chmod, chroot, clock, collage, cp, cpio, dd, ddcprobe, depmode, df, e2fsck, fdisk, fsck, fsck.ext2, fsck.ext3, ftp, gnome-pty-helper, grep, gunzip,
gzip, head, hwclock, ifconfig, init, insmod, less, ln, loader, ls, lsattr, lsmod, mattrib, mbadblocks, mcd, mcopy, mdel, mdeltree, mdir, mdu, mformat, minfo, mkdir, mke2fs,
mkfs.ext2, mknod, mkraid, mkswap, mlabel, mmd, mmount, mmove, modprobe, mount, mpartition, mrd, mread, mren, mshowfat, mt, mtools, mtype, mv, mzip, open, pico, ping, probe,
ps, python, python1.5, raidstart, raidstop, rcp, rlogin, rm, rmmod, route, rpm, rsh, sed, sh, sync, tac, tail, tar, touch, traceroute, umount, uncpio, uniq, zcat
3.1.4 Booting Single-User Mode Directly
You may be able to boot single-user mode directly. If your system boots, but does not allow you to log in when it has completed booting, try single-user mode.
If you are using GRUB, use the following steps to boot into single-user mode:
1. If you have a GRUB password configured, type p and enter the password.
2. Select Red Hat Linux with the version of the kernel that you wish to boot and type e for edit. You will be presented with a list of items in the configuration file for the title you just selected.
3. Select the line that starts with kernel and type e to edit the line.
4. Go to the end of the line and type single as a separate word (press the [Spacebar] and then type single). Press [Enter] to exit edit mode.
5. Back at the GRUB screen, type b to boot into single user mode.
If you are using LILO, specify one of these options at the LILO boot prompt (if you are using the graphical LILO, you must press [Ctrl]-[x] to exit the graphical screen and go to the boot: prompt):
boot: linux single
boot: linux emergency
In single-user mode, your computer boots to runlevel 1. Your local filesystems will be mounted, but your network will not be activated. You will have a usable system maintenance shell.
In emergency mode, you are booted into the most minimal environment possible. The root filesystem will be mounted read-only and almost nothing will be set up. The main advantage of emergency mode over linux single is that your init files are not loaded. If init is corrupted or not working, you can still mount filesystems to recover data that could be lost during a re-installation.
Have you ever rebuilt a kernel and, eager to try out your new handiwork, rebooted before running /sbin/lilo? If you did not have an entry for an older kernel in lilo.conf, you had a problem. If you would like to know a solution to this problem, read this section.
In many cases, you can boot your Red Hat Linux system from the Red Hat Linux boot disk with your root filesystem mounted and ready to go. Here is how to do it: Enter the following command at the boot disk’s boot: prompt:
linux single root=/dev/hdXX initrd=
Replace the XX in /dev/hdXX with the appropriate letter and number for your root partition. What does this command do? First, it starts the boot process in single-user mode, with the root partition set to your root partition. The empty initrd specification bypasses the installation-related image on the boot disk, which will cause you to enter single-user mode immediately.
Is there a negative side to using this technique? Unfortunately, yes. Because the kernel on the Red Hat Linux boot disk only has support for IDE built-in, if your system is SCSI-based, you will not be able to do this. In that case, you will have to access rescue mode using the linux rescue command mentioned above.
4 Redundant Array of Independent Disks (RAID)
4.1 What is RAID?
The basic idea behind RAID is to combine multiple small, inexpensive disk drives into an array to accomplish performance or redundancy goals not attainable with one large and expensive drive. This array of drives will appear to the computer as a single logical storage unit or drive.
RAID is a method in which information is spread across several disks, using techniques such as disk striping (RAID Level 0), disk mirroring (RAID Level 1), and disk striping with parity (RAID Level 5) to achieve redundancy, lower latency and/or increase bandwidth for reading or writing to disks, and maximize the ability to recover from hard disk crashes.
The underlying concept of RAID is that data may be distributed across each drive in the array in a consistent manner. To do this, the data must first be broken into consistently-sized "chunks" (often 32K or 64K in size, although different sizes can be used). Each chunk is then written to a hard drive in RAID according to the RAID level used. When the data is to be read, the process is reversed, giving the illusion that multiple drives are actually one large drive.
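To make the chunking and "reverse the process" description concrete, the following is an added example (not from this guide and not the kernel MD driver): a Python model of RAID Level 5 that breaks data into fixed-size chunks, writes each stripe as data chunks plus one XOR parity chunk with the parity position rotating across the disks, reads the data back, and rebuilds a single failed disk from the survivors. The function and parameter names are my own.

```python
"""RAID 5 chunking, rotating parity, and single-disk rebuild in pure Python.
Added example modelled on the guide's description; not Red Hat or kernel code."""
from typing import List, Optional

Disk = Optional[List[bytes]]   # a list of chunks, or None once the disk has failed


def split_chunks(data: bytes, chunk_size: int) -> List[bytes]:
    """Break data into consistently-sized chunks; the last chunk is zero-padded."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if chunks and len(chunks[-1]) < chunk_size:
        chunks[-1] = chunks[-1].ljust(chunk_size, b"\0")
    return chunks


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: this is the RAID 5 parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Parity moves one disk to the left on every stripe (left-asymmetric layout),
    so no single disk becomes the parity write bottleneck."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int, chunk_size: int) -> List[Disk]:
    """Distribute data over n_disks: every stripe holds n_disks-1 data chunks
    plus one parity chunk, so usable capacity is (n_disks-1)/n_disks."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = n_disks - 1
    chunks = split_chunks(data, chunk_size)
    while len(chunks) % per_stripe:            # pad to a whole number of stripes
        chunks.append(b"\0" * chunk_size)
    disks: List[Disk] = [[] for _ in range(n_disks)]
    for stripe in range(len(chunks) // per_stripe):
        stripe_data = chunks[stripe * per_stripe:(stripe + 1) * per_stripe]
        pdisk = parity_disk_for(stripe, n_disks)
        parity = xor_blocks(stripe_data)
        data_iter = iter(stripe_data)
        for d in range(n_disks):
            disks[d].append(parity if d == pdisk else next(data_iter))
    return disks


def raid5_read(disks: List[Disk], length: int) -> bytes:
    """Reverse the write. One failed disk (None) is rebuilt from the XOR of the
    surviving members of each stripe; two failures are unrecoverable."""
    n_disks = len(disks)
    survivors = [d for d in disks if d is not None]
    if len(survivors) < n_disks - 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk")
    out = bytearray()
    for stripe in range(len(survivors[0])):
        members = [None if d is None else d[stripe] for d in disks]
        missing = [i for i, m in enumerate(members) if m is None]
        if missing:
            members[missing[0]] = xor_blocks([m for m in members if m is not None])
        pdisk = parity_disk_for(stripe, n_disks)
        for d in range(n_disks):
            if d != pdisk:                     # skip the parity chunk on read
                out += members[d]
    return bytes(out[:length])                 # drop the zero padding


def fail_disk(disks: List[Disk], index: int) -> List[Disk]:
    """Simulate a drive crash: return a copy of the array with one member gone."""
    return [None if i == index else d for i, d in enumerate(disks)]


if __name__ == "__main__":
    payload = bytes(range(256)) * 3            # constructed sample data, 768 bytes
    array = raid5_write(payload, n_disks=4, chunk_size=64)
    print("chunks per disk:", len(array[0]))
    print("rebuilt after losing disk 1:",
          raid5_read(fail_disk(array, 1), len(payload)) == payload)
```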
4.2 Who Should Use RAID?
Anyone who needs to keep large quantities of data on hand (such as an average system administrator) would benefit by using RAID technology. Primary reasons to use RAID include:
Enhanced speed
Increased storage capacity using a single virtual disk
Lessening the impact of a disk failure
4.3 Hardware RAID versus Software RAID
There are two possible RAID approaches: Hardware RAID and Software RAID.
4.3.1 Hardware RAID
The hardware-based system manages the RAID subsystem independently from the host and presents to the host only a single disk per RAID array.
An example of a Hardware RAID device would be one that connects to a SCSI controller and presents the RAID arrays as a single SCSI drive. An external RAID system moves all RAID handling "intelligence" into a controller located in the external disk subsystem. The whole subsystem is connected to the host via a normal SCSI controller and appears to the host as a single disk.
RAID controllers also come in the form of cards that act like a SCSI controller to the operating system but handle all of the actual drive communications themselves. In these cases, you plug the drives into the RAID controller just like you would a SCSI controller, but then you add them to the RAID controller’s configuration, and the operating system never knows the difference.
4.3.2 Software RAID
Software RAID implements the various RAID levels in the kernel disk (block device) code. It offers the cheapest possible solution, as expensive disk controller cards or hot-swap chassis [1] are not required. Software RAID also works with cheaper IDE disks as well as SCSI disks. With today’s fast CPUs, Software RAID performance can excel against Hardware RAID.
The MD driver in the Linux kernel is an example of a RAID solution that is completely hardware independent. The performance of a software-based array is dependent on the server CPU performance and load.
For information on configuring Software RAID in the Red Hat Linux installation program, refer to Chapter 5, Software RAID Configuration.
For those interested in learning more about what Software RAID has to offer, here is a brief list of the most important features:
Threaded rebuild process
Fully kernel-based configuration
Portability of arrays between Linux machines without reconstruction
Backgrounded array reconstruction using idle system resources
Hot-swappable drive support
Automatic CPU detection to take advantage of certain CPU optimizations
4.4 RAID Levels and Linear Support
RAID supports various configurations, including levels 0, 1, 4, 5, and linear. These RAID types are defined as follows:
[1] A hot-swap chassis allows you to remove a hard drive without having to power down your system.
Level 0 — RAID level 0, often called "striping," is a performance-oriented striped data mapping technique. This means the data being written to the array is broken down into strips and written across the member disks of the array, allowing high I/O performance at low inherent cost but providing no redundancy. The storage capacity of a level 0 array is equal to the total capacity of the member disks in a Hardware RAID or the total capacity of member partitions in a Software RAID.
Level 1 — RAID level 1, or "mirroring," has been used longer than any other form of RAID. Level 1 provides redundancy by writing identical data to each member disk of the array, leaving a "mirrored" copy on each disk. Mirroring remains popular due to its simplicity and high level of data availability. Level 1 operates with two or more disks that may use parallel access for high data-transfer rates when reading but more commonly operate independently to provide high I/O transaction rates. Level 1 provides very good data reliability and improves performance for read-intensive applications but at a relatively high cost [2]. The storage capacity of the level 1 array is equal to the capacity of one of the mirrored hard disks in a Hardware RAID or one of the mirrored partitions in a Software RAID.
Level 4 — Level 4 uses parity [3] concentrated on a single disk drive to protect data. It’s better suited to transaction I/O rather than large file transfers. Because the dedicated parity disk represents an inherent bottleneck, level 4 is seldom used without accompanying technologies such as write-back caching. Although RAID level 4 is an option in some RAID partitioning schemes, it is not an option allowed in Red Hat Linux RAID installations [4]. The storage capacity of Hardware RAID level 4 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of Software RAID level 4 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
Level 5 — This is the most common type of RAID. By distributing parity across some or all of an array’s member disk drives, RAID level 5 eliminates the write bottleneck inherent in level 4. The only performance bottleneck is the parity calculation process. With modern CPUs and Software RAID, that usually isn’t a very big problem. As with level 4, the result is asymmetrical performance, with reads substantially outperforming writes. Level 5 is often used with write-back caching to reduce the asymmetry. The storage capacity of Hardware RAID level 5 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of Software RAID level 5 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
Linear RAID — Linear RAID is a simple grouping of drives to create a larger virtual drive. In linear RAID, the chunks are allocated sequentially from one member drive, going to the next drive only when the first is completely filled. This grouping provides no performance benefit, as it is unlikely that any I/O operations will be split between member drives. Linear RAID also offers no redundancy and, in fact, decreases reliability — if any one member drive fails, the entire array cannot be used. The capacity is the total of all member disks.
[2] RAID level 1 comes at a high cost because you write the same information to all of the disks in the array, which wastes drive space. For example, if you have RAID level 1 set up so that your root (/) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
[3] Parity information is calculated based on the contents of the rest of the member disks in the array. This information can then be used to reconstruct data when one disk in the array fails. The reconstructed data can then be used to satisfy I/O requests to the failed disk before it is replaced and to repopulate the failed disk after it has been replaced.
[4] RAID level 4 takes up the same amount of space as RAID level 5, but level 5 has more advantages than level 4. For this reason, level 4 is not supported.
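The parity arithmetic that footnote 3 describes, and the capacity rules listed above, as an added example that is not part of the Red Hat manual: chunks are modelled as space-separated byte values, the three data chunks are constructed sample data, and the functions show how a level 4 or 5 array derives its parity chunk and rebuilds a lost member from the survivors.

```shell
#!/bin/bash
# Added example, not from the Red Hat manual: the parity arithmetic behind
# RAID levels 4 and 5 and the capacity rules given in Section 4.4.
# A chunk is modelled as a space-separated list of byte values; the data
# chunks below are constructed sample data, not real disk contents.

# xor_chunks A B -> byte-wise XOR of two equal-length chunks
xor_chunks() {
    local -a a b out
    local i
    a=($1); b=($2); out=()
    for i in "${!a[@]}"; do
        out+=( $(( a[i] ^ b[i] )) )
    done
    echo "${out[*]}"
}

# parity_of CHUNK... -> XOR of every chunk given; this is what a level 4 or
# level 5 array stores as the parity chunk of one stripe
parity_of() {
    local acc=$1 c
    shift
    for c in "$@"; do
        acc=$(xor_chunks "$acc" "$c")
    done
    echo "$acc"
}

# reconstruct_chunk SURVIVOR... -> the chunk of a failed member, recovered by
# XORing every surviving chunk of the stripe, parity included (the XOR of all
# members of a stripe is zero, so the missing one is the XOR of the rest)
reconstruct_chunk() {
    parity_of "$@"
}

# array_capacity LEVEL MEMBER_SIZE MEMBERS -> usable capacity for equal-sized
# members, following the rule Section 4.4 gives for each level
array_capacity() {
    case "$1" in
        0|linear) echo $(( $2 * $3 )) ;;          # total of all members
        1)        echo "$2" ;;                    # one mirrored copy
        4|5)      echo $(( $2 * ($3 - 1) )) ;;    # minus one member for parity
        *)        echo "unknown RAID level: $1" >&2; return 1 ;;
    esac
}

# --- constructed stripe: three data members plus one parity member ---------
D1="72 101 108 108"
D2="111 32 87 111"
D3="114 108 100 33"
P=$(parity_of "$D1" "$D2" "$D3")

echo "parity chunk:           $P"
echo "member 2 lost, rebuilt: $(reconstruct_chunk "$D1" "$D3" "$P")"
echo "4 x 40G level 5 array:  $(array_capacity 5 40 4)G usable"
```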
5 Software RAID Configuration
Read Chapter 4, Redundant Array of Independent Disks (RAID) first to learn about RAID and the differences between Hardware and Software RAID and the differences between RAID 0, 1, and 5.
Software RAID can be configured during the graphical installation of Red Hat Linux or during a kickstart installation. You can use fdisk or Disk Druid to create your RAID configuration, but these instructions will focus mainly on using Disk Druid to complete this task.
Before you can create a RAID device, you must first create RAID partitions, using the following step-by-step instructions.
Tip: If You Use fdisk
If you are using fdisk to create a RAID partition, remember that instead of creating a partition as type 83, which is Linux native, you must create the partition as type fd (Linux RAID). Also, for best performance, partitions within a given RAID array should span identical cylinders on drives.
Create a partition. In Disk Druid, choose New to create a new partition (see Figure 5–1, Creating a New RAID Partition).
Figure 5–1 Creating a New RAID Partition
Choose software RAID from the Filesystem Type pull-down menu.
You will not be able to enter a mount point (you will be able to do that once you have created your RAID device).
For Allowable Drives, select the drive on which RAID will be created. If you have multiple drives, all drives will be selected here and you must deselect those drives which will not have the RAID array on them.
Enter the size that you want the partition to be.
Select Fill to maximum allowable size if you want the partition to grow to fill all available space on the hard disk. If you make more than one partition growable, the partitions will share the available free space on the disk.
Select Force to be a primary partition if you want the partition to be a primary partition.
Select Check for bad blocks? if you want the installation program to check for bad blocks on the hard drive before formatting it.
Continue these steps to create as many partitions as needed for your RAID setup. Notice that all the partitions do not have to be RAID partitions. For example, you can configure only the /home partition as a software RAID device.
Once you have all of your partitions created as software RAID partitions, select the Make RAID button on the Disk Druid main partitioning screen (see Figure 5–3, Creating a RAID Array). Next, Figure 5–2, Making a RAID Device will appear, where you can make a RAID device.
Figure 5–2 Making a RAID Device
First, enter a mount point.
Next, choose the partition type for the partition.
Choose your RAID type. You can choose from RAID 0, RAID 1, and RAID 5.
Please Note
If you are making a RAID partition of /boot, you must choose RAID level 1 and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a RAID partition of /boot, and you are making a RAID partition of /, it must be RAID level 1 and it must use one of the first two drives (IDE first, SCSI second).
Select which partitions will go into this RAID array and then click Ok.
A spare partition can be specified for RAID 1 and RAID 5. If a software RAID partition fails, the spare will automatically be used as a replacement. For each spare you want to specify, you must create an additional software RAID partition (in addition to the partitions for the RAID device). In the previous step, select the partitions for the RAID device and the partition(s) for the spare(s). Select the number of spares.
Select whether you want the partition formatted.
The RAID device will appear in the Drive Summary list as shown in Figure 5–3, Creating a RAID Array. At this point, you can continue with your installation process. Refer to the Official Red Hat Linux Installation Guide for further instructions.
Figure 5–3 Creating a RAID Array
Part II Network-Related References
6 Network Configuration
Red Hat Linux no longer includes the application netcfg to configure your network devices. The Red Hat Network Administration Tool has replaced netcfg and can be used to configure the different types of network devices: Ethernet, Modem, ISDN, xDSL, CIPE, and Wireless. You can also configure a modem, ISDN, or an xDSL connection with internet-druid. Refer to the Official Red Hat Linux Getting Started Guide for more details on internet-druid.
To use the Red Hat Network Administration Tool, you must be running the X Window System and have root privileges. To start the application, use one of the following methods:
On the GNOME desktop, go to the Main Menu Button (on the Panel) => Programs => System => Network Configuration.
On the KDE desktop, go to the Main Menu Button (on the Panel) => Red Hat => System => Network Configuration.
Type the command neat at a shell prompt (for example, in an XTerm or a GNOME terminal).
If you make any changes to your network configuration using this tool, you must click the Apply button to have the changes take effect. If you prefer modifying the configuration files, refer to the Official Red Hat Linux Reference Guide for information on their location and contents.
6.1 Adding Network Hardware
From the main Red Hat Network Administration Tool window, use the Hardware tab to add, edit, or delete Ethernet, modem, ISDN, and token ring hardware configurations.
Figure 6–1 Network Hardware Configuration
6.1.1 Ethernet
You can configure the type of adapter (manufacturer and model) and kernel device name for an Ethernet device. The type of adapter you select determines which kernel module (driver) is loaded for the network interface card. After selecting the adapter, select the kernel device name for the network interface card (/dev/eth0, /dev/eth1, and so on). You can also configure the device’s system resource settings such as IRQ. After configuring the hardware settings for the Ethernet device, go to the Device tab to configure its network settings such as using DHCP to obtain an IP address.
6.1.2 Modem
For a modem, you can configure the kernel device name, baud rate, flow control, modem volume, and whether to use touch tone dialing. If you want to configure a modem Internet connection, go to the Device tab and select Modem as the Device Type.
6.1.3 ISDN
For an ISDN device, you can configure the adapter (manufacturer and model), system resources (such as IRQ), and D Channel Protocol. If you want to configure an ISDN Internet connection, go to the Device tab and select ISDN as the Device Type.
6.1.4 Token Ring
For a token ring device, you can select the type of adapter according to the manufacturer and model of the device. The type of adapter determines which kernel module (driver) is loaded for the device. You can also configure the kernel device name (/dev/tr0, /dev/tr1, and so on) and the device’s system resources such as IRQ. After configuring the hardware settings for the token ring device, go to the Device tab to configure its network settings such as using DHCP to obtain an IP address.
6.2 Adding a Device
To add a network device, start Red Hat Network Administration Tool and click Add in the Devices tab. From the Device Type menu, you have the following options:
Ethernet — Select this option to configure a network interface card (NIC).
Modem — Select this option to configure a modem for a dial-up connection.
ISDN — Select this option if you subscribe to an ISDN Internet service.
xDSL — Select this option if you subscribe to a type of xDSL service such as ADSL.
CIPE — Select this option to configure a virtual CIPE device.
Wireless — Select this option to configure a wireless network device.
Token Ring — Select this option to configure a token ring device.
After selecting a device type, you will see a window with tabbed panes. The tabs vary depending on which device type you selected. All device types will have the following tabs:
General — Give the device a nickname, choose to activate the device when the computer boots, and choose to allow users to enable and disable the device.
Protocols — Edit the TCP/IP settings such as an IP address (including DHCP), hostname, and static network routes.
6.2.1 Ethernet
If you selected Ethernet as the device type, you will also see a Hardware Device tab. Use this tab to configure a device alias. A device alias allows you to set up multiple virtual devices for one physical device.
Figure 6–2 Adding an Ethernet Device
6.2.2 Modem
Click the Provider tab to enter the phone number, login, and password for your dial-up account. Use the Compression tab to enable different forms of compression. The Options tab allows you to configure PPP options, and the Advanced tab provides pulldown menus to customize the hangup timeout value, the dial mode, and the modem port. You can also configure the device to restart if the connection dies using the Advanced tab.
6.2.3 ISDN
The tabs for ISDN configuration are similar to the tabs for Modem configuration, except there is an additional tab that allows you to use callback and configure the callback settings.
6.2.4 xDSL
xDSL provides an Internet connection through an Ethernet card. To configure xDSL, you must configure an Ethernet device first. Most xDSL services require you to configure the Ethernet device to obtain an IP address via DHCP. Consult your Internet provider for details. After configuring the Ethernet device, add an xDSL device. From the Provider tab, select the appropriate Ethernet device to use to establish your connection.
6.2.5 CIPE
CIPE stands for Crypto IP Encapsulation. It is used to configure an IP tunneling device. For example, CIPE can be used to grant access from the outside world into a Virtual Private Network (VPN). If you need to set up a CIPE device, contact your system administrator for the correct values.
6.2.6 Wireless
The tabs for Wireless configuration are similar to the tabs for an Ethernet device, except there is an extra tab called Wireless Settings. This tab allows you to configure the network ID, mode, frequency, channel, transmit rate, and key for the wireless device.
6.2.7 Token Ring
The Token Ring device configuration is similar to the Ethernet device configuration. There is an additional Hardware Device tab.
6.3 Managing DNS Settings
The DNS tab allows you to configure the system’s hostname, domain, name servers, and search domain. Name servers are used to look up other hosts on the network. Note, the name servers section does not configure the system to be a name server.
The Hosts tab allows you to add, edit, or remove hosts from the /etc/hosts file. This file contains IP addresses and the hostnames to which the IP addresses should be resolved.
When your system tries to resolve a hostname to an IP address or determine the hostname for an IP address, it refers to the /etc/hosts file before using the name servers (if you are using the default Red Hat Linux configuration). If the IP address is listed in the /etc/hosts file, the name servers are not used.
To add an entry to the /etc/hosts file, click Add in the Hosts tab, provide the requested information, and click OK. Click Apply to write the entry to the file.
Tip
To change lookup order, edit the /etc/host.conf file. The line order hosts, bind specifies that the /etc/hosts file takes precedence over the name servers. Changing the line to order bind, hosts configures your system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, your system looks for the IP address in the /etc/hosts file.
7 Basic Firewall Configuration
During the Red Hat Linux installation, you are given the option to choose high, medium or no security level as well as allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application.
After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.
You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide.
To disable specific services and deny specific hosts and users, refer to Chapter 8, Controlling Access to Services.
To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root.
7.1 Basic
Figure 7–1 Basic
After starting the program, choose the appropriate security level for your system:
High Security — This option disables almost all network connections except DNS replies and DHCP so that network interfaces can be activated. IRC, ICQ, and other instant messaging services as well as RealAudio™ will not work without a proxy.
Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.
Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to Section 7.5, Activating the Firewall. The security of your system will not be changed.
7.2 Local Hosts
If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.
Figure 7–2 Local Hosts
7.3 DHCP
If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say no, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.
Figure 7–3 DHCP
7.4 Configuring Services
GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:
Web Server — Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.
Incoming Mail — Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.
Secure Shell — Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.
Telnet — Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.
Tip
To disable other services that you do not need, you can use Serviceconf. See Section 8.3, Serviceconf.
7.5 Activating the Firewall
Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service.
It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.
Click Cancel if you do not want to write the firewall rules.
7.5.1 Mail Relay
A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine.
If you chose to enable mail services, after you click Finish on the Activate the Firewall page, you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org/ and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.
7.5.2 Activating the ipchains Service
The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:
/sbin/service ipchains restart
To ensure that it is started when the system is booted, issue the command:
/sbin/chkconfig --level 345 ipchains on
Tip
You can also use Serviceconf to activate ipchains. See Section 8.3, Serviceconf.
8 Controlling Access to Services
Maintaining security on your Red Hat Linux system is extremely important. One way to manage security on your system is to carefully manage access to system services. Your system may need to provide open access to particular services (for example, httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off — this will minimize your exposure to possible bug exploits.
There are several different methods for managing access to system services. You must decide which method you would like to use based on the service, your system’s configuration, and your level of Linux expertise.
The easiest way to deny access to a service is to simply turn it off. Both the services managed by xinetd (which we will talk about more later in this section) and the services in the /etc/rc.d hierarchy can be configured to start or stop using three different applications:
serviceconf — a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows you to start, stop, and restart each service.
ntsysv — a text-based application that allows you to configure which services are started at boot time for each runlevel. Changes do not take effect immediately. Services can not be started, stopped, or restarted using this program.
chkconfig — a command-line utility that allows you to turn services on and off for the different runlevels. Changes do not take effect immediately. Services can not be started, stopped, or restarted using this utility.
You may find that these tools are easier to use than the alternatives — editing the numerous symbolic links located in the directories below /etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.
Another way to manage access to system services is by using iptables to configure an IP firewall. If you are a new Linux user, please realize that iptables may not be the best solution for you. Setting up iptables can be complicated and is best tackled by experienced UNIX/Linux system administrators.
On the other hand, the benefit of using iptables is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, ipchains can provide it for you. See the Official Red Hat Linux Reference Guide for more information about iptables.
Alternatively, if you are looking for a utility which will set general access rules for your home machine, and/or if you are new to Linux, you should try the GNOME Lokkit utility. GNOME Lokkit is a GUI utility which will ask you questions about how you want to use your machine. Based on your answers, it will then configure a simple firewall for you. Refer to Chapter 7, Basic Firewall Configuration for more information.
8.1 Runlevels
Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or mode, that is defined by the services listed in the directory /etc/rc.d/rc<x>.d, where <x> is the number of the runlevel. Red Hat Linux uses the following runlevels:
0 — Halt
1 — Single-user mode
2 — Not used (user-definable)
3 — Full multi-user mode
4 — Not used (user-definable)
5 — Full multi-user mode (with an X-based login screen)
6 — Reboot
If you configured the X Window System during the Red Hat Linux installation program, you had the option of choosing a graphical or text login screen. If you chose a text login screen, you are operating in runlevel 3. If you chose a graphical login screen, you are operating in runlevel 5.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the top of the file similar to the following:
id:3:initdefault:
Change the number in this line to the desired runlevel. The change will not take effect until you reboot the system.
To change the runlevel immediately, use the command telinit followed by the runlevel number. You must be root to use this command.
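The mechanism behind the runlevel directories and the initdefault line, as an added example that is not part of the Red Hat manual: a runlevel's rc<x>.d directory holds S (start) and K (kill) links to the scripts in /etc/rc.d/init.d, which is what chkconfig, ntsysv and Serviceconf edit for you. The script builds a constructed copy of that layout in a temporary directory and reads it back, never touching the live /etc.

```shell
#!/bin/bash
# Added example (not part of the Red Hat manual): reading the runlevel
# definition that Section 8.1 describes. A runlevel N is defined by the
# S (start) and K (kill) links in /etc/rc.d/rcN.d, each pointing at a script
# in /etc/rc.d/init.d; the two digits after S or K give the start order.
# Everything below works on a constructed sample tree, not the live /etc.

# default_runlevel INITTAB -> the runlevel on the "id:N:initdefault:" line
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2; exit }' "$1"
}

# boot_services RCROOT LEVEL -> services started in that runlevel, one per
# line, in start order (the glob sorts the S links by their two-digit key)
boot_services() {
    local link
    for link in "$1/rc$2.d"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # no S links at all
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done
}

# service_enabled RCROOT LEVEL NAME -> 0 if NAME has an S link in that runlevel
service_enabled() {
    boot_services "$1" "$2" | grep -qx "$3"
}

# --- constructed sample layout ---------------------------------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/rc.d/init.d" "$SAMPLE/rc.d/rc3.d" "$SAMPLE/rc.d/rc5.d"
for s in network sshd httpd xfs; do
    printf '#!/bin/sh\n# stub init script for %s (constructed)\n' "$s" \
        > "$SAMPLE/rc.d/init.d/$s"
done
printf 'id:3:initdefault:\n' > "$SAMPLE/inittab"
# runlevel 3: network and sshd start; httpd has been turned off (K link)
ln -s ../init.d/network "$SAMPLE/rc.d/rc3.d/S10network"
ln -s ../init.d/sshd    "$SAMPLE/rc.d/rc3.d/S55sshd"
ln -s ../init.d/httpd   "$SAMPLE/rc.d/rc3.d/K15httpd"
# runlevel 5 additionally starts xfs, the X font server
ln -s ../init.d/network "$SAMPLE/rc.d/rc5.d/S10network"
ln -s ../init.d/sshd    "$SAMPLE/rc.d/rc5.d/S55sshd"
ln -s ../init.d/xfs     "$SAMPLE/rc.d/rc5.d/S90xfs"

echo "default runlevel: $(default_runlevel "$SAMPLE/inittab")"
echo "started in runlevel 3: $(boot_services "$SAMPLE/rc.d" 3 | tr '\n' ' ')"
echo "started in runlevel 5: $(boot_services "$SAMPLE/rc.d" 5 | tr '\n' ' ')"
```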
8.2 TCP Wrappers
Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules for clients allowed to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. See the Official Red Hat Linux Reference Guide and the hosts_access man page for details.
8.2.1 xinetd
To control access to Internet services, use xinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can be used to provide access only to particular hosts, to deny access to particular hosts, to provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, etc.
xinetd runs constantly and listens on all of the ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.
The configuration file for xinetd is /etc/xinetd.conf, but you will notice upon inspection of the file that it only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable a xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. If you edit any of the xinetd configuration files or change its enabled status using Serviceconf, ntsysv, or chkconfig, you must restart xinetd with the command service xinetd restart before the changes will take effect. For a list of network services controlled by xinetd, list the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
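Two checks that follow from Sections 8.2 and 8.2.1, as an added example that is not part of the Red Hat manual: which xinetd services are actually enabled (a missing disable attribute counts as enabled), and what TCP wrappers decides for a daemon/client pair under the hosts.allow-before-hosts.deny precedence described above. The matcher implements only a subset of the hosts_access syntax (ALL, an exact host or address, a trailing-dot network prefix, a leading-dot domain suffix) and every input file is a constructed sample in a temporary directory.

```shell
#!/bin/bash
# Added example, not part of the Red Hat manual. Pattern support is limited
# to ALL, an exact host or address, a "192.168.1." network prefix and a
# ".example.com" domain suffix (no EXCEPT, LOCAL, KNOWN or netmask forms).
# All files read here are constructed samples, never the live /etc.

# xinetd_enabled_services DIR -> names of services not marked "disable = yes"
xinetd_enabled_services() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" && continue
        awk '$1 == "service" { print $2; exit }' "$f"
    done
}

# pattern_matches PATTERN VALUE -> 0 if VALUE matches one hosts_access pattern
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        .*)  [ "${2%$1}" != "$2" ] ;;     # ".example.com": domain suffix
        *.)  [ "${2#$1}" != "$2" ] ;;     # "192.168.1.": network prefix
        *)   [ "$1" = "$2" ] ;;           # exact host name or address
    esac
}

# list_matches "a, b, c" VALUE -> 0 if any comma-separated pattern matches
list_matches() {
    local item
    for item in $(echo "$1" | tr ',' ' '); do
        pattern_matches "$item" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if some "daemons : clients" line matches
file_matches() {
    local line daemons clients
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}            # drop an optional third (command) field
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# wrappers_decision ALLOWFILE DENYFILE DAEMON CLIENT -> "grant" or "deny":
# hosts.allow is consulted first, then hosts.deny; no match anywhere grants
wrappers_decision() {
    if file_matches "$1" "$3" "$4"; then echo grant
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo grant
    fi
}

# --- constructed sample files -----------------------------------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir "$SAMPLE/xinetd.d"
printf 'service telnet\n{\n\tdisable = no\n\tsocket_type = stream\n}\n' \
    > "$SAMPLE/xinetd.d/telnet"
printf 'service finger\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n' \
    > "$SAMPLE/xinetd.d/finger"
printf 'service sgi_fam\n{\n\tsocket_type = stream\n}\n' \
    > "$SAMPLE/xinetd.d/sgi_fam"          # no disable attribute: enabled
cat > "$SAMPLE/hosts.allow" <<'EOF'
# constructed sample: telnet only from the local domain, sshd from one subnet
in.telnetd : .example.com
sshd : 192.168.1.
EOF
printf 'ALL : ALL\n' > "$SAMPLE/hosts.deny"
: > "$SAMPLE/hosts.deny.empty"            # what an unconfigured system looks like

echo "enabled xinetd services: $(xinetd_enabled_services "$SAMPLE/xinetd.d" | tr '\n' ' ')"
for pair in "in.telnetd host.example.com" "in.telnetd 10.0.0.5" "sshd 192.168.1.20"; do
    set -- $pair
    echo "$1 from $2: $(wrappers_decision "$SAMPLE/hosts.allow" "$SAMPLE/hosts.deny" "$1" "$2")"
done
```

With an empty hosts.deny every unmatched client is granted, which is why the deny file should carry the catch-all ALL : ALL line once the explicit allows are in place.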
8.3 Serviceconf
Serviceconf is a graphical application developed by Red Hat to configure which SysV services in /etc/rc.d/init.d are started at boot time (for runlevels 3, 4, and 5) and which xinetd services are enabled. It also allows you to start, stop, and restart SysV services as well as restart xinetd.
To start Serviceconf, use one of the following commands:
On the GNOME desktop, go to the Main Menu Button (on the Panel) => Programs => System => Serviceconf.
On the KDE desktop, go to the Main Menu Button (on the Panel) => Red Hat => System => Serviceconf.
Type the command serviceconf at a shell prompt (for example, in an XTerm or a GNOME terminal).
96 Chapter 8:Controlling Access to Services
Figure 8–1 Serviceconf
Serviceconf displays the current runlevel as well as which runlevel you are currently editing. To edit a different runlevel, select Edit Runlevel from the pulldown menu and select runlevel 3, 4, or 5. Refer to Section 8.1, Runlevels for a description of runlevels.
Serviceconf lists the services from /etc/rc.d/init.d as well as the services controlled by xinetd. Click on a service to display a brief description of that service at the bottom of the window.
To start, stop, or restart a service immediately, select the service and choose the action from the Actions pulldown menu. You can also select the service and click the start, stop, or restart button on the toolbar. If you select an xinetd service such as telnet, the Start, Stop, and Restart buttons will not be active: xinetd services are enabled or disabled and xinetd is then restarted, rather than being started or stopped individually.
If you change the Start at Boot value of an xinetd service, you must click the Save Changes button to restart xinetd and disable/enable the xinetd services that you changed.
To enable a service at boot time for the currently selected runlevel, check the checkbox beside the name of the service under the Start at Boot column. After configuring the runlevel, you must apply the changes. Select File => Save Changes from the pulldown menu or click the Save Changes button.
WARNING
When you save changes to xinetd services, xinetd is restarted. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
If you check or uncheck the Start at Boot value for a service in /etc/rc.d/init.d, the Save Changes button will become active. Click it to reconfigure the currently selected runlevel. The changes do not affect the system immediately. For example, assume you are configuring runlevel 3. If you change the Start at Boot value for the anacron service from checked to unchecked and then click the Save Changes button, the runlevel 3 configuration changes so that anacron is not started at boot time. However, runlevel 3 is not reinitialized, so anacron is still running. Select one of the following options at this point:
1. Stop the anacron service — Stop the service by selecting it from the list and clicking the Stop the selected service button. A message will be displayed stating that the service was stopped successfully.
2. Re-initialize the runlevel — Reinitialize the runlevel by going to a shell prompt (such as an XTerm or GNOME terminal) and typing the command telinit 3 (where 3 is the runlevel number). This option is recommended if you change the Start at Boot value of more than one service and want to activate the changes immediately.
3. Do nothing else — You do not have to stop the anacron service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel will be initialized without the anacron service running.
8.4 ntsysv
The ntsysv utility provides a simple interface for activating or deactivating services. You can use ntsysv to turn an xinetd-managed service on or off. You can also use ntsysv to enable or disable a service in the /etc/rc.d hierarchy for a runlevel; in that case, the ntsysv command (without options) configures the current runlevel. If you want to configure a different runlevel, use something like ntsysv --levels 016. (In this example, you would be setting the services for runlevels 0, 1 and 6.) ntsysv only changes what is started at boot; it does not start or stop anything itself (see the warning below).
The ntsysv interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the Ok and Cancel buttons. To move between the list of services and the Ok and Cancel buttons, use the [Tab] key. An * signifies that a service is set to on. The [F1] key will pop up a short description of each service.
WARNING
Changes do not take effect immediately after using ntsysv. You must stop or start the individual service with the command service daemon stop, replacing daemon with the name of the service you want to stop; for example, service httpd stop. Replace stop with start or restart to start or restart the service. If you enabled or disabled a service which is managed by xinetd, use the command service xinetd restart to make the change take effect.
8.5 chkconfig
The chkconfig command can also be used to activate and deactivate services. If you use the chkconfig --list command, you will see a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6 (at the end of the list, you will see a section for the services managed by xinetd, which we'll discuss later in this section).
If you use chkconfig --list to query a service managed by xinetd, you will see whether the xinetd service is enabled (on) or disabled (off). For example, the following command shows that finger is enabled as an xinetd service:
$ chkconfig --list finger
finger on
As shown above, finger is enabled; it is available only while xinetd itself is running. If you use chkconfig --list to query a service in /etc/rc.d, you will see the service's settings for each runlevel, like the following:
$ chkconfig --list anacron
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
More importantly, chkconfig can be used to set a service to be started (or not) in a specific runlevel. For example, if we wanted to turn nscd off in runlevels 3, 4, and 5, we'd use a command like this:
chkconfig --level 345 nscd off
See the chkconfig man page for more information on how to use it.
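The two chkconfig --list forms above answer one service at a time. The script below, added here as an example and not part of the original guide or of chkconfig, reads a full chkconfig --list report on standard input and prints what will actually be available after booting to a given runlevel: the SysV services marked on at that level, plus the xinetd-managed services marked on, but only when xinetd itself starts at that level, which is the condition the finger example depends on. The listing it runs on is constructed for the example in the format shown above; the service names and their settings are made up.

```shell
#!/bin/sh
# Added example: derive "what starts at runlevel N" from a chkconfig --list
# report. Feed it the live output (chkconfig --list | boot_enabled_services 3)
# or the constructed sample below.

# Read a chkconfig --list report on stdin and print, sorted, the services
# that will be up after booting to runlevel $1. SysV lines look like
# "anacron 0:off 1:off 2:on ..."; after the line "xinetd based services:"
# each line is "finger: on". An xinetd service counts only if xinetd is
# itself on at that runlevel, since nothing would listen for it otherwise.
boot_enabled_services() {
    awk -v lvl="$1" '
        /^xinetd based services:/ { in_xinetd = 1; next }
        !in_xinetd {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":on")) {
                    print $1
                    if ($1 == "xinetd") xinetd_on = 1
                }
            next
        }
        $2 == "on" { sub(/:$/, "", $1); names[n++] = $1 }
        END { if (xinetd_on) for (i = 0; i < n; i++) print names[i] }
    ' | sort
}

# Constructed sample report in the chkconfig --list format (not captured
# from a real system). xinetd starts in runlevels 3-5 only, so finger is
# reachable there but not in runlevel 2 even though it is marked on.
sample_chkconfig_list() {
    cat <<'EOF'
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
nscd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        chargen:        off
        finger: on
        telnet: off
EOF
}

# Stand-alone run against the sample.
for level in 2 3; do
    echo "available after booting to runlevel $level:"
    sample_chkconfig_list | boot_enabled_services "$level"
done
```

For runlevel 3 the sample yields anacron, finger, nscd, sshd and xinetd; for runlevel 2 only anacron and sshd, because xinetd is off there and finger with it. Compare such a list against what the system is supposed to offer before and after a chkconfig --level change.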
WARNING
Changes do not take effect immediately after using chkconfig. You must stop or start the individual service with the command service daemon stop, replacing daemon with the name of the service you want to stop; for example, service nscd stop after the chkconfig command above. Replace stop with start or restart to start or restart the service. If you enabled or disabled a service which is managed by xinetd, use the command service xinetd restart to make the change take effect.
8.6 Additional Resources
For more information on xinetd and the other tools described in this chapter, refer to the following resources.
8.6.1 Installed Documentation
man ntsysv — The ntsysv manual page.
man chkconfig — The chkconfig manual page.
man xinetd — The xinetd manual page.
man xinetd.conf — The manual page for the xinetd.conf configuration file.
man 5 hosts_access — The manual page for the format of host access control files (in section 5 of the man pages).
8.6.2 Useful Websites
http://www.xinetd.org — The xinetd webpage. It contains a more detailed list of features and sample configuration files.