Introduction to System Configuration

Outline

  • Filesystem Hierarchy Standard
  • Basic System Configuration
  • Network Configuration
  • System Log

Some slides are taken from 小小郭.

Filesystem Hierarchy Standard

Why FHS?

  • Enables 1) software to predict the location of installed files and directories, and 2) users to predict the location of installed files and directories.

  • The related manual page can be viewed with the following command

$ man hier

See Also: Filesystem Hierarchy Standard

The Filesystem

  • FHS classifies directories along two axes: shareable vs. unshareable (can the data be shared between hosts?) and static vs. variable (does the data change without administrator intervention?)

                shareable          unshareable
    static      /usr, /opt         /etc, /boot
    variable    /var/mail,         /var/run,
                /var/spool/news    /var/lock

Directory Tree

  • The following directories are required in the root filesystem

    Directory   Description
    bin         Essential command binaries
    boot        Static files of the boot loader
    dev         Device files
    etc         Host-specific system configuration

Directory Tree (Cont'd)

    Directory   Description
    lib         Essential shared libraries and kernel modules
    media       Mount point for removable media
    mnt         Mount point for mounting a filesystem temporarily
    opt         Add-on application software packages

Directory Tree (Cont'd)

    Directory   Description
    sbin        Essential system binaries
    srv         Data for services provided by this system
    tmp         Temporary files
    usr         Secondary hierarchy

Directory Tree (Cont'd)

    Directory   Description
    var         Variable data

Directory Tree (Cont'd)

  • The following directories, or symbolic links to directories, must be in /, if the corresponding subsystem is installed

    Directory   Description
    home        User home directories (optional)
    lib<qual>   Alternate format essential shared libraries (optional)
    root        Home directory for the root user (optional)

Directory Tree (Cont'd)

Appendix C.2. The Directory Tree

The /usr Hierarchy

  • Some people call it Unix System Resources

The /usr Hierarchy

Directories Required in /usr

    Directory   Description
    bin         Most user commands
    include     Header files included by C programs
    lib         Libraries

The /usr Hierarchy (Cont'd)

    Directory   Description
    local       Local hierarchy (empty after main installation)
    sbin        Non-vital system binaries
    share       Architecture-independent data; reference files

The /var Hierarchy

  • Variable data

  • /var contains variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files.

The /var Hierarchy (Cont'd)

Directories Required in /var

    Directory   Description
    cache       Application cache data
    lib         Variable state information (e.g. database)
    local       Variable data for /usr/local
    lock        Lock files

The /var Hierarchy (Cont'd)

    Directory   Description
    log         Log files and directories
    run         Data relevant to running processes (usually a link to /run)
    spool       Application spool data (e.g. email)
    tmp         Temporary files preserved between system reboots

Operating System Specific Annex

    Directory   Description
    /proc       Kernel and process information virtual filesystem

Miscellaneous (not in FHS)

  • /sys: sysfs, where the kernel exposes loaded modules and device information
  • lost+found folder: ext2, ext3, and ext4 use this folder.
    • If you accidentally delete lost+found, don't re-create it with mkdir; use mklost+found if available.
    • purpose: fsck places recovered files that have lost their directory entry here
  • /run: a new tmpfs location for the storage of transient state files.

Basic System Administration

  • Most system config files are located in /etc
    • /etc: Host-specific system configuration
  • Naming
    • XXX.conf
    • XXX.d/
    • XXXrc

Access Control

Access Control - /etc/passwd

  • Format: 7 columns
    1. login name
    2. optional encrypted password: a lower-case "x" means the encrypted password is actually stored in the shadow(5) file instead
      • the password is moved to /etc/shadow
    3. numerical user ID
    4. numerical group ID
    5. user name or comment field

Access Control - /etc/passwd (Cont'd)

  • Format (Cont'd):
    6. user home directory
    7. optional user command interpreter (login shell)
  • Example:
    • root:x:0:0:root:/root:/bin/bash
    • phi:x:65603:200:phi:/home/dept/ta/phi:/bin/bash
    • nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Access Control - /etc/shadow

  • Format: 9 columns
    1. login name
    2. encrypted password
    3. date of last password change
    4. minimum password age
    5. maximum password age

Access Control - /etc/shadow (Cont'd)

  • Format (Cont'd)
    6. password warning period
    7. password inactivity period
    8. account expiration date
    9. reserved field

Access Control - /etc/shadow (Cont'd)

  • Example
    • phi:6ae64XPxK$RlFHDifjxCO/5KmrCZUaufZQx8eX3O7oiJXYebSEGDjm6EUJsHtsPuUitVvUPPBRAuaD3gvSSA7b9k9v8/PX.:16184:0:99999:7:::

Access Control - /etc/group

  • Format: 4 columns
    1. group name
    2. password
    3. GID
    4. user list
  • Example:
    • root:x:0:
    • ta:*:200:ta217
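An added example (not from the slides) that parses the three files in the column layouts listed above and reports the entries an administrator should look at: extra UID-0 accounts, password hashes kept in passwd instead of shadow, empty shadow passwords on accounts with a login shell, and group members that do not exist. The file bodies and the checks are this example's own.

```python
# Added example (not from the slides): audit passwd/shadow/group contents.
# The three file bodies are constructed samples; on a real host read
# /etc/passwd, /etc/shadow (root only) and /etc/group instead.
PASSWD = """root:x:0:0:root:/root:/bin/bash
phi:x:65603:200:phi:/home/dept/ta/phi:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
legacy:$1$oldhash$:1001:1001::/home/legacy:/bin/sh
"""
SHADOW = """root:$6$SALT$HASH:16184:0:99999:7:::
phi:$6$SALT$HASH:16184:0:99999:7:::
nobody:*:16184:0:99999:7:::
toor::16184:0:99999:7:::
"""
GROUP = """root:x:0:
ta:*:200:phi
sudo:x:27:phi,ghost
"""

def parse(text, ncols):
    """Split colon-separated records; return (well-formed, malformed)."""
    good, bad = [], []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            (good if len(fields) == ncols else bad).append(fields)
    return good, bad

def audit(passwd=PASSWD, shadow=SHADOW, group=GROUP):
    """Return the findings an administrator would want to look at."""
    pw, bad_pw = parse(passwd, 7)   # 7 columns (passwd slides)
    sh, bad_sh = parse(shadow, 9)   # 9 columns (shadow slides)
    gr, bad_gr = parse(group, 4)    # 4 columns (group slide)
    findings = [f"{f}: malformed entry {r[0]}" for f, rows in
                (("passwd", bad_pw), ("shadow", bad_sh), ("group", bad_gr))
                for r in rows]
    shadow_pw = {r[0]: r[1] for r in sh}
    users = {r[0] for r in pw}
    for name, pwfield, uid, _gid, _gecos, _home, shell in pw:
        if uid == "0" and name != "root":
            findings.append(f"passwd: {name} has UID 0")
        if pwfield != "x":            # hash (or nothing) kept in passwd itself
            findings.append(f"passwd: {name} does not use the shadow file")
        elif name not in shadow_pw:
            findings.append(f"shadow: no entry for {name}")
        elif shadow_pw[name] == "" and not shell.endswith("nologin"):
            findings.append(f"shadow: {name} has an empty password and a login shell")
    for gname, _pw, _gid, members in gr:
        for m in filter(None, members.split(",")):
            if m not in users:
                findings.append(f"group: {gname} lists unknown user {m}")
    return findings
```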

Access Control

  • Use the following commands to look up a specific entry

    $ getent passwd [username]
    $ getent group [groupname]
  • adduser and addgroup
    • They are friendlier front ends to the low-level tools useradd, groupadd and usermod

Access Control - LDAP

  • Lightweight Directory Access Protocol
  • Currently, LDAP is used on the workstations.

    $ ldapsearch -x uid=<student_id>
  • It seems too complicated to introduce in this course, so we skip it. Some teams choose this as the topic of their final project (setting up a mail server). They will try to do it and show us. Let's wait and see :).

/sbin/sysctl

  • Configure kernel parameters at runtime

    $ sysctl -a                         # show all variables
    $ sysctl [variable]                 # read some variable
    $ sysctl -w [variable[=value] ...]  # write some variable

sudo

  • Execute a command as another user
    • /etc/sudoers
    • Give people limited superuser access
  • Two commands

    $ sudo su # Calls `sudo` with the command `su`
    $ su # switch user; when no parameter is given, it switches to root
  • visudo: edit the sudoers file

Time & Timezone

  • /etc/localtime, /etc/timezone...

    $ dpkg-reconfigure tzdata   # see or change the configured timezone
  • NTP server configured on /etc/ntp.conf

Locale

  • Available language setting file: /etc/locale.gen
  • Use locale-gen to regenerate language file.
  • Use locale-gen <newlanguage> to add new language.

Locale (Cont'd)

$ locale
LANG=en_US.utf8
LANGUAGE=en_US:en
LC_CTYPE="en_US.utf8"
LC_NUMERIC="en_US.utf8"
LC_TIME="en_US.utf8"
LC_COLLATE="en_US.utf8"
LC_MONETARY="en_US.utf8"
LC_MESSAGES="en_US.utf8"
LC_PAPER="en_US.utf8"
LC_NAME="en_US.utf8"
LC_ADDRESS="en_US.utf8"
LC_TELEPHONE="en_US.utf8"
LC_MEASUREMENT="en_US.utf8"
LC_IDENTIFICATION="en_US.utf8"
LC_ALL=
  • man locale

Exercise time

  • Use sysctl to set the file name of core dumps, e.g. core-<pid>-signal_number
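A worked answer to the exercise, added here and not part of the slides: the setting itself is kernel.core_pattern (applied as root with sysctl -w), and the helper below emulates the kernel's %-specifier expansion so the resulting file name can be previewed before the value is written. The pid, signal and command values are constructed, and only a subset of the kernel's specifiers is handled.

```python
import re
import time

# Added example (not from the slides): a worked answer to the exercise.
# As root the setting is applied with
#     sysctl -w kernel.core_pattern=core-%p-%s
# expand_core_pattern() emulates the kernel's substitution so the resulting
# name can be previewed; the pid/signal/command values used are constructed.
SPECIFIERS = {"p": "pid", "s": "signal", "e": "comm", "u": "uid", "t": "time"}

def expand_core_pattern(pattern, pid, signal, comm="a.out", uid=1000, when=None):
    """Expand the subset %p (PID), %s (signal number), %e (executable
    name), %u (real UID), %t (UNIX time) and %% of the kernel's
    core_pattern specifiers; any other specifier raises ValueError."""
    values = {"pid": pid, "signal": signal, "comm": comm, "uid": uid,
              "time": int(time.time()) if when is None else when}

    def sub(m):
        spec = m.group(1)
        if spec == "%":
            return "%"
        if spec not in SPECIFIERS:
            raise ValueError(f"unsupported core_pattern specifier %{spec}")
        return str(values[SPECIFIERS[spec]])

    return re.sub(r"%(.)", sub, pattern)

def is_pipe_handler(pattern):
    """A pattern starting with '|' makes the kernel run that program as root
    for every crash, so such a value deserves review on any host."""
    return pattern.startswith("|")
```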

Network configuration & commands

Hostname

  • /etc/hostname
    • Set during boot
    • Stored in kernel
    • Not FQDN (w/o domain name)

Hostname Lookup

  • /etc/hosts
    • Static lookup table
    • All OSes have it (even Windows)
    • Format: IP FQDN Alias

      140.112.30.46  linux15.csie.ntu.edu.tw linux15
  • /etc/resolv.conf
    • DNS Resolver (Name servers)
    • resolvconf package
      • Read DNS config from network config
      • Write settings to /etc/resolv.conf

/etc/network/interfaces

  • static

    auto eth0
    iface eth0 inet static
       address 140.112.30.46
       netmask 255.255.255.0
       network 140.112.30.0
       broadcast 140.112.30.255
       gateway 140.112.30.254
       dns-nameservers 140.112.30.21 140.112.254.4 140.112.2.2
       dns-search csie.ntu.edu.tw
       #up route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.2
       #down route del -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.2
  • DHCP

    auto eth0
    iface eth0 inet dhcp
  • man interfaces

iptables

  • Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel.

  • table: filter (default table), nat, mangle, raw, security

  • chain: a set of rules in a table

ip

$ ip link show
$ ip link set <device_name> <up|down>
$ ip address show
# man ip for more information

System Log

/var/log

  • Most logs are stored in /var/log
  • Format: <time> <hostname> <process> <message>
  • Example:

/var/log (Cont'd)

  • System Level log

    dmesg          # Kernel ring buffer / boot message log
    lastlog        # Last login per user; read with the lastlog command
    syslog         # Almost all logs are collected here
    messages       # General and error messages
    auth.log       # Authentication log
    wtmp, faillog  # Login records and failed logins; read with the last and faillog commands
  • Application logs (Especially for daemon)

    [Example] mail.X, apt, apache, cups ...
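An added example, not from the slides, of reading auth.log in the <time> <hostname> <process> <message> layout described above and counting failed sshd password attempts per source IP, the check that Fail2Ban (mentioned later in these slides) automates. The log lines are a constructed sample, not real log lines from the course hosts.

```python
import re
from collections import Counter

# Added example (not from the slides): detect repeated failed logins in
# auth.log. The lines below are a constructed sample in the
# <time> <hostname> <process> <message> layout described above.
AUTH_LOG = """\
Mar  3 10:15:01 linux15 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:04 linux15 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:09 linux15 sshd[2203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:16:30 linux15 sshd[2210]: Accepted publickey for phi from 140.112.30.46 port 40000 ssh2
Mar  3 10:17:00 linux15 sshd[2215]: Failed password for phi from 198.51.100.9 port 33000 ssh2
Mar  3 10:17:05 linux15 CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>\S+)")

def parse_syslog(text):
    """Yield one dict (time, host, proc, pid, msg) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def failed_logins(text):
    """Count sshd 'Failed password' events per source IP."""
    counts = Counter()
    for rec in parse_syslog(text):
        if rec["proc"] == "sshd":
            m = FAILED_RE.search(rec["msg"])
            if m:
                counts[m["ip"]] += 1
    return counts

def ban_candidates(text, maxretry=3):
    """IPs with at least maxretry failures; Fail2Ban applies the same idea."""
    return sorted(ip for ip, n in failed_logins(text).items() if n >= maxretry)
```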

rsyslog

  • Managed by the rsyslog.service daemon
  • Configuration: /etc/rsyslog.conf and /etc/rsyslog.d/

rsyslog (Cont'd)

  • Severity levels (RFC 5424), from most to least severe

    emerg (panic) > alert > crit > err (error) >
    warning (warn) > notice > info > debug
  • man rsyslog.conf
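An added example, not from the slides, that decodes the PRI value prefixed to a syslog message on the wire (RFC 5424: PRI = facility * 8 + severity) and evaluates an rsyslog.conf selector such as auth.warning against it; a selector matches its level and everything more severe, i.e. everything to its left in the ordering above. The message texts used are constructed.

```python
import re

# Added example (not from the slides): decode a syslog PRI and evaluate an
# rsyslog.conf selector against it. Message texts below are constructed.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def split_pri(message):
    """Return (pri, rest) for a wire-format message like '<34>...'."""
    m = re.match(r"<(\d{1,3})>(.*)", message, re.S)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    return int(m.group(1)), m.group(2)

def selector_matches(selector, facility, severity):
    """rsyslog 'facility.level' selects messages at that level or more
    severe (to the left in the slide's ordering); '*' wildcards either
    side and 'none' excludes the facility."""
    fac_sel, level = selector.split(".")
    level = ALIASES.get(level, level)
    if fac_sel not in ("*", facility) or level == "none":
        return False
    if level == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(level)

def route(message, selector):
    """Would a rule with this selector act on this wire-format message?"""
    pri, _rest = split_pri(message)
    return selector_matches(selector, *decode_pri(pri))
```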

Logrotate - Introduction

  • Why logrotate?
    • Archiving(!)
      • Logs stored in the local file system can be modified by intruders.
      • Backed-up logs sometimes help to find out who the intruders were.
    • Reduces disk usage by compressing the logs
    • Improves I/O performance (e.g. using vim to open a large file)
    • Outdated logs are not useful

Logrotate - Configuration

  • Files: /etc/logrotate.conf and /etc/logrotate.d/*
  • Example

    /var/log/syslog
    {
       rotate 7
       daily
       missingok
       notifempty
       delaycompress
       compress
       postrotate
          invoke-rc.d rsyslog rotate > /dev/null
       endscript
    }
  • man logrotate

Logrotate - Command

  • Show logrotate procedure

    logrotate -v /etc/logrotate.conf
  • Force logrotate

    logrotate -fv /etc/logrotate.conf

Miscellaneous

Some Cases

  • Open proxy on a workstation
    • If you did not know, running one on the workstations is prohibited.
    • IT IS PROHIBITED.
  • Fail2Ban scans logs and bans IPs that show malicious signs (e.g. repeated failed logins).

Exercise (advertisement time?)

  • mrtg: how many machines' information can you see?
  • esystem