Linux Administration Notes

2.  Random Password Generator

APG, a password generator that produces 'readable' passwords, is installed on PSI (from the DAG rpm). Please use it to generate your new password:

$ apg -M NsCL
SloFlewk7
Skyrolg9
6Okqueg3
AtNeenCyt6
Dewpaij8
efKoolt6

Remember that you can change your password from any PSI pc using yppasswd.

3.  Attansic L2 Ethernet driver for the psidaq PC at ithemba

4.  Misc

5.  ACL (Access Control Lists) on Linux

(for 2.6 kernels only)

6.  SELinux

SELinux, or Security-Enhanced Linux, is a system for defining more fine-grained permissions for files, programs, users, etc. In brief, it is based on the concept of "types": a program subject to SELinux, like httpd, has a certain "type", and a given program type can access only certain types of files, even if those files are "world readable" in terms of Unix permissions.

If you have SElinux enabled, and you have problems with permissions,

  • read the how-to above
  • look at /var/log/audit/audit.log
  • use ls -laZ to see Unix and SELinux permissions
  • use chcon to change SEL permissions

See for example Web Pages.

There are many switches that can be tuned with getsebool / setsebool, like httpd_enable_homedirs. Please check those before going to the next, more complicated step.

If you have more "permanent" problems,

  • use audit2allow -l -i /var/log/audit/audit.log
  • yum install selinux-policy-targeted-sources
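As an added example (not from the original page), a small POSIX shell script that summarises the denials in /var/log/audit/audit.log by source and target type, so you can see what is blocked before reaching for chcon, a boolean or audit2allow. The audit records are constructed samples; the boolean_hint mapping to httpd_enable_homedirs is the one pairing the page mentions.

```shell
#!/bin/sh
# Added example, not from the original page: summarise SELinux denials.

# Constructed sample audit.log records (pids, inodes, names are made up).
# Layout is the standard AVC format; contexts with or without the
# trailing ":s0" MLS field are both handled.
SAMPLE_AUDIT='type=AVC msg=audit(1160000000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=123456 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1160000000.123:45): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1160000000.456:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/sergio/public_html" dev=sda2 ino=123457 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1160000001.789:47): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# summarise_avc: read audit records on stdin, keep only AVC denials and
# print "COUNT COMM TCLASS PERMS SOURCE_TYPE TARGET_TYPE", most frequent
# first. Multiple permissions in one record are joined with commas.
summarise_avc() {
  sed -n 's/^type=AVC .*denied *{ *\([a-z_ ]*[a-z_]\) *} .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2|\5|\1|\3|\4/p' |
    tr ' ' ',' | sort | uniq -c | sed 's/^ *//' | tr '|' ' ' | sort -rn
}

# denials_on_type TARGET_TYPE: number of distinct denial signatures in the
# sample whose target type is TARGET_TYPE (e.g. user_home_t).
denials_on_type() {
  printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc | awk -v t="$1" '$6 == t' | wc -l | tr -d ' '
}

# boolean_hint SOURCE_TYPE TARGET_TYPE: the boolean worth checking with
# getsebool before writing policy. Only the pairing the page mentions is
# listed; add local ones as you meet them.
boolean_hint() {
  case "$1:$2" in
    httpd_t:user_home_t) echo httpd_enable_homedirs ;;
    *) echo none ;;
  esac
}

# On a real host run: summarise_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc
```

A denial of httpd_t on user_home_t should send you to getsebool httpd_enable_homedirs first; only a denial that no boolean covers is a candidate for audit2allow.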

7.  To make sure things start after a reboot

Just as an example ....

sudo chkconfig mysqld on

8.  Text-mode screensaver

To activate the full DPMS screen saver in text mode (as you get in X11), put this in /etc/rc.local:

for n in 1 2 3 4 5 6 7 8 9 10 11; do
    setterm -powersave powerdown > /dev/tty$n
    setterm -powerdown 1 > /dev/tty$n
    setterm -store > /dev/tty$n
done

9.  printconf

printconf supports command line options to export/import the full printers configuration to/from XML files, making it quite easy to copy the same configuration to a number of PCs:

# printconf-tui --Xexport > printconf.xml
# printconf-tui --Ximport < printconf.xml 

I was unable to stop the browsing; it did work after adding a Browsing Off line to /etc/cups/cupsd.conf.

10.  Enabling ssh access from a new IP address range

Each IP address has to be explicitly allowed by the firewall. This is done by editing and then running the script that sets up the iptables rules:

/home/admpsi/bin/fw.psi.sh

Then, if it works as expected, save the rules:

/sbin/service iptables save

11.  limiting the rights of an SSH login

12.  get the SSHd fingerprint on the server:

 [sergio@psi ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
 1024 38:95:1c:67:03:35:e4:1d:10:46:2c:76:e2:5b:1e:b7 /etc/ssh/ssh_host_rsa_key.pub

13.  Enable Java Web Start (for JANIS)

 cd /usr/bin; sudo ln -sf /usr/java/j2sdk1.4.2_12/jre/javaws/javawsbin javaws

/etc/mailcap:

 # Java Web Start
application/x-java-jnlp-file; javaws %s

14.  Enable Java Plugin for Firefox on SL4

 cd /usr/lib/firefox-1.5.0.7/plugins/; sudo ln -sf /usr/lib/mozilla/plugins/* .

15.  Server Backup

In order to back up the server, we need a place to put the data. This is one of the other machines in the group. If it is one of the Sun machines, format the extra space on the machine using:
mkfs.ext3 /dev/sda3

Then make the backups mount point
mkdir /BACKUPS

Then mount that partition by adding the following line to /etc/fstab
/dev/sda3 /BACKUPS ext3 rw,defaults 0 0

And export it by adding the following line to /etc/exports
/BACKUPS 146.141.41.19(rw,sync,no_root_squash)
and then reexport everything
exportfs -ra
and restart the nfs daemon
/etc/init.d/nfs restart
and keep it going
chkconfig nfs on
The final step is to allow connections from the file server to this machine by altering the iptables.
sudo iptables -I INPUT 6 -s psi -j ACCEPT


16.  History of incidents

Power Failure

Unfortunately, power failure is commonplace at the university. This can lead to a number of problems in a machine that was rudely dumped.

  1. Panel problems: The panel icons are unresponsive or they appear to respond but no program is loaded or there are no icons, or there is no panel.
    • Delete the .gconf, .gconfd, and .gnome2/panel2.d directories
    • Restart the nfs server on psi: sudo /sbin/service nfs restart
  2. Now that we have a battery backup on the server, it will not come up immediately when the power returns. The clients will boot BEFORE the nfs and yp server are running. This will require the following commands to be used to start these client services once the server is up.
sudo service ypbind start
sudo service autofs start

2006 Feb 21: Schonlan Firewall

Schonlan stopped receiving mail. Wits had changed the mail server for maintenance and the firewall was blocking it.
Updating the firewall: Added the line FRIENDS[2]=146.141.15.5 to /root/fw.schonlan.sh then ran the script. Then called /etc/init.d/iptables save so that it is standard at boot.

2005 Nov 14: Squirrelmail error

Symptoms: At the Squirrelmail login, after entering name and password, the following error is encountered: "Error connecting to IMAP server: localhost. 111 : Connection refused"
IMAP was verified to be listening with:
[root@SchonLAN log]#  netstat -tl | grep -i imap
tcp        0      0 *:imaps                 *:*                     LISTEN
tcp        0      0 *:imap                  *:*                     LISTEN
Solution: Squirrelmail connects on port 1143, which is an IMAP connection cached by imapproxy. It appears that imapproxy did not come up properly again after a power failure early Sunday morning. Restarting the imapproxy server repaired the error.
Note: Now that we use Dovecot instead of UW-IMAPd, we do not need imapproxy to have good performance on the webmail, so it is not installed and the above cannot happen.